Start to The Diamond Model of Intrusion Analysis Test and Flashcards

Cybersecurity Analyst

A senior position within an organization security team with direct responsibilities for protecting sensitive information and preventing unauthorized access to electronic data and the systems that protect it. They are our network defenders, in charge of hardening and protecting our networks, server, desktops, laptop, any device that processes or use our information

SOC

usually exists for larger corporations government agencies, and health care organizations because expensive to maintain

smaller companies will get security from where?

they will outsource and use third party commercial SOC to provide Security as a Service

7 things a SOC must have

authority to operate, have motivated and skilled professionals, incorporate processes into a single center (Make sure SOC does not become a helpdesk or IT), equipped to preform incident response, be able to protect itself and the organization as large, can separate signal from the noise, collaborate with other SOCs for data sharing

the main point of a SOC

should be the single point of contact for security, monitoring, and incident response

Security Operation Center (SOC)

a location where security professionals monitor and protect critical information assists in an organization, where all the data comes in, think of it a security monitoring center to find indicators of compromise

indicators of compromise

think of it as a fingerprint of something bad

CISO (Chief Information Security Officer

lead and provide governance,

What are some functions cybersecurity analyst preform

implement and configure security controls, working in a SOC or CSIRT, auditing security processes and procedures, conducting a risk assessment, vulnerability assessment, and penetration tests, maintain up-to-date threat intelligence

CSIRT (Computer Security Response Team)

People who respond to data breaches, and cyber attacks

auditing security processes and procedures

doing due diligence on third party services, providing employee training and doing assessments on your own systems

how mitigate risks?

implementing effective security controls

what are security controls?

a technology put in place to mitigate vulnerabilities and risk to ensure the confidentiality, integrity, availability, nonrepudiation, and authentication of data. any piece of hardware or software or a specific configuration of a device that helps us improve our security posture.

CIA

Confidentiality, Integrity Availability

CIANA

Confidentiality, Integrity Availability, Nonrepudiation, and authentication

What is the purpose of a Risk management framework?

the purpose is so we aren’t always one step behind attackers to response. So, Security controls should be selected and deployed in a structured manner using a risk management framework

What do we use to classify different security controls

NIST Special publication 800-53 AKA Security and privacy controls for information systems and organizations.

Technical Control or logical controls

a type of control that can be implemented as a system (Hardware, software, firmware)

Managerial Control

provide oversight over information security systems, such as risk identification, using different tools, high level overview of our security system such as regulations, procedures, documentation any information that help us choose one control over another

Operational

implemented by people rather than systems such as adding security guards, provide training to people what to do when they get a spam in their inbox

Administrative control

both operational and managerial, such a program like policies and procedures

Preventative control

acts to eliminate or reduce the likelihood that an attack can succeed

Detective Control

may not prevent or deter access but will identify and record any attempted or successful intrusions such as logs to record what happened or a security camera to record as well

Corrective Control

acts to eliminate or reduce the impact of an intrusion event such as a patch management system to prevent an vulnerability from happening again

Physical controls

security control that acts against in-person intrusion attempts such as bollard, locks, security cameras etc.

deterrent control

control that discourages intrusion attempts

Compensating Control

control that as a substitute for a principal control, think of not having enough money, but this is the best you can do because it is compensating

Responsive Control

a system that actively monitors for potential vulnerabilities and attacks, then takes actions to mitigate them before they can cause damage such as a network firewall

Firewall

monitors all incoming and outgoing traffic and blocks anything that is suspicious

IPS

monitors for pattens such as repeated failed login attempts and block

How to select security controls

think in terms of CIA. to make sure have proper coverage over CIA.

what type of control is a encrypted hard drive on a laptop?

a confidentiality control, but not integrity and availability.

what type of control is digital signatures on an email?

a integrity control, but not confidentiality and availability.

what type of control is a cloud product with the ability to scale up and down using elasticity to meet demands?

an availability control

how can you get the whole CIA?

you can combine different things together and is why you would use a risk management framework

how do you figure out what risk you are trying to solve?

you ask yourself if it is a confidentiality, integrity or availability risk.

Which role or position maintains the overall responsibility for systems security and information assurance within an organization?

CISO

Which type of control aims to minimize the impact of a security incident after it occurs?

corrective control

Which security control functional type is used to identify and record any attempted or successful intrusion?

a detective control

quality controls

something done by the manufacturer, to determine if the device or software solution is free from defects, does it boot up and work properly, is device dead on arrival?

Verification and Validation

when the product is software based, we use this for evaluating security controls

Verification

a compliance testing product, aimed to answer question if this piece of hardware or software, meet the requirement of our design or framework

Validation

answers the question does it do what we want it to do, is this the right fit for our specific environment.

Assessment

about subjecting that product to a checklist of requirements like is the firewall successfully configured, is the antivirus security sweet installed on all our employee workstations

Evaluation

more subjective, make sure the control is useful, to prove the control is properly doing its job.

security audits

involved a predefined baseline and aimed to finding faults of non compliance of your environment versus that predefined base line. a regulation check

continuous monitoring

a process for continuous risk assessment, track anything that can be involved in security incident, anything related to network traffic, data exposure, host endpoints, business operations, a proactive method that is costly and cost well trained and well paid staff, keep most staff at bay

Defense in Depth

designing network or cyber security in different layers of defense, so if one layer is bypassed, the next control might succeed in protection, have multiple firewalls from multiple vendors for more complexity, “Designed for when you will be compromised”

Personnel

people require training session, awareness, implementing multifactorial authentication into entire company,

separation of duties

no single person will have enough permission to do whatever they want.

third party consultant

will have some access to your network, consider as a potential threat, don't give more permissions than needed

Mandatory Vacations

critical to avoid fraud and misuse of resources, prob for two weeks or a month of mandatory vacations so any attempts of misuse of resources could be detected

Succession planning

must plan for situations for when key employees are lost forever, for any reason, what happens if one system admin had access for everything and then is let go, what to do then?

Job descriptions

can contain alots of information about the network vendor, devices, technology, protocls, can be leaked to attackers through postings

business processes in your company

how is the data flowing? what people is involved, how is the data handled?, how it is stored and transported, look for weaknesses, learn from trends and improve

Technology in your company

Look for what components of software or hardware can be improved or replaced, upgraded, chain to improve security posture. Security as a service to improve security posture

Networking in your company

Review your network design, segment your network as many parts as you can with VLANS, switches, routers, access rules, know how the traffic is flowing, remember how segmentation will help you isolate separate parts, use SDN

what is SDN

Software defined networking, means everything you designed as a network is designed in code so you can reconfigure it on the fly, automatically

Air gapped Network

completely disconnected at a physical level, from the internet as well, extreme, can update so easily, cant do remote access, stuff on that network can be a real security risk if exposed

Configuration Baseline

You define what is normal so when something goes wrong, you should be able to detect it, this is what things should look like when things are okay when things are normal. Any new changes should have a base line attached

Detect Anomalies and Misconfigurations

harder when configuration baseline is not known

System hardening

Reduce the attack surface, generic term and implementing some measures to secure what’s left running

Embedded Systems and IoT devices

difficult to secure when most don't have administrative interfaces that allows to overwrite the firmware or update the software, might need compensating controls

Configuration Hardening

Deactivating Non critical components, disable unused accounts, patch and update, restrict peripherals, users permissions, ACL on resources, Install Security Suite

Patching and Updating

the number one solution for most remediations, exploits often target known and patched vulnerabilities

some examples of automatic patching solutions

Windows Update, WSUS, APT, YUM

WSUS (Windows Server Update Services)

automated patch installtion method and provides local repo for patch info for WINDOWS

APT (Aptitude Package Manager) and YUM

automated patch installation for LINUX

what is Security Intelligence?

the process where data is generated and is then collected, processed, analyzed and disseminated to provide insights into the security status of information systems. Think inwards about how our systems are looking

What is Cyber Threat Intelligence?

The investigation, collection, analysis, and dissemination of information about emerging threats and threat sources to provide data about the external threat landscape. think outward, malware outbreaks, hacker groups, zero day exploits, etc

what are the two forms cyber threat intelligence can come to us?

Narrative reports and data feeds

what is a narrative feed?

a written report that is a analysis of a certain adversary group or certain type of malware, created manually by a threat analyst. sold to different SOCs around the world, and is useful at the strategic level because allows to to decide where to put money. big picture

what is a data feed?

a list of known bad indicators, indicators of compromises, domain names, IP addresses, hashes of exploit malware code. this is tactical level information that allows us to be very operational to allow us to do something with the data like block it. Specific.

why an intelligence cycle?

because intelligence is a process you have to collect the data, plan to collect the data go through it, etc

what is the intelligence cycle?

Requirements (Planning and direction), Collection (and processing), Analysis, Dissemination, Feedback

Requirements (planning and direction)

Sets out the goals for the intelligence gathering effort. need to figure out what we want to collect, what to spend time money and resources on gathering. What are the things we want to measure? what can and cannot collect base on our government?

Collection (and processing)

implemented by software tools such as SIEMs to gather data which is then processed for later analysis. need to normalize all data (make sure the data into a standard format where a SINGLE SIEM can use the data), make sure data is separated by category. need to use encryption, access controls etc on the SIEM

Analysis

Performed against the given use cases from the planning phase and may utilize automated analysis, AI and machine learning. to separate into known good, known bad and unsure, uses AI to process the data

Dissemination

Publishes information produced by analysts to consumers who need to act on the insights developed. Break it down into Strategic, Operation, and tactical levels of intelligence

What is Operational Intelligence

intelligence that addresses the day to day priorities of managers and specialist, often a check list of things to worry and focus on today

What is Strategic intelligence

address broad themes and objects over weeks months and years, as report done to executives, or a PowerPoint

What is tactical intelligence

informs real time decisions made by staff as they encounter alerts and system indications

What is feedback and review

Aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs. how to do things better overtime. such as lessons learned, measure success and evolving threat issues

What are the factors to weigh the value of intelligence

Timeliness, relevancy, accuracy, and confidence level

What is Timeliness

Ensures an intelligence source is up to date.

What is Relevancy?

Ensures an intelligence source matches its intended use case

What is accuracy?

ensures an intelligence source produces effective results

what is confidence levels?

Ensures an intelligence source produces qualified statements about reliability

What is the MISP Project?

used to grade data and estimative languages, evaluates base on source reliability and information content

What is proprietary threat intelligence

provided as a commercial service offering where accesses to updates and research is subject to a subscription fee

what is Closed sourced threat intelligence?

data derived from the providers own research and analysis efforts, such as a data from honeynets that they operate plus mined customer data

What is open source threat intelligence

data that is available without paying

What is US-CERT

an US Open- source intelligence

What is UK’s NCSC

National Cyber Secuirty Centre, provides services like the US-CERT

What is AT&T Security

open source intelligence

What is MISP

Malware information sharing project, open source intelligence feed

where to upload files you are not sure of?

VirusTotal to check if any file is a virus

what is SpamHuas

focuses on Spam

what are Threat feeds?

they are a form of explicit knowledge, which means you can write down, see feel touch.

what is implicit knowledge

knowledge gain only by experience, can write down, only something you know based on years of experience

what is OSTINT

A method of obtaining information about a persons organization through public records, websites and social media

what are ISACS?

non profits organization that share security intelligence. they gather information directly from good people working in their specific industries, their info are very specific and very relevant.

What are examples of ISACs for different industries

there are ISACS for health care, financial sectors, aviation sector, government sector, and even elections, etc.

what part of the Threat Intelligence Circle do ISACs and sharing intelligence fall into?

fall into Dissemnation phase

What are the use cases for sharing intelligence information?

use cases are Risk management, Security Engineering, Vulnerability Management, and Detection and Monitoring.

How does Risk management and Security Engineering play with sharing intelligence?

you share information to upgrade themselves, choosing the right security controls and software development security. to reduce attack surface.

How does Incidence response work with sharing security intelligence

to be better informed when bad things happen such as being compromised and under attack

How does Vulnerability management work with sharing security intelligence

this is strategic, high level/big picture, the point of vulnerability management program is to keep a close eye on your infrastructure and to identify any new vulnerabilities. it is proactive to ensure always up to date on our security posture

Detection and Monitoring with sharing intelligence

more information allows to fine tune your defenses, avoid false positives, avoid false negatives, and keep it running and up to date

How to do vulnerability management?

assign responsibilities, document everything and everything is up to date, need management support, keep inventory about our devices, our assets, collect and backup our information, then assign risks and prioritize each item, choose the right tools for assessing vulnerabilities and fix ASAP

Known threats with signatures

known threats are not enough anymore, as the level of sophistication of threats increased so much and observe its behavior than detecting signatures

what are unknown threats?

threats that wont be detected by signatures, but look for behavior because it is very advance, or is very new aka zero day which means until a patch is developed for it

what does zero day refer to?

refers to vulnerability but also the attack that exploits it

what is the Johari Window?

the 4 combinations of things that are known or unknown by us. what WE know versus what OTHERS know

what are known knowns?

these are threats we know and understand and what to do about it, we just need to act

what unknown knowns?

these are things we could understand, but are not aware of. it is knowledge that you don't know that it exists, such as zero days

what are unknown unknown?

these are those we don't even know how little we known. these are attacks we are not even aware they exists

what are bug Bounties?

They are rewards for finding and reporting vulnerabilities in software products of a company.

What are APTs

Advanced Persistence, Threats. They use advanced tools, coordinated group, designed to be undetected and are malicious actor, they remove all traces they are well funded government support

Bad Actors

Organized Crime for financial gain, Cyberterrorism not for financial gain, Hacktivists driven by moral justice, Nation states are state sponsored for military advantage, Script Kiddies are people who are beginner hackers who only use scripts not knowledgable, Recreational Hackers do it for recreational, Professional hackers who work under contractual agreements, Suicide Hackers are people who have nothing to lose and does not care if caught, Insider threats are colleagues who have access to systems

Insider threats

Intentional or unintentional, dangerous access already granted, anger, financial gain etc, Shadow IT

Shadow IT

integrating devices software, cloud services into the company without the knowledge of IT, such as hidden switches on wireless access points, or cloud services store all configuration data on drobox

Commodity Malware

available to everyone, most common type of malware, still dangerous as people don't use antivirus

Signature Based Detection

checks the byte patten in files, processes, packets to recognize malware. Tougher with encrypted data. still widely used

How can Malware avoid Detection?

create a malware that has no signature match or too complex that requires context and multiple signature

What are Indicators of Compromise (IoC)?

Look for abnormal behavioral and stop looking for signatures. such as URLs, new files, file execution, a process running in memory, a file signature indicating a RAT, file hashes, Registry entries, Too much Resources, new apps, protocols, new devices, exfiltration

Automated HIPs/HIDS, Correlation SIEMs, Good or bad checking

to identify IoCs

what is the Reputational Method

associate a IoCs with some reputation data, asking if this IoCs has ever been connected to an attack such as IP addresses, URLs, File Hashes, Email Body (to detect Spam), checking Reputational databases provided by major vendors

What is the Behavior Method

used to determine if IoCs is good or bad. What does it do (connections, files, settings) correlate IoCs to attack patterns, they check what is happening and if it looks like its an attack.

What is Baselining

defining what is “normal’ to determine what strays from the normal, in behavior method.

What does TTPs stand for?

Attack Tactics, Techniques, and Procedures used by a hacker to conduct an attack, only for known attacks

TTP for DDOS

connecion distribution, see high amounts of traffics

TTP for Malwares/worms

Look for high Resource usage, high memory, high disk use

TTP for Reconnaissance

Connection patterns, Check if we are being scanned, short lived connections, or trying to connect on large number of ports

TTP for APTs

check for remote control traffic, Port hopping which looks like quick and random changing of ports for identical connections. Check for Fast Flux DNS which is quick changes in DNS resolved addresses. Check for Data Exfiltration: sensitive data or files leaving the network

Threat Modeling

the overarching concept that compasses Attacks, Signatures, Reputation, IoCs and more

What is STIX

is the one standardized way of describing the relationships with information sharing, IoCs, and dissemination.

What does STIX stand for?

it stands for Structured Threat Information Expression. Version 2 based on JSON.

What are SDOs

STIX domain Objects make up STIX. such as observed data, indicators, TTP (attack patterns), Campaigns, Threat Actors. COA (Course of action, or what can you do to resolve)

What is TAXII protocol

a protocol to transport the STIX threat intelligence. basically a REST API that transport threat information over HTTPs

What the two defined services used in TAXII for sharing information

a Collection which means data can be requested by the client and data is stored in a database or repository. a Channel relies on data being pushed to client instead of being requested so clients just subscribe to a TAXII data feed whenever new information gets pushed to clients.

what is MISP

an open source threat sharing platform

what is a Attack framework?

it is a standardized way of describing what's happening before, during and after an attack. who is the attacker, what kind of resources are being attacked, and how the attack is being conducted

how does knowing the attack framework help us?

it helps us with Threat Modeling, as end of day, it is a way of describing an attack

What is the Lockheed Martin Cyber Kill Chain?

Defines the attack phases (lifecycle), mainly to APTs, goes into IoCs, TTPs, mitigation methods, to reconstruct an attack after it already happens, and campaign analysis

order in The Cyber Kill chain

Reconnaissance (attacker gets to know you), Weaponization (attacker chooses or develops the exploit in order to get ready to attack), Delivery (delivery's the weaponized bundle via email web, USB, etc), Exploitation (Attacker exploits a vulnerability to execute code on victims system, may be remotely activated or automatically TO GAIN ACCESS), Installation (Install malware on the asset such as creating new user, new firewall rules to allow attacker access, attacker feels as home), C2 (Command and Control phase, Command channel for remote manipulation of victims), Actions on Objective ( Attacker can complete orginal goal or goals

a downside of Cyber Kill chain

because the model is so focused on outsider threat, it ignores insider threats and cloud environments as well, harder to determine what phase of attack you are currently in if attacker erases their tracks. too simple

- main method of defending in cyber kill chain reconnaissance phase

Reduce Attack surface, Dont overshare info

- main method of defending in cyber kill chain Weaponization phase

Update patch and fixes, install technical controls to prevent

- main method of defending in cyber kill chain Delivery phase

Mass storage restrictions and user training

- main method of defending in cyber kill chain Exploitation phase

Update, Patch, fix, repeat, Disable unnesccary services

- main method of defending in cyber kill chain Installation phase

Endpoint Security, User Awareness

- main method of defending in cyber kill chain Command and Control (C2) phase

Endpoint security and filtering outbound traffic

- main method of defending in cyber kill chain Actions on Objective phase

Access control systems aka read only, DLP solutions, usually not much to do

what is the ATT&CK framework (MITRE)

a database of cyberattack tactics and techniques used to developed threat models

what is purpose of ATT&CK framework

to analyze the attack and check what applies to you and how to mitigate them, basically like see what's happening to you, and check this framework to see the mitigation options available for your specific scenario

Diamond Model of Intrusion Analysis

focuses on a single intrusion event, by describing the relationships between 4 core features, Adversary, Capability, Victim and Infrastructure. Given enough information, the analyst is able to reach the other connected points.

the issue with the Dimond model

seems very oversimplified and each point has additional meta features as well. actually is overcomplicated, but designed for automatic processing, used by machines

What are Diamond Model Activity Threads

they show how an attacker behaves during an attack. multiple threads are possible for multiple attackers and victims

Why are Diamond threads important

because they show when an attacker pviots within the network and compromised additional targets in the same environment

Flashcards: Start to The Diamond Model of Intrusion Analysis