Enterprise Security Fundamentals Flashcards

Introduction to Cybersecurity

1
Q

Cybersecurity Landscape - App Development Security

A

Adopt secure app development practices

2
Q

Cybersecurity Landscape - Skill gap

A

IT staff must be trained in information security processes

3
Q

Cybersecurity Landscape - Technology lag

A

Keep operating systems and applications on current, supported versions; out-of-date software lacks newer security features and stops receiving fixes for known vulnerabilities.

4
Q

Cybersecurity Landscape - Availability and sophistication of attack tools

A

Automated exploit tools are easy to procure and use

5
Q

Cybersecurity Landscape - Asymmetry of attack and defense

A

The resources required to secure an organization far exceed the resources an attacker needs to perform an intrusion: the defender must cover every path, the attacker needs only one.

6
Q

Cybersecurity Landscape - Monetization of Malware

A

Malware is now written to generate revenue directly, e.g. coin-mining malware that uses the compromised host's processing power to mine cryptocurrency for the attacker.

7
Q

Cybersecurity Landscape - Internet of Things

A

Poorly secured IoT devices are compromised in large numbers and recruited into botnets that launch distributed DoS attacks.

8
Q

Cybersecurity Landscape - Increasing regulation

A

An increasing number of jurisdictions are introducing legislation and regulation mandating the security controls that must be present for certain types of data held in organizational information systems.

9
Q

Assume Compromise Philosophy

A

An organization should build and maintain its security posture based on the idea that their information
systems have already been compromised.
The information security teams should focus on detecting and responding to suspicious activity rather
than simply preventing intrusion.

10
Q

Cost of a Breach - Proportional security

A

Security spend should be proportional to the value of assets being protected

11
Q

Cost of a Breach - Breach Investigation

A

The organization must establish how the breach occurred, how long the intruder was present and what must change so that the same attack does not work in the future; the investigation that produces this picture is itself a cost of the breach.

12
Q

Cost of a Breach - Systems rehabilitation

A

Remediate the vulnerabilities that allowed the attacker to compromise the system and undo any modifications they made to it. In many cases the only way to be sure a system is clean is to rebuild it from known-good media and then fix the vulnerabilities that allowed the attacker in, before returning it to service.

13
Q

Cost of a Breach - Reputational damage

A

When customers lose faith in an organization’s ability to protect their information, they are less likely to interact with that organization.

14
Q

Cost of a Breach - Destruction of assets

A

Some malware works by reconfiguring hardware to work beyond its safe specification. For example, overclocking a processor until it overheats and fails. Other malware erases data on target systems or renders them inoperable. In some cases, the malware is deployed deliberately, destroying sensitive systems either to inflict financial damage or as a way of forcing the target organization’s information systems to become inoperative.

15
Q

Cost of a Breach - Compliance costs

A

Depending on the type of breach that occurs and the type of industry the target organization is in, there may be fines that must be paid to specific authorities as well as investigations and reports that must be generated, all of which cost money and other organizational resources.

16
Q

Red Team vs Blue Team exercises

A

Red team simulates the attack while the blue team simulates the response to the attack.
Goal: to determine if vulnerabilities are present in the existing security configuration as well as to train
organizational staff how to detect and respond to attacks.

17
Q

Attacker’s objective - Persist Presence

A

Reliable remote access via a back door to the organization’s systems

18
Q

Attacker’s objective - Hackstortion

A

When an attacker compromises a target’s network and then requests payment for a specific action to be taken. This action might be for the attackers to destroy sensitive data they exfiltrated rather than exposing that data to the public.

19
Q

Attacker’s objective - Ransomware

A

Malware that encrypts files, and sometimes entire systems, so that they are inaccessible without the decryption key. The attackers offer that key, which can be used to recover the encrypted systems, for a fee, usually paid in a cryptocurrency such as Bitcoin.

20
Q

Attacker’s objective - Other

A

Steal data;
Coin miners;
Destroy systems.

21
Q

Red Team Kill Chain - Reconnaissance

A

To determine whether a target is worth attacking, the objectives of an attack, and the characteristics of the target

22
Q

Red Team Kill Chain - Weaponization

A

Creating, or selecting existing, remote access malware

23
Q

Red Team Kill Chain - Delivery

A

Getting the malware onto the target's information systems and executed there. Some deliveries need user interaction (opening an attachment, following a link); others exploit an exposed service remotely with no user involvement.

24
Q

Red Team Kill Chain - Exploitation

A

The attacker’s malware code successfully triggers, leveraging the targeted vulnerability

25
Q

Red Team Kill Chain - Installation

A

The original malware code is leveraged to deploy an access point, also known as a back door, through which the attacker can access the compromised beachhead system

26
Q

Red Team Kill Chain - Command and Control

A

Once the back door reports in, the attacker has a command-and-control channel to the beachhead and uses it for:
a. Lateral movement - the attacker begins to compromise other systems on the network, increasing the
number of compromised systems as they move laterally towards their goal.
b. Privilege escalation - the attacker leverages a compromised unprivileged account, such as that of a
standard user or service, into control over an account that can perform actions beyond those
original privileges.
c. Domain dominance - control of domain administrative privileges, and so of every domain-joined system; the usual end state of the two steps above.

27
Q

Red Team Kill Chain - Actions on the objective

A

Perform the necessary actions on the target in order to reach the final objective

28
Q

Blue Team

A

Is comprised of the organization’s existing information security and IT administration staff.
Goals:
- Stopping the red team from successfully achieving its goals
- Early detection and effective response to red team activities
- Post-exercise report
- Revise the incident response strategy

29
Q

Blue team Kill Chain - Gather baseline data

A

To understand what your environment looks like when it is not under attack. It means configuring effective logging, monitoring, and auditing for your organization.

30
Q

Blue team Kill Chain - Detect

A

Noticing abnormal activity on your organization’s information systems

31
Q

Blue team Kill Chain - Alert

A

The process of bringing suspicious anomalies in the telemetry generated by information systems to the attention of the blue team

32
Q

Blue team Kill Chain - Investigate

A

It should determine which systems the intruder has compromised, when those systems were compromised and how those systems were compromised

33
Q

Blue team Kill Chain - Other activities

A

Plan a response;

Execute.
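
Gather baseline, Detect and Alert (the cards above) in working form, as an added example that is not part of the original course material: a detection run over constructed Windows Security events. The field names mirror the real 4624 (logon success) and 4625 (logon failure) events; the event records, the failure threshold and the time window are constructed for illustration.

```powershell
# Added example, not from the original material. Constructed sample telemetry below;
# in production feed the functions from the Security log, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 }

$Events = @(
    # Baseline-like behaviour: one mistyped password, then success, from a workstation
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:05'; Id = 4625; Account = 'alice';      Source = '10.10.5.20' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:12'; Id = 4624; Account = 'alice';      Source = '10.10.5.20' }
    # Password spray from one source across several accounts, ending in a success
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:02:01'; Id = 4625; Account = 'bob';        Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:02:03'; Id = 4625; Account = 'carol';      Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:02:05'; Id = 4625; Account = 'dave';       Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:02:07'; Id = 4625; Account = 'erin';       Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:02:09'; Id = 4625; Account = 'svc-backup'; Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:06:40'; Id = 4624; Account = 'svc-backup'; Source = '203.0.113.7' }
)

# Baseline: how many logon failures per source is normal? Run this over a quiet period
# first and set -FailureThreshold above what ordinary users produce.
function Measure-FailureBaseline {
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Where-Object Id -eq 4625 | Group-Object Source |
        Select-Object @{ n = 'Source'; e = 'Name' }, @{ n = 'Failures'; e = 'Count' }
}

# Detect: a successful logon from a source that produced at least the threshold number
# of failures in the preceding window (brute force or password spray that finally worked).
function Find-BruteForceSuccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $FailureThreshold = 5,
        [timespan] $Window = (New-TimeSpan -Minutes 10)
    )
    foreach ($group in ($Events | Group-Object Source)) {
        $ordered = $group.Group | Sort-Object Time
        foreach ($success in ($ordered | Where-Object Id -eq 4624)) {
            $priorFailures = @($ordered | Where-Object {
                $_.Id -eq 4625 -and $_.Time -le $success.Time -and $_.Time -ge ($success.Time - $Window)
            })
            if ($priorFailures.Count -ge $FailureThreshold) {
                # Alert: one record the blue team can triage (who, from where, after how many tries)
                [pscustomobject]@{
                    Source        = $group.Name
                    Account       = $success.Account
                    SucceededAt   = $success.Time
                    PriorFailures = $priorFailures.Count
                    AccountsTried = ($priorFailures.Account | Sort-Object -Unique) -join ', '
                }
            }
        }
    }
}

Measure-FailureBaseline -Events $Events | Format-Table -AutoSize
Find-BruteForceSuccess  -Events $Events | Format-Table -AutoSize
```

With the constructed events only the 203.0.113.7 source is reported (five failures against five different accounts, then svc-backup logs on); alice's single typo stays below the threshold. The threshold is the baseline step made concrete: without first measuring what quiet-period failure rates look like, the alert either fires on every forgotten password or never fires at all.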

34
Q

Restrict Privilege Escalation

A

The process by which an attacker acquires the ability to perform a greater variety of tasks on the
organization’s systems from those that they were able to perform when they gained an initial beachhead
on the network.
The end goal of privilege escalation is to acquire full administrative privileges.

35
Q

Restrict Privilege Escalation - Privileged access workstations (PAW)

A

Access is limited to staff who perform administrative tasks.
A PAW can connect to sensitive servers but cannot browse the internet or perform non-administrative tasks such as reading email, and the software that can run on it is restricted.
Hardened with Secure Boot, BitLocker and Credential Guard, so that tampered boot components and credential theft from memory are far harder to pull off.

36
Q

Restrict Privilege Escalation - Just enough administration (JEA)

A

Creates special PowerShell endpoints that limit which PowerShell cmdlets, functions, parameters, and values can be used during a connection to the endpoint

37
Q

Restrict Privilege Escalation - Just in time administration

A

Administrative privileges are provided only for a limited amount of time.
Just in time administration can be combined with JEA
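
The JEA and just-in-time cards above, combined in one working configuration, as an added example that is not part of the original course material: a JEA endpoint exposing only service cmdlets, plus time-limited membership in the group allowed to use it. The domain CONTOSO, the group ServiceOperators, the user alice, the server srv1, the service names and the module path are all assumptions; the JEA part runs elevated on the target server, the JIT part on a machine with the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original material. All names below are assumptions.

# --- JEA: define what the role may do ------------------------------------------------
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
New-Item -ItemType Directory -Path (Join-Path $ModulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'ContosoJEA.psd1')

# Restart-Service is exposed, but its -Name parameter is pinned to a fixed list: the operator
# cannot restart arbitrary services and no other parameters are accepted at all.
New-PSRoleCapabilityFile -Path (Join-Path $ModulePath 'RoleCapabilities\ServiceOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe'

# --- JEA: bind the role to a group on a locked-down endpoint --------------------------
# RestrictedRemoteServer = NoLanguage mode, only the visible commands exist.
# RunAsVirtualAccount    = commands run as a transient local admin, not as the connecting user,
#                          so the user's own account never needs admin rights on the server.
$Pssc = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $Pssc -Force | Out-Null

# --- JIT: group membership that expires by itself --------------------------------------
# One-time forest change; needs the Privileged Access Management optional feature
# (Windows Server 2016 or later forest functional level).
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

# Two-hour membership: AD removes it automatically and caps the Kerberos ticket lifetime to match.
Add-ADGroupMember -Identity 'ServiceOperators' -Members 'alice' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)
Get-ADGroup 'ServiceOperators' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member      # members show as <TTL=seconds,CN=alice,...>

# --- What the operator sees --------------------------------------------------------------
Enter-PSSession -ComputerName srv1 -ConfigurationName ServiceOps -Credential 'CONTOSO\alice'
# Inside the session: Get-Command lists only Get-Service, Restart-Service, whoami and the
# handful of default session functions; Restart-Service -Name wuauserv is rejected by the
# ValidateSet; whoami reports a WinRM Virtual Users\... identity, not CONTOSO\alice.
```

The two controls compose: JEA bounds *what* can be done through the endpoint, the TTL bounds *for how long* alice can reach it, and the transcript directory records every command for the Investigate step. Because the endpoint runs as a virtual account, alice's domain account holds no standing privilege on srv1 that an attacker could harvest from her workstation.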

38
Q

Restrict Privilege Escalation - Restrictions on administrative accounts

A

Restricting where administrative accounts can be used: for example, domain admin accounts may log on only to domain controllers and PAWs, never to workstations or member servers, so their credentials are never left on a lower-tier host that an attacker may already control.

39
Q

Restrict Lateral Movement

A

When an attacker who has compromised one system is able to compromise another system on the
network by using an existing compromised system as a jump off point

40
Q

Restrict Lateral Movement - Code Integrity policies

A

Restrict which applications and scripts can run on a computer to a known-good set (on Windows, via Windows Defender Application Control or AppLocker), so that tools an attacker copies onto a host do not execute.
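
As an added example that is not part of the original course material, building a Windows code integrity policy with the ConfigCI module: scan a known-good reference machine, start in audit mode, then enforce. The paths, and the assumption that the reference machine's C:\ holds only approved software, are illustrative; run elevated on the reference machine.

```powershell
# Added example, not from the original material. Paths are assumptions.
$PolicyXml = 'C:\CIPolicy\BasePolicy.xml'
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Allow by signer where files are signed, fall back to file hash for unsigned binaries.
# -UserPEs includes user-mode executables (apps, scripts, DLLs), not just kernel drivers.
# Scanning all of C:\ takes a while; it must be a clean reference build, or the policy
# will whitelist whatever an attacker already left behind.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $PolicyXml

# Rule option 3 = Enabled:Audit Mode. Would-be blocks are logged as Event ID 3076 in
# Microsoft-Windows-CodeIntegrity/Operational instead of being enforced.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile to the binary form the kernel consumes and stage it (legacy single-policy
# location) for the next boot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# After a reboot: what would have been blocked? Review, add rules for legitimate gaps,
# then remove the audit option to move to enforcement and redeploy.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 }
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete

# Check the running state: CodeIntegrityPolicyEnforcementStatus 0 = off, 1 = audit, 2 = enforced.
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object CodeIntegrityPolicyEnforcementStatus
```

Audit mode first is not optional in practice: the lateral-movement benefit comes from enforcement, but enforcing a policy that misses a line-of-business application takes the workload down. Note also that once a policy is enforced, PowerShell on that host runs in Constrained Language mode, which by itself blocks most in-memory offensive tooling.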

41
Q

Restrict Lateral Movement - Network segmentation

A

Segmenting critical workloads onto separate networks and VLANS and then controlling which traffic can cross those boundaries. Network segmentation allows you to limit which hosts can communicate with sensitive servers.
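
The host-side complement to the VLAN segmentation described above, as an added example that is not part of the original course material: a sensitive server's own firewall accepts management traffic only from the privileged access workstation subnet, so a compromised ordinary workstation cannot reach it even if both sit on a reachable VLAN. The subnet 10.10.50.0/24, the rule names and the server name srv1 are assumptions; run elevated on the server, from its console or from a PAW, since the rules cut off every other path.

```powershell
# Added example, not from the original material. Subnet and names are assumptions.
$PawSubnet = '10.10.50.0/24'

# 1. Default-deny inbound on every profile; anything not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. The built-in allow groups would re-open SMB (445), RDP and WinRM to the whole
#    network; 445 in particular is the path lateral-movement tooling rides on
#    (admin shares, remote service creation, remote scheduled tasks).
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

# 3. Re-allow the management protocols, scoped to the PAW subnet only.
#    3389 = RDP, 5985/5986 = WinRM (PowerShell Remoting, including JEA endpoints).
New-NetFirewallRule -DisplayName 'Mgmt from PAW subnet only' -Group 'PAW scoping' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 3389, 5985, 5986 -RemoteAddress $PawSubnet | Out-Null

# 4. Verify the scoping took effect: the rule's address filter must list only the PAW subnet.
Get-NetFirewallRule -DisplayName 'Mgmt from PAW subnet only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# From an ordinary workstation these should now fail; from a PAW, 3389 and 5985 succeed
# and 445 still fails because nothing re-allowed it:
#   Test-NetConnection -ComputerName srv1 -Port 3389
#   Test-NetConnection -ComputerName srv1 -Port 445
```

Step 2 is the one most often skipped: a default-deny profile with the stock "File and Printer Sharing" group still enabled is not segmentation, because that group allows 445 from any address.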

42
Q

Restrict Lateral Movement - Passwords/accounts

A

No shared accounts and no password reused across systems. A local administrator password that is the same on every workstation means one compromised host unlocks all of them; each host needs its own, and service accounts should not double as interactive accounts.

43
Q

Restrict Lateral Movement - Logon script sanitation

A

Logon scripts often contain sensitive information, some even passwords in clear text. Because they live on the NETLOGON/SYSVOL share, every authenticated domain user, and therefore an attacker holding any one compromised account, can read them. Review them, remove embedded credentials and rotate any password found.
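
A scan for embedded credentials in logon scripts, as an added example that is not part of the original course material. The two sample scripts are constructed and written to a temporary folder so the example runs offline; in a domain, point -Path at \\<domain>\NETLOGON instead. The regular expressions are a starting set, not an exhaustive one.

```powershell
# Added example, not from the original material. Sample scripts below are constructed.
function Find-ScriptSecrets {
    param([Parameter(Mandatory)] [string] $Path)
    # Patterns that commonly carry cleartext secrets in .bat/.cmd/.vbs/.ps1/.kix logon scripts
    $patterns = @(
        'net\s+use\s+.*\s/user:\S+\s+\S+',           # net use X: \\srv\share /user:DOM\acct P@ss
        'password\s*[=:]\s*\S+',                     # password=..., Password: ...
        'ConvertTo-SecureString\s+.*-AsPlainText',   # PSCredential built from a literal
        '/(rp|pass(word)?):\S+',                     # schtasks /RP and runas-style switches
        'Set\s+\w+\s*=\s*"[^"]*pass[^"]*"'           # VBScript variables holding passwords
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.bat, *.cmd, *.vbs, *.ps1, *.kix |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern
                Text    = $_.Line.Trim()
            }
        }
}

# Constructed sample: one drive map that relies on the user's own logon (fine) and one that
# embeds a service account password (not fine), plus a PowerShell script with a literal secret.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'netlogon-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
@echo off
net use H: \\fs01\home$ /persistent:yes
net use S: \\fs01\secure$ /user:CONTOSO\svc-backup Summer2024!
'@ | Set-Content -Path (Join-Path $sample 'logon.bat')
@'
$cred = New-Object PSCredential('CONTOSO\svc-inv', (ConvertTo-SecureString 'Inv3ntory' -AsPlainText -Force))
Get-CimInstance Win32_ComputerSystem -ComputerName inv01 | Export-Csv \\fs01\inventory$\$env:COMPUTERNAME.csv
'@ | Set-Content -Path (Join-Path $sample 'inventory.ps1')

Find-ScriptSecrets -Path $sample | Format-Table -AutoSize
```

On the constructed input the first `net use` line is not reported (it maps the drive with the logged-on user's own Kerberos identity), while the second `net use` line and the `ConvertTo-SecureString` line are. Sanitation means removing the secret rather than obfuscating it: map drives under the user's own identity, run scheduled work under a group Managed Service Account, and treat every password the scan finds as already exposed and rotate it.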

44
Q

Restrict Lateral Movement - Apply software update and patches

A

Organizations should ensure that operating systems, applications, device drivers and firmware have all appropriate software updates applied in a timely manner as this will restrict attackers from using known exploits to perform lateral movement.

45
Q

Attack Detection - Logging and monitoring

A

The collection of system event telemetry is important to detecting and understanding how an attacker is infiltrating and compromising a system.

46
Q

Attack Detection - SIEM systems

A

Collect event log data from many sources into one place and analyze and correlate it as it is generated, raising alerts when events across systems form a suspicious pattern that no single log would show.

47
Q

Attack Detection - IDS

A

Software application, hardware or virtual appliance, that monitors an organization’s information
systems for problematic activity or violations of policy.

48
Q

Attack Detection - Attack detection and machine learning

A

Finding patterns and anomalies that may not have been apparent using older analysis techniques

49
Q

Attack Detection - Microsoft’s Advanced Threat Analytics

A

Solution deployed in on-premises environments to detect threats. It uses behavioral analytics to determine what constitutes abnormal behavior on the network based on its understanding of prior behavior of security entities

50
Q

Attack Detection - Microsoft’s Azure Advanced Threat Protection

A

All of the telemetry is funneled for analysis into the cloud rather than that analysis being performed on-premises

51
Q

Attack Detection - Microsoft’s Azure Security Center

A

Can analyze event telemetry from servers running on-premises (bare metal or virtualized) as well as from IaaS virtual machines, correlating events so that administrators can view the timeline of a specific attack and the steps that can be taken to mitigate it.

52
Q

Attack Detection - Microsoft’s Windows Defender Advanced Threat Protection

A

Endpoint behavioral sensors : Monitors a Windows 10 computer’s telemetry, including gathering data from event logs, running processes, registry, file, and network communications data. This data is forwarded to the organization’s Windows Defender ATP cloud instance.

Cloud security analytics takes the telemetry gathered at the endpoint level and analyzes that data, providing threat detections and recommended responses back to the organization.

Threat intelligence : engages with partner organizations to identify attacker tools and techniques and to raise alerts when evidence of these tools and techniques surfaces in customer telemetry.

Office 365 ATP:
Scan email attachments to find malware;
Scan email messages and office documents to locate malicious web addresses;
Locate spoof email messages;
Determine when an attacker attempts to impersonate your users or organization’s custom domains.

53
Q

CIA triad - Confidentiality

A

Ensuring that the dissemination of info is limited to the intended audience and remains unavailable to unauthorized persons

54
Q

CIA triad - Integrity

A

Ensuring data isn’t modified or deleted without authorization. Authorized modifications should also be tracked. Auditing and change tracking should be implemented.

55
Q

CIA triad - Availability

A

Ensuring data is accessible to those that have permission to access it when they need it.
Ensuring that data remains available after information systems become unavailable, either through
equipment failure, data corruption or natural disaster.

56
Q

Organization Preparation - Baseline Security Posture

A

An organization’s desired/expected security configuration

57
Q

Organization Preparation - Information Classification

A

Determining which information needs to be protected and the level of protection. Determines which controls will be implemented when it comes to addressing the pillars of CIA triad

58
Q

Organization Preparation - Change tracking and auditing

A

Determining who modified a document, when it was modified and what modifications were done. Auditing - info about which users, authorized and unauthorized, may have attempted or gained access to data

59
Q

Organization Preparation - Monitoring and Reporting

A

Collecting system event telemetry to determine what actions an external intruder might be taking and also what unauthorized actions an authorized insider might be performing

60
Q

Developing and Maintaining Policies

A

They provide clarity on how sensitive info is to be protected and who is responsible for configuring and maintaining the controls that provide the protection.

61
Q

Pre-Incident processes

A

Maintaining the organization’s ongoing baseline security posture:

  • patch management strategy
  • effective monitoring and alerting - only a calibrated monitoring and alerting system can warn that
    an incident is occurring
  • ensuring good administrative practices - privileged access workstations, just enough administration,
    privileged access management
  • restricting the possibility of lateral movement
  • ensuring good data classification and protection practices
  • performing red team exercises regularly

62
Q

Intra-Incident processes

A

Policies and procedures for when an intruder is detected:

  • determine the extent of the compromise - a detailed investigation on which systems have been
    compromised, how and when
  • plan a response - the attempt to evict the intruder occurs only after the extent of the compromise
    has been determined
  • enact the response - evict the intruder and also remediate the vulnerabilities that allowed the
    intruder to gain access to the network

63
Q

Post-Incident processes

A

Analysis of what was lacking in the implementation of the baseline security posture that allowed the intruder to gain access

64
Q

Disclosure responsibility

A

Not only must information systems be remediated, but appropriate notifications must be made