Section 4 Flashcards
What does HMM stand for?
Hunting Maturity Model
What are the 5 levels in the HMM model?
HM0 (Least Proactive), HM1, HM2, HM3, HM4 (Most Proactive)
What is happening at HM0 level?
Only collecting IDS alerts and, as such, it is a reactive model.
What is happening at HM1 level?
Collecting IDS alerts but also collecting logs from other systems.
What is happening at HM2 level?
Mostly perform active, rather than reactive, hunt operations at this level.
Collecting large amounts of data.
Incorporate external sources into their own hunt operations.
What is happening at HM3 level?
Do not rely on external sources; usually push such information out instead.
Using machine learning to see beyond the alert.
What is happening at HM4 level?
Highest level.
Automate much of the tactical-level analysis.
Scripts or programs can be written that are based on intelligence and hunt procedures.
What is the Threat Hunting Cycle?
Hypothesis
Investigation
Uncover
Inform and enrich
What happens in the Hypothesis stage of the Threat Hunting Cycle?
The who, what, where and how; are there vulnerable systems?
What happens in the Investigation stage of the Threat Hunting Cycle?
Checking security system logs
Querying datasets
Use of machine learning to help find malicious code
What happens in the Uncover stage of the Threat Hunting Cycle?
Identify IOCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures).
What happens in the Inform and enrich stage of the Threat Hunting Cycle?
Lessons learnt
Support documentation of previous steps
What is the Hot Threat Dashboard?
It is used by SOCs to investigate the top 15 vulnerabilities in the network.
Must have a CVSS score of 7.0 or higher to make it onto the top threat dashboard.
After 30 days, old vulnerabilities are moved off the list and into the database.
What is TLP?
Traffic Light Protocol
In the Traffic Light Protocol, what are the different levels?
Red
Amber
Green
White