Writing Assignment: Module 06 Flashcards
From the perspective of incident response, what is an event?
Any observable system or network occurrence.
What is an incident candidate?
A potential incident or ambiguously identified attack that could be an actual attack.
What is the cyber kill chain?
1.Reconnaissance
2.Intrusion
3.Exploitation
4.Privilege Escalation
5.Lateral Movement
6.Obfuscation / Anti-forensics
7.Denial of Service
8.Exfiltration
In the TCP/IP protocol, what is a port?
A port is a number used to uniquely identify a transaction over a network by specifying both the host and the service.
Port numbers range from 0 to 65535.
Well known ports are 0-1023,
Registered ports are 1024-49151
Dynamic ports or Private ports are from 49152-65535
What are the three broad categories of incident indicators?
Possible, probable and definite.
What are the four categories of events that are considered possible indicators of actual incidents?
- Presence of unfamiliar files
Unfamiliar or unexplained files in illogical locations - Presence or execution of unknown programs or processes
Unfamiliar programs running, or processes executing - Unusual consumption of computing resources
Memory or hard disk consumption spikes and falls - Unusual system crashes
System crashing, hanging, rebooting, or freezing more frequently than usual
What are the four types of events that are considered probable indicators of actual incidents?
- Activities at unexpected times
Network traffic levels exceed baseline levels - Presence of unexpected new accounts
Periodic review indicates unfamiliar accounts
Unlogged new account with root or special privileges - Reported attacks
Verify user technical sophistication - Notification from IDPS
Must determine if notification real or a false positive
What are the five types of events that are considered definite indicators of actual incidents?
- Use of dormant accounts
- Changes to logs
- Presence of hacker tools
- Notifications by partner or peer
- Notification by hacker
The occurrences of what general types of events indicate that an actual incident is occurring?
-loss of availability
-loss of integrity
-loss of confidentiality
-violation of policy
-violation of law
What is a false positive?
a test result which incorrectly indicates that a particular condition or attribute is present.
What is noise? Is noise different from a false positive event?
Noise: legitimate activities wrongly reported
-Activate feedback process to prevent flagging
-Inherent in the nature of best-tuned systems
What are the general causes of noise?
Sensor placement; policy; lack of awareness
What is tuning?
Tuning is a combination of reducing false positives, working with alerts, and correlating events and trends to ensure greater accuracy. Each of these helps the analyst by refining alerts being looked into.
What is a false negative?
normal user detected as a new user
What is a computer process?
is a set of instructions, A set of memory, A list of allocated, A list of attributes, and A table that identifies the current context of the various parts.
