LDR551-Book2 Flashcards
What should a user do if they disagree with the CLA terms?
Not access the Courseware, return for refund
What actions are prohibited without SANS Institute’s consent?
Copying, reproducing, distributing, modifying Courseware
What are the consequences of breaching the CLA?
Irreparable harm, enforceable by injunction
What must the user warrant regarding sanction programs?
Not listed on OFAC or BIS denied party lists
What must the user avoid regarding U.S. export control laws?
Not allow access to embargoed countries
What are the key topics in Section 2 of LDR551?
Collection and Monitoring, Cyber Defense Theory, SOC Tools, MITRE ATT&CK
What mindset should modern cyber defense teams adopt?
Presumption of Compromise
What is a key focus of modern cyber defense?
Detection-Oriented Defense
Who should proactively assume compromise in a SOC?
Hunt teams
What should be the priority for hunt teams?
Post-exploitation stage attacks
What should hunt teams do when they find an issue?
Take care of it quickly and thoroughly
What is a risk-informed strategy in SOC?
Align defenses to prevent the most damaging scenarios.
What is the Lockheed Martin Cyber Kill Chain designed to model?
Advanced persistent threats (APTs).
What is a common misuse of the Cyber Kill Chain?
Applying it to all alerts.
What is the purpose of the Kill Chain and Mandiant Attack Cycle?
Visualize attack progress and steps.
What happens if the Kill Chain is used beyond its intended purpose?
It leads to confusion.
What is the advantage of Org 2’s defense strategy?
Better “defense in depth” posture.
What does the Pyramid of Pain illustrate?
Different levels of detection difficulty.
What is a drawback of relying on bottom layer items in the Pyramid of Pain?
Attackers bypass them trivially (a new hash or IP defeats the detection).
Why is a spread of detection capabilities important?
Provides defense in depth across the pyramid.
What are the characteristics of items at the top of the pyramid?
Longer living, broad coverage, lower fidelity
What are the characteristics of indicators at the bottom of the pyramid?
Short-lived, but easy to match and high fidelity while they last
Why do the two types of analytics team up well?
Provide depth of coverage in different scenarios
What should you do if your analytics distribution is lacking?
Make it a priority to build up the missing piece
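The pyramid cards above contrast bottom-layer atomic matching with top-layer behavioural analytics. The following block is an added example (not LDR551 material) that runs both kinds of detector over constructed Sysmon-style process-creation events: a known phishing-macro intrusion, the same tradecraft re-tooled a week later, a legitimate Excel automation job, and an admin's encoded PowerShell from a normal shell. Every hash, host name and address is made up (IPs come from documentation ranges), and the two rules are illustrative, not a vendor's ruleset.

```python
"""Pyramid of Pain, worked: an atomic (hash/IP) detector next to a behavioural
(TTP) detector, both run over constructed Sysmon-style process-creation events.
Added example; all events, hashes and addresses below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str
    sha256: str      # hash of the spawned image
    dest_ip: str     # first outbound connection by the new process ("" if none)


# Bottom of the pyramid: atomic indicators as a TIP would export them to the SIEM.
IOC_HASHES = {"a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2}   # constructed, 64 hex chars
IOC_IPS = {"203.0.113.45"}                               # TEST-NET-3 documentation range

# Top of the pyramid: the tradecraft itself, independent of any single payload.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Image name only, lower-cased, from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def atomic_detector(ev: ProcEvent) -> list[str]:
    """Exact match on hash or destination IP: high fidelity, but bypassed
    as soon as the attacker rebuilds the payload or moves C2."""
    hits = []
    if ev.sha256.lower() in IOC_HASHES:
        hits.append("ioc-hash")
    if ev.dest_ip in IOC_IPS:
        hits.append("ioc-ip")
    return hits


def ttp_detector(ev: ProcEvent) -> list[str]:
    """Office application spawning a script host, refined by an encoded
    PowerShell command. Survives re-tooling, but the broad parent/child rule
    also fires on legitimate macro automation: lower fidelity by design."""
    hits = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("ttp-office-spawns-script-host")
        if child in {"powershell.exe", "pwsh.exe"} and "-enc" in ev.command_line.lower():
            hits.append("ttp-encoded-powershell")
    return hits


def run_detectors(events: list[ProcEvent]) -> dict[str, dict[str, list[str]]]:
    """Run both detectors over every event, keyed by host name."""
    return {ev.host: {"atomic": atomic_detector(ev), "ttp": ttp_detector(ev)} for ev in events}


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed macro payload command line; the base64 blob is not meant to decode to anything.
MACRO_CMD = "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="

EVENTS = [
    # 1. The intrusion as first reported: known payload hash, known C2 address.
    ProcEvent("WS-0101", "jdoe", WINWORD, POWERSHELL, MACRO_CMD,
              "a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2, "203.0.113.45"),
    # 2. Same tradecraft a week later: payload rebuilt, C2 moved. Only the TTP rule sees it.
    ProcEvent("WS-0207", "asmith", WINWORD, POWERSHELL, MACRO_CMD,
              "9f8e7d6c5b4a39281706f5e4d3c2b1a0" * 2, "198.51.100.7"),
    # 3. Finance's month-end job: Excel legitimately launches a script.
    #    The broad TTP rule fires (false positive); the encoded-command refinement does not.
    ProcEvent("FIN-01", "svc_reports", EXCEL, POWERSHELL,
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\monthly.ps1",
              "00112233445566778899aabbccddeeff" * 2, ""),
    # 4. Admin running an encoded command from a normal shell: neither rule fires.
    ProcEvent("WS-0310", "admin", r"C:\Windows\explorer.exe", POWERSHELL,
              "powershell.exe -Enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA==",
              "00112233445566778899aabbccddeeff" * 2, ""),
]

if __name__ == "__main__":
    for host, result in run_detectors(EVENTS).items():
        print(f"{host:8} atomic={result['atomic']!r:24} ttp={result['ttp']}")
```

Running it shows the trade-off the cards describe: the atomic rule catches only the first sighting, the TTP rule catches both sightings and also the finance job, which is why the two layers are paired rather than chosen between.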
What does MITRE ATT&CK provide?
Standardized vocabulary of tactics and techniques
What do tactics describe in the MITRE ATT&CK framework?
Goals attackers need to accomplish
What happens when a new attack technique is found by MITRE?
It is added under one or more tactics
What should you do if you can detect relevant items on the MITRE ATT&CK framework?
Give yourself a pat on the back
How does MITRE ATT&CK help newer analysts?
Provides learning opportunity for attacker TTPs
What can you do if you have no threat intel but know APT X attacks your industry?
Prioritize techniques used by APT X
How can MITRE ATT&CK be used to measure defensive team improvement?
As an objective yardstick: track the share of relevant techniques you can detect over time
What indicates Blue Team improvement in MITRE ATT&CK?
Rise in percentage or count of covered techniques
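The ATT&CK cards above make three points: prioritise the techniques a relevant group uses, measure coverage as the share of techniques you can detect, and watch that share rise. The block below is an added example (not course material) that does all three on a constructed detection inventory and a constructed "APT X" profile. The technique IDs and their tactic membership are real ATT&CK Enterprise entries; the rule names, the quarter snapshots and the profile are assumptions for illustration.

```python
"""ATT&CK as a yardstick: detection coverage against a threat profile, the
prioritised gap list, and the quarter-over-quarter delta. Added example; the
rule inventory and the 'APT X' profile are constructed, the technique IDs and
tactic mapping are real ATT&CK Enterprise entries (a subset, not exhaustive)."""

# Tactic membership: a technique can sit under several tactics.
TACTICS = {
    "T1566.001": {"initial-access"},
    "T1059.001": {"execution"},
    "T1053.005": {"execution", "persistence", "privilege-escalation"},
    "T1003.001": {"credential-access"},
    "T1021.002": {"lateral-movement"},
    "T1071.001": {"command-and-control"},
    "T1041":     {"exfiltration"},
    "T1078":     {"defense-evasion", "persistence", "privilege-escalation", "initial-access"},
}

# Constructed Q1 detection inventory: rule name -> technique IDs it covers.
RULES_Q1 = {
    "office-spawns-script-host": {"T1566.001", "T1059.001"},
    "encoded-powershell":        {"T1059.001"},
    "new-scheduled-task":        {"T1053.005"},
    "lsass-handle-access":       {"T1003.001"},
    "psexec-service-install":    {"T1021.002"},
}
# Q2: one rule added for HTTP beaconing.
RULES_Q2 = {**RULES_Q1, "http-beacon-periodicity": {"T1071.001"}}

# Constructed profile of "APT X", the group known to target this industry.
APT_X = {"T1566.001", "T1059.001", "T1053.005", "T1003.001",
         "T1021.002", "T1071.001", "T1041", "T1078"}


def covered_techniques(rules):
    """Union of every technique any rule claims to cover."""
    return set().union(*rules.values()) if rules else set()


def coverage(rules, profile):
    """Fraction (0..1), covered set and uncovered set for a technique profile."""
    covered = covered_techniques(rules) & profile
    return len(covered) / len(profile), covered, profile - covered


def prioritised_gaps(rules, profile):
    """Uncovered techniques, the ones usable in the most tactics first:
    closing T1078 (valid accounts) helps in four phases, T1041 in one."""
    _, _, gaps = coverage(rules, profile)
    return sorted(gaps, key=lambda t: (-len(TACTICS.get(t, ())), t))


def coverage_by_tactic(rules, profile):
    """Per-tactic (covered, total) counts, to find the weakest phase of the chain."""
    covered = covered_techniques(rules)
    out = {}
    for tech in profile:
        for tactic in TACTICS.get(tech, {"unmapped"}):
            hit, total = out.get(tactic, (0, 0))
            out[tactic] = (hit + (tech in covered), total + 1)
    return out


def improvement(before, after, profile):
    """Coverage percentage before and after: the Blue Team metric the cards propose."""
    return (round(coverage(before, profile)[0] * 100, 1),
            round(coverage(after, profile)[0] * 100, 1))


if __name__ == "__main__":
    print("Q1 -> Q2 coverage of APT X techniques: %s%% -> %s%%" % improvement(RULES_Q1, RULES_Q2, APT_X))
    print("Remaining gaps, highest priority first:", prioritised_gaps(RULES_Q2, APT_X))
    for tactic, (hit, total) in sorted(coverage_by_tactic(RULES_Q2, APT_X).items()):
        print(f"  {tactic:22} {hit}/{total}")
```

The per-tactic view is what keeps the percentage honest: 75% overall still leaves exfiltration and defense-evasion with no coverage at all, which a single number would hide.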
What is the PICERL model based on?
NIST SP 800-61 “Computer Security Incident Handling Guide”
What stage do most analysts drop in during the PICERL model?
Identification stage
What does the DAIR model address compared to PICERL?
Practical application criticisms like least privilege
What does DAIR highlight the need for?
Security monitoring, threat intelligence, vulnerability remediation
How does DAIR conceptualize incident response?
As multiple events occurring across time.
How does DAIR differ from the PICERL model?
DAIR uses waypoints, outcomes, and activities.
Are PICERL and DAIR mutually exclusive?
No, they complement each other.
What is the OODA loop?
Observe, Orient, Decide, Act.
Who designed the OODA loop?
John Boyd, a military strategist.
What does the OODA loop represent for a SOC?
Stages to go head-to-head with adversaries.
What drives the operations tempo in a SOC?
The OODA loop.
What is the key step in the OODA loop?
The “Orient” phase.
What is the main takeaway from the OODA loop model?
Faster, accurate loops win head-to-head situations.
What differentiates a manager from a leader according to Peter Drucker?
Manager does things right; leader does the right things.
What are the two roles required to run a SOC?
Management and leadership.
What must a leader of a SOC be aware of?
Industry news, trends, and available tools.
What is necessary for day-to-day SOC operations?
Balanced workload, following processes, securing the organization.
What is the main goal in infinite games?
Stay in the game as long as possible
What are examples of finite games?
Sports, board games
What are examples of infinite games?
Business, marriage, education, life
What is the primary difference between finite and infinite games?
How you win
What happens in infinite games by definition?
They have no end
What is the goal of finite games?
To beat out your opponent
What do finite games have that infinite games lack?
A clear outcome at the ending time
What do infinite games require for long-term success?
Infinite strategies
What mindset is doomed for sub-optimal results in infinite games?
Finite game mindset
What do finite-minded players tend to overlook?
Second order effects
What does Sinek say about finite-minded businesses?
They may rely too heavily on a single product
What does human nature drive us to focus on in finite games?
Personal rewards
What is necessary to succeed in an infinite game?
Focus on the long term
What is the focus of a short-term SOC strategy?
Ticket numbers closed, time-based goals
What should a SOC optimize for in an infinite game strategy?
Job satisfaction, retention, engagement
What is a key aspect of playing with an infinite strategy in SOC?
Sustainability of workload
What does Sinek’s infinite game strategy emphasize for SOCs?
Continuous improvement, team building
What should a human-focused SOC prioritize?
Challenging, growing, and creative employees
What is the benefit of cybersecurity mental models?
Help analysts understand complex events
What is the goal of SOC Theory and Models?
Avoid misapplying models, help operations
What are the main tools used daily by SOC analysts?
EDR/XDR, SIEM, TIP, IMS
What does SOAR stand for?
Security Orchestration, Automation, & Response
What is the role of EDR/XDR in a SOC?
Central interface for querying, detection, analysis
What is the function of a SIEM?
Nexus of all log data
What does a Threat Intelligence Platform provide?
Context around matched IOCs
What is the purpose of an Incident Management System?
Ticketing system for working incidents
What does SOAR focus on in a SOC?
Automation tools for efficiency
What do Use Case Databases/Playbooks/SOPs inform analysts about?
Actions to take when an alert triggers
What is stored in an Unstructured Information Knowledgebase?
Additional reference data for analysts
What is a common use for systems like OneNote or SharePoint in a SOC?
Collaboratively adding and editing data
What is the main job of a SIEM?
Receive and parse all logs correctly
Why is high-quality data important for a SIEM?
Better chances for successful detection
What is the role of a Threat Intelligence Platform in a SOC?
Stores tactical, operational, strategic threat intel
What must be exported periodically to a SIEM or IDS?
All atomic indicators
What should a TIP ideally contain?
Info on how, when, and why each atomic item was marked as an IOC.
What does an analyst need to do when an alert goes off?
Find out why the indicator (e.g., the IP) was marked bad.
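The TIP cards above ask for three things: periodic export of atomic indicators to the SIEM, a record of how, when and why each one was marked bad, and a way for the analyst to pull that context when the alert fires. The block below is an added example of such a store (not course material and not any vendor's product); its records, source names and addresses are constructed, using documentation IP ranges, and the expiry rule reflects the short life of bottom-of-pyramid indicators.

```python
"""A minimal threat-intelligence record store: every atomic indicator carries
how, when and why it was marked bad; only active, confident indicators are
exported to the SIEM; and an alert can be explained from the record.
Added example; all records below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Indicator:
    value: str
    ioc_type: str            # "ipv4", "sha256", "domain"
    source: str              # how: report, sandbox run, analyst finding
    reason: str              # why: campaign, malware family, observed behaviour
    first_seen: datetime     # when
    confidence: int          # 0..100
    ttl_days: int            # atomic indicators go stale quickly
    tags: set = field(default_factory=set)

    def expires(self) -> datetime:
        return self.first_seen + timedelta(days=self.ttl_days)


class IndicatorStore:
    def __init__(self):
        self._by_value = {}

    def add(self, ind: Indicator):
        self._by_value[ind.value.lower()] = ind

    def export_for_siem(self, now: datetime, min_confidence: int = 50):
        """Rows for a SIEM lookup table: value, type, short context string.
        Expired or low-confidence indicators are withheld so stale IPs stop alerting."""
        rows = []
        for ind in self._by_value.values():
            if ind.confidence >= min_confidence and now < ind.expires():
                rows.append((ind.value, ind.ioc_type, f"{ind.source}: {ind.reason}"))
        return sorted(rows)

    def explain(self, value: str):
        """What the analyst needs when the alert fires: why was this marked bad?"""
        ind = self._by_value.get(value.lower())
        if ind is None:
            return None
        return {
            "how": ind.source, "why": ind.reason,
            "when": ind.first_seen.date().isoformat(),
            "expires": ind.expires().date().isoformat(),
            "confidence": ind.confidence, "tags": sorted(ind.tags),
        }


T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=10)   # the moment of the scheduled export


def build_sample_store() -> IndicatorStore:
    """Constructed records: one fresh report IOC, one stale sandbox IOC, one weak OSINT hit."""
    store = IndicatorStore()
    store.add(Indicator("203.0.113.45", "ipv4", "vendor report (constructed id VR-2024-03)",
                        "C2 for phishing campaign targeting finance", T0, 85, 30, {"c2"}))
    store.add(Indicator("198.51.100.7", "ipv4", "internal sandbox detonation",
                        "callback from one macro sample", T0 - timedelta(days=60), 60, 14, {"c2"}))
    store.add(Indicator("192.0.2.10", "ipv4", "OSINT paste", "listed as scanner", T0, 20, 7, {"scanner"}))
    return store


def sample_export():
    """What the SIEM would receive at NOW from the constructed store."""
    return build_sample_store().export_for_siem(NOW)


if __name__ == "__main__":
    store = build_sample_store()
    for row in store.export_for_siem(NOW):
        print("export:", row)
    print("why 203.0.113.45?", store.explain("203.0.113.45"))
```

Only one of the three records reaches the SIEM: the sandbox IOC has aged out and the OSINT entry never met the confidence bar, so neither can wake an analyst at 3 a.m. with no story behind it.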
What is the main source of incoming data for the IMS?
Alerts sent from the environment.
What should analysts do once incidents are investigated and closed?
Close the associated ticket.
What is a key item to note when closing an incident ticket?
Categorization of the incident.
Why should metrics be noted in a structured way?
To help SOC managers allocate budget.
What should be done before selecting or changing an IMS?
Thoroughly test contenders with real-world scenarios.
Who should drive the testing of IMS contenders?
Analysts.
What should a SOC knowledgebase include?
Unstructured documents, reference info, and general storage.
What is essential for a knowledgebase to be useful?
Usability and ease of maintenance.
What is the first step in selecting the right technology?
Identify the opportunity.
What is the second step in selecting the right technology?
Define analysis criteria.
What is the third step in selecting the right technology?
Identify alternatives.
What is the fourth step in selecting the right technology?
Compare features & functionality.
What is a major element of security operations?
Technology
Why is it important to maintain governance over SOC technologies?
To manage changes and improvements
What must you quantify when investing in SOC technology?
Return on investment
What is MITRE’s formal analysis process called?
Analysis of Alternatives (AoA)
What does AoA provide a framework for?
Evaluating and comparing solutions
What can help keep your decision data-driven and objective?
Using the AoA process as a reference
What did the US Government Accountability Office report about the Department of Defense?
Caused budget overruns by not evaluating alternatives
What can conducting a proper evaluation when selecting new tools help reduce?
Cost and operational risks
What are the five phases of the AoA process?
Identify opportunity, define criteria, identify alternatives, compare, report
What should strategic priorities inform?
Tool deployment and data collection
What can attack tree diagrams help with?
Brainstorming damaging attacks and planning defenses
What is a vital step in devising a threat-informed defense?
Using threat modeling output for planning
What tools are commonly used in SOCs?
EDR & XDR, SIEM, Threat Intelligence Platform, Incident Management System
What should be the goal when purchasing SOC tools?
Improve analyst workflow and organize detection data
What is the goal of the initial course section?
Understand what to purchase now and what can wait.
What is the first step in the core SOC process?
Data collection.
What will be reviewed in the systems-level model of the collection function?
Most important sources of log data.
What complicates data collection according to the text?
New encryption protocols.
What is crucial in the SOC process for effective detection and triage?
Appropriate data collection.
What does the collection system include?
Environment, Auditing, Collection Policy.
What is the first core function discussed in the text?
Data collection capability.
What happens between events being generated and collected?
Events are logged/recorded and centralized.
What influences whether events are recorded locally or centrally?
Auditing policy and collection policy.
What is the ideal collection system for security data?
Perfect Auditing Policy, Complete Collection.
What should be centralized in an ideal collection system?
Events of security value.
What major input influences the ability to detect attacks?
Threat intelligence.
What characterizes the realistic collection system in average organizations?
Imperfect Auditing Policy, Best-effort Collection Policy.
Why might some important events not be recorded centrally?
Gaps in knowledge, affordability, visibility.
What drives the best effort solution in realistic collection systems?
Volume, access, threat intel.
What is a consequence of not having a proper auditing policy?
Inadequate attack detection capability.
What is the first step in setting up an effective system for attack detection?
Setting up an auditing policy and network infrastructure
What must thorough collection be matched with?
A solid centralization and collection strategy
Why is starting off with a good auditing and collection policy important?
It gives the best chance of attack detection downstream
What are the two components of complete collection?
Network Security Monitoring (NSM) and Continuous Security Monitoring (CSM)
What does Network Security Monitoring (NSM) include?
Full packet capture and network metadata
What does Continuous Security Monitoring (CSM) include?
Endpoint/device-generated data and application/SaaS logs
What are the two major types of data in the collection function?
Network data and endpoint data
What does network data tell us?
Who is talking to whom, protocols used, and conversation content
What does endpoint and application data provide?
Details about processes and access nature
Why is it important to have both network and endpoint data?
Attackers may subvert endpoint data collection
What is a key aspect of audit policy in a SOC?
Flexibility, as collection needs may change
What determines the volume of logs the SOC must store and process?
The collection policy: what you choose to centralize from what is audited
What should you consider when deciding what to collect?
Specific goals for collection
What are some goals for log collection?
IOC-based matching, advanced attack detection, audit, compliance
What is a common misconception about compliance and log collection?
That it means full collection of everything possible
What are the three common strategies for log centralization?
Input-driven, output-driven, and a balanced approach
What is the most cost-effective and high-performing way of collecting logs?
Output-driven collection
What is the hybrid collection approach?
Start input-driven, then reduce noise
What should be done with high-volume, likely not useful items?
Turn them off
What should be done with low-volume, potentially useful logs?
Leave them on
Which approach does the SANS Blue Team Operations curriculum recommend?
Hybrid approach
What is a key feature of the hybrid approach?
Emphasizes tactical collection
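The collection cards (auditing policy decides what is generated, collection policy decides what is centralised) and the three centralisation strategies above lend themselves to a single model. The block below is an added example, not course material: it takes a constructed inventory of log sources with daily volumes and a value rating, applies input-driven, output-driven and hybrid policies, and reports what each costs in events per day against a constructed set of use cases. The source names, volumes, ratings and the 10M/day threshold are assumptions; the Windows event IDs named are real, but the volumes attached to them are invented.

```python
"""The collection system as a pipeline: what the auditing policy generates,
what each collection strategy centralises, and the resulting daily volume
versus use-case coverage. Added example; inventory, volumes and value
ratings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    name: str
    events_per_day: int
    value: str          # "high": tied to a written use case; "low": noise as configured; "unknown": no use case yet
    audited: bool       # does the auditing policy currently generate it at all?


# Constructed inventory; per-day figures are invented for a mid-sized fleet.
SOURCES = [
    LogSource("win-4624-logon",            2_000_000,  "high",    True),
    LogSource("win-4688-process-cmdline",  5_000_000,  "high",    False),   # not enabled: an auditing-policy gap
    LogSource("win-5156-wfp-connection",  40_000_000,  "low",     True),
    LogSource("win-4663-object-access",   25_000_000,  "low",     True),
    LogSource("sysmon-1-process-create",   6_000_000,  "high",    True),
    LogSource("dns-query",                30_000_000,  "high",    True),
    LogSource("fw-allow",                 80_000_000,  "low",     True),
    LogSource("fw-deny",                   3_000_000,  "unknown", True),
    LogSource("vpn-auth",                     50_000,  "high",    True),
    LogSource("dhcp-lease",                  300_000,  "unknown", True),
    LogSource("print-spooler",                20_000,  "unknown", True),
]

# Constructed use cases and the sources each needs. The last one is a hunt
# question nobody had written down when the collection policy was set.
USE_CASES = {
    "lateral-movement":   {"win-4624-logon", "sysmon-1-process-create"},
    "encoded-powershell": {"win-4688-process-cmdline"},
    "dns-tunnelling":     {"dns-query"},
    "ip-to-host-hunt":    {"dhcp-lease", "vpn-auth"},
}

HIGH_VOLUME = 10_000_000   # events/day; the threshold is a local policy choice


def generated(sources):
    """Auditing policy: only audited sources produce events at all."""
    return [s for s in sources if s.audited]


def input_driven(sources):
    """Centralise everything the auditing policy generates."""
    return generated(sources)


def output_driven(sources):
    """Centralise only what a written use case already needs."""
    return [s for s in generated(sources) if s.value == "high"]


def hybrid(sources):
    """Start input-driven, then switch off high-volume sources that are
    likely noise; keep low-volume sources even with no use case yet."""
    return [s for s in generated(sources)
            if not (s.events_per_day >= HIGH_VOLUME and s.value == "low")]


def evaluate(strategy, sources=SOURCES, use_cases=USE_CASES):
    """Daily volume centralised and which use cases are fully satisfiable."""
    kept = strategy(sources)
    names = {s.name for s in kept}
    volume = sum(s.events_per_day for s in kept)
    satisfied = sorted(uc for uc, needs in use_cases.items() if needs <= names)
    return {"events_per_day": volume, "use_cases": satisfied}


if __name__ == "__main__":
    for strat in (input_driven, output_driven, hybrid):
        r = evaluate(strat)
        print(f"{strat.__name__:13} {r['events_per_day']:>12,} events/day  covers {r['use_cases']}")
```

Two things fall out of the numbers. The hybrid policy lands within a few percent of output-driven volume while still holding the DHCP leases the hunt needs, which output-driven discarded. And no collection policy fixes the encoded-PowerShell use case, because 4688 is never generated: that gap has to be closed upstream in the auditing policy, which is the ordering the cards insist on.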
Why should your auditing and collection strategy be in constant flux?
To adapt to changing threats
What course is recommended for SIEM engineers and SOC analysts?
SEC555: SIEM with Tactical Analytics
What is a key to success in audit policy flexibility?
Fast approval process for changes
Why must your collection policy be nimble?
To keep up with attackers