Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

MODULE 26 - Evaluating Alerts CERTIFICATION REVISION PREPARATION > MODULE 26 - CERTIFICATION REVISION PREPARATION > Flashcards

MODULE 26 - CERTIFICATION REVISION PREPARATION Flashcards

1
Q

Security Onion Security Onion is an open-source suite of Network Security Monitoring (NSM) tools that run on an Ubuntu Linux distribution.

A

Security Onion Security Onion is an open-source suite of Network Security Monitoring (NSM) tools that run on an Ubuntu Linux distribution.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Security Onion Security Onion tools provide three core functions for the cybersecurity analyst:

full packet capture and data types,

network-based and

host-based intrusion detection systems, and

alert analyst tools.

A

Security Onion Security Onion tools provide three core functions for the cybersecurity analyst:

full packet capture and data types,

network-based and

host-based intrusion detection systems, and

alert analyst tools.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Security Onion Security Onion can be installed as a standalone installation or as a sensor and server platform.

Some components of Security Onion are owned and maintained by corporations, such as Cisco and Riverbend Technologies, but are made available as open source.

A

Security Onion Security Onion can be installed as a standalone installation or as a sensor and server platform.

Some components of Security Onion are owned and maintained by corporations, such as Cisco and Riverbend Technologies, but are made available as open source.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Detection Tools for Collecting Alert Data Security Onion contains many components.

It is an integrated environment which is designed to simplify the deployment of a comprehensive NSM solution.

The figure illustrates a simplified view of the way in which some of the components of the Security Onion work together.

A

It is an integrated environment which is designed to simplify the deployment of a comprehensive NSM solution.

The figure illustrates a simplified view of the way in which some of the components of the Security Onion work together.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Detection Tools for Collecting Alert Data A Security Onion Architecture

https://snipboard.io/41wWVi.jpg

A

https://snipboard.io/41wWVi.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A Security Onion Architecture:

–capME

–SNORT

– ZEEK

– OSSEC

– WAZUH

– SURICATA

A

–capME

–SNORT

– ZEEK

– OSSEC

– WAZUH

– SURICATA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A Security Onion Architecture:

–capME

–SNORT

– ZEEK

– OSSEC

– WAZUH

– SURICATA

A

– capME

This is a web application that allows viewing of pcap transcripts rendered with the tcpflow or Zeek tools.

CapME can be accessed from the Enterprise Log Search and Archive (ELSA) tool.

CapME provides the cybersecurity analyst with an easy-to-read means of viewing an entire Layer 4 session.

CapME acts as a plugin to ELSA and provides access to relevant pcap files that can be opened in Wireshark.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A Security Onion Architecture:

–capME

–SNORT

– ZEEK

– OSSEC

– WAZUH

– SURICATA

A

– SNORT

This is a Network Intrusion Detection System (NIDS).

It is an important source of alert data that is indexed in the Sguil analysis tool.

Snort uses rules and signatures to generate alerts.

Snort can automatically download new rules using the PulledPork component of Security Onion.

Snort and PulledPork are open source tools that are sponsored by Cisco.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

A Security Onion Architecture:

–capME

–SNORT

– ZEEK

– OSSEC

– WAZUH

– SURICATA

A

– ZEEK

Formerly known as Bro.

This is a NIDS that uses more of a behavior-based approach to intrusion detection.

Rather than using signatures or rules, Zeek uses policies, in the form of scripts that determine what data to log and when to issue alert notifications.

Zeek can also submit file attachments for malware analysis, block access to malicious locations, and shut down a computer that appears to be violating security policies.

Note: Some interfaces within Security Onion have yet to be updated with the Bro to Zeek name change.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A Security Onion Architecture:

–capME

–SNORT

– ZEEK

– OSSEC

– WAZUH

– SURICATA

A

– OSSEC

This is a host-based intrusion detection system (HIDS) that is integrated into Security Onion.

It actively monitors host system operations, including conducting file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.

OSSEC alerts and log data are available to Sguil and Kibana.

OSSEC requires an agent to be running on the Windows computers in the enterprise.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A Security Onion Architecture:

–capME

–SNORT

– ZEEK

– OSSEC

– WAZUH

– SURICATA

A

– WAZUH

Wazuh is a HIDS that will replace OSSEC in Security Onion.

It is a full-featured solution that provides a broad spectrum of endpoint protection mechanisms including host logfile analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response.

Like OSSEC, it requires agents to be running on network hosts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A Security Onion Architecture:

–capME

–SNORT

– ZEEK

– OSSEC

– WAZUH

– SURICATA

A

– SURICATA

This is a NIDS that uses a signature-based approach.

It can also be used for inline intrusion prevention.

It is similar to Zeek; however, Suricata uses native multithreading, which allows the distribution of packet stream processing across multiple processor cores.

It also includes some additional features such as reputation-based blocking and support for Graphics Processing Unit (GPU) multithreading for performance improvement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Analysis Tools Security Onion integrates these various types of data and Intrusion Detection System (IDS) logs into a single platform through the following tools:

– Sguil

– Kibana

– Wireshark

– Zeek

A

Analysis Tools Security Onion integrates these various types of data and Intrusion Detection System (IDS) logs into a single platform through the following tools:

– Sguil

– Kibana

– Wireshark

– Zeek

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Analysis Tools:

Analysis Tools Security Onion integrates these various types of data and Intrusion Detection System (IDS) logs into a single platform through the following tools:

– Sguil

– Kibana

– Wireshark

– Zeek

A

– Sguil

This provides a high-level console for investigating security alerts from a wide variety of sources.

Sguil serves as a starting point in the investigation of security alerts.

A wide variety of data sources are available to the cybersecurity analyst by pivoting directly from Sguil to other tools.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Analysis Tools :

Analysis Tools Security Onion integrates these various types of data and Intrusion Detection System (IDS) logs into a single platform through the following tools:

– Sguil

– Kibana

– Wireshark

– Zeek

A

– Kibana

Kibana is an interactive dashboard interface to Elasticsearch data.

It allows querying of NSM data and provides flexible visualizations of that data.

It provides data exploration and machine learning data analysis features.

It is possible to pivot from Sguil directly into Kibana to see contextualized displays based on the source and destination IP addresses that are associated with an alert.

Search the internet and visit the elastic.co website to learn more about the many features of Kibana.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Analysis Tools :

Analysis Tools :

Analysis Tools Security Onion integrates these various types of data and Intrusion Detection System (IDS) logs into a single platform through the following tools:

– Sguil

– Kibana

– Wireshark

– Zeek

A

– Wireshark

This is a packet capture application that is integrated into the Security Onion suite.

It can be opened directly from other tools and will display full packet captures relevant to an analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Analysis Tools :

Analysis Tools :

Analysis Tools :

Analysis Tools Security Onion integrates these various types of data and Intrusion Detection System (IDS) logs into a single platform through the following tools:

– Sguil

– Kibana

– Wireshark

– Zeek

A

– Zeek

This is a network traffic analyzer that serves as a security monitor.

Zeek inspects all traffic on a network segment and enables in-depth analysis of that data.

Pivoting from Sguil into Zeek provides access to very accurate transaction logs, file content, and customized output.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Alert Generation Security alerts are notification messages that are generated by NSM tools, systems, and security devices.

Alerts can come in many forms depending on the source.

For example, syslog provides support for severity ratings which can be used to alert cybersecurity analysts regarding events that require attention.

A

Alert Generation Security alerts are notification messages that are generated by NSM tools, systems, and security devices.

Alerts can come in many forms depending on the source.

For example, syslog provides support for severity ratings which can be used to alert cybersecurity analysts regarding events that require attention.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Alert Generation In Security Onion

Sguil provides a console that integrates alerts from multiple sources into a timestamped queue.

A cybersecurity analyst can work through the security queue investigating, classifying, escalating, or retiring alerts.

A

Sguil provides a console that integrates alerts from multiple sources into a timestamped queue.

A cybersecurity analyst can work through the security queue investigating, classifying, escalating, or retiring alerts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Alert Generation Instead of using a dedicated workflow management system such as Request Tracker for Incident Response (RTIR), a cybersecurity analyst would use the output of an application like Sguil to orchestrate an NSM investigation.

A

Alert Generation Instead of using a dedicated workflow management system such as Request Tracker for Incident Response (RTIR), a cybersecurity analyst would use the output of an application like Sguil to orchestrate an NSM investigation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Alert Generation Alerts will generally include five-tuples information when available, as well as timestamps and information identifying which device or system generated the alert.

Recall that the five-tuples includes the following information for tracking a conversation between a source and destination application:

A

Alert Generation Alerts will generally include five-tuples information when available, as well as timestamps and information identifying which device or system generated the alert.

Recall that the five-tuples includes the following information for tracking a conversation between a source and destination application:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Alert Generation Recall that the five-tuples includes the following information for tracking a conversation between a source and destination application:

SrcIP - the source IP address for the event.

SPort - the source (local) Layer 4 port for the event.

DstIP - the destination IP for the event.

DPort - the destination Layer 4 port for the event.

Pr - the IP protocol number for the event.

A

Alert Generation Recall that the five-tuples includes the following information for tracking a conversation between a source and destination application:

SrcIP - the source IP address for the event.

SPort - the source (local) Layer 4 port for the event.

DstIP - the destination IP for the event.

DPort - the destination Layer 4 port for the event.

Pr - the IP protocol number for the event.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Alert Generation

Additional information could be whether a permit or deny decision was applied to the traffic, some captured data from the packet payload, or a hash value for a downloaded file, or any of a variety of data.

A

Alert Generation

Additional information could be whether a permit or deny decision was applied to the traffic, some captured data from the packet payload, or a hash value for a downloaded file, or any of a variety of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Alert Generation

The figure shows the Sguil application window with the queue of alerts that are waiting to be investigated in the top portion of the interface.

Sguil Window

https://snipboard.io/rVPHYb.jpg

A

Alert Generation

The figure shows the Sguil application window with the queue of alerts that are waiting to be investigated in the top portion of the interface.

Sguil Window

https://snipboard.io/rVPHYb.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Alert Generation:

The fields available for the real-time events are as follows:

– ST

– CNT

– Sensor

– Alert ID

– Date/Time

– Event Message

A

Alert Generation:

The fields available for the real-time events are as follows:

– ST

– CNT

– Sensor

– Alert ID

– Date/Time

– Event Message

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Alert Generation:

The fields available for the real-time events : ST

Alert Generation:

The fields available for the real-time events are as follows:

– ST

– CNT

– Sensor

– Alert ID

– Date/Time

– Event Message

A

–ST

This is the status of the event. RT means real time.

The event is color-coded by priority.

The priorities are based on the category of the alert.

There are four priority levels: very low, low, medium, and high.

The colors range from light yellow to red as the priority increases.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Alert Generation:

The fields available for the real-time events :

The fields available for the real-time events are as follows:

– ST

– CNT

– Sensor

– Alert ID

– Date/Time

– Event Message

A
  • CNT

This is the count for the number of times this event has been detected for the same source and destination IP address.

The system has determined that this set of events is correlated.

Rather than reporting each in a potentially long series of correlated events in this window, the event is listed once with the number of times it has been detected in this column.

High numbers here can represent a security problem or the need for tuning of the event signatures to limit the number of potentially spurious events that are being reported.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Alert Generation: The fields available for the real-time events :

The fields available for the real-time events are as follows:

– ST

– CNT

– Sensor

– Alert ID

– Date/Time

– Event Message

A

– Sensor

This is the agent reporting the event. The available sensors and their identifying numbers can be found in the Agent Status tab of the pane which appears below the events window on the left.

These numbers are also used in the Alert ID column.

From the Agent Status pane, we can see that OSSEC, pcap, and Snort sensors are reporting to Sguil.

In addition, we can see the default hostnames for these sensors, which includes the monitoring interface.

Note that each monitoring interface has both pcap and Snort data associated with it.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Alert Generation: The fields available for the real-time events : Alert ID

The fields available for the real-time events are as follows:

– ST

– CNT

– Sensor

– Alert ID

– Date/Time

– Event Message

A

– Alert ID

This two-part number represents the sensor that has reported the problem and the event number for that sensor.

We can see from the figure that the largest number of events that are displayed are from the OSSEC sensor (1).

The OSSEC sensor has reported eight sets of correlated events.

Of these events, 232 have been reported with event ID 1.24.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Alert Generation: The fields available for the real-time events : Date/Time

The fields available for the real-time events are as follows:

– ST

– CNT

– Sensor

– Alert ID

– Date/Time

– Event Message

A

– Date/Time

This is the timestamp for the event.

In the case of correlated events, it is the timestamp for the first event.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Alert Generation: The fields available for the real-time events : Event Message

The fields available for the real-time events are as follows:

– ST

– CNT

– Sensor

– Alert ID

– Date/Time

– Event Message

A

– Event Message

This is the identifying text for the event.

This is configured in the rule that triggered the alert.

The associated rule can be viewed in the right-hand pane, just above the packet data.

To display the rule, the Show Rule checkbox must be selected.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Alert Generation:

Depending on the security technology, alerts can be generated based on rules, signatures, anomalies, or behaviors.

No matter how they are generated, the conditions that trigger an alert must be predefined in some manner.

A

Alert Generation:

Depending on the security technology, alerts can be generated based on rules, signatures, anomalies, or behaviors.

No matter how they are generated, the conditions that trigger an alert must be predefined in some manner.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Rules and Alerts Alerts can come from a number of sources:

NIDS

HIDS

Asset management and monitoring

HTTP, DNS, and TCP transactions

Syslog messages

A

Rules and Alerts Alerts can come from a number of sources:

NIDS

HIDS

Asset management and monitoring

HTTP, DNS, and TCP transactions

Syslog messages

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Rules and Alerts Alerts can come from a number of sources: NIDS

Rules and Alerts Alerts can come from a number of sources:

NIDS

HIDS

Asset management and monitoring

HTTP, DNS, and TCP transactions

Syslog messages

A

– NIDS

Snort, Zeek, and Suricata

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Rules and Alerts Alerts can come from a number of sources: HIDS

Rules and Alerts Alerts can come from a number of sources:

NIDS

HIDS

Asset management and monitoring

HTTP, DNS, and TCP transactions

Syslog messages

A

– HIDS

OSSEC, Wazuh

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

Rules and Alerts Alerts can come from a number of sources: Asset management and monitoring

Rules and Alerts Alerts can come from a number of sources:

NIDS

HIDS

Asset management and monitoring

HTTP, DNS, and TCP transactions

Syslog messages

A

– Assest Management and Monitoring

Passive Asset Detection System (PADS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Rules and Alerts Alerts can come from a number of sources:

HTTP, DNS, and TCP transactions

Rules and Alerts Alerts can come from a number of sources:

NIDS

HIDS

Asset management and monitoring

HTTP, DNS, and TCP transactions

Syslog messages

A

– HTTP, DNS, and TCP transcations

Recorded by Zeek and pcaps

38
Q

Rules and Alerts Alerts can come from a number of sources:

Syslog messages

Rules and Alerts Alerts can come from a number of sources:

NIDS

HIDS

Asset management and monitoring

HTTP, DNS, and TCP transactions

Syslog messages

A

– Syslog messages

Multiple sources

39
Q

Rules and Alerts

The information found in the alerts that are displayed in Sguil will differ in message format because they come from different sources.

A

Rules and Alerts

The information found in the alerts that are displayed in Sguil will differ in message format because they come from different sources.

40
Q

Rules and Alerts

The Sguil alert in the figure was triggered by a rule that was configured in Snort.

It is important for the cybersecurity analyst to be able to interpret what triggered the alert so that the alert can be investigated.

For this reason, the cybersecurity analyst should understand the components of Snort rules, which are a major source of alerts in Security Onion.

A

It is important for the cybersecurity analyst to be able to interpret what triggered the alert so that the alert can be investigated.

For this reason, the cybersecurity analyst should understand the components of Snort rules, which are a major source of alerts in Security Onion.

41
Q

Rules and Alerts Sguil Alert and the Associated Rule

https://snipboard.io/ZeA4ki.jpg

A

Rules and Alerts Sguil Alert and the Associated Rule

https://snipboard.io/ZeA4ki.jpg

42
Q

Snort Rule Structure Snort rules consist of two sections, as shown in the figure the rule header and the rule options.

The rule header contains the action, protocol, source and destination IP addresses and netmasks, and the source and destination port information.

The rule options section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. Rule Location is sometimes added by Sguil.

Rule Location is the path to the file that contains the rule and the line number at which the rule appears so that it can be found and modified, or eliminated, if required.

Snort Rule Structure and Sguil-supplied Information

A

Snort Rule Structure Snort rules consist of two sections, as shown in the figure the rule header and the rule options.

The rule header contains the action, protocol, source and destination IP addresses and netmasks, and the source and destination port information.

The rule options section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. Rule Location is sometimes added by Sguil.

Rule Location is the path to the file that contains the rule and the line number at which the rule appears so that it can be found and modified, or eliminated, if required.

Snort Rule Structure and Sguil-supplied Information

https://snipboard.io/cgUSNy.jpg

43
Q

Snort Rule Structure Component

rule header alert ip any any -> any any Contains the action to be taken, source and destination addresses and port, and the direction of traffic flow

A

Snort Rule Structure Component

rule header alert ip any any -> any any Contains the action to be taken, source and destination addresses and port, and the direction of traffic flow

44
Q

Snort Rule Structure Component

rule options (msg:”GPL ATTACK_RESPONSE ID CHECK RETURNED ROOT”;…) Includes the message to be displayed, details of packet content, alert type, source ID, and additional details, such as a reference for the rule or vulnerability

A

Snort Rule Structure Component

rule options (msg:”GPL ATTACK_RESPONSE ID CHECK RETURNED ROOT”;…) Includes the message to be displayed, details of packet content, alert type, source ID, and additional details, such as a reference for the rule or vulnerability

45
Q

Snort Rule Structure Component

rule location /nsm/server_data/securityonion/rules/… Added by Sguil to indicate the location of the rule in the Security Onion file structure and in the specified rule file

A

Snort Rule Structure Component

rule location /nsm/server_data/securityonion/rules/… Added by Sguil to indicate the location of the rule in the Security Onion file structure and in the specified rule file

46
Q

Snort Rule Structure The Rule Header

The rule header contains the action, protocol, addressing, and port information, as shown in the figure.

In addition, the direction of flow that triggered the alert is indicated.

The structure of the header portion is consistent between Snort alert rules.

A

Snort Rule Structure The Rule Header

The rule header contains the action, protocol, addressing, and port information, as shown in the figure.

In addition, the direction of flow that triggered the alert is indicated.

The structure of the header portion is consistent between Snort alert rules.

47
Q

Snort Rule Structure The Rule Header

Snort can be configured to use variables to represent internal and external IP addresses.

These variables, $HOME_NET and $EXTERNAL_NET, appear in the Snort rules.

A

Snort Rule Structure The Rule Header

Snort can be configured to use variables to represent internal and external IP addresses.

These variables, $HOME_NET and $EXTERNAL_NET, appear in the Snort rules.

48
Q

Snort Rule Structure The Rule Header

They simplify the creation of rules by eliminating the need to specify specific addresses and masks for every rule.

The values for these variables are configured in the snort.conf file. Snort also allows individual IP addresses, blocks of addresses, or lists of either to be specified in rules.

Ranges of ports can be specified by separating the upper and lower values of the range with a colon.

Other operators are also available.

A

Snort Rule Structure The Rule Header

They simplify the creation of rules by eliminating the need to specify specific addresses and masks for every rule.

The values for these variables are configured in the snort.conf file. Snort also allows individual IP addresses, blocks of addresses, or lists of either to be specified in rules.

Ranges of ports can be specified by separating the upper and lower values of the range with a colon.

Other operators are also available.

49
Q

Snort Rule Structure Snort Rule Header Structure

Snort Rule Header Structure

https://snipboard.io/UfKNGE.jpg

A

Snort Rule Structure Snort Rule Header Structure

Snort Rule Header Structure

https://snipboard.io/UfKNGE.jpg

50
Q

Snort Rule Structure Snort Rule Header Structure

COMPONENTS: alert ip any any -> any any

A

Snort Rule Structure Snort Rule Header Structure

COMPONENTS: alert ip any any -> any any

51
Q

Snort Rule Structure Snort Rule Header Structure : alert

the action to be taken is to issue an alert, other actions are log and pass

A

Snort Rule Structure Snort Rule Header Structure : alert

the action to be taken is to issue an alert, other actions are log and pass

52
Q

Snort Rule Structure Snort Rule Header Structure : ip

the protocol

A

Snort Rule Structure Snort Rule Header Structure : ip

the protocol

53
Q

Snort Rule Structure Snort Rule Header Structure :any any

the specified source is any IP address and any Layer 4 port

A

Snort Rule Structure Snort Rule Header Structure :any any

the specified source is any IP address and any Layer 4 port

54
Q

Snort Rule Structure Snort Rule Header Structure : ->

the direction of flow is from the source to the destination

A

Snort Rule Structure Snort Rule Header Structure : ->

the direction of flow is from the source to the destination

55
Q

Snort Rule Structure Snort Rule Header Structure : any any

the specified destination is any IP address and any Layer 4 port

A

Snort Rule Structure Snort Rule Header Structure : any any

the specified destination is any IP address and any Layer 4 port

56
Q

Snort Rule Structure The Rule Options The structure of the options section of the rule is variable.

It is the portion of the rule that is enclosed in parenthesis, as shown in the figure.

It contains the text message that identifies the alert.

It also contains metadata about the alert, such as a URL that provides reference information for the alert.

A

Snort Rule Structure The Rule Options The structure of the options section of the rule is variable.

It is the portion of the rule that is enclosed in parenthesis, as shown in the figure.

It contains the text message that identifies the alert.

It also contains metadata about the alert, such as a URL that provides reference information for the alert.

57
Q

Snort Rule Structure

The Rule Options

Other information can be included, such as the type of rule and a unique numeric identifier for the rule and the rule revision.

In addition, features of the packet payload may be specified in the options.

The Snort users manual, which can be found on the internet, provides details about rules and how to create them.

A

Snort Rule Structure

The Rule Options

Other information can be included, such as the type of rule and a unique numeric identifier for the rule and the rule revision.

In addition, features of the packet payload may be specified in the options.

The Snort users manual, which can be found on the internet, provides details about rules and how to create them.

58
Q

Snort Rule Structure

The Rule Options

Snort rule messages may include the source of the rule.

Three common sources for Snort rules are:

– GPL

– ET

– VRT

A

Snort Rule Structure

The Rule Options

Snort rule messages may include the source of the rule.

Three common sources for Snort rules are:

– GPL

– ET

– VRT

59
Q

Snort rule messages may include the source of the rule. Three common sources for Snort rules are: GPL

Snort Rule Structure

The Rule Options

Snort rule messages may include the source of the rule.

Three common sources for Snort rules are:

– GPL

– ET

– VRT

A

–GPL

Older Snort rules that were created by Sourcefire and distributed under a GPLv2.

The GPL ruleset is not Cisco Talos certified.

It includes Snort SIDs 3464 and below.

The GPL ruleset is can be downloaded from the Snort website, and it is included in Security Onion.

60
Q

Three common sources for Snort rules are: ET

Snort Rule Structure

The Rule Options

Snort rule messages may include the source of the rule.

Three common sources for Snort rules are:

– GPL

– ET

– VRT

A

– ET

Snort rules from Emerging Threats.

Emerging Threats is a collection point for Snort rules from multiple sources.

ET rules are open source under a BSD license.

The ET ruleset contains rules from multiple categories. A set of ET rules is included with Security Onion.

Emerging Threats is a division of Proofpoint, Inc.

61
Q

Three common sources for Snort rules are:

VRT

Snort Rule Structure

The Rule Options

Snort rule messages may include the source of the rule.

Three common sources for Snort rules are:

– GPL

– ET

– VRT

A

– VRT

These rules are immediately available to subscribers and are released to registered users 30 days after they were created, with some limitations.

They are now created and maintained by Cisco Talos.

62
Q

The Rule Options

Rules can be downloaded automatically from Snort.org using the PulledPork rule management utility that is included with Security Onion.

Alerts that are not generated by Snort rules are identified by the OSSEC or PADS tags, among others.

In addition, custom local rules can be created.

Snort Rules Options Structure

https://snipboard.io/u790CK.jpg

A

The Rule Options

Rules can be downloaded automatically from Snort.org using the PulledPork rule management utility that is included with Security Onion.

Alerts that are not generated by Snort rules are identified by the OSSEC or PADS tags, among others.

In addition, custom local rules can be created.

Snort Rules Options Structure

https://snipboard.io/u790CK.jpg

63
Q

Snort Rule Structure Component :

msg:

Text that describes the alert.

A

Snort Rule Structure Component :

msg:

Text that describes the alert.

64
Q

Snort Rule Structure Component : content:

Refers to content of the packet.

In this case, an alert will be sent if the literal text “uid=0(root)” appears anywhere in the packet data.

Values specifying the location of the text in the data payload can be provided.

A

Snort Rule Structure Component : content:

Refers to content of the packet.

In this case, an alert will be sent if the literal text “uid=0(root)” appears anywhere in the packet data.

Values specifying the location of the text in the data payload can be provided.

65
Q

Snort Rule Structure Component : reference:

This is not shown in the figure.

It is often a link to a URL that provides more information on the rule.

In this case, the sid is hyperlinked to the source of the rule on the internet.

A

Snort Rule Structure Component : reference:

This is not shown in the figure.

It is often a link to a URL that provides more information on the rule.

In this case, the sid is hyperlinked to the source of the rule on the internet.

66
Q

Snort Rule Structure Component : classtype:

A category for the attack.

Snort includes a set of default categories that have one of four priority values.

A

Snort Rule Structure Component : classtype:

A category for the attack.

Snort includes a set of default categories that have one of four priority values.

67
Q

Snort Rule Structure Component : sid:

A unique numeric identifier for the rule.

A

Snort Rule Structure Component : sid:

A unique numeric identifier for the rule.

68
Q

Snort Rule Structure Component : rev:

The revision of the rule that is represented by the sid.

A

Snort Rule Structure Component : rev:

The revision of the rule that is represented by the sid.

69
Q

The Need for Alert Evaluation

The threat landscape is constantly changing as new vulnerabilities are discovered and new threats evolve.

A

As user and organizational needs change, so also does the attack surface.

Threat actors have learned how to quickly vary features of their exploits in order to evade detection.

70
Q

The Need for Alert Evaluation

It is impossible to design measures to prevent all exploits.

A

Exploits will inevitably evade protection measures, no matter how sophisticated they may be.

Sometimes, the best that can be done is to detect exploits during or after they have occurred.

71
Q

The Need for Alert Evaluation

Detection rules should be overly conservative.

A

In other words, it is better to have alerts that are sometimes generated by innocent traffic, than it is to have rules that miss malicious traffic.

For this reason, it is necessary to have skilled cybersecurity analysts investigate alerts to determine if an exploit has actually occurred.

72
Q

The Need for Alert Evaluation

Tier 1 cybersecurity analysts will typically work through queues of alerts in a tool like Sguil, pivoting to tools like Zeek, Wireshark, and Kibana to verify that an alert represents an actual exploit.

Primary Tools for the Tier 1 Cybersecurity Analyst

https://snipboard.io/5Sj4o8.jpg

A

The Need for Alert Evaluation

Tier 1 cybersecurity analysts will typically work through queues of alerts in a tool like Sguil, pivoting to tools like Zeek, Wireshark, and Kibana to verify that an alert represents an actual exploit.

Primary Tools for the Tier 1 Cybersecurity Analyst

https://snipboard.io/5Sj4o8.jpg

73
Q

Evaluating Alerts Security incidents are classified using a scheme borrowed from medical diagnostics.

A

This classification scheme is used to guide actions and to evaluate diagnostic procedures.

For example, when a patient visits a doctor for a routine examination, one of the doctor’s tasks is to determine whether the patient is sick.

One of the outcomes can be a correct determination that disease is present and the patient is sick.

Another outcome can be that there is no disease and the patient is healthy.

74
Q

Evaluating Alerts

The concern is that either diagnosis can be accurate, or true, or inaccurate, or false.

For example, the doctor could miss the signs of disease and make the incorrect determination that the patient is well when they are in fact sick.

Another possible error is to rule that a patient is sick when that patient is in fact healthy.

False diagnoses are either costly or dangerous.

A

Evaluating Alerts

The concern is that either diagnosis can be accurate, or true, or inaccurate, or false.

For example, the doctor could miss the signs of disease and make the incorrect determination that the patient is well when they are in fact sick.

Another possible error is to rule that a patient is sick when that patient is in fact healthy.

False diagnoses are either costly or dangerous.

75
Q

Evaluating Alerts

In network security analysis, the cybersecurity analyst is presented with an alert.

This is similar to a patient going to the doctor and saying, “I am sick.”

The cybersecurity analyst, like the doctor, needs to determine if this diagnosis is true.

The cybersecurity analyst asks, “The system says that an exploit has occurred. Is this true?”

A

Evaluating Alerts

In network security analysis, the cybersecurity analyst is presented with an alert.

This is similar to a patient going to the doctor and saying, “I am sick.”

The cybersecurity analyst, like the doctor, needs to determine if this diagnosis is true.

The cybersecurity analyst asks, “The system says that an exploit has occurred. Is this true?”

76
Q

Evaluating Alerts Alerts can be classified as follows:

True Positive: The alert has been verified to be an actual security incident.

False Positive: The alert does not indicate an actual security incident.

Benign activity that results in a false positive is sometimes referred to as a benign trigger.

A

Evaluating Alerts Alerts can be classified as follows:

True Positive: The alert has been verified to be an actual security incident.

False Positive: The alert does not indicate an actual security incident.

Benign activity that results in a false positive is sometimes referred to as a benign trigger.

77
Q

Evaluating Alerts

An alternative situation is that an alert was not generated.

The absence of an alert can be classified as:

True Negative: No security incident has occurred.

The activity is benign.

False Negative: An undetected incident has occurred.

A

Evaluating Alerts

An alternative situation is that an alert was not generated.

The absence of an alert can be classified as:

True Negative: No security incident has occurred.

The activity is benign.

False Negative: An undetected incident has occurred.

78
Q

Evaluating Alerts

When an alert is issued, it will receive one of four possible classifications

https://snipboard.io/W4Zbcv.jpg

A

Evaluating Alerts

When an alert is issued, it will receive one of four possible classifications

https://snipboard.io/W4Zbcv.jpg

79
Q

Evaluating Alerts

True positives are the desired type of alert.

They mean that the rules that generate alerts have worked correctly.

A

Evaluating Alerts True positives are the desired type of alert.

They mean that the rules that generate alerts have worked correctly.

80
Q

Evaluating Alerts False positives are not desirable.

Although they do not indicate that an undetected exploit has occurred, they are costly because cybersecurity analysts must investigate false alarms; therefore, time is taken away from investigation of alerts that indicate true exploits.

A

Evaluating Alerts False positives are not desirable.

Although they do not indicate that an undetected exploit has occurred, they are costly because cybersecurity analysts must investigate false alarms; therefore, time is taken away from investigation of alerts that indicate true exploits.

81
Q

Evaluating Alerts

True negatives are desirable.

They indicate that benign normal traffic is correctly ignored, and erroneous alerts are not being issued.

A

Evaluating Alerts

True negatives are desirable.

They indicate that benign normal traffic is correctly ignored, and erroneous alerts are not being issued.

82
Q

Evaluating Alerts False negatives are dangerous.

They indicate that exploits are not being detected by the security systems that are in place.

These incidents could go undetected for a long time, and ongoing data loss and damage could result.

A

Evaluating Alerts False negatives are dangerous.

They indicate that exploits are not being detected by the security systems that are in place.

These incidents could go undetected for a long time, and ongoing data loss and damage could result.

83
Q

Evaluating Alerts

Benign events are those that should not trigger alerts.

Excess benign events indicate that some rules or other detectors need to be improved or eliminated.

A

Evaluating Alerts

Benign events are those that should not trigger alerts.

Excess benign events indicate that some rules or other detectors need to be improved or eliminated.

84
Q

Evaluating Alerts

When true positives are suspected, a cybersecurity analyst is sometimes required to escalate the alert to a higher level for investigation.

The investigator will move forward with the investigation in order to confirm the incident and identify any potential damage that may have been caused.

This information will be used by more senior security personnel who will work to isolate the damage, address vulnerabilities, mitigate the threat, and deal with reporting requirements.

A

Evaluating Alerts

When true positives are suspected, a cybersecurity analyst is sometimes required to escalate the alert to a higher level for investigation.

The investigator will move forward with the investigation in order to confirm the incident and identify any potential damage that may have been caused.

This information will be used by more senior security personnel who will work to isolate the damage, address vulnerabilities, mitigate the threat, and deal with reporting requirements.

85
Q

Evaluating Alerts

A cybersecurity analyst may also be responsible for informing security personnel that false positives are occurring to the extent that the cybersecurity analyst’s time is seriously impacted.

This situation indicates that security monitoring systems need to be tuned to become more efficient.

Legitimate changes in the network configuration or newly downloaded detection rules could result in a sudden spike in false positives as well.

A

Evaluating Alerts

A cybersecurity analyst may also be responsible for informing security personnel that false positives are occurring to the extent that the cybersecurity analyst’s time is seriously impacted.

This situation indicates that security monitoring systems need to be tuned to become more efficient.

Legitimate changes in the network configuration or newly downloaded detection rules could result in a sudden spike in false positives as well.

86
Q

Evaluating Alerts

False negatives may be discovered well after an exploit has occurred.

This can happen through retrospective security analysis (RSA).

RSA can occur when newly obtained rules or other threat intelligence is applied to archived network security data.

A

For this reason, it is important to monitor threat intelligence to learn of new vulnerabilities and exploits and to evaluate the likelihood that the network was vulnerable to them at some time in the past.

In addition, the exploit needs to be evaluated regarding the potential damage that the enterprise could suffer.

It may be determined that adding new mitigation techniques is sufficient, or that a more detailed analysis should be conducted.

87
Q

Deterministic Analysis and Probabilistic Analysis

Statistical techniques can be used to evaluate the risk that exploits will be successful in a given network.

This type of analysis can help decision makers to better evaluate the cost of mitigating a threat with the damage that an exploit could cause.

A

Deterministic Analysis and Probabilistic Analysis

Statistical techniques can be used to evaluate the risk that exploits will be successful in a given network.

This type of analysis can help decision makers to better evaluate the cost of mitigating a threat with the damage that an exploit could cause.

88
Q

Deterministic Analysis and Probabilistic Analysis

Two general approaches used to do this are deterministic and probabilistic analysis.

Deterministic analysis evaluates risk based on what is known about a vulnerability.

It assumes that for an exploit to be successful all prior steps in the exploit process must also be successful.

A

This type of risk analysis can only describe the worst case.

However, many threat actors, although aware of the process to carry out an exploit, may lack the knowledge or expertise to successfully complete each step on the path to a successful exploit.

This can give the cybersecurity analyst an opportunity to detect the exploit and stop it before it proceeds any further.

89
Q

Deterministic Analysis and Probabilistic Analysis

Probabilistic analysis estimates the potential success of an exploit by estimating the likelihood that if one step in an exploit has successfully been completed that the next step will also be successful.

Probabilistic analysis is especially useful in real-time network security analysis in which numerous variables are at play and a given threat actor can make unknown decisions as an exploit is pursued.

A

Deterministic Analysis and Probabilistic Analysis

Probabilistic analysis estimates the potential success of an exploit by estimating the likelihood that if one step in an exploit has successfully been completed that the next step will also be successful.

Probabilistic analysis is especially useful in real-time network security analysis in which numerous variables are at play and a given threat actor can make unknown decisions as an exploit is pursued.

90
Q

Deterministic Analysis and Probabilistic Analysis

Probabilistic analysis relies on statistical techniques that are designed to estimate the probability that an event will occur based on the likelihood that prior events will occur.

Using this type of analysis, the most likely paths that an exploit will take can be estimated and the attention of security personnel can be focused on preventing or detecting the most likely exploit.

A

Deterministic Analysis and Probabilistic Analysis

Probabilistic analysis relies on statistical techniques that are designed to estimate the probability that an event will occur based on the likelihood that prior events will occur.

Using this type of analysis, the most likely paths that an exploit will take can be estimated and the attention of security personnel can be focused on preventing or detecting the most likely exploit.

91
Q

Deterministic Analysis and Probabilistic Analysis

In a deterministic analysis all of the information to accomplish an exploit is assumed to be known.

The characteristics of the exploit, such as the use of specific port numbers, are known either from other instances of the exploit, or because standardized ports are in use.

In probabilistic analysis, it is assumed that the port numbers that will be used can only be predicted with some degree of confidence.

In this situation, an exploit that uses dynamic port numbers, for example, cannot be analyzed deterministically.

Such exploits have been optimized to avoid detection by firewalls that use static rules.

A

Deterministic Analysis and Probabilistic Analysis

In a deterministic analysis all of the information to accomplish an exploit is assumed to be known.

The characteristics of the exploit, such as the use of specific port numbers, are known either from other instances of the exploit, or because standardized ports are in use.

In probabilistic analysis, it is assumed that the port numbers that will be used can only be predicted with some degree of confidence.

In this situation, an exploit that uses dynamic port numbers, for example, cannot be analyzed deterministically.

Such exploits have been optimized to avoid detection by firewalls that use static rules.

92
Q

Deterministic Analysis and Probabilistic Analysis

The two approaches are summarized below.

Deterministic Analysis - For an exploit to be successful, all prior steps in the exploit must also be successful. The cybersecurity analyst knows the steps for a successful exploit.

Probabilistic Analysis - Statistical techniques are used to determine the probability that a successful exploit will occur based on the likelihood that each step in the exploit will succeed.

A

Deterministic Analysis and Probabilistic Analysis

The two approaches are summarized below.

Deterministic Analysis - For an exploit to be successful, all prior steps in the exploit must also be successful. The cybersecurity analyst knows the steps for a successful exploit.

Probabilistic Analysis - Statistical techniques are used to determine the probability that a successful exploit will occur based on the likelihood that each step in the exploit will succeed.

MODULE 26 - Evaluating Alerts CERTIFICATION REVISION PREPARATION (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions