1.0 Attacks, Threats, and Vulnerabilities
1.7 Techniques used in Security Assessments
Threat Hunting - Proactively detecting and locating threats/vulnerabilities in the environment
Intelligence Fusion - Aggregating raw data and logs from multiple sources into one database
Threat Feeds - Streams of threat information and alerts, often provided by third parties
Advisories and Bulletins - Published security reports
Maneuver - Deployment of security tools, including automated deployment
Vulnerability Scans
False Positives - A flagged event that does not actually pose a threat
False Negatives - A vulnerability exists on a device but is not flagged/detected
Log Reviews - Pulling data sourced from device logs
Credentialed - Scan as if you have authorized account access
Non-Credentialed - Scan as if you have no access
Intrusive - Attempts to exploit the vulnerabilities it finds
Non-Intrusive - Only identifies vulnerabilities, without attempting to exploit them
Application - Scans installed software (e.g., anti-virus scanning)
Web Application - Scans for XSS (cross-site scripting), SQL injection and code injection
Network - Scans the network for open ports and other network vulnerabilities
Common Vulnerabilities and Exposures (CVE) - Public reference list of known vulnerabilities.
Common Vulnerability Scoring System (CVSS) - Scoring system indicating the severity of known vulnerabilities.
Configuration Review - Scan device or software for misconfigurations
Syslog/Security Information and Event Management (SIEM) - Software that acts as a central hub for security information
Review Reports - Generate reports from diverse data sources
Packet Capture - Monitor network traffic
Data Inputs - Feed raw data into SIEM (authentications, VPN connections, firewall logs, denied network traffic)
User Behavior Analysis - Set a baseline of normal activity and use deviations from it as a risk trigger
Security Monitoring - Constant monitoring of the real-time information flow: tracking statistics, sending alerts when a risk is found, and automated ticket generation
Security Operations Center (SOC) - Centralized location to do security monitoring.
Log Aggregation - Storing all logs in a central database
Log Collectors - Retrieve/accept and store all logs.
Security Orchestration, Automation and Response (SOAR) - Automates tedious and routine tasks, connects multiple tools together, and responds automatically to maintain real-time security.