BentleySec - Security Operations and Monitoring

Software and Systems Security

Given a scenario, analyze data as part of security monitoring activities.

Heuristics
Trend analysis
Endpoint

Malware

Reverse engineering

Memory
System and application behavior

Known-good behavior
Anomalous behavior
Exploit techniques

File system
User and entity behavior analytics (UEBA)

Network

Uniform Resource Locator (URL) and domain name system (DNS) analysis

Domain generation algorithm

Flow analysis
Packet and protocol analysis

Malware

Log review

Event logs
Syslog
Firewall logs
Web application firewall (WAF)
Proxy
Intrusion detection system (IDS)/Intrusion prevention system (IPS)

Impact analysis

Organization impact vs. localized impact
Immediate vs. total

Security information and event management (SIEM) review

Rule writing
Known-bad Internet protocol (IP)
Dashboard

Query writing

String search
Script
Piping

E-mail analysis

Malicious payload
Domain Keys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Sender Policy Framework (SPF)
Phishing
Forwarding
Digital signature
E-mail signature block
Embedded links
Impersonation
Header

Given a scenario, implement configuration changes to existing controls to improve security.

Permissions
Allow list (previously known as whitelisting)
Blocklist (previously known as blacklisting)
Firewall
Intrusion prevention system (IPS) rules
Data loss prevention (DLP)
Endpoint detection and response (EDR)
Network access control (NAC)
Sinkholing
Malware signatures

Development/rule writing

Sandboxing
Port security

Explain the importance of proactive threat hunting.

Establishing a hypothesis
Profiling threat actors and activities
Threat hunting tactics

Executable process analysis

Reducing the attack surface area
Bundling critical assets
Attack vectors
Integrated intelligence
Improving detection capabilities

Compare and contrast automation concepts and technologies.

Workflow orchestration

Security Orchestration, Automation, and Response (SOAR)

Scripting
Application programming interface (API) integration
Automated malware signature creation
Data enrichment
Threat feed combination
Machine learning
Use of automation protocols and standards

Security Content Automation Protocol (SCAP)

Continuous integration
Continuous deployment/delivery