3.3 IDS and SIEM


What is the purpose of SIEM?

Security Information and Event Management (SIEM) products aggregate IDS alerts and host logs from multiple sources then perform correlation analysis on the observables collected to identify Indicators of Compromise and alert administrators to potential incidents.

A user reports that an essential design draft document has disappeared and in its place is a file describing a policy violation.

Should you suspect the reporting user of having attempted to exfiltrate the data? Not necessarily. The Data Loss Prevention (DLP) solution might have been configured to quarantine the file for all users if any policy violation was detected. You should check the DLP monitor alerts or logs.

What is a blinding attack?

A blinding attack attempts to disable a NIDS either by overwhelming the sensor or the switch spanning port so that it drops packets, or by generating large numbers of false positives to overwhelm the alerting engine or make administrative oversight of the system much more difficult.

What sort of maintenance must be performed on signature-based monitoring software?

Definition / signature updates.

True or false? When deploying NIDS, the sensor and management engine must be deployed to the same host.

False - the management / alerting server can be installed on a different host and aggregate feeds from multiple sensors.

True or false? Host-based IDS cannot be combined with network-based IDS.

False; though products from different vendors may not be interoperable.

What are examples of passive detection?

Logging or alerting intrusion incidents.

How could out-of-band IDS monitoring be configured and what advantage would this have over in-band monitoring?

Out-of-band means configuring a link that is not shared with "ordinary" hosts on the main enterprise network. This could be established using VLANs or physically separate cabling and switches. Out-of-band monitoring reduces the chance of an adversary being able to compromise the intrusion detection process.

What feature of server logs is essential to establishing an audit trail?

That the logs are tamper-proof (or at the very least tamper-evident).

What is the best option for monitoring traffic passing from host-to-host on the same switch?

The only option for monitoring intra-switch traffic is to use a spanning port.

Anti-virus software has reported the presence of malware but cannot remove it automatically. Apart from the location of the affected file, what information will you need to remediate the system manually?

The string identifying the malware. You can use this to reference the malware on the A-V vendor's site and hopefully obtain manual removal and prevention advice.

What difficulty is inherent in monitoring the way users exercise privileges granted to them (to access particular files for instance)?

This is likely to generate a large amount of raw data (numerous events), which will be difficult to analyze.

If you suspect a process of being used for data exfiltration but the process is not identified as malware by A-V software, what types of analysis tools will be most useful?

Use a process monitor to see which files the process interacts with and a network monitor to see if it opens (or tries to open) a connection with a remote host.

If a Windows system file fails a file integrity check, should you suspect a malware infection?

Yes - malware is the most likely cause.
