Security Operations Part I Flashcards
TPM
Trusted Platform Module:
- built into motherboard
- stores encryption keys locally (some keys)
- supports BitLocker, Secure Boot
- Keys never leave the chip
- not scalable
- used on 1 device
HSM
Hardware Security Module:
- Used in data centers, clouds
- stores millions of encryption keys
- scalable
- used in banks, enterprises
UEFI
Unified Extensible Firmware Interface:
+ replacement for BIOS
+ faster boot times
+ supports Secure Boot
+ required for BitLocker with Secure Boot
Secure Boot
*UEFI feature
* allows only trusted software to run during startup
* verifies bootloaders and drivers using digital signatures
* blocks rootkits, bootkits (malware)
* cryptographic keys (PK, KEK, db, dbx)
*works with TPM for Measured Boot & Attestation
Whitelisting✔️
Only approved apps can run ✔️
Blacklisting❌
blocks untrusted apps ❌
Application hardening🤷
removing unnecessary features, code, access so attackers have less things to target. 🤷
Antimalware🦠
Antivirus 2.0
basic protection, blocks known threats🦠
EDR 🦠
Endpoint Detection and Response:
Advanced security that detects, responds, analyzes, even if the threat is unknown 🦠
Network segmentation
Isolate critical systems with VLANs, firewalls, DMZs
NAC
Network Access Control
Network gatekeeper :)
= checks device identity and security posture✅
= allows or blocks access✅
Degaussing 💿
data destruction method to wipe magnetic storage (HDDs, tapes) 💿
- does not work on SSDs
Asset inventory 💻🖥️
(what it does?)
Tracks all assets in a company. Hardware & Software, people. 💻🖥️
CMDB 🧑🤝🧑
Configuration Management Database:
Tracks configurations, owners, relationships between devices, dependencies, change history, etc. 🧑🤝🧑
Assets (?)
Everything valuable to company that needs protection:
- IT devices
- data
- cloud services (VMs)
- people
- certificates, keys
CVSS
Common Vulnerability Scoring System (0-10)
+ scores how severe a vulnerability is
+ 9-10 is critical
+ helps prioritize patching
0.1-3.9 - low
4.0-6.9 - medium
7.0-8.9 - high
9.0-10.0 - critical
Remediation
You found the vulnerability, now eliminate it :))
Compensating controls, Mitigation
buy time or limit damage because you can't fix the issue directly
penetration test
simulating a real-world cyberattack (hiring ethical hackers to attack your own company)
WAF
Web Application Firewall
Endpoints
user devices connected to the network (laptop, phone, printer)
SIEM 🧠
Security Information and Event Management:
- Central Brain 🧠
- stores, collects, analyzes logs from everywhere (firewalls, endpoints, servers)
* sends alerts - “Log centralization” + detection + analysis + alerting
EDR 💻
Can isolate infected devices and roll back damage
Endpoint Detection and Response: 💻
- “Endpoint Bodyguard”
Watches endpoints (laptops, desktops, servers) for malware and sus activity
NDR 🌐
Network Detection and Response: 🌐
@ Network Watchtower
@ Watches the network for threats and lateral movement
@ east-west network traffic surveillance
HIDS/HIPS 🕵️
Host-Based/Network-Based Intrusion Detection/Prevention Systems: 🕵️
| OLD but useful for known threats
| “Classic Detectives”
| HIDS monitors files, logs on a SINGLE device
| NIDS analyzes network traffic in real time
SOAR🤖
Security Orchestration, Automation and Response: 🤖
~ “The Automation Hero”
~automates responses across multiple tools
~ isolating endpoints, sending alerts
~SIEM detects, SOAR acts ‼️
UEBA 🧍
User and Entity Behavior Analytics:🧍
🧷 “Sus user behavior”
🧷 “who's acting weird???”
🧷 Uses AI/ML to find behaviour anomalies - user logging in at 3 am
Automation
Individual tasks performed by a system without human interaction, so humans can focus on other things.
🧷 blocks IP after 5 failed login attempts
🧷 removes human error, improves efficiency
Orchestration ⭐
Coordinating multiple automated tasks across different systems into a unified workflow ⭐
⭐ Focus on hard, multi-step problems from start to finish
⭐ Malware is detected → system isolates the host → forensics tool collects evidence → alert sent to SOC team → IR ticket created
⭐ SOAR = Automation + Orchestration + Response
⭐ chain of actions, workflow
IR steps (6 steps) 📢
Incident Response steps:
- Preparation
- Detection and Analysis
- Containment
- Eradication
- Recovery
- Lessons Learned (Post-Incident Activity)
- Preparation 🥒
🥒 Be ready. Before the attack occurs
🥒 Develop IR team (IRT or CSIRT)
🥒 communication protocols
🥒 security tools - SIEM, IDS/IPS, EDR
🥒 Create IRP (IR plan)
🥒logging and monitoring
- Detection and Analysis 🪐
🪐Recognize and confirm the incident ❗
🪐SIEM alerts, IDS/IPS logs, Antivirus, user reports, monitoring dashboards
🪐 validate the incident (false positive or real incident)
🪐 determine the scope of it
🪐document it
🪐 Categorize severity (low or high)
🪐start the incident ticket
- Containment 🔒
🔒 stop the SPREAD ❗
🔒isolate infected devices
🔒 block malicious IPs
🔒 disable compromised accounts
🔒 take systems offline
- Eradication ☠️
☠️ELIMINATE the threat completely ❗
☠️remove malware
☠️ patch systems
☠️remove backdoors
☠️ reimage systems
- Recovery 🎗️
🎗️ bring systems back to safety❗
🎗️ clean backups
🎗️ monitor for re-infection
- Lessons Learned 👩🏿‍🏫
👩🏿‍🏫 Post-Incident review and documentation❗
👩🏿‍🏫 Incident report
👩🏿‍🏫 Update IRP
Forensics (what's that?)
Identifying, collecting, analyzing evidence post incident (attack)
Key Goals of Forensic Investigation 🔑
- identify 🔑
- preserve ( the integrity of the evidence)
- analyze (the data to find the root cause)
- report ( findings in a legally defensible manner)
Chain of Custody ⛓️
⛓️ Detailed log of who handled the evidence, when and what they did, to prove it wasn’t tampered with - so it can be legally valid in court.
⛓️💥 who touched the evidence
⛓️💥 when and where
⛓️💥 why it was accessed
⛓️💥 how it was secured
DNS logs🫧 (what it shows?)
🫧 sus domain lookups
🫧identify connections to malicious domains
Firewall logs 🔥 (what it shows?)
🔥blocked/allowed traffic, ports, IPs
🔥detect port scanning
IDS/IPS logs🚒 (what it shows?)
🚒 detected attacks or anomalies
🚒 detected SQL injection or buffer overflow
NetFlow/sFlow data🛜 (what it shows?)
🛜 metadata about traffic (IP pairs, ports, bytes)
🛜 who talked to whom on the network
🛜 how much data was transferred
Application logs 🤳🏿 (what it shows?)
🤳🏿app specific behavior
🤳🏿help debug software
🤳🏿catch errors
🤳🏿 track app misuse
SIEM logs 📶 (what it shows?)
📶 correlate all logs for broader context
📶 aggregates logs
📶 supports automated responses
📶 correlates events
System logs (Event logs)⌨️
(what it shows?)
⌨️ login attempts
⌨️ logouts
⌨️ policy changes
⌨️ system crashes
EDR logs 🖥️ (what it shows?)
🖥️ malware infections
🖥️ransomware
🖥️ endpoint threats
System Performance Logs 👺
(what it shows?)
👺 detect DDoS
👺hardware-related performance issues