On Linux, where would you look for unauthorized changes to user accounts or group membership?
User and group settings are stored in the /etc/passwd and /etc/group configuration files on Linux systems.
What is the role of governance teams?
Governance teams are responsible for creating and maintaining organizational policies used to direct the work of technical teams. Governance defines the organization's expectations of its employees and its approach to cybersecurity.
What are cybersecurity service-level objectives (SLOs)?
Standards that organizations and their leadership must meet to ensure the security of their network.
What are the 4 risk responses?
Avoid, Accept, Mitigate, Transfer
What is threat modeling?
The process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system.
What are the 3 security control classes?
Technical, Operational, Managerial
Describe Technical security control
Also called logical controls; implemented as a system (hardware, software, or firmware).
Describe Operational security control
Implemented by people rather than systems (security guards and training programs).
Describe Managerial security control
Gives oversight of the information system (risk identification, or a tool allowing the evaluation and selection of other security controls).
What are the 5 security control function types?
Preventative, Detective, Corrective, Compensating, Responsive
Describe Preventative security control function type
Acts before an incident to eliminate or reduce the likelihood that an attack can succeed (ACLs, firewalls, anti-malware, SOPs).
Describe Detective security control function type
Does not prevent or deter access, but acts during an incident to identify or record that it is happening (ex. Logs).
Describe Corrective security control function type
Acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack (backup system, patch management system).
Describe Compensating security control function type
Takes on risk mitigation when a primary control fails or cannot completely meet expectations.
Describe Responsive security control function type
Serves to direct corrective actions after an incident has been confirmed. Often documented in a playbook.
What are ways to reduce your attack surface?
Asset inventory, access control, patching/updating, network segmentation, removing unnecessary components, employee training
What are the benefits of a centralized configuration management system?
Allows an administrator to configure settings on a management server and then push to endpoints in an automated way, enables consistency since the configuration is defined once and applied to many systems, and the configuration is enforced, meaning the central management server will overwrite changes made to an individual endpoint's
Explain user and entity behavior analytics (UEBA)
A system that can provide automated identification of suspicious activity by user accounts and computer hosts.
What does the tool FOCA do?
Fingerprinting Organizations with Collected Archives (FOCA) is a metadata scanner that can be used on publicly available documents (MS Office docs, etc.).
Explain the difference between the two threat intelligence data types.
Strategic - provides a high-level view of the threat landscape, emerging trends, tactics, and techniques threat actors use.
Operational - provides more granular details about specific threats: indicators of compromise, malware analysis, and network forensics.
What are the three attributes of Threat intelligence data?
Timeliness, Relevancy, Accuracy
What is an ISAC?
Information Sharing and Analysis Centers (ISACs) provide critical infrastructure owners and operators with cybersecurity information and services. They facilitate the sharing of threat information and best practices between the public and private sectors, allowing for the protection of vital assets.
What is the main platform for Cyber threat intelligence sharing?
Cyber Threat Alliance (CTA)
What is AIS?
Automated Indicator Sharing (AIS) is the exchange of machine-readable cyber threat indicators and defensive measures. It is managed by the US Cybersecurity and Infrastructure Security Agency (CISA). AIS enables participants to share indicators and defensive measures against cyber threats.
What are the 2 main machine-readable formats used by AIS systems?
Trusted Automated eXchange of Indicator Information (TAXII) message exchange and Structured Threat Information eXpression (STIX)
What is the function of managed security service providers (MSSPs)?
A third-party provider of security configuration and monitoring services. MSSPs provide the knowledge, skills, resources, and analytic tools to help organizations locate unusual activities and hidden threats efficiently (threat hunting).
What are the 3 main threat hunting areas?
Misconfiguration Hunting— misconfigured systems, services, or applications that attackers could exploit, including searching for weak passwords, open ports, or unpatched software.
Isolated Network Hunting— air-gapped networks or networks with limited connectivity to the internet can still be targeted by exploiting vulnerabilities in connected systems or through physical access.
Business-critical Asset Hunting— databases, servers, or applications; looks for unauthorized access attempts, unusual traffic patterns, or suspicious activity that could indicate an attack. Also new user creation, money transfers, access permission approvals, etc.
What is stored in Windows registry?
The Windows registry is a database for storing operating system, device, and software application configuration information.
What are the following registry keys: HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_USER?
The HKEY_LOCAL_MACHINE (HKLM) database governs system-wide settings.
The HKEY_USERS database includes settings that apply to individual user profiles, such as desktop personalization.
HKEY_CURRENT_USER is a subset of HKEY_USERS with the settings for a logged-in user.
What is the Linux equivalent of registry files?
Configuration Files (text files)
What are the 4 main common configuration file formats?
Initialization file (INI)—Uses key-value pairs associated using "=".
eXtensible Markup Language (XML)—Uses tag formatting similar to HTML and is often used by APIs to exchange information.
Yet Another Markup Language (YAML)—YAML files use ":" and careful indentation to associate groups of settings and are an increasingly popular format.
JavaScript Object Notation (JSON)—Similar formatting to YAML with the addition of {} and [] brackets to group settings.
What are system processes and what do they do?
System processes are background tasks that manage system resources (memory, network connections, and hardware devices). System processes can also be used to launch applications and perform other tasks, e.g. antivirus scans, disk defragmentation, user authentication, printing, and system updates.
How do VMs differ from containers?
VMs use a hypervisor to translate system components to allow multiple instances of OSs and components to run on the same hardware.
Containers do the same, except they allocate portions of bins/libraries to each instance so there's no need for separate OSs. One OS can act as a separate OS for many instances.
What is a cloud deployment model?
The specific architecture of cloud services, e.g. the technology, resources, locations of data, applications, and services a cloud provides: public, private, and hybrid.
What is Serverless Computing?
Software that runs functions within virtualized runtime containers in a cloud rather than on dedicated servers. Applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. When the client requires some operation to be processed, the cloud spins up a container to run the code, performs the processing, and then destroys the container. Billing is based on execution time rather than hourly charges.
What are the benefits of serverless computing?
Serverless platforms eliminate the need to manage physical or virtual server instances, so there is little to no management effort for software and patches, administration privileges, or file system security monitoring. There is no requirement to provision multiple servers for redundancy or load balancing.
Serverless architecture depends heavily on the concept of event-driven orchestration to facilitate operations.
What are the 3 types of network segmentation?
Physical segmentation - separating different network zones using separate switches, routers, and cabling.
Virtual segmentation - using software to create virtual networks within an existing network, allowing different types of traffic to be separated and isolated. Virtual segmentation is associated with cloud computing environments, where networks are defined using features provided by the virtualization platform.
Logical segmentation - using software to create logical divisions within a single network using Virtual LANs, or VLANs.
What are the 3 planes of software defined networking (SDN)?
Control plane—Makes decisions about how traffic should be prioritized and secured, and where it should be switched.
Data plane—Handles the actual switching and routing of traffic and imposition of access control lists (ACLs) for security.
Management plane—Monitors traffic conditions and network status.
Explain the northbound and southbound APIs between SDN applications, controllers, and appliances.
The interface between the SDN applications and the SDN controller is described as the "northbound" API, while between the controller and appliances is the "southbound" API.
What are the benefits of SDN?
Reduces the risks associated with managing a large / complicated network. It allows for automated deployment of network links, appliances, and servers. SDN is a critical component driving the adoption of automation and orchestration technologies.
What are the key benefits of Zero Trust?
Greater security
Better access controls
Improved governance and compliance
Increased granularity
What is Secure Access Service Edge (SASE)?
A networking and security architecture that provides secure access to cloud applications and services while reducing complexity. It combines security services like firewalls, identity and access management, and secure web gateway with networking services such as SD-WAN.
SASE simplifies network and security services, and offers identity and access management, secure web gateways, and Zero Trust.
How is passwordless authentication achieved?
Biometrics
Explain the difference between Single Sign-On (SSO) and Federation.
SSO - Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
Federation - A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems. (ex. using Google account credentials to access other apps/services)
What is OpenID?
An identity federation method that enables users to be authenticated on cooperating websites by a third-party authentication service.
What is Security Assertion Markup Language (SAML)?
An XML-based data format used to exchange authentication information between a client and a service.
What is a cloud access security broker (CASB)?
Enterprise management software designed to mediate access to cloud services by users across all types of devices.
What are the functions of a CASB?
Enable single sign-on authentication and enforce access controls
Scan for malware and rogue or noncompliant device access.
Monitor and audit user and resource activity.
Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.
What are the three ways a CASB can be implemented?
Forward Proxy, Reverse Proxy, API
What 3 components does DLP usually consist of?
Policy Server—To configure classification, confidentiality, privacy rules and policies, and to log incidents and compile reports.
Endpoint Agents—To enforce policy on client computers, even when they are not connected to the network.
Network Agents—To scan communications at network borders and interface with web and messaging servers to enforce policy.
Remediation is the action the DLP software takes when it detects a policy violation. What are the 4 methods?
Alert only—The copying is allowed, but alerts an administrator.
Block—The user is prevented from copying the original file but retains access to it.
Quarantine—Access to the original file is denied to the user.
Tombstone—The original file is quarantined and replaced with one describing the policy violation and how the user can release it again.
What are the 5 different data types?
PII, Personal Health Information (PHI), Personally Identifiable Financial Information (PIFI), Cardholder data (CHD), Intellectual property (IP)
What is PKI?
A suite of tools designed to support public/private key management, integrity checks via digital signatures, and authentication, as well as non-repudiation of users and/or devices through the use of private key encryption.
What are the 5 Logging Levels?
DEBUG: used for debugging purposes
INFO: used for informative messages
WARNING: used to indicate a potential problem
ERROR: used to indicate a serious problem
CRITICAL: used to indicate a critical problem
What is the Syslog severity scale?
0-7 (8 levels); 0 = emergency (most severe), 7 = debug (least severe)
How do SIEM & SOAR work together?
Security information and event management (SIEM) automates the collection, analysis, and response to security-related data.
Security orchestration, automation, and response (SOAR) describes the process of using technology to automate the work of identifying, analyzing, and responding to security threats often flagged by a SIEM.
*Instead of sending the alert to a security analyst for manual review, the alert is instead forwarded to a SOAR platform. The SOAR performs a series of tasks grouped within preestablished playbooks in response to the alert.
What is Data Enrichment?
Data enrichment combines and analyzes data from disparate sources to gain a greater understanding of the threat landscape.
What are Webhooks?
Automated messages sent from applications to other applications containing information about an event, such as the time it occurred, the data associated with it, and any other relevant information.
They are used to trigger automated actions, such as sending an email or updating a database.
What are the differences between regulations and standards?
Regulations describe legal requirements and ramifications; standards (ISO and NIST) detail how to comply (oftentimes provided in prescriptive form).
ISO and NIST do not create laws and regulations; rather laws and regulations identify a requirement to implement the best practice guidance authored by these agencies.
What are the NIST and ISO cyber framework numbers?
NIST = special publication (SP) 800 series documents, as well as the Risk Management Framework and Cybersecurity Framework
ISO = cybersecurity framework commonly referred to as ISO 27k.
Can regulations and standards be contained in one authority?
Yes - Examples include the General Data Protection Regulation (GDPR) and Children's Online Privacy Protection Act (COPPA)
Briefly describe OWASP.
Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of web applications and services.
Describe CMMI.
Capability Maturity Model Integration (CMMI) describes five levels of maturity within the operational or software capabilities of an organization.
Level 1: Initial—Processes do not exist, and work is reactive in nature.
Level 2: Managed—Many work activities are defined via processes, but work is still frequently reactive in nature.
Level 3: Defined—The majority of work is well-defined via processes, and proactive measures are in place.
Level 4: Quantitatively Managed—All work is well-defined via processes, proactive measures are in place, and the work outputs are tracked and analyzed.
Level 5: Optimizing—Work is well defined via processes, and work is proactive, measured, analyzed, and continuously improved.
Describe CSA STAR.
The Cloud Security Alliance Security, Trust & Assurance Registry.
Measures the security capabilities and privacy controls of a cloud service provider against the CSA Cloud Controls Matrix (CCM).
Describe COPPA.
Children's Online Privacy Protection Act (COPPA) - Applies to children under the age of 13.
What are the most common web application vulnerabilities?
cross-site scripting (XSS), SQL injection, path traversal, broken authentication and authorization, and insecure direct object references
OWASP Top Ten
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery
Explain Center for Internet Security (CIS) benchmarks
A broad set of over 100 configuration guidelines covering different aspects of IT security, designed to be flexible and scalable.
What are the 4 main phases of PCI DSS implementation?
Assess, Plan, Execute, Maintain
What is the difference between agent-based and agentless vulnerability scanning?
Agent-based scans require the installation of small, special-purpose software utilities designed to collect information from the endpoint and pass it to the vulnerability scanner.
Static vs. dynamic analysis?
Static = manual inspection of source code in order to identify vulnerabilities in programming techniques.
Dynamic = examination of code during runtime
What are DoD STIGs?
Department of Defense (DoD) Security Technical Implementation Guides (STIGs).
What are the 3 categories of DoD STIGs?
Category I—Any vulnerabilities that will immediately cause a breach of confidentiality, availability, or integrity.
Category II—Any vulnerabilities resulting in loss of confidentiality, availability, or integrity and can lead to a Category I vulnerability, injury, damage to equipment, or degrade a mission.
Category III—Any vulnerabilities that degrade controls implemented to protect against the loss of confidentiality, availability, or integrity and can lead to a Category II vulnerability, delay recovering from an outage, or negatively affect the accuracy of data.
Describe Operational Technology (OT).
Hardware and software technologies used to manage physical devices, processes, and events.
Examples of OT include industrial control systems, robotics, sensors, Programmable Logic Controllers (PLCs), and SCADA systems, as well as the networks and devices used to operate them.
What are Industrial Control Systems (ICSs)?
Mechanisms for workflow and process automation. These systems control machinery used in critical infrastructure, like power suppliers, water suppliers, health services, telecommunications, and national security services.
What are Supervisory Control and Data Acquisition (SCADA) systems?
An industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.
Takes the place of a control server in large-scale, multiple-site ICSs.
What are Programmable Logic Controllers (PLCs)?
Digital computers used in industrial settings, designed to enable automation in assembly lines, autonomous field operations, robotics, etc.
Explain Security Content Automation Protocol (SCAP)
A NIST framework that outlines various accepted practices for automating vulnerability scanning.
Explain CVSS
CVSS is based on the concept of risk. It considers the likelihood of a vulnerability being exploited on a particular system and the potential impact on that system. CVSS is not designed to measure the exploitability of a vulnerability, nor does the scoring take into account the cost of fixing the vulnerability.
What is a CVSS Vector String?
Additional information provided alongside a CVSS score to give more context around the scoring metrics used to calculate the overall CVSS score. The vector string is broken into fields that include the vulnerability identifier, the impact, the environmental concerns, etc.
What are the ranges of CVSS scores?
0-9+
0 = None, 0.1-3.9 = Low, 4.0-6.9 = Medium, 7.0-8.9 = High, 9+ = Critical
What metrics are CVSS scores based on?
Attack Vector (AV)
Attack Complexity (AC)
Privileges Required (PR)
User Interaction (UI)
Scope (S)
Confidentiality (C), Integrity (I), and Availability (A)
The CVSS scoring system is grouped into what three categories?
Impact—The potential damage or harm caused by the vulnerability.
Exploitability—The ease and likelihood of exploiting a vulnerability.
Remediation—The cost and effort required to fix the vulnerability.
What are the 3 types of vulnerability management reports?
Vulnerability management dashboard— a live view of critical data (graphs, charts, status indicators); dashboards can convey much information in a single view and are easily accessed.
Vulnerability summary report
Detailed vulnerability report
T/F: You should use automation in vulnerability reporting.
True. Use automation in as many processes as possible to make the entire process more consistent, reliable, efficient, and easy to maintain.
What things go into a vulnerability report?
Details regarding the type of vulnerability
The number of instances
The affected systems
The risk levels
Recommendations
What are the 2 types of compliance reports?
Regulatory compliance reports
Internal compliance reports
What are key performance indicators (KPIs)?
Tracking metrics, such as the number of security incidents and the time it takes to detect them. KPIs also allow organizations to compare their cybersecurity efforts against other organizations and industry averages.
What is a service-level objective (SLO)?
A benchmark by which security operations can measure their performance and help ensure they meet leadership's expectations. Additionally, SLOs should be flexible and adaptable as the cybersecurity landscape and the organization's capabilities change over time.
Why is an action plan important?
Action plans provide direction and focus, enabling organizations to achieve strategic goals and objectives.
Action plans are a critical component in response to a vulnerability report.
What are some possible inhibitors to remediating vulnerabilities?
MoU (memorandum of understanding) - might outline uptime, data access, response times, and other performance or access characteristics that conflict with the changes or maintenance tasks identified in response to mitigating vulnerabilities.
SLA - Same reason as MoU
Organizational governance
Business Process Interruption
Degraded Functionality
Legacy Systems
Proprietary Systems
What are the 5 phases of the incident response process?
Preparation: (Harden systems, Create incident response resources and procedures)
Detection & Analysis: (Categorize notifications as incidents, Assess incident priority (triage), Notify stakeholders)
Containment: (Limit, isolate, restrict)
Eradication & Discovery: (Sanitize, re-secure: patch, logging, hardening). If more IOCs are found, go back to the Detection & Analysis phase; if not, continue on.
Post-Incident Activity: (summary reports, lessons learned, after action reports). Implement recommendations from lessons learned, which loops back to Preparation phase.
What are the 3 main ways of testing response plans?
Tabletop Exercises—do not involve a mock incident or full incident simulation. Used to test the effectiveness of communication and response plans.
Mock Incidents—Scenario-based simulations to test the incident response plan in practice. Mock incidents can include simulations of different types of incidents that might occur.
Full incident simulations—Mock incidents that include the full set of people involved in responding to an incident, to test the entire response process, including communication protocols and the effectiveness of the different response teams.
What are Incident response playbooks?
A checklist of actions to perform to detect and respond to a specific type of incident.
The most effective incident response playbooks are tailored to an organization's specific security needs and provide detailed guidance on responding to various security incidents.
What is the most accurate Incident Response testing method?
penetration testing
Define BC/DR.
Business continuity (BC): efforts to keep the organization running during and after a disaster. How the organization continues to operate in the face of adversity, and the effort needed to work through the event and then restore operations to normalcy.
Disaster recovery (DR) is a component of an overall business continuity plan. Disaster recovery plans focus on the immediate needs of a disaster, when things are the most frantic and pressing: the tasks required to bring critical systems back online.
How do SIEM and SOAR work together for incident response?
SIEM platforms funnel data into outputs easily understood by analysts. They also enable outputs to be automatically pre-analyzed by SOAR tools.
Security orchestration, automation, and response (SOAR) platforms are integrated with SIEM. SOAR can proceed using a flowchart where the next steps are contingent upon the outputs of the previous step, and document the work performed. Events SOAR cannot resolve are forwarded for manual review by a human analyst.
What are the 4 phases of a forensic investigation?
1. Identification. Ensure that the scene is safe, secure the scene to prevent contamination of evidence, and identify the scope of evidence to be collected.
2. Collection. Collect evidence using tools and methods that will withstand legal scrutiny. Document and prove the integrity of evidence as it is collected.
3. Analysis. Create a copy of evidence (verified with hashes), use repeatable methods to analyze the evidence, and use tools that will produce trustworthy and legally defensible results.
4. Reporting/Presentation. Create a report to present findings.
What is the general order for data acquisition?
1. CPU registers and cache memory (including cache on disk controllers, GPUs, and so on)
2. Contents of system memory (RAM), including the following:
Routing table, ARP cache, process table, kernel statistics
Temporary file systems/swap space/virtual memory
3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices)—including file system and free space
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media
In forensics, what is used to validate data integrity?
Hashing - Hash original and copies to prove copies were not altered during collection/analysis