Domain 7 - Security Operations Flashcards
User and entity behavior analytics (UEBA)
- entity behavior is collected and input to a threat model, model establishes baseline of normal based on historical data, enables analysis to uncover anomalies
Threat intel feeds
- feed containing malicious entities ingested by cyber tools, educational tools for threat landscape changes, single feed may contain many sources including OSINT, entity = IP, website, actor, hashes
Role of AI and ML (SecOps)
- automate analysis, automated investigation feature, quickly analyze millions of events and identify many different types of threats, profiles are built on users/ assets/ networks/ devices allowing AI to detect and respond to deviations from established norms, factor in anti-malware, SIEM, IDS/IPS, IDaaS
Collusion
- agreement among multiple persons to perform unauthorized action
Separation of duties
- ensure 1 person doesn’t control all elements of a critical function
Job rotation
- employees rotated into different jobs or tasks, flush out fraud
Monitoring privileged operations
- monitor all assignment of privileges and the use of privileged operations, can detect many attacks because attackers commonly use special privileges
Information lifecycle
- Creation (file creation by user or system logs) > classification (to ensure its handled properly) > storage (protect data with adequate controls based on classification) > usage (anytime data is in use or in transit) > archive (sometimes needed to comply with laws or regulations) > destruction (destroyed in a way so it is not readable)
Service level agreements
- performance expectations like max downtimes/ availability numbers, can include penalties, usually applies to vendors
Secure provisioning
- ensures that resources are deployed in a secure manner and maintained in a secure manner throughout lifecycle, ie PC deployed from secure image
Virtual assets
- VMs, VDIs, SDN, SAN, hypervisors are primary component that manage virtual assets but also provide attackers with an additional target, KEEP IT PATCHED!!
Configuration management
- ensures that systems are configured in a similar manner, configs are KNOWN and DOCUMENTED
Baselining
- ensures systems are deployed with a common baseline ie imaging, policy based config (GPOs), can then be TAILORED as needed
Change management
- helps reduce outages/ weakened sec from unauthorized changes, make sure all changes are documented/ discussed/ authorized, changes are tested, approved and documented
Versioning
- uses labeling/ numbering to track changes in software, helpful in change management process
Patch management
- ensures systems are kept up to date with current sec patches, evaluate/ test/ approve/ deploy patches, system audits verify the deployment of approved patches to system, vuln scanner can identify missing patches
Vuln scanners
- detect vulns, weaknesses, absence of patches, weak passwords ie tenable, qualys
Vuln assessments
- includes reviews and audits to detect vulns in addition to a scan
Detection (IR)
- monitoring tools, IPS, firewalls, notifying management
Response (IR)
- triage (is it really an incident?), decision to declare, LIMIT DAMAGE
Mitigation (IR)
- first containment effort or step, create team, CONTAINMENT IS HERE
Reporting (IR)
- to relevant stakeholders (customers, vendors, law enforcement), MANAGEMENT DECISION
Recovery (IR)
- returning to normal ops, MANAGEMENT DECISION
Remediation (IR)
- root cause is addressed, ROOT CAUSE ANALYSIS
Lessons learned (IR)
- prevent recurrence, improve IR process
Denial of Service attacks (DoS)
- prevent a system from responding to legit requests for service, blocks resources
SYN flood attack
- disrupts TCP 3 way handshake
Smurf attack
- amplification network (systems under control of bad actor) to send many response packets to victim
Botnet
- collection of compromised computing devices (often called bots or zombies)
Bot herder
- attacker who remotely controls a botnet via a C2 server, often uses it to launch attacks or send phishing emails
Honeypot
- has pseudo flaws and fake data to lure/ distract intruders, can't entrap someone to commit an actual crime, as long as attackers are in the honeypot they are not in the live network and admins can observe, some IDS can transfer attackers to a padded cell after detection (hardened honeypot)
Anti-malware software
- up to date definitions, installed on each system/ boundary device/ email servers/ etc, also has behavioral analysis now
Policies (blocking malicious code)
- enforce basic sec principles ie least privilege, no local admin, etc
Education (blocking malicious code)
- teaching users about risks and methods attackers use to spread viruses
Penetration tests
- discover vulns then mimic an attack to identify what can be exploited, not without consent and knowledge from management, can result in damage so should be done on isolated systems whenever possible, schedule at time of minimal activity
Black box pentesting
- no knowledge of environment
White box pentesting
- full knowledge of environment, open book test
Gray box pentesting
- partial knowledge of environment
IDS
- can respond by passively logging and notifying OR actively by changing the environment, reactive
§ HIDS - monitor activity on single system only, attackers can discover and disable
§ NIDS - monitor activity on a network, not as visible to attackers
IPS
- placed inline with traffic, can block malicious traffic before it reaches target, proactive
Espionage
- external threat, competitor tries to steal info
Sabotage
- insider threat, malicious insiders can become disgruntled, ie mass deletion/ server shutdowns, data theft
Zero-day exploits
- attack that uses a vulnerability that is either unknown to anyone but the attacker or a limited # of people, basic sec practices can often prevent these from being fully utilized
Common log files
- security logs, system logs, application logs, firewall logs, proxy logs, protected by centrally storing them and restricting access so they can’t be modified, read only!
Monitoring
- form of auditing, focuses on active review of log file data, used to hold subjects accountable and monitor system performance, automated by IDS/ SIEM
Audit trails
- used to reconstruct event, prove culpability, DETECTIVE security control, essential evidence in prosecution of criminals
Sampling
- extracting elements from a large body of data, construct a meaningful representation of the whole set of data
Statistical sampling
- uses precise math function to extract meaningful info from a large volume of data
Clipping
- non-statistical sampling, records only events that exceed a threshold
Accountability
- maintained for individual users aka subjects through AUDITING, logs record user activities and users can be held accountable for logged actions, promotes good user behavior because people know they're being watched
Security audits/ reviews
- help ensure that management programs are effective and being followed, commonly associated with account management to prevent violations with least priv and need to know, can be used to oversee many programs and processes ie patch/ vuln/ change/ config management
Auditing
- examination of environment to ensure compliance, DETECTIVE control, frequency is based on risk, degree of risk affects how often an audit is performed, secure environments rely heavily on audits
Due care
- act with common sense, prudent management, responsible
Controlling access to audit reports
- contain sensitive info, purpose/ scope and any results discovered, only people with sufficient priv should have access, senior sec admins should have full details, senior management only needs high level summary to meet their requirement for due care
Access review
- ensures object access and account management practices support the security policy
User entitlement audit
- ensure that least priv is followed and focused on privileged accounts
Access control audit
- can track logon success and failure of any account, include resource (object) access and actions performed on resources ie mass file exfiltration, IDS can monitor these logs and easily identify attacks and notify admins
Computer crime
- military and intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, thrill attacks
Electronic discovery
- eDiscovery, info ID and governance, preservation and collection, processing, review and analysis, production and presentation (in case of lawsuit will need to present data)
Possession (evidence gathering)
- must have possession of equipment/ data to analyze and use it as evidence
Modification (evidence gathering)
- must acquire evidence w/o modifying it or allowing anyone else to modify it
Chain of evidence
- aka chain of custody, documents all who handle evidence
Voluntary surrender
- ask the person who owns the evidence to voluntarily surrender it for investigation
Subpoena
- compels a subject to surrender evidence
Search warrant
- when you need to confiscate evidence w/o giving subject the opportunity to alter it
Data retention
- ensure critical logs are retained for a reasonable period of time based on sec policy/ regulatory requirements, can be maintained in place or in archives
Best evidence
- original
Secondary evidence
- copy
Direct evidence
- proves or disproves an act based on the 5 senses ie something seen or heard in the 1st person
Conclusive evidence
- cannot be disproven, overrides all other types
Circumstantial evidence
- inferred from other info, often comes up in financial crimes
Corroborative evidence
- supporting evidence that cannot stand on its own
Opinions (evidence)
- expert and non-expert
Hearsay (evidence)
- not based on first hand knowledge
Evidence admissibility
- must be relevant to the case, must be material to the case, must be competent or legally collected, must comply with traditional notions of reliability ie court is satisfied with handling and type of evidence
Real evidence
- consists of ACTUAL objects that can be brought into a courtroom
Documentary evidence
- consists of written documents that provide insight into the facts
Testimonial evidence
- consists of verbal or written statements made by witnesses
Evidence collection
- start as soon as incident is discovered, collect as much evidence as possible, can be used in legal action or in finding attacker identity, determine extent of damage
Natural disasters
- earthquakes, floods, tornadoes, etc. can be location specific ie hurricanes by the coast
Man made disasters
- explosions, electrical fires, terrorist acts, power outages, other utility failures
Hot site
- “proactive” site, replication of production environment, keep servers and a live backup site up and running, allows for IMMEDIATE cutover in case of disaster, is a MUST for mission critical sites, HIGH COST LOW EFFORT
Warm site
- “preventative” site, has pre-installed hardware and pre-configured bandwidth; if disaster strikes, just load software and data to restore business systems, MEDIUM COST MEDIUM EFFORT
Cold site
- just data center space, power, network connectivity. Ready when you need it. If disaster strikes, engineering and logistical support teams can help move hardware into the data center to get you up and running, LOW COST HIGH EFFORT
Service Bureau
- company that leases computer time, own large server farms and often fields of workstations, may be onsite or remote
Mobile site
- non-mainstream alternative to traditional recovery sites, consist of self-contained trailers or other easily relocated units
Recovery point objective (RPO)
- age of files that have to be recovered from backup storage for normal ops to resume if a system or network goes down
Recovery time objective (RTO)
- duration of time and service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity
Mutual Assistance Agreements (MAAs)
- entities agree to provide assistance to each other before during and after an emergency, inexpensive alternative to disaster recovery sites, can happen between gov agencies often, CONS: orgs may be shut down by same disaster and this does raise confidentiality concerns, difficult to enforce if one side lets the other down
Business continuity planning
- STEPS: Project scope and planning > business impact assessment > continuity planning > approval and implementation. GOAL: efficient response to enhance a company's ability to recover from a disruptive event promptly
BCP (business continuity plan)
- organizational plan for HOW TO continue business
COOP (Continuity of operations plan)
- plan for continuing to do business until IT infrastructure is restored
DRP (Disaster recovery plan)
- plan for recovering from an IT disaster and having the IT infrastructure back in operation
BRP (business resumption plan)
- plan to move from the disaster recovery site back to business environment/ back to normal operations
MTBF (mean time between failures)
- time determination for how long a piece of IT infrastructure will continue to work before it fails
MTTR (mean time to repair)
- how long it takes to get a piece of hardware/ software repaired and back online
MTD (max tolerable downtime)
- time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate the DRP
Goals of DR and BCP
- minimize effects of a disaster, improving responsiveness by the employees in different situations, ease confusion by providing written procedures and participation in drills, help make logical decisions during a crisis/ extreme stress
Read through test
- distribute copies of DRP for members of the disaster recovery team to review
Structured walk-through test (tabletop exercise)
- members of the disaster recovery team gather in a large conference room and role play a disaster scenario AKA tabletop exercise, scenario is known only to the moderator
Simulation test
- similar to structured walkthrough, except response measures are then tested on NON-CRITICAL FUNCTIONS
Parallel test
- relocate personnel to alternate recovery site and implement site activation procedures. Employees perform DRP responsibilities
Full interruption test
- shutting down ops at primary site and using the backup/ recovery site
Recovery team
- get critical business functions running at alternate site
Salvage team
- returns primary site to normal processing conditions
Electronic vaulting
- transfer database backups to a remote site as part of a bulk transfer
Remote journaling
- transmitting journal/ transaction logs to the off site facility (not actual files)
Remote mirroring
- live database server is maintained at the backup site, most advanced database backup solution (most expensive backup strategy)
Non-disaster (disruption category)
- disruption in service from malfunction or user error
Disaster (disruption category)
- whole facility unusable for a day or longer
Catastrophe (disruption category)
- major disruption that destroys facility altogether, requires short and long term solution
Uniform Computer Information Transactions Act (UCITA)
- common framework for the conduct of computer-related business transactions. A federal law, eg. use of software licensing