Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

MODULE 27 - Working with Network Security Data CERTIFICATION EXAM PREPARATION > MODULE 27 - CERTIFICATION EXAM PREPARATION > Flashcards

MODULE 27 - CERTIFICATION EXAM PREPARATION Flashcards

1
Q

A Common Data Platform

ELK - Elasticsearch, Logstash, and Kibana (ELK).

A

A Common Data Platform

ELK - Elasticsearch, Logstash, and Kibana (ELK).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

ELK:

A typical network has a multitude of different logs to keep track of and most of those logs are in different formats.

With huge amounts of disparate data, how is it possible to get an overview of network operations while also getting a sense of subtle anomalies or changes in the network?

A

ELK:

A typical network has a multitude of different logs to keep track of and most of those logs are in different formats.

With huge amounts of disparate data, how is it possible to get an overview of network operations while also getting a sense of subtle anomalies or changes in the network?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

ELK PART 2 :

The Elastic Stack attempts to solve this problem by providing a single interface view into a heterogenous network.

The Elastic Stack consists of Elasticsearch, Logstash, and Kibana (ELK).

It is a highly scalable and modular framework for ingesting, analyzing, storing and visualizing data.

Elasticsearch is an open-core platform (open source in the core components) for searching and analyzing an organization’s data in near real time.

It can be used in many different contexts but has gained popularity in network security as a SIEM tool.

A

ELK PART 2 :

The Elastic Stack attempts to solve this problem by providing a single interface view into a heterogenous network.

The Elastic Stack consists of Elasticsearch, Logstash, and Kibana (ELK).

It is a highly scalable and modular framework for ingesting, analyzing, storing and visualizing data.

Elasticsearch is an open-core platform (open source in the core components) for searching and analyzing an organization’s data in near real time.

It can be used in many different contexts but has gained popularity in network security as a SIEM tool.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

ELK:

Security Onion includes ELK and other components from Elastic including:

–Beats

–ElastAlert

–Curator

A

ELK:

Security Onion includes ELK and other components from Elastic including:

–Beats

–ElastAlert

–Curator

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Security Onion includes ELK and other components from Elastic including:

Beats

ELK:

Security Onion includes ELK and other components from Elastic including:

–Beats

–ElastAlert

–Curator

A

– Beats

This is a series of software plugins that send different types of data to the Elasticsearch data stores.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Security Onion includes ELK and other components from Elastic including:

ElastAlert

ELK:

Security Onion includes ELK and other components from Elastic including:

–Beats

–ElastAlert

–Curator

A

– ElastAlert

This provides queries and security alerts based on user-defined criteria and other information from data in Elasticsearch.

Alert notifications can be sent to a console, or email and other notification systems such as TheHive security incident response platform.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Security Onion includes ELK and other components from Elastic including:

Curator

ELK:

Security Onion includes ELK and other components from Elastic including:

–Beats

–ElastAlert

–Curator

A

– Curator

This provides actions to manage Elasticsearch data indices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

ELK:

Elasticsearch, which is the search engine component, uses RESTful web services and APIs, a distributed computing cluster with multiple server nodes, and a distributed NoSQL database made up of JSON documents.

Additional functionality can be added through custom-created extensions.

The Elasticsearch company offers a commercial extension called X-Pack which adds security, alerting, monitoring, reporting, and graphs.

The company also offers a machine-learning add-on as well their own Elastic SIEM product.

A

ELK:

Elasticsearch, which is the search engine component, uses RESTful web services and APIs, a distributed computing cluster with multiple server nodes, and a distributed NoSQL database made up of JSON documents.

Additional functionality can be added through custom-created extensions.

The Elasticsearch company offers a commercial extension called X-Pack which adds security, alerting, monitoring, reporting, and graphs.

The company also offers a machine-learning add-on as well their own Elastic SIEM product.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

ELK:

Logstash enables the collection and normalization of network data into data indexes that can be efficiently searched by Elasticsearch.

Logstash and Beats modules are used to ingest data into the Elasticsearch cluster.

A

ELK:

Logstash enables the collection and normalization of network data into data indexes that can be efficiently searched by Elasticsearch.

Logstash and Beats modules are used to ingest data into the Elasticsearch cluster.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

ELK:

Kibana provides a graphical interface to data that is compiled by Elasticsearch.

It enables visualization of network data and provides tools and shortcuts for querying that data in order to isolate potential security breaches.

A

ELK:

Kibana provides a graphical interface to data that is compiled by Elasticsearch.

It enables visualization of network data and provides tools and shortcuts for querying that data in order to isolate potential security breaches.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

ELK:

The core open source components of the Elastic Stack are Logstash, Beats, Elasticsearch, and Kibana, as shown in the figure.

A

Elastic Stack Core Components:

https://snipboard.io/0IMdHL.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

ELK: Logstash

Logstash is an extract, transform and load system with the ability to take in various sources of log data and transform or parse the data through translation, sorting, aggregating, splitting, and validation.

After transforming the data, the data is loaded into the Elasticsearch database in the proper file format.

The figure shows some of the fields that are available in Logstash as shown in the Kibana Management interface.

https://snipboard.io/jdEBIf.jpg

A

ELK: Logstash

Logstash is an extract, transform and load system with the ability to take in various sources of log data and transform or parse the data through translation, sorting, aggregating, splitting, and validation.

After transforming the data, the data is loaded into the Elasticsearch database in the proper file format.

The figure shows some of the fields that are available in Logstash as shown in the Kibana Management interface.

https://snipboard.io/jdEBIf.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

ELK:

BEATS

Beats agents are open source software clients used to send operational data directly into Elasticsearch or through Logstash.

Elastic, as well as the open source community, actively develop Beats agents, so there are a huge variety of Beats agents for sending data to Elasticsearch in near real time.

Some of the Beats agents provided by Elastic are Auditbeat for audit data, Metricbeat for metric data, Heartbeat for availability, Packetbeat for network traffic, Journalbeat for Systemd journals, and Winlogbeat for Windows event logs.

Some community-sourced Beats are

Amazonbeat,

Apachebeat,

Dockbeat,

Nginxbeat, and Mqttbeat to name a few.

A

ELK:

BEATS

Beats agents are open source software clients used to send operational data directly into Elasticsearch or through Logstash.

Elastic, as well as the open source community, actively develop Beats agents, so there are a huge variety of Beats agents for sending data to Elasticsearch in near real time.

Some of the Beats agents provided by Elastic are Auditbeat for audit data, Metricbeat for metric data, Heartbeat for availability, Packetbeat for network traffic, Journalbeat for Systemd journals, and Winlogbeat for Windows event logs.

Some community-sourced Beats are

Amazonbeat,

Apachebeat,

Dockbeat,

Nginxbeat, and Mqttbeat to name a few.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

ELK: Elasticsearch

Elasticsearch is a cross platform enterprise search engine written in Java.

The core components are open-source with commercial addons called X-packs that give additional functionality.

Elasticsearch supports near real-time search using simple REST APIs to create or update JavaScript Object Notation (JSON) documents using HTTP requests.

Searches can be made using any program capable of making HTTP requests such as a web browser, Postman, cURL, etc.

These APIs can also be accessed by Python or other programming language scripts for automated operations.

A

ELK: Elasticsearch

Elasticsearch is a cross platform enterprise search engine written in Java.

The core components are open-source with commercial addons called X-packs that give additional functionality.

Elasticsearch supports near real-time search using simple REST APIs to create or update JavaScript Object Notation (JSON) documents using HTTP requests.

Searches can be made using any program capable of making HTTP requests such as a web browser, Postman, cURL, etc.

These APIs can also be accessed by Python or other programming language scripts for automated operations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

ELK: Elasticsearch PART 2:

The Elasticsearch data structure is called an inverted index, which is designed to allow very fast full-text searches.

An index is like a database, it is a namespace for a collection of documents that are related to each other.

An index can be partitioned or mapped into different types.

A

If you compare an Elasticsearch index to a traditional relational database, the index is like the database, the types are like the tables, and the documents are like the columns and rows, as shown in the table.

https://snipboard.io/iOMTqt.jpg

Elasticsearch stores data in JSON-formatted documents.

A JSON document is organized into hierarchies of key/value pairs, with a key being a name and the corresponding value being either a string, number, Boolean, date, array, or other type of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

ELK: Kibana

Kibana provides an easy to use graphical user interface for managing Elasticsearch.

By using a web browser, an analyst can use the Kibana interface to search and view indices. The management tab allows you to create and manage indices and their types and formats.

The discovery tab is a quick and powerful way to view your data and search it using the search tools.

The visualize tab allows you to create custom visualizations like bar charts, line charts, pie charts, heat maps, and more.

The visualizations you create can be organized into customized dashboards for monitoring and analyzing your data.

A Kibana dashboard is shown in the figure.

A

ELK: Kibana

Kibana provides an easy to use graphical user interface for managing Elasticsearch.

By using a web browser, an analyst can use the Kibana interface to search and view indices. The management tab allows you to create and manage indices and their types and formats.

The discovery tab is a quick and powerful way to view your data and search it using the search tools.

The visualize tab allows you to create custom visualizations like bar charts, line charts, pie charts, heat maps, and more.

The visualizations you create can be organized into customized dashboards for monitoring and analyzing your data.

A Kibana dashboard is shown in the figure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

ELK: A Kibana Dashboard:

https://snipboard.io/rnSfst.jpg

A

ELK: A Kibana Dashboard:

https://snipboard.io/rnSfst.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Data Reduction

The amount of network traffic that is collected by packet captures and the number of log file entries and alerts that are generated by network and security devices can be enormous.

Even with recent advances in Big Data, processing, storing, accessing, and archiving NSM-related data is a daunting task.

For this reason, it is important to identify the network data that should be gathered.

Not every log file entry, packet, and alert needs to be gathered.

By limiting the volume of data, tools like Elasticsearch will be far more useful, as shown in the figure.

A

Data Reduction

The amount of network traffic that is collected by packet captures and the number of log file entries and alerts that are generated by network and security devices can be enormous.

Even with recent advances in Big Data, processing, storing, accessing, and archiving NSM-related data is a daunting task.

For this reason, it is important to identify the network data that should be gathered.

Not every log file entry, packet, and alert needs to be gathered.

By limiting the volume of data, tools like Elasticsearch will be far more useful, as shown in the figure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Data Reduction PART 2

Some network traffic has little value to NSM.

Encrypted data, such as IPsec or SSL traffic, is largely unreadable.

Some traffic, such as that generated by routing protocols or spanning-tree protocol, is routine and can be excluded.

Other broadcast and multicast protocols can usually be eliminated from packet captures, as can traffic from other protocols that generate a lot of routine traffic.

A

Data Reduction PART 2

Some network traffic has little value to NSM.

Encrypted data, such as IPsec or SSL traffic, is largely unreadable.

Some traffic, such as that generated by routing protocols or spanning-tree protocol, is routine and can be excluded.

Other broadcast and multicast protocols can usually be eliminated from packet captures, as can traffic from other protocols that generate a lot of routine traffic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Data Reduction PART 3

In addition, alerts that are generated by a HIDS, such as Windows security auditing or OSSEC, should be evaluated for relevance.

Some are informational or of low potential security impact.

These messages can be filtered from NSM data.

Similarly, syslog may store messages of very low severity that could be disregarded to diminish the quantity of NSM data to be handled.

https://snipboard.io/4JLfh7.jpg

A

Data Reduction PART 3

In addition, alerts that are generated by a HIDS, such as Windows security auditing or OSSEC, should be evaluated for relevance.

Some are informational or of low potential security impact.

These messages can be filtered from NSM data.

Similarly, syslog may store messages of very low severity that could be disregarded to diminish the quantity of NSM data to be handled.

https://snipboard.io/4JLfh7.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Data Normalization

Data normalization is the process of combining data from a number of data sources into a common format.

Logstash provides a series of transformations that process security data and transform it before adding it to Elasticsearch.

Additional plugins can be created to suit the needs of the organization.

A

Data Normalization

Data normalization is the process of combining data from a number of data sources into a common format.

Logstash provides a series of transformations that process security data and transform it before adding it to Elasticsearch.

Additional plugins can be created to suit the needs of the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Data Normalization PART 2

A common schema will specify the names and formats for the required data fields.

Formatting of the data fields can vary widely between sources.

However, if searching is to be effective, the data fields must be consistent.

For example, IPv6 addresses, MAC addresses, and date and time information can be represented in varying formats.

A

Similarly, subnet masks, DNS records, and so on can vary in format between data sources.

Logstash transformations accept the data in its native format and make elements of the data consistent across all sources.

For example, a single format will be used for addresses and timestamps for data from all sources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Data Normalization PART 3 IPv6 Address Formats

2001:db8:acad:1111:2222::33 2001:DB8:ACAD:1111:2222::33 2001:DB8:ACAD:1111:2222:0:0:33 2001:DB8:ACAD:1111:2222:0000:0000:0033

A

Data Normalization PART 3 IPv6 Address Formats

2001:db8:acad:1111:2222::33 2001:DB8:ACAD:1111:2222::33 2001:DB8:ACAD:1111:2222:0:0:33 2001:DB8:ACAD:1111:2222:0000:0000:0033

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Data Normalization PART 4 MAC Formats

A7:03:DB:7C:91:AA A7-03-DB-7C-91-AA A70.3DB.7C9.1AA

A

Data Normalization PART 4 MAC Formats

A7:03:DB:7C:91:AA A7-03-DB-7C-91-AA A70.3DB.7C9.1AA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Data Normalization PART 5 Date Formats

Monday, July 24, 2017 7:39:35pm Mon, 24 Jul 2017 19:39:35 +0000 2017-07-24T19:39:35+00:00 1500925254

Data normalization is required to simplify searching for correlated events.

If differently formatted values exist in the NSM data for IPv6 addresses, for example, a separate query term would need to be created for every variation in order for correlated events to be returned by the query.

A

Data Normalization PART 5 Date Formats

Monday, July 24, 2017 7:39:35pm Mon, 24 Jul 2017 19:39:35 +0000 2017-07-24T19:39:35+00:00 1500925254

Data normalization is required to simplify searching for correlated events.

If differently formatted values exist in the NSM data for IPv6 addresses, for example, a separate query term would need to be created for every variation in order for correlated events to be returned by the query.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Data Archiving

Everyone would love the security of collecting and saving everything, just in case.

However, retaining NSM data indefinitely is not feasible due to storage and access issues.

It should be noted that the retention period for certain types of network security information may be specified by compliance frameworks.

For example, the Payment Card Industry Security Standards Council (PCI DSS) requires that an audit trail of user activities related to protected information be retained for one year.

A

Data Archiving

Everyone would love the security of collecting and saving everything, just in case.

However, retaining NSM data indefinitely is not feasible due to storage and access issues.

It should be noted that the retention period for certain types of network security information may be specified by compliance frameworks.

For example, the Payment Card Industry Security Standards Council (PCI DSS) requires that an audit trail of user activities related to protected information be retained for one year.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Data Archiving PART 2

Security Onion has different data retention periods for different types of NSM data.

For pcaps and raw Bro logs, a value assigned in the **securityonion.conf** file controls the percentage of disk space that can be used by log files.

By default, this value is set to 90%.

A

Data Archiving PART 2

Security Onion has different data retention periods for different types of NSM data.

For pcaps and raw Bro logs, a value assigned in the **securityonion.conf** file controls the percentage of disk space that can be used by log files.

By default, this value is set to 90%.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Data Archiving PART 3 For Elasticsearch, retention of data indices is controlled by Elasticsearch curator.

Curator runs in a Docker container and executes every minute according to **cron** jobs.

Curator logs its activity to curator.log. Curator defaults to closing indices older than 30 days.

To modify this, change CURATOR_CLOSE_DAYS in /etc/nsm/securityonion.conf.

As a disk reaches capacity, Curator deletes old indices to prevent your disk from filling up.

To change the limit, modify LOG_SIZE_LIMIT in /etc/nsm/securityonion.conf.

A

Data Archiving PART 3 For Elasticsearch, retention of data indices is controlled by Elasticsearch curator.

Curator runs in a Docker container and executes every minute according to **cron** jobs.

Curator logs its activity to curator.log. Curator defaults to closing indices older than 30 days.

To modify this, change CURATOR_CLOSE_DAYS in /etc/nsm/securityonion.conf.

As a disk reaches capacity, Curator deletes old indices to prevent your disk from filling up.

To change the limit, modify LOG_SIZE_LIMIT in /etc/nsm/securityonion.conf.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Data Archiving PART 4

Sguil alert data is retained for 30 days by default.

This value is set in the securityonion.conf file.

Security Onion is known to require a lot of storage and RAM to run properly.

Depending on the size of the network, multiple terabytes of storage may be required.

Of course, Security Onion data can always be archived to external storage by a data archive system, depending on the needs and capabilities of the organization.

A

Data Archiving PART 4

Sguil alert data is retained for 30 days by default.

This value is set in the securityonion.conf file.

Security Onion is known to require a lot of storage and RAM to run properly.

Depending on the size of the network, multiple terabytes of storage may be required.

Of course, Security Onion data can always be archived to external storage by a data archive system, depending on the needs and capabilities of the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Working in Sguil The primary duty of a cybersecurity analyst is the verification of security alerts.

Depending on the organization, the tools used to do this will vary.

For example, a ticketing system may be used to manage task assignment and documentation.

In Security Onion, the first place that a cybersecurity analyst will go to verify alerts is Sguil.

A

Working in Sguil The primary duty of a cybersecurity analyst is the verification of security alerts.

Depending on the organization, the tools used to do this will vary.

For example, a ticketing system may be used to manage task assignment and documentation.

In Security Onion, the first place that a cybersecurity analyst will go to verify alerts is Sguil.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Working in Sguil Sguil automatically correlates similar alerts into a single line and provides a way to view correlated events represented by that line.

In order to get a sense of what has been happening in the network, it may be useful to sort on the CNT column to display the alerts with the highest frequency.

A

Working in Sguil Sguil automatically correlates similar alerts into a single line and provides a way to view correlated events represented by that line.

In order to get a sense of what has been happening in the network, it may be useful to sort on the CNT column to display the alerts with the highest frequency.

32
Q

Working in Sguil

Right-clicking the CNT value and selecting View Correlated Events opens a tab that displays all events that are related by Sguil.

This can help the cybersecurity analyst understand the time frame during which the correlated events were received by Sguil.

Note that each event receives a unique event ID.

Only the first event ID in the series of correlated events is displayed in the RealTime Events tab.

The figure shows Sguil alerts sorted on CNT with the View Correlated Events menu open.

A

Working in Sguil

Right-clicking the CNT value and selecting View Correlated Events opens a tab that displays all events that are related by Sguil.

This can help the cybersecurity analyst understand the time frame during which the correlated events were received by Sguil.

Note that each event receives a unique event ID.

Only the first event ID in the series of correlated events is displayed in the RealTime Events tab.

The figure shows Sguil alerts sorted on CNT with the View Correlated Events menu open.

33
Q

Sguil Alerts Sorted on CNT

https://snipboard.io/BxHmbY.jpg

A

Sguil Alerts Sorted on CNT

https://snipboard.io/BxHmbY.jpg

34
Q

Working in Sguil Sguil Queries

Queries can be constructed in Sguil using the Query Builder.

It simplifies constructing queries to a certain degree, but the cybersecurity analyst must know the field names and some issues with field values.

For example, Sguil stores IP addresses in an integer representation.

In order to query on an IP address in dotted decimal notation, the IP address value must be placed within the INET_ATON() function. Query Builder is opened from the Sguil Query menu.

Select Query Event Table to search active events.

A

Working in Sguil Sguil Queries

Queries can be constructed in Sguil using the Query Builder.

It simplifies constructing queries to a certain degree, but the cybersecurity analyst must know the field names and some issues with field values.

For example, Sguil stores IP addresses in an integer representation.

In order to query on an IP address in dotted decimal notation, the IP address value must be placed within the INET_ATON() function. Query Builder is opened from the Sguil Query menu.

Select Query Event Table to search active events.

35
Q

Working in Sguil The table shows the names of some of the event table fields that can be queried directly.

Selecting Show DataBase Tables from the Query menu displays a reference to the field names and types for each of the tables that can be queried.

When conducting event table searches, use the pattern event.fieldName = value.

https://snipboard.io/f9z6jU.jpg

A

https://snipboard.io/f9z6jU.jpg

Working in Sguil The table shows the names of some of the event table fields that can be queried directly.

Selecting Show DataBase Tables from the Query menu displays a reference to the field names and types for each of the tables that can be queried.

When conducting event table searches, use the pattern event.fieldName = value.

36
Q

In the example below, the cybersecurity analyst is investigating a source port 40754 that is associated with an Emerging Threats alert.

Towards the end of the query, the WHERE event.src_port = ‘40754’ portion was created by the user in Query Builder.

The remainder of the query is supplied automatically by Sguil and concerns how the data that is associated with the events is to be retrieved, displayed, and presented.

https://snipboard.io/52YXal.jpg

A

In the example below, the cybersecurity analyst is investigating a source port 40754 that is associated with an Emerging Threats alert.

Towards the end of the query, the WHERE event.src_port = ‘40754’ portion was created by the user in Query Builder.

The remainder of the query is supplied automatically by Sguil and concerns how the data that is associated with the events is to be retrieved, displayed, and presented.

https://snipboard.io/52YXal.jpg

37
Q

Pivoting from Sguil Sguil provides the ability for the cybersecurity analyst to pivot to other information sources and tools.

A

Pivoting from Sguil Sguil provides the ability for the cybersecurity analyst to pivot to other information sources and tools.

38
Q

Pivoting from Sguil Log files are available in Elasticsearch.

Relevant packet captures can be displayed in Wireshark.

Transcripts of TCP sessions and Zeek (Bro) detection information are also available.

A

Pivoting from Sguil Log files are available in Elasticsearch.

Relevant packet captures can be displayed in Wireshark.

Transcripts of TCP sessions and Zeek (Bro) detection information are also available.

39
Q

Pivoting from Sguil The menu shown in the figure was opened by right-clicking on an Alert ID.

Selecting from this menu will open information about the alert in other tools, which provides rich, contextualized information to the cybersecurity analyst.

https://snipboard.io/oWVcG7.jpg

A

Pivoting from Sguil The menu shown in the figure was opened by right-clicking on an Alert ID.

Selecting from this menu will open information about the alert in other tools, which provides rich, contextualized information to the cybersecurity analyst.

https://snipboard.io/oWVcG7.jpg

40
Q

Pivoting from Sguil Additionally, Sguil can provide pivots to

– Passive Real-time Asset Detection System (PRADS) and

– Security Analyst Network Connection Profiler (SANCP) information.

A

These tools are accessed by right-clicking on an IP address for an event and selecting the Quick Query or Advanced Query menus.

41
Q

Pivoting from Sguil PRADS gathers

Pivoting from Sguil Additionally, Sguil can provide pivots to

– Passive Real-time Asset Detection System (PRADS) and

– Security Analyst Network Connection Profiler (SANCP) information.

A

Pivoting from Sguil PRADS gathersnetwork profiling data, including information about the behavior of assets on the network.

PRADS is an event source, like Snort and OSSEC.

It can also be queried through Sguil when an alert indicates that an internal host may have been compromised.

Executing a PRADS query out of Sguil can provide information about the services, applications, and payloads that may be relevant to the alert.

In addition, PRADS detects when new assets appear on the network.

42
Q

Pivoting from Sguil PRADS gathers

Pivoting from Sguil Additionally, Sguil can provide pivots to

– Passive Real-time Asset Detection System (PRADS) and

– Security Analyst Network Connection Profiler (SANCP) information.

A

Pivoting from Sguil The Sguil interface refers to PADS instead of PRADS.

PADS was the predecessor to PRADS.

PRADS is the tool that is actually used in Security Onion. PRADS is also used to populate SANCP tables.

In Security Onion, the functionalities of SANCP have been replaced by PRADS, however the term SANCP is still used in the Sguil interface.

PRADS collects the data, and a SANCP agent records the data in a SANCP data table.

43
Q

Pivoting from Sguil PRADS gathers

Pivoting from Sguil Additionally, Sguil can provide pivots to

– Passive Real-time Asset Detection System (PRADS) and

– Security Analyst Network Connection Profiler (SANCP) information.

A

Pivoting from Sguil The SANCP functionalities concern collecting and recording statistical information about network traffic and behavior.

SANCP provides a means of verifying that network connections are valid.

This is done through the application of rules that indicate which traffic should be recorded and the information with which the traffic should be tagged.

44
Q

Event Handling in Sguil Sguil is not only a console that facilitates investigation of alerts.

It is also a tool for addressing or classifying alerts.

A

Three tasks can be completed in Sguil to manage alerts.

45
Q

Event Handling in Sguil:

3 TASKS can be completed in Sguil to manage alerts.

First, alerts that have been found to be false positives can be expired. This can be done by using the right-clicking in the ST column for the event an using the menu or by pressing the F8 key. An expired event disappears from the queue.

Second, if the cybersecurity analyst is uncertain how to handle an event, it can be escalated by pressing the F9 key. The alert will be moved to the Sguil Escalated Events tab.

Finally, an event can be categorized. Categorization is for events that have been identified as true positives.

A

Event Handling in Sguil:

3 TASKS can be completed in Sguil to manage alerts.

First, alerts that have been found to be false positives can be expired. This can be done by using the right-clicking in the ST column for the event an using the menu or by pressing the F8 key. An expired event disappears from the queue.

Second, if the cybersecurity analyst is uncertain how to handle an event, it can be escalated by pressing the F9 key. The alert will be moved to the Sguil Escalated Events tab.

Finally, an event can be categorized. Categorization is for events that have been identified as true positives.

46
Q

Event Handling in Sguil:

Sguil includes seven pre-built categories that can be assigned by using a menu,which is shown in the figure, or by pressing the corresponding function key.

For example, an event would be categorized as Cat I by pressing the F1 key.

In addition, criteria can be created that will automatically categorize an event.

A

Categorized events are assumed to have been handled by the cybersecurity analyst.

When an event is categorized, it is removed from the list of RealTime Events.

The event remains in the database however, and it can be accessed by queries that are issued by category.

47
Q

Event Handling in Sguil:

SCREENSHOT

https://snipboard.io/GbA5Bt.jpg

A

Event Handling in Sguil:

SCREENSHOT

https://snipboard.io/GbA5Bt.jpg

48
Q

Working in ELK

Logstash and Beats are used for data ingestion in the Elastic Stack.

A

Working in ELK

Logstash and Beats are used for data ingestion in the Elastic Stack.

49
Q

Working in ELK

WHAT DO Logstash and Beats PROVIDE?

They provide access to large numbers of log file entries.

Because the number of logs that can be displayed is so large, Kibana, which is the visual interface into the logs, is configured to show the last 24 hours by default.

You can adjust the time range to view broader or older ranges of data.

https://snipboard.io/Wvs0mk.jpg

A

Working in ELK

WHAT DO Logstash and Beats PROVIDE?

They provide access to large numbers of log file entries.

Because the number of logs that can be displayed is so large, Kibana, which is the visual interface into the logs, is configured to show the last 24 hours by default.

You can adjust the time range to view broader or older ranges of data.

https://snipboard.io/Wvs0mk.jpg

50
Q

Working in ELK

In order to see log file records for a different period of time, click the Last 24 hours tab in the upper right corner of Kibana.

From there, set the Time Range by selecting the Quick tab for predefined time ranges.

You can also enter the dates and times manually using the Absolute tab.

The figure shows an Absolute time range from May 17th to May 18th, 2020. Logs are ingested into Elasticsearch into separate indices or databases based on a configured range of time.

A

Working in ELK

In order to see log file records for a different period of time, click the Last 24 hours tab in the upper right corner of Kibana.

From there, set the Time Range by selecting the Quick tab for predefined time ranges.

You can also enter the dates and times manually using the Absolute tab.

The figure shows an Absolute time range from May 17th to May 18th, 2020. Logs are ingested into Elasticsearch into separate indices or databases based on a configured range of time.

51
Q

Working in ELK

The best way to monitor your data in Elasticsearch is to build customized visual dashboards that track the data that you are interested in using.

A variety of visual charts including bar graphs, pie charts, count metrics, heat maps, Geo maps, top number lists are available.

In Kibana, visualizations and charts can be searched and filtered with specific metrics and buckets of data.

A

Working in ELK

The best way to monitor your data in Elasticsearch is to build customized visual dashboards that track the data that you are interested in using.

A variety of visual charts including bar graphs, pie charts, count metrics, heat maps, Geo maps, top number lists are available.

In Kibana, visualizations and charts can be searched and filtered with specific metrics and buckets of data.

52
Q

Queries in ELK:

Elasticsearch is built on Apache Lucene, an open-source search engine software library that features full text indexing and searching capabilities.

Elasticsearch ingests data into documents called indices and those documents are mapped to various datatypes using index patterns.

A

Queries in ELK:

Elasticsearch is built on Apache Lucene, an open-source search engine software library that features full text indexing and searching capabilities.

Elasticsearch ingests data into documents called indices and those documents are mapped to various datatypes using index patterns.

53
Q

Queries in ELK:

The index patterns create a data structure of JSON-formatted fields and values.

The datatypes in the fields can be in the following formats:

Core Datatypes:

Text (Strings),

Numeric,

Date,

Boolean,

Binary, and Range Complex Datatypes:

Object (JSON), Nested (arrays of JSON objects) Geo Datatypes:

Geo-point (latitude/longitude),

Geo-shape (polygons) Specialized Datatypes:

IP addresses, Token count, Histogram, etc.)

A

Queries in ELK:

The index patterns create a data structure of JSON-formatted fields and values.

The datatypes in the fields can be in the following formats:

Core Datatypes:

Text (Strings),

Numeric,

Date,

Boolean,

Binary, and Range Complex Datatypes:

Object (JSON), Nested (arrays of JSON objects) Geo Datatypes:

Geo-point (latitude/longitude),

Geo-shape (polygons) Specialized Datatypes:

IP addresses, Token count, Histogram, etc.)

54
Q

Queries in ELK: Using Lucene software libraries, Elasticsearch has its own query language based on JSON called Query DSL (Domain Specific Language).

Query DSL features leaf queries, compound queries, and expensive queries.

Leaf queries look for a specific value in a specific field, such as the match, term, or range queries.

Compound queries enclose other leaf or compound queries and are used to combine multiple queries in a logical fashion.

Expensive queries execute slowly and include fuzzy matching, regex matching, and wildcard matching.

A

Queries in ELK: Using Lucene software libraries, Elasticsearch has its own query language based on JSON called Query DSL (Domain Specific Language).

Query DSL features leaf queries, compound queries, and expensive queries.

Leaf queries look for a specific value in a specific field, such as the match, term, or range queries.

Compound queries enclose other leaf or compound queries and are used to combine multiple queries in a logical fashion.

Expensive queries execute slowly and include fuzzy matching, regex matching, and wildcard matching.

55
Q

Queries in ELK: Query Language

Along with JSON, Elasticsearch queries make use of the following elements: Boolean operators, Fields, Ranges, Wildcards, Regex, Fuzzy search, Text search.

A

Queries in ELK: Query Language

Along with JSON, Elasticsearch queries make use of the following elements: Boolean operators, Fields, Ranges, Wildcards, Regex, Fuzzy search, Text search.

56
Q

Queries in ELK: Boolean Operators

AND, OR, and NOT operators: “php” OR “zip” OR “exe” OR “jar” OR “run” “RST” AND “ACK”

A

Queries in ELK: Boolean Operators

AND, OR, and NOT operators: “php” OR “zip” OR “exe” OR “jar” OR “run” “RST” AND “ACK”

57
Q

Queries in ELK:

Fields

In colon separated key:value pairs you specify the key field, a colon, a space and the value: dst.ip: “192.168.1.5” dst.port: 80

A

Queries in ELK:

Fields

In colon separated key:value pairs you specify the key field, a colon, a space and the value: dst.ip: “192.168.1.5” dst.port: 80

58
Q

Queries in ELK: Ranges

You can search for fields within a specific range using square brackets (inclusive) or curly braces (exclusive) range:

host:[1 TO 255] — Will return events with age between 1 and 255

TTL:{100 TO 400} — Will return events with prices between 101 and 399

name: [Admin TO User] — Will return names between and including Admin and User

A

Queries in ELK: Ranges

You can search for fields within a specific range using square brackets (inclusive) or curly braces (exclusive) range:

host:[1 TO 255] — Will return events with age between 1 and 255

TTL:{100 TO 400} — Will return events with prices between 101 and 399

name: [Admin TO User] — Will return names between and including Admin and User

59
Q

Queries in ELK: Wildcards

The * character is for multiple character wildcards and the ? character for single character

wildcards: P?ssw?rd — Will match Password,

and P@ssw0rd Pas* — Will match Pass, Passwd, and Password

A

Queries in ELK: Wildcards

The * character is for multiple character wildcards and the ? character for single character

wildcards: P?ssw?rd — Will match Password,

and P@ssw0rd Pas* — Will match Pass, Passwd, and Password

60
Q

Queries in ELK: Regex

These are placed between forward slashes (/): /d[ao]n/ — Will match both dan and don // — Will match text that resembles an HTML tag

A

Queries in ELK: Regex

These are placed between forward slashes (/): /d[ao]n/ — Will match both dan and don // — Will match text that resembles an HTML tag

61
Q

Queries in ELK: Fuzzy Search

Fuzzy searching uses the Damerau-Levenshtein Distance to match terms that are similar in spelling.

This is great when your data set has misspelled words.

Use the tilde (~) to find similar terms: index.php~ - This may return results like “index.html,” “home.php”, and “info.php.”

Use the tilde (~) along with a number to specify the how big the distance between words can be: term~2 - This will match, among other things: “team,” “terms,” “trem,” and “torn”

A

Queries in ELK: Fuzzy Search

Fuzzy searching uses the Damerau-Levenshtein Distance to match terms that are similar in spelling.

This is great when your data set has misspelled words.

Use the tilde (~) to find similar terms: index.php~ - This may return results like “index.html,” “home.php”, and “info.php.”

Use the tilde (~) along with a number to specify the how big the distance between words can be: term~2 - This will match, among other things: “team,” “terms,” “trem,” and “torn”

62
Q

Queries in ELK: Text search

Type in the term or value you want to find.

This can be a field, or a string within a field, etc.

A

Queries in ELK: Text search

Type in the term or value you want to find.

This can be a field, or a string within a field, etc.

63
Q

Queries in ELK: Query Execution

Elasticsearch was designed to interface with users using web-based clients that follow the HTTP REST framework.

A

Queries in ELK: Query Execution

Elasticsearch was designed to interface with users using web-based clients that follow the HTTP REST framework.

64
Q

Queries in ELK: Queries can be executed using the following methods:

URI - Elasticsearch can execute queries using URI searches: http://localhost:9200/_search?q=query:ns.example.com cURL

  • Elasticsearch can execute queries using cURL from the command line: curl “localhost:9200/_search?q=query:ns.example.com”

JSON – Elasticsearch can execute queries with a request body search using a JSON document beginning with a query element, and a query formatted using the Query Domain Specific Language.

Dev Tools – Elasticsearch can execute queries using the Dev Tools console in Kibana and a query formatted using the Query Domain Specific Language.

A

Queries in ELK: Queries can be executed using the following methods:

URI - Elasticsearch can execute queries using URI searches: http://localhost:9200/_search?q=query:ns.example.com cURL

  • Elasticsearch can execute queries using cURL from the command line: curl “localhost:9200/_search?q=query:ns.example.com”

JSON – Elasticsearch can execute queries with a request body search using a JSON document beginning with a query element, and a query formatted using the Query Domain Specific Language.

Dev Tools – Elasticsearch can execute queries using the Dev Tools console in Kibana and a query formatted using the Query Domain Specific Language.

65
Q

Investigating Process or API Calls Applications interact with an operating system (OS) through system calls to the OS application programming interface (API), as shown in the figure.

https://snipboard.io/u7XIg0.jpg

These system calls allow access to many aspects of system operation such as:

Software process control File management Device management Information management Communication

A

Investigating Process or API Calls Applications interact with an operating system (OS) through system calls to the OS application programming interface (API), as shown in the figure.

https://snipboard.io/u7XIg0.jpg

These system calls allow access to many aspects of system operation such as:

Software process control File management Device management Information management Communication

66
Q

Investigating Process or API Calls

Malware can also make system calls.

A

If malware can fool an OS kernel into allowing it to make system calls, many exploits are possible.

67
Q

Investigating Process or API Calls

HIDS software tracks the operation of a host OS.

OSSEC rules detect changes in host-based parameters like the execution of software processes, changes in user privileges, and registry modifications, among many others.

OSSEC rules will trigger an alert in Sguil.

A

Pivoting to Kibana on the host IP address allows you to choose the type of alert based on the program that created it.

Filtering for OSSEC indices results in a view of the OSSEC events that occurred on the host, including indicators that malware may have interacted with the OS kernel.

68
Q

Investigating File Details

In Sguil, if the cybersecurity analyst is suspicious of a file the hash value can be submitted to an online site, such as VirusTotal, to determine if the file is known malware.

The hash value can be submitted from the Search tab on the VirusTotal page.

A

Investigating File Details

In Sguil, if the cybersecurity analyst is suspicious of a file the hash value can be submitted to an online site, such as VirusTotal, to determine if the file is known malware.

The hash value can be submitted from the Search tab on the VirusTotal page.

69
Q

Investigating File Details In Kibana, Zeek Hunting can be used to display information regarding the files that have entered the network.

From the MIME, or media, types that are present, filters can be set to display information about specific types of files such as application/xml or application/zip.

From there, details for the individual files can be displayed, as shown in the figure.

Note that in Kibana, the event type is shown as bro_files, even though the new name for Bro is Zeek. File Details from Zeek as Displayed in Kibana

https://snipboard.io/gFYs9I.jpg

A

Investigating File Details In Kibana, Zeek Hunting can be used to display information regarding the files that have entered the network.

From the MIME, or media, types that are present, filters can be set to display information about specific types of files such as application/xml or application/zip.

From there, details for the individual files can be displayed, as shown in the figure.

Note that in Kibana, the event type is shown as bro_files, even though the new name for Bro is Zeek. File Details from Zeek as Displayed in Kibana

https://snipboard.io/gFYs9I.jpg

70
Q

Dashboards and Visualizations

Dashboards provide a combination of data and visualizations that are designed to improve access to and interpretation of large amounts of information.

Dashboards are usually interactive.

They allow cybersecurity analysts to focus on specific details and information by clicking on elements of the dashboard.

For example, clicking on a bar in a bar chart could provide a breakdown of the information for the data represented by that bar.

A

Kibana includes the capability of designing custom dashboards.

In addition, other tools that are included in Security Onion, such as Squert, provide a visual interface to NSM data.

The Kibana interface for selecting the visualizations that will compose a custom dashboard are shown in the figure.

Selecting Visualizations for a Custom Kibana Dashboard:

https://snipboard.io/8MJm6n.jpg

71
Q

Workflow Management Because of the critical nature of network security monitoring it is essential that workflows are managed.

Workflows are the sequence of processes and procedures through which work tasks are completed.

Managing SOC workflows enhances the efficiency of the cyberoperations team, increases the accountability of staff, and ensures that all potential alerts are treated properly.

A

Workflow Management Because of the critical nature of network security monitoring it is essential that workflows are managed.

Workflows are the sequence of processes and procedures through which work tasks are completed.

Managing SOC workflows enhances the efficiency of the cyberoperations team, increases the accountability of staff, and ensures that all potential alerts are treated properly.

72
Q

Workflow Management In large security organizations it is conceivable that thousands of alerts will be received daily.

Each alert should be systematically assigned, processed, and documented by cyberoperations staff.

A

Workflow Management In large security organizations it is conceivable that thousands of alerts will be received daily.

Each alert should be systematically assigned, processed, and documented by cyberoperations staff.

73
Q

Workflow Management

Runbook automation, or workflow management systems provide the tools necessary to streamline and control processes in a cybersecurity operations center.

Sguil provides basic workflow management.

However, it is not a good choice for large operations with many employees.

Instead, third party workflow management systems are available that can be customized to suit the needs of cybersecurity operations.

A

Workflow Management

Runbook automation, or workflow management systems provide the tools necessary to streamline and control processes in a cybersecurity operations center.

Sguil provides basic workflow management.

However, it is not a good choice for large operations with many employees.

Instead, third party workflow management systems are available that can be customized to suit the needs of cybersecurity operations.

74
Q

Workflow Management

In addition, automated queries are useful for adding efficiency to the cyberoperations workflow.

These queries, sometimes known as plays, or playbooks, automatically search for complex security incidents that may evade other tools.

A

Workflow Management

In addition, automated queries are useful for adding efficiency to the cyberoperations workflow.

These queries, sometimes known as plays, or playbooks, automatically search for complex security incidents that may evade other tools.

75
Q

Workflow Management

In Kibana filtered searches can be turned into visualizations, which can be dynamically updated and monitored to track events.

The ELK stack can add alerting functionality by installing the X-Pack extension into Elastic.

A

Workflow Management

In Kibana filtered searches can be turned into visualizations, which can be dynamically updated and monitored to track events.

The ELK stack can add alerting functionality by installing the X-Pack extension into Elastic.

76
Q

Workflow Management

X-Pack is a commercial extension to Elasticsearch and bundles security, alerting, monitoring, reporting, and graph capabilities.

Elasticsearch provides multiple forms of alert notification and can notify cybersecurity analysts by email or other means.

A

Workflow Management

X-Pack is a commercial extension to Elasticsearch and bundles security, alerting, monitoring, reporting, and graph capabilities.

Elasticsearch provides multiple forms of alert notification and can notify cybersecurity analysts by email or other means.

77
Q

Workflow Management In addition to X-Pack

Elastic.co also offers their own commercial Elastic SIEM product with advanced monitoring, alerting, and orchestration capabilities.

A

Workflow Management In addition to X-Pack

Elastic.co also offers their own commercial Elastic SIEM product with advanced monitoring, alerting, and orchestration capabilities.

MODULE 27 - Working with Network Security Data CERTIFICATION EXAM PREPARATION (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions