Monitoring and Auditing

Question 1

What is SYSLOG

Answer 1

Standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them

Question 2

Log File Maintence

Answer 2

Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, backup, securing, and encryption of the log files

Question 3

What is ELK/Elastic Stack

Answer 3

Collection of free and open-source SIEM tools that provides, storage, search, and analysis functions

Question 4

what does ELK/ Elastic Stack consist of.

Answer 4

Elasticsearch (query/analytics),
logstatsh( log colleciton/normalization),
kibana(visualization),
beats (endpoint collection agents)

Question 5

What is syslog

Answer 5

A protocol enabling different appliances and software applications to transmit logs or event records toa central server.

It is the defacto standard for logging of events from distributed systems

Question 6

what are the contexts of a syslog message?

Answer 6

PRI Code (priority code)
A header
A message portion

Question 7

How is the pri code in a syslog message determined

Answer 7

A PRI code is calculated form the facility and severity level of the data

Question 8

What is contained in the header of a syslog message

Answer 8

A header contains the timestamp of the event and the hostname

Question 9

What does the message portion of a syslog message contain

Answer 9

The source process of the event and related content.

Question 10

What was the original drawback to Syslog

Answer 10

Since the syslog relied on UDP, there can be delivery issues within congested networks.

There were also no security controls such as authentication and encryption included by default.

This can cause issues because UDP packets may be lost as they are fire and forget. This can be problematic

Question 11

What are the improvements to newer Syslog messagin?

Answer 11

The ability to use port 1468 for TCP connections, ensuring consistent delivery.

The ability to use TLS to encrypt messages sent to servers

The ability to use MD-5 or SHA-1 for authentication and integrity

Message filtering, automated log analysis, event response scripting, and alternate message formats

Question 12

What is the newer version of syslog server called?

Answer 12

Syslog-NG or Rsyslog

Question 13

Syslog can be refered to as what three thigns

Answer 13

The network protocol, the server, or the log entries themselves

Question 14

What is soar? And what is it primarily used for?

Answer 14

Security orchestration, automation, and response (SIEM 2.0) is used for incident response.

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

Question 15

What can you use a SOAR For

Answer 15

Scan security / threat data
Analyze data with Machine Learning
Automate data enrichment
Provision new resources using automated playbooks
( New accounts, VMs, delete infected virtual machines. )

Question 16

What is a playbook

Answer 16

A checklist of actions to perform to detect and respond to a specific type of incident.

Question 17

What is a runbook

Answer 17

An automated version of a playbook that leaves clearly defined interaction points for human analysis

Assist analysts by performing tasks before flagging for human involvement, humans make a decision, then the runbook performs actions based on the choices made.

Question 18

What is SNMP and what does it provide

Answer 18

Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

Question 19

What are the 3 main forms of automated monitoring and their characteristics

Answer 19

Signature - Network traffic is analyzed for predetermined attack patterns

Anomaly - Baseline is established, anything outside baseline is evaluated

Behavior - activity is based upon the previous behavior of applications, executables, and OS in comparison to the activity of the system

Question 20

What automated monitoring form causes the most and least number of false positvives

Answer 20

Behavior creates the largest number of false positives
Signature based produces the fewest number of false positives

Question 21

Can you combine monitoring methods?

Answer 21

Yes, hybrid approaches can be used with some IDS\IPS systems

Question 22

What is baseline reporting

Answer 22

Documenting and reporting on the changes in a baseline which is used to inform the organizations security posture.

Example: 60% CPU utilization is now running at 80%, 5 apps installed on a PC now there are 30

Question 23

How is security posturing measured

Answer 23

High Risk = Less configuration management
Low Risk = more configuration management

Question 24

What is performance baselining used for

Answer 24

Used to investigate anomalies and track operations and functions to their root.

More useful for Operations and functionality than security.

I/O usage, CPU usage, Memory
Can use Resource Monitor to track and create alerts

Question 25

What are protocol analyzers used for

Answer 25

Capturing and analyzing network traffic

Question 26

What are the two modes that protocol analyzers can run in?

Answer 26

Promiscuos mode - The network adapter is able to capture all of the packets on the network regardless of the destination mac address of the frames

Non-Promisuos - Network adapter is only capturing the packets addressed to the protocol analyzer itself

Question 27

What are somethings to know about promiscuos mode

Answer 27

You need promiscuous mode enabled to capture the most amount of traffic

Not all network adapters allow this

The port on the switch must also support this.

Question 28

What is port mirroring

Answer 28

One or more switch ports are configured to forward all of their traffic to another port on a switch known as a “SPAN PORT”

Question 29

What can you do if a span port is not an option, but you need to analyze all traffic coming across a port or device link.

Answer 29

Span ports put strain on the CPU of switches, a network tap can come in handy. You break the line between the switches or routers, and insert a physical device between the two links.
Network taps add no strain on networking devices.

Question 30

What is SNMP

Answer 30

Simple Network Management Protocol aides in the monitoring of network attached devices

SNMP is typically incorporated into a network management ad monitoring system, but it can also send data inband, although this is much less secure.

Question 31

What are the three components of SNMP

Answer 31

Managed Devices - Computers and other network attached devices monitored through the use of agents by a NMS

Agent- Software that is loaded on to a managed device to redirect information to the NMS

Network Management System (NMS)- Software running on one or more servers to control the monitoring of network attached devices and PCs

Question 32

What is SNMP Trap used for?

Answer 32

It is a connection whereby un-solicited traffic can be sent from agent to the NMS

Question 33

What Versions are there of SNMP and are there any concerns?

Answer 33

SNMP V.1 and V.2 are insecure due to the risk of community strings used to access devices.

SNMP V. provides integrity, authentication and encryption of the message over the network

Question 34

How should management traffic be tramsitted on a network

Answer 34

Management traffic should be conducted out of band to increase security

Question 35

What is Open files and what does it do?

Answer 35

it is a CMD that allows you to see what files are open on the system, what process is calling the file and the PID of the process

Question 36

What does Netstat -ano do

Answer 36

It shows all connections in established, listening, and closed. It also shows source and destination IP along with the PID

Question 37

What is Auditing in IT

Answer 37

Technical assessment conducted on applications systems, or networks

Question 38

What are some manual auditing items

Answer 38

Reviewing of:
Security logs
ACL
User Rights and Permissions
GPOs
Performing Vulnerability Scans
Written Organizational Policy
Interviewing Personell

Question 39

What are some automatic auditing tools

Answer 39

Windows local group policy editor can be used to establish audit policies based on computer events

You can also use the security tab in NTFS settings to configure file access auditing

Question 40

what is a log

Answer 40

Data file that contains the accounting and audit trail for actions performed by a user on a computer or network.

Question 41

Where are logs located in Linux

Answer 41

/var/log

Question 42

Which windows logs should always be audited and where do you find them

Answer 42

Security, System, and Application logs

Windows event viewer

Question 43

Explain what security, system, and application logs measure

Answer 43

Security Logs - events such as successful and unsuccessful user logons to the syste.

System Logs - logs events such as a system shutdown or driver failures

Application logs - logs events for the OS and third part apps

Question 44

What is the importance of log files? What are some considerations with Log files

Answer 44

They allow for the reconstruction of events once they occur.

What the scope of the audit should be, and how long you should keep them

Question 45

How should log files be stored at rest?

Answer 45

Log files should not be stored on the same device that is generating them.
They should be stored on an external server

Logs should be archived and backed up to ensure availability

Question 46

Wat is a SIEM

Answer 46

Security Information Event Management

A solation that provides real-time or near real-time analysis of security events generated b network hardware and applications.

The main function of a SIEM is log review and event correlation

Question 47

How can SIEMs be implemented

Answer 47

They can be implemented as both software and hardware appliances. SIEMs can also be outsourced managed services

Question 48

What are the first 3 steps to implementing a SIEM

Answer 48

1. Log all relevant events and filter irrelevant data
2. Establish and document scope of events
3. Develop use cases to define a threat

Question 49

What are the last 4 steps to implementing a SIEM

Answer 49

4. Plan incident response for an event
5. Establish a ticketing process to track events
6. Schedule threat hunting
7. Provide evidence trail for analysts and auditors

Question 50

What is splunk

Answer 50

Big data information gathering and analytics tool that can import machine generated data using connector visibility addon. Can be installed locally or cloud based

Question 51

What are some other SIEMS

Answer 51

ArcSight
Qradar - log mgmt - created by IBM
Alien Vault - Owned by ATT AKA ATT cyber security
OSSIM - open source,
GrayLog - focused on Devo Ops and IT Operations