Section 4 - Security Operations Flashcards

1
Q

What is the continual process used to understand the threat faced by an organization and what organization aids in identifying the different types of issues faced

A

Threat Intelligence

Cybersecurity & Infrastructure Security Agency (CISA) - 16 critical sectors

2
Q

What 3 distinct areas are threat intelligence broken down into

A

Tactical - tactics, techniques and procedures (TTPs) of a threat actor. Used by network and security teams to fortify vulnerability management, alerting, and architectural design

Strategic - big-picture, leadership-level intelligence associated with reports that identify the motivations, capabilities, and intentions of various threat actors

Operational - logs and SIEM platforms, used to identify current attacks and IOCs. Used by security and forensic analysts and incident responders.

3
Q

Describe the differences between Threat and Adversary Emulation

A

Threat emulation describes emulating known TTPs to mimic the actions of a threat in a realistic way without emulating a specific threat actor, which is where adversary emulation comes into play.

4
Q

What is an assessment technique that utilizes insights gained from threat intelligence to proactively discover IOCs within the environment using an "assume breach" mindset?

A

Threat Hunting - led by senior staff and very time consuming.

Uses advisories and bulletins
Uses intelligence fusion and threat data:

  • Intelligence Feeds
  • Deep Web
  • OSINT
  • Human Intelligence (HUMINT)

5
Q

Name the Threat Actor Groups

A

Script Kiddies
Insider Threats - employee or contractor; intentional or unintentional
Competitor - corporate espionage
Organized Crime - for commercial gain
Hacktivists -
Nation-State - both military and commercial goals - APT

6
Q

Which Threat Management Framework is focused on the relationship between tactics and techniques

A

MITRE ATT&CK

also documents group behavior profiles of various well-known adversarial groups to show the techniques of each group.

There is a MITRE ATT&CK for ICS

7
Q

What Threat Management framework focuses on events and describes them in terms of four core and interrelated base features

A

Diamond Model of Intrusion Analysis

  1. Adversary
  2. Capability
  3. Infrastructure
  4. Victim

Visualized as a diamond whose edges show the meta-features that connect each of them.

8
Q

What is the threat management framework developed by Lockheed Martin that describes the steps/actions an adversary must complete in order to achieve their goals.

A

Cyber Kill Chain - 7 Steps
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Action on objectives

9
Q

Name some key elements of Vulnerability Management

A

With or without credentials
Agent vs agentless
Active vs passive (NetFlow)
Criticality ranking
Invariably identifies patching requirements

10
Q

Name some Vulnerability Information Sources

A

Advisories - typically software vendor
Bulletins - newsletters and reports
ISACs - Information Sharing and Analysis Centers - non-profit agencies
News Reports

11
Q

What describes a suite of interoperable specifications designed to standardize the formatting and naming conventions used to identify and report on the presence of software flaws such as misconfiguration and/or vulnerabilities

A

Security Content Automation Protocol

12
Q

Name the SCAP Languages

A

Open Vulnerability and Assessment Language (OVAL) - describes 3 main aspects of an evaluated system.

Asset Reporting Format (ARF) - helps to correlate report formats with asset information independently of any specific application or vendor, for consistency

Extensible Configuration Checklist Description Format (XCCDF) - written in XML and provides a consistent and standardized way to define benchmark information as well as the configuration and security checks to be performed.

13
Q

Name the 3 SCAP Identification schemes

A

Common Platform Enumeration (CPE) - standardized naming format for systems and software

Common Vulnerabilities and Exposures (CVE) - unique identifier describing publicly known vulnerabilities

Common Configuration Enumeration (CCE) - similar to CVE but focused on configuration issues which may result in a vulnerability

14
Q

How is SCAP scored for levels of severity and what are those levels

A

Common Vulnerability Scoring System (CVSS)
0.0 - None
0.1-3.9 - Low
4.0-6.9 - Medium
7.0-8.9 - High
9.0-10.0 - Critical

15
Q

What is the difference between a Protocol Analyzer and a Network Traffic Analyzer?

A

A network traffic analyzer is built to aid in the analysis of data captured by a sensor, while a protocol analyzer such as Wireshark is used to create PCAP files for further analysis

16
Q

What is a common HTTP Interceptor or Proxy

A

BurpSuite and BeEF

17
Q

What does a SCAP Scanner perform?

A

Uses SCAP to compare a target computer's software configuration and patch levels against predetermined settings contained in an SCAP content baseline.

SCAP scanners also use DoD STIGs as a baseline

18
Q

Name the deceptive technologies that can be used to help better identify threats and facilitate research and analysis of the techniques in a safe environment

A

Decoy Files - honeytokens and/or canary traps.
Honeypot - mimics a genuine system
Honeynet - several honeypots
Simulators - such as SSH, mail, telnet, etc.
Dynamic Network Configuration - allows for SDN and the flexibility to be re-deployed.

19
Q

What advanced service can Security Data Analytics feed into

A

User and Entity Behavior Analytics (UEBA)

20
Q

What is the monitoring of data focused on DBMS

A

Database Activity Monitoring (DAM)
A requirement of SOX 404

21
Q

What is the type of attack based on a race condition, where the gap between the time a resource is checked and the time it is used allows an attacker to achieve unauthorized outcomes

A

Time of check vs time of use (TOCTOU)

22
Q

What is the Linux utility for software deployment, application virtualization, and package management?

23
Q

What are some techniques that can protect against buffer overflow attacks

A

Patching
Secure coding
Address Space Layout Randomization (ASLR) - memory locations of components are randomized
Data Execution Protection (DEP) - allows an OS to mark areas of memory that contain executable code and areas that do not, and to prevent execution from the latter

24
Q

Name some common Web Application vulnerabilities

A

Broken Authentication
Insecure References - for example, changing a Customer ID in a request
Weak Ciphers and Cipher Suites
Improper Headers
Certificate Errors

25
Q

What describes the process by which software can be analyzed for open-source components

A

Software Composition Analysis

Best performed using automation such as the OWASP Dependency-Check tool and, in more depth, the Dependency-Track tool.

26
Q

What is the popular data exchange based on web technologies

A

JSON/REST API

SOAP - where REST is an architectural style, SOAP is a protocol for communicating over HTTP using XML

27
Q

What is the difference between Browser Extensions and Browser Plugins and what technology has replaced plugins

A

Extensions can be added to a web browser to expand its functionality or add features not present by default. Plugins are applications installed in a way that lets them be called or executed; Flash, Java, etc. are examples of plugins.

Plugins have been replaced by HTML5 and Asynchronous JavaScript and XML (AJAX)

28
Q

What type of attack allows an attacker to access OS files that run the web application

A

Directory or File Traversal

URL-encoded forms: %2E is "." and %2F is "/"

29
Q

What attack is similar to directory traversal and manipulates file paths to control how a web application operates

A

Cross Site Scripting (XSS)

Reflected - bounces off the web site when a link is clicked
Stored - inserts malicious code into the web application

30
Q

Type of attack that causes a victim to unintentionally carry out an action on a website.

A

Cross-Site Request Forgery (CSRF)

31
Q

What type of attack uses SQL language in place of a username

A

Authentication Bypass

Protection is input validation

32
Q

What is the attack where the threat actor is able to execute shell commands on a host via a vulnerable web application

A

Command Injection

OS APIs should be used instead of command shells

33
Q

What is the attack where an adversary can insert code into an existing process to evade detection and gain access privileges equivalent to the exploited process

A

Process Injection

MITRE ATT&CK ID T1055

34
Q

Name some common infrastructure attacks and mitigations

A

Sandbox escape
VM hopping and escape
VLAN hopping - spoofing and double tagging - disable dynamic trunking and change the default VLAN ID
BGP route hijacking

35
Q

What is the difference between packet and protocol capture and NetFlow

A

A flow collector is a means of recording metadata and statistics about network traffic rather than capturing each frame. Developed by Cisco and redeveloped as IP Flow Information Export (IPFIX)

36
Q

What tools and classification systems can be used with antivirus protection

A

VirusTotal
YARA rules

37
Q

Describe False/True Negative/Positive

A

False Negative - a case that is not identified
False Positive - a case that is reported but should not be
True Positive - a case reported when it should be
True Negative - not reported, and it should not be. Informational only

38
Q

What are the actions and guidelines for dealing with security events, and what are the specific actions to take in response to emergency scenarios

A

Incident Response Plans (IRP)
Incident response playbooks

39
Q

Describe the differences between Cryptanalysis and Steganalysis

A

Cryptanalysis is the art and science of cracking cryptographic schemes, while steganalysis attempts to identify messages and/or media which have been hidden in cover files

40
Q

What is the tool for inspecting firmware images

A

Binwalk -

41
Q

What is a tool for performing memory analysis

A

Volatility

42
Q

What tool can be used to identify interactions between processes and the Linux kernel

A

strace

43
Q

Which command line utility is designed to display real-time information about system memory, running processes, interrupts, paging and I/O stats

A

vmstat