CySA
Standard security practices dictate a what?
"Default-deny" Firewall Rules
EAP-TLS
"EAP-Transport Layer Security--Uses PKI, requiring both server-side and client-side certificates."
planning phase
1. Authorization, 2. Scope, 3. Timing
NIST monitoring process
1. Define 2. Establish 3. Implement 4. Analyze/Report 5. Respond 6. Review/Update
Kill Chain
1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and Control 7. Action on Objectives
HTTP Response Codes
200—This indicates a successful GET or POST request (OK). 201—This indicates where a PUT request has succeeded in creating a resource. 3xx—Codes in this range indicate a redirect, where the server tells the client to use a different path to access the resource. 4xx—Codes in this range indicate an error in the client request, such as requesting a non-existent resource (404), not supplying authentication credentials (401), or requesting a resource without sufficient permissions (403). Code 400 indicates a request that the server could not parse. 5xx—These codes indicate a server-side issue, such as a general error (500) or overloading causing service unavailability (503). If the server is acting as a proxy, messages such as 502 (bad gateway) and 504 (gateway timeout) indicate an issue with the upstream server.
Sinkhole
A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.
Secure Shell (SSH)
A Linux/UNIX-based command interface and protocol for securely accessing a remote computer. Port 22.
ifconfig
A TCP/IP configuration and management utility used with UNIX and Linux systems.
traceroute (tracert)
A TCP/IP troubleshooting utility that uses ICMP to trace the path from one networked node to another, identifying all intermediate hops between the two nodes. Traceroute is useful for determining router or subnet connectivity problems. On Windows-based systems, the utility is known as tracert.
netstat
A TCP/IP utility that shows the status of each active connection.
Event Viewer (Eventvwr.msc)
A Windows tool useful for troubleshooting problems with Windows, applications, and hardware. It displays logs of significant events such as a hardware or network failure, OS failure, OS error messages, a device or service that has failed to start, or General Protection Faults.
Managerial
A category of security control that gives oversight of the information system.
Technical
A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.
Operational
A category of security control that is implemented by people.
tcpdump
A command-line protocol analyzer. Administrators use it to capture packets.
reverse proxy
A computer or an application program that routes incoming requests to the correct server.
proxy server
A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user.
Defense in Depth
A defense that uses multiple types of security devices to protect a network. Also called layered security.
use cases
A detailed description of the steps in a process to achieve the stated goal.
/var/log
A directory that contains most log files on a Linux system.
OpenIOC
A file format for supplying codified information to automate incident detection and analysis.
Web Application Firewall (WAF)
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
host-based firewall
A firewall that only protects the computer on which it's installed.
adversary capabilities
A formal classification of the resources and expertise available to a threat actor.
Structured Threat Information eXpression (STIX)
A framework for analyzing cybersecurity incidents.
The Diamond Model of Intrusion Analysis
A framework for analyzing cybersecurity incidents.
Network Access Control (NAC)
A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.
Security group
A group used to assign rights and permissions and gain access to network resources.
Test Access Port (TAP)
A hardware device inserted into a cable to copy frames for analysis.
Network firewall
A hardware device that is located at the "edge" of the network as the first line of defense defending the network and devices connected to it.
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.
Black hole
A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic.
Security Information and Event Management (SIEM)
A method for analyzing risk in software systems. It is a centralized collection of monitoring of security and event logs from different systems. ___________ allows for the correlation of different events and early detection of attacks.
kill chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.
Scope—(Google Hacking)
A multitude of keywords can be used to target the search. Examples include site: (within a domain or TLD), filetype:, related: (return results from sites that Google identifies as similar to the one specified), and allintitle: / allinurl: / allinanchor: (match terms in a specific part of the page).
Network Segmentation
A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.
Nmap
A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.
Nessus
A network-vulnerability scanner available from Tenable Network Security.
Indicator
A pattern of observables that are "of interest," or worthy of cybersecurity analysis. Ideally, software would automate the discovery of correlations between observables based on a knowledge of past incidents and TTPs.
Metasploit
A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits.
Threat Actor
A person or element that has the power to carry out a threat.
Extensible Authentication Protocol over LAN (EAPoL)
A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.
Network Scanning
A procedure for identifying active hosts on a network.
Syslog
A protocol enabling different appliances and software applications to transmit logs or event records to a central server.
Trusted Automated eXchange of Indicator Information (TAXII)
A protocol for supplying codified information to automate incident detection and analysis.
Host software baselining
A security baseline which defines the security level that will be implemented and maintained.
Forward Proxy
A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance.
Nontransparent Proxy
A server that redirects requests and responses for clients configured with the proxy address and port.
Transparent Proxy
A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.
indicator of compromise (IoC)
A sign that an asset or network has been attacked or is currently under attack.
IDS (Intrusion Detection System)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
Security Information and Event Management (SIEM)
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
Web Application Firewall
A special type of firewall that looks more deeply into packets that carry HTTP traffic.
attack vector
A specific path by which a threat actor gains unauthorized access to a system.
IEEE 802.1x
A standard for encapsulating EAP communications over a LAN or wireless LAN and that provides port-based authentication. Also known as EAP (Extensible Authentication Protocol).
Observed Data
A stateful property of the computer system or network or an event occurring within it. Examples of observables include an IP address, a change in an executable file property or signature, an HTTP request, or a firewall blocking a connection attempt. Observables would be generated by the logging and monitoring system.
Sysinternals
A suite of tools designed to assist with troubleshooting issues with Windows.
Port-based NAC (PNAC)
A switch (or router) that performs some sort of authentication of the attached device before activating the port.
security control
A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.
unintentional threat
A threat actor that causes a vulnerability or exposes an attack vector without malicious intent.
intentional threats
A threat actor with a malicious purpose.
known threats
A threat that can be identified using basic signature or pattern matching.
unknown threats
A threat that cannot be identified using basic signature or pattern matching.
DDoS
A traffic surge might be an indicator of a ___________ attack. Typically, the attacker will leverage a botnet. As well as elevated traffic levels, you are likely to notice unusual geographic distribution of source IP addresses.
Spyware
A type of Malware that locates and saves data from users without them knowing about it.
HIDS (host-based intrusion detection system)
A type of intrusion detection that runs on a single computer, such as a client or server, to alert about attacks against that one host.
Reverse proxy
A type of proxy server that protects servers from direct contact with client requests.
Corrective
A type of security control that acts after an incident to eliminate or minimize its impact.
Physical
A type of security control that acts against in-person intrusion attempts.
Compensating
A type of security control that acts as a substitute for a principal control.
Preventative
A type of security control that acts before an incident to eliminate or reduce the likelihood that an attack can succeed.
Detective
A type of security control that acts during an incident to identify or record that it is happening.
Deterrent
A type of security control that discourages intrusion attempts.
Host Firewall
A type of software firewall installed on a host and used to protect the host from network-based attacks.
advanced persistent threat (APT)
A type of threat actor that is supported by the resources of its host country's military and security services.
nation-states
A type of threat actor that is supported by the resources of its host country's military and security services.
organized crime
A type of threat actor that uses hacking and computer fraud for commercial gain.
insider threat
A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.
Ping
A utility that sends an ICMP echo request message to a host.
zero-day
A vulnerability in software that is unpatched by the developer or an attack that exploits such a vulnerability.
ARP
Address Resolution Protocol. Resolves IP addresses to MAC addresses. ARP poisoning attacks can redirect traffic through an attacker's system by sending false MAC address updates. VLAN segregation helps prevent the scope of ARP poisoning attacks within a network.
Capability refers to a threat actor's ability to craft novel exploit techniques and tools. Which capability can exploit supply chains to introduce vulnerabilities in proprietary and open-source products?
Advanced
MITRE (corporate identity) identifies varying levels of capability of adversary exploitation techniques. ___________ ______________ can exploit supply chains to introduce vulnerabilities in proprietary and open-source products and plan campaigns that exploit suppliers and service providers.
Advanced capabilities
Your organization is planning to transition from using local clients to provisioning desktop instances via cloud-based infrastructure. Your CISO has asked you to outline a threat modeling project to support selection and development of security controls to mitigate risks with this new service. What five methodologies should your outline contain?
Adversary capability analysis, total attack surface analysis, attack vector analysis, impact analysis, and likelihood analysis.
Persistence
After exploiting a vulnerability in a system attackers install tools on that system to allow future access, even if the initial vulnerability is corrected.
Pivot
After exploiting a vulnerability in a system, attackers use the system as a base from which to target other systems on the same local network.
iptables
Allow a system administrator to alter the Linux kernel firewall. They can create rules determining whether a packet is dropped or accepted. Filters incoming, outgoing, and forwarding traffic.
Orphaned rules
Allow access to decommissioned systems/services.
DNS Sinkhole
Altered DNS records to reroute botnet traffic
SNMP (Simple Network Management Protocol)
An Application-layer protocol used to exchange information between network devices.
GET request
An HTTP method in which the client requests data such as a webpage. The client might provide some data as part of the request in the query string of the URL.
Intrusion Prevention System (IPS)
An IDS that can actively block attacks.
Known-bad IP addresses
An IP address or range of addresses that appears on one or more blacklists.
IPS (Intrusion Prevention System)
An active, inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it. Also called a Network Intrusion Prevention System (NIPS).
hacktivist
An attacker that is motivated by a social issue or political cause.
Command and Control (C2)
An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.
Aircrack-ng
An open source tool for penetration testing many aspects of wireless networks. Used to break Wi-Fi passwords.
Narrative reports
Analysis of certain adversary groups or a malware sample provided as a written document. These provide valuable information and knowledge, but in a format that must be assimilated manually by analysts. This is most useful at providing strategic intelligence to influence security control selection and configuration.
tactics, techniques, and procedures (TTP)
Analysis of historical cyber-attacks and adversary actions.
Flow Analysis
Analysis of network traffic statistics sampled by a collector.
Protocol analysis
Analysis of per-protocol utilization statistics in a packet capture or network traffic sampling.
Packet analysis
Analysis of the headers and payload data of one or more frames in captured network traffic.
A systems engineer suspects a new type of malware has impacted the company network. Which threat hunting approach does the engineer utilize in an attempt to find the origin of the malware? Select all that apply.
Analyze network traffic; identify the method of execution.
Network Fingerprinting
Analyzes details of network communications to find oddities particular to a specific operating system and version.
Windows Defender
Anti-malware software embedded in Windows 8 that can detect, prevent, and clean up a system infected with viruses and other malware. Antispyware utility included in Windows 8/7/Vista.
Wireshark
Application that captures and analyzes network packets
track
Apply a rate limiter to the rule by only triggering it if a threshold of events is passed over a particular duration.
MAC filtering
Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
Common SIEM Tools
ArcSight, QRadar, Splunk, AlienVault, OSSIM
Sensor
As well as log data, the SIEM might collect packet captures and traffic flow data from sniffers. Often, the SIEM software can be configured in sensor mode and deployed to different points on the network. The sensor instances then forward network traffic information back to the main management instance.
Your company has suffered a data breach to an IP address subsequently found to appear on several threat reputation blacklists. What configuration change can you make to reduce the risk of further events of this type?
At a minimum, configure outbound filtering on the firewall to block connections to "known-bad" IP addresses. You could also consider denying outbound connections to destinations that have not been approved on a whitelist. This configuration is more secure, but will generate more support incidents.
What type of threat is NAC designed to mitigate?
Attaching devices that are vulnerable to exploits, such as unpatched systems, systems without up-to-date intrusion detection, unsupported operating systems or applications software, and so on.
Bespoke software apps attack surface
Bespoke software apps—Forms and controls on the application's user interface, interaction with other software via an API or file/data import process, and vulnerabilities from the host OS or platform.
reputation data
Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains.
Integrated Advanced Adversary Capability
Can additionally use non-cyber tools, such as political or military assets.
Adversary Capability
Can exploit supply chains to introduce vulnerabilities in proprietary and open-source products and plan campaigns that exploit suppliers and service providers.
dig command
Can resolve an FQDN to an IP address on UNIX hosts.
Network Flow Data
Captures connection details
classtype
Categorize the attack.
airodump-ng
Command used to collect Wireless network traffic
shadow IT
Computer hardware, software, or services used on a private network without authorization from the system owner.
CIA Triad
Confidentiality, Integrity, Availability
Corporate data network attack surface
Consider access by external users (VPN, email/VoIP, FTP/internally hosted website, Wi-Fi, building security) and internal users (switch port security, management channels, unlocked workstations, and so on).
Website/cloud attack surface
Consider the web application used for the front end, but also ways to access the application programmatically via an application programming interface (API). You might also consider the possibility of compromise from within the service provider's data center.
Switched Port Analyzer (SPAN)
Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch.
website ripper (or copier)
Copying the source code of website files to analyze for information and vulnerabilities.
Threat hunting
Cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring.
Sender Policy Framework (SPF)
DNS record identifying hosts authorized to send mail for the domain.
Google Hacking Database (GHDB)
Database of search strings optimized for locating vulnerable websites and services.
Requirements
Define how security intelligence supports business goals; define use cases for security intelligence; identify legal and regulatory factors that impact collection and retention; identify data sources and anticipate technical requirements/constraints.
Trend Analysis
Detects changes over time
Anomaly/Heuristic Analysis
Detects outlier data points
behavioral analysis
Detects unusual user activity
Analysis
Develop use cases with queries and filters designed to identify incident types. Correlate security event sources with cyber threat intelligence (CTI) sources. Consider use of artificial intelligence and machine learning to automate analysis.
___________ ____________ can identify and exploit zero-day vulnerabilities and can deploy significant human and financial resources to attack planning and execution.
Developed capabilities
Port Security
Disabling unused application/service ports to reduce the number of threat vectors.
Reverse Whois
Discovers domains associated with a name or email address.
nslookup command
Displays information about DNS names and their corresponding IP addresses, and it can be used to diagnose DNS servers.
ss
Displays network statistics on Linux systems
ipconfig /all
Enables the MAC address information to be displayed from the command prompt
Following a serious data breach affecting a supplier company, your CEO wants assurance that your company is not exposed to the same risk. The supplier is willing to share threat data gathered about the breach with you. You advise a threat hunting program as the most appropriate tool to use. What should be the first step in this process?
Establish a hypothesis. You already have the basic scenario of the data breach at the supplier company. This will require documenting and expanding on. You can then move on to profiling threat actors and activities and developing threat hunting tactics to query indicators from your own systems.
Extended Access Control Lists
Extended access control lists can filter data based on source and destination IP addresses, Layer 3 and 4 protocols, and specific port numbers.
As part of your threat hunting proposal, you need to identify benefits of the program. You have listed opportunities to close attack vectors, reduce the attack surface, bundle critical assets within additional layers of security controls. What other benefit or benefits does threat hunting offer?
Firstly, threat hunting develops integrated intelligence capabilities, where you correlate cyber threat intelligence (CTI) with locally observed indicators. Secondly, the queries, filters, and tactics used can be redeployed to improve detection capabilities in conventional monitoring systems.
Libpcap
The capture file format that tcpdump/windump, Snort, and many other network tools use. Wireshark/tshark can read it, but they generate pcapng files by default now.
HTTP Methods
GET—Retrieve a resource. POST—Send data to the server for processing by the requested resource. PUT—Create or replace the resource. DELETE—Remove the resource. HEAD—Retrieve the headers for a resource only (not the body).
Zenmap
GUI that enables you to enter Nmap commands and then provides some handy analysis tools.
Physical—attack vector
Gaining local access to premises in order to effect an intrusion or denial of service attack.
Banner Grabbing
Gathering information from messages that a service transmits when another program connects to it.
sid and rev
Give the rule a unique ID and provide version information.
White Box Testing
Have full knowledge of the environment
Black Box Testing
Have no knowledge of the environment
Gray Box Testing
Have partial knowledge of the environment
Syslog Message Components
Header (timestamp, source address); Facility (source of the message on the sending system); Severity (importance value from 0 to 7); Message (details of the situation).
Viruses/worms
High CPU or memory usage could be a sign of malware infecting a host.
Flow analysis tools can provide features such as:
Highlighting of trends and patterns in traffic generated by particular applications, hosts, and ports. Alerting based on detection of anomalies, flow analysis patterns, and custom triggers that you can define. Visualization tools that enable you to quickly create a map of network connections and interpret patterns of traffic and flow data. Identification of traffic patterns revealing rogue user behavior, malware in transit, tunneling, applications exceeding their allocated bandwidth, and so forth.
Standard Access Control List
I am an access control list type. I only use the source IP as the condition test.
Proprietary/Closed-Source Intelligence Sources
IBM X-Force Exchange (exchange.xforce.ibmcloud.com) FireEye (fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-subscriptions.html) Recorded Future (recordedfuture.com/solutions/threat-intelligence-feeds)
Network reconnaissance
If not performed sparsely, scans against multiple ports or across numerous IP addresses will be highly visible and provide an early warning of adversary behavior.
zone transfer
In DNS, the act of copying a primary name server's zone file to the secondary name server to ensure that both contain the same information.
likelihood
In risk calculation, the chance of a threat being realized, expressed as a percentage.
impact
In risk calculation, the cost of a security incident or disaster scenario. Also known as magnitude.
dissemination
In the security intelligence cycle, a phase in which information is published and presented to different audiences.
feedback
In the security intelligence cycle, a phase that aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs.
Open-Source Intelligence (OSINT)
Information from media (newspapers, television), public government reports, professional and academic publications, and other openly available sources.
Wireless Reconnaissance
Information is freely available to anyone who has a receiver to monitor communications
A security engineer writes a report on recent threat activities. A threat included on the report is under investigation for being intentional or unintentional. The report includes which threat type?
Insider
Which type of threat arises from an actor, identified by the organization, and granted some sort of access?
Insider
___________ ____________ can use a variety of non-cyber tools, such as political or military assets.
Integrated capabilities
Attack Pattern
Known adversary behaviors, starting with the overall goal and asset target (tactic), and elaborated over specific techniques and procedures. This information is used to identify potential indicators and intrusion sets.
When considering a threat's motivation, questioning what an attacker stands to gain is helpful in determining which factor?
Likelihood
sudo -i
Linux interactive mode as superuser, giving root privileges.
Data feeds
Lists of known bad indicators, such as domain names or IP addresses associated with spam or distributed denial of service (DDoS) attacks, or hashes of exploit code. This provides tactical or operational intelligence that can be used within an automated system to inform real-time decisions and analysis as part of incident response or digital forensics.
Forward Proxy
Located near the user/client and acts as an intermediary between a client and a content server to protect the client's IP address from being seen from the internet.
passwd -l <account name>
Locks an account in Linux.
Bandwidth usage
Log each connection with its duration and traffic volume usage, which you can break down by connection, user, department, and other factors.
Address translation audit trail
Log network address translation (NAT) or port address translation (PAT) to provide useful forensic data, which can help you trace the IP address of an internal user that was conducting attacks on the outside world from inside your network. PAT forwards requests for services on the external IP address and port on the firewall to an address and port of a server behind the firewall.
Port and protocol usage
Log protocols and port numbers that are used for each connection, which you can analyze statistically for patterns or anomalies.
SOPHOS
Mac antivirus software
Commodity malware
Malicious software applications that are widely available for sale or easily obtainable and usable.
flow
Match a new or existing TCP connection, or match regardless of TCP connection state.
reference
Match an entry in an attack database, such as CAPEC or ATT&CK.
flags
Match whether flags in the packet have been set, such as TCP SYN and FIN both set.
Percent encoding
Mechanism for encoding characters as hexadecimal values delimited by the percent sign.
An attacker uses open-source intelligence to gather information on an organization. Which source does the attacker use to review Microsoft Office documents when planning an attack?
Metadata
Domain generation algorithm (DGA)
Method used by malware to evade blacklists by generating domain names for C&C networks dynamically.
Fast flux
Method used by malware to hide the presence of C&C networks by continually changing the host IP addresses in domain records.
Course of Action (CoA)
Mitigating actions or use of security controls to reduce risk from attacks or to resolve an incident.
NAC
Network access control. Inspects clients for health and can restrict network access to unhealthy clients to a remediation network. Clients run agents and these agents report status to a NAC server. NAC is used for VPN and internal clients. MAC filtering is a form of NAC.
Information Sharing and Analysis Centers (ISACs)
Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members. Department of Homeland Security (dhs.gov/cisa/pcii-program)
Continuous Security Monitoring
Ongoing monitoring that involves regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations.
netcat (nc)
Opens raw network connections on Mac and Linux
Sharing with Incident Response
Operational intelligence sets day-to-day priorities and assists threat hunting. Tactical intelligence provides correlation to threats.
PCAP
Packet Capture. A file that contains packets captured from a protocol analyzer or sniffer.
Connections permitted or denied
Patterns within log data can help you identify holes in your security policies. A sudden increase in rates resulting in denied traffic can reveal when attacks were committed against your firewall.
Dynamic Port Security
Port security entries learned dynamically from traffic and stored in the address table.
Static Port Security
Port security entries manually configured by the administrator.
Penetration Testing
Professional hacking to access data and computing power without being granted access; professional pen-testers are hired to identify and repair vulnerabilities and work only once given written permission to attempt such access.
Timeliness
Property of an intelligence source that ensures it is up-to-date.
Relevancy
Property of an intelligence source that ensures it matches the use cases intended for it.
Accuracy
Property of an intelligence source that ensures it produces effective results.
Confidence levels
Property of an intelligence source that ensures it produces qualified statements about reliability.
Sources
Proprietary; open source; Information Sharing and Analysis Communities (ISAC).
Protocol Analyzers
Protocol analyzers can be hardware- or software-based. Their primary function is to analyze network protocols such as TCP, UDP, HTTP, FTP, and more.
Availability Analysis
Provides uptime information
open-source intelligence (OSINT)
Publicly available information plus the tools used to aggregate and search it.
OSINT (Open Source Intelligence) Sources
Publicly available information, Social media, HTML code, Metadata
airmon-ng
Puts a wireless interface into monitor mode (distinct from promiscuous mode on a wired NIC), so it can capture raw 802.11 frames from all nearby networks without associating to any of them.
Listener/collector
Rather than installing an agent, hosts can be configured to push updates to the SIEM server using a protocol such as syslog or Simple Network Management Protocol (SNMP). A process runs on the management server to parse and normalize each log/monitoring source.
Firewalking
Reconnaissance technique to enumerate firewall configuration and attempt to probe hosts behind it.
Packet sniffer
Recording data from frames as they pass over network media, using methods such as a mirror port or tap device.
ipconfig /renew
Renew the DHCP lease
dark web
Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.
Promiscuous Rules
Rules that allow too much access (for example, any source to any destination on any port).
Shodan
Search engine optimized for identifying vulnerable Internet-attached devices.
AND/OR—(Google Hacking)
Google inserts a logical AND between search terms automatically, so every term must appear in a result. To accept either term, use the OR keyword (typed in caps) or the pipe (|) character; AND can also be typed explicitly. Combine the operators with parentheses to control precedence. For example, compare:
Collection (and Processing)
1. Select and deploy a security information and event management (SIEM) solution 2. Configure and install collectors and agents to retrieve and process data sources 3. Select and integrate sources of cyber threat intelligence (CTI) 4. Ensure secure storage and access control of security information
service --status-all
Service removal: list services
windump
The Windows version of tcpdump, the command-line network analyzer for UNIX. It uses the same capture filter syntax as tcpdump and can be used to watch, diagnose, and save network traffic to disk according to various complex rules. It targets legacy Windows versions (95 through Vista) on top of WinPcap and is no longer maintained; on current Windows, Wireshark/tshark with Npcap fill the same role.
Examples of IDS/IPS solutions include:
Snort, The Zeek Network Monitor(Bro), Security Onion
SIEM (Security Information and Event Management)
Software that can be configured to evaluate data logs from IDS, IPS, firewalls, and proxy servers in order to detect significant events that require the attention of IT staff according to predefined rules.
Spam Filter
Software that limits email traffic based on the email's content, attachments, or sender's address.
Feedback
Solicit opinions from intelligence producers and consumers. Improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle develops.
Data exfiltration
Spikes in database reads and/or high-volume network transfers might be an indicator of a ________________ event, especially if the endpoints involved do not typically see high-traffic levels. Exfiltration might also use file types and compression or encryption algorithms not typical of regular network users.
Viruses
Spread by human action (a user runs or opens the infected file); a virus self-replicates by attaching its code to other files or boot sectors.
service httpd stop/start
Stops or starts service
Dissemination
Strategic intelligence addresses broad themes and objectives, affecting projects and business priorities over weeks and months. Operational intelligence addresses the day-to-day priorities of managers and specialists. Tactical intelligence informs the real-time decisions made by staff as they encounter alerts and status indicators.
Sharing with Vulnerability Management
Strategic intelligence informs new sources and types of vulnerabilities. Operational intelligence highlights current campaigns and exploits. Tactical intelligence provides detailed vulnerability, exploit, and remediation information
Sharing with Detection and Monitoring
Strategic intelligence provides insights about new detection and monitoring methods and tools. Operational intelligence highlights current campaigns and exploits. Tactical intelligence provides detailed detection and monitoring queries, filters, and data sources.
Sharing with Risk Management and Security Engineering
Strategic threat intelligence is important for establishing an up-to-date model of threat sources and actors. Threat intelligence should be shared with network and application operational security teams so that they can apply best practice to the controls.
You should disable an account before deleting. T/F
T
RDP (Remote Desktop Protocol)
TCP 3389
SNMP Trap
UDP port 162 (agent-to-manager, unsolicited). Informs the SNMP manager of events such as an interface or router going down. Polling by the manager uses port 161.
msg
Snort/Suricata rule option: the text shown in an alert to inform the responder what triggered the rule.
Port hopping
The C2 application might use any port to communicate and may "hop" between different ports. An application-aware (next-generation) firewall can detect unknown TCP or UDP application protocols being tunnelled over ports that must be left open, such as 80/443 (HTTP/HTTPS), 25 (SMTP), or 53 (DNS), because it inspects the protocol rather than trusting the port number.
Microsoft EMET
The Enhanced Mitigation Experience Toolkit (EMET) protected against a variety of Windows exploits by enforcing mitigations such as DEP and ASLR on selected applications. Microsoft retired it in 2018; its features live on as Exploit protection in Windows Defender Exploit Guard (Windows 10 1709 and later).
Campaign and Threat Actors
The adversaries launching cyberattacks are referred to in this framework as Threat Actors. The actions of Threat Actors utilizing multiple TTPs against the same target or the same TTP against multiple targets may be characterized as a campaign.
2. Weaponization
The adversary codes an exploit to take advantage of a vulnerability that has been discovered through reconnaissance. The exploit code is coupled with a payload that will assist the attacker in maintaining and extending covert access.
1. Reconnaissance
The adversary gathers information about the network using network probes, Open Source Intelligence (OSINT), and social engineering. The aim is to map an attack surface and identify potential attack vectors.
7. Action on Objectives
The adversary uses the compromised system to achieve or progress towards goals, such as data exfiltration, DoS/vandalism, or escalating access across the target network or other connected networks.
Advanced persistent threats (APTs)
The attacker needs to use some sort of command and control (C2 or C&C) mechanism to communicate with the controller host on the Internet and this traffic will be present on the network, if you know what to look for. Some adversary techniques for communicating with the C2 server include
security operations center (SOC)
The location where security professionals monitor and protect critical information assets in an organization.
5. Installation
The payload is successfully installed on the target system using methods to remain undetected and achieve persistence.
Admission Control
The point at which client devices are granted or denied access based on their compliance with a health policy.
attack surface
The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
NetFlow
A Cisco-developed protocol (the basis of the IETF standard IPFIX) in which routers and switches export flow records (source/destination IP and port, protocol, byte and packet counts) to a collector. It is the primary tool for monitoring traffic patterns on a network without capturing packet contents.
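Added worked example (not part of the original card deck): using NetFlow-style flow records to spot the pattern described under Data exfiltration above, a spike in outbound volume from a host that does not normally move much data. The records are constructed inline (invented addresses and byte counts); the z-score threshold and minimum-bytes floor are illustrative assumptions. The point of the per-host baseline is visible in the data: the busy web server 10.0.0.80 sends far more than the workstation 10.0.0.23 every hour, yet only the workstation's hour-5 burst is anomalous relative to its own history.

```python
import statistics
from collections import defaultdict

# Constructed hourly outbound records: (hour_index, src, dst, dport, bytes_out).
_BASELINE = {
    "10.0.0.23": [2_000_000, 2_500_000, 1_800_000, 2_200_000, 2_100_000, 1_900_000],
    "10.0.0.41": [1_000_000, 1_200_000, 900_000, 1_100_000, 1_000_000, 1_050_000],
    "10.0.0.80": [400_000_000, 450_000_000, 380_000_000, 420_000_000, 410_000_000, 470_000_000],
}
FLOWS = [(h, host, "203.0.113.10", 443, b)
         for host, hourly in _BASELINE.items() for h, b in enumerate(hourly)]
FLOWS.append((5, "10.0.0.23", "198.51.100.7", 443, 900_000_000))   # the exfiltration burst

def hourly_totals(flows):
    """Aggregate flows into per-host, per-hour byte totals plus bytes per destination."""
    totals = defaultdict(lambda: defaultdict(int))
    by_dst = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, _dport, nbytes in flows:
        totals[src][hour] += nbytes
        by_dst[(src, hour)][dst] += nbytes
    return totals, by_dst

def robust_z(value, history):
    """Distance from the median in units of scaled median absolute deviation (MAD)."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad > 0 else max(0.05 * med, 1.0)   # floor for perfectly flat baselines
    return (value - med) / scale

def detect_exfil(flows, z_threshold=5.0, min_bytes=50_000_000, min_history=3):
    """Flag hours where a host's outbound volume is anomalous against its own earlier hours."""
    totals, by_dst = hourly_totals(flows)
    alerts = []
    for host, per_hour in totals.items():
        hours = sorted(per_hour)
        for i, hour in enumerate(hours):
            history = [per_hour[h] for h in hours[:i]]
            if len(history) < min_history:
                continue                      # not enough baseline yet
            value = per_hour[hour]
            z = robust_z(value, history)
            if z >= z_threshold and value >= min_bytes:
                top_dst = max(by_dst[(host, hour)].items(), key=lambda kv: kv[1])[0]
                alerts.append({"host": host, "hour": hour, "bytes": value,
                               "z": round(z, 1), "top_dst": top_dst})
    return alerts

if __name__ == "__main__":
    for alert in detect_exfil(FLOWS):
        print(alert)
```

The median/MAD baseline is deliberately robust: a single earlier burst would inflate a mean-and-standard-deviation baseline enough to hide a second one. In practice the same logic runs over flow exports from a collector, and the top_dst value is what you pivot on next (whois, passive DNS, proxy logs).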
Implicit Deny
The principle that establishes that everything that is not explicitly allowed is denied.
posture assessment
The process for verifying compliance with a health policy by using host health checks.
Threat modeling
The process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system.
Threat Intelligence
The process of investigating and collecting information about emerging threats and threat sources.
Cyber threat intelligence (CTI)
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.
Security intelligence
The process through which data generated in the ongoing use of information systems is collected, processed, analyzed, and disseminated to provide insights into the security status of those systems.
security intelligence cycle
The process through which data generated in the ongoing use of information systems is collected, processed, analyzed, and disseminated. At the start and end of the cycle, requirements and feedback phases establish goals and effectiveness.
Remediation
The result of a device not meeting a security profile or health policy, including gaining access to a guest or quarantine network.
You are investigating a data exfiltration event and have obtained the web server logs of the host that data was exported to over the Internet from the hosting provider. The logs contain only the external IP address of your company's router/firewall and a high-level TCP port number. How can you use the log to identify the local host on your network that was used to perform the exfiltration?
The router/firewall is performing port address translation. You can use the local router/firewall log to identify the local host from the port mapping recorded by the remote host.
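Added worked example (not part of the original card deck): correlating the remote server's log against the firewall's PAT translation log, as the answer above describes. Both logs are constructed inline with invented addresses; the NAT log line format is hypothetical, since every firewall vendor logs translations differently. The important detail is the time window: PAT reuses high-numbered source ports, so the same public port can belong to a different internal host hours later, and the match must use the translation created just before the remote-side timestamp.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed remote web server log: only the company's public IP and the source port
# chosen by PAT are visible to the remote side.
REMOTE_LOG = """\
203.0.113.50:49231 - - [10/Mar/2024:14:02:11 +0000] "POST /upload HTTP/1.1" 200 1048576
203.0.113.50:49877 - - [10/Mar/2024:14:05:40 +0000] "POST /upload HTTP/1.1" 200 2097152
203.0.113.50:49231 - - [10/Mar/2024:16:30:02 +0000] "GET / HTTP/1.1" 200 512
"""
# Hypothetical firewall translation log: local socket -> public socket, and destination.
NAT_LOG = """\
2024-03-10T14:02:09Z PAT 10.0.0.23:51544 -> 203.0.113.50:49231 dst 198.51.100.7:443
2024-03-10T14:05:38Z PAT 10.0.0.23:51550 -> 203.0.113.50:49877 dst 198.51.100.7:443
2024-03-10T16:29:59Z PAT 10.0.0.41:60122 -> 203.0.113.50:49231 dst 198.51.100.7:443
"""

REMOTE_RE = re.compile(r'^(?P<ip>[\d.]+):(?P<port>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<req>[^"]*)" (?P<status>\d+) (?P<size>\d+)')
NAT_RE = re.compile(r'^(?P<ts>\S+) PAT (?P<lip>[\d.]+):(?P<lport>\d+) -> '
                    r'(?P<eip>[\d.]+):(?P<eport>\d+) dst (?P<dst>\S+)')

def parse_remote(text):
    for line in text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield {"ts": ts, "ext": (m["ip"], int(m["port"])), "req": m["req"], "size": int(m["size"])}

def parse_nat(text):
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield {"ts": ts, "ext": (m["eip"], int(m["eport"])),
                   "local": (m["lip"], int(m["lport"])), "dst": m["dst"]}

def attribute(remote_text, nat_text, window=timedelta(seconds=120)):
    """Map each remote-log hit to the internal host that held that PAT mapping at the time."""
    nat = list(parse_nat(nat_text))
    results = []
    for hit in parse_remote(remote_text):
        # Candidate translations share the public ip:port and were created shortly
        # before the remote timestamp; the most recent one wins.
        cands = [n for n in nat
                 if n["ext"] == hit["ext"] and timedelta(0) <= hit["ts"] - n["ts"] <= window]
        best = max(cands, key=lambda n: n["ts"]) if cands else None
        results.append({"when": hit["ts"].isoformat(), "request": hit["req"],
                        "bytes": hit["size"], "local": best["local"] if best else None})
    return results

def upload_bytes_by_host(results):
    """Total bytes POSTed per attributed internal host (a rough exfiltration volume)."""
    totals = defaultdict(int)
    for r in results:
        if r["local"] and r["request"].startswith("POST"):
            totals[r["local"][0]] += r["bytes"]
    return dict(totals)

if __name__ == "__main__":
    res = attribute(REMOTE_LOG, NAT_LOG)
    for r in res:
        print(r)
    print(upload_bytes_by_host(res))
```

Before trusting a match, confirm both clocks are synchronized (NTP) and note the remote log's time zone; a skew of a few minutes is enough to attribute a connection to the wrong host once ports are reused.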
You are analyzing DNS logs for malicious traffic and come across two types of anomalous entry. The first type is for a single label with apparently random characters, in the form: vbhyofcyae, wcfmozjycv, rtbsaubliq. The other type is of the following form, but with different TLDs: nahekhrdizaiupfm.info, tlaawnpkfcqorxuo.cn, uwguhvpzqlzcmiug.org. Which is more likely to be an indicator for DGA?
The second type is more likely to be a domain generation algorithm. A query for a single label with no top level domain (TLD) will not resolve over the Internet and so the first type cannot be used for C&C. The first type is typical of a local client testing DNS. The Chrome browser performs this test to see how the local ISP handles NXDOMAIN errors, for instance.
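Added worked example (not part of the original card deck): a triage script for the DNS log question above. It first applies the rule from the answer (a single label with no TLD cannot resolve on the Internet, so it is not C2) and then scores the registrable label of real FQDNs with two cheap heuristics, longest consonant run and Shannon entropy. The log lines are constructed (BIND-style, invented client addresses); the thresholds are illustrative assumptions chosen for this example, not values from any standard or product.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style query log (invented clients; names taken from the card above).
DNS_LOG = """\
10.0.0.5 query: vbhyofcyae IN A
10.0.0.5 query: wcfmozjycv IN A
10.0.0.5 query: rtbsaubliq IN A
10.0.0.9 query: nahekhrdizaiupfm.info IN A
10.0.0.9 query: tlaawnpkfcqorxuo.cn IN A
10.0.0.9 query: uwguhvpzqlzcmiug.org IN A
10.0.0.12 query: www.microsoft.com IN A
10.0.0.12 query: cdn.stackoverflow.com IN A
"""
LINE_RE = re.compile(r"^(?P<client>\S+) query: (?P<name>\S+) IN (?P<type>\S+)")

# Illustrative thresholds (assumptions for this example, tune against your own traffic).
MIN_LABEL_LEN = 10
MAX_CONSONANT_RUN = 4
MIN_ENTROPY = 3.7

def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def max_consonant_run(s: str) -> int:
    """Pronounceable words rarely stack more than three consonants; DGA output often does."""
    best = cur = 0
    for ch in s:
        if ch.isalpha() and ch not in "aeiou":
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best

def classify(name: str):
    """Return (is_dga_candidate, reason) for one queried name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        # No TLD: cannot resolve on the Internet, so it cannot carry C2. Typical of a
        # local client (e.g. a browser) probing how the resolver handles NXDOMAIN.
        return False, "single label, no TLD"
    # Simplification: treat the label left of the TLD as registrable. For suffixes like
    # .co.uk a public-suffix list would be needed to pick the right label.
    sld = labels[-2]
    if len(sld) < MIN_LABEL_LEN:
        return False, "short label"
    run, ent = max_consonant_run(sld), shannon_entropy(sld)
    detail = f"len={len(sld)} consonant_run={run} entropy={ent:.2f}"
    if run >= MAX_CONSONANT_RUN or ent >= MIN_ENTROPY:
        return True, detail
    return False, detail

def flagged_by_client(log: str) -> dict:
    """Group candidates by querying host: a burst of hits from one client is the real signal."""
    out = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit, _ = classify(m["name"])
        if hit:
            out[m["client"]].append(m["name"])
    return dict(out)

if __name__ == "__main__":
    for line in DNS_LOG.splitlines():
        name = LINE_RE.match(line)["name"]
        print(name, classify(name))
    print(flagged_by_client(DNS_LOG))
```

On this sample only 10.0.0.9 is flagged; the three single-label names from 10.0.0.5 are dismissed outright and the two legitimate CDN/vendor names fall below both thresholds. A high NXDOMAIN rate from the same client is the complementary signal to check, since most DGA-generated names are never registered.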
ipconfig
The utility used to display TCP/IP addressing and domain name information in the Windows client operating systems.
4. Exploitation
The weaponized code is executed on the target system and gains the capability to deliver the payload.
3. Delivery
The weaponized code is inserted into the environment using a selected attack vector, such as email attachment, phishing website/download, USB media, and so on.
Unified output
Snort's unified2 output mode creates machine-readable binary files. This is fast but requires an interpreter (such as Barnyard2 or Snort's u2spewfoo utility) for a human to read.
6. Command and Control
This is also known as C&C or C2. The payload establishes a connection to a remote server, enabling the attacker to connect to the target and download or fabricate additional attack tools.
You are reviewing a router configuration and notice a route to the null interface (Null0). Is this a configuration weakness and IoC or does it support a secure configuration?
This supports a secure configuration to mitigate DDoS. A route to the null interface is a means of dropping traffic (a black hole) without using as many router resources as an ACL would to process each unwanted connection.
Fast flux DNS
This technique rapidly changes the IP address associated with a domain. It allows the adversary to defeat IP-based blacklists, but the communication patterns established by the changes might be detectable.
Comma-separated values (CSV)
This uses character delimiters for fields and contents, making it easier to import into third-party applications or parse using regular expressions.
Tcpdump
As a Snort/IDS logging mode, this writes the packets underlying an alert in pcap file format, so they can be opened later in tcpdump or Wireshark.
Syslog
This uses the syslog format to record event details, such as IP addresses, port numbers, and the rule or signature that was matched.
Evaluation
Timeliness, Relevancy, Accuracy, Confidence levels
email harvesting Methods
Trading lists from spammers or obtaining legitimate sales lead databases. Use a Google search against *@target.foo or use an automated scraper tool that scans pages and social media for email addresses. Test the email system for bounce backs against a dictionary of potentially valid addresses. Note that this is likely to alert the organization if they are running any sort of intrusion detection.
chief information security officer (CISO)
Typically the job title of the person with overall responsibility for information assurance and systems security. Distinct from the Chief Information Officer (CIO), who is responsible for IT as a whole, although in smaller organizations one person may hold both roles.
Open-Source Intelligence Sources
US-CERT (us-cert.gov/ncas); UK National Cyber Security Centre (ncsc.gov.uk); AT&T Cybersecurity (previously AlienVault) Open Threat Exchange (OTX) (otx.alienvault.com); Malware Information Sharing Platform (MISP) feeds (misp-project.org/feeds); Spamhaus (spamhaus.org/organization); SANS ISC Suspicious Domains (isc.sans.edu/suspicious_domains.html); VirusTotal (virustotal.com)
A technology practice hires a new junior systems engineer. The engineer routinely plugs a personal laptop into the corporate network. Which threat type does the engineer present?
Unintentional
An engineer implements the Johari window to classify threats into quadrants. Which quadrant represents risks identified, but discarded?
Unknown knowns
Under which threat class category do completely new attack vectors and exploits belong?
Unknown unknowns
Darknets
Unused but monitored IP address space
Quotes (Google Hacking)
Use double quotes to specify an exact phrase and make a search more precise.
Cyber—attack vector
Use of a hardware or software IT system. Some examples of cyberattack vectors include email or social media messaging, USB storage, compromised user account, open network application port, rogue device, and so on.
Human—attack vector
Use of social engineering to perpetrate an attack through coercion, impersonation, or force. Note that attackers may use cyber interfaces to human attack vectors, such as email or social media.
NOT (Google Hacking)
Use the minus sign in front of a word or quoted phrase to exclude results that contain that string.
Acquired and augmented Adversary Capability
Uses commodity malware and techniques only (acquired) or has some ability to customize existing tools (augmented).
Google hacking
Using Google search operators to locate vulnerable web servers and applications.
DNS Harvesting
Using OSINT to gather info about a domain.
email harvesting
Using Open Source Intelligence (OSINT) to gather email addresses for a domain.
DNS harvesting
Using Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on).
Null Interface
Virtual interface that silently discards any traffic routed to it, providing a low-overhead alternative to an ACL for filtering (black-holing) unwanted traffic.
MBSA (Microsoft Baseline Security Analyzer)
Vulnerability scanner used to determine whether Windows is fully patched and configured securely. It has been discontinued by Microsoft and does not support current Windows versions.
Behavior Detection
Watches for deviations from normal patterns of activity
The Lockheed Martin kill chain identifies phases of an attack on systems. Evaluate the given descriptions and determine which one relates to Exploitation.
Weaponized code executed on a target system.
AppLocker
Windows application control (allow-listing) feature that restricts which executables, scripts, installers, and DLLs may run. Rules can be based on publisher, path, or file hash; configurations can be imported and exported, run in audit-only mode first, and applied through Group Policy.
Agent-based
With this approach, you must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage. Agents could be configured to forward event and application logs, such as the Elastic Stack's Beats agents (elastic.co/products/beats), or intrusion detection data, such as OSSEC (ossec.net).
Transparent Proxy
Work without the client or server's knowledge
What is the effect of running 'tcpdump -i eth0 -w server.pcap'?
Write the output of the packet capture running on network interface eth0 to the 'server.pcap' file.
URL modifiers—(Google Hacking)
You can add these to the results page URL to affect the results returned. Some examples include &pws=0 (do not personalize), &filter=0 (do not filter), and &tbs=li:1 (do not autocorrect search terms.)
You need to log Internet endpoints and bandwidth consumption between clients and servers on a local network, but do not have the resources to capture and store all network packets. What technology or technologies could you use instead?
You could use a NetFlow/Argus collector or a Simple Network Management Protocol (SNMP) collector. Another option is a sniffer such as Zeek/Bro that records traffic statistics and content selectively.
Signature Detection
_____ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.
tcpdump
a command-line packet capture utility for Linux
Firewall logs
a log containing records of all inbound and outbound network traffic that passes through the network firewall.
Firewall
a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
whois
a public Internet database that contains registration information about domain names and the people or organizations that registered them. It is a reconnaissance source: contact names, email addresses, and name servers found here can support social engineering and further enumeration of the target.
nslookup
a tool used to query the DNS system to find the IP addresses for domain names, and vice versa
An ____________ ____________ uses commodity malware and techniques only. Acquired techniques can further modify existing tools (augmented capability).
acquired capability
False negative error
an instrument reports that a phenomenon (such as an intrusion) is absent when it is actually present, so a real attack goes unreported. This is a measure of decision accuracy.
false positive error
an instrument reports that a phenomenon is present when it is not, generating an alert for benign activity. This is a measure of decision accuracy.
WHOIS
an internet utility program that obtains information about a domain name or IP number from the database of a domain name registry
Unknown knowns
are a vulnerability classification that represents risks that are documented or identified but are then disregarded or perhaps minimized in any importance.
Developed Adversary Capability
can identify and exploit zero-day vulnerabilities and can deploy significant human and financial resources to attack planning and execution.
Known Knowns
categorize any threats that are previously known and have a solution and documented resolution type (these may be minimized in importance).
Honeynets
a collection of honeypots: several honeypot systems connected on a subnet
arp -a
command that displays the local ARP cache: the IP addresses and corresponding MAC addresses of hosts on the local subnet this computer has recently communicated with. Useful for spotting ARP spoofing (one MAC claiming several IPs, or the gateway's MAC changing).
Honeypots
computers baited with fake data and purposely left vulnerable to study how intruders operate to prepare stronger defenses
Application Control
in host security, controls (such as allow-listing with AppLocker) that restrict which applications may execute; in audit terminology, controls that prevent, detect, and correct transaction errors and fraud in application programs
Behavioral Threat Research
correlates IoCs into attack patterns. For example, analysis of previous hacks and intrusions produces definitions of the tactics, techniques, and procedures (TTP) used to perform attacks.
Network-related indicators of compromise (IoCs)
derive from packet capture and traffic flow data, plus logs and alerts from security and network appliances.
Antimalware
detects and eliminates malicious software that resides on a computer
chkconfig httpd off
disables service
PKI (Public Key Infrastructure)
enables users of a public network such as the Internet to securely and privately exchange data through the use of a pair of keys—a public one and a private one—that is obtained from a trusted authority and shared through that authority.
Social Engineering
hackers use their social skills to trick people into revealing access credentials or other valuable information
aireplay-ng
inject wireless traffic into networks
Signature Detection
involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder
QRadar
is IBM's SIEM log management, analytics, and compliance reporting platform.
ELK/Elastic Stack
is a collection of open-source tools providing SIEM functionality: Elasticsearch (indexing and search), Logstash (log collection and parsing), and Kibana (dashboards and visualization), with Beats as lightweight log shippers.
ArcSight
is a SIEM log management and analytics product, originally from HP, transferred to Micro Focus in 2017 and now part of OpenText.
Alien Vault and OSSIM (Open-Source Security Information Management)
is a SIEM product developed by AlienVault (alienvault.com/products/ossim), which markets commercial versions of it. AlienVault was acquired by AT&T and rebranded as AT&T Cybersecurity.
Graylog
is an open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps.
Unknown unknowns
is described as the domain and area of completely new attack vectors and exploits.
Splunk
is one of the market-leading big data information gathering and analysis tools.
Known unknowns
malware that signature-based tools could in principle detect but that is not caught by off-the-shelf products because its authors use obfuscation techniques (packing, encryption, polymorphism) to circumvent signature matching.
Malware
software that is intended to damage or disable computers and computer systems.
Worms
spread on their own with no human interaction needed
ifconfig eth0
tells about the network card (shows MAC)
Anomaly Detection
the process of identifying rare or unexpected items or events in a data set that do not conform to other items in the data set
Trojan Horses
malware that masquerades as a useful program or file to get the user to run it; unlike viruses and worms, Trojans do not self-replicate