Lecture 4 pt. 5 Flashcards
What does NIST Special Publication 800-61 cover?
The major phases of the incident response process
NIST defines the incident response process in detail.
What is considered one of the most challenging phases of the incident response process?
The detection and analysis phase
It might be the most difficult task in incident response.
What is critical to eliminating network blind spots?
Implementing analytics and correlation tools
Typical networks have ‘blind spots’ where anomalous traffic goes undetected.
What must the incident response team do when an incident is detected?
React quickly to analyze and validate each incident
This is done by following a predefined process.
What are some NIST recommendations for incident analysis?
- Profile networks and systems
- Understand normal behaviors
- Create a log retention policy
- Perform event correlation
- Maintain and use a knowledge base
- Use Internet search engines for research
- Create effective communication processes
- Run packet sniffers to collect data
- Filter the data
- Seek assistance from others
- Keep all host clocks synchronized
- Know different types of attacks and attack vectors
These recommendations help in effective incident analysis.
Fill in the blank: The _______ phase of incident response involves validating and analyzing incidents.
[detection and analysis]
What does deterministic analysis evaluate?
The potential success of an exploit by estimating the likelihood of subsequent successful steps
It focuses on the conditions necessary for a successful exploit.
What does probabilistic analysis assume about the exploit process?
That the port numbers used by an exploit can be predicted with some degree of confidence
This analysis uses statistical techniques to evaluate risk.
What is Security Onion?
An open-source suite of Network Security Monitoring (NSM) tools that run on Ubuntu Linux
It can be installed as a standalone or as a sensor and server platform.
What are the three core functions of Security Onion tools?
- Full packet capture
- Network-based intrusion detection systems (NIDS)
- Host-based IDSs (HIDS)
These functions support cybersecurity analysts in monitoring and analyzing network security.
What generates security alerts in Security Onion?
NSM tools, systems, and security devices
Alerts generally include five-tuples information and timestamps.
What is the purpose of the Sguil tool?
To integrate alerts from multiple sources into a timestamped queue for investigation
Analysts classify, escalate, or retire alerts using Sguil.
What does the Sguil application window display?
A queue of alerts with color-coded status indicating event severity
It helps analysts prioritize alerts for investigation.
