Security Incident Creation and Threat Intelligence

Question 1

Who is responsible for the alert rules used to automatically generate security incidents?

Answer 1

Security Admin

Question 2

What application is activated with Security Incident Response Event Management Support plugin?

Answer 2

Event Management -

This allows the Security Incident Response System to receive security events from integrated third-party alert monitoring tools, such as Splunk, and to use the imported data to create security incidents

Question 3

How are Security Incidents created from Events and Alerts?

Answer 3

Events are imported from alert monitoring tools, they are first processed by Event Management and grouped into Alerts.

Question 4

What are the 5 categories in Guided Setup Assistant for Security Incident Response?

Answer 4

1. System Administration
2. Security Incident Response Administration
3. Security Incident Email Settings
4. Security Incident Playbook Settings
5. Capability Configuration (Workflow Actions, sighting search, email block and delete)

Question 5

what are the steps in Incident Response Lifecycle?

Answer 5

Preparation

Detection and Analysis

Containment, Eradication and Recovery

Post Incident Activity

Question 6

What role is key in Analysis stage of Security Incident Response?

Answer 6

sn_si.analyst

Question 7

Detection and Analysis stage of SIR consists of?

Answer 7

Detection originates from tools such as Firewalls, Intrusion Detection Systems, logs of emails and web gateways, but could also be raised through manual means.

Analysis is mainly a Manual process (security analysts working the incident) but could also be automated to perform some number-crunching and enrichment prior to manual decisions.

Question 8

what are the 5 setup categories in SIR Setup Assistant and what roles are required?

Answer 8

5 setup categories
1. System Administration
2. Security Incident Response Adminstration
3. Security Incident Email Settings
4. Security Incident Playbook Settings
5. Capability Configurations (workflow actions, sighting search, email block and delete)
roles Admin and Security Incident Administrator [sn_si_admin]

Question 9

Requests raised through Security Incident Catalog are all handled by what that drives actions?

Answer 9

Record Producers

Question 10

Adding new items to the Security Incident Catalog requires what role?

Answer 10

sn_si.admin

Question 11

Users will inevitably report security issues with Incident. A gent then could raise the incident to a Security Incident by using what button on the Incident form?

Answer 11

Create Security Incident

Agent that escalate to a Security Incident may not see information on the Security Incident due to Confidentiality policy.

Question 12

What is Threat Intelligence? Definition

Answer 12

Process of collecting valuable or critical information to act or respond to an event

Question 13

Threat Intelligence Consists of ________, ________, and _________

Answer 13

Threats, threat actors, and TTPS (Techniques, Tactics, and Procedures)

Question 14

What are the Threat Intelligence Lifecycle?

Answer 14

Aggregate, Contextualize, Prioritize, Utilize, and Learn

Question 15

What are TTPs (Tactics, Techniques, and Procedures)

Answer 15

Patterns of activities or methods associated with a specific threat actor or group of threat actors

Analysis of TTPs aids in counterintelligence and security operations by describing how threat actors perform attacks

Question 16

What is Structured Threat Information Express (STIX)

Answer 16

A structure format for the description of threat data

Question 17

what is Trusted Automated Exchange of Intelligence information (CybOX)?

Answer 17

Common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity

Question 18

What is a Threat Actor?

Answer 18

a person, group or entity that creates all or part of an incident with the aim to impact an organizations security.

Question 19

What are Observables?

Answer 19

Observables are the first actionable items in threat intelligence and give you clues regarding the targets and motivation of the attacker

Stateful properties such as:

• Observed MD5 hashes
• Observed IP addresses
• Observed DNS names
• Observed email addresses

Question 20

what are Indicators of Compromise (IoCs)?

Answer 20

Indicators of Compromise (LoCs) are anything that allows you to detect an attack or breach:

• Log entry
• change in status or some form of a modification
• file integrity differences
• an alert from a tool

An Indicator of Compromise (IOC) is often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally, this information is gathered to create “smarter” tools that can detect and quarantine suspicious files in the future.
source from “https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/ioa-vs-ioc/”

Question 21

What are Sighting Searches?

Answer 21

Sightings are observations of Potentially malicious activity

• Interesting events that have yet to be analyzed
• Logins in the middle of the night
• Heavy network or CPU activity
• Additional software appearing out of nowhere

Sighting Searches agains deployed detection tools are Splunk Radar and LogRhythm

Question 22

What are security Case?

Answer 22

Security Case is a collection of records that aid in building an argument for identifying and dealing with particular threats

Question 23

What are some examples of Security Cases can be created from an Instance?

Answer 23

Security Case Management
Security Incident Response
Threat Intelligence

also, Configuration Items and affected users in the Configuration Items and Users tables.

Question 24

What are the main sections of a Security Case?

Answer 24

A header Section
a section with additional case details
a case artifacts section containing a collection of records that aid in building an argument for identifying and dealing with particular threats

Question 25

What is the prefix for a Security Case?

Answer 25

SECC

Question 26

What does MITRE - ATT&CK stand for?

Answer 26

MITRE created ATT&CK which stands for

Adversarial Tactics
Techniques
&
Common Knowledge

Question 27

What is MITRE ATT&CK Framework?

Answer 27

knowledge base of cyberattack tactics and techniques used as a foundation for the development of specific threat models and methodologies.

Question 28

Enterprise ATT&CK has how many Tactics and Techniques defined?

Answer 28

Enterprise ATT&CK has 14 Tactics defined and 500 Techniques defined

Question 29

What doe Enterprise ATT&CK Tactics and Techniques represent?

Answer 29

Tactics represent the why of an ATT&CK technique

Technique represents how an adversary achieves a tactical objective by performing an action

Question 30

What problem does MITRE ATT&CK and ServiceNow solve?

Answer 30

Even when customers try and coordinate SOAR and MITRE ATT&CK they struggle to get beyond a simple data repository or ad hoc indicator look up

SN’s integration with MITRE ATT&CK addresses this issue

Question 31

MITRE ATT&CK integration populates ServiceNow tables in the Threat Intelligence Application

What tables are ATT&CK Tactics and Techniques are stored?

Answer 31

Tactics is stored in table Kill Chain Phase [sn_ti_stix2_kill_chain_phase]

Techniques is stored in table Attack Pattern [sn_ti_stix2_attack_pattern]

Question 32

MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:

Which persona benefits enriching their Analysis of events and alerts, inform their investigations and determine the bees actions to take depending on relevance and sightings within their environment?

Answer 32

Analysts

Question 33

MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:

Which persona benefits the MITRE ATT&CK dashboards to get a view of the data source coverage, tactics and techniques used in the organization?

Answer 33

CISO

Question 34

MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:

Which persona benefits from correlating and performing link analysis on observables, security incidents, and MITRE ATT&CK related information and then use the heat map and filters to display the information?

Answer 34

Threat Hunters

Question 35

MIRTE ATT&CK major component that visually represents the structure of the STIX object and its relationship?

Answer 35

STIX Visualizer

Question 36

MIRTE ATT&CK major component that charts display aggregate data visually using colors to represent different values?

Answer 36

Heatmap

Question 37

What are the MITRE ATT&CK configuration in ServiceNow?

Answer 37

First is to setup the Integration TAXII profiles

Remaining steps are in no specific order

• Review and update the Properties
• Review and update the Extraction rules
• Review and update the Detection rules
• Review and update the info on the Data Source Mapping
• Review and update the coverage Definitions and Mapping

Question 38

What role allows navigation for the MITRE features between SIR and TI support common?

Answer 38

sn_ti.mitre_analyst

Question 39

What system properties need to be reviewed and updated for MITRE ATT&CK integration?

Answer 39

sn_ti_rollup_mitre_att&ck_technique_observable_si / default value true

sn_ti_rollup_mitre_att&ck_technique_threat_lookup_si / default value true

sn_ti.enable_category_mapping_with_alert_rule / default value false