Objectives and strategies of a SOC
Planning, Analysis, Efficiency
Which three aspects are essential when setting up a SOC? (Choose three.)
Careful planning
Functional layout
Rapid threat containment
Which two elements are crucial for a successful SOC? (Choose two.)
Highly skilled security analysts and Security automation and orchestration technologies
What is the primary function of a Security Operations Center (SOC)?
Detect, analyze, and respond to cybersecurity incidents
Who are the typical team members of a SOC?
Security analysts
What is one of the main challenges faced by SOC analysts during their daily work?
Pivoting from security console to security console to gather investigative clues
Which two limitations do current security tools have for SOC analysts?
Difficulty in prioritizing alerts for review
Lack of full context for investigations
In a typical alert investigation, what is the first step for a SOC analyst?
An organization forwards high-level security alerts to its SIEM
Which three steps are part of the daily SOC processes for analysts?
Threat intel data
Situational awareness update
Review summary data
According to a survey of security professionals, what percentage of alerts can organizations investigate?
Less than 7%
Adverse Event
any event that has negative consequences. Examples include a malware infection on a system, a server crash, or a user accessing a file that they are not authorized to view.
Security Incident
is a violation or imminent threat of violation of organizational cybersecurity policies, acceptable use policies, or security best practices.
Examples include loss of sensitive information, an intrusion to a network system, the use of a keylogger on an administrator's computer to infiltrate passwords, and a denial-of-service attack against a web service.
Incident Response Lifecycle
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity
NIST
Cybersecurity Framework composed of three main components: Core, Implementation Tiers, and Profiles.
NIST Core Component
provides a set of desired activities to be used in a cybersecurity implementation program to meet the needs of organizations of any size. The activities are designed to complement the risk management process.
NIST Implementation Tier Component
helps organizations provide an organizational view of cybersecurity risk management and discuss their risk appetite, budget, and priorities.
(Partial): Ad hoc, unstructured cybersecurity with minimal risk awareness.
(Risk-Informed): Some risk management, but not consistently applied.
(Repeatable): Standardized processes, cybersecurity integrated into business.
(Adaptive): Continuous improvement with real-time threat intelligence.
NIST Profile Component
process that provides organizations a way to strengthen their existing processes or implement new processes.
Profiles enable effective communication within the organization.
NIST Special Publication 800-61
can help organizations better manage their computer security incidents. It includes step-by-step instructions for incident response teams to create an effective incident response policy and plan.
Federal Risk and Authorization Management Program (FedRAMP)
This U.S. government program covers a standard approach to assess security, provides an authorization process, and provides guidance about continuous monitoring for cloud products and services.
Features of FedRAMP: Effective Cloud Security
FedRAMP provides a framework for creating and managing repeatable processes for effective cloud security for the government.
Features of FedRAMP: Marketplace
FedRAMP has established a marketplace for cloud services that supports collaboration across government agencies through use cases, tactical solutions, and lessons-learned documentation.
Features of FedRAMP: Security Baselines
High with a set of 421 controls
Moderate with a set of 325 controls
Low with a set of 125 controls
LI SaaS with a set of 36 controls
FISMA
is a US federal law that establishes a framework for protecting government information and operations, requiring all federal agencies to develop, document, and implement agency-wide information security programs
MITRE ATT&CK Framework
is a knowledge base of tactics and techniques used by attackers.
ISO Standards
a set of globally recognized specifications that establish best practices for various industries and processes, ensuring consistency and quality
Which cybersecurity framework provides a step-by-step guide for incident response teams to create an effective incident response policy and plan, and recommends a review of each incident with post-incident activity?
NIST Special Publication 800-61
Which cybersecurity framework is designed to help organizations assess and improve their security posture regarding cyberattacks and is based on existing standards, guidelines, and practices?
NIST Cybersecurity Framework
Which framework provides standardized guidelines that can enable federal agencies to evaluate cyber threats and risks to their different infrastructure platforms, cloud-based services, and software solutions?
FedRAMP
Which two components of the NIST Cybersecurity Framework help organizations provide an organizational view for cybersecurity risk management and strengthen their existing processes or implement new processes?
NIST Implementation Tiers
NIST Profiles
What are the three main goals of the FedRAMP program?
Improve confidence in cloud security
Ensure consistent application of existing security policies
Increase automation for near real-time data with continuous monitoring
In the risk management process, what is the purpose of monitoring controls?
To evaluate the effectiveness of control measures and make necessary adjustments
What is the main difference between a SOC mission statement and its goals?
The mission statement is a high-level strategy document, while goals are the instruments to reach the main aims.
Which three steps are part of the risk management process in cybersecurity?
Determine security controls
Identify risks
Perform risk analysis
Which two control types can be applied after a risk is identified, analyzed, and classified in the risk management process?
Mitigate
Transfer
What is the primary purpose of a Security Operations Center (SOC)?
To monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems
Device Telemetry
is data about your endpoints, firewalls, and other connected devices; it is typically shared for analysis with systems such as XDR via a Cortex Data Lake.
Forensics
The practice of collecting, preserving, and analyzing electronic data to investigate cyber incidents and support legal proceedings. It focuses on uncovering evidence from digital devices.
Types of Collected Data
Alert: Notification of an event
Event: Any action performed by a person or technology
Log: Details of an event
Telemetry: Activity consistently gathered electronically and in real time from a given source
Forensic (Raw): The complete contents of an item, without change or modification
What are the four main stages of the incident lifecycle?
Identify, investigate, mitigate, and continuously improve
Which stage of the incident lifecycle involves determining the best response method, such as quarantine, avoid, or restore?
Investigate Stage
In the continuous improvement stage, what is the main goal of tuning alerting procedures?
To reduce false positives and low-fidelity alerts
Which two types of data provide the information needed to perform investigations and validate breaches?
Telemetry
Log data
What is the primary role of a SOC analyst?
To provide remote monitoring, telephone support, and remote support for security teams globally
PCI DSS (Payment Card Industry Data Security Standard)
Perform vulnerability assessments from the internet and intranet
Perform manual or automated dynamic application security testing (DAST) and static application security testing (SAST) for internally developed code or externally acquired applications
Use a web application firewall (WAF) in applications and services on the internet
Perform network segmentation checks with penetration tests
HIPAA (Health Insurance Portability and Accountability Act)
Implement procedures for login monitoring
Implement hardware, software, and procedural mechanisms for recording and examining activity in information systems that contain or use electronically protected health information (ePHI)
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
GDPR (General Data Protection Regulation)
Report any security incidents (such as vulnerabilities and personal data breaches) within 72 hours; must be able to detect potential security breaches
Record IT activities
Establish a Data Governance Committee and data management standards
Hire a data protection officer and educate all employees about best data practices as per SOC
Define roles and restrict data access to specific employees as per SOC
SOC 2 (System and Organization Controls 2)
Identify risks
Mitigate external threats
Protect against unauthorized and malicious code
Establish and follow a configuration and vulnerability management strategy
Establish and follow a security event and anomaly detection and incident detection and response strategy
Establish and follow an incident containment and remediation strategy
What three tools/technologies do SOC analysts use to address compliance needs?
SIEM, Vulnerability Management tool and Security Policies
Three essential features of a data loss protection solution:
Apply protective rigor
Protect sensitive data
Minimize Data Exposure through employee training
The following are essential information in data protection decisions:
Content: subject matter, type of file, and metadata
Context: location, device, and time
Character: role, ID, Behavioral analytics data
What are two features that are essential for data loss protection solution?
Apply protective rigor to organizations' intellectual property
Protect sensitive data from malicious insiders
What are the three types of information that a data loss prevention solution should collect and aggregate to make informed data protection decisions?
Content
Context
Character
How does a machine learning-driven data protection system help with data protection decisions?
It suggests compliance regulations to adhere to and enables the right data protection policies
Why is it difficult to identify sensitive data in an organization?
Distinguishing sensitive data patterns is challenging, and false positives may occur
What is the primary purpose of a data loss protection solution?
Monitor and stop unsafe data movement and sharing
Playbook
consists of the individual components or tasks that work together to create a comprehensive and automated workflow for incident response and security operations.
Playbook Trigger
requires a trigger to automatically execute within a security orchestration tool. This trigger can be any condition that, when met, starts the playbook.
Automated Playbook Task
uses a visual piece of code, called an automation, running in the background. Users can either select from pre-existing automations (most security orchestration tools come with an out-of-the-box list) or code their own automations for these types of tasks.
Manual Playbook Task
visual abstractions where users can enter any task comments and instructions that are meant to be performed manually.
Conditional Task
playbooks check the value of any incident-related artifact and execute different actions depending on the result.
Security Team Combined Tasks
Some playbooks need to combine human teams in task execution phases for security operations and incident response.
What are the three building blocks of playbooks?
Playbook trigger
Automated playbook task
Conditional task
What is the main purpose of using playbooks in Security Orchestration, Automation, and Response (SOAR) systems?
To standardize processes and provide a consistent set of well-designed steps for incident response
In relation to Machine Learning, which two tasks can be improved within security orchestration platforms?
Incident assignment based on expertise
Reducing duplicate incidents
What are three main functions of security orchestration tools in the security landscape?
Collect and correlate data from multiple security products
Execute actions across products
Provide a platform to document analyst actions, comments, and incident evidence
What two factors are improved by security orchestration in an organization's security posture?
Efficiency
Consistency
Phases of the Attack lifecycle:
Reconnaissance
Weaponization and Delivery
Exploitation
Installation
C2 (command and control)
Actions on Objectives
In which phase of the attack lifecycle do attackers use data files or webpages weaponized with exploits to target the victim's vulnerable software?
Weaponization and Delivery
Which three techniques can be used by attackers to hide command and control (C2) communications?
Encryption with SSL, SSH, or custom applications
Circumvention via proxies or remote desktop access tools
Port evasion using network anonymizers or port hopping
Normal EPS (events per second)
shows the number of logs received during standard activity times.
Peak EPS (Events per second)
shows the number of logs received in anomaly situations, such as cyber attacks or malware activities. The limits of the system should be calculated in accordance with the Peak EPS value to prevent missing logs and other performance problems.
Three main components in the Syslog protocol:
Manufacturer: creates syslog content to be carried in a message
Collector: collects syslog messages
Transponder: forwards messages, accepts messages from sources or other relays, and sends messages to collectors or other transponders
Facility Code
is used to specify the type of program that is logging the message. Messages with different codes may be handled differently. The mapping between facility code and keyword is not uniform across operating systems and syslog implementations.
Parsing
is the process of dividing the data into pieces that are easier to process and store.
Normalization
converts the grouped data into a structure that can be used by and applied to data collected from multiple data sources. Data parsing must be completed before normalization can be done.
Data Enrichment
is the process of saving and adding other imported data to the data already obtained.
Ex. include location information of an IP address, domain names, email senders, file hash values, and reputation information.
Rule-Based Correlation
used to detect and report threat scenarios, also called usage scenarios. The usage scenario can be expressed as a nested expression consisting of a combination of events (content) and operators like AND, OR, NOT, and FOLLOWED BY.
Anomaly-Based Correlation
To detect anomalies, the normal behavior of the system must be profiled correctly. Once this baseline profile has been established, the SIEM can identify anomalous patterns and warn about potential security events.
Risk-Based Correlation
also called algorithmic correlation. This type of correlation calculates the risk score based on the content of an event. Risk scores can be calculated by using asset value, source IP address reputation, geographic location, reported user role, etc.
Cross-Correlation
querying between multiple data sources is needed to detect unknown threats. These practices are the only way to identify malicious activities such as privilege escalation and command-and-control communications. Helps to distinguish between abnormal and normal activities.
Which network data collection protocol uses UDP and port 123 by default?
NTP (Network Time Protocol)
IP Spoofing
attackers use this technique in computer networks to mimic another computer's IP address or to hide their source IP address.
Unauthorized Packet Sniffing
captures unencrypted traffic to exfiltrate data or collect credentials across the network. Adversaries typically target the most common protocols: HTTP, SMTP, Telnet, and IMAP.
Man-in-the-Middle Attacks
happens when an attacker places itself in-line between two devices that are communicating. The attacker's intent is to perform reconnaissance or manipulate the data that is being transferred as it moves between those entities. This attack can happen at Layer 2 or Layer 3.
Buffer Overflow Attack
The goal of an attacker when using this attack is to find a system memory-related flaw on a server and exploit it. Exploiting the buffer memory by overwhelming it with unexpected values usually renders the system inoperable, creating a DoS attack.
What are two tools that are commonly used by attackers for network scanning?
NMAP and Nessus
Which three scenarios can lead to a man-in-the-middle attack?
Layer 2 ARP Poisoning attack
Layer 3 rogue router attack
IP spoofing attack
Virus
software programs that copy themselves throughout a computer or network.
Trojan Horse
malware that is disguised as a harmless program but actually gives the attacker full control and elevated privileges of an endpoint when installed
Worms
are malware that typically targets a computer network by replicating itself to spread rapidly.
Spyware and Adware
are malware that collects information such as internet browsing behavior, login credentials, and financial account information on an infected endpoint and communicates it back to the attacker.
Watering Hole Attack
compromise websites that are likely to be visited by a targeted victim (e.g., an insurance company website that may be frequently visited by healthcare providers). The compromised website will typically infect unsuspecting visitors with malware (known as a “drive-by-download”).
PaaS
users do not manage or control the underlying cloud infrastructure, including network, servers, operating systems, and storage, but they do have control over the deployed applications and possibly configuration settings for the application-hosting environment.
IaaS
is a cloud security deployment model in which third-party providers offer computing infrastructure in a virtual environment so that any user in an organization can access it.
CASB (Cloud Access Security Broker)
are security policy enforcement points that sit between a cloud service provider and its users. The purpose of these is to help organizations discover their data across multiple environments, such as public or private clouds, SaaS applications, and on-premises data centers.
SASE (Secure Access Service Edge)
is a single, cloud-delivered technology or product that combines networking (WAN, VPN, ZTNA) and network security services (FWaaS, CASB, DNS, DLP). This type of architecture identifies users and devices, applies policy-based security, and delivers secure access to the appropriate application or data, thus allowing organizations to apply secure access no matter where their users, applications, or devices are located.
Container
A self-contained packaging mechanism in which an instance of an application can run a specific task or code.
What are three components that are essential for providing consistent, frictionless security in both PaaS and IaaS environments?
In-line protection
API-based protection
Host-based protection
What type of cloud security deployment is characterized by web-based software distribution where a third-party provider hosts applications for customers over the internet?
Software as a Service (SaaS)