Section 23 - Monitoring Types Flashcards

1
Q

When it comes to monitoring the network, this can be done manually or through automated means. What are three automated methods?

A

Signature Based
Anomaly Based
Behavior Based

2
Q

What is Signature Based monitoring?

A

Network traffic is analyzed for predetermined attack patterns

*** imagine this is like profiling and evaluating characteristics. If you see someone walk through the door who is 5’8” with brown hair then that would be Alex’s signature.

3
Q

What is anomaly based monitoring?

A

A baseline is established and any network traffic that is outside of the baseline is evaluated

*** This is evaluating behaviors: the system is doing something it doesn’t normally do.

4
Q

What is behavior based monitoring?

A

Activity is evaluated based on the previous behavior of the applications, executables, and the OS in comparison to the current activity of the system

5
Q

Oftentimes, in an intrusion detection or intrusion prevention system, we would do what with these monitoring methods?

A

Combine them into a hybrid approach

These methods do not have to be used in isolation

6
Q

What is baselining?

A

Process of measuring changes in networking, hardware, software and applications

*** Doing this allows us to see what is normal and what is abnormal

7
Q

What is baseline reporting?

A

Documenting and reporting on the changes in a baseline

8
Q

What is security posture?

A

Risk level to which a system or other technology element is exposed

*** You will have a baseline for the system that you create as part of your security posture.

9
Q

What is performance baselining?

A

This is focused on the operations and functionality

It is one of the most common types of monitoring

** Ex. how much disk space is being used, how much network bandwidth is being used, etc.

This is important to monitor because if something is being overtaxed, it could be because it has malware, and that behavior could serve as an indicator that is only found by monitoring its performance.

10
Q

What are some different ways you can do performance monitoring?

A
  1. A tool called Performance Monitor - This will show you the amount of processing power, memory and disk space being utilized and allows you to set up reports to compare those in the future
    (perfmon.exe in the command prompt)
  2. Protocol Analyzer
11
Q

What are protocol analyzers?

A

These are used to capture and analyze network traffic

*** Wireshark is an example of a protocol analyzer

12
Q

How are protocol analyzers connected to your network?

A

Promiscuous mode
Non-promiscuous mode

13
Q

What does Promiscuous mode in a protocol analyzer mean?

A

Network adapter is able to capture all of the packets on the network regardless of the destination MAC address of the frames carrying them

** Of the two options, this one captures the most information, but not all network adapters support it, so make sure you have one that does

14
Q

What does non-promiscuous mode in a protocol analyzer mean?

A

Network adapter can only capture the packets addressed directly to itself

15
Q

What is port mirroring?

A

One or more switch ports are configured to forward all of their packets to another port on the switch

** With switches, frames are forwarded to specific ports based on the destination MAC address in the switch’s CAM table. To be able to get all that data, you set up port mirroring.

16
Q

What is a SPAN port?

A

A port that is used to mirror all of the other ports so that the protocol analyzer can see their traffic

This is done using a logical method that replicates the traffic from all of the other ports onto that SPAN port

*** If you cannot configure a SPAN port, then you can use a network tap

17
Q

What is a network tap?

A

A physical device that allows you to intercept the traffic between two points on the network

*** You could put this between the router and the switch at the boundary of the network, which would allow you to see everything that’s coming in and out of the network

18
Q

What does SNMP stand for?

A

Simple Network Management Protocol

19
Q

What is SNMP?

A

A TCP/IP protocol that aids in monitoring network-attached devices and computers

*** This is heavily incorporated into the concept of management and monitoring

20
Q

SNMP is broken down into three components. What are they?

A

Agent
Managed Devices
Network Management Systems

21
Q

What are SNMP managed devices?

A

Computers or other network-attached devices that are monitored through the use of agents by a network management system

22
Q

What are SNMP agents?

A

Software that is loaded on a managed device to redirect information to the network management system

23
Q

What are SNMP Network Management Systems?

A

Also called NMS, this is software run on one or more servers to control the monitoring of network-attached devices and computers

*** This is going to act as our manager, and it’s going to send and receive messages to and from all of our managed devices across the network (your routers, switches and servers)

24
Q

When your SNMP NMS is running, what are the different requests it can make?

A

Set Request - Devices will send information back

Get Request - it wants information

Trap Request - Receiving unsolicited information from managed devices (they just send information as needed or at periodic intervals)

25
Q

From a security standpoint, it’s important to know the different versions of SNMP. They are…?

A

SNMP v1
SNMP v2
SNMP v3

26
Q

SNMP v1 and SNMP v2 are considered insecure because…?

A

They use community strings to access a device

*** The default community strings are public, which is read-only, and private, which allows read and write access to the devices.

27
Q

The only version of SNMP that you should be using is…?

A

SNMP v3

Provides integrity, authentication and encryption of the messages being sent over the network.

*** It will hash the messages being transmitted, validate the source of the message to give you authentication, and it uses DES encryption to provide confidentiality and privacy.

28
Q

When you conduct network management using SNMP, you have two options where the data can be sent. What are these options?

A

In Band Communication

Out of Band Communication

29
Q

What is SNMP In Band Communication?

A

Sending your management data over the same network that’s carrying your corporate information and normal data

*** This is cheaper, easier but also less secure.

30
Q

What is SNMP Out of Band Communication?

A

This is a secondary network where all the management occurs, but you still have that primary in-band network where all of the data that the user is going to get is carried.

31
Q

Management should always be conducted on an In-Band or Out of Band network?

A

Out of Band

This is because it increases security and takes the management function out of the place where users can touch it or see it

32
Q

What is auditing?

A

A technical assessment conducted on applications, systems or networks

*** This is essentially a detective control that looks to make sure everything is being done correctly, and if anything went wrong, we can go back and put together those pieces.

33
Q

What are the two ways that auditing can be conducted?

A

Manually or by using tools

*** Oftentimes these are both used in conjunction

34
Q

What is a big part of auditing?

A

Logs

This is because logs and auditing are tied together very frequently

35
Q

What are logs?

A

Data files that contain the accounting and audit trails for actions performed by a user on the computer or on the network

36
Q

On a Windows system, there are three types of logs you should be familiar with. What are they?

A

Security
System
Application

37
Q

What information would you find in security logs?

A

Logs for events such as successful and unsuccessful user logons to the system

38
Q

What information would you find in system logs?

A

These logs have events such as system shutdown or driver failure

39
Q

What information would you find in application logs?

A

Log events for the OS and third-party applications

40
Q

How do you view the three types of logs on a Windows computer?

A

Using the “Event Viewer” or a syslog server

41
Q

Why would you opt to use a SYSLOG server for viewing logs?

A

This is a much more efficient way to view logs because it allows you to consolidate all of the logs into a single repository that you can read through and use to help correlate events

42
Q

What is a SYSLOG server?

A

A standardized format for computer message logging that allows the separation of the software that generates the message, the system that stores them, and the software that reports and analyzes them.

*** Essentially, you can have different servers around the world and they would send all their log files back to a single logging server (the SYSLOG server). It is a centralized monitoring system.

43
Q

What port does SYSLOG use?

A

514

UDP

44
Q

How do you maintain log files?

A

Perform log file maintenance

45
Q

What is log file maintenance?

A

The actions taken to ensure proper creation and storage of a log file

Such as the proper configuration, saving, backing up, securing and encryption of those log files.

46
Q

What does it mean to overwrite an event?

A

When a maximum log size is reached, the system can begin overwriting the oldest events in the log files to make room

47
Q

What is WORM?

A

Write Once Read Many

Technology like a DVD-R that allows data to be written only once but read unlimited times

48
Q

What does SIEM stand for?

A

Security Information and Event Management systems

49
Q

What is SIEM?

A

Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

One of the best ways this is used is by correlating events. For example, if you see one of your employees has logged in on a VPN in Asia but also just scanned his badge in at work then you can correlate those events to assume there’s a potential security risk through an SIEM.

50
Q

A SIEM can be implemented in many ways. What are those?

A

Software appliances
Hardware appliances
Outsource managed service

51
Q

To effectively deploy an SIEM, what things do you have to consider?

A
  1. You need to be able to log all relevant events and filter out anything that is not relevant
  2. You need to make sure you can establish and document the scope of the events.
  3. You need to develop use cases to define a threat.
  4. You need to plan incident responses before given events occur.
  5. Establish a ticketing process to track the event
  6. Schedule regular threat hunting
  7. Provide auditors and analysts an evidence trail.
52
Q

There are many commercial and open-source solutions available on the market. What are some examples of SIEM products you can use?

A

Splunk
ELK (Elastic Stack)
ArcSight
QRadar
AlienVault
OSSIM
Graylog

53
Q

What does a SYSLOG message contain?

A

PRI Code
Header
Message portion

54
Q

What is SYSLOG PRI code?

A

A priority code that is calculated based on the facility and the severity level of the data

55
Q

What is a SYSLOG header?

A

This will contain the timestamp of the event and the host name

56
Q

What is a SYSLOG message portion?

A

This contains the source process of the event and the related content

** Basically, what happened and what do you want to tell us about it.

57
Q

Originally, SYSLOG did not use any encryption but new implementations do. What port does SYSLOG on TCP use?

A

1468

58
Q

The newer version of SYSLOG is called what?

A

Syslog-ng (SYSLOG Next Generation) or rsyslog

59
Q

How did the new version of SYSLOG upgrade?

A

Moved to TCP for consistent delivery

Moved to TLS for encryption

Uses MD5 and SHA-1 for authentication and integrity

60
Q

SYSLOG is often used to mean three things. What are they?

A
  1. It can refer to the protocol that we send the data over
  2. It can refer to the server as in the SYSLOG server
  3. It can refer to the log entries themselves as in the Syslog data.

*** Depending on the context, people will often say syslog and mean all three or any one of the three

61
Q

What does SOAR stand for?

A

Security Orchestration Automation and Response

62
Q

What is SOAR?

A

This is a class of security tools that helps facilitate incident response, threat hunting, and security configuration by orchestrating and automating runbooks and delivering data enrichment

*** Basically, SIEM version 2.0. It takes a security information and event monitoring system and integrates it with SOAR.

63
Q

What is a playbook?

A

A checklist of actions that you’re going to perform to detect and respond to a specific type of incident

64
Q

What is a runbook?

A

An automated version of a playbook