LDR551-Book 3 Flashcards
What does the Internet Storm Center do?
Operates the Internet’s early warning system.
What skills are necessary for security leaders?
Business, leadership, and technical skills.
What is the inefficiency in traditional Blue Team operations?
Each team gathers and analyzes threat intel independently.
What is the benefit of information sharing in Blue Team operations?
Efficient sharing of defense knowledge.
What is MITRE ATT&CK?
Model for sharing attacker tactics and techniques.
What are Sigma signatures used for?
Log content matching.
What is the purpose of Jupyter notebooks in security analysis?
Make complex analysis repeatable and shareable.
What is MITRE D3FEND?
Knowledge graph of security countermeasures.
What is MITRE Engage?
Knowledge base for denial, deception, and adversary engagement.
What is D3FEND?
A knowledge graph mapping security countermeasures to attacks
What is the main goal of D3FEND?
Establish a common vocabulary for security tools
What is the most obvious use case for D3FEND?
Capturing and comparing features of controls
What has replaced MITRE’s Shield framework?
MITRE Engage
What does MITRE Engage describe?
Denial, deception, and adversary engagement techniques
What new concepts were added in MITRE Engage?
Goals and adversary vulnerabilities
What is YARA?
A language for defining file characteristics
What can YARA signatures identify?
Strings, bytes, and other content in files
Why should teams invest in learning YARA?
To produce file-based threat detections
What makes YARA signatures easy to manage?
Simple text-based format for change tracking
Who created notable YARA rule sets?
Didier Stevens and Florian Roth
What is Sigma?
High-level generic language for log analytics
Who leads the Sigma project?
Florian Roth and Thomas Patzke
What problem does Sigma address?
Generic detection for log content
How does Sigma benefit SOC teams?
Allows sharing and distributing log analytics
What format are Sigma rules written in?
Text-based YAML files
What does Sigma eliminate?
Vendor lock-in
What is a key benefit of Sigma’s text-based format?
Enables version control for analytics
What can Sigma’s metadata sections refer to?
ATT&CK tactics and techniques
What tool can be used to visualize Sigma data on MITRE’s ATT&CK navigator?
Sigma tools
What does implementing Sigma help avoid when changing SIEM products?
Migration pains
What format are Sigma rule files written in?
YAML
What does the metadata in a Sigma rule include?
Title, status, description, author, tag
What is the purpose of the log source in a Sigma rule?
Indicates the log type, brand, service
Why is auditing Sigma rules easy?
YAML formatting
What can be easily performed using Sigma rules?
Gap analysis
What does the Sigma converter do?
Converts generic rules to SIEM-specific queries
What is a major benefit of Sigma format rules?
Analytic version control
What would increase ops tempo for defense teams?
Publishing analytics in Sigma format
What do analysts often lack knowledge in?
Writing Python code and understanding analysis
What do notebooks lower the bar for?
Applying advanced analysis and data science
What should you avoid when running cells in a notebook?
Using “run all cells”
What does the notebook credential compromise notebook leverage for analysis?
Machine learning
Where can you find pre-made threat hunting oriented notebooks?
GitHub repo
What are examples of pre-captured logs and network data for analytic testing?
Mordor, EVTX-ATTACK-SAMPLES, Splunk Boss of the SOC
What project allows you to spin up Active Directory labs in Azure?
Adaz
What does Splunk’s Attack Range perform?
Attack simulation using different engines
What does the Attack Range integrate into to automate detection rule testing?
CI/CD pipeline
What are some shared data types for cyber defense?
Tactics with ATT&CK, detection with YARA and Sigma
What should you do if your tools don’t support YARA and Sigma signatures?
Request it from your vendor
What are the benefits of simple text-based formats?
Help with version control and make information sharable.
Where should you share new detections or analysis methods?
Conferences, GitHub, or anywhere the Blue Team benefits.
What is the second core SOC function responsible for?
Finding malicious content in gathered events.
What is a central struggle for nearly every SOC?
Alert tuning.
What is the first step to detection?
Submitting the captured event to analytic matching rules.
What should receive top priority for analysis if resources are limited?
Logs most likely to identify an intrusion.
What determines how many alerts will be made?
Accuracy, sensitivity, and rule count.
What would an ideal detection system achieve?
100% true positives, no false positives, no false negatives.
What must a reliable detection system support?
Reliable collection, health telemetry, and analytic development.
What is the “fuel” for modern, detection-oriented SOCs?
SIEM function
What are the commonalities in effective detection solutions?
Reliable, scalable, healthy, low overhead, analytic abstraction
What are the four analytic outcomes for events?
True positives, true negatives, false positives, false negatives
Why are false positives problematic for SOC analysts?
They drive analysts crazy daily
Why are false negatives considered the worst outcome?
They indicate undetected attacks
Can a detection system achieve zero false positives and zero false negatives?
No, it’s unrealistic
What does the “alerting threshold” represent?
Line separating alert/no alert events
What happens when you lower the alerting threshold?
Increase false positives
What happens when you raise the alerting threshold?
Increase false negatives
What is the SOC manager’s job regarding false positives and false negatives?
Decide the acceptable mix
What should analysts know if the system prioritizes minimizing false positives?
Very small chance of false positives
What is the key to writing the best possible detection rules?
Apply analytics downstream, post enrichment
How can you improve the accuracy of analytics in SOCs?
Use correlation and enrichment
What is one way of working alerting with Snort IDS?
Send alerts for everything that matches one of the signatures.
How can SOCs improve upon sending IDS alerts straight to a triage queue?
Forward Snort information to the SIEM for enrichment.
What can internal IPs in the alert be cross-referenced against?
DHCP logs, hostnames, and vulnerability databases.
What does Snort not know about the web server?
Whether it runs Apache or its patch level.
What should be done instead of forwarding alerts directly to a triage queue?
Send the alert to the SIEM for further analysis.
What is the benefit of sending alerts to the SIEM?
Alerts irrelevant to the system can be ignored.
How should the Snort alert rule be implemented at the SIEM?
If Snort sends an alert for an exploit against a system and that system runs the affected software and version, then alert.
What is a key action in assessing false positives and analytic accuracy?
Assessing accuracy of individual analytics.
What should you periodically run a report on?
Each alert that fired.
What should all analytics have?
A unique ID.
What should alert instances include?
Unique ID and final disposition.
What is a key activity in keeping sanity in your SOC?
Knowing the accuracy and count of each analytic.
What should each analytic have?
A unique identifier or alert name.
What happens when your analytics match?
An alert is created with a unique ID.
What should you do after a week of analytics activity?
Create metrics on fired alerts.
What should the final determination of alerts be labeled for?
Easy counting for metrics.
What should be done with false positives?
Dismissed from the alert queue.
What should both paths of false positives lead to?
A label for ultimate “false positive count.”
How should you evaluate your best and worst analytics?
Create a chart grouping by unique alert ID.
What does creating the chart of alerts help visualize?
True and false positive counts and ratios per rule.
What is the goal when tuning alerts to minimize time wasted?
Fix the source of the highest number of false positives first.
Which alert should be addressed after fixing alert C?
Alert A, due to higher false positives count.
What should be done if Alert E continuously produces no value?
Alert E should likely be disabled
What are the two variables to consider for high volume alerts?
Analytics’ accuracy and apparent priority
What action is suggested for high volume, poor accuracy, low priority alerts?
Disable or fix them
What should be done with high volume, poor accuracy, high priority alerts?
Fix them first
How should high volume, accurate, low priority alerts be handled?
Triage and possibly group alerts
What is the key to success in dealing with high volume alerts?
Increased efficiency
What indicates a prevention capability issue in high volume alerts?
High accuracy and high priority alerts
What should be done if true positives remain high after controls?
Consider adding more people
Why might some attacks not apply to your environment?
You don’t run the relevant software
Why should internet noise alerts be suppressed?
They waste time and provide no value
What is Hanlon’s Razor?
Never attribute to malice what can be explained by stupidity
What should be done with rules not tied to a specific use case?
Deactivate them
What is the solution for advanced attacks triggering low priority alerts?
Use Risk Based Scoring
What does Risk Based Scoring involve?
Assigning risk scores based on predefined rules
What is the purpose of collecting all suspicious events into a holding area?
To aggregate risk by user/host/asset/system.
What triggers an analyst’s attention in risk-based scoring?
Hitting a threshold per user/device.
How can low priority alerts indicate potential compromise?
By aggregating alerts over time for the same systems and users.
What is the middle ground approach used by many SOCs for low priority alerts?
Risk based scoring or alerting.
How do alerting systems handle low priority alerts in risk-based scoring?
Collect all alerts, score risk based on user, system, and software.
When is a situation escalated in a risk-based alerting system?
When enough alerts occur for a single user or system.
What assumption is key to risk-based scoring?
Advanced attacks may only fire low priority anomaly alerts.
How can repeated low priority alerts help identify attacks?
By triggering more than one alert for the same system.
Who documented a specific method for risk-based scoring at the 2019 SANS SIEM Summit?
Jim Apger, staff architect at Splunk.
What impact did Jim Apger’s “Risk Based Attribution” method reportedly have?
Increased true positive alert rate, reduced alert count.
What factors affect alert count in detection systems?
Scope, sensitivity, accuracy, and analytics enabled.
What is the worst part of many analysts’ jobs?
False positives.
What is more dangerous than false positives?
False negatives.
What is crucial for improving true positive separation from false positives?
Data enrichment and constant analytic testing and tuning.
What should SOCs prioritize to combat alert fatigue and burnout?
Understanding and maximizing enrichment opportunities.
What should be done if high volume alerts indicate valid concerns?
Block the issue before it becomes a problem.
What can remedy bad high volume alert rules?
Tuning, enrichment, suppression, or risk based scoring.
What is the focus of Section 3 in the course?
Attack Detection, Threat Hunting, and Triage
What are the objectives of Exercise 3.1?
Rule management, Sigma usage, Git tracking, MITRE visualization
What is the key to success in the triage phase?
Speed, accuracy, context, automation
What is a downside of a tiered SOC?
Complex alerts may be improperly passed over
What is a benefit of a tierless SOC?
Analysts gain exposure to diverse data
What is a downside of a tierless SOC?
Analysts must work closely to avoid cherry-picking alerts
What is the MSSP hybrid model?
A strategy for dealing with complex alerts in-house
What is the role of MSSP in the hybrid model?
Outsourced Tier 1 for filtering alerts
What is a key advantage of the MSSP hybrid model?
In-house team focuses on important items
What is a major con of the MSSP hybrid model?
Trusting first line to someone else
How can the risk of MSSP incorrectly dismissing alerts be mitigated?
Pre-determine high-priority alerts
What is a con of pre-determining high-priority alerts?
Requires frontloaded work to review alerts
What should be tracked to measure MSSP effectiveness?
Incidents by alert source, false positive rate
What skills are necessary for accurate triage and risk assessment?
Understanding alert, attack stage, context
What is a benefit of triaging alerts in the point product?
Interface is designed for specific alert type
What is a downside of triaging alerts in the SIEM?
Data related to alert is in remote system
What is a downside of using SIEMs for displaying network packets?
SIEMs aren’t always the best way to display network packets.
What is the third option for handling alerts in a SIEM?
Gather all alerts, enrich them, and push to incident management.
Why might ticketing systems offer the best UI and user experience for alert triage?
Ticketing systems are often specifically designed for this workflow.
What is a downside of using ticketing systems similar to SIEMs?
May need to reach out to other systems for additional data.
What must the software used to triage alerts support?
Must support the workflow and data display needed.
What is the ideal experience for displaying data in an alert triage system?
Well-formatted data displayed clearly and field-separated.
What should analysts be able to see in an alert triage system?
All metadata, original packet/log, and signature/analytic.
What should analysts be able to do from the alert view?
Easily enrich or pivot to external data with a click.
How should fields be transferred when an alert is accepted as true positive?
Without extraneous copy and paste or formatting changes.
Name two point product-based alert triage systems.
Sguil and EveBox.
What do Sguil and EveBox offer?
View packet metadata, full PCAP captures, signatures, enrichment information.
What is key to success in alert triage systems?
No manual process of moving data into different boxes.
What should you do if security products don’t supply data in the needed format?
Use SOAR or a script to format data seamlessly.
What are important alerts for immediate attention?
Targeted attacks, exploits against sensitive info, safety critical infrastructure.
What indicates an attack should jump to the top of the priority list?
Exploits against air gapped or segmented subnets.
What must analysts do when faced with limited resources?
Look for the very worst items first.
What often signifies the worst attacks?
Attacks nearing completion of attackers’ goals.
What should analysts do if they see signs of data theft, destruction, or denial of service?
Take quick action.
What must analysts be familiar with to identify high-priority items?
Organization’s threat model and attack tactics.
What helps analysts make the call on advanced attack stages?
Perspective on attacker techniques and target systems.
What combination helps get analysts to identify advanced attacks?
Data classification, technology, experience, and Red Team training.
What does Microsoft Defender for Office 365 support for prioritizing accounts?
Account tagging for fast identification of priority account attacks.
Why is fast and accurate triage of suspicious email important?
90% of attacks originate over email, high cost of breaches.
What is a new feature in Defender for Office 365 Plan 2?
Priority Account Protection
What does Priority Account Protection allow security teams to do?
Tag accounts for high visibility alerts
Who should you tag with Priority Account Protection?
VIPs, C-Suite, admin users, help desk, accounting
What is one benefit of tagging accounts during triage?
Visually labeled, stands out in alerts
How can custom workflows for tagged accounts help?
Increase speed of addressing alerts
What can trigger a fast response for priority account alerts?
Notify SOC members via SMS/email
What should you design for priority account alerts?
Fast track treatment workflows
How does Defender for Office 365 support investigation of tagged accounts?
Priority tags in submission queues, quarantine, threat explorer
What does distinguishing attack trends to priority accounts help with?
Build relevant threat intelligence
What key information should alerts include for proper triage?
User type, asset, patching status, criticality
How can you ensure alerts are prioritized correctly from the start?
Show key info about source and destination in triage interface
What is required for effective alert triage?
Data classification
What should SIEMs monitor to keep user lists up-to-date?
Domain administrators, email administrators groups
What is the benefit of loading information at one point in time?
Prevents data, system, and user lists from becoming outdated.
What is the focus of the Efficient Alert Triage Summary?
Fundamentals of alert triage and investigation.
What must be done to convert noise into meaningful signal in an alert queue?
Effectively process and triage the data.
What was discussed regarding managing alerts in a SOC?
Fundamentals, tools, approaches, and strategies.
What should analysts prioritize to respond to late-stage attacks?
Identify and prioritize critical alerts.
What helps separate important alerts from noise?
Adding context to alerts.
What is the next step after handling current alerts in a SOC?
Designing and creating new analytics.
What are the sections covered in the Course Roadmap?
SOC Design, Telemetry, Attack Detection, and more.
What should analysts have for various alert conditions?
Reference for alert conditions and reactions.
What supports the creation of playbooks for analysts?
Use case documentation.
What drives the data collection required in detection?
Use cases implemented.
Who described the “Githubification of Infosec”?
John Lambert
What is the “Githubification of Infosec”?
Community-based, democratized approach to analysis
What tools support a common language for detections?
Sigma, Jupyter, YARA, ATT&CK
What should you strive to maintain for effective incident response?
Proven set of curated detections
What are the inputs to the detection engineering process?
Threat model, intelligence, visibility
What does the detection engineering process include?
Data sources, event pipelines, correlation, enrichment
What is the goal of detection engineering?
Complete data sources, robust pipeline, flexible detections
What is detection engineering?
Blending engineering and analysis to identify and implement use cases
What varies depending on SOC maturity in detection engineering?
Process and rigor
What should analytics be based on?
Intelligence and threat model
What should advanced teams avoid when solving detection problems?
Avoid solving detection problems with analysts.
What should detection engineers be aware of according to the “law of the lever”?
Work imbalance created by new detections.
What do engineering best practices involve in detection engineering?
Building rigor into the process and thorough testing.
What is crucial to provide analysts to reduce their response time?
Arm analysts with as much information as possible.
What should not be given a pass in detection engineering?
Bad alerts must be tuned or retired.
When should detections be tested according to the guiding principles?
Before an incident occurs.
What is the importance of historical accuracy in rule classification?
True/false positive ratio of past rule firings.
What should analysts consider about the type of alert?
Whether it detects known malicious activities or anomalies.
What should be documented in a use case?
Conditions/attack techniques to detect and related details.
What is the purpose of use case tracking in a SOC?
List specific conditions to detect and how to detect them.
What should a use case documentation set include?
Why detect condition, detection method, owner, required data
Why is tracking detailed use cases important for SOCs?
To avoid “tribal knowledge” and ensure continuity
What happens if detection conditions are undocumented and key personnel leave?
No one may know what an alarm means or what action to take
What alleviates the issue of undocumented detection conditions?
Use case documentation and tracking
Where should information on actions to take when key alerts fire be kept?
Use case database or tracking system
What are key items to look for in a use case tracking solution?
Usability, customization, flexibility, metrics reporting capability
What should a use case tracking tool be easy to do?
Enter new data and track life cycle and metadata
What is a use case database for?
Documenting new analytics and supporting details
What should analysts refer to when seeing an alert for the first time?
Use case information in the database
What additional function should a use case database serve?
Generate metrics
What features are important in a use case database platform?
Field customization, owner assignment, nested items, framework alignment
What drives the formality of a use case tracking system?
Size and complexity of SOC operation
What tools might smaller teams use for use case tracking?
Excel
What should a use case tracking system ideally allow?
Simple use, easy customization, organization, change tracking, metric generation
What can use case database metrics drive?
Investments in new technology
Who are the primary users of a use case database?
Analysts
Who documents the details of analytics in the use case database?
Detection engineers
What should managers be able to do with a use case database?
Answer coverage questions and pull metrics