Section 4 - Security Operations Flashcards
What is the continual process used to understand the threats faced by an organization, and what organization aids in identifying the different types of issues faced?
Threat Intelligence
Cybersecurity & Infrastructure Security Agency (CISA) - 16 critical sectors
What 3 distinct areas is threat intelligence broken down into?
Tactical - tactics, techniques and procedures of a threat actor (TTPs). Used by network and security teams to strengthen vulnerability management, alerting, and architectural design
Strategic - big-picture view for leadership, associated with reports that identify the motivations, capabilities, and intentions of various threat actors
Operational - logs, SIEM platforms; used to identify current attacks and IOCs. Used by security and forensic analysts and incident responders.
Describe the differences between Threat and Adversary Emulation
Threat emulation describes emulating known TTPs to mimic the actions of a threat in a realistic way without emulating a specific threat actor; emulating a specific threat actor is where adversary emulation comes into play.
What is an assessment technique that utilizes insights gained from threat intelligence to proactively discover IOCs within the environment using an "assume breach" mindset?
Threat Hunting - led by senior staff and very time consuming.
Uses advisories and bulletins
Uses intelligence fusion and threat data:
- Intelligence Feeds
- Deep Web
- OSINT
- Human Intelligence (HUMINT)
Name the Threat Actor Groups
Script Kiddies
Insider Threats - employee or contractor; intentional or unintentional
Competitor - corporate espionage
Organized Crime - for commercial gain
Hacktivists
Nation-State - both military and commercial goals - APT
Which Threat Management Framework is focused on the relationship between tactics and techniques?
MITRE ATT&CK
Also documents group behavior profiles of various well-known adversarial groups to show the techniques used by each group.
There is a MITRE ATT&CK for ICS
What Threat Management framework focuses on events and describes them in terms of four core and interrelated base features?
Diamond Model of Intrusion Analysis
- Adversary
- Capability
- Infrastructure
- Victim
Visualized as a diamond whose edges show the meta-features that connect each of the four features.
What is the threat management framework developed by Lockheed Martin that describes the steps/actions an adversary must complete in order to achieve their goals?
Cyber Kill Chain - 7 Steps
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Action on objectives
Name some key elements of Vulnerability Management
With or without credentials
Agent vs Agentless
Active vs Passive (NetFlow)
Criticality Ranking
Invariably identifies patching requirements
Name some Vulnerability Information Sources
Advisories - typically software vendor
Bulletins - newsletters and reports
ISACs - Information Sharing and Analysis Centers - non-profit agencies
News Reports
What describes a suite of interoperable specifications designed to standardize the formatting and naming conventions used to identify and report on the presence of software flaws such as misconfigurations and/or vulnerabilities?
Security Content Automation Protocol
Name the SCAP Languages
Open Vulnerability and Assessment Language (OVAL) - describes 3 main aspects of an evaluated system.
Asset Reporting Format (ARF) helps to correlate formats to asset information independently from any specific application or vendor for consistency
Extensible Configuration Checklist Description Format (XCCDF) - written in XML and provides a consistent and standardized way to define benchmark information as well as the configuration and security checks to be performed.
Name the 3 SCAP Identification schemes
Common Platform Enumeration (CPE) - standardized naming format for systems and software
Common Vulnerabilities and Exposures (CVE) - unique identifier to describe publicly known vulnerabilities
Common Configuration Enumeration (CCE) - similar to CVE but focused on configuration issues which may result in a vulnerability
Which SCAP component scores severity, and what are its levels?
Common Vulnerability Scoring System (CVSS)
0 - None
0.1-3.9 - Low
4.0-6.9 - Medium
7.0-8.9 - High
9.0-10.0 - Critical
What is the difference between a Protocol Analyzer and a Network Traffic Analyzer?
A network traffic analyzer is built to aid in the analysis of data captured by a sensor, while a protocol analyzer such as Wireshark creates PCAP files for further analysis.
What is a common HTTP Interceptor or Proxy?
Burp Suite and BeEF
What does a SCAP Scanner perform?
Uses SCAP to compare a target computer/software configuration and patch levels against predetermined settings contained in SCAP content baseline.
SCAP scanners also use DoD STIGs as a baseline
Name the deceptive technologies that can be used to help better identify threats and facilitate research and analysis of attacker techniques in a safe environment
Decoy Files - honeytokens and/or canary traps.
Honeypot - mimics genuine system
Honeynet - several honeypots
Simulators - such as ssh, mail, telnet, etc.
Dynamic Network Configuration - allows for SDN and the flexibility to be re-deployed.
What advanced service can Security Data Analytics feed into?
User and Entity Behavior Analytics (UEBA)
What is the monitoring of data focused on the DBMS?
Database Activity Monitoring (DAM)
A requirement of SOX 404
What is the type of attack based on a race condition between the time a resource is checked and the time it is used, allowing an attacker to achieve unauthorized outcomes?
Time-of-check to time-of-use (TOCTOU)
What is the Linux utility for software deployment, application virtualization, and package management?
Flatpak
What are some techniques that can protect against buffer overflow attacks?
Patching
Secure coding
Address Space Layout Randomization (ASLR) - memory locations of components are randomized
Data Execution Prevention (DEP) - allows an OS to distinguish areas of memory that contain executable code from areas that do not, and prevents execution from the latter
Name some common Web Application vulnerabilities
Broken Authentication
Insecure References - changing a customer ID in a request, for example
Weak Ciphers and Cipher Suites
Improper Headers
Certificate Errors
What describes the process by which software can be analyzed for open-source components?
Software Composition Analysis
Best performed using automation such as the OWASP Dependency-Check tool and, in more depth, the Dependency-Track tool.
What is the popular data exchange approach based on web technologies?
JSON/REST API
SOAP - where REST is an architectural style, SOAP is a protocol to communicate over HTTP using XML
What is the difference between Browser Extensions and Browser Plugins, and what technology has replaced plugins?
Extensions can be added to a web browser to expand its functionality or add features not present by default. Plugins are applications installed in a way that allows the browser to call or execute them; Flash, Java, etc. are examples of plugins.
HTML5 and Asynchronous JavaScript and XML (AJAX)
What type of attack allows an attacker to access OS files on the server that runs the web application?
Directory or File Traversal
URL-encoded forms: %2E encodes "." and %2F encodes "/"
What attack is similar to directory traversal and manipulates file paths to control how a web application operates?
Cross Site Scripting (XSS)
Reflected - bounces off the web site when a link is clicked
Stored - inserts malicious code into the web application itself
Type of attack that causes a victim to unintentionally carry out an action on a website?
Cross-Site Request Forgery (CSRF)
What type of attack uses SQL language in place of a username?
Authentication Bypass
Protection is input validation
What is the attack where the threat actor is able to execute shell commands on a host via a vulnerable web application?
Command Injection
OS APIs should be used instead of command shells
What is the attack where an adversary can insert code into an existing process to evade detection and gain access privileges equivalent to the exploited process?
Process Injection
MITRE ATT&CK ID T1055
Name some common infrastructure attacks and mitigations
Sandbox escape
VM Hopping and Escape
VLAN Hopping - spoofing and double tagging - disable dynamic trunking and change default VLAN ID
BGP Route Hijacking
What is the difference between packet and protocol capture and NetFlow?
A flow collector is a means of recording metadata and statistics about network traffic rather than capturing each frame.
Developed by Cisco and later standardized as IP Flow Information Export (IPFIX)
What tools and classification systems can be used with antivirus protection?
VirusTotal
YARA rules
Describe False/True Negative/Positive
False Negative - a case that is not identified
False Positive - case that is reported that should not be
True Positive - case reported when it should be
True Negative - not reported and it should not be. Informational only
What sets out the actions and guidelines for dealing with security events, and what gives the specific actions to take in response to emergency scenarios?
Incident Response Plans (IRP)
Incident response playbooks
Describe the differences between Cryptanalysis and Steganalysis
Cryptanalysis is the art and science of cracking cryptographic schemes, while steganalysis attempts to identify messages and/or media which have been hidden in cover files
What is the tool for inspecting firmware images?
Binwalk
What is a tool for performing memory analysis?
Volatility
What tool can be used to identify interactions between processes and the Linux kernel?
strace
Which command-line utility is designed to display real-time information about system memory, running processes, interrupts, paging and I/O stats?
vmstat