Flashcards (2024-06-10T08:52:05+03:00[Europe/Moscow], en)
Start to The Diamond Model of Intrusion Analysis

  • Cybersecurity Analyst
    A senior position within an organization's security team with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that protect it. They are our network defenders, in charge of hardening and protecting our networks, servers, desktops, laptops, and any device that processes or uses our information
  • SOC
    usually exists only in larger corporations, government agencies, and health care organizations because it is expensive to maintain
  • smaller companies will get security from where?
    they will outsource and use a third-party commercial SOC to provide Security as a Service
  • 7 things a SOC must have
    authority to operate, motivated and skilled professionals, processes incorporated into a single center (make sure the SOC does not become a helpdesk or IT), equipped to perform incident response, able to protect itself and the organization at large, can separate signal from noise, collaborates with other SOCs for data sharing
  • the main point of a SOC
    should be the single point of contact for security, monitoring, and incident response
  • Security Operation Center (SOC)
    a location where security professionals monitor and protect critical information assets in an organization, where all the data comes in; think of it as a security monitoring center that looks for indicators of compromise
  • indicators of compromise
    think of them as a fingerprint of something bad
  • CISO (Chief Information Security Officer)
    leads and provides governance
  • What are some functions cybersecurity analysts perform
    implementing and configuring security controls, working in a SOC or CSIRT, auditing security processes and procedures, conducting risk assessments, vulnerability assessments, and penetration tests, maintaining up-to-date threat intelligence
  • CSIRT (Computer Security Response Team)
    people who respond to data breaches and cyber attacks
  • auditing security processes and procedures
    doing due diligence on third-party services, providing employee training, and doing assessments on your own systems
  • how to mitigate risks?
    by implementing effective security controls
  • what are security controls?
    a technology put in place to mitigate vulnerabilities and risk to ensure the confidentiality, integrity, availability, nonrepudiation, and authentication of data. Any piece of hardware or software, or a specific configuration of a device, that helps us improve our security posture.
  • CIA
    Confidentiality, Integrity, Availability
  • CIANA
    Confidentiality, Integrity, Availability, Nonrepudiation, and Authentication
  • What is the purpose of a Risk management framework?
    the purpose is so we aren't always one step behind attackers when responding. So security controls should be selected and deployed in a structured manner using a risk management framework
  • What do we use to classify different security controls
    NIST Special Publication 800-53, AKA Security and Privacy Controls for Information Systems and Organizations.
  • Technical Control or logical controls
    a type of control that can be implemented as a system (Hardware, software, firmware)
  • Managerial Control
    provide oversight of information security systems, such as risk identification using different tools; a high-level overview of our security system such as regulations, procedures, documentation, any information that helps us choose one control over another
  • Operational
    implemented by people rather than systems, such as adding security guards or training people on what to do when they get spam in their inbox
  • Administrative control
    both operational and managerial, such as a program of policies and procedures
  • Preventative control
    acts to eliminate or reduce the likelihood that an attack can succeed
  • Detective Control
    may not prevent or deter access but will identify and record any attempted or successful intrusions, such as logs that record what happened or a security camera that records as well
  • Corrective Control
    acts to eliminate or reduce the impact of an intrusion event, such as a patch management system to prevent a vulnerability from happening again
  • Physical controls
    security controls that act against in-person intrusion attempts, such as bollards, locks, security cameras, etc.
  • deterrent control
    a control that discourages intrusion attempts
  • Compensating Control
    a control that acts as a substitute for a principal control; think of not having enough money, so this is the best you can do because it is compensating
  • Responsive Control
    a system that actively monitors for potential vulnerabilities and attacks, then takes action to mitigate them before they can cause damage, such as a network firewall
  • Firewall
    monitors all incoming and outgoing traffic and blocks anything that is suspicious
  • IPS
    monitors for patterns such as repeated failed login attempts and blocks them
  • How to select security controls
    think in terms of CIA, to make sure you have proper coverage over CIA.
  • what type of control is an encrypted hard drive on a laptop?
    a confidentiality control, but not integrity or availability.
  • what type of control is digital signatures on an email?
    an integrity control, but not confidentiality or availability.
  • what type of control is a cloud product with the ability to scale up and down using elasticity to meet demands?
    an availability control
  • how can you get the whole CIA?
    you can combine different controls together, which is why you would use a risk management framework
  • how do you figure out what risk you are trying to solve?
    you ask yourself if it is a confidentiality, integrity or availability risk.
  • Which role or position maintains the overall responsibility for systems security and information assurance within an organization?
    CISO
  • Which type of control aims to minimize the impact of a security incident after it occurs?
    corrective control
  • Which security control functional type is used to identify and record any attempted or successful intrusion?
    a detective control
  • quality controls
    something done by the manufacturer to determine if the device or software solution is free from defects: does it boot up and work properly, is the device dead on arrival?
  • Verification and Validation
    when the product is software based, we use this for evaluating security controls
  • Verification
    a compliance testing process aimed at answering whether this piece of hardware or software meets the requirements of our design or framework
  • Validation
    answers the question "does it do what we want it to do?"; is this the right fit for our specific environment?
  • Assessment
    about subjecting that product to a checklist of requirements, like "is the firewall successfully configured?", "is the antivirus security suite installed on all our employee workstations?"
  • Evaluation
    more subjective; make sure the control is useful, to prove the control is properly doing its job.
  • security audits
    involve a predefined baseline and aim at finding faults of non-compliance of your environment versus that predefined baseline; a regulation check
  • continuous monitoring
    a process for continuous risk assessment; track anything that can be involved in a security incident, anything related to network traffic, data exposure, host endpoints, business operations; a proactive method that is costly and requires well-trained and well-paid staff; keeps most staff at bay
  • Defense in Depth
    designing network or cyber security in different layers of defense, so if one layer is bypassed, the next control might succeed in protecting; have multiple firewalls from multiple vendors for more complexity; "designed for when you will be compromised"
  • Personnel
    people require training sessions, awareness, and multifactor authentication implemented across the entire company
  • separation of duties
    no single person will have enough permission to do whatever they want.
  • third party consultant
    will have some access to your network; consider them a potential threat, don't give more permissions than needed
  • Mandatory Vacations
    critical to avoid fraud and misuse of resources; probably two weeks or a month of mandatory vacation so any attempts at misuse of resources could be detected
  • Succession planning
    must plan for situations when key employees are lost forever, for any reason; what happens if one system admin had access to everything and is then let go, what do you do then?
  • Job descriptions
    can contain a lot of information about the network vendor, devices, technology, and protocols, which can be leaked to attackers through postings
  • business processes in your company
    how is the data flowing? what people are involved? how is the data handled? how is it stored and transported? look for weaknesses, learn from trends and improve
  • Technology in your company
    look for what components of software or hardware can be improved, replaced, upgraded, or chained to improve security posture; Security as a Service to improve security posture
  • Networking in your company
    review your network design, segment your network into as many parts as you can with VLANs, switches, routers, and access rules, know how the traffic is flowing, remember how segmentation will help you isolate separate parts, use SDN
  • what is SDN
    Software Defined Networking, which means everything you designed as a network is designed in code so you can reconfigure it on the fly, automatically
  • Air gapped Network
    completely disconnected at a physical level, from the internet as well; extreme; can't update so easily, can't do remote access; stuff on that network can be a real security risk if exposed
  • Configuration Baseline
    you define what is normal so when something goes wrong you should be able to detect it; this is what things should look like when things are okay, when things are normal. Any new changes should have a baseline attached
  • Detect Anomalies and Misconfigurations
    harder when the configuration baseline is not known
  • System hardening
    reduce the attack surface; a generic term for implementing some measures to secure what's left running
  • Embedded Systems and IoT devices
    difficult to secure when most don't have administrative interfaces that allow you to overwrite the firmware or update the software; might need compensating controls
  • Configuration Hardening
    deactivating non-critical components, disabling unused accounts, patching and updating, restricting peripherals, user permissions, ACLs on resources, installing a security suite
  • Patching and Updating
    the number one solution for most remediations; exploits often target known and patched vulnerabilities
  • some examples of automatic patching solutions
    Windows Update, WSUS, APT, YUM
  • WSUS (Windows Server Update Services)
    automated patch installation method that provides a local repo of patch info for Windows
  • APT (Aptitude Package Manager) and YUM
    automated patch installation for Linux
  • what is Security Intelligence?
    the process where data is generated and is then collected, processed, analyzed, and disseminated to provide insights into the security status of information systems. Think inward, about how our own systems are looking
  • What is Cyber Threat Intelligence?
    the investigation, collection, analysis, and dissemination of information about emerging threats and threat sources to provide data about the external threat landscape. Think outward: malware outbreaks, hacker groups, zero-day exploits, etc.
  • what are the two forms cyber threat intelligence can come to us?
    narrative reports and data feeds
  • what is a narrative feed?
    a written report that is an analysis of a certain adversary group or a certain type of malware, created manually by a threat analyst; sold to different SOCs around the world, and useful at the strategic level because it allows you to decide where to put money. Big picture
  • what is a data feed?
    a list of known bad indicators: indicators of compromise, domain names, IP addresses, hashes of exploit or malware code. This is tactical-level information that allows us to be very operational and do something with the data, like block it. Specific.
  • why an intelligence cycle?
    because intelligence is a process: you have to plan to collect the data, collect the data, go through it, etc.
  • what is the intelligence cycle?
    Requirements (planning and direction), Collection (and processing), Analysis, Dissemination, Feedback
  • Requirements (planning and direction)
    sets out the goals for the intelligence gathering effort; need to figure out what we want to collect and what to spend time, money, and resources on gathering. What are the things we want to measure? what can and cannot be collected based on our government?
  • Collection (and processing)
    implemented by software tools such as SIEMs to gather data which is then processed for later analysis; need to normalize all data (make sure the data is in a standard format that a SINGLE SIEM can use), make sure data is separated by category; need to use encryption, access controls, etc. on the SIEM
  • Analysis
    performed against the given use cases from the planning phase and may utilize automated analysis, AI, and machine learning to separate data into known good, known bad, and unsure; uses AI to process the data
  • Dissemination
    publishes information produced by analysts to consumers who need to act on the insights developed; break it down into strategic, operational, and tactical levels of intelligence
  • What is Operational Intelligence
    intelligence that addresses the day-to-day priorities of managers and specialists; often a checklist of things to worry about and focus on today
  • What is Strategic intelligence
    addresses broad themes and objectives over weeks, months, and years; a report done for executives, or a PowerPoint
  • What is tactical intelligence
    informs real-time decisions made by staff as they encounter alerts and system indications
  • What is feedback and review
    aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs; how to do things better over time, such as lessons learned, measuring success, and evolving threat issues
  • What are the factors to weigh the value of intelligence
    timeliness, relevancy, accuracy, and confidence level
  • What is Timeliness
    ensures an intelligence source is up to date.
  • What is Relevancy?
    ensures an intelligence source matches its intended use case
  • What is accuracy?
    ensures an intelligence source produces effective results
  • what is confidence levels?
    ensures an intelligence source produces qualified statements about reliability
  • What is the MISP Project?
    used to grade data with estimative language; evaluates based on source reliability and information content
  • What is proprietary threat intelligence
    provided as a commercial service offering where access to updates and research is subject to a subscription fee
  • what is Closed sourced threat intelligence?
    data derived from the provider's own research and analysis efforts, such as data from honeynets that they operate plus mined customer data
  • What is open source threat intelligence
    data that is available without paying
  • What is US-CERT
    a US open-source intelligence source
  • What is UK’s NCSC
    National Cyber Security Centre; provides services like US-CERT
  • What is AT&T Security
    open-source intelligence
  • What is MISP
    Malware Information Sharing Project, an open-source intelligence feed
  • where to upload files you are not sure of?
    VirusTotal, to check if a file is a virus
  • what is Spamhaus
    focuses on spam
  • what are Threat feeds?
    they are a form of explicit knowledge, which means you can write it down, see, feel, and touch it.
  • what is implicit knowledge
    knowledge gained only by experience; can't be written down, only something you know based on years of experience