LDR551-Book 3 Flashcards
What does the Internet Storm Center do?
Operates the Internet’s early warning system.
What skills are necessary for security leaders?
Business, leadership, and technical skills.
What is the inefficiency in traditional Blue Team operations?
Each team gathers and analyzes threat intel independently.
What is the benefit of information sharing in Blue Team operations?
Efficient sharing of defense knowledge.
What is MITRE ATT&CK?
Model for sharing attacker tactics and techniques.
What are Sigma signatures used for?
Log content matching.
What is the purpose of Jupyter notebooks in security analysis?
Make complex analysis repeatable and shareable.
What is MITRE D3FEND?
Knowledge graph of security countermeasures.
What is MITRE Engage?
Knowledge base for denial, deception, and adversary engagement.
What is D3FEND?
A knowledge graph mapping security countermeasures to attacks
What is the main goal of D3FEND?
Establish a common vocabulary for security tools
What is the most obvious use case for D3FEND?
Capturing and comparing features of controls
What has replaced MITRE’s Shield framework?
MITRE Engage
What does MITRE Engage describe?
Denial, deception, and adversary engagement techniques
What new concepts were added in MITRE Engage?
Goals and adversary vulnerabilities
What is YARA?
A language for defining file characteristics
What can YARA signatures identify?
Strings, bytes, and other content in files
Why should teams invest in learning YARA?
To produce file-based threat detections
What makes YARA signatures easy to manage?
Simple text-based format for change tracking
Who created notable YARA rule sets?
Didier Stevens and Florian Roth
What is Sigma?
High-level generic language for log analytics
Who leads the Sigma project?
Florian Roth and Thomas Patzke
What problem does Sigma address?
Generic detection for log content
How does Sigma benefit SOC teams?
Allows sharing and distributing log analytics
What format are Sigma rules written in?
Text-based YAML files
What does Sigma eliminate?
Vendor lock-in
What is a key benefit of Sigma’s text-based format?
Enables version control for analytics
What can Sigma’s metadata sections refer to?
ATT&CK tactics and techniques
What tool can be used to visualize Sigma data on MITRE’s ATT&CK navigator?
Sigma tools
What does implementing Sigma help avoid when changing SIEM products?
Migration pains
What format are Sigma rule files written in?
YAML
What does the metadata in a Sigma rule include?
Title, status, description, author, tag
What is the purpose of the log source in a Sigma rule?
Indicates the log type, brand, service
Why is auditing Sigma rules easy?
YAML formatting
What can be easily performed using Sigma rules?
Gap analysis
What does the Sigma converter do?
Converts generic rules to SIEM-specific queries
What is a major benefit of Sigma format rules?
Analytic version control
What would increase ops tempo for defense teams?
Publishing analytics in Sigma format
What do analysts often lack knowledge in?
Writing Python code and understanding analysis
What do notebooks lower the bar for?
Applying advanced analysis and data science
What should you avoid when running cells in a notebook?
Using “run all cells”
What does the notebook credential compromise notebook leverage for analysis?
Machine learning
Where can you find pre-made threat hunting oriented notebooks?
GitHub repo
What are examples of pre-captured logs and network data for analytic testing?
Mordor, EVTX-ATTACK-SAMPLES, Splunk Boss of the SOC
What project allows you to spin up Active Directory labs in Azure?
Adaz
What does Splunk’s Attack Range perform?
Attack simulation using different engines
What does the Attack Range integrate into to automate detection rule testing?
CI/CD pipeline
What are some shared data types for cyber defense?
Tactics with ATT&CK, detection with YARA and Sigma
What should you do if your tools don’t support YARA and Sigma signatures?
Request it from your vendor
What are the benefits of simple text-based formats?
Help with version control and make information sharable.
Where should you share new detections or analysis methods?
Conferences, GitHub, or anywhere the Blue Team benefits.
What is the second core SOC function responsible for?
Finding malicious content in gathered events.
What is a central struggle for nearly every SOC?
Alert tuning.
What is the first step to detection?
Submitting the captured event to analytic matching rules.
What should receive top priority for analysis if resources are limited?
Logs most likely to identify an intrusion.
What determines how many alerts will be made?
Accuracy, sensitivity, and rule count.
What would an ideal detection system achieve?
100% true positives, no false positives, no false negatives.
What must a reliable detection system support?
Reliable collection, health telemetry, and analytic development.
What is the “fuel” for modern, detection-oriented SOCs?
SIEM function
What are the commonalities in effective detection solutions?
Reliable, scalable, healthy, low overhead, analytic abstraction
What are the four analytic outcomes for events?
True positives, true negatives, false positives, false negatives
Why are false positives problematic for SOC analysts?
They drive analysts crazy daily
Why are false negatives considered the worst outcome?
They indicate undetected attacks
Can a detection system achieve zero false positives and zero false negatives?
No, it’s unrealistic
What does the “alerting threshold” represent?
Line separating alert/no alert events
What happens when you lower the alerting threshold?
Increase false positives
What happens when you raise the alerting threshold?
Increase false negatives
What is the SOC manager’s job regarding false positives and false negatives?
Decide the acceptable mix
What should analysts know if the system prioritizes minimizing false positives?
Very small chance of false positives
What is the key to writing the best possible detection rules?
Apply analytics downstream, post enrichment
How can you improve the accuracy of analytics in SOCs?
Use correlation and enrichment
What is one way of working alerting with Snort IDS?
Send alerts for everything that matches one of the signatures.
How can SOCs improve upon sending IDS alerts straight to a triage queue?
Forward Snort information to the SIEM for enrichment.
What can internal IPs in the alert be cross-referenced against?
DHCP logs, hostnames, and vulnerability databases.
What does Snort not know about the web server?
Whether it runs Apache or its patch level.
What should be done instead of forwarding alerts directly to a triage queue?
Send the alert to the SIEM for further analysis.
What is the benefit of sending alerts to the SIEM?
Alerts irrelevant to the system can be ignored.
How should the Snort alert rule be implemented at the SIEM?
If Snort sends an alert for an exploit against a system and that system runs the affected software and version, then alert.
What is a key action in assessing false positives and analytic accuracy?
Assessing accuracy of individual analytics.
What should you periodically run a report on?
Each alert that fired.
What should all analytics have?
A unique ID.
What should alert instances include?
Unique ID and final disposition.
What is a key activity in keeping sanity in your SOC?
Knowing the accuracy and count of each analytic.
What should each analytic have?
A unique identifier or alert name.
What happens when your analytics match?
An alert is created with a unique ID.
What should you do after a week of analytics activity?
Create metrics on fired alerts.
What should the final determination of alerts be labeled for?
Easy counting for metrics.
What should be done with false positives?
Dismissed from the alert queue.
What should both paths of false positives lead to?
A label for ultimate “false positive count.”
How should you evaluate your best and worst analytics?
Create a chart grouping by unique alert ID.