Sound the Alarm: Detection and Response Flashcards
Computer Security Incident Response Team (CSIRT)
A specialized group of security professionals that are trained in incident management and response.
Documentation
Any form of recorded content that is used for a specific purpose.
Endpoint Detection and Response (EDR)
An application that monitors an endpoint for malicious activity.
Event
An observable occurrence on a network, system, or device.
False negative
A state where the presence of a threat is not detected.
False positive
An alert that incorrectly detects the presence of a threat.
Incident
An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system.
Incident handler’s journal
A form of documentation used in incident response.
Incident response plan
A document that outlines the procedures to take in each step of incident response.
NIST Incident Response Lifecycle
A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident activity.
Security Operations Center (SOC)
An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks.
Security Orchestration, Automation, and Response (SOAR)
A collection of applications, tools, and workflows that uses automation to respond to security events.
True negative
A state where there is no detection of malicious activity.
True positive
An alert that correctly detects the presence of an attack.
Command
An objective of CSIRT. Refers to having the appropriate leadership and direction to oversee the response.
Control
An objective of CSIRT. Refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.
Communication
An objective of CSIRT. Refers to the ability to keep stakeholders informed.
Security analyst, Technical lead, and Incident coordinator
What are the three key security related roles under CSIRT?
Security analyst
This job title’s role is to continuously monitor an environment for any security threats.
Forensic investigator
This job title is commonly L2s and L3s (under CSIRT) who collect, preserve, and analyze digital evidence related to security incidents to determine what happened.
Threat hunter
This job title is typically L3s (under CSIRT) who work to detect, analyze, and defend against new and advanced cybersecurity threats using threat intelligence.
Endpoint
Any device connected on a network.
Log analysis
The process of examining logs to identify events of interest.
Command and control (C2)
The techniques used by malicious actors to maintain communications with compromised systems.
C2 is crucial in managing compromised devices during a cyber attack.
Command-line interface (CLI)
A text-based user interface that uses commands to interact with the computer.
CLI is often preferred for scripting and automation tasks.
Data exfiltration
Unauthorized transmission of data from a system.
Data exfiltration can lead to data breaches and loss of sensitive information.
Indicators of compromise (IoC)
Observable evidence that suggests signs of a potential security incident.
IoCs can include unusual network traffic, changes in file integrity, etc.
Network data
The data that’s transmitted between devices on a network.
Network data encompasses all forms of digital communication over a network.
Network traffic
The amount of data that moves across a network.
Network traffic can be measured in terms of bandwidth usage.
Network Interface Card (NIC)
Hardware that connects computers to a network.
NICs can be wired or wireless.
Packet capture (p-cap)
A file containing data packets intercepted from an interface or network.
P-cap files are often used for analysis in tools like Wireshark.
tcpdump
A command-line network protocol analyzer.
tcpdump is commonly used for capturing and analyzing network packets.
Wireshark
A GUI network protocol analyzer.
Wireshark provides a graphical interface for packet analysis.
Command and control
What does C2 stand for?
Indicators of compromise
What does IoC stand for?
Network Interface Card
What does NIC stand for?
Packet capture
What does p-cap stand for?
Network operations center (NOC)
An organizational unit that monitors the performance of a network and responds to any network disruption, such as a network outage.
Network operations center
What does NOC stand for?
Data packet
A basic unit of information that travels from one device to another within a network.
Version
An IPv4 field. This field indicates the IP version. For an IPv4 header, IPv4 is used.
Internet Header Length (IHL) field
An IPv4 field. This field specifies the length of the IPv4 header including any Options.
Type of Service (ToS)
An IPv4 field. This field provides information about packet priority for delivery.
Total Length
An IPv4 field. This field specifies the total length of the entire IP packet including the header and the data.
Identification field
An IPv4 field. Packets that are too large to send are fragmented into smaller pieces. This field specifies a unique identifier for fragments of an original IP packet so that they can be reassembled once they reach their destination.
Flags
An IPv4 field. This field provides information about packet fragmentation including whether the original packet has been fragmented and if there are more fragments in transit.
Fragment Offset
An IPv4 field. This field is used to identify the correct sequence of fragments.
Time to Live (TTL)
An IPv4 field. This field limits how long a packet can be circulated in a network, preventing packets from being forwarded by routers indefinitely.
Protocol
An IPv4 field. This field specifies the protocol used for the data portion of the packet.
Header Checksum
An IPv4 field. This field specifies a checksum value which is used for error-checking the header.
Source Address
An IPv4 field. This field specifies the source address of the sender.
Destination Address
An IPv4 field. This field specifies the destination address of the receiver.
Options field
An IPv4 field. This field is optional and can be used to apply security options to a packet.
Traffic Class
An IPv6 field. This field is similar to the IPv4 Type of Service field. The Traffic Class field provides information about the packet’s priority or class to help with packet delivery.
Version
An IPv6 field. This field indicates the IP version. For an IPv6 header, IPv6 is used.
Flow Label
An IPv6 field. This field identifies the packets of a flow. A flow is the sequence of packets sent from a specific source.
Payload Length
An IPv6 field. This field specifies the length of the data portion of the packet.
Next Header
An IPv6 field. This field indicates the type of header that follows the IPv6 header such as TCP.
Hop Limit
An IPv6 field. This field is similar to the IPv4 Time to Live field. The Hop Limit limits how long a packet can travel in a network before being discarded.
Source Address
An IPv6 field. This field specifies the source address of the sender.
Destination Address
An IPv6 field. This field specifies the destination address of the receiver.
Analysis
The investigation and validation of alerts.
Broken chain of custody
Inconsistencies in the collection and logging of evidence in the chain of custody.
Business continuity plan (BCP)
A document that outlines the procedures to sustain business operations during and after a significant disruption.
Chain of custody
The process of documenting evidence possession and control during an incident lifecycle.
Containment
The act of limiting and preventing additional damage caused by an incident.
Crowdsourcing
The practice of gathering information using public input and collaboration.
Detection
The prompt discovery of security events.
Eradication
The complete removal of the incident elements from all affected systems.
Honeypot
A system or resource created as a decoy, deliberately vulnerable to attacks, with the purpose of attracting potential intruders.
Final report
Documentation that provides a comprehensive review of an incident.
Indicators of attack (IoA)
The series of observed events that indicate a real-time incident.
Lessons learned meeting
A meeting that includes all involved parties after a major incident.
Open-source intelligence (OSINT)
The collection and analysis of information from publicly available sources to generate usable intelligence.
Post-incident activity
The process of reviewing an incident to identify areas for improvement during incident handling.
Recovery
The process of returning affected systems back to normal operations.
Resilience
The ability to prepare for, respond to, and recover from disruptions.
Standards
References that inform how to set policies.
Threat hunting
The proactive search for threats on a network.
Threat intelligence
Evidence-based threat information that provides context about existing or emerging threats.
Triage
The prioritizing of incidents according to their level of importance or urgency.
VirusTotal
A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content.
What does BCP stand for?
Business continuity plan
What does IoA stand for?
Indicators of attack
What does OSINT stand for?
Open-source intelligence
What are three common public or private threat intelligence sources?
Industry reports, Government advisories, and threat data feeds.
What are different types of indicators of compromise (IoCs) found in the Pyramid of Pain?
Hash values, IP addresses, Domain names, Network artifacts, Host artifacts, Tools, and Tactics, techniques, and procedures (TTPs).
What are three types of recovery sites used for site resilience?
Hot sites, Warm sites, and Cold sites
What does TTP stand for?
Tools, and Tactics, techniques, and procedures
Hash values
An IoC. They correspond to known malicious files. These are often used to provide unique references to specific samples of malware or to files involved in an intrusion.
Domain names
An IoC. A web address such as www.google.com.
IP addresses
An IoC. An internet protocol address like 192.168.1.1.
Network artifacts
An IoC. Observable evidence created by malicious actors on a network. For example, information found in network protocols such as User-Agent strings.
Host artifacts
An IoC. Observable evidence created by malicious actors on a host. A host is any device that’s connected on a network. For example, the name of a file created by malware.
Tools
An IoC. Software that’s used by a malicious actor to achieve their goal. For example, attackers can use password cracking tools like John the Ripper to perform password attacks to gain access into an account.
Tactics, techniques, and procedures (TTPs)
An IoC. This is the behavior of a malicious actor. Tactics refer to the high-level overview of the behavior. Techniques provide detailed descriptions of the behavior relating to the tactic. Procedures are highly detailed descriptions of the technique. TTPs are the hardest to detect.
Anomaly-based analysis
A detection method that identifies abnormal behavior.
Used in various security applications to detect potential threats.
Array
A data type that stores data in a comma-separated ordered list.
Commonly used in programming for organizing data.
Common Event Format (CEF)
A log format that uses key-value pairs to structure data and identify fields and their corresponding values.
Facilitates interoperability among security products.
Configuration file
A file used to configure the settings of an application.
Essential for customizing application behavior.
Endpoint
Any device connected on a network.
Includes computers, mobile devices, and IoT devices.
Endpoint Detection and Response (EDR)
An application that monitors an endpoint for malicious activity.
Helps in detecting, investigating, and responding to threats.
Host-based Intrusion Detection System (HIDS)
An application that monitors the activity of the host on which it’s installed.
Focuses on detecting malicious activity on individual machines.
Key-value pair
A set of data that represents two linked items: a key, and its corresponding value.
Fundamental in data organization and storage.
Log Management
The process of collecting, storing, analyzing, and disposing of log data.
Involves ensuring logs are available for analysis and compliance.
Logging
The recording of events occurring on computer systems and networks.
Essential for monitoring and security.
Network-based Intrusion Detection System (NIDS)
An application that collects and monitors network traffic and network data.
Focuses on detecting threats across the entire network.
Object
A data type that stores data in a comma-separated list of key-value pairs.
Commonly used in software development.
Search Processing Language (SPL)
Splunk’s query language.
Used for searching and analyzing data within Splunk.
Signature
A pattern that is associated with malicious activity.
Used in detection methods to identify threats.
Signature analysis
A detection method used to find events of interest.
Relies on known patterns to detect threats.
Suricata
An open-source intrusion detection system, intrusion prevention system, and network analysis tool.
Widely used for network security monitoring.
Telemetry
The collection and transmission of data for analysis.
Important in various fields, including IT and security.
YARA-L
A computer language used to create rules for searching through ingested log data.
Facilitates identification of specific patterns in logs.
What does CEF stand for?
Common Event Format
What does EDR stand for?
Endpoint detection and response
What does HIDS stand for?
Host-based intrusion detection system
What does SPL stand for?
Search Processing Language
What does NIDS stand for?
Network-based intrusion detection system
What types of logs are there?
Network, System, Application, Security, and Authentication.
Network
A type of log. These logs are generated by network devices like firewalls, routers, or switches.
System
A type of log. These logs are generated by operating systems like Chrome OS™, Windows, Linux, or macOS®.
Application
A type of log. These logs are generated by software applications, such as a smartphone app, and contain information relating to the events occurring within the application.
Security
A type of log. These logs are generated by various devices or systems such as antivirus software and intrusion detection systems. Security logs contain security-related information such as file deletion.
Authentication
A type of log. These logs are generated whenever authentication occurs, such as a successful login attempt to a computer.