Security+ Long Study 4
4.0 Security Operations (28%)
4.1 Given a scenario, apply common security techniques to computing resources.
4.2 Explain the security implications of proper hardware, software, and data asset management.
4.3 Explain various activities associated with vulnerability management.
4.4 Explain security alerting and monitoring concepts and tools.
4.5 Given a scenario, modify enterprise capabilities to enhance security.
4.6 Given a scenario, implement and maintain identity and access management.
4.7 Explain the importance of automation and orchestration related to secure operations.
4.8 Explain appropriate incident response activities.
4.9 Given a scenario, use data sources to support an investigation.
4.4 Explain security alerting and monitoring concepts and tools.
🟠 Monitoring Computing Resources
• Systems: Monitor the health, performance, and security of servers, endpoints, and devices within the network.
• Applications: Track the availability, functionality, and security of software applications deployed across the network.
• Infrastructure: Monitor network components like routers, switches, firewalls, and other devices to ensure they function securely.
🟠 Activities
• Log Aggregation: Collect logs from systems, applications, and devices for centralized analysis.
• Alerting: Set up alerts to detect security incidents, anomalies, or deviations from normal behavior.
• Scanning: Regularly scan systems and networks to find vulnerabilities and misconfigurations.
• Reporting: Generate reports to give insights into performance, security, and compliance.
• Archiving: Archive logs and reports for historical analysis and compliance.
🟠 Alert Response and Remediation/Validation
• Quarantine: Isolate compromised systems to prevent further damage.
• Alert Tuning: Adjust thresholds to reduce false positives and focus on meaningful alerts.
🟠 Tools
• SCAP: Automates vulnerability management, security measurements, and compliance checks.
• Benchmarks: Use security benchmarks to assess system configurations.
• Agents/Agentless: Collect data using monitoring agents or agentless solutions.
• SIEM: Centralized platform for analyzing security event data to detect threats.
• Antivirus: Software to detect, prevent, and remove malicious software.
• DLP: Solutions to prevent unauthorized access or transmission of sensitive data.
• SNMP Traps: Monitor network devices and get notifications about significant events.
• NetFlow: Analyze network traffic patterns to detect anomalies and security threats.
• Vulnerability Scanners: Tools for identifying system weaknesses.
4.5 Modify enterprise capabilities to enhance security.
🟠 Firewall
• Rules: Define policies on traffic flow, specifying allowed or denied access based on criteria.
• Access Lists: Define rules to determine permitted or denied traffic based on IP addresses, ports, and protocols.
• Ports/Protocols: Manage access to specific ports and protocols, blocking unauthorized communication.
• Screened Subnets: Implement layered defenses to separate internal and external networks.
🟠 IDS/IPS (Intrusion Detection/Prevention Systems)
• Trends: Monitor patterns to detect and prevent threats in real-time.
• Signatures: Use predefined signatures to identify known threats.
🟠 Web Filter
• Agent-Based: Deploy software on endpoints to filter web traffic.
• Centralized Proxy: Route traffic through a central proxy to enforce filtering policies.
• URL Scanning: Inspect URLs to identify and block malicious websites.
• Content Categorization: Classify web content to restrict access based on policies.
• Block Rules: Define rules to block access to specific sites.
• Reputation: Evaluate website reputations to assess risks.
🟠 Operating System Security
• Group Policy: Enforce security settings on Windows systems.
• SELinux: Implement mandatory security policies on Linux systems.
🟠 Secure Protocols
• Protocol Selection: Choose secure protocols like HTTPS or SSH for encryption and authentication.
• Port Selection: Control access to secure protocols and block vulnerable ones.
• Transport Method: Ensure encryption (e.g., TLS/SSL) for secure data transmission.
• DNS Filtering: Block unauthorized DNS requests to prevent malicious access.
🟠 Email Security
• DMARC: Protect against email spoofing and phishing.
• DKIM: Verify email authenticity with digital signatures.
• SPF: Prevent email spoofing by listing which mail servers are authorized to send for a domain.
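The three records above live in DNS as TXT records, and a common operations task is checking how strong a domain's configuration actually is (for example, a DMARC policy of `p=none` only reports and blocks nothing). The following is an added example, not from the original study notes or any vendor tool; it parses constructed SPF and DMARC record strings and rates their enforcement level. The record strings, the rating labels and the function names are all assumptions made for this example.

```python
# Added example: rate the enforcement strength of SPF and DMARC TXT records.
# The sample records below are constructed for this example, not real domains' records.
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.example.com -all"
SAMPLE_SPF_WEAK = "v=spf1 ip4:192.0.2.0/24 ~all"
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none"


def parse_tag_values(record):
    """Split a 'tag=value; tag=value' style record (DMARC uses this form) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Check the SPF version tag and the qualifier on the final 'all' mechanism.
    '-all' hard-fails unlisted senders; '~all' soft-fails; '?all' is neutral;
    '+all' (or a bare 'all') lets any sender pass, which defeats the purpose."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return {"valid": False, "all_qualifier": None, "strength": "not an SPF record"}
    qualifier = None
    for tok in tokens[1:]:
        t = tok.lower()
        if t.lstrip("+-~?") == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"  # no prefix means '+'
    strength = {
        "-": "strong (hard fail for unlisted senders)",
        "~": "moderate (soft fail)",
        "?": "weak (neutral)",
        "+": "dangerous (any sender passes)",
        None: "weak (no 'all' mechanism)",
    }[qualifier]
    return {"valid": True, "all_qualifier": qualifier, "strength": strength}


def assess_dmarc(record):
    """Check the DMARC version, the 'p' policy and whether aggregate reporting (rua) is set."""
    tags = parse_tag_values(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"valid": False, "policy": None, "strength": "not a DMARC record", "reporting": False}
    policy = tags["p"].lower()
    strength = {
        "reject": "strong",
        "quarantine": "moderate",
        "none": "monitor-only (no enforcement)",
    }.get(policy, "unknown policy")
    return {"valid": True, "policy": policy, "strength": strength, "reporting": "rua" in tags}


if __name__ == "__main__":
    for rec in (SAMPLE_SPF_STRONG, SAMPLE_SPF_WEAK):
        print(rec, "->", assess_spf(rec)["strength"])
    for rec in (SAMPLE_DMARC_ENFORCING, SAMPLE_DMARC_MONITOR):
        print(rec, "->", assess_dmarc(rec)["strength"])
```

DKIM is not rated here because its record is a public key rather than a policy; what a reviewer checks for DKIM is that the selector record exists and the key is not undersized, which needs a DNS lookup rather than string parsing.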
🟠 File Integrity Monitoring
• Detect unauthorized changes to files or configurations.
🟠 DLP (Data Loss Prevention)
• Prevent unauthorized transmission of sensitive data.
🟠 NAC (Network Access Control)
• Enforce policies to control access based on device compliance.
🟠 EDR/XDR
• Monitor endpoints for threats and suspicious activity.
🟠 User Behavior Analytics
• Analyze user activities to detect anomalies and mitigate risks.
4.6 Implement and maintain identity and access management.
🟠 Provisioning/De-provisioning User Accounts
• Permission Assignments: Define user access rights based on roles and responsibilities.
• Identity Proofing: Verify user identity using methods like biometrics.
• Federation: Enable SSO across domains using a trusted identity provider.
• SSO: Allow users to access multiple systems with one set of credentials.
• LDAP: Protocol for centralized user authentication.
• OAuth: Grant limited access to third-party apps without sharing credentials.
• SAML: Standard for exchanging authentication and authorization data.
• Interoperability: Ensure systems work together seamlessly.
🟠 Access Controls
• Mandatory Access Control (MAC): Restrict access based on security labels.
• Discretionary Access Control (DAC): Allow owners to assign access permissions.
• Role-Based Access Control (RBAC): Assign permissions based on user roles.
• Rule-Based Access Control: Control access based on specific conditions.
• Attribute-Based Access Control (ABAC): Grant access based on user attributes.
• Time-of-Day Restrictions: Limit access based on time.
• Least Privilege: Provide only the minimum necessary access to users.
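The access control models above are easiest to tell apart when they are combined in one decision function: roles grant permissions (RBAC), a clock-based rule limits when privileged actions may run (rule-based, time-of-day), a request attribute such as "MFA was used" gates the most sensitive actions (ABAC), and anything not explicitly granted is denied (least privilege). The following is an added example written for these notes, not code from the original page; the roles, users, permission names and the business-hours window are all constructed assumptions.

```python
# Added example: one authorization check combining RBAC, a time-of-day rule and an
# ABAC attribute, with deny-by-default. All data below is constructed for illustration.
from datetime import time

ROLE_PERMISSIONS = {
    "analyst": {"read:logs", "read:alerts"},
    "admin": {"read:logs", "read:alerts", "write:firewall_rules"},
}
USER_ROLES = {
    "alice": {"analyst"},
    "bob": {"admin"},
}
# Rule-based control: privileged writes are only permitted inside this window.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def permissions_for(user):
    """RBAC: a user's effective permissions are the union of their roles' permissions.
    An unknown user has no roles and therefore no permissions."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def within_window(now, window):
    """True when `now` (a datetime.time) falls inside a same-day [start, end] window."""
    start, end = window
    return start <= now <= end


def is_allowed(user, permission, now, attributes=None):
    """Return (decision, reason). Nothing is allowed unless every applicable check passes."""
    attributes = attributes or {}
    if permission not in permissions_for(user):
        return False, "no role grants this permission"
    if permission.startswith("write:"):
        # Time-of-day restriction on privileged actions.
        if not within_window(now, BUSINESS_HOURS):
            return False, "outside permitted time window"
        # ABAC: the session attribute must show the user authenticated with MFA.
        if not attributes.get("mfa"):
            return False, "write requires an MFA-authenticated session"
    return True, "allowed"


if __name__ == "__main__":
    print(is_allowed("alice", "read:logs", time(10, 0)))
    print(is_allowed("bob", "write:firewall_rules", time(22, 0), {"mfa": True}))
```

The order of the checks matters for least privilege: the role check runs first so that a user with no grant is refused before any conditional rule is even considered, and the reason string lets an auditor see which layer made the decision.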
🟠 Multifactor Authentication (MFA)
• Biometrics: Use fingerprints or facial recognition for authentication.
• Hard/Soft Tokens: Use devices or apps to generate one-time passwords.
• Security Keys: Use physical devices for authentication.
🟠 Password Concepts
• Password Best Practices: Implement strong password policies.
• Password Managers: Tools to store and manage passwords securely.
• Passwordless: Use biometrics or hardware tokens instead of passwords.
🟠 Privileged Access Management
• Just-in-Time Permissions: Grant temporary access to privileged accounts.
• Password Vaulting: Store privileged account credentials securely.
• Ephemeral Credentials: Generate temporary credentials for specific tasks.
4.7 Importance of Automation and Orchestration for Secure Operations.
🟠 Use Cases of Automation and Scripting
• User and Resource Provisioning: Automate account and resource setup.
• Security Groups: Automate security group management and access controls.
• Ticket Creation and Escalation: Automate incident handling workflows.
• Enabling/Disabling Services: Automate access control and service management.
🟠 Benefits
• Efficiency/Time Saving: Reduces manual efforts and errors.
• Enforcing Baselines: Ensures consistent security configurations.
• Scaling in a Secure Manner: Scale infrastructure up or out while keeping security controls consistently applied.
• Employee Retention: Reduces repetitive tasks, improving job satisfaction.
• Reaction Time: Speeds up incident detection and response.
🟠 Other Considerations
• Complexity: Requires careful planning to avoid issues.
• Cost: Initial investment in automation tools and training.
• Single Point of Failure: Need for redundancy to avoid relying on a single automation system.
• Technical Debt: Poorly designed automation can lead to maintenance challenges.
4.8 Appropriate Incident Response Activities.
🟠 Process
• Preparation: Develop policies, plans, and tools for responding to incidents.
• Detection: Use systems like IDS and SIEM to identify incidents.
• Analysis: Investigate the scope and root cause of incidents.
• Containment: Isolate affected systems to limit damage.
• Eradication: Remove the root cause (e.g., malware, vulnerabilities).
• Recovery: Restore systems and services to normal operation.
• Lessons Learned: Review incidents to improve response plans.
🟠 Training
• Provide ongoing training for personnel to handle incidents effectively.
🟠 Testing
• Tabletop Exercise: Simulate scenarios to practice response strategies.
• Simulation: Conduct realistic incident simulations to evaluate effectiveness.
🟠 Incident Response Activities
● Simulation
• Realistic simulations of security incidents to evaluate the effectiveness of the response plan, test communication between teams, and assess how well the organization handles a real incident.
● Lessons Learned
• Post-incident reviews help identify what went well, what didn’t, and how to improve processes, response times, and preventive measures for continuous improvement.
● Training
• Ongoing security awareness and response training for personnel ensure that everyone knows their role in an incident and can respond effectively when needed.
🟠 Testing Methods
● Tabletop Exercises
• Simulated events to evaluate team reactions, clarify roles, and fine-tune the overall process.
● Simulations
• These exercises help refine incident response strategies by mimicking realistic attack scenarios in a safe, controlled environment.
🟠 Digital Forensics
● Legal Hold
• Implementing measures to preserve potential evidence related to a security incident to ensure its integrity and admissibility in legal proceedings.
● Chain of Custody
• Documenting the chronological history of evidence from the time it is collected until it is presented in court, ensuring its integrity and authenticity.
● Acquisition
• Gathering and collecting digital evidence from various sources, including systems, networks, and storage devices, using forensically sound methods.
● Reporting
• Documenting findings, analysis, and conclusions from digital forensic investigations in comprehensive reports suitable for internal review and legal purposes.
● Preservation
• Ensuring the integrity and security of digital evidence throughout the forensic investigation process to prevent tampering, alteration, or loss.
● E-discovery
• Identifying, collecting, and preparing electronically stored information (ESI) for legal proceedings, including litigation, regulatory inquiries, and internal investigations.
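Preservation and chain of custody are usually recorded as a hash taken at acquisition plus a log of every hand-off. The following is an added example for these notes, not code from the original page or from any forensic tool; it stores the SHA-256 of a constructed evidence byte string, records custody transfers, and checks both that the bytes are unchanged and that each transfer came from the previous holder. The evidence bytes, names and timestamps are all constructed assumptions.

```python
# Added example: minimal evidence record with integrity hash and chain-of-custody log.
# The evidence bytes, people and timestamps below are constructed for illustration only.
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """One acquired artifact plus its custody log."""

    def __init__(self, item_id, description, data, collector, when):
        self.item_id = item_id
        self.description = description
        # The hash taken at acquisition is the reference for every later preservation check.
        self.sha256 = sha256_hex(data)
        self.custody_log = [{"when": when, "action": "acquired", "from": None, "to": collector}]

    def transfer(self, from_person, to_person, when, reason):
        self.custody_log.append(
            {"when": when, "action": "transfer", "from": from_person, "to": to_person, "reason": reason}
        )

    def current_holder(self):
        return self.custody_log[-1]["to"]

    def verify(self, data):
        """Preservation check: the bytes must still hash to the acquisition hash."""
        return sha256_hex(data) == self.sha256

    def chain_is_continuous(self):
        """Chain-of-custody check: every hand-off must originate from the previous holder
        and timestamps must not go backwards; any gap means the chain cannot be vouched for."""
        for prev, cur in zip(self.custody_log, self.custody_log[1:]):
            if cur["from"] != prev["to"] or cur["when"] < prev["when"]:
                return False
        return True


def example_chain(break_chain=False):
    """Build a constructed evidence item with two hand-offs; optionally add a hand-off
    from someone who never held the item, to show what a broken chain looks like."""
    data = b"CONSTRUCTED-DISK-IMAGE-BYTES-0001"  # stand-in for an acquired image
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    item = EvidenceItem("EV-001", "laptop disk image (constructed)", data, "alice", t0)
    item.transfer("alice", "bob", datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc), "handed to lab")
    if break_chain:
        # 'carol' never received the item, so this entry breaks continuity.
        item.transfer("carol", "dave", datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc), "analysis")
    return item, data


if __name__ == "__main__":
    item, data = example_chain()
    print(item.item_id, item.sha256, "holder:", item.current_holder())
    print("intact:", item.verify(data), "chain ok:", item.chain_is_continuous())
```

In practice the acquisition hash and each custody entry are written to a signed or write-once record outside the evidence store, so that an altered log cannot simply be rehashed to match.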
4.9 Given a scenario, use data sources to support an investigation.
🟠 Log Data
● Firewall Logs
• Records of activities and events related to network traffic passing through a firewall, including allowed and denied connections, intrusion attempts, and policy violations.
● Application Logs
• Records generated by applications detailing their activities, errors, and user interactions, providing insights into application behavior and performance.
● Endpoint Logs
• Records generated by endpoints (e.g., desktops, laptops, servers) detailing user activities, system events, and security-related events such as login attempts, file access, and malware detection.
● OS-Specific Security Logs
• Logs generated by operating systems containing security-related events such as authentication events, privilege changes, system file modifications, and audit trail records.
● IPS/IDS Logs
• Logs generated by Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) containing information about detected threats, attack signatures, and alerts triggered by suspicious network activities.
● Network Logs
• Logs generated by network devices such as routers, switches, and proxies, containing information about network traffic, connections, bandwidth usage, and network security events.
● Metadata
• Additional information associated with log entries, such as timestamps, source and destination IP addresses, user identifiers, event IDs, and severity levels, enhancing the context and analysis of log data.
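Firewall logs are the most common input to the log aggregation and alerting activities listed under 4.4, and the metadata fields above (timestamp, source, destination, port) are exactly what an alert rule keys on. The following is an added example for these notes, not from the original page or from any firewall vendor; it parses a few constructed key=value style log lines, groups denied connections by source address, and raises an alert when one source is denied on several distinct ports, with the threshold acting as the alert-tuning knob. The log format, the addresses and the threshold are assumptions made for this example.

```python
# Added example: aggregate constructed firewall deny events and alert on multi-port probing.
# The log lines and their key=value format are constructed for this example only.
import re
from collections import defaultdict

SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=TCP
2024-05-01T10:00:02Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=23 proto=TCP
2024-05-01T10:00:03Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=TCP
2024-05-01T10:00:04Z fw01 action=ALLOW src=192.168.1.20 dst=10.0.0.8 dport=443 proto=TCP
2024-05-01T10:00:05Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=445 proto=TCP
2024-05-01T10:00:06Z fw01 action=DENY src=198.51.100.9 dst=10.0.0.5 dport=22 proto=TCP
garbage line that does not match the expected format
"""

# One event per line; this pattern is an assumption about the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_firewall_logs(text):
    """Log aggregation step: turn raw lines into dicts, skipping lines that do not parse
    so one malformed record cannot stall the whole pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def denied_ports_by_source(events):
    """Group DENY events by source address, keeping the set of distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            ports[e["src"]].add(e["dport"])
    return ports


def generate_alerts(events, threshold=3):
    """Alerting step: a source denied on at least `threshold` distinct ports is reported.
    Raising the threshold reduces false positives at the cost of sensitivity (alert tuning)."""
    alerts = []
    for src, ports in sorted(denied_ports_by_source(events).items()):
        if len(ports) >= threshold:
            alerts.append((src, len(ports)))
    return alerts


if __name__ == "__main__":
    evts = parse_firewall_logs(SAMPLE_LOGS)
    for src, n in generate_alerts(evts, threshold=3):
        print(f"ALERT: {src} denied on {n} distinct ports")
```

With the sample data, a threshold of 3 flags the source that touched four different closed ports and ignores the one with a single deny; raising the threshold to 5 produces no alert at all, which is the trade-off alert tuning makes explicit.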
🟠 Data Sources
● Vulnerability Scans
• Results and reports generated by vulnerability scanning tools, identifying security vulnerabilities, misconfigurations, and potential weaknesses within systems and networks.
● Automated Reports
• Scheduled or automated reports generated by security tools, systems, and monitoring solutions, providing summaries, trends, and analysis of security events and activities.
● Dashboards
• Visual representations of log data, metrics, and key performance indicators (KPIs) displayed in real-time or near real-time, enabling security analysts to monitor and analyze security posture and trends.
● Packet Captures
• Records of network traffic captured and stored for analysis, allowing security analysts to inspect packet contents, detect anomalies, and investigate network security incidents.