Security Incident Creation and Threat Intelligence Flashcards

1
Q

Who is responsible for the alert rules used to automatically generate security incidents?

A

Security Admin

2
Q

What application is activated with Security Incident Response Event Management Support plugin?

A

Event Management -

This allows the Security Incident Response System to receive security events from integrated third-party alert monitoring tools, such as Splunk, and to use the imported data to create security incidents

3
Q

How are Security Incidents created from Events and Alerts?

A

Events imported from alert monitoring tools are first processed by Event Management and grouped into Alerts.

4
Q

What are the 5 categories in Guided Setup Assistant for Security Incident Response?

A
  1. System Administration
  2. Security Incident Response Administration
  3. Security Incident Email Settings
  4. Security Incident Playbook Settings
  5. Capability Configuration (Workflow Actions, sighting search, email block and delete)
5
Q

What are the steps in the Incident Response Lifecycle?

A

Preparation

Detection and Analysis

Containment, Eradication and Recovery

Post Incident Activity

6
Q

What role is key in the Analysis stage of Security Incident Response?

A

sn_si.analyst

7
Q

What does the Detection and Analysis stage of SIR consist of?

A

Detection originates from tools such as Firewalls, Intrusion Detection Systems, logs of emails and web gateways, but could also be raised through manual means.

Analysis is mainly a manual process (security analysts working the incident) but can also be partly automated to perform some number-crunching and enrichment prior to manual decisions.

8
Q

What are the 5 setup categories in the SIR Setup Assistant, and what roles are required?

A

5 setup categories:
1. System Administration
2. Security Incident Response Administration
3. Security Incident Email Settings
4. Security Incident Playbook Settings
5. Capability Configurations (workflow actions, sighting search, email block and delete)

Roles: Admin and Security Incident Administrator [sn_si_admin]

9
Q

Requests raised through the Security Incident Catalog are all handled by what, which drives the resulting actions?

A

Record Producers

10
Q

Adding new items to the Security Incident Catalog requires which role?

A

sn_si.admin

11
Q

Users will inevitably report security issues through Incident. An agent can then escalate the incident to a Security Incident by using which button on the Incident form?

A

Create Security Incident

Agents who escalate to a Security Incident may not be able to see information on the Security Incident because of the confidentiality policy.

12
Q

What is the definition of Threat Intelligence?

A

The process of collecting valuable or critical information in order to act on or respond to an event.

13
Q

Threat Intelligence consists of ________, ________, and _________.

A

Threats, threat actors, and TTPs (Tactics, Techniques, and Procedures)

14
Q

What are the stages of the Threat Intelligence Lifecycle?

A

Aggregate, Contextualize, Prioritize, Utilize, and Learn

15
Q

What are TTPs (Tactics, Techniques, and Procedures)?

A

Patterns of activities or methods associated with a specific threat actor or group of threat actors

Analysis of TTPs aids counterintelligence and security operations by describing how threat actors perform attacks.

16
Q

What is Structured Threat Information Expression (STIX)?

A

A structured format for the description of threat data.

17
Q

What is Trusted Automated Exchange of Intelligence Information (CybOX)?

A

A common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity.

18
Q

What is a Threat Actor?

A

A person, group, or entity that creates all or part of an incident with the aim of impacting an organization's security.

19
Q

What are Observables?

A

Observables are the first actionable items in threat intelligence and give you clues regarding the targets and motivation of the attacker.

Stateful properties such as:

  • Observed MD5 hashes
  • Observed IP addresses
  • Observed DNS names
  • Observed email addresses
20
Q

What are Indicators of Compromise (IoCs)?

A

Indicators of Compromise (IoCs) are anything that allows you to detect an attack or breach:

  • A log entry
  • A change in status or some form of a modification
  • File integrity differences
  • An alert from a tool

An Indicator of Compromise (IOC) is often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally, this information is gathered to create “smarter” tools that can detect and quarantine suspicious files in the future.
Source: https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/ioa-vs-ioc/

21
Q

What are Sighting Searches?

A

Sightings are observations of potentially malicious activity:

  • Interesting events that have yet to be analyzed
  • Logins in the middle of the night
  • Heavy network or CPU activity
  • Additional software appearing out of nowhere

Sighting searches run against deployed detection tools; examples are Splunk Radar and LogRhythm.

22
Q

What is a Security Case?

A

A Security Case is a collection of records that aid in building an argument for identifying and dealing with particular threats.

23
Q

What are some examples of where Security Cases can be created from within an instance?

A

Security Case Management
Security Incident Response
Threat Intelligence

Also from Configuration Items and affected users, in the Configuration Items and Users tables.

24
Q

What are the main sections of a Security Case?

A

A header section
A section with additional case details
A case artifacts section containing a collection of records that aid in building an argument for identifying and dealing with particular threats

25
Q

What is the prefix for a Security Case?

A

SECC

26
Q

What does MITRE - ATT&CK stand for?

A

MITRE created ATT&CK, which stands for:

Adversarial Tactics, Techniques & Common Knowledge

27
Q

What is the MITRE ATT&CK Framework?

A

A knowledge base of cyberattack tactics and techniques used as a foundation for the development of specific threat models and methodologies.

28
Q

Enterprise ATT&CK has how many Tactics and Techniques defined?

A

Enterprise ATT&CK has 14 Tactics defined and 500 Techniques defined.

29
Q

What do Enterprise ATT&CK Tactics and Techniques represent?

A

Tactics represent the "why" of an ATT&CK technique.

A Technique represents "how" an adversary achieves a tactical objective by performing an action.

30
Q

What problem does the MITRE ATT&CK and ServiceNow integration solve?

A

Even when customers try to coordinate SOAR and MITRE ATT&CK, they struggle to get beyond a simple data repository or ad hoc indicator lookup.

ServiceNow's integration with MITRE ATT&CK addresses this issue.

31
Q

The MITRE ATT&CK integration populates ServiceNow tables in the Threat Intelligence application.

In which tables are ATT&CK Tactics and Techniques stored?

A

Tactics are stored in the table Kill Chain Phase [sn_ti_stix2_kill_chain_phase].

Techniques are stored in the table Attack Pattern [sn_ti_stix2_attack_pattern].

32
Q

MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:

Which persona benefits from enriching their analysis of events and alerts, informing their investigations, and determining the best actions to take depending on relevance and sightings within their environment?

A

Analysts

33
Q

MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:

Which persona benefits from the MITRE ATT&CK dashboards to get a view of the data source coverage and the tactics and techniques used against the organization?

A

CISO

34
Q

MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:

Which persona benefits from correlating and performing link analysis on observables, security incidents, and MITRE ATT&CK related information, and then using the heat map and filters to display the information?

A

Threat Hunters

35
Q

Which MITRE ATT&CK major component visually represents the structure of a STIX object and its relationships?

A

STIX Visualizer

36
Q

Which MITRE ATT&CK major component is a chart that displays aggregate data visually, using colors to represent different values?

A

Heatmap

37
Q

What are the MITRE ATT&CK configuration steps in ServiceNow?

A

The first step is to set up the Integration TAXII profiles.

The remaining steps are in no specific order:

  • Review and update the Properties
  • Review and update the Extraction rules
  • Review and update the Detection rules
  • Review and update the info on the Data Source Mapping
  • Review and update the coverage Definitions and Mapping
38
Q

What role allows navigation of the MITRE features that are common to SIR and TI support?

A

sn_ti.mitre_analyst

39
Q

What system properties need to be reviewed and updated for MITRE ATT&CK integration?

A

sn_ti_rollup_mitre_att&ck_technique_observable_si / default value true

sn_ti_rollup_mitre_att&ck_technique_threat_lookup_si / default value true

sn_ti.enable_category_mapping_with_alert_rule / default value false