Section 4 Flashcards
What does HMM stand for?
Hunting Maturity Model
What are the 5 levels in the HMM model?
HM0 (least proactive), HM1, HM2, HM3, HM4 (most proactive)
What is happening at HM0 level?
Only collecting IDS alerts; as such, it is a reactive model.
What is happening at HM1 level?
Collecting IDS alerts but also collecting logs from other systems.
What is happening at HM2 level?
Mostly perform active, rather than reactive, hunt operations at this level.
Collecting large amounts of data.
Incorporate external sources into their own hunt operations.
What is happening at HM3 level?
Do not rely on external sources.
Usually push such information out instead.
Using machine learning to see beyond the alert.
What is happening at HM4 level?
Highest level.
Automate much of the tactical-level analysis.
Scripts or programs can be written based on intelligence and hunt procedures.
What is the Threat Hunting Cycle?
Hypothesis
Investigation
Uncover
Inform and enrich
What happens in the Hypothesis stage of the Threat Hunting Cycle?
The who, what, where and how; are there vulnerable systems?
What happens in the Investigation stage of the Threat Hunting Cycle?
Checking security system logs
Querying datasets
Use of machine learning to help find malicious code
What happens in the Uncover stage of the Threat Hunting Cycle?
Identify IOCs (indicators of compromise) and TTPs (tactics, techniques and procedures).
What happens in the Inform and enrich stage of the Threat Hunting Cycle?
Lessons learnt
Support documentation of previous steps
What is the Hot Threat Dashboard?
It is used by SOCs to investigate the top 15 vulnerabilities in the network.
Must have a CVSS score of 7.0 or higher to make it onto the top threat dashboard.
After 30 days, old vulnerabilities are moved off the list and into the database.
What is TLP?
Traffic Light Protocol
In the Traffic Light Protocol, what are the different levels?
Red
Amber
Green
White
What can be disclosed at TLP Red level?
Not for disclosure, restricted to participants only
What can be disclosed at TLP Amber level?
Limited disclosure, restricted to participants' organizations only.
What can be disclosed at TLP Green level?
Limited disclosure, restricted to the community
What can be disclosed at TLP White level?
Disclosure not limited
What is an injection attack?
A SQL injection attack is when an attacker adds SQL statements to an online form in the hope that they will retrieve secure information, add to or delete from the database, or crash the database. Validating user input before passing it to the database can stop this attack.
What is broken authentication & session management?
An attacker takes advantage of a failure to properly expire sessions and to tie a session to an individual.
What is Cross-site scripting (XSS) attack?
Poor input validation that allows an attacker to run malicious code in a user's browser, which might display a message or steal a user's cookies.
What is insecure direct object reference attack?
An attacker changes the ID in a web address from the current user to a different user and retrieves that user's information. This shows a lack of authentication.
What is security misconfiguration attack?
An attacker takes advantage of improper configurations of any part of the application stack, including web servers, databases, or application code.