cyberOPS 13
Which top-level element of the VERIS schema would allow a company to document the incident timeline? Discovery and Response Incident Description Incident Tracking Victim Demographics
Discovery and Response. The VERIS schema has five top-level elements: Incident Tracking, Victim Demographics, Incident Description, Discovery and Response, and Impact Assessment. The Discovery and Response element records the incident timeline (initial compromise, discovery, containment) and how the incident was discovered.
What is the objective of the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure?
In the command and control phase of the Cyber Kill Chain, the threat actor establishes command and control (CnC) with the target system. Over the two-way communication channel, the threat actor can issue commands to the malware installed on the target and receive its output.
Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
Install a web shell on the target web server for persistent access. In the installation phase of the Cyber Kill Chain, the threat actor establishes a backdoor into the system to allow for continued access to the target.
Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?
Develop metrics for measuring the incident response capability and its effectiveness. NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC; defining such metrics is one purpose of the plan element.
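The two questions above, documenting the incident timeline in the VERIS Discovery and Response element and defining metrics for the response capability, fit together: the timeline fields are exactly what the metrics are computed from. The following added example (not part of the course material) records constructed incidents in a VERIS-like structure and derives mean time to discover and mean time to contain from them. The outer section names follow the course's top-level elements; the nested key names and the `discovery_method` free text are simplifying assumptions, not the VERIS schema's own keys.

```python
"""VERIS-style incident timeline record and incident response metrics.

Added example (not from the course material). Timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    incident_id: str
    compromise: datetime    # first confirmed attacker action on the victim
    discovery: datetime     # moment the victim became aware of the incident
    containment: datetime   # moment the attacker's access was cut off
    discovery_method: str   # free text here; the real VERIS schema uses an enumeration

    def __post_init__(self):
        # A timeline that runs backwards is a data-entry error and must not
        # silently produce negative response times in the metrics below.
        if not (self.compromise <= self.discovery <= self.containment):
            raise ValueError(f"{self.incident_id}: timeline is out of order")


def make_incident(incident_id, compromise, discovery, containment, method) -> Incident:
    """Build an Incident from ISO 8601 timestamps (e.g. '2023-03-01T08:00')."""
    parse = datetime.fromisoformat
    return Incident(incident_id, parse(compromise), parse(discovery), parse(containment), method)


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def time_to_discover(inc: Incident) -> float:
    """Attacker dwell time before detection, in hours."""
    return hours_between(inc.compromise, inc.discovery)


def time_to_contain(inc: Incident) -> float:
    """Hours from discovery to containment."""
    return hours_between(inc.discovery, inc.containment)


def to_veris_record(inc: Incident) -> dict:
    """Render the incident as a VERIS-like document.

    The two section names mirror the course's top-level elements; the nested
    key names are simplified assumptions and not taken from the VERIS schema.
    """
    return {
        "incident_tracking": {"incident_id": inc.incident_id},
        "discovery_and_response": {
            "timeline": {
                "compromise": inc.compromise.isoformat(),
                "discovery": inc.discovery.isoformat(),
                "containment": inc.containment.isoformat(),
                "hours_to_discover": time_to_discover(inc),
                "hours_to_contain": time_to_contain(inc),
            },
            "discovery_method": inc.discovery_method,
        },
    }


def capability_metrics(incidents) -> dict:
    """Mean time to discover and mean time to contain: two metrics a CSIRC plan
    would track to show whether the response capability is improving."""
    incidents = list(incidents)
    if not incidents:
        raise ValueError("metrics need at least one incident")
    return {
        "incidents": len(incidents),
        "mean_hours_to_discover": mean(time_to_discover(i) for i in incidents),
        "mean_hours_to_contain": mean(time_to_contain(i) for i in incidents),
    }


# Constructed sample data: two fictitious incidents.
SAMPLE_INCIDENTS = [
    make_incident("INC-2023-0007", "2023-03-01T08:00", "2023-03-04T08:00",
                  "2023-03-04T20:00", "internal: SIEM alert"),
    make_incident("INC-2023-0019", "2023-05-10T00:00", "2023-05-10T06:00",
                  "2023-05-11T06:00", "external: customer report"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(to_veris_record(SAMPLE_INCIDENTS[0]), indent=2))
    print(capability_metrics(SAMPLE_INCIDENTS))
```

The ordering check in `__post_init__` is the part worth keeping in any real tracker: a containment time entered before the discovery time would otherwise show up as a negative response time and flatter the metrics.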
After containment, what is the first step of eradicating an attack?
Identify all hosts that need remediation, so that the effects of the attack can be eliminated from every affected system rather than only the one where it was first noticed.
What is a chain of custody?
A chain of custody is the documented record of the evidence collected about an incident: who collected it, who handled it, when, and what was done with it at each step. Investigators and courts rely on this record to show that the evidence has not been altered or substituted.
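In practice the record is anchored by a cryptographic hash taken at acquisition, so that every later hand-off can prove the item is unchanged. The following added example (not part of the course material) keeps such a log for one evidence item; the evidence bytes, names and timestamps are constructed, and a hand-off whose hash no longer matches the acquisition hash is refused rather than recorded.

```python
"""Chain-of-custody log for one evidence item, with integrity verification.

Added example (not from the course material). Names, times and the evidence
bytes are constructed.
"""
import hashlib
import json
from datetime import datetime


class CustodyError(Exception):
    """Raised when an event cannot be recorded without breaking the chain."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Ordered record of who handled an evidence item, when, and what they did.

    Every entry carries the item's SHA-256 at that moment. The hash taken at
    acquisition is the reference: a later hand-off whose hash differs means the
    evidence changed while in someone's custody, so the hand-off is refused and
    the discrepancy surfaces immediately instead of in court.
    """

    def __init__(self, evidence_id, description, data, collected_by, collected_at):
        self.evidence_id = evidence_id
        self.description = description
        self.acquisition_hash = sha256_hex(data)
        self.entries = []
        self._append("collected", collected_by, collected_at, self.acquisition_hash, None)

    def _append(self, action, custodian, when, digest, note):
        # Timestamps are ISO 8601 strings; refuse events recorded out of order.
        if self.entries and datetime.fromisoformat(when) < datetime.fromisoformat(self.entries[-1]["time"]):
            raise CustodyError(f"{self.evidence_id}: event at {when} predates the last entry")
        self.entries.append({"action": action, "custodian": custodian, "time": when,
                             "sha256": digest, "note": note})

    def transfer(self, to, data, when, note=None):
        """Record a hand-off, verifying the item is byte-identical to what was collected."""
        digest = sha256_hex(data)
        if digest != self.acquisition_hash:
            raise CustodyError(f"{self.evidence_id}: hash mismatch on transfer to {to}")
        self._append("transferred", to, when, digest, note)

    def verify(self) -> bool:
        """True if every recorded hash matches the acquisition hash."""
        return all(e["sha256"] == self.acquisition_hash for e in self.entries)

    def export(self) -> str:
        """Serialise the log for the case file."""
        return json.dumps({"evidence_id": self.evidence_id,
                           "description": self.description,
                           "acquisition_sha256": self.acquisition_hash,
                           "entries": self.entries}, indent=2)


# Constructed evidence: a fragment standing in for a disk image.
EVIDENCE = b"constructed forensic image fragment: boot sector + MFT entries"


def demo_chain() -> ChainOfCustody:
    chain = ChainOfCustody("EVD-0042", "Laptop disk image, host WS-117", EVIDENCE,
                           "J. Rivera (IR analyst)", "2024-02-03T09:15:00+00:00")
    chain.transfer("Evidence locker", EVIDENCE, "2024-02-03T11:40:00+00:00", "sealed bag #A17")
    chain.transfer("Forensic lab", EVIDENCE, "2024-02-05T08:05:00+00:00")
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    print(chain.export())
    print("chain intact:", chain.verify())
```

The log records hand-offs only when the hash still matches; a tampered copy or an out-of-order timestamp raises `CustodyError` and leaves the existing entries untouched, which is the behaviour you want from a record that may later have to be defended.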
What type of CSIRT organization is responsible for determining trends to help predict and provide warning of future security incidents?
Analysis centers. There are many different types of CSIRTs and related information security organizations. Analysis centers use data from many sources to determine security incident trends that can help predict future incidents and provide early warning, which helps to mitigate the damage incidents can cause.
Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-facing web server?
Analyze the infrastructure storage path used for files. Once the paths through which files reach and are stored on the server are known (upload directories, shared storage, temporary locations), security measures can be put in place to monitor those paths and detect malware delivered through them.
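Monitoring the file storage path is also the natural place to catch the web shell that the installation phase described above leaves behind. The following added example (not part of the course material) scans an upload directory that should contain only images and documents and reports files carrying web-shell indicators: a server-executable extension, a script extension hidden inside a double extension, or script markers in the content regardless of the file's claimed type. The sample directory and its files are constructed inside the script so it runs offline.

```python
"""Scan an upload directory for web-shell indicators.

Added example (not from the course material). The sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

# Extensions the web server would hand to a script interpreter. An upload
# path meant for images or documents should never contain these.
SCRIPT_EXTENSIONS = {".php", ".php5", ".phtml", ".phar", ".jsp", ".jspx", ".asp", ".aspx"}

# Byte patterns typical of PHP/JSP/ASP web shells; checked regardless of the
# file's claimed type so that a "photo.jpg" carrying PHP is still caught.
SCRIPT_MARKERS = [
    (re.compile(rb"<\?php"), "PHP open tag"),
    (re.compile(rb"<%"), "JSP/ASP open tag"),
    (re.compile(rb"\beval\s*\("), "eval() call"),
    (re.compile(rb"\bbase64_decode\s*\("), "base64_decode() call"),
    (re.compile(rb"\b(?:system|passthru|shell_exec|exec|popen)\s*\("), "command execution call"),
    (re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\["), "request-parameter access"),
]
HEAD_BYTES = 64 * 1024  # only the first 64 KiB is inspected; shells are small


def scan_file(path: Path) -> list[str]:
    """Return the reasons a file looks like a web shell (empty list if clean)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in SCRIPT_EXTENSIONS:
        reasons.append(f"executable extension {suffixes[-1]}")
    if any(s in SCRIPT_EXTENSIONS for s in suffixes[:-1]):
        # e.g. resume.php.jpg: some server configurations still execute this
        reasons.append("script extension hidden in a double extension")
    head = path.read_bytes()[:HEAD_BYTES]
    for pattern, label in SCRIPT_MARKERS:
        if pattern.search(head):
            reasons.append(f"content contains {label}")
    return reasons


def scan_upload_dir(root: Path) -> dict[str, list[str]]:
    """Walk the upload path and report every file with at least one indicator."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = scan_file(path)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_upload_dir() -> Path:
    """Create a constructed upload directory mixing benign and malicious files."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    (root / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n")
    (root / "shell.php").write_bytes(b"<?php system($_GET['cmd']); ?>")
    # JPEG magic bytes followed by PHP: a polyglot that passes a naive type check
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php eval(base64_decode($_POST['x'])); ?>")
    (root / "resume.php.jpg").write_bytes(b"<?php passthru($_REQUEST['c']); ?>")
    return root


if __name__ == "__main__":
    for name, reasons in scan_upload_dir(build_sample_upload_dir()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run periodically or from a file-creation hook on the real upload path, the same logic gives an alert at delivery or installation time; the content check matters more than the extension check, because the extension is under the attacker's control.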
In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services? Media Impersonation Attrition Loss or theft
Common attack vectors include media, attrition, impersonation, and loss or theft. Attrition attacks use brute force to compromise, degrade, or destroy systems, networks, or services. Media attacks are executed from removable media or a peripheral device. Impersonation attacks replace something benign with something malicious (for example, spoofing, man-in-the-middle, rogue wireless access points, or SQL injection). Loss or theft attacks involve the loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
Cyber Kill Chain Model
1. Reconnaissance: The threat actor performs research, gathers intelligence, and selects targets.
2. Weaponization: The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
3. Delivery: The weapon is transmitted to the target using a delivery vector.
4. Exploitation: The threat actor uses the delivered weapon to exploit the vulnerability and gain control of the target.
5. Installation: The threat actor establishes a backdoor into the system to allow for continued access to the target.
6. Command and Control (CnC): The threat actor establishes command and control (CnC) with the target system.
7. Action on Objectives: The threat actor is able to take action on the target system, thus achieving the original obj
When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations of a system?
Employee awareness training and email testing. Auditing endpoints to forensically determine the origin of an exploit can help block future exploitations of systems.
Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident? Detection and analysis Preparation Containment, eradication, and recovery Post-incident activities
It is in the detection and analysis phase of the NIST incident response life cycle that the CSIRT identifies and validates incidents through continuous monitoring. NIST defines four phases of the life cycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Which NIST incident response life cycle phase includes training for the computer security incident response team on how to respond to an incident? Post-incident activities Containment, eradication, and recovery Detection and analysis Preparation
It is in the preparation phase of the NIST incident response life cycle that the CSIRT is trained on how to respond to an incident.
According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?
Management. The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.
When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? Conduct full malware analysis. Train web developers to secure code. Collect email and web logs for forensic reconstruction. Build detections for the behavior of known weaponizers. Perform regular vulnerability scanning and penetration testing.
Train web developers to secure code, and perform regular vulnerability scanning and penetration testing. The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Among other measures, regular vulnerability scanning and penetration testing and training web developers in secure coding can help block potential exploitations on systems.
Which three aspects of a target system are most likely to be exploited after a weapon is delivered? Applications User accounts OS vulnerabilities Existing backdoors Domain name space DHCP configurations
The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Threat actors will use an exploit that gains the effect they desire, does it quietly, and avoids detection.
Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, and username and password) that the adversary uses for the intrusion event? Results Direction Resources Methodology
The resources element in the Diamond Model is used to describe one or more external resources used by the adversary for the intrusion event. The resources include software, knowledge gained by the adversary, information (e.g., username/passwords), and assets to carry out the attack.
After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?
Weaponization. Port scanning and identifying a vulnerability belong to the reconnaissance phase; in the next phase, weaponization, the threat actor uses that intelligence to build a weapon (for example, an exploit paired with a payload) tailored to the vulnerability found.