Module 2 - Threat Management & Cybersecurity Resources Flashcards
What are some features that SIEM (Security Information and Event Management) can perform?
1) SENTIMENT ANALYSIS - is the process of computationally identifying and categorizing opinions expressed in text to determine the writer's attitude toward a particular topic
2) USER BEHAVIOR ANALYSIS - looks at normal behavior of users and how they interact with systems to create a baseline of typical “everyday” activity
3) LOG AGGREGATION - combines data from multiple data sources to build a comprehensive picture of attacks
Which data management tool can automate an incident response?
Security Orchestration, Automation and Response (SOAR)
is similar to SIEM in that it is designed to help security teams manage and respond to security warnings and alarms; SOAR takes it a step further by combining more comprehensive data gathering and analytics to automate incident response
What premise is the foundation of threat hunting?
the premise that threat actors have already infiltrated the network
threat hunting is proactively searching for cyber threats that thus far have gone undetected
What ISO standard contains controls for managing and controlling risk?
ISO 31000 (risk management principles and guidelines; it is a guidance standard and, unlike ISO 27001, an organization cannot be certified against it)
Which group is responsible for the Cloud Controls Matrix?
Cloud Security Alliance (CSA)
goal is to define and raise awareness of best practices to help secure cloud computing environments
the Cloud Controls Matrix is a specialized framework (meta-framework of cloud specific security controls)
What is developed by established professional organizations or government agencies using the expertise of seasoned security professionals?
regulations
the process of adhering to regulations is called regulatory compliance
What standard is used for handling customer card information?
Payment Card Industry Data Security Standard (PCI DSS)
was introduced to provide a minimum degree of security for handling customer card information
What are some sources of general information that can provide valuable in-depth information on cybersecurity?
1) vendor websites
2) conferences
3) academic journals
4) local industry groups
5) social media
What are documents authored by technology bodies employing specialists, engineers, and scientists who are experts in those areas?
Requests for Comments (RFCs)
RFCs describe methods, behaviors, research or innovations applicable to cybersecurity
What technique is used by a threat actor after penetrating the network to probe other systems using their newly acquired elevated privilege?
lateral movement
with advanced privileges, threat actors tunnel through the network looking for additional systems they can access from their elevated position
What is another name for footprinting?
footprinting is also known as active reconnaissance; it is the preliminary information gathering from outside the organization (note: many other sources use "footprinting" for the passive, non-intrusive information-gathering phase instead; for this module, footprinting = active reconnaissance)
What are the seven rules of engagement in conducting a penetration test?
1) timing - sets when the testing will occur; the first consideration is the start and stop dates of the test, the second is when during the day the pen test should take place, i.e. during or after business hours
2) scope - is what should be tested; includes environments, internal targets, external targets, target locations and other boundaries
3) authorization - is the receipt of prior written approval to conduct the pen test - a formal written document MUST be signed by all parties before a pen test can begin
4) exploitation - exploitation level in a pen test should also be part of the scope discussed in the planning stages; should a vulnerability be exploited if detected?
5) communication - pen tester should communicate with the organization on several occasions during the process - initiation, incident response, status and emergency
6) cleanup - following exploitation of the systems the pen tester must ensure that everything related to the pen test has been removed
7) reporting - once the test is complete a report should be generated to document its objectives, methods used and results; report should be divided into two parts - an executive summary and technical analysis
What are some advantages of crowdsourced penetration testing?
1) faster testing, resulting in quicker remediation of vulnerabilities
2) ability to rotate teams so different individuals test the system
3) option of conducting multiple pen tests simultaneously
What are the three levels of penetration testing given to testers?
1) black box - testers have no knowledge of the network and no special privileges
2) gray box - testers are given limited knowledge of the network and some elevated privileges
3) white box - testers are given full knowledge of the network and the source code of applications
What are some reasons for NOT using internal employees to conduct a penetration test?
insider knowledge: employees often have in-depth knowledge of the network and its devices; a threat actor would not have the same knowledge
lack of expertise: internal employees may not have the skills and qualifications needed to perform a comprehensive test; their lack of expertise may result in few deep vulnerabilities being exposed
reluctance to reveal: employees may be reluctant to reveal a vulnerability discovered in a network or system that they or a fellow employee has been charged with protecting
What are the four teams used in a penetration test war game scenario?
red team - attackers; scans for vulnerabilities and exploits them
blue team - defenders; monitors for red team attacks and shores up defenses as necessary
white team - referees; enforces the rules of the pen test
purple team - bridge; provides real-time feedback between red and blue teams to enhance the testing
What are some characteristics of a penetration test?
a penetration test is performed to find deep vulnerabilities; a pen test goes beyond scans by attempting to exploit vulnerabilities using manual techniques, whereas a vulnerability scan is largely automated and only reports what it detects; a vulnerability scan is usually run by internal employees, while a penetration test can be conducted either by internal employees or by an external 3rd party
What is the first step in performing an in-house penetration test?
planning
it is generally recognized that the most important element in a pen test is the first step: PLANNING; a lack of planning can result in a flawed penetration test that tries to do too little or too much
What is the Cloud Security Alliance (CSA)?
the Cloud Security Alliance (CSA) is an organization whose goal is to define and raise awareness of best practices to help secure cloud computing environments; it created a specialized framework, the Cloud Controls Matrix, of cloud specific security controls; these controls are mapped to the leading standards, best practices and regulations regarding cloud computing and are generally regarded as the authoritative source of information about securing cloud resources
Compare and contrast the two primary SOCs that relate to cybersecurity.
SSAE SOC 2 Type II - is an internal controls report that reviews how a company safeguards customer data and how well those controls are operating; is designed to determine if service organizations are compliant with the categories of security, availability, processing integrity, confidentiality and privacy
SSAE SOC 2 Type III - is the same as a SOC 2 Type II report except that it can be freely distributed; a SSAE SOC 2 Type II report can only be read by the user organizations that rely on the services (note: in AICPA terminology the freely distributable general-use report is called a SOC 3 report; "SOC 2 Type III" is the module's name for it)
Compare and contrast the 4 different ISO Standards discussed in Module 2.
ISO 27001 - is a standard that provides requirements for an information security management system (ISMS)
ISO 27002 - is a code of practice for information security management within an organization and contains 114 control recommendations (in the 2013 edition; the 2022 revision reorganized them into 93 controls)
ISO 27701 - is an extension to ISO 27001 and is a framework for managing privacy controls to reduce the risk of a breach of individuals' privacy
ISO 31000 - provides principles and guidelines for managing and controlling risk
What are the 2 most widely used NIST frameworks?
1) NIST Risk Management Framework (RMF) - considered a guidance document designed to help organizations assess and manage risks to their information and systems; viewed as a road map that organizations can use to seamlessly integrate their cybersecurity, privacy and supply-chain risk management processes
2) NIST Cybersecurity Framework (CSF) - is used as a measuring stick companies can use to compare their cybersecurity practices to the threats they face
What is NIST?
NIST (the National Institute of Standards and Technology) is a U.S. government agency operating under the U.S. Department of Commerce; its Cybersecurity Framework (CSF) includes guidelines for how to prevent and recover from an attack, and provides guidelines for private companies on identifying, detecting and responding to cybersecurity attacks
the framework is divided into 3 basic parts: 1) framework core 2) implementation tiers 3) profiles
What is the Center for Internet Security (CIS) framework?
the Center for Internet Security (CIS) is a nonprofit community-driven organization; it has created 2 frameworks - the CIS Controls are controls for securing an organization and consist of roughly 20 basic and advanced cybersecurity recommendations (20 in version 7, consolidated to 18 in version 8); the CIS Benchmarks are consensus configuration (hardening) baselines for operating systems and application software, 48 of them at the time the module was written
What is the Payment Card Industry Data Security Standard (PCI DSS)?
the Payment Card Industry Data Security Standard (PCI DSS) is a cybersecurity standard that was introduced to provide a minimum degree of security for handling customer card information; Requirement 11 of PCI DSS 3.2.1 (the current version when the module was written; it has since been superseded by PCI DSS 4.0, which keeps the same requirement) states that organizations must regularly test security systems and processes using both vulnerability scans and penetration tests
What is GDPR?
GDPR (General Data Protection Regulation) is a European Union data privacy regulation with international reach, since it applies to any organization processing the personal data of people in the EU; its aims are to give individuals control over their personal data, to address the transfer of personal data to areas outside of the European Union (EU) and European Economic Area (EEA), and to simplify the regulatory environment for international business by creating a single regulation across all EU members
What are the teams and their respective roles when conducting a “War Game”?
red team - role is the attackers; their role is to scan for vulnerabilities and then exploit them
blue team - role is the defenders; their goal is to monitor for red team attacks and shore up defense as necessary
white team - role is the referees; their goal is to enforce the rules of the penetration test
purple team - role is the bridge; their goal is to provide real-time feedback between red and blue teams in order to enhance the penetration test
What is passive reconnaissance?
passive reconnaissance is when a tester uses tools that do not raise any alarms; this includes searching online for publicly accessible information called open source intelligence (OSINT) that can reveal valuable insight about the system
basically calls for testers to quietly “make do” with whatever information they can accumulate from public sources
What is active reconnaissance and give some examples.
active reconnaissance involves directly probing for vulnerabilities and useful information, much like a threat actor would
war driving and war flying are two examples of active reconnaissance; tools used in war driving: 1) mobile computing device 2) wireless NIC adapter 3) antenna(s) 4) software 5) GPS receiver
active reconnaissance relies on traffic being sent to the targeted system
What is privilege escalation, lateral movement and pivoting in regards to penetration test?
privilege escalation is an attempt by threat actors to “escalate” to more advanced resources that are normally protected from an application or user
after threat actors gain advanced privileges they use lateral movement to tunnel through the network looking for additional systems to compromise
once a threat actor gains entry to the network, they will pivot, or turn, to other systems to be compromised; pivoting uses the first compromised host as a foothold to reach systems that are not directly reachable from the outside
What is a key attribute required for penetration testers?
persistence, which is defined as determination, resolve and perseverance; pen testers should be prepared for spending long hours and even days searching for vulnerabilities that they may or may not discover
What happens after exploitation and before reporting when defining the rules of engagement in a penetration test?
following exploitation of the systems outlined in the scope, the pen tester must ensure that everything related to the pen test has been removed; this is the cleanup phase of a pen test and should be clearly outlined in the rules of engagement; cleanup involves removing all software agents, scripts, executable binaries, temporary files and backdoors from all affected systems
in short systems should be returned to their pre-engagement state
In reference to penetration testing what are the rules of engagement?
rules of engagement in a penetration test are its limitations or parameters; without these parameters a penetration test can easily veer off course and not accomplish the desired results, take too long to produce results or test assets that are not necessary to test;
the categories for the rules of engagement are:
1) timing
2) scope
3) authorization
4) exploitation
5) communication
6) cleanup
7) reporting
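The timing, scope, authorization and exploitation rules above are the ones a tester's own tooling can enforce mechanically before any packet is sent. The following is an added example (not code from the module) of such a gate: every network, host and time in it is a constructed value from a hypothetical engagement, and the RULES dictionary stands in for a signed rules-of-engagement document.

```python
"""Rules-of-engagement gate for a pen-test tool: refuse to act on a target
unless it is inside the agreed scope, the clock is inside the agreed testing
window, and the requested action (scan vs. exploit) was authorized.
Added example; every network, host and time below is a constructed value
from a hypothetical engagement, not a real one."""
import ipaddress
from datetime import datetime

# Constructed rules of engagement (hypothetical). Networks are RFC 5737 documentation ranges.
RULES = {
    "in_scope_networks": ["203.0.113.0/24", "198.51.100.0/28"],
    "excluded_hosts": ["203.0.113.5"],          # e.g. a production database the client carved out
    "in_scope_hosts": ["www.example.test"],     # named hosts must be listed explicitly
    "window_start": "2024-03-04T22:00:00+00:00",
    "window_end": "2024-03-08T06:00:00+00:00",
    "exploitation_allowed": False,              # detect and report only; no exploitation of findings
}

def _ts(iso):
    """Parse an ISO-8601 timestamp; reject naive times so UTC vs. local is never ambiguous."""
    t = datetime.fromisoformat(iso)
    if t.tzinfo is None:
        raise ValueError("timestamp must include a UTC offset")
    return t

def in_window(now_iso, rules=RULES):
    """Timing rule: only act between the agreed start and stop times."""
    return _ts(rules["window_start"]) <= _ts(now_iso) <= _ts(rules["window_end"])

def target_in_scope(target, rules=RULES):
    """Scope rule: an IP must fall inside an agreed CIDR and not be excluded;
    a hostname must be listed explicitly (no guessing at related domains)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in {h.lower() for h in rules["in_scope_hosts"]}
    if any(ip == ipaddress.ip_address(x) for x in rules["excluded_hosts"]):
        return False
    return any(ip in ipaddress.ip_network(n) for n in rules["in_scope_networks"])

def authorize(target, action, now_iso, rules=RULES):
    """Return (allowed, reason) for action 'scan' or 'exploit' against target."""
    if not in_window(now_iso, rules):
        return False, "outside the agreed testing window"
    if not target_in_scope(target, rules):
        return False, f"{target} is not in scope"
    if action == "exploit" and not rules["exploitation_allowed"]:
        return False, "exploitation is not authorized by the rules of engagement"
    return True, "ok"

if __name__ == "__main__":
    for tgt, act in [("203.0.113.10", "scan"), ("203.0.113.5", "scan"), ("203.0.113.10", "exploit")]:
        print(tgt, act, authorize(tgt, act, "2024-03-05T01:00:00+00:00"))
```

The excluded-host check runs before the CIDR check so that a carve-out always wins over a broad network grant, and naive timestamps are rejected because a test window agreed in the client's local time and a tester's clock in UTC is a common way to start testing before authorization actually begins.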
What is a bug bounty?
a bug bounty is a monetary reward given for uncovering a software vulnerability; companies are taking advantage of crowdsourcing, and this is becoming common in penetration testing; rather than contracting with a 3rd party as a single external tester, crowdsourcing offers faster testing (resulting in quicker remediation of vulnerabilities), the ability to rotate teams, and the option of conducting multiple pen tests simultaneously
Compare and contrast the 3 different penetration testing levels.
black box - testers have no knowledge of the network; emulates exactly what a threat actor would do and see; main goal is to penetrate the network
gray box - testers are given limited knowledge of the network and some elevated privileges; this lets them assess security more efficiently instead of spending time trying to penetrate the network and deciding which systems to attack; focuses on the systems with the greatest risk and value to the organization
white box - testers are given full knowledge of network and source code of apps; focuses directly on systems to test; identifies potential points of weakness
What is Security Orchestration, Automation, and Response (SOAR)?
a product similar to a SIEM product in that it is designed to help security teams manage and respond to security warnings and alarms, however, SOARs take it a step further by combining more comprehensive data gathering and analytics to automate incident response
What is sentiment analysis?
performed by SIEMs, is the process of computationally identifying and categorizing opinions, usually expressed in response to textual data, to determine a writer’s attitude toward a particular topic; is the interpretation and classification of emotions within text data using text analysis techniques
What is user behavior analysis?
a feature of SIEM that looks at the normal behavior of users and how they interact with systems to create a picture of typical, “everyday” activity
What are some typical features of a SIEM product?
aggregation - SIEM combines data from multiple data sources
correlation - searches data acquired through aggregation to look for common characteristics
alerts - can inform security personnel of critical issues; can be automated
time synchronization - because alerts can occur over a wide spectrum of time, time synchronization can show the order of events
event deduplication - can filter multiple identical alerts into a single alert
logs - records of events that can be retained for future analysis
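To make the aggregation, time synchronization, deduplication and correlation features concrete, here is an added example (not code from the module or from any SIEM vendor) of a toy pipeline over constructed log lines from two sources. The firewall is assumed to log local time (UTC-5) without an offset, while the SSH host logs UTC, which is exactly the situation time synchronization exists to fix.

```python
"""Mini SIEM pipeline over constructed log lines showing four of the features
listed above: aggregation (two sources into one timeline), time synchronization
(a firewall logging local time without an offset is normalized to UTC),
event deduplication (a repeated identical line collapses to one) and
correlation (failed logins followed by a success from the same source IP).
Added example with constructed sample data; it is not a real SIEM product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (RFC 5737 documentation addresses). The firewall
# writes local time (UTC-5) with no offset in the line; the SSH host writes UTC.
FIREWALL_LOG = """\
2024-03-05 04:00:58 allow src=203.0.113.77 dst=10.0.0.5 dport=22
2024-03-05 04:01:00 allow src=203.0.113.77 dst=10.0.0.5 dport=22
2024-03-05 04:02:31 deny src=198.51.100.9 dst=10.0.0.5 dport=3389
"""
AUTH_LOG = """\
2024-03-05T09:01:01Z sshd: Failed password for root from 203.0.113.77 port 51000
2024-03-05T09:01:03Z sshd: Failed password for root from 203.0.113.77 port 51001
2024-03-05T09:01:05Z sshd: Failed password for admin from 203.0.113.77 port 51002
2024-03-05T09:01:05Z sshd: Failed password for admin from 203.0.113.77 port 51002
2024-03-05T09:03:40Z sshd: Accepted password for admin from 203.0.113.77 port 51010
2024-03-05T09:10:00Z sshd: Failed password for bob from 192.0.2.8 port 40000
"""
FW_RE = re.compile(r"^(\S+ \S+) (allow|deny) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port (\d+)$")

def parse_firewall(text, source_tz=timezone(timedelta(hours=-5))):
    """Normalize the firewall's naive local timestamps to UTC (time synchronization)."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=source_tz)
        events.append({"ts": local.astimezone(timezone.utc), "source": "firewall",
                       "action": m.group(2), "src": m.group(3), "dst": m.group(4)})
    return events

def parse_auth(text):
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "sshd", "src": m.group(4), "user": m.group(3),
                       "action": "auth_fail" if m.group(2) == "Failed" else "auth_ok"})
    return events

def aggregate(*event_lists):
    """Aggregation: one UTC-ordered timeline from every source."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])

def deduplicate(timeline):
    """Event deduplication: identical events (same time, source and fields) collapse to one."""
    seen, out = set(), []
    for e in timeline:
        key = (e["ts"], e["source"], e["action"], e["src"], e.get("user"), e.get("dst"))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out

def correlate(timeline, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failed logins from one source IP followed by
    a successful login from the same IP within `window`."""
    alerts, failures = [], defaultdict(list)
    for e in timeline:
        if e["source"] != "sshd":
            continue
        if e["action"] == "auth_fail":
            failures[e["src"]].append(e["ts"])
        elif e["action"] == "auth_ok":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src": e["src"],
                               "user": e["user"], "ts": e["ts"], "failures": len(recent)})
    return alerts

def run_pipeline(fw_text=FIREWALL_LOG, auth_text=AUTH_LOG):
    timeline = deduplicate(aggregate(parse_firewall(fw_text), parse_auth(auth_text)))
    return timeline, correlate(timeline)

if __name__ == "__main__":
    timeline, alerts = run_pipeline()
    for e in timeline:
        print(e["ts"].isoformat(), e["source"], e["action"], e["src"])
    print(alerts)
```

Without the timezone normalization the firewall's "04:00:58" would sort five hours before the SSH failures and the analyst would see the connection and the logins as unrelated; without deduplication the repeated 09:01:05 line would inflate the failure count to four, which is harmless here but is how duplicated feeds trip thresholds on noisy rules.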
What is Security Information and Event Management (SIEM)?
a SIEM product consolidates real-time security monitoring and management of security information with analysis and reporting of security events
a SIEM product can be a separate device, software that runs on a computer or even a service provided by a 3rd party
the starting point of SIEM is data; the standard data feeds into a SIEM are packet captures of network activity and log collection
What is a configuration review?
an examination of the software settings for a vulnerability scan
this includes defining what devices to scan; ensuring the scan meets its desired goals; determine sensitivity level of the scan ie. depth of the scan and specifying data types to be scanned
a configuration review can also reduce the vulnerability scan’s impact on overall network performance
What is used to determine whether a vulnerability is critical and should be addressed/resolved?
vulnerabilities need to be prioritized so that the most important ones are addressed first while others are delayed or not even addressed; a numeric score is generated and assigned to a vulnerability based on the Common Vulnerability Scoring System (CVSS); this system uses a formula that considers variables such as the attack (access) vector, attack complexity, authentication or privileges required, and the impact on the confidentiality, integrity and availability of the system and its data; attention should first be given to vulnerabilities deemed to be critical (those that can cause the greatest harm to the organization)
How does vulnerability scanning software work?
it works by comparing the software it scans against a set of known vulnerabilities; this requires access to an updated database of vulnerabilities along with a means of actively comparing what is installed and matching it to known vulnerabilities; the most widely used vulnerability database is the MITRE Common Vulnerabilities and Exposures (CVE) list - a CVE entry identifies a vulnerability in a specific operating system or application software version
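The comparison step is simple to show. What follows is an added example (not code from the module or from any scanner product): a constructed host inventory, as a credentialed scan might collect it, is matched against a constructed CVE-style feed of affected version ranges. The record IDs are placeholders (EX-0001 and so on), not real CVE identifiers, and the version ranges are invented for the illustration.

```python
"""How a vulnerability scanner's comparison step works: fingerprint a host
(here a constructed inventory of software versions) and match it against a
constructed, CVE-style feed of affected version ranges. Added example; the
record IDs and ranges below are placeholders, not real advisories."""
import re

def parse_version(v):
    """'1.2.10' -> (1, 2, 10). Compare numerically, not as strings, so that
    1.2.10 > 1.2.9; string comparison is a classic scanner false-positive source."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

# Constructed feed (placeholder IDs). Each record: product, affected range
# [introduced, fixed), and the score the feed supplies for prioritization.
FEED = [
    {"id": "EX-0001", "product": "openssh", "introduced": "8.5", "fixed": "9.3p2", "cvss": 8.1},
    {"id": "EX-0002", "product": "nginx", "introduced": "1.0", "fixed": "1.25.1", "cvss": 7.5},
    {"id": "EX-0003", "product": "nginx", "introduced": "1.24", "fixed": "1.24.1", "cvss": 5.3},
    {"id": "EX-0004", "product": "openssl", "introduced": "3.0", "fixed": "3.0.8", "cvss": 7.4},
]

# Constructed host inventory as a credentialed scan might collect it.
INVENTORY = {"openssh": "9.2p1", "nginx": "1.24.1", "openssl": "3.0.12", "bash": "5.2.15"}

def is_affected(installed, introduced, fixed):
    """True when introduced <= installed < fixed (the fixed version itself is clean)."""
    v = parse_version(installed)
    return parse_version(introduced) <= v < parse_version(fixed)

def scan(inventory=INVENTORY, feed=FEED):
    """Match every feed record against the inventory; return findings, worst first."""
    findings = []
    for entry in feed:
        installed = inventory.get(entry["product"])
        if installed is None:
            continue                      # product not present on this host
        if is_affected(installed, entry["introduced"], entry["fixed"]):
            findings.append({"id": entry["id"], "product": entry["product"],
                             "installed": installed, "fixed_in": entry["fixed"],
                             "cvss": entry["cvss"]})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

if __name__ == "__main__":
    for f in scan():
        print(f"{f['cvss']:4.1f} {f['id']} {f['product']} {f['installed']} (fixed in {f['fixed_in']})")
```

Note what the version comparison does with openssl 3.0.12: as strings "3.0.12" sorts before "3.0.8" and a naive scanner would flag it; numerically it is past the fix. Real feeds add another wrinkle the example does not model: distributions backport fixes without bumping the upstream version, so a version-only match against the upstream range is a frequent false positive that a configuration review or credentialed check has to resolve.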
What needs to be considered when deciding to perform a vulnerability scan?
there are 2 primary reasons for not conducting around the clock vulnerability scans
1) workflow interruptions - the scan consumes resources and can degrade the response times of the systems being scanned
2) technical constraints - if a network has a lot of devices it may not be possible to scan the entire network; also limits on bandwidth and software license can limit the scan
*another consideration is what to scan; most organizations will scan the network, applications and web applications on a rotating basis or when a new application is developed or when a new device is added to the network
Compare and contrast intrusive scan and non-intrusive scan.
an intrusive vulnerability scan attempts to exploit any vulnerabilities that it finds, much like a threat actor would
a non-intrusive vulnerability scan does not attempt to exploit the vulnerability but only records that it was discovered
What is the difference between a credentialed vulnerability scan and a non-credentialed vulnerability scan?
in a credentialed vulnerability scan valid authentication credentials such as usernames and passwords are supplied to the vulnerability scanner to mimic the work of a threat actor who possesses these credentials
in a non-credentialed vulnerability scan no valid authentication credentials are provided; it runs faster than a credentialed scan because it can only perform basic, unauthenticated checks from the outside, whereas a credentialed scan can provide deeper insight into the system by logging in and examining a fuller range of installed software and configuration
What considerations need to be examined to determine the accuracy of a vulnerability scan?
false positives and false negatives
vulnerability scans can produce false positives because the scan options may not have been well defined or were missed in a configuration review, or because the scanner does not recognize a control that is already in place to address an existing vulnerability; a false negative is a real vulnerability the scan missed
log reviews - an analysis of log data can be used to identify false positives
What are some crowdsourced attack data used by threat hunters in threat hunting investigations?
advisories & bulletins - published notices about new vulnerabilities and attacks, compiled from crowdsourced reports
threat feeds - cybersecurity data feeds that provide information on the latest threats
fusion center - is a formal repository of information from enterprises and the government used to share information on the latest attacks; by learning from others who have been successfully attacked, threat hunters can use this attack data for insight into the attackers tactics, techniques and procedures
What is a technique used by threat hunters to identify unusual behavior?
maneuvering
is the process of a threat hunter performing unusual behavior in order to identify a possible threat
ex) passwords on an Admins account are changed every two hours (not normal activity) to determine if a hidden threat actor is making internal password cracking attempts
What is threat hunting?
threat hunting is proactively searching for cyber threats that thus far have gone undetected in the network
threat hunting begins with a critical major premise - threat actors have already infiltrated the network
it proceeds to find unusual behavior that may indicate malicious activity
What are some information sources that provide in-depth information for cybersecurity professionals?
RFCs - white paper documents
vulnerability feeds - databases that provide information on the latest vulnerabilities
threat feeds - databases that provide the latest outline of current threats & attacks
adversary tactics, techniques & procedures - (TTP) is a database of the behavior of threat actors and how they orchestrate and manage attacks
generic sources including: vendor websites, conferences, academic journals, local industry groups and social media