CEH Study Slides With Examples and Definitions

Uploaded by

halarput1003

CEHv9 Module 01 Introduction to Ethical Hacking.

Page-40
The following areas in an organization might require more attention in terms of security:

- Encryption mechanisms
- Access control devices
- Authentication systems
- Firewalls
- Antivirus systems
- Web sites
- Gateways
- Routers and switches

There are two types of security policies:

- Technical security policies – Describe how to configure the technology for convenient use.
- Administrative security policies – Address how all persons should behave.

All employees must agree to and sign both the policies.

CEHv9 Module 01 Introduction to Ethical Hacking. Page-68


Here are the triage analysis process steps:

1. Detection – Validate security alert or event as a real incident vs. false positive
2. Scoping – Quickly investigate incident to surface attack details, affected assets, related indicators, etc.
3. Severity Classification – Assign severity level (low/medium/high) based on potential impact and damage
4. Escalation – Report the incident to appropriate parties based on the severity threshold
5. Containment – Initiate containment of high/critical incidents to isolate and limit damage
6. Queuing – Add lower severity incidents to the queue for future response based on resources
7. Eradication – For severe events, execute steps to eliminate threats from the environment
8. Recovery – For severe events, start restoration of impacted systems and data
9. Circle Back – Continuously analyze and triage new security alerts as they come in

Examples of Triage Cybersecurity Incidents


Heavy Traffic on Port 80 (Low-Priority)
Port 80 is the go-to port for Hypertext Transfer Protocol (HTTP) and web browsing. When there’s a spike in inbound requests to
port 80 across an organization’s internet-facing systems, it signals increased web traffic. This traffic spike on port 80 could stem
from employees downloading more work-related content and files off the web.

Phishing Attempt (Medium-Priority)

Malware Attack (High-Priority)


Speed is critical. Triaging newly discovered malware entails immediately isolating the infection, blocking communication to
external C2 servers, and determining the root cause. How did it get on the infected system? Was it a trojan application, a
poisoned website, or user-activated?
https://www.ccslearningacademy.com/what-is-triage-in-cyber-security/
How does SIEM fit into cybersecurity triage?

SIEM solutions provide centralized data and alert collection, helping analysts in the rapid detection and prioritization of
security threats. SIEM tools often feature risk-based alerting and anomaly detection to facilitate effective triage.

What is the difference between triage and threat intelligence?

While triage is focused on real-time detection, validation, and prioritization of incidents, threat intelligence is about
collecting data on cyber threats and adversaries proactively. Triage benefits from threat intelligence by gaining context
around threats, which helps in more accurate prioritization.

SIEM

- Centralized dashboard: Provide a single pane of glass to view alerts from across systems
- Correlation analysis: Automatically link related events across data sources
- Baseline profiling: Identify normal behavior to detect anomalies
- Threat intel integration: Incorporate external IOCs and threat feeds
- Risk scoring: Assign risk levels to alerts based on severity
- Machine learning: Leverage models to surface high-fidelity threats
- Visual analytics: Present data visually to help analysts spot trends
- Customizable workflows: Build incident response workflows and playbooks
- Collaboration tools: Enable comment threads and tasks for collaborative response
- Reporting features: Produce reports to document incidents and steps taken
- Case management: Log all triage steps and findings within cases
- API integrations: Ingest alerts from proprietary security tools
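The triage steps, the three example incidents, and the SIEM points on risk scoring and threat-intel integration can be tied together in code. The block below is an added example, not from the slides: a minimal triage pipeline over constructed SIEM-style alerts, where a match against a (hypothetical) IOC feed raises severity, and alerts at or above the escalation threshold are contained while the rest are queued. Alert categories, IOC values and host names are all made up for the example.

```python
"""Added example (not from the slides): a toy triage pipeline that walks steps
1-6 above over constructed alerts, with threat-intel IOC matching (the context
the slides say CTI adds) raising severity."""
from dataclasses import dataclass, field

# Constructed threat-intel feed: hypothetical IOC values, not real indicators.
IOC_FEED = {"198.51.100.23", "bad-updates.example.invalid"}
ESCALATION_THRESHOLD = "high"   # step 5: contain high/critical incidents
LEVELS = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Alert:
    alert_id: str
    category: str            # "traffic_spike", "phishing" or "malware"
    asset: str
    indicators: list = field(default_factory=list)
    validated: bool = True   # False = judged a false positive in step 1

def classify(alert: Alert) -> str:
    """Step 3: severity from potential impact, using the slides' three examples
    as the base level. Step 2 (scoping) is modelled by checking the alert's
    indicators against the IOC feed; a hit bumps severity one level."""
    base = {"traffic_spike": "low", "phishing": "medium",
            "malware": "high"}.get(alert.category, "medium")
    if base != "high" and any(i in IOC_FEED for i in alert.indicators):
        return "medium" if base == "low" else "high"
    return base

def triage(alerts):
    """Steps 1-6: returns (escalated incidents with containment actions,
    lower-severity queue ordered by severity)."""
    escalated, queue = [], []
    for a in alerts:
        if not a.validated:                  # step 1: drop false positives
            continue
        sev = classify(a)                    # steps 2-3
        if LEVELS[sev] >= LEVELS[ESCALATION_THRESHOLD]:
            escalated.append({"id": a.alert_id, "severity": sev, "asset": a.asset,
                              # steps 4-5: actions from the malware example above
                              "actions": ["isolate_host", "block_c2", "root_cause"]})
        else:
            queue.append({"id": a.alert_id, "severity": sev})   # step 6
    queue.sort(key=lambda q: -LEVELS[q["severity"]])
    return escalated, queue

SAMPLE_ALERTS = [  # constructed sample input
    Alert("A1", "traffic_spike", "web-01", ["tcp/80"]),
    Alert("A2", "phishing", "mail-gw", ["bad-updates.example.invalid"]),
    Alert("A3", "malware", "ws-117", ["198.51.100.23"]),
    Alert("A4", "malware", "ws-042", [], validated=False),
]

if __name__ == "__main__":
    esc, q = triage(SAMPLE_ALERTS)
    print("escalated:", esc)
    print("queued:", q)
```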
Cyber Threat Intelligence (CTI) helps organizations stay informed about new threats so that they can protect themselves.
It's evidence-based information about cyber attacks that cyber security experts organize and analyze.

This information may include:

- Mechanisms of an attack
- How to identify an attack
- Different types of attacks
- Action-oriented advice (about how to defend against attacks)

What is IOC?

Any evidence left behind by an attacker or malicious software that can be used to identify a security incident.

What are tactics, techniques, and procedures (TTPs)?

TTPs are used to describe the behaviors, strategies and methods used by an attacker to develop and execute cyberattacks on
enterprise networks.

CTI also provides:

- IOCs
- TTPs
- Campaign details
- Mitigation guidance
https://www.slideteam.net/types-of-social-engineering-attack-with-pretexting.html
Persistence refers to the techniques and strategies that enable continued access to a system after the initial point of
compromise.
