LDR551-Book 3

Question 1

What does the Internet Storm Center do?

Answer 1

Operates the Internet’s early warning system.

Question 2

What skills are necessary for security leaders?

Answer 2

Business, leadership, and technical skills.

Question 3

What is the inefficiency in traditional Blue Team operations?

Answer 3

Each team gathers and analyzes threat intel independently.

Question 4

What is the benefit of information sharing in Blue Team operations?

Answer 4

Efficient sharing of defense knowledge.

Question 5

What is MITRE ATT&CK?

Answer 5

Model for sharing attacker tactics and techniques.

Question 6

What are Sigma signatures used for?

Answer 6

Log content matching.

Question 7

What is the purpose of Jupyter notebooks in security analysis?

Answer 7

Make complex analysis repeatable and shareable.

Question 8

What is MITRE D3FEND?

Answer 8

Knowledge graph of security countermeasures.

Question 9

What is MITRE Engage?

Answer 9

Knowledge base for denial, deception, and adversary engagement.

Question 10

What is D3FEND?

Answer 10

A knowledge graph mapping security countermeasures to attacks

Question 11

What is the main goal of D3FEND?

Answer 11

Establish a common vocabulary for security tools

Question 12

What is the most obvious use case for D3FEND?

Answer 12

Capturing and comparing features of controls

Question 13

What has replaced MITRE’s Shield framework?

Answer 13

MITRE Engage

Question 14

What does MITRE Engage describe?

Answer 14

Denial, deception, and adversary engagement techniques

Question 15

What new concepts were added in MITRE Engage?

Answer 15

Goals and adversary vulnerabilities

Question 16

What is YARA?

Answer 16

A language for defining file characteristics

Question 17

What can YARA signatures identify?

Answer 17

Strings, bytes, and other content in files

Question 18

Why should teams invest in learning YARA?

Answer 18

To produce file-based threat detections

Question 19

What makes YARA signatures easy to manage?

Answer 19

Simple text-based format for change tracking

Question 20

Who created notable YARA rule sets?

Answer 20

Didier Stevens and Florian Roth

Question 21

What is Sigma?

Answer 21

High-level generic language for log analytics

Question 22

Who leads the Sigma project?

Answer 22

Florian Roth and Thomas Patzke

Question 23

What problem does Sigma address?

Answer 23

Generic detection for log content

Question 24

How does Sigma benefit SOC teams?

Answer 24

Allows sharing and distributing log analytics

Question 25

What format are Sigma rules written in?

Answer 25

Text-based YAML files

Question 26

What does Sigma eliminate?

Answer 26

Vendor lock-in

Question 27

What is a key benefit of Sigma’s text-based format?

Answer 27

Enables version control for analytics

Question 28

What can Sigma’s metadata sections refer to?

Answer 28

ATT&CK tactics and techniques

Question 29

What tool can be used to visualize Sigma data on MITRE’s ATT&CK navigator?

Answer 29

Sigma tools

Question 30

What does implementing Sigma help avoid when changing SIEM products?

Answer 30

Migration pains

Question 31

What format are Sigma rule files written in?

Answer 31

YAML

Question 32

What does the metadata in a Sigma rule include?

Answer 32

Title, status, description, author, tag

Question 33

What is the purpose of the log source in a Sigma rule?

Answer 33

Indicates the log type, brand, service

Question 34

Why is auditing Sigma rules easy?

Answer 34

YAML formatting

Question 35

What can be easily performed using Sigma rules?

Answer 35

Gap analysis

Question 36

What does the Sigma converter do?

Answer 36

Converts generic rules to SIEM-specific queries

Question 37

What is a major benefit of Sigma format rules?

Answer 37

Analytic version control

Question 38

What would increase ops tempo for defense teams?

Answer 38

Publishing analytics in Sigma format

Question 39

What do analysts often lack knowledge in?

Answer 39

Writing Python code and understanding analysis

Question 40

What do notebooks lower the bar for?

Answer 40

Applying advanced analysis and data science

Question 41

What should you avoid when running cells in a notebook?

Answer 41

Using “run all cells”

Question 42

What does the notebook credential compromise notebook leverage for analysis?

Answer 42

Machine learning

Question 43

Where can you find pre-made threat hunting oriented notebooks?

Answer 43

GitHub repo

Question 44

What are examples of pre-captured logs and network data for analytic testing?

Answer 44

Mordor, EVTX-ATTACK-SAMPLES, Splunk Boss of the SOC

Question 45

What project allows you to spin up Active Directory labs in Azure?

Answer 45

Adaz

Question 46

What does Splunk’s Attack Range perform?

Answer 46

Attack simulation using different engines

Question 47

What does the Attack Range integrate into to automate detection rule testing?

Answer 47

CI/CD pipeline

Question 48

What are some shared data types for cyber defense?

Answer 48

Tactics with ATT&CK, detection with YARA and Sigma

Question 49

What should you do if your tools don’t support YARA and Sigma signatures?

Answer 49

Request it from your vendor

Question 50

What are the benefits of simple text-based formats?

Answer 50

Help with version control and make information sharable.

Question 51

Where should you share new detections or analysis methods?

Answer 51

Conferences, GitHub, or anywhere the Blue Team benefits.

Question 52

What is the second core SOC function responsible for?

Answer 52

Finding malicious content in gathered events.

Question 53

What is a central struggle for nearly every SOC?

Answer 53

Alert tuning.

Question 54

What is the first step to detection?

Answer 54

Submitting the captured event to analytic matching rules.

Question 55

What should receive top priority for analysis if resources are limited?

Answer 55

Logs most likely to identify an intrusion.

Question 56

What determines how many alerts will be made?

Answer 56

Accuracy, sensitivity, and rule count.

Question 57

What would an ideal detection system achieve?

Answer 57

100% true positives, no false positives, no false negatives.

Question 58

What must a reliable detection system support?

Answer 58

Reliable collection, health telemetry, and analytic development.

Question 59

What is the “fuel” for modern, detection-oriented SOCs?

Answer 59

SIEM function

Question 60

What are the commonalities in effective detection solutions?

Answer 60

Reliable, scalable, healthy, low overhead, analytic abstraction

Question 61

What are the four analytic outcomes for events?

Answer 61

True positives, true negatives, false positives, false negatives

Question 62

Why are false positives problematic for SOC analysts?

Answer 62

They drive analysts crazy daily

Question 63

Why are false negatives considered the worst outcome?

Answer 63

They indicate undetected attacks

Question 64

Can a detection system achieve zero false positives and zero false negatives?

Answer 64

No, it’s unrealistic

Question 65

What does the “alerting threshold” represent?

Answer 65

Line separating alert/no alert events

Question 66

What happens when you lower the alerting threshold?

Answer 66

Increase false positives

Question 67

What happens when you raise the alerting threshold?

Answer 67

Increase false negatives

Question 68

What is the SOC manager’s job regarding false positives and false negatives?

Answer 68

Decide the acceptable mix

Question 69

What should analysts know if the system prioritizes minimizing false positives?

Answer 69

Very small chance of false positives

Question 70

What is the key to writing the best possible detection rules?

Answer 70

Apply analytics downstream, post enrichment

Question 71

How can you improve the accuracy of analytics in SOCs?

Answer 71

Use correlation and enrichment

Question 72

What is one way of working alerting with Snort IDS?

Answer 72

Send alerts for everything that matches one of the signatures.

Question 73

How can SOCs improve upon sending IDS alerts straight to a triage queue?

Answer 73

Forward Snort information to the SIEM for enrichment.

Question 74

What can internal IPs in the alert be cross-referenced against?

Answer 74

DHCP logs, hostnames, and vulnerability databases.

Question 75

What does Snort not know about the web server?

Answer 75

Whether it runs Apache or its patch level.

Question 76

What should be done instead of forwarding alerts directly to a triage queue?

Answer 76

Send the alert to the SIEM for further analysis.

Question 77

What is the benefit of sending alerts to the SIEM?

Answer 77

Alerts irrelevant to the system can be ignored.

Question 78

How should the Snort alert rule be implemented at the SIEM?

Answer 78

If Snort sends an alert for an exploit against a system and that system runs the affected software and version, then alert.

Question 79

What is a key action in assessing false positives and analytic accuracy?

Answer 79

Assessing accuracy of individual analytics.

Question 80

What should you periodically run a report on?

Answer 80

Each alert that fired.

Question 81

What should all analytics have?

Answer 81

A unique ID.

Question 82

What should alert instances include?

Answer 82

Unique ID and final disposition.

Question 83

What is a key activity in keeping sanity in your SOC?

Answer 83

Knowing the accuracy and count of each analytic.

Question 84

What should each analytic have?

Answer 84

A unique identifier or alert name.

Question 85

What happens when your analytics match?

Answer 85

An alert is created with a unique ID.

Question 86

What should you do after a week of analytics activity?

Answer 86

Create metrics on fired alerts.

Question 87

What should the final determination of alerts be labeled for?

Answer 87

Easy counting for metrics.

Question 88

What should be done with false positives?

Answer 88

Dismissed from the alert queue.

Question 89

What should both paths of false positives lead to?

Answer 89

A label for ultimate “false positive count.”

Question 90

How should you evaluate your best and worst analytics?

Answer 90

Create a chart grouping by unique alert ID.

Question 91

What does creating the chart of alerts help visualize?

Answer 91

True and false positive counts and ratios per rule.

Question 92

What is the goal when tuning alerts to minimize time wasted?

Answer 92

Fix the source of the highest number of false positives first.

Question 93

Which alert should be addressed after fixing alert C?

Answer 93

Alert A, due to higher false positives count.

Question 94

What should be done if Alert E continuously produces no value?

Answer 94

Alert E should likely be disabled

Question 95

What are the two variables to consider for high volume alerts?

Answer 95

Analytics’ accuracy and apparent priority

Question 96

What action is suggested for high volume, poor accuracy, low priority alerts?

Answer 96

Disable or fix them

Question 97

What should be done with high volume, poor accuracy, high priority alerts?

Answer 97

Fix them first

Question 98

How should high volume, accurate, low priority alerts be handled?

Answer 98

Triage and possibly group alerts

Question 99

What is the key to success in dealing with high volume alerts?

Answer 99

Increased efficiency

Question 100

What indicates a prevention capability issue in high volume alerts?

Answer 100

High accuracy and high priority alerts

Question 101

What should be done if true positives remain high after controls?

Answer 101

Consider adding more people

Question 102

Why might some attacks not apply to your environment?

Answer 102

You don’t run the relevant software

Question 103

Why should internet noise alerts be suppressed?

Answer 103

They waste time and provide no value

Question 104

What is Hanlon’s Razor?

Answer 104

Never attribute to malice what can be explained by stupidity

Question 105

What should be done with rules not tied to a specific use case?

Answer 105

Deactivate them

Question 106

What is the solution for advanced attacks triggering low priority alerts?

Answer 106

Use Risk Based Scoring

Question 107

What does Risk Based Scoring involve?

Answer 107

Assigning risk scores based on predefined rules

Question 108

What is the purpose of collecting all suspicious events into a holding area?

Answer 108

To aggregate risk by user/host/asset/system.

Question 109

What triggers an analyst’s attention in risk-based scoring?

Answer 109

Hitting a threshold per user/device.

Question 110

How can low priority alerts indicate potential compromise?

Answer 110

By aggregating alerts over time for the same systems and users.

Question 111

What is the middle ground approach used by many SOCs for low priority alerts?

Answer 111

Risk based scoring or alerting.

Question 112

How do alerting systems handle low priority alerts in risk-based scoring?

Answer 112

Collect all alerts, score risk based on user, system, and software.

Question 113

When is a situation escalated in a risk-based alerting system?

Answer 113

When enough alerts occur for a single user or system.

Question 114

What assumption is key to risk-based scoring?

Answer 114

Advanced attacks may only fire low priority anomaly alerts.

Question 115

How can repeated low priority alerts help identify attacks?

Answer 115

By triggering more than one alert for the same system.

Question 116

Who documented a specific method for risk-based scoring at the 2019 SANS SIEM Summit?

Answer 116

Jim Apger, staff architect at Splunk.

Question 117

What impact did Jim Apger’s “Risk Based Attribution” method reportedly have?

Answer 117

Increased true positive alert rate, reduced alert count.

Question 118

What factors affect alert count in detection systems?

Answer 118

Scope, sensitivity, accuracy, and analytics enabled.

Question 119

What is the worst part of many analysts’ jobs?

Answer 119

False positives.

Question 120

What is more dangerous than false positives?

Answer 120

False negatives.

Question 121

What is crucial for improving true positive separation from false positives?

Answer 121

Data enrichment and constant analytic testing and tuning.

Question 122

What should SOCs prioritize to combat alert fatigue and burnout?

Answer 122

Understanding and maximizing enrichment opportunities.

Question 123

What should be done if high volume alerts indicate valid concerns?

Answer 123

Block the issue before it becomes a problem.

Question 124

What can remedy bad high volume alert rules?

Answer 124

Tuning, enrichment, suppression, or risk based scoring.

Question 125

What is the focus of Section 3 in the course?

Answer 125

Attack Detection, Threat Hunting, and Triage

Question 126

What are the objectives of Exercise 3.1?

Answer 126

Rule management, Sigma usage, Git tracking, MITRE visualization

Question 127

What is the key to success in the triage phase?

Answer 127

Speed, accuracy, context, automation

Question 128

What is a downside of a tiered SOC?

Answer 128

Complex alerts may be improperly passed over

Question 129

What is a benefit of a tierless SOC?

Answer 129

Analysts gain exposure to diverse data

Question 130

What is a downside of a tierless SOC?

Answer 130

Analysts must work closely to avoid cherry-picking alerts

Question 131

What is the MSSP hybrid model?

Answer 131

A strategy for dealing with complex alerts in-house

Question 132

What is the role of MSSP in the hybrid model?

Answer 132

Outsourced Tier 1 for filtering alerts

Question 133

What is a key advantage of the MSSP hybrid model?

Answer 133

In-house team focuses on important items

Question 134

What is a major con of the MSSP hybrid model?

Answer 134

Trusting first line to someone else

Question 135

How can the risk of MSSP incorrectly dismissing alerts be mitigated?

Answer 135

Pre-determine high-priority alerts

Question 136

What is a con of pre-determining high-priority alerts?

Answer 136

Requires frontloaded work to review alerts

Question 137

What should be tracked to measure MSSP effectiveness?

Answer 137

Incidents by alert source, false positive rate

Question 138

What skills are necessary for accurate triage and risk assessment?

Answer 138

Understanding alert, attack stage, context

Question 139

What is a benefit of triaging alerts in the point product?

Answer 139

Interface is designed for specific alert type

Question 140

What is a downside of triaging alerts in the SIEM?

Answer 140

Data related to alert is in remote system

Question 141

What is a downside of using SIEMs for displaying network packets?

Answer 141

SIEMs aren’t always the best way to display network packets.

Question 142

What is the third option for handling alerts in a SIEM?

Answer 142

Gather all alerts, enrich them, and push to incident management.

Question 143

Why might ticketing systems offer the best UI and user experience for alert triage?

Answer 143

Ticketing systems are often specifically designed for this workflow.

Question 144

What is a downside of using ticketing systems similar to SIEMs?

Answer 144

May need to reach out to other systems for additional data.

Question 145

What must the software used to triage alerts support?

Answer 145

Must support the workflow and data display needed.

Question 146

What is the ideal experience for displaying data in an alert triage system?

Answer 146

Well-formatted data displayed clearly and field-separated.

Question 147

What should analysts be able to see in an alert triage system?

Answer 147

All metadata, original packet/log, and signature/analytic.

Question 148

What should analysts be able to do from the alert view?

Answer 148

Easily enrich or pivot to external data with a click.

Question 149

How should fields be transferred when an alert is accepted as true positive?

Answer 149

Without extraneous copy and paste or formatting changes.

Question 150

Name two point product-based alert triage systems.

Answer 150

Sguil and EveBox.

Question 151

What do Sguil and EveBox offer?

Answer 151

View packet metadata, full PCAP captures, signatures, enrichment information.

Question 152

What is key to success in alert triage systems?

Answer 152

No manual process of moving data into different boxes.

Question 153

What should you do if security products don’t supply data in the needed format?

Answer 153

Use SOAR or a script to format data seamlessly.

Question 154

What are important alerts for immediate attention?

Answer 154

Targeted attacks, exploits against sensitive info, safety critical infrastructure.

Question 155

What indicates an attack should jump to the top of the priority list?

Answer 155

Exploits against air gapped or segmented subnets.

Question 156

What must analysts do when faced with limited resources?

Answer 156

Look for the very worst items first.

Question 157

What often signifies the worst attacks?

Answer 157

Attacks nearing completion of attackers’ goals.

Question 158

What should analysts do if they see signs of data theft, destruction, or denial of service?

Answer 158

Take quick action.

Question 159

What must analysts be familiar with to identify high-priority items?

Answer 159

Organization’s threat model and attack tactics.

Question 160

What helps analysts make the call on advanced attack stages?

Answer 160

Perspective on attacker techniques and target systems.

Question 161

What combination helps get analysts to identify advanced attacks?

Answer 161

Data classification, technology, experience, and Red Team training.

Question 162

What does Microsoft Defender for Office 365 support for prioritizing accounts?

Answer 162

Account tagging for fast identification of priority account attacks.

Question 163

Why is fast and accurate triage of suspicious email important?

Answer 163

90% of attacks originate over email, high cost of breaches.

Question 164

What is a new feature in Defender for Office 365 Plan 2?

Answer 164

Priority Account Protection

Question 165

What does Priority Account Protection allow security teams to do?

Answer 165

Tag accounts for high visibility alerts

Question 166

Who should you tag with Priority Account Protection?

Answer 166

VIPs, C-Suite, admin users, help desk, accounting

Question 167

What is one benefit of tagging accounts during triage?

Answer 167

Visually labeled, stands out in alerts

Question 168

How can custom workflows for tagged accounts help?

Answer 168

Increase speed of addressing alerts

Question 169

What can trigger a fast response for priority account alerts?

Answer 169

Notify SOC members via SMS/email

Question 170

What should you design for priority account alerts?

Answer 170

Fast track treatment workflows

Question 171

How does Defender for Office 365 support investigation of tagged accounts?

Answer 171

Priority tags in submission queues, quarantine, threat explorer

Question 172

What does distinguishing attack trends to priority accounts help with?

Answer 172

Build relevant threat intelligence

Question 173

What key information should alerts include for proper triage?

Answer 173

User type, asset, patching status, criticality

Question 174

How can you ensure alerts are prioritized correctly from the start?

Answer 174

Show key info about source and destination in triage interface

Question 175

What is required for effective alert triage?

Answer 175

Data classification

Question 176

What should SIEMs monitor to keep user lists up-to-date?

Answer 176

Domain administrators, email administrators groups

Question 177

What is the benefit of loading information at one point in time?

Answer 177

Prevents data, system, and user lists from becoming outdated.

Question 178

What is the focus of the Efficient Alert Triage Summary?

Answer 178

Fundamentals of alert triage and investigation.

Question 179

What must be done to convert noise into meaningful signal in an alert queue?

Answer 179

Effectively process and triage the data.

Question 180

What was discussed regarding managing alerts in a SOC?

Answer 180

Fundamentals, tools, approaches, and strategies.

Question 181

What should analysts prioritize to respond to late-stage attacks?

Answer 181

Identify and prioritize critical alerts.

Question 182

What helps separate important alerts from noise?

Answer 182

Adding context to alerts.

Question 183

What is the next step after handling current alerts in a SOC?

Answer 183

Designing and creating new analytics.

Question 184

What are the sections covered in the Course Roadmap?

Answer 184

SOC Design, Telemetry, Attack Detection, and more.

Question 185

What should analysts have for various alert conditions?

Answer 185

Reference for alert conditions and reactions.

Question 186

What supports the creation of playbooks for analysts?

Answer 186

Use case documentation.

Question 187

What drives the data collection required in detection?

Answer 187

Use cases implemented.

Question 188

Who described the “Githubification of Infosec”?

Answer 188

John Lambert

Question 189

What is the “Githubification of Infosec”?

Answer 189

Community-based, democratized approach to analysis

Question 190

What tools support a common language for detections?

Answer 190

Sigma, Jupyter, YARA, ATT&CK

Question 191

What should you strive to maintain for effective incident response?

Answer 191

Proven set of curated detections

Question 192

What are the inputs to the detection engineering process?

Answer 192

Threat model, intelligence, visibility

Question 193

What does the detection engineering process include?

Answer 193

Data sources, event pipelines, correlation, enrichment

Question 194

What is the goal of detection engineering?

Answer 194

Complete data sources, robust pipeline, flexible detections

Question 195

What is detection engineering?

Answer 195

Blending engineering and analysis to identify and implement use cases

Question 196

What varies depending on SOC maturity in detection engineering?

Answer 196

Process and rigor

Question 197

What should analytics be based on?

Answer 197

Intelligence and threat model

Question 198

What should advanced teams avoid when solving detection problems?

Answer 198

Avoid solving detection problems with analysts.

Question 199

What should detection engineers be aware of according to the “law of the lever”?

Answer 199

Work imbalance created by new detections.

Question 200

What do engineering best practices involve in detection engineering?

Answer 200

Building rigor into the process and thorough testing.

Question 201

What is crucial to provide analysts to reduce their response time?

Answer 201

Arm analysts with as much information as possible.

Question 202

What should not be given a pass in detection engineering?

Answer 202

Bad alerts must be tuned or retired.

Question 203

When should detections be tested according to the guiding principles?

Answer 203

Before an incident occurs.

Question 204

What is the importance of historical accuracy in rule classification?

Answer 204

True/false positive ratio of past rule firings.

Question 205

What should analysts consider about the type of alert?

Answer 205

Whether it detects known malicious activities or anomalies.

Question 206

What should be documented in a use case?

Answer 206

Conditions/attack techniques to detect and related details.

Question 207

What is the purpose of use case tracking in a SOC?

Answer 207

List specific conditions to detect and how to detect them.

Question 208

What should a use case documentation set include?

Answer 208

Why detect condition, detection method, owner, required data

Question 209

Why is tracking detailed use cases important for SOCs?

Answer 209

To avoid “tribal knowledge” and ensure continuity

Question 210

What happens if detection conditions are undocumented and key personnel leave?

Answer 210

No one may know what an alarm means or what action to take

Question 211

What alleviates the issue of undocumented detection conditions?

Answer 211

Use case documentation and tracking

Question 212

Where should information on actions to take when key alerts fire be kept?

Answer 212

Use case database or tracking system

Question 213

What are key items to look for in a use case tracking solution?

Answer 213

Usability, customization, flexibility, metrics reporting capability

Question 214

What should a use case tracking tool be easy to do?

Answer 214

Enter new data and track life cycle and metadata

Question 215

What is a use case database for?

Answer 215

Documenting new analytics and supporting details

Question 216

What should analysts refer to when seeing an alert for the first time?

Answer 216

Use case information in the database

Question 217

What additional function should a use case database serve?

Answer 217

Generate metrics

Question 218

What features are important in a use case database platform?

Answer 218

Field customization, owner assignment, nested items, framework alignment

Question 219

What drives the formality of a use case tracking system?

Answer 219

Size and complexity of SOC operation

Question 220

What tools might smaller teams use for use case tracking?

Answer 220

Excel

Question 221

What should a use case tracking system ideally allow?

Answer 221

Simple use, easy customization, organization, change tracking, metric generation

Question 222

What can use case database metrics drive?

Answer 222

Investments in new technology

Question 223

Who are the primary users of a use case database?

Answer 223

Analysts

Question 224

Who documents the details of analytics in the use case database?

Answer 224

Detection engineers

Question 225

What should managers be able to do with a use case database?

Answer 225

Answer coverage questions and pull metrics