MS SC-900 Security, Compliance, and Identity Fundamentals
Pre-Assessment Exam Concepts to review:
Volumetric Attacks: These aim to saturate the bandwidth of the target (or of its upstream links) with massive amounts of traffic, and are measured in bits per second. Examples include UDP floods and ICMP floods.
Protocol Attacks: These exploit weaknesses in layer 3 and layer 4 protocol handling to exhaust connection-state tables on servers, firewalls and load balancers, and are measured in packets per second. Examples include SYN floods and Ping of Death.
Application Layer Attacks: These target specific applications (layer 7) and exploit expensive application operations rather than raw bandwidth, so a comparatively low request rate can exhaust server resources; they are measured in requests per second and are the hardest to distinguish from legitimate traffic. An example is HTTP floods.
DNS Amplification Attacks: These are reflection attacks that send small DNS queries to open resolvers with the source address spoofed to the victim's, so the much larger responses are delivered to the target. They exploit the difference between the small request size and the much larger response size.
NTP Amplification Attacks: Similar to DNS amplification, these use Network Time Protocol (NTP) servers as reflectors, classically via the monlist command, which returns a long list of recent clients in response to a small spoofed request.
Memcached Attacks: These use Memcached servers exposed to the internet over UDP, which has no authentication, as reflectors; a small spoofed request can trigger a response tens of thousands of times larger, directed at the target.
Network Security Groups (NSGs) are virtual firewalls in cloud environments, such as Microsoft Azure, that filter inbound and outbound traffic to network resources. In Azure an NSG is associated with a subnet or a network interface and consists of rules that allow or deny traffic based on the five-tuple: source and destination address (or service tag), source and destination port, and protocol. Rules are evaluated in priority order, lowest number first, and the first matching rule wins; default rules at the end allow virtual-network and Azure load-balancer traffic inbound and deny all other inbound traffic. NSGs are stateful, so return traffic for an allowed flow is permitted automatically. They provide a way to enforce network segmentation inside a virtual network, helping to protect cloud applications and services from unauthorized access.
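The Python model below is an added example, not part of the original notes and not Microsoft tooling. It shows how priority-ordered NSG evaluation works (Azure semantics assumed: lowest priority number first, first match wins, DenyAllInBound at the default priority 65500) and the classic mistake that follows from it: a "temporary" any/any Allow rule added at a lower priority number than an existing Deny silently shadows that Deny and every rule behind it. The rule names, address ranges and packets are constructed for the example.

```python
"""Priority-ordered rule evaluation in the style of a cloud Network Security Group.

Added example (Azure semantics assumed): rules are evaluated from the lowest
priority number upward, the first matching rule decides, and a DenyAllInBound
rule at priority 65500 (the Azure default) catches anything not explicitly
allowed. All rule names, addresses and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*" (any)
    source: str        # CIDR prefix or "*" (any)
    dest_port: str     # single port, "low-high" range, or "*" (any)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_port: int


def _prefix_matches(prefix, ip):
    if prefix == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def evaluate(rules, packet):
    """Return (access, rule_name) for the first rule, in priority order, that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != packet.direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != packet.protocol.lower():
            continue
        if not _prefix_matches(rule.source, packet.src_ip):
            continue
        if not _port_matches(rule.dest_port, packet.dst_port):
            continue
        return rule.access, rule.name
    raise ValueError("no rule matched: an NSG always ends in a default deny rule")


DEFAULT_DENY = Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*")

# Intended policy: HTTPS from anywhere, SSH only from the (constructed) admin range.
INTENDED_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromAdmin", 110, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("DenySshFromAnywhereElse", 120, "Inbound", "Deny", "Tcp", "*", "22"),
    DEFAULT_DENY,
]

# Same policy after a "temporary" any/any allow is added at a LOWER priority
# number: it is evaluated first and shadows every rule behind it.
SHADOWED_RULES = INTENDED_RULES + [
    Rule("TempAllowAll", 90, "Inbound", "Allow", "*", "*", "*"),
]

SSH_FROM_INTERNET = Packet("Inbound", "Tcp", "198.51.100.7", 22)
SSH_FROM_ADMIN = Packet("Inbound", "Tcp", "203.0.113.9", 22)
HTTPS_FROM_INTERNET = Packet("Inbound", "Tcp", "198.51.100.7", 443)
UDP_443_FROM_INTERNET = Packet("Inbound", "Udp", "198.51.100.7", 443)


def shadowed_by_wildcard(rules):
    """Names of rules that can never match because an earlier rule in the same
    direction already matches any source, any protocol and any port."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, rule in enumerate(ordered):
        if any(e.direction == rule.direction and e.source == "*"
               and e.protocol == "*" and e.dest_port == "*" for e in ordered[:i]):
            shadowed.append(rule.name)
    return shadowed


if __name__ == "__main__":
    for label, rules in (("intended", INTENDED_RULES), ("shadowed", SHADOWED_RULES)):
        print(label, "SSH from internet ->", evaluate(rules, SSH_FROM_INTERNET))
    print("unreachable rules:", shadowed_by_wildcard(SHADOWED_RULES))
```

The check in shadowed_by_wildcard only catches full any/any/any wildcards; real rule sets can also be shadowed by partial overlaps (a broader prefix or port range at a lower priority number), which is why reviewing NSG rules by effective result, not by intent, matters.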
A Security Information and Event Management (SIEM) solution typically exhibits several key characteristics:
Centralized Log Management: SIEM aggregates and stores logs from various sources across the organization, making it easier to analyze security events.
Real-Time Monitoring and Alerting: SIEM solutions continuously analyze ingested events to detect incidents and anomalies as they occur, generating alerts for immediate analyst attention.
Event Correlation: SIEM can correlate events from multiple sources to identify patterns and detect complex attacks that may not be evident from individual logs.
Threat Intelligence Integration: Many SIEMs integrate threat intelligence feeds to enhance detection capabilities and provide context for alerts.
Incident Response Capabilities: SIEM typically includes tools or workflows to assist with incident response, enabling effective management of security incidents from detection to resolution.
Compliance Reporting: SIEM solutions often provide reporting features that help organizations meet regulatory compliance requirements by maintaining records of security events and incidents.
Data Visualization: SIEM tools usually offer dashboards and visualization tools to help security teams easily interpret and analyze security data.
Forensics and Investigative Capabilities: SIEM enables security teams to conduct investigations post-incident by providing historical logs and analysis tools.
User Behavior Analytics (UBA): Advanced SIEM solutions may include UBA (often UEBA, user and entity behavior analytics) to detect insider threats and unusual activity by comparing current behavior against established baselines for each user or entity.
These characteristics make SIEM solutions essential for organizations looking to enhance their security posture and effectively manage security incidents.
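Centralized log management and event correlation are what turn individually harmless-looking records into a detection. The Python below is an added example, not Microsoft Sentinel code and not part of the original notes; it models the correlation step over constructed log lines aggregated from three hosts (the hosts, users, addresses, the threat-intelligence entry and the threshold of five failures in two minutes are all assumptions). Seen per host, the source address fails to log in only once or twice; correlated centrally it crosses the threshold and then succeeds, and the resulting alert is enriched from a threat-intelligence lookup as described in the list above.

```python
"""Correlation of authentication events aggregated from several hosts, SIEM-style.

Added example: each host on its own records only one or two failed logins from
198.51.100.23, so a per-host view looks benign; correlated centrally, the same
source is spraying passwords across hosts and then succeeds. Log lines, hosts,
users, addresses and the threat-intel entry are all constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample logs, already aggregated from three hosts.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=web01 event=auth_fail user=alice src=198.51.100.23
2024-05-01T10:00:09Z host=db01 event=auth_fail user=alice src=198.51.100.23
2024-05-01T10:00:15Z host=web01 event=auth_fail user=bob src=198.51.100.23
2024-05-01T10:00:22Z host=app01 event=auth_fail user=bob src=198.51.100.23
2024-05-01T10:00:40Z host=db01 event=auth_fail user=svc_backup src=198.51.100.23
2024-05-01T10:01:05Z host=app01 event=auth_ok user=svc_backup src=198.51.100.23
2024-05-01T10:03:00Z host=web01 event=auth_fail user=carol src=10.0.0.5
2024-05-01T10:03:30Z host=web01 event=auth_ok user=carol src=10.0.0.5
"""

# Stand-in for an external threat-intelligence feed (constructed entry).
THREAT_INTEL = {"198.51.100.23": "listed as a credential-stuffing source"}

FAIL_THRESHOLD = 5             # failures from one source ...
WINDOW = timedelta(minutes=2)  # ... within this window, followed by a success


def parse(text):
    """Parse log lines into dicts sorted by timestamp; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failures_per_host(events, src):
    """What each host sees on its own: failed logins from `src` per host."""
    return Counter(e["host"] for e in events
                   if e["event"] == "auth_fail" and e["src"] == src)


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert when one source reaches `threshold` failed logins within `window`
    (across any hosts and any users) and then authenticates successfully."""
    recent = defaultdict(list)  # src -> [(timestamp, host), ...] of failures
    alerts = []
    for e in events:
        src = e["src"]
        if e["event"] == "auth_fail":
            recent[src].append((e["ts"], e["host"]))
        elif e["event"] == "auth_ok":
            in_window = [(t, h) for t, h in recent[src] if e["ts"] - t <= window]
            if len(in_window) >= threshold:
                alerts.append({
                    "rule": "password spray followed by successful login",
                    "src": src,
                    "user": e["user"],
                    "host": e["host"],
                    "failures": len(in_window),
                    "hosts_targeted": sorted({h for _, h in in_window}),
                    "threat_intel": THREAT_INTEL.get(src),  # enrichment step
                })
            recent[src].clear()  # a success ends the attempt sequence
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("per-host view:", dict(failures_per_host(events, "198.51.100.23")))
    for alert in correlate(events):
        print("ALERT:", alert)
```

The per-host counts (two, two and one) never reach the threshold, which is exactly why a host-local tool would stay quiet; the correlation only works because the logs were first centralized with a common timestamp and field schema.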