Cybersecurity Operations
Probabilistic analysis
Estimates the potential success of an exploit by estimating the likelihood that, once one step in an exploit has been completed successfully, the next step will also be successful
Deterministic analysis
Evaluates risk based on what is known about a vulnerability
Benign events
Event that should not trigger alerts
A benign event should trigger an alert T/F?
False
Which type of incident has occurred when nothing is reported, but an exploit has occurred?
False negative
Which type of alert has happened when an alert is received, but no incident has occurred?
False positive
False positives are desirable T/F?
False, although they do not indicate that an undetected exploit has occurred, they are costly since cyber analysts must investigate any "false alarms"
True negatives are not desirable T/F?
False, true negatives are desirable because they indicate that benign normal traffic is correctly ignored, and erroneous alerts are not being issued
Zeek
Formerly known as Bro, a NIDS that uses more of a behavior-based approach to intrusion detection
Three core functions of Security Onion:
Full packet capture and data types, network-based and host-based intrusion detection systems, and alert analyst tools
RT
Real-time
Probabilistic analysis is useful in which network security analysis scenario?
Real-time network security analysis
HTTP, DNS, and TCP transactions
Recorded by Zeek and pcaps
content:
Refers to content of the packet
What does the variable represent in the Rule Options?
Represents the portion of the rule that is enclosed in parentheses
What additional features can Suricata include?
Reputation-based blocking and support for Graphics Processing Unit (GPU)
True positives are the desired type of alert T/F? and what does this mean?
True, this means that the rules that generate alerts have worked correctly
Alert ID
Two-part number that represents the sensor that has reported the problem and the event number for that sensor
Snort includes a set of default categories that have one of ______ priority values a.) Two b.) Three c.) Four d.) Five
c.) Four
The values for these variables are configured in which Snort file?
snort.conf
The alert will be sent if what literal text appears anywhere in the packet data?
uid=0(root)
Detection rules should be overly conservative T/F?
True
Two categories of an alert that was not generated
True and False negative
Alerts can be classified in which two categories?
True and False positive
Which type of alert would have no incident reported and no incident has occurred?
True negative
Which type of alert is it when an alert is received, and an exploit has been verified?
True positive
Which variables appear in the Snort rules?
$HOME_NET and $EXTERNAL_NET
Rule Header
Contains the action to be taken, source and destination addresses and port, and the direction of traffic flow
With CNT, the system has determined that this set of events is:
Correlated
Three common sources for Snort rules are:
- GPL - ET - VRT
Fields available for the real-time events:
- ST - CNT - Sensor - Alert ID - Date/Time - Event Message
Security Onion Analysis Tools:
- Sguil - Kibana - Wireshark - Zeek
The Five-tuples of alert information includes the following:
- SrcIP - SPort - DstIP - DPort - Pr
Four priority levels:
1. Very low 2. Low 3. Medium 4. High
Snort
A Network Intrusion Detection System (NIDS) that is an important source of alert data that is indexed in the Sguil analysis tool
classtype:
A category for the attack
Zeek
A network traffic analyzer that serves as a security monitor
While detecting with CNT, what do high numbers represent about the event?
A security problem or the need for tuning of the event signatures to limit the number of potentially spurious events that are being reported
sid:
A unique numeric identifier for the rule
CapME
A web application that allows viewing of pcap transcripts rendered with the tcpflow or Zeek tool
Rule Location
Added by Sguil to indicate the location of the rule in the Security Onion file structure and in the specified rule file
What does Kibana allow?
Allows querying of NSM data and provides flexible visualizations of data
Native multithreading
Allows the distribution of packet stream processing across multiple processor cores
False Negative
An undetected incident has occurred
Detection modules:
CapME, Snort, Zeek (Bro), OSSEC, Wazuh, Suricata
What features does Kibana provide?
Data exploration and machine learning data analysis
Analysis assumes that all of the information to accomplish an exploit is known
Deterministic
Analysis can only describe the worst case
Deterministic
Assumes that for an exploit to be successful all prior steps in the exploit process must also be successful
Deterministic
What are two general approaches used to evaluate risks of exploits?
Deterministic and probabilistic analysis
When true positives are suspected, a cybersecurity analyst is sometimes required to
Escalate the alert to a higher level for investigation
Which types of endpoint mechanisms does Wazuh provide?
Host logfile analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response
The available sensors and their identifying numbers can be found where in the Sguil Window?
In the Agent Status tab of the pane which appears below the events window on the left
Where can the associated rule be viewed in the Sguil window?
In the right-hand pane, just above the packet data
Rule Options
Includes the message to be displayed, details of packet content, alert type, source ID, and additional details, such as a reference for the rule or vulnerability
Excess benign events
Indicate that some rules or other detectors need to be improved or eliminated
What can Snort also allow?
Individual IP addresses, blocks of addresses, or lists of either to be specified in rules
What can a cybersecurity analyst also be responsible for?
Informing security personnel that false positives are occurring to the extent that the cybersecurity analyst's time is seriously impacted
Wazuh
Is a HIDS that will replace OSSEC in Security Onion. It is a full-featured solution that provides a broad spectrum of endpoint protection mechanisms including
ET (Emerging Threats)
Is a collection point for Snort rules from multiple sources
False negatives are dangerous T/F?
True, they indicate that exploits are not being detected by the security systems that are in place
OSSEC
Is a host-based intrusion detection system (HIDS) that is integrated into Security Onion and actively monitors host system operations, including conducting file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection
Wireshark
Is a packet capture application that is integrated into the Security Onion suite and can be opened directly from other tools and will display full packet captures relevant to an analysis
Kibana
Is an interactive dashboard interface to Elasticsearch data
Security Onion
Is an open-source suite of Network Security Monitoring (NSM) tools that run on an Ubuntu Linux distribution
reference:
Is often a link to a URL that provides more information on the rule
Sensor
Is the agent reporting the event
Date/Time
Is the timestamp for the event, usually for the first event
What does deterministic analysis assume?
It assumes that for an exploit to be successful all prior steps in the exploit process must also be successful
Syslog messages
Multiple sources
Suricata uses what type of threading method?
Native multithreading
True Negative
No security incident has occurred. The activity is benign
What are security alerts?
Notification messages that are generated by NSM tools, systems, and security devices
HIDS
OSSEC, Wazuh
Asset management and monitoring
Passive Asset Detection System (PADS)
Analysis assumes that port numbers that will be used by an exploit can only be predicted with some degree of confidence
Probabilistic
Analysis estimates the likelihood that an exploit has been ultimately successful
Probabilistic
Analysis is useful in real-time network security analysis in which numerous variables are at play
Probabilistic
Emerging Threats is a division of which incorporation?
Proofpoint Inc.
What does Sguil provide in Security Onion?
Provides a console that integrates alerts from multiple sources into a timestamped queue
Sguil
Provides a high-level console for investigating security alerts from a wide variety of sources and serves as a starting point in the investigation of security alerts
Alerts can be generated based on what values?
Rules, signatures, anomalies, or behaviors
How can ranges of ports be specified?
By separating the upper and lower values of the range with a colon
The GPL ruleset can be downloaded from the ____________ website and it is included in ________________
Snort, Security Onion
NIDS
Snort, Zeek, and Suricata
Older Snort rules were created by whom and distributed under which GPL version?
Sourcefire, GPLv2
Security Onion can be installed as which two platforms?
Standalone installation or as a sensor and server platform
What does probabilistic analysis rely on?
Statistical techniques that are designed to estimate the probability that an event will occur based on the likelihood that prior events will occur
msg:
Text that describes the alert
The identifying numbers can also be used in which area of the Sguil Window?
The Alert ID column
Pr
The IP protocol number for the event
In order to display the associated rule, which checkbox needs to be selected?
The Show Rule checkbox
Alert
The action to be taken is to issue an alert, other actions are log and pass
False Positive
The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger
True Positive
The alert has been verified to be an actual security incident
When using Sguil in Security Onion, instead of using a dedicated workflow management system such as Request Tracker for Incident Response (RTIR), what would a cybersecurity analyst use to orchestrate an NSM investigation?
The analyst would use the output of an application such as Sguil
CNT
The count for the number of times this event has been detected for the same source and destination IP address
DstIP
The destination IP for the event
DPort
The destination Layer 4 port for the event
->
The direction of flow is from the source to the destination
How does CNT report events?
The field lists the event once, with the number of times it has been detected shown in this column
Event Message
The identifying text for the event
ip
The protocol
rev:
The revision of the rule that is represented by the sid
Two sections of a Snort rule:
The rule header and the rule options
SPort
The source (local) Layer 4 port for the event
SrcIP
The source IP address for the event
The sid is hyperlinked to which source on the internet?
The source of the rule
any any
The specified source or destination is any IP address and any Layer 4 port
ST
The status of the event
What does the variable in the Rule Options contain?
The text message that identifies the alert, metadata about the alert, such as a URL that provides reference information for the alert, the type of rule, and a unique numeric identifier for the rule and the rule revision
What do variables do in the Snort rule?
They simplify the creation of rules by eliminating the need to specify specific addresses and masks for every rule
Suricata
Uses a signature-based approach and can also be used for inline intrusion prevention
What is the structure of the options section of the rule?
Variable
Snort uses _____________ to represent internal and external IP addresses
Variables
When can an RSA occur?
When newly obtained rules or other threat intelligence is applied to archived network security data
Which detection module is Suricata similar to?
Zeek
ET rules are open source under a _____________ license a.) BSD b.) GNU GPL
a.) BSD
Rule Location is sometimes added by a.) Sguil b.) Snort c.) Wireshark d.) Zeek
a.) Sguil
Alerts will generally include _____-tuples information when available a.) Two b.) Three c.) Five d.) Seven
c.) Five