Week 3 Flashcards
What is the assumption behind SOIM?
The assumption is that we can’t, or won’t, fully protect our cyber environment
What is the MAPE-K model for cybersecurity?
Monitor, Analyse, Plan, Execute - Knowledge
What could be described as an architecture for adaptive systems?
MAPE-K
It is like an event-driven loop
What are the three workflows of SOIM?
-IDPS
-SIEM
-SOAR
What is CTI?
Cyber Threat Intelligence: Detailed knowledge of threats against an organisation
What is ISAC?
Information Sharing and Analysis Centers: Organisations that gather data on security threats
Why is it so crucial to maintain an internal knowledge base?
To be able to cross-reference events with known intelligence
What is an example of an open, commercial database of cybersecurity intelligence?
MITRE ATT&CK
Why are honeypots important to SOIM?
We can learn both about hacker techniques and about who the hackers are
What are examples of CTI that should be shared?
Signatures for different platforms, Snort rule sets, YARA signature exchange, Indicators of Compromise (IoC)
What official European body can help increase our situational awareness of current cyber threats?
ENISA
Incident response is roughly divided into two tasks:
-Establishing capabilities
-Incident handling
Who should be part of a Computer Security Incident Response Team (CSIRT)?
Technical staff, legal, public relations, HR
Which five things should be part of the incident response plan?
-Incident classification
-Response list
-Resources available
-Communication plan (who to talk to and when)
-Contingency plan (prioritisation)
What types of resources need to be easily available during an incident response?
-Backup internet connection
-Backup recovery plan
-Empty removable storage
-Backup power
-Backup laptops with correct tools
-Evidence gathering gear
What is investigated during the analysis part of MAPE-K?
The nature of the incident and the damage caused
What are examples of tasks that can be done to mitigate damage?
-Cutting the network
-Applying security patches
-Reinstalling machines
-Shutting down services
Why is communication an important part of incident response?
Legal and compliance reasons as well as maintaining trust
What is an important activity to do after an incident?
Measure the performance of the incident handling to learn from it
Where might we source the data from the monitoring phase of MAPE-K?
IDPS, Firewalls, Clients, Servers, other network equipment
What is a rule-based system often used during the monitoring phase of MAPE-K?
Snort
What are the four modes of Snort?
-Sniffer
-Packet logger
-IDPS
-PCAP Investigation
What is an example of a system that aggregates log data from different sources during the monitoring phase?
SIEM (Security Information and Event Management)
What is a tool that can be used during the analysing phase to make sense of the data that has been gathered?
ELK
What are the two broad methods for data analysis?
-Misuse detection
-Anomaly detection
What is misuse detection dependent on?
DEFINITIONS of harmful code/behaviour/traffic
What are the benefits and drawbacks of misuse detection?
Cheap and easy to implement, but it has difficulty identifying new events
What does anomaly detection rely on?
MODELS, often statistical, that define normal behaviour
Which method of data analysis gives events a score that reflects how normal they are?
Anomaly detection - it uses a threshold that, when reached, triggers an alarm
What is a false positive alarm?
An alert is raised for a benign event
What is a true negative alarm?
An alert is not raised for a benign event
Which phase in addition to the analysing phase is covered by the SIEM?
The planning phase
What is Logstash?
A log aggregator that collects logs from various sources
Which tool is a combination of four technologies?
ELK: Elasticsearch, Kibana, Beats
What is Elasticsearch?
A search engine
What is the name of the visualisation layer for Elasticsearch which makes it possible to create dashboards?
Kibana
What is Beats?
Agents that collect data from hosts and forward it to Elasticsearch
What is an alternative tool to ELK?
Splunk
What are examples of automating the execution phase of MAPE-K?
-IDPS block rules
-Firewall filters
-Malware quarantine
What are playbooks used for?
To help manage incidents efficiently
What is developed to provide a guide for how to manage a certain type of incident?
A playbook
What are some types of information that should be included in a playbook?
-Roles to be involved
-Tools to use
-Steps to take