LDR551-Book2 Flashcards

1
Q

What should a user do if they disagree with the CLA terms?

A

Not access the Courseware, return for refund

2
Q

What actions are prohibited without SANS Institute’s consent?

A

Copying, reproducing, distributing, modifying Courseware

3
Q

What are the consequences of breaching the CLA?

A

Irreparable harm, enforceable by injunction

4
Q

What must the user warrant regarding sanction programs?

A

Not listed on OFAC or BIS denied party lists

5
Q

What must the user avoid regarding U.S. export control laws?

A

Not allow access to embargoed countries

6
Q

What are the key topics in Section 2 of LDR551?

A

Collection and Monitoring, Cyber Defense Theory, SOC Tools, MITRE ATT&CK

7
Q

What mindset should modern cyber defense teams adopt?

A

Presumption of Compromise

8
Q

What is a key focus of modern cyber defense?

A

Detection-Oriented Defense

9
Q

Who should proactively assume compromise in a SOC?

A

Hunt teams

10
Q

What should be the priority for hunt teams?

A

Post-exploitation stage attacks

11
Q

What should hunt teams do when they find an issue?

A

Take care of it quickly and thoroughly

12
Q

What is a risk-informed strategy in SOC?

A

Align defenses to prevent most damaging scenarios.

13
Q

What is the Lockheed Martin Cyber Kill Chain designed to model?

A

Advanced persistent threats (APTs).

14
Q

What is a common misuse of the Cyber Kill Chain?

A

Applying it to all alerts.

15
Q

What is the purpose of the Kill Chain and Mandiant Attack Cycle?

A

Visualize attack progress and steps.

16
Q

What happens if the Kill Chain is used beyond its intended purpose?

A

It leads to confusion.

17
Q

What is the advantage of Org 2’s defense strategy?

A

Better “defense in depth” posture.

18
Q

What does the Pyramid of Pain illustrate?

A

Different levels of detection difficulty.

19
Q

What is a drawback of relying on bottom layer items in the Pyramid of Pain?

A

Easy to bypass detection capability.

20
Q

Why is a spread of detection capabilities important?

A

Provides defense in depth across the pyramid.

21
Q

What are the characteristics of items at the top of the pyramid?

A

Longer living, broad coverage, lower fidelity

22
Q

What are the characteristics of indicators at the bottom of the pyramid?

A

Short-lived, easy to identify attacks

23
Q

Why do the two types of analytics team up well?

A

Provide depth of coverage in different scenarios

24
Q

What should you do if your analytics distribution is lacking?

A

Make it a priority to build up the missing piece

25
Q

What does MITRE ATT&CK provide?

A

Standardized vocabulary of tactics and techniques

26
Q

What do tactics describe in the MITRE ATT&CK framework?

A

Goals attackers need to accomplish

27
Q

What happens when a new attack technique is found by MITRE?

A

It is added under one or more tactics

28
Q

What should you do if you can detect relevant items on the MITRE ATT&CK framework?

A

Give yourself a pat on the back

29
Q

How does MITRE ATT&CK help newer analysts?

A

Provides learning opportunity for attacker TTPs

30
Q

What can you do if you have no threat intel but know APT X attacks your industry?

A

Prioritize techniques used by APT X

31
Q

How can MITRE ATT&CK be used to measure defensive team improvement?

A

Objectively measure defensive team improvement

32
Q

What indicates Blue Team improvement in MITRE ATT&CK?

A

Rise in percentage or count of covered techniques

33
Q

What is the PICERL model based on?

A

NIST SP 800-61 “Computer Security Incident Handling Guide”

34
Q

What stage do most analysts drop in during the PICERL model?

A

Identify stage

35
Q

What does the DAIR model address compared to PICERL?

A

Practical application criticisms like least privilege

36
Q

What does DAIR highlight the need for?

A

Security monitoring, threat intelligence, vulnerability remediation

37
Q

How does DAIR conceptualize incident response?

A

As multiple events occurring across time.

38
Q

How does DAIR differ from the PICERL model?

A

DAIR uses waypoints, outcomes, and activities.

39
Q

Are PICERL and DAIR mutually exclusive?

A

No, they complement each other.

40
Q

What is the OODA loop?

A

Observe, Orient, Decide, Act.

41
Q

Who designed the OODA loop?

A

John Boyd, a military strategist.

42
Q

What does the OODA loop represent for a SOC?

A

Stages to go head-to-head with adversaries.

43
Q

What drives the operations tempo in a SOC?

A

The OODA loop.

44
Q

What is the key step in the OODA loop?

A

The “Orient” phase.

45
Q

What is the main takeaway from the OODA loop model?

A

Faster, accurate loops win head-to-head situations.

46
Q

What differentiates a manager from a leader according to Peter Drucker?

A

Manager does things right; leader does the right things.

47
Q

What are the two roles required to run a SOC?

A

Management and leadership.

48
Q

What must a leader of a SOC be aware of?

A

Industry news, trends, and available tools.

49
Q

What is necessary for day-to-day SOC operations?

A

Balanced workload, following processes, securing the organization.

50
Q

What is the main goal in infinite games?

A

Stay in the game as long as possible

51
Q

What are examples of finite games?

A

Sports, board games

52
Q

What are examples of infinite games?

A

Business, marriage, education, life

53
Q

What is the primary difference between finite and infinite games?

A

How you win

54
Q

What happens in infinite games by definition?

A

They have no end

55
Q

What is the goal of finite games?

A

To beat out your opponent

56
Q

What do finite games have that infinite games lack?

A

A clear outcome at the ending time

57
Q

What do infinite games require for long-term success?

A

Infinite strategies

58
Q

What mindset is doomed for sub-optimal results in infinite games?

A

Finite game mindset

59
Q

What do finite-minded players tend to overlook?

A

Second order effects

60
Q

What does Sinek say about finite-minded businesses?

A

They may rely too heavily on a single product

61
Q

What does human nature drive us to focus on in finite games?

A

Personal rewards

62
Q

What is necessary to succeed in an infinite game?

A

Focus on the long term

63
Q

What is the focus of a short-term SOC strategy?

A

Ticket numbers closed, time-based goals

64
Q

What should a SOC optimize for in an infinite game strategy?

A

Job satisfaction, retention, engagement

65
Q

What is a key aspect of playing with an infinite strategy in SOC?

A

Sustainability of workload

66
Q

What does Sinek’s infinite game strategy emphasize for SOCs?

A

Continuous improvement, team building

67
Q

What should a human-focused SOC prioritize?

A

Challenging, growing, and creative employees

68
Q

What is the benefit of cybersecurity mental models?

A

Help analysts understand complex events

69
Q

What is the goal of SOC Theory and Models?

A

Avoid misapplying models, help operations

70
Q

What are the main tools used daily by SOC analysts?

A

EDR/XDR, SIEM, TIP, IMS

71
Q

What does SOAR stand for?

A

Security Orchestration, Automation, & Response

72
Q

What is the role of EDR/XDR in a SOC?

A

Central interface for querying, detection, analysis

73
Q

What is the function of a SIEM?

A

Nexus of all log data

74
Q

What does a Threat Intelligence Platform provide?

A

Context around matched IOCs

75
Q

What is the purpose of an Incident Management System?

A

Ticketing system for working incidents

76
Q

What does SOAR focus on in a SOC?

A

Automation tools for efficiency

77
Q

What do Use Case Databases/Playbooks/SOPs inform analysts about?

A

Actions to take when an alert triggers

78
Q

What is stored in an Unstructured Information Knowledgebase?

A

Additional reference data for analysts

79
Q

What is a common use for systems like OneNote or SharePoint in a SOC?

A

Collaboratively adding and editing data

80
Q

What is the main job of a SIEM?

A

Receive and parse all logs correctly

81
Q

Why is high-quality data important for a SIEM?

A

Better chances for successful detection

82
Q

What is the role of a Threat Intelligence Platform in a SOC?

A

Stores tactical, operational, strategic threat intel

83
Q

What must be exported periodically to a SIEM or IDS?

A

All atomic indicators

84
Q

What should a TIP ideally contain?

A

Info on how, when, and why each atomic item was marked as an IOC.

85
Q

What does an analyst need to do when an alert goes off?

A

Find why the IP was marked bad.

86
Q

What is the main source of incoming data for the IMS?

A

Alerts sent from the environment.

87
Q

What should analysts do once incidents are investigated and closed?

A

Close the associated ticket.

88
Q

What is a key item to note when closing an incident ticket?

A

Categorization of the incident.

89
Q

Why should metrics be noted in a structured way?

A

To help SOC managers allocate budget.

90
Q

What should be done before selecting or changing an IMS?

A

Thoroughly test contenders with real-world scenarios.

91
Q

Who should drive the testing of IMS contenders?

A

Analysts.

92
Q

What should a SOC knowledgebase include?

A

Unstructured documents, reference info, and general storage.

93
Q

What is essential for a knowledgebase to be useful?

A

Usability and ease of maintenance.

94
Q

What is the first step in selecting the right technology?

A

Identify the opportunity.

95
Q

What is the second step in selecting the right technology?

A

Define analysis criteria.

96
Q

What is the third step in selecting the right technology?

A

Identify alternatives.

97
Q

What is the fourth step in selecting the right technology?

A

Compare features & functionality.

98
Q

What is a major element of security operations?

A

Technology

99
Q

Why is it important to maintain governance over SOC technologies?

A

To manage changes and improvements

100
Q

What must you quantify when investing in SOC technology?

A

Return on investment

101
Q

What is MITRE’s formal analysis process called?

A

Analysis of Alternatives (AoA)

102
Q

What does AoA provide a framework for?

A

Evaluating and comparing solutions

103
Q

What can help keep your decision data-driven and objective?

A

Using the AoA process as a reference

104
Q

What did the US Government Accountability Office report about the Department of Defense?

A

Caused budget overruns by not evaluating alternatives

105
Q

What can conducting a proper evaluation when selecting new tools help reduce?

A

Cost and operational risks

106
Q

What are the five phases of the AoA process?

A

Identify opportunity, define criteria, identify alternatives, compare, report

107
Q

What should strategic priorities inform?

A

Tool deployment and data collection

108
Q

What can attack tree diagrams help with?

A

Brainstorming damaging attacks and planning defenses

109
Q

What is a vital step in devising a threat-informed defense?

A

Using threat modeling output for planning

110
Q

What tools are commonly used in SOCs?

A

EDR & XDR, SIEM, Threat Intelligence Platform, Incident Management System

111
Q

What should be the goal when purchasing SOC tools?

A

Improve analyst workflow and organize detection data

112
Q

What is the goal of the initial course section?

A

Understand what to purchase now and what can wait.

113
Q

What is the first step in the core SOC process?

A

Data collection.

114
Q

What will be reviewed in the systems-level model of the collection function?

A

Most important sources of log data.

115
Q

What complicates data collection according to the text?

A

New encryption protocols.

116
Q

What is crucial in the SOC process for effective detection and triage?

A

Appropriate data collection.

117
Q

What does the collection system include?

A

Environment, Auditing, Collection Policy.

118
Q

What is the first core function discussed in the text?

A

Data collection capability.

119
Q

What happens between events being generated and collected?

A

Events are logged/recorded and centralized.

120
Q

What influences whether events are recorded locally or centrally?

A

Auditing policy and collection policy.

121
Q

What is the ideal collection system for security data?

A

Perfect Auditing Policy, Complete Collection.

122
Q

What should be centralized in an ideal collection system?

A

Events of security value.

123
Q

What major input influences the ability to detect attacks?

A

Threat intelligence.

124
Q

What characterizes the realistic collection system in average organizations?

A

Imperfect Auditing Policy, Best effort Collection Policy.

125
Q

Why might some important events not be recorded centrally?

A

Gaps in knowledge, affordability, visibility.

126
Q

What drives the best effort solution in realistic collection systems?

A

Volume, access, threat intel.

127
Q

What is a consequence of not having a proper auditing policy?

A

Inadequate attack detection capability.

128
Q

What is the first step in setting up an effective system for attack detection?

A

Setting up an auditing policy and network infrastructure

129
Q

What must thorough collection be matched with?

A

A solid centralization and collection strategy

130
Q

Why is starting off with a good auditing and collection policy important?

A

It gives the best chance of attack detection downstream

131
Q

What are the two components of complete collection?

A

Network Security Monitoring (NSM) and Continuous Security Monitoring (CSM)

132
Q

What does Network Security Monitoring (NSM) include?

A

Full packet capture and network metadata

133
Q

What does Continuous Security Monitoring (CSM) include?

A

Endpoint/device-generated data and application/SaaS logs

134
Q

What are the two major types of data in the collection function?

A

Network data and endpoint data

135
Q

What does network data tell us?

A

Who is talking to whom, protocols used, and conversation content

136
Q

What does endpoint and application data provide?

A

Details about processes and access nature

137
Q

Why is it important to have both network and endpoint data?

A

Attackers may subvert endpoint data collection

138
Q

What is a key aspect of audit policy in a SOC?

A

Flexibility, as collection needs may change

139
Q

What drives log volume in a collection policy?

A

Collection policy

140
Q

What should you consider when deciding what to collect?

A

Specific goals for collection

141
Q

What are some goals for log collection?

A

IOC-based matching, advanced attack detection, audit, compliance

142
Q

What is a common misconception about compliance and log collection?

A

That it means full collection of everything possible

143
Q

What are the three common strategies for log centralization?

A

Input-driven, output-driven, and a balanced approach

144
Q

What is the most cost-effective and high-performing way of collecting logs?

A

Output-driven collection

145
Q

What is the hybrid collection approach?

A

Start input-driven, then reduce noise

146
Q

What should be done with high-volume, likely not useful items?

A

Turn them off

147
Q

What should be done with low-volume, potentially useful logs?

A

Leave them on

148
Q

Which approach does the SANS Blue Team Operations curriculum recommend?

A

Hybrid approach

149
Q

What is a key feature of the hybrid approach?

A

Emphasizes tactical collection

150
Q

Why should your auditing and collection strategy be in constant flux?

A

To adapt to changing threats

151
Q

What course is recommended for SIEM engineers and SOC analysts?

A

SEC555: SIEM with Tactical Analytics

152
Q

What is a key to success in audit policy flexibility?

A

Fast approval process for changes

153
Q

Why must your collection policy be nimble?

A

To keep up with attackers

154
Q

What should be centrally managed in a nimble collection policy?

A

Audit policies

155
Q

What should be fast-tracked in emergency situations?

A

Pushing changes

156
Q

What is a benefit of having control over audit policy changes?

A

Maintain OODA loop pace

157
Q

What is the goal of tactical collection?

A

Balance centralization and local storage

158
Q

Why are PowerShell logs often not recorded?

A

They can be very high volume

159
Q

What does FireEye recommend for logging PowerShell?

A

Centrally log specific events

160
Q

What is an alternative if you can’t centralize all logs?

A

Store them locally

161
Q

What is the easiest method for log collection?

A

SIEM agent

162
Q

What is the most customizable log collection method?

A

SIEM agent/Third-party agent

163
Q

What is the built-in OS forwarding method for Windows?

A

Windows Event Forwarding

164
Q

What is the built-in OS forwarding method for Linux?

A

Syslog Daemon (Rsyslog, Syslog-ng)

165
Q

What should you consider when choosing a log collection method?

A

What you are optimizing for

166
Q

What is a downside of packaged SIEM agents?

A

May lack advanced features

167
Q

What is a suggested third-party log agent with a free edition?

A

NXLog

168
Q

What is the built-in logging method for Linux/Unix?

A

syslog daemon

169
Q

What is the built-in logging method for Windows?

A

Windows Event Forwarding

170
Q

What is a benefit of using the OS’s built-in logging method?

A

Path of least resistance

171
Q

What can you set up if built-in logging methods are not an option?

A

Agentless pickup via remote system

172
Q

What are the separable functions inside a SIEM?

A

Parsing, Filtering, Enrichment, Indexing, Storage

173
Q

What does parsing in SIEM involve?

A

Breaking logs into constituent fields

174
Q

What is the purpose of filtering in SIEM?

A

Decide if log is stored or discarded

175
Q

What does enrichment in SIEM do?

A

Correlates logs with external data

176
Q

What is the role of indexing in SIEM?

A

Index log entries for quick retrieval

177
Q

Why is data quality important in SIEM?

A

Determines the usefulness of logs

178
Q

What happens if data is not parsed correctly in SIEM?

A

SIEM can’t understand it

179
Q

What is categorization in SIEM?

A

Labeling events with tags

180
Q

What is normalization in SIEM?

A

Standardizing field names across sources

181
Q

What does data enrichment involve in SIEM?

A

Supplementing logs with additional context

182
Q

What does enrichment help with in threat hunting?

A

Turns event logs into detailed threat hunting data

183
Q

What are some highest-value host-based data sources?

A

Authentication events, process creation, IOC matches

184
Q

Why do we need the output of security tools like antivirus?

A

They match known IOCs and provide high-fidelity detections

185
Q

What makes a great starting point for detecting malicious activity?

A

Authentication events

186
Q

What should SOCs look deeper into beyond brute force attempts?

A

Context of logins and their origins

187
Q

What is a fast-acting detection for privileged accounts?

A

Identifying use outside expected locations

188
Q

What information do host process creation events provide?

A

What ran, when, where, hash, signature, arguments

189
Q

What are high-value items to monitor for malware persistence?

A

Autorun keys, installed services, scheduled tasks

190
Q

Why is it important to compare autorun programs across an enterprise?

A

To find malicious items by ranking common autoruns

191
Q

What are some highest-value network-based data sources?

A

Network service logs, proxy/web logs, DNS, DHCP

192
Q

What do network service logs help with?

A

Identify anomalies during threat hunting

193
Q

What do proxy and web logs, DNS, and DHCP help us find?

A

What is on the network and where devices are going

194
Q

What protocols help catch potential lateral movement?

A

SSH, SMB, PowerShell Remoting, VNC, RDP

195
Q

What are some new challenges for network-based data collection?

A

TLS 1.3, DoH/DoT, HTTP/2 & 3, QUIC

196
Q

What does TLS 1.3 enforce that affects traffic decryption?

A

Perfect forward secrecy

197
Q

What is the impact of encrypted certificate details in TLS 1.3?

A

Cannot passively record certificate info

198
Q

What does Encrypted Client Hello (ECH) hide?

A

Domain name, leaving only IP address visible

199
Q

What is TLS 1.3?

A

A new TLS encryption standard released in 2018.

200
Q

When was TLS 1.2 released?

A

2008

201
Q

What does TLS 1.3 fix compared to TLS 1.2?

A

Many security issues present in TLS 1.2

202
Q

What type of cipher suites does TLS 1.3 allow?

A

Only those providing “perfect forward secrecy” (PFS)

203
Q

What is required to decrypt a TLS 1.3 connection?

A

Unique information from every TLS connection

204
Q

How could traffic be decrypted in older standards?

A

With the server’s private key

205
Q

What must be present for the entire conversation in TLS 1.3?

A

The interception proxy

206
Q

What certificate details are no longer visible in TLS 1.3?

A

Details for the site the user is connecting to

207
Q

What field can still be used to detect the domain name in TLS 1.3?

A

The “SNI” field

208
Q

What does Encrypted Client Hello (ECH) encrypt?

A

The entire “Client Hello” portion of a TLS handshake

209
Q

What will be the only details left without decryption with ECH?

A

IP address and port

210
Q

Who originally developed TLS fingerprinting?

A

Salesforce’s security team

211
Q

What is JA4 in TLS fingerprinting?

A

Client fingerprint

212
Q

What is JA4S in TLS fingerprinting?

A

Server fingerprint

213
Q

What does JA4 concatenate and hash?

A

Fields from “ClientHello” TLS packet

214
Q

What can JA4 fingerprints help identify?

A

Good and bad connections without decryption

215
Q

What can network security monitoring tools like Zeek create?

A

JA4 and JA4S hashes

216
Q

What does JARM do differently from JA4?

A

Actively probes a server and fingerprints responses

217
Q

How can JARM be used to identify malicious servers?

A

By creating a JARM fingerprint of the server

218
Q

What is a potential risk of using endpoint telemetry over network layer visibility?

A

It may ruin your OPSEC.

219
Q

What is a recommended action if you can’t get approval for TLS decryption?

A

Deploy tools to check JA4 hashes.

220
Q

What is DNS over HTTPS (DoH)?

A

DNS traffic over port 443 using TLS/HTTPS.

221
Q

What does DoH mean for DNS traffic?

A

DNS traffic becomes indistinguishable from web traffic.

222
Q

What is a security concern with DoH?

A

Blocking non-controlled DNS servers becomes harder.

223
Q

What must you do to log DNS requests with DoH?

A

Intercept TLS or provide your own DoH server.

224
Q

Which applications use DoH by default, bypassing system DNS settings?

A

Firefox.

225
Q

How can you identify DoH traffic without decryption?

A

Check destination IP addresses of well-known DoH providers.

226
Q

What should you search for to test normal uses of DoH on your network?

A

Port 443 traffic to known DNS server IPs.

227
Q

What is a challenge with HTTP/2 and HTTP/3 for SOCs?

A

Interception is required to view the protocol.

228
Q

Why is interception required for protocol analysis?

A

To even view the protocol.

229
Q

What is a major challenge with HTTP/2 and HTTP/3 for SOCs?

A

They complicate data analysis.

230
Q

How has data representation changed in HTTP/2 and HTTP/3?

A

It has drastically changed for performance.

231
Q

What is a limitation of Wireshark with HTTP/2?

A

Cannot carve files out automatically.

232
Q

What makes analysis of malicious activity over HTTP/2 and HTTP/3 difficult?

A

Guaranteed usage of encryption.

233
Q

What did James Kettle’s research at DEF CON 2021 reveal?

A

Issues with HTTP/2 in some applications.

234
Q

What problem did James Kettle demonstrate with a SaaS vendor’s application?

A

Users logged in as random others.

235
Q

What is a challenge with NSM in the cloud?

A

Cloud collection options are less developed.

236
Q

What level of visibility do most SOCs consider adequate for cloud assets?

A

Flow log-level visibility.

237
Q

Which cloud platform has the most feature-complete offerings for visibility?

A

AWS.

238
Q

What is a key consideration for SOC data collection?

A

Clear goals and careful planning.

239
Q

What must SOC managers be good stewards of?

A

Organization’s data and investments.

240
Q

What does the MITRE ATT&CK framework help with in SOCs?

A

Data source prioritization.

241
Q

What can threat groups be translated into?

A

Tactics and techniques

242
Q

What is the numeric identification scheme for mitigations in ATT&CK?

A

M####

243
Q

What do group pages in the ATT&CK knowledge base list?

A

Techniques and software used

244
Q

What are groups in the ATT&CK framework?

A

Sets of related attack campaigns

245
Q

Give examples of named threat groups.

A

APT1, DarkHotel, Turla

246
Q

What does the software category in ATT&CK enumerate?

A

Tools and open-source software used by attackers

247
Q

What is the numeric identification scheme for software in ATT&CK?

A

S####

248
Q

What do data sources in ATT&CK list?

A

Sources of information for detecting techniques

249
Q

What new addition was made in ATT&CK v12?

A

Tracking individual campaigns

250
Q

Which data source covers the most ATT&CK techniques?

A

Command execution

251
Q

How many techniques does Command Execution cover?

A

155 techniques

252
Q

What is the second most relevant data component after Command Execution?

A

Process Creation

253
Q

What is the purpose of ATT&CK Navigator?

A

Identify priority attack techniques and detection gaps

254
Q

What is the first step in using ATT&CK Navigator for assessments?

A

Make a layer for each threat group

255
Q

What should be done after creating layers in ATT&CK Navigator?

A

Sum the layers to find highest numbers

256
Q

What is the first step in using the ATT&CK Navigator application?

A

Make separate layers for each threat group

257
Q

How does MITRE ATT&CK fill in techniques for threat groups?

A

Using its built-in knowledge

258
Q

What does each technique receive in the ATT&CK Navigator?

A

A “score” to differentiate it

259
Q

What is the result of adding all individual threat group layers together?

A

A super-layer of all threat group activities

260
Q

What can you enter to take the analysis further in ATT&CK Navigator?

A

Data sources and mitigations

261
Q

What emerges after combining threat layers with mitigation and data source layers?

A

A quick way to assess gaps in coverage

262
Q

What is the difficult piece of the puzzle in detection?

A

Detection logic itself

263
Q

What does MITRE’s Cyber Analytics Repository provide?

A

Pre-made detection rules

264
Q

What question does a SOC detection capability answer?

A

Can you detect technique x?

265
Q

What complicates detection capabilities?

A

Nuance and different environments

266
Q

What is the goal of tracking detection capabilities?

A

Track meaningful metrics

267
Q

What should you consider when tracking detection capabilities?

A

Balance between details and simplicity

268
Q

What is the DeTT&CT project?

A

Tools to label and visualize capabilities

269
Q

What does the DeTT&CT script generate?

A

An ATT&CK Navigator layer

270
Q

What is the GitHub URL for DeTTECT?

A

https://github.com/rabobank-cdc/DeTTECT

271
Q

To whom is the text licensed?

A

David Newsome

272
Q

What is the URL for MITRE ATT&CK for Enterprise?

A

https://attack.mitre.org/

273
Q

What is the URL for Malware Archaeology Logging Cheat Sheets?

A

https://www.malwarearchaeology.com/cheat-sheets

274
Q

What is the URL for Roberto Rodriguez’s OSSEM Project?

A

https://github.com/OTRF/OSSEM

275
Q

What is the first section in the Course Roadmap?

A

SOC Design and Operational Planning

276
Q

What is the objective of Exercise 2.3?

A

ATT&CK Navigator for Attack Technique Prioritization

277
Q

What is the ideal alert count scenario?

A

All true positives, zero false negatives

278
Q

What are good causes for more alerts?

A

New tools, threat hunting

279
Q

What are bad causes for fewer alerts?

A

Lack of visibility for attacks

280
Q

What might increase alert count but be a good thing?

A

Detecting previously missed attacks

281
Q

What is the goal of handling alerts in a SOC?

A

Drive down bad things, catch all true positives

282
Q

What percentage of SOCs tune alerting features to reduce alert volume?

A

57%

283
Q

What are two “bad” ways to handle too many alerts?

A

Turning off high-volume alerts, ignoring categories

284
Q

What percentage of respondents hire more analysts to handle alerts?

A

38%

285
Q

What is the goal for the alert queue size in a SOC?

A

Keep it at an average size of zero

286
Q

What happens if alert generation rate exceeds triage rate?

A

Alert queue > 0

287
Q

What is a basic formula for alert workload?

A

W = N * T

288
Q

What are the key variables in triage capacity planning?

A

Average number of items, time per item

289
Q

What is a method to estimate alert count for established teams?

A

Historical metrics

290
Q

What is the best source of information for a SOC’s alert count history?

A

Historical metrics from your own SOC.

291
Q

What can historical metrics help you understand about alerts?

A

Average number of alerts and variance.

292
Q

For which SOCs is the historical metrics approach best suited?

A

SOCs with months to years of data.

293
Q

Why is it important to understand the variance in alert counts?

A

It affects capacity planning.

294
Q

What do you need to estimate alert counts accurately?

A

Worst-case, average, and lowest numbers.

295
Q

What should SOCs without years of data do?

A

Combine existing data with other approaches.

296
Q

What can SOCs use if they haven’t started yet?

A

Survey data from others.

297
Q

What is a drawback of using survey data for alert counts?

A

It can be wildly inaccurate.

298
Q

What will replace survey data once SOC data starts coming in?

A

Historical averages.

299
Q

How can you reduce inaccuracy in alert estimation?

A

Use the alerts-per-person number.

300
Q

What can probabilistic calculations help with?

A

Estimating minimum and maximum alert numbers.

301
Q

What assumptions are key for probabilistic calculations?

A

Nature of alerts and time to address.

302
Q

What is a major issue in defining “alert” for time calculation?

A

Not all alerts require evaluation.

303
Q

Why are enormous alert numbers not useful for capacity planning?

A

They don’t reflect reality.

304
Q

What complicates capacity planning based on alert count?

A

Duplicates, false positives, simulations.

305
Q

What is a significant factor in the makeup of alert populations?

A

Many alerts are not unique or malicious.

306
Q

Why do alert counts from analysts often not match up?

A

Analysts deal with aggregated alerts, not single items.

307
Q

What does the Poisson distribution help estimate in cybersecurity?

A

Bounds on the number of cyber attacks.

308
Q

What is a key characteristic of alerts in security operations?

A

Alerts are not 1:1 with potential issues.

309
Q

What should be counted to better predict time required for investigations?

A

Count “potential issues” investigated.

310
Q

What is the main goal of measuring aggregated issues?

A

To understand time spent on investigations.

311
Q

What is a Poisson process?

A

Events occur randomly at a constant average rate.

312
Q

Why is the Poisson distribution useful despite not being perfect?

A

Leads to better conclusions than guessing.

313
Q

What is the relationship between the Poisson and binomial distributions?

A

Poisson is a specific case of binomial.

314
Q

What is the Poisson distribution used for in SOCs?

A

Estimating expected rate of randomly occurring events.

315
Q

What can be predicted if cyber attacks are assumed to be a Poisson process?

A

Average number of issues per day and bounds.

316
Q

What does the upper left chart show for a SOC averaging two issues per day?

A

Distribution of alerts per day.

317
Q

What percentage of days will a SOC with two issues per day see 0 alerts?

A

17% of days.

318
Q

What is the probability of seeing 1 alert per day in a SOC with two issues per day?

A

27% of days.

319
Q

What is the probability of seeing 2 alerts per day in a SOC with two issues per day?

A

27% of days.

320
Q

How often will a SOC with two issues per day see 3 alerts?

A

18% of days.

321
Q

How often will a SOC with two issues per day see 4 alerts?

A

9% of days.

322
Q

How often will a SOC with two issues per day see 5 alerts?

A

4% of days.

323
Q

How often will a SOC with two issues per day see 6 alerts?

A

1% of days.

324
Q

How often will a SOC with two issues per day see 7 alerts?

A

0.3% of days.

325
Q

How can capacity planning be estimated with Poisson distribution?

A

By estimating issue count.

326
Q

What is a critical variable in capacity planning using Poisson distribution?

A

Issue count.

327
Q

What should a SOC do if staff can handle the worst days predicted?

A

No problem handling expected volume.

328
Q

What is a limitation of using Poisson distribution for issue count?

A

Doesn’t address average time to deal with issues.

329
Q

Where can you create interactive Poisson distribution charts?

A

Google or WolframAlpha.

330
Q

What is the POISSON.DIST function used for in Excel?

A

Building Poisson distribution models.

331
Q

What does the “cumulative” variable in POISSON.DIST determine?

A

Cumulative percentage up to that point.

332
Q

What does using FALSE for the cumulative variable in POISSON.DIST show?

A

Probability of specific number of alerts.

333
Q

What is shown by the cumulative distribution function?

A

Cumulative probability up to a point.

334
Q

What should you do if you have data on investigation times?

A

Group by category, graph, and find distribution.

335
Q

What should you do if you don’t have data on investigation times?

A

Use probabilistic modeling and surveys.

336
Q

What should be estimated to understand alert volume?

A

Minimum, average, and high-volume alert days

337
Q

What should be leveraged for estimating alert times?

A

Existing data

338
Q

What will be discussed over the next few slides?

A

Sub-dividing alerts and estimating times

339
Q

What does grouping triaged items by time show?

A

Multiple clusters of items

340
Q

What is not a completely random variable?

A

Triage time

341
Q

What tends to have an independent average time?

A

Items of one nature

342
Q

What leads to large margins of error in prediction?

A

Using whole population average

343
Q

What helps in better understanding alert times?

A

Breaking data into smaller groups

344
Q

What emerges from showing types of alerts in a histogram?

A

Detailed and nuanced picture

345
Q

What aligns well when further grouped by alert type?

A

Time taken to deal with alerts

346
Q

What is better than knowing the overall average alert time?

A

Average and variance for each type

347
Q

What allows more accurate workload prediction?

A

Detailed alert type data

348
Q

What may lead to diminishing returns?

A

Getting too fancy with data breakdown

349
Q

What are some options for estimating time?

A

Surveys, normal/log-normal, uniform, beta distributions

350
Q

What is a good starting place for modeling alert times?

A

Log-normal distribution

351
Q

What does survey data provide for estimating times?

A

Base data to start with

352
Q

What do most analysts self-report about investigation times?

A

Twenty minutes or less

353
Q

What might allow probabilistic estimation for investigation timing?

A

Choosing a good model like Poisson

354
Q

What stands out as a good distribution for alert times?

A

Log-normal distribution

355
Q

What is a log-normal distribution best used for?

A

Skewed data with no negative values

356
Q

What does the log-normal distribution prevent?

A

Negative investigation times

357
Q

What analysis is used to simulate total time required?

A

Monte Carlo analysis

358
Q

What is the starting point for estimating time required for alerts?

A

Log-normal distribution

359
Q

What tool can be used to subdivide alert types and categories for detailed estimates?

A

Excel

360
Q

What is the easiest method for running capacity planning simulations?

A

Monte Carlo analysis

361
Q

What does Monte Carlo analysis simulate for capacity planning?

A

Simulated distributions for count and time

362
Q

What does Monte Carlo analysis produce besides an average?

A

A range of total time needed

363
Q

What should be defined before running capacity planning calculations?

A

Exactly what is being calculated

364
Q

What type of data should be used in capacity planning?

A

Historical data

365
Q

What should be looked for in capacity planning besides averages?

A

Ranges

366
Q

What distribution is used to understand expected investigation time?

A

Log-normal distribution

367
Q

What distribution is used to bound expectations of alert count?

A

Poisson distribution

368
Q

What is a key security consideration for SOC members?

A

Keeping SOC members safe

369
Q

What should be separated to secure SOC data?

A

Separate SOC data and accounts

370
Q

What is a nightmare scenario for SOC managers and security teams?

A

Attacker leveraging SOC infrastructure

371
Q

What must be avoided to prevent a compromise of the security team?

A

Separate SOC data and accounts

372
Q

What roles must a SOC analyst play?

A

Normal employee, privileged user, investigator

373
Q

Why is separation of accounts and assets important?

A

To safely perform different roles

374
Q

What tasks might a SOC analyst perform?

A

Reading email, downloading files, browsing internet

375
Q

What access might SOC analysts have?

A

Sensitive data, power to make changes

376
Q

How can analysts operate safely in different roles?

A

Separate accounts and assets

377
Q

Why separate accounts and computers for SOC analysts?

A

To prevent role-based mistakes

378
Q

What is one risk of a single machine/account for SOC analysts?

A

Easy escalation for attackers

379
Q

What happens if an analyst’s machine is compromised?

A

All credentials can leak

380
Q

What is the benefit of separate machines and accounts?

A

Prevents privilege escalation

381
Q

What is a drawback of using separate machines and accounts?

A

Increased complexity and reduced productivity

382
Q

How can secure workstations be further protected?

A

Firewalling and hardened configurations

383
Q

What if authentication systems are compromised?

A

Leads to access to all security info

384
Q

What could mitigate domain controller compromise?

A

Separate authentication systems