LDR551-Book 3 Flashcards

1
What does the Internet Storm Center do?
Operates the Internet’s early warning system.
2
What skills are necessary for security leaders?
Business, leadership, and technical skills.
3
What is the inefficiency in traditional Blue Team operations?
Each team gathers and analyzes threat intel independently.
4
What is the benefit of information sharing in Blue Team operations?
Efficient sharing of defense knowledge.
5
What is MITRE ATT&CK?
Model for sharing attacker tactics and techniques.
6
What are Sigma signatures used for?
Log content matching.
7
What is the purpose of Jupyter notebooks in security analysis?
Make complex analysis repeatable and shareable.
8
What is MITRE D3FEND?
Knowledge graph of security countermeasures.
9
What is MITRE Engage?
Knowledge base for denial, deception, and adversary engagement.
10
What is D3FEND?
A knowledge graph mapping security countermeasures to attacks
11
What is the main goal of D3FEND?
Establish a common vocabulary for security tools
12
What is the most obvious use case for D3FEND?
Capturing and comparing features of controls
13
What has replaced MITRE’s Shield framework?
MITRE Engage
14
What does MITRE Engage describe?
Denial, deception, and adversary engagement techniques
15
What new concepts were added in MITRE Engage?
Goals and adversary vulnerabilities
16
What is YARA?
A language for defining file characteristics
17
What can YARA signatures identify?
Strings, bytes, and other content in files
18
Why should teams invest in learning YARA?
To produce file-based threat detections
19
What makes YARA signatures easy to manage?
Simple text-based format for change tracking
20
Who created notable YARA rule sets?
Didier Stevens and Florian Roth
21
What is Sigma?
High-level generic language for log analytics
22
Who leads the Sigma project?
Florian Roth and Thomas Patzke
23
What problem does Sigma address?
Generic detection for log content
24
How does Sigma benefit SOC teams?
Allows sharing and distributing log analytics
25
What format are Sigma rules written in?
Text-based YAML files
26
What does Sigma eliminate?
Vendor lock-in
27
What is a key benefit of Sigma's text-based format?
Enables version control for analytics
28
What can Sigma's metadata sections refer to?
ATT&CK tactics and techniques
29
What tool can be used to visualize Sigma data on MITRE's ATT&CK navigator?
Sigma tools
30
What does implementing Sigma help avoid when changing SIEM products?
Migration pains
31
What format are Sigma rule files written in?
YAML
32
What does the metadata in a Sigma rule include?
Title, status, description, author, tag
33
What is the purpose of the log source in a Sigma rule?
Indicates the log type, brand, service
34
Why is auditing Sigma rules easy?
YAML formatting
35
What can be easily performed using Sigma rules?
Gap analysis
36
What does the Sigma converter do?
Converts generic rules to SIEM-specific queries
37
What is a major benefit of Sigma format rules?
Analytic version control
38
What would increase ops tempo for defense teams?
Publishing analytics in Sigma format
39
What do analysts often lack knowledge in?
Writing Python code and understanding analysis
40
What do notebooks lower the bar for?
Applying advanced analysis and data science
41
What should you avoid when running cells in a notebook?
Using "run all cells"
42
What does the credential compromise notebook leverage for analysis?
Machine learning
43
Where can you find pre-made threat hunting oriented notebooks?
GitHub repo
44
What are examples of pre-captured logs and network data for analytic testing?
Mordor, EVTX-ATTACK-SAMPLES, Splunk Boss of the SOC
45
What project allows you to spin up Active Directory labs in Azure?
Adaz
46
What does Splunk's Attack Range perform?
Attack simulation using different engines
47
What does the Attack Range integrate into to automate detection rule testing?
CI/CD pipeline
48
What are some shared data types for cyber defense?
Tactics with ATT&CK, detection with YARA and Sigma
49
What should you do if your tools don't support YARA and Sigma signatures?
Request it from your vendor
50
What are the benefits of simple text-based formats?
Help with version control and make information sharable.
51
Where should you share new detections or analysis methods?
Conferences, GitHub, or anywhere the Blue Team benefits.
52
What is the second core SOC function responsible for?
Finding malicious content in gathered events.
53
What is a central struggle for nearly every SOC?
Alert tuning.
54
What is the first step to detection?
Submitting the captured event to analytic matching rules.
55
What should receive top priority for analysis if resources are limited?
Logs most likely to identify an intrusion.
56
What determines how many alerts will be made?
Accuracy, sensitivity, and rule count.
57
What would an ideal detection system achieve?
100% true positives, no false positives, no false negatives.
58
What must a reliable detection system support?
Reliable collection, health telemetry, and analytic development.
59
What is the "fuel" for modern, detection-oriented SOCs?
SIEM function
60
What are the commonalities in effective detection solutions?
Reliable, scalable, healthy, low overhead, analytic abstraction
61
What are the four analytic outcomes for events?
True positives, true negatives, false positives, false negatives
62
Why are false positives problematic for SOC analysts?
They drive analysts crazy daily
63
Why are false negatives considered the worst outcome?
They indicate undetected attacks
64
Can a detection system achieve zero false positives and zero false negatives?
No, it's unrealistic
65
What does the "alerting threshold" represent?
Line separating alert/no alert events
66
What happens when you lower the alerting threshold?
Increase false positives
67
What happens when you raise the alerting threshold?
Increase false negatives
68
What is the SOC manager's job regarding false positives and false negatives?
Decide the acceptable mix
69
What should analysts know if the system prioritizes minimizing false positives?
Very small chance of false positives
70
What is the key to writing the best possible detection rules?
Apply analytics downstream, post enrichment
71
How can you improve the accuracy of analytics in SOCs?
Use correlation and enrichment
72
What is one way of working alerting with Snort IDS?
Send alerts for everything that matches one of the signatures.
73
How can SOCs improve upon sending IDS alerts straight to a triage queue?
Forward Snort information to the SIEM for enrichment.
74
What can internal IPs in the alert be cross-referenced against?
DHCP logs, hostnames, and vulnerability databases.
75
What does Snort not know about the web server?
Whether it runs Apache or its patch level.
76
What should be done instead of forwarding alerts directly to a triage queue?
Send the alert to the SIEM for further analysis.
77
What is the benefit of sending alerts to the SIEM?
Alerts irrelevant to the system can be ignored.
78
How should the Snort alert rule be implemented at the SIEM?
If Snort sends an alert for an exploit against a system and that system runs the affected software and version, then alert.
79
What is a key action in assessing false positives and analytic accuracy?
Assessing accuracy of individual analytics.
80
What should you periodically run a report on?
Each alert that fired.
81
What should all analytics have?
A unique ID.
82
What should alert instances include?
Unique ID and final disposition.
83
What is a key activity in keeping sanity in your SOC?
Knowing the accuracy and count of each analytic.
84
What should each analytic have?
A unique identifier or alert name.
85
What happens when your analytics match?
An alert is created with a unique ID.
86
What should you do after a week of analytics activity?
Create metrics on fired alerts.
87
What should the final determination of alerts be labeled for?
Easy counting for metrics.
88
What should be done with false positives?
Dismissed from the alert queue.
89
What should both paths of false positives lead to?
A label for ultimate "false positive count."
90
How should you evaluate your best and worst analytics?
Create a chart grouping by unique alert ID.
91
What does creating the chart of alerts help visualize?
True and false positive counts and ratios per rule.
92
What is the goal when tuning alerts to minimize time wasted?
Fix the source of the highest number of false positives first.
93
Which alert should be addressed after fixing alert C?
Alert A, due to higher false positives count.
94
What should be done if Alert E continuously produces no value?
Alert E should likely be disabled
95
What are the two variables to consider for high volume alerts?
Analytics' accuracy and apparent priority
96
What action is suggested for high volume, poor accuracy, low priority alerts?
Disable or fix them
97
What should be done with high volume, poor accuracy, high priority alerts?
Fix them first
98
How should high volume, accurate, low priority alerts be handled?
Triage and possibly group alerts
99
What is the key to success in dealing with high volume alerts?
Increased efficiency
100
What indicates a prevention capability issue in high volume alerts?
High accuracy and high priority alerts
101
What should be done if true positives remain high after controls?
Consider adding more people
102
Why might some attacks not apply to your environment?
You don't run the relevant software
103
Why should internet noise alerts be suppressed?
They waste time and provide no value
104
What is Hanlon's Razor?
Never attribute to malice what can be explained by stupidity
105
What should be done with rules not tied to a specific use case?
Deactivate them
106
What is the solution for advanced attacks triggering low priority alerts?
Use Risk Based Scoring
107
What does Risk Based Scoring involve?
Assigning risk scores based on predefined rules
108
What is the purpose of collecting all suspicious events into a holding area?
To aggregate risk by user/host/asset/system.
109
What triggers an analyst's attention in risk-based scoring?
Hitting a threshold per user/device.
110
How can low priority alerts indicate potential compromise?
By aggregating alerts over time for the same systems and users.
111
What is the middle ground approach used by many SOCs for low priority alerts?
Risk based scoring or alerting.
112
How do alerting systems handle low priority alerts in risk-based scoring?
Collect all alerts, score risk based on user, system, and software.
113
When is a situation escalated in a risk-based alerting system?
When enough alerts occur for a single user or system.
114
What assumption is key to risk-based scoring?
Advanced attacks may only fire low priority anomaly alerts.
115
How can repeated low priority alerts help identify attacks?
By triggering more than one alert for the same system.
116
Who documented a specific method for risk-based scoring at the 2019 SANS SIEM Summit?
Jim Apger, staff architect at Splunk.
117
What impact did Jim Apger's "Risk Based Attribution" method reportedly have?
Increased true positive alert rate, reduced alert count.
118
What factors affect alert count in detection systems?
Scope, sensitivity, accuracy, and analytics enabled.
119
What is the worst part of many analysts' jobs?
False positives.
120
What is more dangerous than false positives?
False negatives.
121
What is crucial for improving true positive separation from false positives?
Data enrichment and constant analytic testing and tuning.
122
What should SOCs prioritize to combat alert fatigue and burnout?
Understanding and maximizing enrichment opportunities.
123
What should be done if high volume alerts indicate valid concerns?
Block the issue before it becomes a problem.
124
What can remedy bad high volume alert rules?
Tuning, enrichment, suppression, or risk based scoring.
125
What is the focus of Section 3 in the course?
Attack Detection, Threat Hunting, and Triage
126
What are the objectives of Exercise 3.1?
Rule management, Sigma usage, Git tracking, MITRE visualization
127
What is the key to success in the triage phase?
Speed, accuracy, context, automation
128
What is a downside of a tiered SOC?
Complex alerts may be improperly passed over
129
What is a benefit of a tierless SOC?
Analysts gain exposure to diverse data
130
What is a downside of a tierless SOC?
Analysts must work closely to avoid cherry-picking alerts
131
What is the MSSP hybrid model?
A strategy for dealing with complex alerts in-house
132
What is the role of MSSP in the hybrid model?
Outsourced Tier 1 for filtering alerts
133
What is a key advantage of the MSSP hybrid model?
In-house team focuses on important items
134
What is a major con of the MSSP hybrid model?
Trusting first line to someone else
135
How can the risk of MSSP incorrectly dismissing alerts be mitigated?
Pre-determine high-priority alerts
136
What is a con of pre-determining high-priority alerts?
Requires frontloaded work to review alerts
137
What should be tracked to measure MSSP effectiveness?
Incidents by alert source, false positive rate
138
What skills are necessary for accurate triage and risk assessment?
Understanding alert, attack stage, context
139
What is a benefit of triaging alerts in the point product?
Interface is designed for specific alert type
140
What is a downside of triaging alerts in the SIEM?
Data related to alert is in remote system
141
What is a downside of using SIEMs for displaying network packets?
SIEMs aren't always the best way to display network packets.
142
What is the third option for handling alerts in a SIEM?
Gather all alerts, enrich them, and push to incident management.
143
Why might ticketing systems offer the best UI and user experience for alert triage?
Ticketing systems are often specifically designed for this workflow.
144
What is a downside of using ticketing systems similar to SIEMs?
May need to reach out to other systems for additional data.
145
What must the software used to triage alerts support?
Must support the workflow and data display needed.
146
What is the ideal experience for displaying data in an alert triage system?
Well-formatted data displayed clearly and field-separated.
147
What should analysts be able to see in an alert triage system?
All metadata, original packet/log, and signature/analytic.
148
What should analysts be able to do from the alert view?
Easily enrich or pivot to external data with a click.
149
How should fields be transferred when an alert is accepted as true positive?
Without extraneous copy and paste or formatting changes.
150
Name two point product-based alert triage systems.
Sguil and EveBox.
151
What do Sguil and EveBox offer?
View packet metadata, full PCAP captures, signatures, enrichment information.
152
What is key to success in alert triage systems?
No manual process of moving data into different boxes.
153
What should you do if security products don't supply data in the needed format?
Use SOAR or a script to format data seamlessly.
154
What are important alerts for immediate attention?
Targeted attacks, exploits against sensitive info, safety critical infrastructure.
155
What indicates an attack should jump to the top of the priority list?
Exploits against air gapped or segmented subnets.
156
What must analysts do when faced with limited resources?
Look for the very worst items first.
157
What often signifies the worst attacks?
Attacks nearing completion of attackers' goals.
158
What should analysts do if they see signs of data theft, destruction, or denial of service?
Take quick action.
159
What must analysts be familiar with to identify high-priority items?
Organization's threat model and attack tactics.
160
What helps analysts make the call on advanced attack stages?
Perspective on attacker techniques and target systems.
161
What combination helps get analysts to identify advanced attacks?
Data classification, technology, experience, and Red Team training.
162
What does Microsoft Defender for Office 365 support for prioritizing accounts?
Account tagging for fast identification of priority account attacks.
163
Why is fast and accurate triage of suspicious email important?
90% of attacks originate over email, high cost of breaches.
164
What is a new feature in Defender for Office 365 Plan 2?
Priority Account Protection
165
What does Priority Account Protection allow security teams to do?
Tag accounts for high visibility alerts
166
Who should you tag with Priority Account Protection?
VIPs, C-Suite, admin users, help desk, accounting
167
What is one benefit of tagging accounts during triage?
Visually labeled, stands out in alerts
168
How can custom workflows for tagged accounts help?
Increase speed of addressing alerts
169
What can trigger a fast response for priority account alerts?
Notify SOC members via SMS/email
170
What should you design for priority account alerts?
Fast track treatment workflows
171
How does Defender for Office 365 support investigation of tagged accounts?
Priority tags in submission queues, quarantine, threat explorer
172
What does distinguishing attack trends to priority accounts help with?
Build relevant threat intelligence
173
What key information should alerts include for proper triage?
User type, asset, patching status, criticality
174
How can you ensure alerts are prioritized correctly from the start?
Show key info about source and destination in triage interface
175
What is required for effective alert triage?
Data classification
176
What should SIEMs monitor to keep user lists up-to-date?
Domain administrators, email administrators groups
177
What is the benefit of loading information at one point in time?
Prevents data, system, and user lists from becoming outdated.
178
What is the focus of the Efficient Alert Triage Summary?
Fundamentals of alert triage and investigation.
179
What must be done to convert noise into meaningful signal in an alert queue?
Effectively process and triage the data.
180
What was discussed regarding managing alerts in a SOC?
Fundamentals, tools, approaches, and strategies.
181
What should analysts prioritize to respond to late-stage attacks?
Identify and prioritize critical alerts.
182
What helps separate important alerts from noise?
Adding context to alerts.
183
What is the next step after handling current alerts in a SOC?
Designing and creating new analytics.
184
What are the sections covered in the Course Roadmap?
SOC Design, Telemetry, Attack Detection, and more.
185
What should analysts have for various alert conditions?
Reference for alert conditions and reactions.
186
What supports the creation of playbooks for analysts?
Use case documentation.
187
What drives the data collection required in detection?
Use cases implemented.
188
Who described the "Githubification of Infosec"?
John Lambert
189
What is the "Githubification of Infosec"?
Community-based, democratized approach to analysis
190
What tools support a common language for detections?
Sigma, Jupyter, YARA, ATT&CK
191
What should you strive to maintain for effective incident response?
Proven set of curated detections
192
What are the inputs to the detection engineering process?
Threat model, intelligence, visibility
193
What does the detection engineering process include?
Data sources, event pipelines, correlation, enrichment
194
What is the goal of detection engineering?
Complete data sources, robust pipeline, flexible detections
195
What is detection engineering?
Blending engineering and analysis to identify and implement use cases
196
What varies depending on SOC maturity in detection engineering?
Process and rigor
197
What should analytics be based on?
Intelligence and threat model
198
What should advanced teams avoid when solving detection problems?
Avoid solving detection problems with analysts.
199
What should detection engineers be aware of according to the "law of the lever"?
Work imbalance created by new detections.
200
What do engineering best practices involve in detection engineering?
Building rigor into the process and thorough testing.
201
What is crucial to provide analysts to reduce their response time?
Arm analysts with as much information as possible.
202
What should not be given a pass in detection engineering?
Bad alerts must be tuned or retired.
203
When should detections be tested according to the guiding principles?
Before an incident occurs.
204
What is the importance of historical accuracy in rule classification?
True/false positive ratio of past rule firings.
205
What should analysts consider about the type of alert?
Whether it detects known malicious activities or anomalies.
206
What should be documented in a use case?
Conditions/attack techniques to detect and related details.
207
What is the purpose of use case tracking in a SOC?
List specific conditions to detect and how to detect them.
208
What should a use case documentation set include?
Why detect condition, detection method, owner, required data
209
Why is tracking detailed use cases important for SOCs?
To avoid "tribal knowledge" and ensure continuity
210
What happens if detection conditions are undocumented and key personnel leave?
No one may know what an alarm means or what action to take
211
What alleviates the issue of undocumented detection conditions?
Use case documentation and tracking
212
Where should information on actions to take when key alerts fire be kept?
Use case database or tracking system
213
What are key items to look for in a use case tracking solution?
Usability, customization, flexibility, metrics reporting capability
214
What should a use case tracking tool be easy to do?
Enter new data and track life cycle and metadata
215
What is a use case database for?
Documenting new analytics and supporting details
216
What should analysts refer to when seeing an alert for the first time?
Use case information in the database
217
What additional function should a use case database serve?
Generate metrics
218
What features are important in a use case database platform?
Field customization, owner assignment, nested items, framework alignment
219
What drives the formality of a use case tracking system?
Size and complexity of SOC operation
220
What tools might smaller teams use for use case tracking?
Excel
221
What should a use case tracking system ideally allow?
Simple use, easy customization, organization, change tracking, metric generation
222
What can use case database metrics drive?
Investments in new technology
223
Who are the primary users of a use case database?
Analysts
224
Who documents the details of analytics in the use case database?
Detection engineers
225
What should managers be able to do with a use case database?
Answer coverage questions and pull metrics