Chapter 7 - Security Assessment Techniques


Gartner

A leading research company that coined the term SOAR (Security Orchestration, Automation, and Response) for tooling used in threat and vulnerability management, security incident response, and security operations automation.

Threat Hunting

A proactive approach that aims to find an attacker who is already in the environment before any alert is triggered.

Syslog

A standard for message logging that is available on most network devices (switches, routers, and firewalls) and on many Unix and Linux systems. Syslog servers (collectors) listen for messages sent by syslog clients and record them; each message carries a priority value that encodes the facility and severity.

Fusion Analysis

A type of analysis used to gain more meaningful insight by comparing internal telemetry data with external data, such as threat feeds.

SIEM System

Aggregates syslog data.

Internal Threat Data

Alert and event data from SIEM and other raw logs.

Reactive Approach

An approach that responds to data already collected (such as SIEM alerts), acting only after an event has occurred.

Web-Application Scanners

Scan specifically for vulnerabilities in web applications. They test the running application from the outside, without access to the source code: dynamic application security testing (DAST).

Three Basic Functions of SIEM

Central management of security events; correlation and normalization of events to provide context and generate alerts; reporting on data gathered from various sources.

SOAR Solution

Combines security orchestration and automation (SOA) with threat intelligence platforms (TIP) and incident response platforms (IRP).

Cyber Kill Chain

Framework developed by Lockheed Martin that models the steps or phases an attacker goes through when penetrating an environment.

Comprehensive Vulnerability scan

Helps a company identify vulnerabilities, uncover common misconfigurations, and understand which additional security controls are required.

Attributes of Threat Hunting

Hypothesis (forming an educated guess about threats based on clues); People (relies on security analysts who know the organization's environment); Assumptive (assumes the organization is already breached); Iterative (frequent pivoting as findings change the hypothesis).

How SIEM works

Identifies internal and external threats; monitors activity and resource usage; produces compliance reports for internal and external audits; supports incident response.

Identifying vulnerabilities

Includes identifying outdated software versions that may contain flaws or misconfigurations.

Non-Credentialed Scan

Less invasive and provides an outsider's point of view of the company's security. More likely than a credentialed scan to produce false negatives, because it cannot see inside the host (local patch level, configuration files, installed software). Its findings are inferred from banners and network responses rather than verified, so it also produces more false positives.

Credentialed Scan (2)

Logs in to the target and produces a more complete vulnerability scan with detailed results. Fewer false positives, because findings are checked against the software and configuration actually present on the host; reduces the number of false negatives.

Network Scanner

Probes hosts for open ports, catalogs information about users and groups, and looks for vulnerabilities.

Detective Approach

Relies on the use of algorithms and rules to find threats.

Log Aggregation

SIEM combining similar events to condense data volume and increase efficiency; consolidates data so that important events are not missed.

Threat Hunting Sources

SIEM system and external sources.

External Threat Data

Structured threat information such as STIX, or unstructured data from security advisories, bulletins, or OSINT tools.

Intelligence Fusion

The fusing together of internal and external threat feeds.
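The fusion step described here and under External Threat Data, as an added example that is not part of this study set: the Python below reads a constructed STIX 2.1 bundle, flattens each indicator's pattern into observables, and joins them against constructed internal telemetry, discarding indicators whose validity window has lapsed (a stale feed is a common source of false positives). The field mapping (FIELD_MAP), the sample indicators, the identifiers and the addresses are all assumptions made for the example; the pattern parser handles only OR-joined equality comparisons, not the full STIX patterning language.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for an external feed. IDs, names and
# indicators are fictional; the addresses come from documentation ranges.
EXTERNAL_STIX = json.dumps({
    "type": "bundle",
    "id": "bundle--5c2d1f3a-1111-4f2b-9d3c-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--5c2d1f3a-1111-4f2b-9d3c-000000000002",
         "name": "Credential-stuffing source", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '203.0.113.8']",
         "valid_from": "2024-03-01T00:00:00Z", "confidence": 80},
        {"type": "indicator", "id": "indicator--5c2d1f3a-1111-4f2b-9d3c-000000000003",
         "name": "Phishing landing domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-verify.example']",
         "valid_from": "2024-03-01T00:00:00Z", "confidence": 60},
        {"type": "indicator", "id": "indicator--5c2d1f3a-1111-4f2b-9d3c-000000000004",
         "name": "Retired C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.9']",
         "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-30T00:00:00Z",
         "confidence": 90},
        {"type": "identity", "id": "identity--5c2d1f3a-1111-4f2b-9d3c-000000000005",
         "name": "Example feed"},
    ],
})

# Constructed internal telemetry, already normalized the way a SIEM would hand it over.
INTERNAL_EVENTS = [
    {"ts": "2024-03-04T10:01:02Z", "source": "sshd", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "domain": None},
    {"ts": "2024-03-04T10:07:44Z", "source": "proxy", "src_ip": "10.0.0.23", "dst_ip": "192.0.2.50", "domain": "login-verify.example"},
    {"ts": "2024-03-04T11:00:00Z", "source": "firewall", "src_ip": "10.0.0.40", "dst_ip": "198.51.100.9", "domain": None},
    {"ts": "2024-03-04T11:30:00Z", "source": "firewall", "src_ip": "10.0.0.41", "dst_ip": "192.0.2.77", "domain": None},
]

# Which internal fields a STIX object path can be joined against (assumed schema).
FIELD_MAP = {"ipv4-addr:value": ("src_ip", "dst_ip"), "domain-name:value": ("domain",)}
# One equality comparison inside a STIX pattern, e.g. ipv4-addr:value = '203.0.113.7'
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(stix_json):
    """Flatten STIX indicator objects into (path, value) observables with their validity window.
    Only OR-joined equality comparisons are handled; AND/FOLLOWEDBY patterns are skipped."""
    out = []
    for obj in json.loads(stix_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        if " AND " in obj["pattern"] or "FOLLOWEDBY" in obj["pattern"]:
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            out.append({
                "indicator": obj["id"], "name": obj["name"], "confidence": obj.get("confidence", 0),
                "path": path, "value": value,
                "valid_from": parse_ts(obj["valid_from"]),
                "valid_until": parse_ts(obj["valid_until"]) if "valid_until" in obj else None,
            })
    return out


def fuse(internal_events, indicators):
    """Join internal telemetry to external indicators on shared observables,
    dropping matches that fall outside the indicator's validity window."""
    by_value = {}
    for ind in indicators:
        for field in FIELD_MAP.get(ind["path"], ()):
            by_value.setdefault((field, ind["value"]), []).append(ind)
    fields = sorted({f for fs in FIELD_MAP.values() for f in fs})
    hits = []
    for ev in internal_events:
        ts = parse_ts(ev["ts"])
        for field in fields:
            for ind in by_value.get((field, ev.get(field)), []):
                if ts < ind["valid_from"] or (ind["valid_until"] and ts > ind["valid_until"]):
                    continue  # stale or not-yet-valid indicator: no alert
                hits.append({"ts": ev["ts"], "source": ev["source"], "field": field,
                             "value": ev[field], "indicator": ind["indicator"],
                             "name": ind["name"], "confidence": ind["confidence"]})
    return hits


if __name__ == "__main__":
    for hit in fuse(INTERNAL_EVENTS, load_indicators(EXTERNAL_STIX)):
        print(f"{hit['ts']} {hit['source']} {hit['field']}={hit['value']} -> {hit['name']} (confidence {hit['confidence']})")
```

Run as a script it prints two enriched hits: the SSH failure from 203.0.113.7 and the proxy request to login-verify.example. The firewall connection to 198.51.100.9 matches an indicator but is not reported, because that indicator's valid_until has passed; carrying the validity window through the join is what keeps a retired indicator from generating alerts months later.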

Mitigation

The organization can introduce a control to reduce the likelihood that the vulnerability is exploited, or the impact if it is.

Remediation

The organization can patch the vulnerability.

Acceptance

The organization can take no action if the risk is low.

Sentiment Analysis

The study of human emotions present within data (positive, negative, or neutral opinions/attitudes).

Goal of the Security Team

To disrupt the attacker and prevent them from moving across the attack chain.

Security Orchestration, Automation, and Response (SOAR)

Tools that are used to aggregate intelligence from internal and external sources to provide fusion analysis and other insights.

Non-Intrusive Scan

Does not exploit vulnerabilities as part of the test; helps organizations minimize disruption from vulnerability testing.

Credentialed Scan (1)

Runs with credentials, such as a username and password, that give the scanner authorized access to the system.

False positive

False identification of a security risk; time-consuming and a burden on IT staff.

Common Vulnerability Scoring System (CVSS)

Framework that communicates the characteristics and severity score of vulnerabilities. EXAM ALERT: CVSS provides a score from 0 to 10 that indicates the severity of a vulnerability.

Identifying common misconfigurations

Identifies common misconfigurations and may be capable of remediating them.

False negative

No alert is raised for an actual security issue; can lead to security breaches.

SIEM - EOI creation

Pattern matching, anomaly detection, Boolean logic, and Boolean logic combined with context-relevant data (for example, whether the account involved is privileged). Creates alerts for events of interest (EOIs) so IT personnel can respond immediately.
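Putting the Syslog, Log Aggregation and EOI-creation cards together, here is an added example in Python that is not from the original study set: it parses constructed RFC 3164 syslog lines, normalizes them into common fields, aggregates identical events into counted rows, and then runs the three alerting techniques named above. The sample log lines, the host name, the SYSLOG_YEAR constant, the privileged-account list and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style syslog lines from one jump host; not real telemetry.
SAMPLE_SYSLOG = """\
<38>Mar  4 10:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
<38>Mar  4 10:01:05 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
<38>Mar  4 10:01:07 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
<38>Mar  4 10:01:09 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
<38>Mar  4 10:01:12 bastion sshd[2101]: Accepted password for root from 203.0.113.7 port 51026 ssh2
<38>Mar  4 10:02:30 bastion sshd[2150]: Failed password for alice from 198.51.100.9 port 40001 ssh2
<38>Mar  4 10:03:30 bastion sshd[2151]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
<86>Mar  4 10:05:00 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""
SYSLOG_YEAR = 2024  # assumption: RFC 3164 timestamps carry no year, so the collector supplies one

# <PRI>TIMESTAMP HOST TAG[PID]: MSG, where PRI = facility * 8 + severity
SYSLOG_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                         r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Accepted|Failed) (?:password|publickey) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

# Context-relevant data a SIEM would pull from an identity inventory (assumed values).
PRIVILEGED_ACCOUNTS = {"root", "admin"}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
BRUTE_FORCE_THRESHOLD, BRUTE_FORCE_WINDOW = 3, timedelta(seconds=60)  # failures per source per window
FOLLOW_ON_WINDOW = timedelta(minutes=5)  # a success this soon after a burst is suspicious

def parse_syslog(line):
    """Split one syslog line into header fields; None for lines that do not parse."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    return {"ts": ts, "facility": pri // 8, "severity": pri % 8,
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def normalize(rec):
    """Map a raw record onto common field names (action, user, src) so rules need no per-source parsing."""
    ev = dict(rec, action="other", user=None, src=None)
    if m := AUTH_RE.search(rec["msg"]):
        ev.update(action="auth_success" if m["result"] == "Accepted" else "auth_failure",
                  user=m["user"], src=m["src"])
    elif m := SUDO_RE.match(rec["msg"]):
        ev.update(action="privilege_escalation", user=m["user"], src="local",
                  target=m["target"], cmd=m["cmd"])
    return ev

def aggregate(events):
    """Log aggregation: one row per (host, action, user, src) with a count and time span."""
    rows = {}
    for ev in events:
        key = (ev["host"], ev["action"], ev["user"], ev["src"])
        row = rows.setdefault(key, dict(zip(("host", "action", "user", "src"), key),
                                        count=0, first=ev["ts"], last=ev["ts"]))
        row["count"] += 1
        row["first"], row["last"] = min(row["first"], ev["ts"]), max(row["last"], ev["ts"])
    return list(rows.values())

def detect(events):
    """Return (rule, subject, timestamp) alerts produced by three EOI techniques."""
    alerts = []
    # 1. Pattern matching on a single event: sudo used to spawn an interactive shell.
    for ev in events:
        if ev["action"] == "privilege_escalation" and ev["cmd"].split()[0] in INTERACTIVE_SHELLS:
            alerts.append(("sudo_interactive_shell", ev["user"], ev["ts"]))
    # 2. Anomaly detection: N failures from one source inside a sliding time window.
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "auth_failure":
            failures[ev["src"]].append(ev["ts"])
    burst_end = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - BRUTE_FORCE_THRESHOLD + 1):
            if times[i + BRUTE_FORCE_THRESHOLD - 1] - times[i] <= BRUTE_FORCE_WINDOW:
                burst_end[src] = times[i + BRUTE_FORCE_THRESHOLD - 1]
                alerts.append(("brute_force", src, burst_end[src]))
                break
    # 3. Boolean logic with context: burst AND later success from the same source AND privileged account.
    for ev in events:
        if (ev["action"] == "auth_success" and ev["src"] in burst_end and ev["user"] in PRIVILEGED_ACCOUNTS
                and timedelta(0) <= ev["ts"] - burst_end[ev["src"]] <= FOLLOW_ON_WINDOW):
            alerts.append(("privileged_account_compromise", ev["src"], ev["ts"]))
    return alerts

def run_pipeline(raw):
    """Collect -> normalize -> aggregate -> detect, the path ingested syslog takes through a SIEM."""
    events = [normalize(r) for r in map(parse_syslog, raw.splitlines()) if r]
    return aggregate(events), detect(events)

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_SYSLOG)[1]:
        print("ALERT", *alert)
```

Run as a script it raises three alerts, all on the sample data: the sudo shell (pattern match), the four-failure burst from 203.0.113.7 (threshold anomaly), and the root login that follows that burst (Boolean logic with the privileged-account context). Alice's single failure from 198.51.100.9 never crosses the threshold and her later key-based login is a success without a preceding burst, so it stays quiet; that asymmetry is the point of the third rule, which would be pure noise if it fired on every success.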

Passive Scanning

Poses minimal risk to the assessed environment; designed to avoid interference with daily activities.

Identifying the lack of security

Provides an opportunity to remediate vulnerabilities and weaknesses.

Application Scanner

Requires access to the application's source code and tests the application from the inside: static application security testing (SAST).

Log Collectors

Responsible for aggregating and ingesting data from devices, including security devices, network devices, servers, and applications.

Network Vulnerability Scanner

Software utility that scans a range of IP addresses, testing for the presence of vulnerabilities.

Common Vulnerabilities and Exposures (CVE)

Standard for identifying publicly known vulnerabilities, designed so that vulnerability databases can be linked together. Each entry carries a unique identifier (CVE-YYYY-NNNN) assigned by a CVE Numbering Authority (CNA), which is often the affected vendor; the identifier is independent of whether a patch exists. EXAM ALERT: CVE is a list of publicly known vulnerabilities, each with an ID number, a description, and references.

Security Information and Event Management (SIEM)

Stores a large amount of log and event data and turns it into knowledge that can be acted upon.

Intrusive Scan

Verifies vulnerabilities by trying to exploit them; execute with care, because it can damage or disrupt systems.

US Government Facts on Security Assessments

Vulnerabilities are described using the Open Vulnerability and Assessment Language (OVAL), originally sponsored by the Department of Homeland Security's National Cyber Security Division (NCSD). OVAL is intended to be an international, machine-readable language for describing vulnerabilities and the system state used to check for them.

