Module 2 - Threat Management & Cybersecurity Resources Flashcards

1
Q

What are some features that SIEM (Security Information and Event Management) can perform?

A

1) SENTIMENT ANALYSIS - is the process of computationally identifying and categorizing opinions, usually expressed in response to textual data, to determine the writer's attitude toward a particular topic
2) USER BEHAVIOR ANALYSIS - looks at normal behavior of users and how they interact with systems to create a baseline of typical “everyday” activity
3) LOG AGGREGATION - combines data from multiple data sources to build a comprehensive picture of attacks

2
Q

Which data management tool can automate an incident response?

A

Security Orchestration, Automation and Response (SOAR)

is similar to SIEM in that it is designed to help security teams manage and respond to security warnings and alarms; SOAR takes it a step further by combining more comprehensive data gathering and analytics to automate incident response

3
Q

What premise is the foundation of threat hunting?

A

the premise that threat actors have already infiltrated the network

threat hunting is proactively searching for cyber threats that thus far have gone undetected

4
Q

What ISO standard contains controls for managing and controlling risk?

A

ISO 31000

5
Q

Which group is responsible for the Cloud Controls Matrix?

A

Cloud Security Alliance (CSA)

goal is to define and raise awareness of best practices to help secure cloud computing environments

the Cloud Controls Matrix is a specialized framework (meta-framework of cloud specific security controls)

6
Q

What is developed by established professional organizations or government agencies using the expertise of seasoned security professionals?

A

regulations

the process of adhering to regulations is called regulatory compliance

7
Q

What standard is used for handling customer card information?

A

Payment Card Industry Data Security Standard (PCI DSS)

was introduced to provide a minimum degree of security for handling customer card information

8
Q

What are some sources of general information that can provide valuable in-depth information on cybersecurity?

A

1) vendor websites
2) conferences
3) academic journals
4) local industry groups
5) social media

9
Q

What are documents authored by technology bodies employing specialists, engineers, and scientists who are experts in those areas?

A

Requests for Comments (RFCs)

RFCs describe methods, behaviors, research or innovations applicable to cybersecurity

10
Q

What technique is used by a threat actor after penetrating the network to probe other systems using their newly acquired elevated privilege?

A

lateral movement

with advanced privileges, threat actors tunnel through the network looking for additional systems they can access from their elevated position

11
Q

What is another name for footprinting?

A

footprinting is also known as active reconnaissance and is the preliminary information gathering from outside the organization

12
Q

What are the seven rules of engagement in conducting a penetration test?

A

1) timing - the timing parameter sets when the testing will occur; the first consideration is the start and stop dates of the test; the second consideration involves when the pen test should take place, i.e. during or after business hours
2) scope - is what should be tested; includes environments, internal targets, external targets, target locations and other boundaries
3) authorization - is the receipt of prior written approval to conduct the pen test; a formal written document MUST be signed by all parties before a pen test can begin
4) exploitation - the exploitation level in a pen test should also be part of the scope discussed in the planning stages; should a vulnerability be exploited if detected?
5) communication - the pen tester should communicate with the organization on several occasions during the process: initiation, incident response, status and emergency
6) cleanup - following exploitation of the systems the pen tester must ensure that everything related to the pen test has been removed
7) reporting - once the test is complete a report should be generated to document its objectives, methods used and results; the report should be divided into two parts: an executive summary and technical analysis

13
Q

What are some advantages of crowdsourced penetration testing?

A

1) faster testing, resulting in quicker remediation of vulnerabilities
2) ability to rotate teams so different individuals test the system
3) option of conducting multiple pen tests simultaneously

14
Q

What are the three levels of penetration testing given to testers?

A

1) black box - testers have no knowledge of the network and no special privileges
2) gray box - testers are given limited knowledge of the network and some elevated privileges
3) white box - testers are given full knowledge of the network and the source code of applications

15
Q

What are some reasons for NOT using internal employees to conduct a penetration test?

A

insider knowledge: employees often have in-depth knowledge of the network and its devices; a threat actor would not have the same knowledge

lack of expertise: internal employees may not have the credentials needed to perform a comprehensive test; their lack of expertise may result in few deep vulnerabilities being exposed

reluctance to reveal: employees may be reluctant to reveal a vulnerability discovered in a network or system that they or a fellow employee has been charged with protecting

16
Q

What are the four teams used in a penetration test war game scenario?

A

red team - attackers; scans for vulnerabilities and exploits them

blue team - defenders; monitors for red team attacks and shores up defenses as necessary

white team - referees; enforces the rules of the pen test

purple team - bridge; provides real-time feedback between red and blue teams to enhance the testing

17
Q

What are some characteristics of a penetration test?

A

a penetration test is performed to find deep vulnerabilities; a pen test goes beyond scans by attempting to exploit vulnerabilities using manual techniques; whereas a vulnerability scan utilizes internal employees, a penetration test can be conducted by either internal employees or by an external 3rd party

18
Q

What is the first step in performing an in-house penetration test?

A

planning

it is generally recognized that the most important element in a pen test is the first step: PLANNING; a lack of planning can result in a flawed penetration test that tries to do too little or too much

19
Q

What is the Cloud Security Alliance (CSA)?

A

the Cloud Security Alliance (CSA) is an organization whose goal is to define and raise awareness of best practices to help secure cloud computing environments; it created a specialized framework, the Cloud Controls Matrix, of cloud specific security controls; these controls are mapped to the leading standards, best practices and regulations regarding cloud computing and are generally regarded as the authoritative source of information about securing cloud resources

20
Q

Compare and contrast the two primary SOCs that relate to cybersecurity.

A

SSAE SOC 2 Type II - is an internal controls report that reviews how a company safeguards customer data and how well those controls are operating; is designed to determine if service organizations are compliant with the categories of security, availability, processing integrity, confidentiality and privacy

SSAE SOC 2 Type III - is the same as a SOC 2 Type II report except that it can be freely distributed; a SSAE SOC 2 Type II report can only be read by the user organizations that rely on the services

21
Q

Compare and contrast the 4 different ISO Standards discussed in Module 2.

A

ISO 27001 - is a standard that provides requirements for an information security management system (ISMS)

ISO 27002 - is a code of practice for information security management within an organization and contains 114 control recommendations

ISO 27701 - is an extension to ISO 27001 and is a framework for managing privacy controls to reduce risk of privacy breach to the privacy of individuals

ISO 31000 - contains controls for managing and controlling risk

22
Q

What are the 2 most widely used NIST frameworks?

A

1) NIST Risk Management Framework (RMF) - considered a guidance document designed to help organizations assess and manage risks to their information and systems; viewed as a road map that organizations can use to seamlessly integrate their cybersecurity, privacy and supply-chain risk management processes
2) NIST Cybersecurity Framework (CSF) - is used as a measuring stick companies can use to compare their cybersecurity practices to the threats they face

23
Q

What is NIST?

A

NIST is a cybersecurity framework operating under the U.S. Department of Commerce that includes guidelines for how to prevent and recover from an attack; it also provides guidelines for private companies on identifying, detecting, and responding to cybersecurity attacks

the framework is divided into 3 basic parts: 1) framework core 2) implementation 3) profiles

24
Q

What is the Center for Internet Security (CIS) framework?

A

the Center for Internet Security (CIS) is a nonprofit community-driven organization; it has created 2 frameworks: the CIS Controls are controls for securing an organization and consist of more than 20 basic and advanced cybersecurity recommendations; the CIS Benchmarks are frameworks for protecting 48 operating systems and application software

25
Q

What is the Payment Card Industry Data Security Standard (PCI DSS)?

A

the Payment Card Industry Data Security Standard (PCI DSS) is a cybersecurity standard that was introduced to provide a minimum degree of security for handling customer card information; Requirement 11 of the latest standard (PCI DSS 3.2.1) states that organizations must regularly test security systems and processes using both vulnerability scans and penetration tests

26
Q

What is GDPR?

A

GDPR is an international data privacy regulation; its aim is to give individuals control over their personal data, to address the transfer of personal data to areas outside of the European Union (EU) and European Economic Area (EEA), and to simplify the regulatory environment for international business by creating a single regulation across all EU members

27
Q

What are the teams and their respective roles when conducting a “War Game”?

A

red team - role is the attackers; their role is to scan for vulnerabilities and then exploit them

blue team - role is the defenders; their goal is to monitor for red team attacks and shore up defense as necessary

white team - role is the referees; their goal is to enforce the rules of the penetration test

purple team - role is the bridge; their goal is to provide real-time feedback between red and blue teams in order to enhance the penetration test

28
Q

What is passive reconnaissance?

A

passive reconnaissance is when a tester uses tools that do not raise any alarms; this includes searching online for publicly accessible information called open source intelligence (OSINT) that can reveal valuable insight about the system

basically calls for testers to quietly “make do” with whatever information they can accumulate from public sources

29
Q

What is active reconnaissance and give some examples.

A

active reconnaissance involves directly probing for vulnerabilities and useful information, much like a threat actor would

war driving and war flying are two examples of active reconnaissance; tools used in war driving: 1) mobile computing device 2) wireless NIC adapter 3) antenna(s) 4) software 5) GPS receiver

active reconnaissance relies on traffic being sent to the targeted system

30
Q

What is privilege escalation, lateral movement and pivoting in regards to penetration test?

A

privilege escalation is an attempt by threat actors to “escalate” to more advanced resources that are normally protected from an application or user

after threat actors gain advanced privileges they use lateral movement to tunnel through the network looking for additional systems to compromise

once a threat actor gains entry to the network, they will pivot or turn to other systems to be compromised

31
Q

What is the key attribute required for penetration testers?

A

persistence, which is defined as determination, resolve and perseverance; pen testers should be prepared for spending long hours and even days searching for vulnerabilities that they may or may not discover

32
Q

What happens after exploitation and before reporting when defining the rules of engagement in a penetration test?

A

following exploitation of the systems outlined in the scope, the pen tester must ensure that everything related to the pen test has been removed; this is the cleanup phase of a pen test and should be clearly outlined in the rules of engagement; cleanup involves removing all software agents, scripts, executable binaries, temporary files and backdoors from all affected systems

in short, systems should be returned to their pre-engagement state

33
Q

In reference to penetration testing what are the rules of engagement?

A

rules of engagement in a penetration test are its limitations or parameters; without these parameters a penetration test can easily veer off course and not accomplish the desired results, take too long to produce results, or test assets that are not necessary to test

the categories for the rules of engagement are:

1) timing
2) scope
3) authorization
4) exploitation
5) communication
6) cleanup
7) reporting

34
Q

What is a bug bounty?

A

a bug bounty is a monetary reward given for uncovering a software vulnerability; companies are taking advantage of crowdsourcing; this is becoming common in penetration testing; rather than contracting with a 3rd party as a single external tester, it offers faster testing, resulting in quicker remediation of vulnerabilities, ability to rotate teams, and option of conducting multiple pen tests simultaneously

35
Q

Compare and contrast the 3 different penetration testing levels.

A

black box - testers have no knowledge of the network; emulates exactly what a threat actor would do and see; main goal is to penetrate the network

gray box - testers are given limited knowledge of the network and some elevated privileges; more efficiently assesses security instead of spending time trying to penetrate and decide which systems to attack; focuses on systems with the greatest risk and value to the organization

white box - testers are given full knowledge of network and source code of apps; focuses directly on systems to test; identifies potential points of weakness

36
Q

What is Security Orchestration, Automation, and Response (SOAR)?

A

a product similar to a SIEM product in that it is designed to help security teams manage and respond to security warnings and alarms; however, SOARs take it a step further by combining more comprehensive data gathering and analytics to automate incident response

37
Q

What is sentiment analysis?

A

performed by SIEMs, is the process of computationally identifying and categorizing opinions, usually expressed in response to textual data, to determine a writer’s attitude toward a particular topic; is the interpretation and classification of emotions within text data using text analysis techniques

38
Q

What is user behavior analysis?

A

a feature of SIEM that looks at the normal behavior of users and how they interact with systems to create a picture of typical, “everyday” activity

39
Q

What are some typical features of a SIEM product?

A

aggregation - SIEM combines data from multiple data sources

correlation - searches data acquired through aggregation to look for common characteristics

alerts - can inform security personnel of critical issues; can be automated

time synchronization - because alerts can occur over a wide spectrum of time, time synchronization can show the order of events

event duplication - can filter multiple alerts into a single alert

logs - records of events that can be retained for future analysis

40
Q

What is Security Information and Event Management (SIEM)?

A

a SIEM product consolidates real-time security monitoring and management of security information with analysis and reporting of security events

a SIEM product can be a separate device, software that runs on a computer or even a service provided by a 3rd party

the starting point of SIEM is data; the data feeds into a SIEM are the standard packet captures of network activity and log collection

41
Q

What is a configuration review?

A

an examination of the software settings for a vulnerability scan

this includes defining what devices to scan; ensuring the scan meets its desired goals; determining the sensitivity level of the scan, i.e. the depth of the scan; and specifying data types to be scanned

a configuration review can also reduce the vulnerability scan’s impact on overall network performance

42
Q

What is used to determine whether a vulnerability is critical and should be addressed/resolved?

A

vulnerabilities need to be prioritized so that the most important ones are addressed first while others are delayed or not even addressed; a numeric score is generated and assigned to a vulnerability based on the Common Vulnerability Scoring System (CVSS); this system uses a complex formula that considers variables such as access vectors, attack complexity, authentication, confidentiality of the data, and the system integrity and availability; attention should first be given to vulnerabilities deemed to be critical (those that can cause the greatest harm to the organization)

43
Q

How does vulnerability scanning software work?

A

it works by comparing the software it scans against a set of known vulnerabilities; this monitoring requires access to an updated database of vulnerabilities along with a means of actively comparing and matching to known vulnerabilities; the most popular vulnerability feed/database is the Mitre Common Vulnerabilities and Exposures (CVE); the CVE identifies vulnerabilities in operating systems and application software

44
Q

What needs to be considered when deciding to perform a vulnerability scan?

A

there are 2 primary reasons for not conducting around the clock vulnerability scans

1) workflow interruptions - the scan impacts the response times of systems
2) technical constraints - if a network has a lot of devices it may not be possible to scan the entire network; also, limits on bandwidth and software licenses can limit the scan

*another consideration is what to scan; most organizations will scan the network, applications and web applications on a rotating basis or when a new application is developed or when a new device is added to the network

45
Q

Compare and contrast intrusive scan and non-intrusive scan.

A

an intrusive vulnerability scan attempts to exploit any vulnerabilities that it finds, much like a threat actor would

a non-intrusive vulnerability scan does not attempt to exploit the vulnerability but only records that it was discovered

46
Q

What is the difference between a credentialed vulnerability scan and a non-credentialed vulnerability scan?

A

in a credentialed vulnerability scan, valid authentication credentials such as usernames and passwords are supplied to the vulnerability scanner to mimic the work of a threat actor who possesses these credentials

in a non-credentialed vulnerability scan, no valid authentication credentials are provided; it runs faster than a credentialed scan because it performs only fundamental actions, whereas credentialed scans can provide deeper insight into the system by accessing a fuller range of software

47
Q

What considerations need to be examined to determine the accuracy of a vulnerability scan?

A

false positives and false negatives

vulnerability scans can produce false positives because the scan options may not have been well defined or may have been missed in a configuration review or the scanner might not recognize a control that is already in place to address an existing vulnerability

log reviews - an analysis of log data can be used to identify false positives

48
Q

What are some crowdsourced attack data used by threat hunters in threat hunting investigations?

A

advisories & bulletins - information from crowdsourced data

threat feeds - cybersecurity data feeds that provide information on the latest threats

fusion center - is a formal repository of information from enterprises and the government used to share information on the latest attacks; by learning from others who have been successfully attacked, threat hunters can use this attack data for insight into the attackers' tactics, techniques and procedures

49
Q

What is a technique used by threat hunters to identify unusual behavior?

A

maneuvering

is the process of a threat hunter performing unusual behavior in order to identify a possible threat

ex) passwords on an Admin's account are changed every two hours (not normal activity) to determine if a hidden threat actor is making internal password cracking attempts

50
Q

What is threat hunting?

A

threat hunting is proactively searching for cyber threats that thus far have gone undetected in the network

threat hunting begins with a critical major premise - threat actors have already infiltrated the network

it proceeds to find unusual behavior that may indicate malicious activity

51
Q

What are some information sources that provide in-depth information for cybersecurity professionals?

A

RFCs - white paper documents

vulnerability feeds - databases that provide information on the latest vulnerabilities

threat feeds - databases that provide the latest outline of current threats & attacks

adversary tactics, techniques & procedures - (TTP) is a database of the behavior of threat actors and how they orchestrate and manage attacks

generic sources including: vendor websites, conferences, academic journals, local industry groups and social media