Security Incident Creation and Threat Intelligence Flashcards
Who is responsible for the alert rules used to automatically generate security incidents?
Security Admin
What application is activated with the Security Incident Response Event Management Support plugin?
Event Management
This allows the Security Incident Response system to receive security events from integrated third-party alert monitoring tools, such as Splunk, and to use the imported data to create security incidents.
How are Security Incidents created from Events and Alerts?
Events imported from alert monitoring tools are first processed by Event Management and grouped into Alerts.
What are the 5 categories in Guided Setup Assistant for Security Incident Response?
- System Administration
- Security Incident Response Administration
- Security Incident Email Settings
- Security Incident Playbook Settings
- Capability Configuration (Workflow Actions, sighting search, email block and delete)
What are the steps in the Incident Response Lifecycle?
Preparation
Detection and Analysis
Containment, Eradication and Recovery
Post Incident Activity
What role is key in the Analysis stage of Security Incident Response?
sn_si.analyst
What does the Detection and Analysis stage of SIR consist of?
Detection originates from tools such as firewalls, intrusion detection systems, and the logs of email and web gateways, but could also be raised through manual means.
Analysis is mainly a manual process (security analysts working the incident) but could also be automated to perform some number-crunching and enrichment prior to manual decisions.
What are the 5 setup categories in the SIR Setup Assistant, and what roles are required?
5 setup categories:
1. System Administration
2. Security Incident Response Administration
3. Security Incident Email Settings
4. Security Incident Playbook Settings
5. Capability Configurations (workflow actions, sighting search, email block and delete)
Roles: Admin and Security Incident Administrator [sn_si_admin]
What handles requests raised through the Security Incident Catalog and drives the resulting actions?
Record Producers
Adding new items to the Security Incident Catalog requires what role?
sn_si.admin
Users will inevitably report security issues through Incident. An agent can then escalate the incident to a Security Incident by using what button on the Incident form?
Create Security Incident
Agents who escalate to a Security Incident may not see information on the Security Incident due to the confidentiality policy.
What is Threat Intelligence? (Definition)
The process of collecting valuable or critical information in order to act on or respond to an event.
Threat Intelligence Consists of ________, ________, and _________
Threats, threat actors, and TTPs (Tactics, Techniques, and Procedures)
What are the stages of the Threat Intelligence Lifecycle?
Aggregate, Contextualize, Prioritize, Utilize, and Learn
What are TTPs (Tactics, Techniques, and Procedures)?
Patterns of activities or methods associated with a specific threat actor or group of threat actors
Analysis of TTPs aids in counterintelligence and security operations by describing how threat actors perform attacks
What is Structured Threat Information Expression (STIX)?
A structured format for the description of threat data.
What is Trusted Automated Exchange of Intelligence information (CybOX)?
Common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity
What is a Threat Actor?
A person, group, or entity that creates all or part of an incident with the aim of impacting an organization's security.
What are Observables?
Observables are the first actionable items in threat intelligence and give you clues regarding the targets and motivation of the attacker
Stateful properties such as:
- Observed MD5 hashes
- Observed IP addresses
- Observed DNS names
- Observed email addresses
What are Indicators of Compromise (IoCs)?
Indicators of Compromise (IoCs) are anything that allows you to detect an attack or breach:
- A log entry
- A change in status or some other form of modification
- File integrity differences
- An alert from a tool
An Indicator of Compromise (IOC) is often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally, this information is gathered to create “smarter” tools that can detect and quarantine suspicious files in the future.
Source: https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/ioa-vs-ioc/
What are Sighting Searches?
Sightings are observations of potentially malicious activity:
- Interesting events that have yet to be analyzed
- Logins in the middle of the night
- Heavy network or CPU activity
- Additional software appearing out of nowhere
Sighting Searches run against deployed detection tools such as Splunk Radar and LogRhythm.
What is a Security Case?
A Security Case is a collection of records that aid in building an argument for identifying and dealing with particular threats.
From where in an instance can Security Cases be created? Some examples:
Security Case Management
Security Incident Response
Threat Intelligence
Also from Configuration Items and affected users in the Configuration Items and Users tables.
What are the main sections of a Security Case?
A header section
A section with additional case details
A case artifacts section containing a collection of records that aid in building an argument for identifying and dealing with particular threats
What is the prefix for a Security Case?
SECC
What does MITRE - ATT&CK stand for?
MITRE created ATT&CK, which stands for Adversarial Tactics, Techniques & Common Knowledge.
What is the MITRE ATT&CK Framework?
A knowledge base of cyberattack tactics and techniques used as a foundation for the development of specific threat models and methodologies.
Enterprise ATT&CK has how many Tactics and Techniques defined?
Enterprise ATT&CK has 14 Tactics and 500 Techniques defined.
What do Enterprise ATT&CK Tactics and Techniques represent?
Tactics represent the "why" of an ATT&CK technique.
Techniques represent "how" an adversary achieves a tactical objective by performing an action.
What problem do MITRE ATT&CK and ServiceNow solve together?
Even when customers try to coordinate SOAR and MITRE ATT&CK, they struggle to get beyond a simple data repository or ad hoc indicator lookup.
ServiceNow's integration with MITRE ATT&CK addresses this issue.
The MITRE ATT&CK integration populates ServiceNow tables in the Threat Intelligence application.
In what tables are ATT&CK Tactics and Techniques stored?
Tactics are stored in the Kill Chain Phase table [sn_ti_stix2_kill_chain_phase]
Techniques are stored in the Attack Pattern table [sn_ti_stix2_attack_pattern]
MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:
Which persona benefits from enriching their analysis of events and alerts, informing their investigations, and determining the best actions to take depending on relevance and sightings within their environment?
Analysts
MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:
Which persona benefits from the MITRE ATT&CK dashboards to get a view of the data source coverage and the tactics and techniques used against the organization?
CISO
MITRE ATT&CK ServiceNow functionality was developed for multiple levels within the organization:
Which persona benefits from correlating and performing link analysis on observables, security incidents, and MITRE ATT&CK related information, and then using the heat map and filters to display the information?
Threat Hunters
Which MITRE ATT&CK major component visually represents the structure of a STIX object and its relationships?
STIX Visualizer
Which MITRE ATT&CK major component charts aggregate data visually, using colors to represent different values?
Heatmap
What are the MITRE ATT&CK configuration steps in ServiceNow?
First, set up the Integration TAXII profiles.
The remaining steps are in no specific order:
- Review and update the Properties
- Review and update the Extraction rules
- Review and update the Detection rules
- Review and update the info on the Data Source Mapping
- Review and update the coverage Definitions and Mapping
What role allows navigation to the MITRE features common to both SIR and TI support?
sn_ti.mitre_analyst
What system properties need to be reviewed and updated for the MITRE ATT&CK integration?
- sn_ti_rollup_mitre_att&ck_technique_observable_si (default value: true)
- sn_ti_rollup_mitre_att&ck_technique_threat_lookup_si (default value: true)
- sn_ti.enable_category_mapping_with_alert_rule (default value: false)