Chapter 7 - Security Assessment Techniques
Gartner
A research and advisory firm that coined the term SOAR to describe platforms used for threat and vulnerability management, security incident response, and security operations automation.
Threat Hunting
A proactive approach that aims to find an attacker who is already in the environment before any alert is triggered.
Syslog
A standard for message logging that is available on most network devices (switches, routers, and firewalls) and on Unix and Linux systems. Syslog servers (collectors) listen for messages from syslog clients and record them; each message carries a priority value that encodes its facility and severity.
Fusion Analysis
Analysis that combines internal telemetry (SIEM alerts, raw logs) with external threat data to produce more meaningful insight than either source gives alone.
SIEM System
Aggregates syslog and other log data from many sources into one place for correlation and alerting.
Internal Threat Data
Alert and event data from SIEM and other raw logs.
Reactive Approach
An approach that acts only after data indicating an incident (such as a SIEM alert) is available; the opposite of proactive threat hunting.
Web- application Scanners
Applies specifically to web applications. The scanner tests the running application from the outside, as an attacker would, to identify vulnerabilities; this is dynamic application security testing (DAST).
Three Basic Functions of SIEM
1. Central management of security events. 2. Collection and normalization of events to provide context and generate alerts. 3. Reporting on the data gathered from the various sources.
SOAR Solution
Combines security orchestration and automation (SOA) with threat intelligence platforms (TIPs) and security incident response platforms (SIRPs).
Cyber Kill Chain
A framework, developed by Lockheed Martin, that describes the steps or phases an attacker moves through when penetrating an environment: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
Comprehensive Vulnerability scan
Helps a company identify vulnerabilities, uncover common misconfigurations, and determine what additional security controls are required.
Attributes of Threat Hunting
Hypothesis (an educated guess about threats, based on clues); People (analysts who know the organization's environment); Assumptive (assume the organization is already breached); Iterative (frequent pivoting as findings come in).
How SIEM works
Identifies internal and external threats; monitors activity and resource usage; produces compliance reports for internal and external audits; supports incident response.
Identifying vulnerabilities
Includes identifying outdated software versions that may contain known flaws, as well as misconfigurations.
Non-Credentialed(Scan)
Less invasive and provides an outsider's point of view of the company's security. Because the scanner has limited information, it reports fewer findings: fewer false positives, but more false negatives than a credentialed scan.
Credentialed Scan (results)
Produces a more complete vulnerability scan with detailed results and far fewer false negatives. The larger number of findings means more results to validate, so it is also more likely to surface false positives.
Network Scanner
Probes hosts for open ports, catalogs information about users and groups, and looks for vulnerabilities.
Detective Approach
Relies on algorithms and rules (signatures, correlation rules) applied to collected data to find threats; contrast with hypothesis-driven threat hunting.
Log Aggregation
The SIEM combines similar events to condense data volume and increase efficiency, consolidating data so that important events are not missed.
Threat Hunting Sources
The SIEM system (internal data) and external sources (threat feeds, advisories, OSINT).
External Threat Data
Structured threat information (for example STIX) or unstructured data from security advisories, bulletins, or OSINT tools.
Intelligence Fusion
The fusing together of internal and external threat feeds.
Mitigation
The organization introduces a control that reduces the likelihood or impact of the vulnerability being exploited, without removing the vulnerability itself.
Remediation
The organization fixes the vulnerability, typically by applying a patch.
Acceptance
The organization takes no action because the risk is low.
Sentiment Analysis
The study of human emotions present within data (positive, negative, or neutral opinions/attitudes).
Goal of the Security Team
To disrupt the attacker and prevent them from moving across the attack chain.
Security Orchestration, Automation, and Response (SOAR)
Tools that aggregate intelligence from internal and external sources to provide fusion analysis and other insights, and that orchestrate and automate the response (playbooks) across security tools.
Non-Intrusive Scan
Does not exploit vulnerabilities as part of the test; helps organizations minimize disruption from vulnerability testing.
Credentialed Scan (credentials)
The scanner is given credentials (for example a username and password, or an SSH key) that enable authorized access to the system, so it can inspect the host from the inside.
False positive
A false identification of a security risk. Time-consuming to triage and a burden on IT staff.
Common Vulnerability Scoring System (CVSS)
A framework that communicates the characteristics and severity of vulnerabilities as a numeric score. EXAM ALERT: CVSS provides a score from 0.0 to 10.0 that indicates the severity of a vulnerability; CVSS v3.x maps it to qualitative ratings of None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).
Identifying common misconfigurations
Scanners identify common misconfigurations and may also be capable of remediating them.
False negative
The lack of an alert for an actual security issue; can lead to an undetected security breach.
SIEM - Events of Interest (EOI) creation
Uses pattern matching, anomaly detection, Boolean logic, and Boolean logic combined with context-relevant data to identify events of interest, then creates alerts so IT personnel can act on immediate incidents.
Passive Scanning
Poses minimal risk to the assessed environment; designed to avoid interfering with daily activities (for example, observing network traffic rather than sending probes).
Identifying a lack of security controls
Provides an opportunity to remediate vulnerabilities and weaknesses before they are exploited.
Application Scanner
Requires access to the application's source code and tests the application from the inside; this is static application security testing (SAST). Because it analyzes code rather than a running system, it can be applied to any application for which the source is available.
Log Collectors
Responsible for aggregating and ingesting data from devices, including security devices, network devices, servers, and applications, and forwarding it to the SIEM.
Network Vulnerability Scanner
A software utility that scans a range of IP addresses, testing each host for the presence of known vulnerabilities.
Common Vulnerabilities and Exposure(CVE)
A standard for identifying publicly known vulnerabilities, designed so that vulnerability databases and tools can be linked together. Each entry has a unique identifier of the form CVE-YYYY-NNNNN, assigned by a CVE Numbering Authority (CNA), which is often the affected vendor. EXAM ALERT: CVE is a list of publicly known vulnerabilities, each with an ID number, a description, and at least one public reference.
Security Information and Event Management(SIEM)
Stores a large amount of event data and turns it into knowledge that can be acted upon.
Intrusive Scan
Verifies vulnerabilities by trying to exploit them. Execute with care: it can cause damage or disrupt systems.
US Government Facts on Security Assessments
Vulnerabilities are described using the Open Vulnerability and Assessment Language (OVAL), originally sponsored by the Department of Homeland Security's National Cyber Security Division (NCSD). OVAL is intended as a standardized, machine-readable language for describing vulnerabilities across tools and organizations.