Cybersecurity Operations

Ace your homework & exams now with Quizwiz!

Probabilistic analysis

Estimates the potential success of an exploit by estimating the likelihood that if one step in an exploit has successfully been completed that the next step will also be successful

Deterministic analysis

Evaluates risk based on what is known about a vulnerability

Benign events

Event that should not trigger alerts

A benign event should trigger an alert T/F?

False

Which type of incident has occurred when nothing is reported, however an exploit has occurred?

False negative

Which type of alert has happened when an alert is received, but no incident has occurred?

False positive

False positives are desirable T/F?

False, although they do not indicate that an undetected exploit has occurred, they are costly since cyber analysts must investigate any "False-alarms"

True negatives are not desireable T/F?

False, true negatives are desireable because they indicate that benign normal traffic is correctly ignored, and erroneous alerts are not being issued

Zeek

Formerly known as Bro which is a NIDS that uses more of a behavior-based approach to intrusion detection

Three core functions of Security Onion:

Full packet capture and data types, network-based and host-based intrusion detection systems, and alert analyst tools

RT

Real-time

Probabilistic analysis is useful in which network security analysis scenario?

Real-time network security analysis

HTTP, DNS, and TCP transactions

Recorded by Zeek and pcaps

content:

Refers to content of the packet

What does the variable present in the Rule Options?

Represents the portion of the rule that is enclosed in parenthesis

What additional features can Suricata include?

Reputation-based blocking and support for Graphics Processing Unit (GPU)

True positives are the desired type of alert T/F? and what does this mean?

True, this means that the rules that generate alerts have worked correctly

Alert ID

Two-part number that represents the sensor that has reported the problem and the event number for that sensor

Snort includes a set of default categories that have one of ______ priority values a.) Two b.) Three c.) Four d.) Five

c.) Four

The values for these variables are configured in the which snort file?

snort.conf

The alert will be sent if what literal text appears anywhere in the packet data?

uid=0(root)

Detection rules should be overly conservative T/F?

True

Two categories of an alert that was not generated

True and False negative

Alerts can be classified in which two categories?

True and False positive

Which type of alert would have no incident reported and no incident has occurred?

True negative

Which type of alert is it when an alert is received, and an exploit has been verified?

True positive

Which variables appear in the snort rules?

$HOME_NET and $EXTERNAL_NET

Rule Header

Contains the action to be taken, source and destination addresses and port, and the direction of traffic flow

With CNT, the system has determined that this set of events is:

Correlated

Three common sources for Snort rules are:

- GPL - ET - VRT

Fields available for the real-time events:

- ST - CNT - Sensor - Alert ID - Date/Time - Event Message

Security Onion Analysis Tools:

- Sguil - Kibana - Wireshark - Zeek

The Five-tuples of alert information includes the following:

- SrcIP - SPort - DstIP - DPort - Pr

Four priority levels:

1. Very low 2. Low 3. Medium 4. High

Snort

A Network Intrusion Detection System (NIDS) that is a important source of alert data that is indexed in the Sguil analysis tool

classtype:

A category for the attack

Zeek

A network traffic analyzer that serves as a security monitor

While detecting with CNT, What do the high numbers represent about the event?

A security problem or the need for tuning of the event signatures to limit the number of potentially spurious events that are being reported

sid:

A unique numeric identifier for the rule

CapME

A web application that allows viewing of pcap transcripts rendered with the tcpflow or Zeek tool

Rule Location

Added by Sguil to indicate the location of the rule in the Security Onion file structure and in the specified rule file

What does Kibana allow?

Allows querying of NSM data and provides flexible visualizations of data

Native multithreading

Allows the distribution of packet stream processing across multiple processor cores

False Negative

An undetected incident has occurred

Detection modules:

CapME, Snort, ZeekBRO, OSSEC, Wazuh, Suricata

What features does Kibana provide?

Data exploration and machine learning data analysis

Analysis assumes that all of the information to accomplish an exploit is known

Deterministic

Analysis can only describe the worst case

Deterministic

Assumes that for an exploit to be successful all prior steps in the exploit process must also be successful

Deterministic

What are two general approaches used to evaluate risks of exploits?

Deterministic and probabilistic analysis

When true positives are suspected, a cybersecurity analyst is sometimes required to

Escalate the alert to a higher level for investigation

Which types of endpoint mechanisms does Wazuh provide?

Host logfile analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response

The available sensors and their identifying numbers can be found where in the Sguil Window?

In the Agent Status tab of the pane which appears below the events window on the left

Where can the associated rule can be viewed in Sguil Window?

In the right-hand pane, just above the packet data

Rule Options

Includes the message to be displayed, details of packet content, alert type, source ID, and additional details, such as a reference for the rule or vulnerability

Excess benign events

Indicate that some rules or other detectors need to be improved or eliminated

What can Snort also allow?

Individual IP addresses, blocks of addresses, or lists of either to be specified in rules

What can a cybersecurity analyst also be responsible for?

Informing security personnel that false positives are occurring to the extent that the cybersecurity analyst's time is seriously impacted

Wazuh

Is a HIDS that will replace OSSEC in Security Onion. It is a full-featured solution that provides a broad spectrum of endpoint protection mechanisms including

ET (Emerging Threats)

Is a collection point for Snort rules from multiple sources

False negatives are dangerous T/F?

True, they indicate that exploits are not being detected by the security systems that are in place

OSSEC

Is a host-based intrusion detection system (HIDS) that is integrated into Security Onion and actively monitors host system operations, including conducting file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection

Wireshark

Is a packet capture application that is integrated into the Security Onion suite and can be opened directly from other tools and will display full packet captures relevant to an analysis

Kibana

Is an interactive dashboard interface to Elasticsearch data

Security Onion

Is an open-source suite of Network Security Monitoring (NSM) tools that run on an Ubuntu Linux distribution

reference:

Is often a link to a URL that provides more information on the rule

Sensor

Is the agent reporting the event

Date/Time

Is the timestamp for the event, usually for the first event

What does deterministic analysis assume?

It assumes that for an exploit to be successful all prior steps in the exploit process must also be successful

Syslog messages

Multiple sources

Suricata uses what type of threading method?

Native multithreading

True Negative

No security incident has occurred. The activity is benign

What are security alerts?

Notification messages that are generated by NSM tools, systems, and security devices

HIDS

OSSEC, Wazuh

Asset management and monitoring

Passive Asset Detection System (PADS)

Analysis assumes that port numbers that will be used by an exploit can only be predicted with some degree of confidence

Probabilistic

Analysis estimates the likelihood that an exploit has been ultimately successful

Probabilistic

Analysis is useful in real time network security analysis in which numerous variables are at play

Probabilistic

Emerging Threats is a division of which incorporation?

Proofpoint Inc.

What does Sguil provide in Security Onion?

Provides a console that integrates alerts from multiple sources into a timestamped queue

Sguil

Provides a high-level console for investigating security alerts from a wide variety of sources and serves as a starting point in the investigation of security alerts

Alerts can be generated based on what values?

Rules, signatures, anomalies, or behaviors

How can the ranges of ports be specified

Separates the upper and lower values of the range with a colon

The GPL ruleset can be downloaded from the ____________ website and it is included in ________________

Snort, Security Onion

NIDS

Snort, Zeek, and Suricata

Older Snort rules that were created by which program and distributed under a which GPL?

Sourcefire, GPLv2

Security Onion can be installed as which two platforms?

Standalone installation or as a sensor and server platform

What does Probabilistic analysis rely on?

Statistical techniques that are designed to estimate the probability that an event will occur based on the likelihood that prior events will occur

msg:

Text that describes the alert

The identifying numbers can also be used in which area of the Sguil Window?

The Alert ID column

Pr

The IP protocol number for the event

In order to display the associated rule, which checkbox needs to be selected?

The Show Rule checkbox

Alert

The action to be taken is to issue an alert, other actions are log and pass

False Positive

The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger

True Positive

The alert has been verified to be an actual security incident

When using Sguil in Security Onion, instead of using a dedicated workflow management system such as Request Tracker for Incident Response (RTIR), what would a cybersecurity analyst use to orchestrate an NSM investigation

The analyst would an output of an application such as Sguil

CNT

The count for the number of times this event has been detected for the same source and destination IP address

DstIP

The destination IP for the event

DPort

The destination Layer 4 port for the event

->

The direction of flow is from the source to the destination

How does CNT report events?

The field lists the events once with the number of times it has been detected in this column

Event Message

The identifying text for the event

ip

The protocol

rev:

The revision of the rule that is represented by the sid

Two sections of a snort rule:

The rule header and the rule options

SPort

The source (local) Layer 4 port for the event

SrcIP

The source IP address for the event

the sid is hyperlinked to which source on the internet

The source of the rule

any any

The specified source or destination is any IP address and any Layer 4 port

ST

The status of the event

What does the variable in the Rule Options contain?

The text message that identifies the alert, metadata about the alert, such as a URL that provides reference information for the alert, the type of rule, and a unique numeric identifier for the rule and the rule revision

What do variables do in the snort rule?

They simplify the creation of rules by eliminating the need to specify specific addresses and masks for every rule

Suricata

Uses a signature-based approach and can also be used for inline intrusion prevention

What is the structure of the options section of the rule?

Variable

Snort uses _____________ to represent internal and external IP addresses

Variables

When can an RSA occur?

When newly obtained rules or other threat intelligence is applied to archived network security data

Which detection module can Suricata be similar to?

Zeek

ET rules are open source under a _____________ license a.) BSD b.) GNU GPL

a.) BSD

Rule Location is sometimes added by a.) Sguil b.) Snort c.) Wireshark d.) Zeek

a.) Sguil

Alerts will generally include _____-tuples information when available a.) Two b.) Three c.) Five d.) Seven

c.) Five


Related study sets

Global Environment of Business Test 2

View Set

Ch 3: 21st century thinking about leadership and management

View Set

Career Planning and Development-Planning Your Career

View Set

CH 36 Care of patients with Dysrrhythmias

View Set

ANSI 3903 Chapter 15- Buffaloes, Camels, Lamoids, yaks

View Set

Chapter 9: Choosing Your Courses and Major

View Set