Domain 7: Security Operations Flashcards


created 4 months ago by DPasik
updated 4 months ago by DPasik
Subjects:
cissp

1

IT Asset Management (ITAM)

  • Database of all IT assets
  • Includes firmware, software versions, locations, and ownership

2

Configuration Management Database (CMDB)

  • Central repository of asset configurations and settings
  • Works with ITAM
  • CI (Configuration Item): Individual entry in the CMDB

3

Privileged Users in IT

Includes:

  • System admins
  • Network admins
  • Security admins
  • DB admins
  • Help-desk
  • Custodians
  • Operators (legacy term for sys admins)

Supervisor Responsibilities:

  • Supervision (preventative)
  • Training & Awareness (detective)
  • Monitoring (detective – trust but verify)

4

Zero-Day Vulnerability

  • Attack occurs shortly after a vulnerability is discovered
  • No vendor fix available yet, or fix is brand-new and not installed

5

Incident Response Terminology

  • Event: Observable occurrence
  • Hazard: Precondition that could lead to an event
  • Incident: Adverse occurrence or policy violation

6

CIRT (Cyber Incident Response Team)

  • IRT (Incident Response Team)
  • CSIRT (Computer Security Incident Response Team)

7

Basic Incident Response Phases

  1. Detection and Triage
  2. Investigation
  3. Containment
  4. Analysis & Tracking
  5. Mitigation
  6. Recovery & Repair

8

(ISC)² Incident Response Phases

  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation
  • Lessons Learned

9

SANS Incident Response Phases

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

10

Logging an Incident

  • User-ID
  • Time & Date
  • Event Description

Note:
User's name is less important (may not be unique)

11

Threat Intelligence

Knowledge about current and emerging threats to help prevent or mitigate cyberattacks.
Sources:

  • Cybersecurity newsletters
  • Conferences
  • Social media
  • Dark Web research

12

UEBA (User and Entity Behavior Analytics)

Analyzing network activity to detect anomalous behavior.
Targets:

  • Insider threats
  • Compromised accounts

Observes:

  • User behavior
  • Device usage
  • Security events

13

SOAR (Security Orchestration, Automation, and Response)

Term coined by Gartner to describe tools that automate repetitive security tasks.

Benefits:

  • Faster incident response
  • Increased team productivity
  • Improved efficiency

14

Software-Defined Security

Security model managed through policy-driven software.

Features:

  • Automates and monitors controls like IDS, network segmentation, and access controls
  • Centralized management of security infrastructure

15

SIEM (Security Information and Event Management)

Examples: Splunk, SolarWinds, Datadog

Function:

  • Aggregates and correlates logs from multiple sources
  • Helps security managers understand the IT environment and detect threats

16

SIEM Tuning

Reduce false positives without increasing false negatives.

Benefit:
Minimizes analyst fatigue and improves alert quality

17

Audit Log Reduction Tools

  • Clipping Levels: Only record violations above a set threshold
  • Event Filtering: Focus on significant events that require attention

18

Dr. Edmond Locard

Pioneer in forensic science
Locard’s Principle of Exchange:

  • Criminals bring something into the scene
  • Criminals leave with something from the scene

Key Idea:
Every encounter leaves a trace

19

Suspect Narrowing Strategy

Mnemonic: M.O.M.

  • Means – Did the suspect have the tools or ability?
  • Opportunity – Was the suspect present or able to commit the act?
  • Motive – Did the suspect have a reason?

20

Hearsay

Evidence based on what the witness was told, not what they personally know.

Note:
Not normally admissible in court.

21

Chain-of-Custody

Chronological documentation of evidence handling.

Must Track:

  • Who had the evidence
  • When it was handled
  • How it was protected

Stages:
Identification, Gathering, Protection, Access, Presentation

22

Interviewing

Discover what happened.

Method:

  • Gather info from witnesses and victims
  • Resolve conflicting stories and timelines

23

Interrogation

Obtain testimony or confession to be used as evidence in trial.

24

Expert Witness

Educates the jury on specialized topics.

Use:
Can be presented as evidence.

25

Evidence Admissibility Rules

Mnemonic: S.T.R.I.C.

  • S: No unlawful Search & Seizure
  • T: Evidence must be Trustworthy & Reliable
  • R: Evidence must be Relevant to the case
  • I: Proper Identification and Protection
  • C: Maintain Chain of Custody

26

Evidence Lifecycle

  1. Discovery
  2. Protection
  3. Recording
  4. Collection and Identification
  5. Analysis
  6. Storage, Transportation, Preservation
  7. Present in Court
  8. Return to Owner

27

Capturing Digital Evidence

Start from volatile forms, then move to persistent forms.

28

Order of Volatility (OOV)

  1. Live system info (RAM, process list, unsaved work, encryption keys)
  2. Virtual memory (paging/swap/temp files)
  3. Physical media (hard drives, DVDs, USBs, printouts)
  4. Backups & networks (backup media, servers, log files, cloud storage)

29

Hard Drive Analysis Process

  1. Install write-blocker (Forensic Disk Controller)
  2. Hash the drive
  3. Create forensic bit-level images
  4. Hash the images to verify integrity
  5. Use images for analysis

30

Slack Space

Disk areas with lingering data from deleted files.

Forensics Tip:
Inspect slack space for hidden data fragments.

31

Common Types of Evidence

  • Direct/Testimony: Witness statements
  • Real/Physical: Objects proving/disproving guilt
  • Documentary: Records, photos, manuals
  • Digital: Emails, backups, browser history
    • ⚠️ Less reliable due to tampering risks
  • Demonstrative: Models, timelines, re-enactments

32

Types of Evidence (Legal Definitions)

  • Conclusive: Irrefutable, cannot be contradicted
  • Corroborative: Supports existing evidence
  • Circumstantial: Implies facts without direct proof

33

Types of Digital Forensics

1. Media Analysis:

  • Examines computers, storage devices, printers, faxes, smartphones, data, files, photos, recycle-bin, etc.

2. Software Analysis:

  • Examines applications and their output
  • Analyzes malware and its consequences

3. Network Analysis:

  • Examines logs, ISP logs, tools used, and affected devices
  • Traces email headers to locate sources

34

Legal Terms in Digital Forensics

  • Legal Hold: Notice to preserve relevant evidence
  • eDiscovery: Locating and securing electronic evidence for trial
  • Search Warrant: Court order for search and seizure
  • Subpoena: Legal order for witness or evidence submission
  • Wire Tapping: Eavesdropping on communications (requires warrant or consent)

35

Categories of Computer Crime

  • Financial Attacks: Fraud, credit card theft, salami attacks
  • Business Attacks: Corporate espionage
  • Military & Intelligence Attacks
  • Hacktivist Attacks: Politically motivated hacking
  • Terrorist Attacks
  • Grudge Attacks
  • Thrill Attacks: For fun or bragging rights
  • Piracy of Intellectual Materials
  • Wire & Mail Fraud

36

Trusted Path

A secure communication path that ensures:

  1. Tamper-resistant data
  2. User awareness of authenticity

Example:
SSL/TLS encryption

37

Types of IDPS (Detection/Prevention)

Network-Based IDPS:

  • Scans network traffic for attacks or intrusions

Host-Based IDPS:

  • Scans only the host it's installed on

Alternate Names for Host-Based IDPS:

  • HBSS (Host-Based Security Solution)
  • ESS (Endpoint Security Solution)
  • EDR (Endpoint Detection and Response)

38

Why Use Both Network & Host-Based IDPS?

  • Defense-in-Depth (layered security)
  • Host-based detects internal threats
  • Network-based can't read encrypted traffic
  • Devices may be taken off-site

39

IDPS Scanning Technologies

Signature-Based (Pattern Matching / Knowledge-Based):

  • Uses known attack signatures
  • Detects known threats

Behavior-Based (Anomaly-Based / Profile-Based):

  • Learns normal behavior profiles
  • Detects new or unknown threats
  • May use AI for analysis
  • Requires secure environment during learning phase

40

IDPS Detection Outcomes

True Positive - correctly identifies an intrusion

True Negative - correctly identifies no intrusion

False Positive - mistakenly flags legitimate traffic as intrusion

False Negative - fails to detect an actual intrusion

41

IDS Placement Scenarios

IDS Placement – Internet-Side of Firewall

Advantages:

  • Sees most attacks unfiltered from the Internet
  • Better visibility into external attack types and frequency
  • Can detect misconfigured firewalls if attacks exit the network

IDS Placement – LAN-Side of Firewall

Advantages:

  • Detects misconfigured firewalls if attacks enter the network
  • Better detection of insider threats
  • Less noise from external traffic → fewer false alarms

42

Honeypot / Honey-net

Fake targets designed to lure attackers

Benefits:

  • Protects real network
  • Observes attacker behavior
  • Acts as early-warning system

Honey-net:
A network of multiple honeypots

43

Padded Cell

Sandboxed honeypot environment

Function:
Attacker is redirected here by IDS

  • No harm can be done
  • Used for safe observation

44

Backup Strategy

Recover data in case of deletion, corruption, or alteration

3-2-1 Rule:

  • 3 copies of critical files
  • 2 backups on different media
  • 1 backup stored off-site

45

Backup Types

Onsite Backup:

  • Stored at same location as source
  • Enables rapid recovery

Offsite Backup:

  • Stored at a different, remote location
  • Protects against local disasters

Cloud Backup (Electronic Vaulting):

  • Scalable, high availability
  • Pay-as-you-go model

46

Backup Types & Schedule

  • Normal (Full): Resets archive bit on all files
  • Incremental: Backs up files changed since last backup
  • Differential: Backs up files changed since last full backup
  • Crash and Restore: Used for full system recovery

Example Schedule:

  • Monday: Full backup (file_a, file_b)
  • Tuesday: Incremental (file_c)
  • Wednesday: Incremental (file_d, file_e, file_f)
  • Thursday: Differential
  • Friday: Crash and Restore

47

Archive Bit

A flag attached to each file that is turned on when the file is edited.

Used by:
Incremental and differential backups to determine which files to back up.

48

Backup Restoration Rules

To restore a system:

  • Always need the latest full backup
  • Need all incrementals since the last full backup
  • Only need the last differential if using differential backups

Summary:
Latest full + last night's differential, or latest full + all incrementals in between

49

Media Management Tips

  • Encrypt backup tapes
  • Physically protect tapes during transport and storage
  • Track first use-date and number of uses (tapes degrade over time)

50

Tape Rotation Schemes

  • Grandfather-Father-Son
  • Tower of Hanoi
  • Six Cartridge Weekly

Purpose:
Avoid overwriting important backups and maintain historical copies

51

File Sensitivity & CIA

  • Sensitive Files: Focus on Confidentiality
  • Critical Files: Focus on Integrity and Availability
  • Backups support all CIA elements

52

Disk Check

Checking the starting and ending sectors of each partition

Tool Example:
chkdsk (Microsoft command-line utility)

53

RAID 0

Type: Striping
Disks: 2–32
Purpose: Performance
Fault Tolerance: ❌ Not fault-tolerant

54

RAID 1

Type: Mirroring
Disks: Exactly 2
Purpose: Fault tolerance
Performance: ❌ Not for performance

55

RAID 5

Type: Striping with Distributed Parity
Disks: Minimum 3
Purpose: Performance + Fault tolerance
Fault Tolerance: Can lose any 1 disk

56

RAID 6

Type: Striping with Distributed Parity
Disks: Minimum 4
Purpose: Performance + Fault tolerance
Fault Tolerance: Can lose any 2 disks

57

RAID 10 (1+0)

Type: Mirrored RAID 0 or Striped RAID 1
Purpose: Combines performance and fault tolerance

58

NAS (Network Attached Storage)

Function: Local data storage and retrieval over LAN
Protocols: SMB/CIFS
Access: Direct user access

59

SAN (Storage Area Network)

Function: Centralized storage for servers
Protocols: iSCSI, Fibre Channel, FCoE
Access: No direct user access; servers retrieve data

60

VSAN (Virtual SAN)

Function: Logical separation of a physical SAN
Analogy: Like VLANs for networks

61

DLP (Data Loss Prevention)

Prevent sensitive data from leaving the organization

Types:

  • Network-based DLP: Scans outgoing data at the perimeter
  • Host-based DLP: Prevents copying, printing, or burning sensitive data on endpoints

62

NAS vs SAN Overview

NAS (Network Attached Storage):

  • Connected via LAN
  • Used by laptops/workstations
  • File-level access
  • Easier to manage, lower cost

SAN (Storage Area Network):

  • Connected via Fibre Channel (FC) switches
  • Used by servers
  • Block-level access
  • Higher performance, more complex

63

Disaster Recovery Locations

Mirrored Site

  • Full equipment
  • Full data
  • MINS TO HOURS

Hot Site

  • Full equipment
  • HOURS TO 1 DAY

Warm Site

  • Some equipment
  • DAYS

Cold Site

  • No equipment
  • WEEKS+

64

Reciprocal Agreement

  • Also called mutual-aid agreement
  • Two organizations agree to be each other's disaster recovery site

65

Dual Sites

  • Multiple live processing centers
  • Used for redundancy and fault-tolerance

66

Other Sites to Plan For:

  1. Press Conference Site
  2. Command Center Site

Backup site should be:

  • Far enough to avoid same disaster
  • Close enough for employee access

67

Resource Capacity Agreement

  • Pre-arranged vendor agreements
  • Ensures access to resources post-disruption

68

Miscellaneous Planning Tips

  • Use job titles in DRP, not names
  • People change roles or leave the company

69

Call-Tree / Call-List

  • You call 5 people → they each call 5 more
  • Ensures rapid communication during disaster

70

Disaster Recovery vs. Restoration

  • Recovery = Over to backup site
    (Memory trick: "recover" has "over")
  • Restoration = Back to original site
    (Memory trick: "restore" has "OR" for "original")

71

Restoration Steps

  • Confirm incident is over
  • Ensure safety of return
  • Document losses (photos, insurance)
  • Salvage assets
  • Perform repairs/replacements
  • Shut down alternate site
  • Conduct lessons learned/post-mortem

72

Checklist / Desk-Check

  • Each department gets a copy of the DRP
  • Run through a checklist to verify coverage of relevant points

73

Table-Top Review

  • Representatives meet to discuss the plan
  • No actual actions performed

74

Structured Walk-Through

  • Team physically walks to response locations
  • Verbally reviews each step for effectiveness

75

Simulation Test

  • Practice drill
  • Mobilize personnel to attempt reaching RTO (Recovery Time Objective)

76

Parallel Test

  • Run operations at alternate site in parallel with production

77

Full-Interruption Test

  • Shut down production environment
  • Run live operations at alternate site

78

DRP Testing Frequency

  • Minimum: Once per year
  • Also test when significant changes are made

79

DRP Miscellaneous

  • Update plan after major changes
  • Include version numbers on each copy
  • Consider setting an expiration date (e.g., 1 year)

80

Version Control for DRP

  1. Archive obsolete plans
  2. Collect old copies
  3. Confirm collection (e.g., serial numbers)
  4. Issue new plans
  5. Destroy old plans

81

Failure Modes

Fail Open

  • System opens access upon failure
  • Prioritizes high availability
  • Example: Firewall fails and allows all traffic

Fail Closed

  • System blocks access upon failure
  • Prioritizes confidentiality/security
  • Example: Firewall fails and blocks all traffic

Fail Secure

  • Fails into a pre-defined secure state
  • Example: Doors lock when system fails

Fail Soft

  • System enters reduced functionality
  • Hibernates or saves data
  • Terminates non-essential functions

Fail Safe

  • Prioritizes safety of people/property
  • May compromise security
  • Example: Doors unlock during failure

Fail Over

  • Switches to a hot backup site
  • Ensures continuity of operations