Incident detection strategies


NIST SP 800-61, Rev. 1 provides a five-category incident classification scheme for network-based incidents:

Denial of service: an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources
Malicious code: a virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host
Unauthorized access: when a person, without permission, gains logical or physical access to a network, system, application, data, or other IT resource
Inappropriate usage: when a person violates acceptable use of any network or computer policies
Multiple component: a single incident that encompasses two or more incidents

Cyber kill chain

a series of steps that follow stages of a cyberattack from the early reconnaissance stages to the exfiltration of data; it helps you understand, identify, and combat many cyberattack strategies and advanced persistent threats

four types of adverse events that are probable indicators of actual incidents:

activities at unexpected times
presence of unexpected new accounts
reported attacks
notification from an IDPS

Incident candidates

an adverse event that is a possible incident

Noise

candidate events that are legitimate activities wrongly reported as incident candidates in a properly designed system (whether human-based or machine-based)

Violation of policy

if organizational policies addressing information or information security have been violated, an incident has occurred

Violation of law

if the law has been broken and the organization's info assets are involved, an incident has occurred

Loss of availability

info or info systems become unavailable

four types of indicators that actual incidents are possibly under way:

presence of unfamiliar files
presence or execution of unknown programs or processes
unusual consumption of computing resources
unusual system crashes

Ransomware

software designed to penetrate security controls, identify valuable content, and then encrypt files and data in place in order to extort payment for the key needed to unlock the encryption

False negatives

the failure of a technical control to react to the intended stimulus so that it goes unreported

Footprinting

the organized research and investigation of Internet addresses owned or controlled by a target organization

Tuning

the process of adjusting a technical control to maximize its efficiency in detecting true positives while minimizing false positives and false negatives

Incident classification

the process of evaluating the circumstances of reported events

Fingerprinting

the process of gathering information about the organization and its network activities and the subsequent process of identifying network assets by a potential attacker

five types of adverse events that are definite indicators of an actual incident (they clearly and specifically signal that an incident is in progress or has occurred):

use of dormant accounts
changes to logs
presence of hacker tools
notifications by partner or peer
notification by hacker

Loss of integrity

users report corrupt data files, garbage where data should be, or data that just looks wrong

Incident

when an adverse event becomes a genuine threat to the ongoing operations of an organization

loss of confidentiality

you are notified of sensitive information leaks, or info you thought was protected has been disclosed
