2 - Utilizing Threat Data and Intelligence


Kill Chain Step 4: Exploitation

The weaponized code is executed on the target system by this mechanism. For example, a phishing email may trick the user into running the code, while a drive-by-download would execute on a vulnerable system without user intervention.

Google Hacking Database (GHDB)

Maintained by Offensive Security, it contains a list of search strings to locate such "Google Dorks" who are running vulnerable web application versions, have made files containing passwords available, or have left a webcam publicly accessible. You can use this database to learn the search operators that return fruitful results.

Computer Emergency Response Team (CERT)

A group of experts who respond to cybersecurity incidents. Helpful in applying real-world solutions to various cybersecurity problems. They may be government contractors or employees of a major corporation.

Command and Control (C2) goals

1. Data theft. Sensitive company data, such as financial documents, can be copied or transferred to an attacker's server.
2. Shutdown. An attacker can shut down one or several machines, or even bring down a company's network.
3. Reboot. Infected computers may suddenly and repeatedly shut down and reboot, which can disrupt normal business operations.
4. Distributed denial of service. DDoS attacks overwhelm servers or networks by flooding them with internet traffic. Once a botnet is established, an attacker can instruct each bot to send a request to the targeted IP address, creating a jam of requests for the targeted server. The result is like traffic clogging a highway - legitimate traffic to the attacked IP address is denied access.

Lockheed Martin Kill Chain model

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control (C2 or C&C)
7. Actions on objectives

Pipl API

A comprehensive data API with developer-friendly client libraries and code samples for popular languages to easily add real-time identity information to your application. Automated Identity Verification, Fraud and Investigation Support

Script Kiddie

A derogatory term used to refer to non-serious hackers who are believed to reject the ethical principles held by professional hackers, which include the pursuit of knowledge, respect for skills, and a motive of self-education. They shortcut most hacking methods in order to quickly gain their hacking skills. They don't put much thought or time into gaining computer knowledge, but educate themselves quickly in order to learn only the bare minimum. They may use hacking programs written by other hackers because they often lack the skills to write their own.

STIX domain objects (SDO): Indicator

A pattern of observables that are "of interest," or worthy of cybersecurity analysis. Ideally, software would automate the discovery of correlations between observables based on a knowledge of past incidents and TTPs.

Trusted Automated eXchange of Indicator Information (TAXII)

A protocol that provides a means for transmitting CTI data between servers and clients over HTTPS and a REST API (Representational State Transfer Application Programming Interface). For example, a CTI service provider would maintain a repository of CTI data. Subscribers to the service obtain updates to the data to load into analysis tools over _________. This data can be requested by the client (referred to as a collection), or the data can be pushed to subscribers (referred to as a channel).

What type of threat research is best suited to configuring effective firewall rules?

A reputational threat feed can be used to block known bad IP address ranges and domains.

Indicator of Compromise (IoC)

A residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Can be definite and objectively identifiable, like a malware signature, but many require subjective judgment calls based on the analyst's experience and knowledge of organizational systems. Because these are often identified through anomalous activity rather than overt incidents, they can be open to interpretation. Therefore, it's important, whenever possible, to correlate multiple __________ to produce a more complete and accurate narrative of events.

Shodan

A search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type and version, plus vendor and ID information. It also gathers metadata, such as IP address, host name, and geographic location. As well as being a popular hacking tool for finding vulnerable Internet of Things (IoT) and industrial control system (ICS) devices, you can also use enterprise features of the site to monitor your own devices and networks.

Threat Modeling: Attack Vector

A specific means of exploiting some point on the attack surface.

Structured Threat Information eXpression (STIX)

A standardized language developed by MITRE and the OASIS Cyber Threat Intelligence (CTI) Technical Committee for describing cyber threat information. It has been adopted as an international standard by various intelligence sharing communities and organizations. It is designed to be shared via TAXII, but can be shared by other means.

STIX domain objects (SDO): Observed Data

A stateful property of the computer system or network or an event occurring within it. Examples of observables include an IP address, a change in an executable file property or signature, an HTTP request, or a firewall blocking a connection attempt. Observables would be generated by the logging and monitoring system.

Malware Information Sharing Project (MISP)

A threat intelligence platform for sharing, storing, and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or even counter-terrorism information. Its purpose is not only to store, share, and collaborate on cybersecurity indicators and malware analysis, but also to use the IoCs and information to detect and prevent attacks, fraud, or threats against ICT infrastructures, organizations, or people.

Zero-Day Malware

A threat that exploits an unknown computer security vulnerability. The term is derived from the age of the exploit, which takes place before or on the first day of a developer's awareness of the exploit or bug. This means that there is no known security fix because developers are oblivious to the vulnerability or threat. Attackers exploit these vulnerabilities through different vectors. Web browsers are the most common, due to their popularity. Attackers also send emails with attachments exploiting software attachment vulnerabilities.

nslookup command

A tool included in many operating systems that can look up IP addresses and perform other searches on DNS domains and servers.

Command and Control (C2)

A type of computer attack that uses a number of hosts to overwhelm a server, causing a website to experience a complete system crash. This type of denial-of-service attack is perpetrated by hackers to target large-scale, far-reaching and popular websites in an effort to disable them, either temporarily or permanently. This is often done by bombarding the targeted server with information requests, which disables the main system and prevents it from operating. This leaves the site's users unable to access the targeted website.

Threat Modeling: Adversary Capability Levels

Acquired and augmented; Developed; Advanced; Integrated

Hacktivist

Act of hacking a website or computer network in an effort to convey a social or political message. In contrast to a malicious hacker who hacks a computer with the intent to steal private information or cause other harm, __________ engage in similar forms of disruptive activities to highlight political or social causes. An Internet-enabled strategy to exercise civil disobedience. Acts may include website defacement, denial-of-service attacks (DoS), redirects, website parodies, information theft, virtual sabotage and virtual sit-ins.

Your organization is planning to transition from using local clients to provisioning desktop instances via cloud-based infrastructure. Your CISO has asked you to outline a threat-modeling project to support selection and development of security controls to mitigate risks with this new service. What five methodologies should your outline contain?

Adversary capability analysis, total attack surface analysis, attack vector analysis, impact analysis, and likelihood analysis.

What elements of an event do the vertices in the Diamond Model represent?

Adversary, capability, victim, and infrastructure.

Threat Modeling: Total Attack Surface

All the points at which an adversary could interact with the system and potentially compromise it. To determine the __________, you must inventory the assets deployed on your network and the processes that those assets support.

whois command

An Internet service and protocol that searches and displays information pertaining to a domain name from repositories of domain name registrars worldwide. A free Internet service that enables a user to search a specific domain name's availability and, in the case that it's registered, the assigned entity/person to whom it is registered. Was first conceived in 1982 as an enhancement to the Nickname protocol that was developed by ARPANET.

You work for a PR and marketing company that handles highly sensitive information for its high-profile clients. Client records are stored in a database and file system hosted on your private corporate network. As well as client records, this includes media such as photos and videos. Most remote client communications and data transfers take place using a one-to-one encrypted messaging app, but you also accommodate some clients who prefer to use email. A high percentage of your staff work remotely, accessing data and services over a VPN. You are reviewing your security procedures in the light of some high-profile hacks of celebrity data. At this point, you want to understand the attack surface and attack vectors by which your private network could be compromised. Focusing on email, think of how email is processed as it is sent by a remote user and received by your company. What are the attack vectors against the company's email servers? How can these be related to adversary capability, assuming the levels to be advanced (most capable), developed, and augmented (least capable)?

An advanced adversary may be able to effect a compromise of the email server security, using a zero-day vulnerability. This type of exploit is expensive to develop, but if the client data is of sufficient value an adversary may consider it worthwhile. An advanced or even an augmented level adversary could exploit an unpatched vulnerability—consider the Exim mail server vulnerability (zdnet.com/article/exim-email-servers-are-now-under-attack), for example. An advanced or developed adversary could also exploit configuration errors in the mail server, such as allowing external users to impersonate a local sender. Any level of adversary could use phishing or similar techniques to send malicious code or attachments to recipients in the hope that it will not be identified by security filters.

What distinguishes an attack framework from an indicator management tool?

An attack framework, such as the kill chain, MITRE ATT&CK, or the Diamond Model, is a way of relating the events observed in an attack to a pattern or sequence. An indicator management tool, such as Structured Threat Information eXchange (STIX) or OpenIOC, is a way of packaging threat data so that it can be consumed by automated detection and analysis tools and shared as CTI by cooperating organizations.

OSINT: Publicly Available Information

An attacker can harvest information from public repositories and web searches. Available information includes categories such as the IP addresses of an organization's DNS servers; the range of addresses assigned to the organization; names, email addresses, and phone numbers of contacts within the organization; and the organization's physical address. This data is publicly available through Whois records, Securities and Exchange Commission (SEC) filings, telephone directories, and more.

DNS and Website Harvesting

An attacker might be able to obtain useful information by examining a company's domain registration records by running a whois lookup against the appropriate Registry. An attacker may also test a network to find out if the DNS service is misconfigured. A misconfigured DNS may allow a zone transfer, which will give the attacker the complete records of every host in the domain, revealing a huge amount of information about the way the network is configured.

Pipl SEARCH

An intuitive SaaS search product with interactive identity profiles of detailed personal, professional, social, demographic, contact and relationship information. Manual Review Teams, Investigators, Researchers and Analysts

OpenIOC

An open framework, meant for sharing threat intelligence information in a machine-readable format. It was developed by the American cybersecurity firm MANDIANT in November 2011. It is written in eXtensible Markup Language (XML) and can be easily customized for additional intelligence so that incident responders can translate their knowledge into a standard format. Organizations can leverage this format to share threat-related latest Indicators of Compromise (IoCs) with other organizations, enabling real-time protection against the latest threats.

OSINT: Metadata

Attackers can run metadata scans on publicly available documents using a tool like Fingerprinting Organizations with Collected Archives (FOCA). For example, Microsoft Office documents posted on the Internet may not directly divulge sensitive information about an organization, but an attacker could glean useful information from its metadata, including the names of authors or anyone that made a change to the document. By using search engines, FOCA (elevenpaths.com/labstools/foca/index.html) can cross-reference files with other domains to find and extract metadata.

OSINT: Social media

Attackers can use social media sites like Facebook and LinkedIn to mine for an organization's information. Depending on how much an organization or an organization's employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of.

Total Attack Surface: Corporate data network

Consider access by external users (VPN, email/VoIP, FTP/internally hosted website, Wi-Fi, building security) and internal users (switch port security, management channels, unlocked workstations, and so on).

Total Attack Surface: Website/cloud

Consider the web application used for the front end, but also ways to access the application programmatically via an application programming interface (API). You might also consider the possibility of compromise from within the service provider's data center.

Adversary Capability Level: Integrated

Can additionally use non-cyber tools, such as political or military assets.

Adversary Capability Level: Advanced

Can exploit supply chains to introduce vulnerabilities in proprietary and open-source products and plan campaigns that exploit suppliers and service providers.

Adversary Capability Level: Developed

Can identify and exploit zero-day vulnerabilities and can deploy significant human and financial resources to attack planning and execution.

Organized Crime

Can operate across the Internet from different jurisdictions than its victims, increasing the complexity of prosecution. Will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.

Following a serious data breach affecting a supplier company, your CEO wants assurance that your company is not exposed to the same risk. The supplier is willing to share threat data gathered about the breach with you. You advise a threat hunting program as the most appropriate tool to use. What should be the first step in this process?

Establish a hypothesis. You already have the basic scenario of the data breach at the supplier company. This will require documenting and developing. You can then move on to profiling threat actors and activities and developing threat hunting tactics to query indicators from your own systems.

Tactics, Techniques, and Procedures (TTP)

Describes an approach to analyzing an APT's operation, or can be used as a means of profiling a certain threat actor. Tactics outline the way an adversary chooses to carry out an attack from beginning to end. The technological approach to achieving intermediate results during the campaign is described by the techniques the attacker uses. Lastly, the organizational approach of the attack is defined by the procedures used by the threat actor.

Threat Modeling

Designed to identify the principal risks and TTPs that a system may be subject to by evaluating the system both from an attacker's point of view and from the defender's point of view. For each scenario-based threat situation, the model asks whether defensive systems are sufficient to repel an attack perpetrated by an adversary with a given level of capability.

You work for a PR and marketing company that handles highly sensitive information for its high-profile clients. Client records are stored in a database and file system hosted on your private corporate network. As well as client records, this includes media such as photos and videos. Most remote client communications and data transfers take place using a one-to-one encrypted messaging app, but you also accommodate some clients who prefer to use email. A high percentage of your staff work remotely, accessing data and services over a VPN. You are reviewing your security procedures in the light of some high-profile hacks of celebrity data. At this point, you want to understand the attack surface and attack vectors by which your private network could be compromised. What countermeasures can be deployed for each email attack vector?

Effective patch management of both the server and client email software will provide mitigation against most threats. The server should be configured with security filters to reject spam and phishing emails and block malicious links and attachments. Security awareness training will help employees to recognize phishing attempts that do get past the server security.

As part of your threat hunting proposal, you need to identify benefits of the program. You have listed opportunities to close attack vectors, reduce the attack surface, and bundle critical assets within additional layers of security controls. What other benefit or benefits does threat hunting offer?

Firstly, threat hunting develops integrated intelligence capabilities by which you correlate cyber-threat intelligence (CTI) with locally observed indicators. Secondly, the queries, filters, and tactics used can be redeployed to improve detection capabilities in conventional monitoring systems.

Total Attack Surface: Bespoke software apps

Forms and controls on the application's user interface, interaction with other software via an API or file/data import process, and vulnerabilities from the host OS or platform.

Section 4: Unknown to Others / Unknown to Us

Future vulnerability discoveries

Attack Vector: Physical

Gaining local access to premises in order to effect an intrusion or denial of service attack.

Echosec

Gathers critical information from hidden online sources to support threat intelligence and risk mitigation

Nation-State Actors

Have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals. Have been implicated in many attacks, particularly on energy and electoral systems. Their goals are primarily espionage and strategic advantage, but it is known that countries—North Korea being a good example—target companies purely for commercial gain. You should also realize that each state may sponsor multiple adversary groups, and that these groups may have different objectives, resources, and degrees of collaboration with one another.

Threat Classification

Historically, cybersecurity techniques depended very much on the identification of "static" known threats, such as viruses, rootkits, Trojans, and botnets. It is straightforward to identify and scan for this type of threat with automated software by matching the malicious code to a signature in a database of known malware. Unfortunately, many adversaries now have the capability to develop means of circumventing these security systems.

Known Threats

Historically, cybersecurity techniques depended very much on the identification of "static" threats, such as viruses, rootkits, Trojans, and botnets. It is straightforward to identify and scan for this type of threat with automated software by matching the malicious code to a signature in a database of known malware. Unfortunately, many adversaries now have the capability to develop means of circumventing these security systems.

You work for a PR and marketing company that handles highly sensitive information for its high-profile clients. Client records are stored in a database and file system hosted on your private corporate network. As well as client records, this includes media such as photos and videos. Most remote client communications and data transfers take place using a one-to-one encrypted messaging app, but you also accommodate some clients who prefer to use email. A high percentage of your staff work remotely, accessing data and services over a VPN. You are reviewing your security procedures in the light of some high-profile hacks of celebrity data. At this point, you want to understand the attack surface and attack vectors by which your private network could be compromised. What comes next in the chain of processing incoming email, and what attack vectors can adversaries exploit?

If it has not been rejected by the server, email is stored in a mailbox and accessed using a mail client. More sophisticated adversaries may be able to target mail client vulnerabilities to run exploits without user intervention, while less sophisticated ones will rely on the user manually opening a file or link.

Kill Chain Step 7: Actions on objectives

In this phase, the attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). An attacker may have other goals or motives, however.

Kill Chain Step 1: Reconnaissance

In this stage the attacker determines what methods to use to complete the phases of the attack. One significant issue here is that the attacker will not want to draw attention to him- or herself so will try to identify stealthy methods to proceed. The attacker discovers what they can about how the target is organized and what security systems it has in place. This phase may use both passive information gathering and active scanning of the target network. The outcome of the phase, if successful, will be one or more potential exploits. The attacker also needs to establish resources to launch the attack. To evade detection, this will normally mean a botnet of compromised hosts, which can be used as unwitting zombies to facilitate scans, DDoS attacks, and exploits, and then mask their origin.

STIX domain objects (SDO): Attack Pattern

Known adversary behaviors, starting with the overall goal and asset target (tactic), and elaborated over specific techniques and procedures. This information is used to identify potential indicators and intrusion sets.

You work for a PR and marketing company that handles highly sensitive information for its high-profile clients. Client records are stored in a database and file system hosted on your private corporate network. As well as client records, this includes media such as photos and videos. Most remote client communications and data transfers take place using a one-to-one encrypted messaging app, but you also accommodate some clients who prefer to use email. A high percentage of your staff work remotely, accessing data and services over a VPN. You are reviewing your security procedures in the light of some high-profile hacks of celebrity data. At this point, you want to understand the attack surface and attack vectors by which your private network could be compromised. What remote access methods could an attacker exploit?

Many attacks use email to effect an initial compromise. There is also substantial risk from the remote devices used to access the VPN and from weak credentials being exploited to access the VPN directly. The messaging app could have vulnerabilities or there could be compromise of the endpoints used to access it. It is not mentioned in the scenario, but most companies have a website and the server underpinning that represents another vector. You might also consider the risk of an advertent or inadvertent insider threat, such as unauthorized use of a file-sharing service.

STIX domain objects (SDO): Course of Action (CoA)

Mitigating actions or use of security controls to reduce risk from attacks or to resolve an incident.

Open-Source Intelligence (OSINT)

Most companies and the individuals that work for them publish a huge amount of information about themselves on the Web and on social media sites. Some of this information is published intentionally; quite a lot is released unintentionally or can be exploited in ways that the company or individual could not foresee. An attacker can "cyberstalk" his or her victims to discover information about them via Google Search or by using other web or social media tools.

Behavioral Threat Research

Most threat sources cannot be identified from a single indicator. __________ correlates IoCs into attack patterns. For example, analysis of previous hacks and intrusions produces definitions of the tactics, techniques, and procedures (TTP) used to perform attacks.

Reputational Threat Research

One means of identifying a threat is to associate indicators that you discover in your logs with _________ data. A __________ source identifies IP address ranges and DNS domains that are associated with malicious activity, such as sending spam or participating in DDoS attacks. One example is the Talos Reputation Center (talosintelligence.com/reputation_center). This tracks activity and rates each source with a granular reputation score metric, plus a basic indicator—good, neutral, or poor. There are similar systems for file reputation that work based on a file's digital signature, computed using a cryptographic hash sum, such as SHA256.

Peekyou

PeekYou is a people search engine site that places people at the center of the Internet. It lets you discover the people most important and relevant to your life.

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

Provide access to a database of known tactics, techniques, and procedures (TTPs). This freely available resource tags each technique with a unique ID and places it in one or more tactic categories, such as initial access, persistence, lateral movement, or command and control. The sequence in which attackers may deploy any given tactic category is not made explicit. This means analysts must interpret each attack life cycle from local evidence. The framework makes TTPs used by different adversary groups directly comparable, without assuming how any particular adversary will run a campaign at a strategic level.

Section 1: Known to Others / Known to Us

Published Vulnerabilities; Known Viruses; Brute-Force Attacks

Advanced Persistent Threat (APT)

Refers to a cyberattack launched by an attacker with substantial means, organization and motivation to carry out a sustained assault against a target. It employs stealth and multiple attack methods to compromise the target, which is often a high-value corporate or government resource. The attack is difficult to detect, remove, and attribute. Once the target is breached, back doors are often created to provide the attacker with ongoing access to the compromised system. The attacker can spend months gathering intelligence about the target and use that intelligence to launch multiple attacks over an extended period of time. Perpetrators are often after highly sensitive information, such as the layout of nuclear power plants or codes to break into U.S. defense contractors.

Threat Modeling: Adversary Capability

Refers to a threat actor's ability to craft novel exploit techniques and tools.

Commodity Malware

Refers to code that can be used in general circumstances and that is packaged for general sale, typically through dark web marketplaces.

Data Loss Prevention (DLP)

Refers to the identification and monitoring of sensitive data to ensure that it's only accessed by authorized users and that there are safeguards against data leaks. Major insider threats as well as more stringent state privacy laws triggered the adoption of DLP in 2006.

What control types are effective in dealing with structured insider threats?

Technical controls are less likely to be able to inhibit this, as the actors are more likely to be able to bypass them. Implementing operational and management controls, especially secure logging and auditing, is essential.

OSINT: HTML code

The HTML code of an organization's web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators. The layout and organization of the code can reveal development practices, capabilities, and level of security awareness.

STIX domain objects (SDO): Campaign and Threat Actors

The adversaries launching cyberattacks are referred to in this framework as Threat Actors. The actions of Threat Actors utilizing multiple TTPs against the same target or the same TTP against multiple targets may be characterized as a campaign.

Kill Chain Step 2: Weaponization

The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system.

Kill Chain Step 3: Delivery

The attacker identifies a vector by which to transmit the weaponized code to the target environment, such as via an email attachment or on a USB drive.

Email Harvesting

The general purpose of email harvesting is to identify who works at a company. Most companies use real names for email addresses. This makes it possible for the attacker to identify social media or personal web accounts operated by an employee and from there try to identify an exploit. An attacker will also want to try to match email addresses to job roles. In many circumstances a company may just publish information about senior staff and their job roles on its website or in promotional material such as a shares prospectus or the information filed with regulatory authorities.

Unknown Threats

The sophisticated nature of modern cybersecurity threats means that when classifying threats, it is important to be able to describe and analyze behaviors as well as enumerate known attack signatures. This type of threat classification underpins tools and procedures that can detect __________. This means threats that are unlikely to be detected by off-the-shelf tools.

Kill Chain Step 6: Command and control (C2 or C&C)

The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.

What control types are effective in dealing with unintentional insider threats?

This is best tackled via security training and awareness, plus procedural controls to govern critical tasks. Monitoring statistics related to training use and documentation can help to identify employees or departments where there is elevated risk of inadvertent threats.

Kill Chain Step 5: Installation

This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.

Insider Threat Types

Threat arises from an actor who has been identified by the organization and granted some sort of access. Within this group of internal threats, you can distinguish insiders with permanent privileges, such as employees, from insiders with temporary privileges, such as contractors and guests.

IoC Examples

Unauthorized software and files; Suspicious emails; Suspicious Registry and file system changes; Unknown port and protocol usage; Excessive bandwidth usage; Rogue hardware; Service disruption and defacement; Suspicious or unauthorized account usage

Attack Vector: Cyber

Use of a hardware or software IT system. Some examples of cyberattack vectors include email or social media messaging, USB storage, compromised user account, open network application port, rogue device, and so on.

Attack Vector: Human

Use of social engineering to perpetrate an attack through coercion, impersonation, or force. Note that attackers may use cyber interfaces to human attack vectors, such as email or social media.

Shadow IT

Users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process. The problem of __________ is exacerbated by the proliferation of cloud services and mobile devices, which are easy for users to obtain. Creates a new unmonitored attack surface for malicious adversaries to exploit.

Adversary Capability Level: Acquired and augmented

Uses commodity malware and techniques only (acquired) or has some ability to customize existing tools (augmented).

Unintentional Insider Threat Types

Usually arise from lack of awareness or from carelessness, such as users demonstrating poor password management.

Section 2: Unknown to Others / Known to Us

Vulnerabilities we've discovered, but others have not

What role does TAXII play in indicator management?

Where Structured Threat Information eXchange (STIX) provides the syntax for describing indicators and other attack elements, the Trusted Automated eXchange of Indicator Information defines a protocol for transmitting STIX data between CTI producers and consumers.

Section 3: Known to Others / Unknown to Us

Zero-day Exploits

