Techniques Employed in Security Assessments Flashcards

1
Q

What is Threat hunting?

A

Threat hunting is an assessment technique that utilizes insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system.

Intelligence fusion
Threat feeds
Advisories and bulletins
Maneuver

2
Q

What is Intelligence fusion?

A

In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.
An organization with a security information and event management (SIEM) and threat analytics platform can apply intelligence fusion techniques. The analytics platform is kept up to date with a TTP and IoC threat data feed. Analysts can develop queries and filters to correlate threat data against on-premises data from network traffic and logs. This process may also be partially or wholly automated using AI-assisted analysis and correlation.

3
Q

What are Threat feeds?

A

An ongoing stream of data related to potential or current threats to an organization’s security.

4
Q

What are Advisories and bulletins?

A

Threat hunting is a labor-intensive activity and so needs to be performed with clear goals and resources. Threat hunting usually proceeds according to some hypothesis of a possible threat. Security bulletins and advisories from vendors and security researchers about new TTPs and/or vulnerabilities may be the trigger for establishing a threat hunt. For example, if threat intelligence reveals that Windows desktops in many companies are being infected with a new type of malware that is not being blocked by any current malware definitions, you might initiate the following threat-hunting plan to detect whether the malware is also infecting your systems.

5
Q

What is Maneuver?

A

When investigating a suspected live threat, you must remember the adversarial nature of hacking. A capable threat actor is likely to have anticipated the likelihood of threat hunting and attempted to deploy countermeasures to frustrate detection. For example, the attacker may trigger a DDoS attack to divert the security team’s attention, and then attempt to accelerate plans to achieve actions on objectives. Maneuver is a military doctrine term relating to obtaining positional advantage.

6
Q

What are Vulnerability scans?

A

Hardware or software configured with a list of known weaknesses and exploits that can scan for their presence in a host OS or a particular application.

7
Q

What are False positives?

A

A false positive is something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not.

8
Q

What are False negatives?

A

False negatives are potential vulnerabilities that are not identified in a scan. This risk can be mitigated somewhat by running repeat scans periodically and by using scanners from more than one vendor.

9
Q

What are Log reviews?

A

Reviewing related system and network logs can enhance the vulnerability report validation process. As an example, assume that your vulnerability scanner identified a running process on a Windows machine. According to the scanner, the application that creates this process is known to be unstable, causing the operating system to lock up and crash other processes and services. When you search the computer’s event logs, you notice several entries over the past couple of weeks indicating that the process has failed. Additional entries show that a few other processes fail right after. In this instance, you’ve used a relevant data source to help confirm that the vulnerability alert is, in fact, valid.

10
Q

What is Credentialed vs. non-credentialed?

A

A credentialed scan is given a user account with logon rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also shows what an insider attack, or one where the attacker has compromised a user account, may be able to achieve. A credentialed scan is a more intrusive type of scan than non-credentialed scanning.

A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the OS or application. The view obtained is the one that the host exposes to an unprivileged user on the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access.

11
Q

What is Intrusive vs. non-intrusive?

A

Non-intrusive: an enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.

Active scanning means probing the device’s configuration using some sort of network connection with the target. Active scanning consumes more network bandwidth and runs the risk of crashing the target of the scan or causing some other sort of outage. Agent-based scanning is also an active technique.

The most intrusive type of vulnerability scanner does not stop at detecting a vulnerability. Exploitation frameworks contain default scripts to try to use a vulnerability to run code or otherwise gain access to the system. This type of highly intrusive testing is more typical of penetration testing than automated vulnerability scanning.

12
Q

What is an Application Vulnerability scanner?

A

A dedicated application scanner is configured with more detailed and specific scripts to test for known attacks, as well as scanning for missing patches and weak configurations.

13
Q

What is a Web application Vulnerability scanner?

A

Web application scanners look for known web exploits, such as SQL injection and cross-site scripting (XSS), and may also analyze source code and database security to detect insecure programming practices. Other types of application scanner would be optimized for a particular class of software, such as a database server.

14
Q

What is a Network Vulnerability scanner?

A

Network vulnerability scanners are configured with information about known vulnerabilities and configuration weaknesses for typical network hosts. These scanners will be able to test common operating systems, desktop applications, and some server applications. This is useful for general-purpose scanning, but some types of applications might need more rigorous analysis.

15
Q

What are Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS)?

A

CVE: a scheme for identifying vulnerabilities, developed by MITRE and adopted by NIST. It is a dictionary of vulnerabilities in published operating systems and application software (cve.mitre.org). There are several elements that make up a vulnerability’s entry in the CVE.

CVSS: a risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.

16
Q

What is Configuration review?

A

Reviewing a system’s configuration for settings that compromise security or for failures to update.

17
Q

What is Syslog/Security information and event management (SIEM)?

A

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

Review Reports
Packet Capture
Data inputs
User behavior analysis
Sentiment analysis
Security monitoring
Log aggregation
Log collectors
18
Q

What are Review reports?

A

The SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IoC). This correlation can then be used to drive an alerting system. These reports would be viewed from the SIEM dashboard.

19
Q

What is Packet capture?

A

Data captured from network sensors/sniffers plus netflow sources provides both summary statistics about bandwidth and protocol usage and the opportunity for detailed frame analysis.

20
Q

What are Data inputs?

A

The data fed into the SIEM from its multiple sources.

21
Q

What is User behavior analysis?

A

A user and entity behavior analytics (UEBA) solution supports identification of malicious behaviors from comparison to a baseline. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and to embedded hardware, such as Internet of Things (IoT) devices. The complexity of determining baselines and reducing false positives means that UEBA solutions are heavily dependent on AI and machine learning.

22
Q

What is Sentiment analysis?

A

Devising an AI/ML algorithm that can describe or classify the intention expressed in natural language statements.

23
Q

What is Security monitoring?

A

Security assessments and incident response both require real-time monitoring of host and network status indicators plus audit information.

24
Q

What is Log aggregation?

A

As distinct from collection, aggregation refers to normalizing data from different sources so that it is consistent and searchable. SIEM software features connectors or plug-ins to interpret (or parse) data from distinct types of systems and to account for differences between vendor implementations. Usually parsing will be carried out using regular expressions tailored to each log file format to identify attributes and content that can be mapped to standard fields in the SIEM’s reporting and analysis tools. Another important function is to normalize date/time zone differences to a single timeline.

25
Q

What are Log collectors?

A

The first task for SIEM is to collect data inputs from multiple sources. There are three main types of log collection:

Agent-based—with this approach, you must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage.
Listener/collector—rather than installing an agent, hosts can be configured to push updates to the SIEM server using a protocol such as syslog or SNMP. A process runs on the management server to parse and normalize each log/monitoring source.
Syslog (tools.ietf.org/html/rfc3164) allows for centralized collection of events from multiple sources. It also provides an open format for event logging messages, and as such has become a de facto standard for logging of events from distributed systems. For example, syslog messages can be generated by Cisco routers and switches, as well as servers and workstations.

Sensor—as well as log data, the SIEM might collect packet captures and traffic flow data from sniffers.

26
Q

What is Security orchestration, automation, and response (SOAR)?

A

SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.