LDR551_Book1 Flashcards

(242 cards)

1
What are common goals of attackers?
Intellectual property theft, extortion, destruction
2
How might an attacker exploit key IT assets?
To damage or hijack value creation.
3
What are the main categories to break down a SOC?
Business Alignment, Technology, People, Process.
4
What is crucial for SOCs to avoid reliance on ‘tribal knowledge’?
Solid foundation of processes and procedures.
5
What has driven increased understanding of cyber risk by businesses?
Heightened awareness and impact of breaches.
6
What do most organizations focus on in their cyber defense programs?
Technology solutions and tools.
7
What functions are consolidated in security operations?
Hunt, threat intelligence, IR functions.
8
What has brought increased visibility to the cyber security function?
Better articulated requirements
9
What aspect of the maturity model saw the biggest single-year jump?
People
10
What happens to SOCs without solid processes and procedures?
Reliant on ‘tribal knowledge’
11
What cripples the capability of SOCs lacking good processes?
Turnover of individuals
12
What stands out in the most capable cyber defense programs?
Repeatability, continuous improvement, metrics
13
What is the average measured maturity score for security operations teams?
Between 1 and 2
14
What does a score between 1 and 2 indicate about SOCs?
Tools not well-integrated, lack of structured process
15
What makes the effectiveness of most cyber defense programs unpredictable?
Lack of repeatability, metrics, continuous improvement
16
What is the ideal maturity level for most enterprise SOCs?
Level 3
17
What is the ideal maturity level for most managed service provider SOCs?
Level 4
18
What is a key characteristic of level 5 maturity?
Processes are rigid and less flexible
19
What is a significant downside of rigid processes in SOC management?
Significant overhead outweighs benefits.
20
What can rigid processes and overhead lead to in SOCs?
They can become counter-productive.
21
How can rigid processes affect SOC workforce engagement?
They can create a less engaged workforce.
22
What is a potential consequence of a less engaged SOC workforce?
Higher turnover in the SOC.
23
What are the biggest challenges for SOCs according to the SANS SOC Survey?
Lack of context, skilled staff, visibility, and automation.
24
What is one of the goals for new SOCs in the course?
Building a solid starting foundation.
25
What is a key focus for all SOCs in the course?
Move toward "level 3-4" maturity level.
26
What tactics will be used to ensure continuous improvement in SOCs?
Continuous improvement tactics and metrics.
27
What is the purpose of automation and orchestration in SOCs?
To "do more with less".
28
What are the three main sections of the class?
Creating your SOC, Execution, Continuous Improvement.
29
What is the fictional organization used for scenario-driven problem solving in the class?
Ops Outpost.
30
What is the course roadmap for the SOC class?
Design and Planning, Telemetry and Analysis, Detection and Triage, Response, Metrics.
31
What is included in SOC Planning Overview?
SOC Mission, Requirements, Goals, Standards, Policies, Roles, Staffing.
32
What is the first step in SOC planning?
Decide between internal SOC, MSSP, or hybrid model.
33
What should and shouldn't be considered a SOC?
Occasionally, the term "SOC" is used inappropriately.
34
What follows the discussion on SOC models?
Defining the mission, constituents, and capabilities.
35
What does defining SOC standards include?
Standards, policies, services, roles, staffing, charter, steering committee.
36
What is a common solution for organizations with 0-1,000 users?
MSSP + non-dedicated internal security team.
37
What is a common solution for organizations with 1,000-10,000 users?
MSSP Hybrid with some functions in-house.
38
What is a common solution for organizations with 10,000-100,000 users?
Full internal SOC with possible outsourcing.
39
What is a common solution for organizations with 100,000+ users?
Full-fledged internal SOC with auxiliary services.
40
What determines if a dedicated internal SOC is right for an organization?
Number of employees and assets to protect.
41
Why might a small organization not need a dedicated security group?
Cost-prohibitive due to headcount and hardware requirements.
42
When might a small organization need a dedicated security team?
If dealing with regulatory compliance, health, or payment data.
43
What is a common practice for companies with fewer than 1,000 people?
Utilize managed security service providers (MSSPs).
44
What is a hybrid SOC model?
MSSP handles monitoring, in-house specialists handle incidents.
45
What is a key consideration for organizations with over 10,000 people?
Full-fledged SOC with most roles covered in-house.
46
What should you define when planning a SOC?
Mission, goals, threats, requirements, constituency, capabilities.
47
What are common high-level goals of a SOC?
Situational awareness, monitoring, preventing/minimizing impact.
48
What is the mission of the average security-focused SOC?
Maintain situational awareness, monitor events, prevent damage.
49
What should SOCs maintain awareness of?
Situational awareness of the threat landscape.
50
What is the key goal of any SOC?
Situational awareness of internal and external security environments.
51
What is the "detection" piece of the SOC process?
Monitoring network and endpoint events for suspicious activity.
52
What is the ideal role of a SOC in cyber incidents?
Preventing or minimizing damage and disruption.
53
What should a SOC do when bad things happen?
Run down the ground truth, clean up, and restore order.
54
What is a "mission statement" for a SOC?
Output of the phase defining SOC's goals.
55
What are key questions in threat modeling?
What to protect, from whom, likelihood, consequences, and effort.
56
What is the essence of Sun Tzu's quote in threat modeling?
Preparation, understanding the enemy, and resource optimization.
57
What is required for effective defense?
Starting with the best possible threat model.
58
What should everyone in a SOC think about daily?
Who the enemy is, what they want, and how they'll get it.
59
What is the entire point of threat intelligence?
Developing a strategic and tactical advantage over adversaries.
60
What must SOCs consider in their operations?
Compliance frameworks, standards, company policies, service levels.
61
What are common compliance frameworks affecting infosec?
GDPR, PCI-DSS, HIPAA, NIST SP 800-171, SOX, GLBA.
62
What does GDPR require?
Businesses must protect EU citizen personal data.
63
What is PCI-DSS designed to protect?
Credit cardholder data.
64
What does HIPAA regulate?
Privacy and security rules for health care information.
65
What does NIST 800-171 recommend?
Security requirements for protecting Controlled Unclassified Information (CUI).
66
What are examples of control frameworks?
CIS Critical Security Controls, NIST SP 800-53.
67
What are examples of program frameworks?
NIST Cyber Security Framework (CSF), ISO/IEC 27001.
68
What are examples of risk frameworks?
NIST SP 800-30, SP 800-37, SP 800-39, ISO/IEC 27005.
69
What are the three main types of cybersecurity frameworks?
Controls frameworks, program frameworks, and risk assessment frameworks.
70
What is the purpose of controls frameworks?
To provide baseline controls to mitigate cyber intrusions.
71
How do controls frameworks help established SOCs?
They assess technical capability and prioritize budget use.
72
Name two examples of controls frameworks.
CIS Controls and NIST SP 800-53.
73
What are the three implementation groups in the CIS Controls list?
Basic cyber hygiene, implementation group one.
74
What is the NIST Cyber Security Framework?
A program framework for structuring and operating security programs.
75
What is the purpose of risk frameworks?
To provide a standard way of assessing risk.
76
Name one example of a risk framework.
NIST SP 800-30 Guide for Conducting Risk Assessments.
77
What is SOC-CMM?
A tool for assessing SOC capabilities.
78
What should you do if creating new cybersecurity policies?
Leverage pre-made IT policy templates.
79
What is the SOC's constituency?
The set of users, assets, networks, or organizations secured by the SOC.
80
What should be well defined for the SOC?
Group scope of protection
81
What should you consider when selecting SOC services?
Size and capacity of your team
82
What are small organizations' SOC services focused on?
Monitoring and detection
83
What might large organizations' SOC services include?
Core SOC functions and auxiliary capabilities
84
What is encouraged when choosing SOC services?
Not to boil the ocean from the start
85
What is a smart plan for SOC service offerings?
Break into phases for rollout
86
What should a SOC charter include?
Goals, mission statement, scope, authority
87
Why is the SOC charter important?
Authorizes SOC build and operation
88
Who should sign off the SOC charter?
Management
89
What is the purpose of the SOC steering committee?
Ensure business alignment and correct activities
90
What is the role of the steering committee in SOC planning?
Provides two-way communication with business
91
When should steering committee meetings be held?
Regularly or with significant changes
92
What is the goal regarding security in new initiatives?
Ensure security has a seat at the table
93
What does "shift left" in DevSecOps mean?
Add security from the start
94
What is a better approach to cloud security?
Notify security before usage
95
What is a good way to ensure security stays aware and represented in initiatives?
Constant engagement with IT, Legal, and Finance
96
What is the "10 tight/25 right/100 light" rule for tracking key relationships?
10 close, 25 regular, 100 occasional contacts
97
What should you create to list SOC services and major organization/business units?
An alignment matrix
98
Why is it important to show up for discussions outside of your immediate responsibilities?
To build key relationships
99
What should you do to prepare for meetings and interactions?
Prepare for both major meetings and 1-on-1 interactions
100
How can you stay informed about your company's mission or business?
Read 10-K, annual reports, analyst reports, and strategy documents
101
What is the first step in SOC Planning according to the SOC Planning Summary?
Define your mission and specific goals
102
What is the purpose of creating a SOC Charter and Mission?
To build an organizationally-aligned security team
103
What is the first step in SOC functions?
Collection
104
What follows detection in SOC functions?
Triage
105
What is the final step in SOC functions?
Incident Response
106
What must be done to identified activity?
Triage for closer analysis
107
What happens to confirmed malicious activity?
Passed to incident response
108
What is required for all SOC steps?
Continuous improvement
109
What does "garbage in, garbage out" imply in SOC?
Good data is essential
110
What does the SOC take as its main input?
Environment data
111
What is considered the second input in SOC?
Threat intelligence
112
What is the output of the SOC?
Identified, minimized, remediated incidents
113
What does threat intelligence help identify?
Potential attacks
114
What must be done to understand SOC in detail?
Zoom in on SOC workings
115
What does SOC collect from the environment?
Network transactions, file downloads, etc.
116
What is the goal of understanding SOC functions?
Clear model of SOC functions
117
What helps understand data flow in SOC?
Zooming in on SOC functions
118
What does breaking down SOC help achieve?
Common terminology
119
What is necessary for each function in attack identification?
Constant stream of feedback
120
What does deconstructing security operations help with?
Shows factors required for success
121
What are the core SOC activities?
Data Collection, Detection, Triage, Incident Response
122
What are the specialty/auxiliary functions?
Threat Intelligence, Forensics, Self-Assessment
123
Who typically performs core SOC activities?
SOC engineers, analysts, incident responders
124
What is the role of threat intelligence in SOC?
Improves attack detection
125
What does forensics support in SOC?
Incident Response (IR)
126
What is the purpose of self-assessment in SOC?
Feedback on SOC performance
127
What does the self-assessment function include?
Vulnerability assessments, penetration testing, Red Teaming
128
What drives the detection capability in SOC?
Threat intelligence
129
What happens to detected items in SOC?
Passed to triage and investigation
130
What assists incident response in SOC?
Specialty forensics
131
What is the output of incident response?
Remediated or prevented issues
132
What is the first step in the SOC process?
Collection
133
What is the output of the collection step in SOC?
Events (logs, network traffic, metadata)
134
Where is data turned into events typically generated?
On an endpoint device or from network traffic.
135
How is data centrally collected for SIEM indexing?
Via an endpoint agent or sensor.
136
What is analyzed against detection rules in SIEM?
Output events (logs and traffic metadata).
137
What is the goal of the data collection stage?
Thorough collection of all security relevant data.
138
Who determines the type of data you can record?
Data, infrastructure, or endpoint engineers.
139
What determines the Windows logs that are generated?
Audit policy set in Windows Group Policy Objects.
140
What requires cooperation with the network operations team?
Network taps.
141
What informs the specific data to be collected?
Threat intelligence function.
142
What is required for a thorough collection strategy in most SOCs?
Cooperation across multiple teams and budget.
143
What are the inputs and outputs of the detection stage?
Input: Events + threat intel, Output: Alerts.
144
Who is responsible for detection in SOCs?
Detection/Content Engineering, SOC Analysts, Threat Hunters.
145
How are potential attacks identified from collected data?
Automated analytics engines or manual threat hunting.
146
Who typically creates analytics or correlation rules in larger organizations?
A dedicated detection engineering team.
147
What is the goal of the detection stage?
Find malicious activity and alert with minimal false positives.
148
What correlates with SOC effectiveness in detection?
Quality of tools and threat hunting capabilities.
149
What does successful detection rely on?
Data availability from the collection stage.
150
What are the inputs and outputs of the triage stage?
Input: Alerts, Output: Ranked alerts.
151
What is the goal of the triage stage?
Identify and manage the most important alerts.
152
What factors influence triage decisions?
Attack progression, system criticality, account privilege.
153
What knowledge helps analysts in triage?
Lockheed Martin Cyber Kill Chain, MITRE ATT&CK framework.
154
What is the goal of the investigation stage?
Accurate verification of alerts as true or false positives.
155
What should analysts do when false positives occur?
Feed information back to the detection engineering team.
156
How should analysts perform the investigation stage?
In a rigorous way, free of cognitive bias.
157
What is the main trap new analysts fall into?
Confirmation bias
158
What mistake do many analysts make when matching alerts?
Gather data to confirm their belief
159
Why is matching alerts to beliefs the wrong approach?
Ignores other possible scenarios
160
How should analysts verify a theory?
Attempt to disprove it
161
What improves with thorough training and experience?
Verification of theories
162
What should analysts do after completing an investigation?
Spin up incident response
163
Who handles incident response in large organizations?
Separate team
164
Who handles incident response in smaller organizations?
Analysts
165
What is the goal of incident response?
Fast, complete remediation and recovery
166
What tools help analysts quickly query events?
EDR and centralized SIEM logging
167
What are the outputs of incident response?
Remediation and lessons learned
168
Why is feedback crucial in incident response?
Prevents similar incidents
169
What does tracking details over the long term provide?
Tactical and strategic advantage
170
What is the final piece of the SOC process puzzle?
Continuous improvement
171
What does conceptual feedback do?
Modifies input based on output
172
What helps understand the health of the SOC process?
Metrics
173
How should SOC functions be thought of?
Like steps in a manufacturing line
174
What is the goal of useful metrics collection?
Optimize each function individually
175
What are the core SOC activities?
Collection, detection, triage, investigation, incident response
176
What do metrics provide in the SOC process?
Feedback for continuous improvement
177
What is the importance of high-quality inputs in SOC operations?
High-quality inputs optimize SOC process outputs.
178
What will be discussed in detail through the rest of the course?
Components of SOC functions and their KPIs.
179
What are the key focuses of team creation in SOC?
Org charts, tiered vs. tierless, hiring, training.
180
What should you consider when creating a SOC org chart?
Quick communication, manageable team size, mission effectiveness.
181
What are the core functions of a SOC?
Detection, Incident Response, Support.
182
What is the role of the IR group in organizations?
Clean separation of duties.
183
What does the IR group typically include?
Analysts, forensics capacity.
184
What functions support the SOC?
Architects, system administrators, engineers.
185
Who may handle new analytic writing in some SOCs?
Analysts.
186
What is the mission of the assessment team?
Ensure company is secured from cyber attacks.
187
What is the goal of the threat intel team?
Support SOC activities.
188
Why should the incident response and threat intel teams be under shared management?
Maximize communication and collaboration.
189
What are the core SOC activities?
Detection, triage, analysis, IR.
190
What might organizations need as they grow?
More subgroups or layers of management.
191
Why might forensics be separate from the SOC?
Specialized knowledge different from analysts.
192
What other groups might utilize forensic experts?
Internal corporate investigations, insider threats.
193
Why keep lines of communication open between SOC and other teams?
Compensate for management separation.
194
What is the traditional tiered analyst model?
Tier 1 triages alerts, escalates complex issues.
195
What happens to alerts that analysts cannot determine or require complex solutions?
Get escalated to Tier 2
196
Who handles alerts that Tier 2 cannot resolve?
Tier 3
197
What is the job breakdown of Tier 1-3 dependent on?
The organization
198
What do SOCs with dedicated incident response teams use tiers for?
Increasing difficulty of triage and investigation
199
What tasks are typically assigned to Tier 1 in SOCs without incident response groups?
Triage and alert investigation/validation
200
What tasks are typically assigned to Tier 2 in SOCs without incident response groups?
Incident response
201
What tasks are typically assigned to Tier 3 in SOCs without incident response groups?
Hunting, malware reversing, specialty tasks
202
What should you consider when going with a tiered model for your SOC?
What's most important to you and SOC structure
203
How do analysts in tierless SOCs handle alerts?
All levels triage and investigate alerts
204
What is a key characteristic of the analysis function in tierless SOCs?
Much flatter
205
What is a downside of tiered SOCs for analysts?
Limits analyst growth
206
What is a pro of tierless SOCs for analysts?
Uncapped analyst talent growth
207
What is a con of tierless SOCs?
Less defined process
208
What can cause analysts in tiered SOCs to lose enthusiasm?
Narrow track of repetitive tasks
209
What might analysts do if they can't quickly move to the next tier?
Look for another job
210
Why might MSSPs prefer tiered SOCs?
Customers expect best practice
211
What are some benefits of a tierless model for internal SOCs?
Long-term retention, analyst growth
212
What should you consider when choosing between tiered and tierless models?
Defined process importance, analyst number, budget
213
How many people are needed for a single 24x7x365 seat?
Five people
214
What is a benefit of a 9x5 SOC with on-call positions?
Lower costs, less disruption
215
What can MSSPs provide for off-hours coverage?
If budget allows
216
What is the minimum number of people needed for a 24/7 shift configuration?
10-12 people
217
Why are 12-hour shifts not recommended?
Burnout, efficiency drop, personal life balance
218
What are common shift durations for continuous coverage?
12-hour, 10-hour, 8-hour shifts
219
What is a "follow-the-sun" coverage model?
Teams in multiple time zones cover 24/7
220
What percentage of SOCs operate 24/7 according to the survey?
80%
221
What are some alternative shift configurations mentioned?
9/80, 10/40, 12-hour shifts
222
What should be included in an MSSP service contract?
Scope, alert validation, escalation plans
223
What are three key questions for MSSP SLAs?
Value measurement, breach response, service continuity
224
What is a critical part of MSSP onboarding?
Technology deployment, credential sharing, knowledge transfer
225
What should technology deployment be treated as?
Its own major project or basic installation
226
How should vendor-provided hardware and software be treated?
Subject to vulnerability assessment and updates
227
What does credential sharing involve?
Creating domain accounts or establishing VPN connections
228
What increases your attack surface in supply chain risk management?
Establishing trust relationships with vendors
229
What has been a common initial access point for data breaches?
Trusted connections
230
What should an analyst consider to validate alerts and investigate anomalies?
Network diagrams, asset lists, IP ranges
231
What should you develop with your MSS for better incident management?
A communications plan
232
How long does an escalation plan usually need to work out bugs?
Thirty to sixty days
233
What do MSS relationships require for success?
Active engagement and ongoing management
234
Why might SOC teams be unhappy with their MSSPs?
Little to no value from the service
235
What is crucial for hiring the best candidates?
A solid recruiting effort
236
What can steer interviews in the wrong direction?
Poorly performed interviews
237
Where should you not only advertise your SOC jobs?
On your organization's website
238
Where can you meet potential infosec recruits in person?
Infosec conferences and local groups
239
What type of attitude are you looking for in recruits?
Willing to learn more about infosec
240
What can you do with ungraduated candidates from college clubs?
Pre-select them as interns
241
Where do infosec enthusiasts commonly hang out online?
Forums, email lists, Slack, Discord
242
Where can you find potential recruits during online CTFs?
RPG video game style boards