Cloud Security: Detecting, Responding to, and Recovering from Security Incidents


Questions and Answers

What is the main purpose of detecting security incidents?

  • To monitor cloud assets for performance issues
  • To identify vulnerabilities in cloud assets
  • To quickly respond to and minimize the damage (correct)
  • To prevent all security incidents from happening

What is a common characteristic of organizations and industries that experience security incidents?

  • They have a strong security team in place
  • They experience minor security incidents as a routine part of life (correct)
  • They have a small number of assets to protect
  • They have never experienced a security incident

What is the key difference between a bad breach and a really bad breach?

  • The type of data stolen
  • The number of assets affected
  • The severity of the attack
  • The time it takes to detect and respond to the breach (correct)

What is the primary goal of understanding attacker behavior and attack progression?

To detect attacks more quickly (B)

What is the focus of the previous chapters in this book?

Identifying and protecting cloud assets (B)

What is the likely outcome of not having adequate security measures in place?

Attackers will almost certainly attempt to gain unauthorized access (A)

What was the average time to identify a breach in a recent study of over 550 organizations?

277 days (D)

What is the estimated cost savings for companies that identify a breach in fewer than 200 days?

More than $1 million (C)

What is the primary purpose of resources like MITRE ATT&CK and the Lockheed Martin Cyber Kill Chain?

To describe the tactics and techniques used by attackers (C)

What is the main difference between the MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain?

MITRE ATT&CK is more detailed, while the Kill Chain is more of an outline (C)

What is the recommended action for an incident response team regarding the MITRE ATT&CK framework and kill chain models?

Read through at least one kill chain model and understand some of the TTPs in the MITRE ATT&CK cloud matrix (B)

What is the benefit of understanding what attackers are likely to try during an active attack?

It can help incident response teams respond more effectively (B)


Study Notes

Detecting, Responding to, and Recovering from Security Incidents

  • Even with cloud security measures in place, security incidents can still occur, and it's essential to detect and respond to them quickly.
  • Minor security incidents are a common part of life in some organizations and industries.
  • Attackers will attempt to gain unauthorized access to assets, and it's crucial to detect them quickly, kick them out, and perform damage control.
  • Understanding what attackers do and how attacks proceed is vital in detecting and responding to security incidents.

MITRE ATT&CK and Kill Chains

  • Resources like MITRE ATT&CK and kill chains (e.g., Lockheed Martin Cyber Kill Chain, Unified Kill Chain) describe the tactics, techniques, and procedures (TTPs) used by attackers.
  • MITRE ATT&CK is a detailed framework that catalogs the TTPs used in each phase of an attack, broken down by computing environment (including a cloud matrix).
  • Kill chains are more general outlines, listing common steps in the order attackers typically take them, such as:
    • Reconnaissance
    • Weaponization
    • Delivery
    • Exploitation
    • Installation
    • Command and control
    • Action on objectives
  • It's recommended that incident response teams read and understand at least one kill chain model and some TTPs in the MITRE ATT&CK cloud matrix.
  • Understanding attacker TTPs can help when responding to an active attack.

Importance of Quick Detection and Response

  • The mean time to identify a breach is 277 days, according to a study of over 550 organizations.
  • Companies that identify a breach in fewer than 200 days can save over $1 million compared to those that take more than 200 days.
  • Quick detection and response can significantly reduce the impact of a security incident.
