DCO


What are the six main elements or components to firewall rules?

1.Base protocol 2.Source address 3.Source port 4.Target address 5.Target port 6.Action

INFOCON level where ‐Highest readiness condition ‐Addresses intrusion techniques that cannot be defeated at lower INFOCONs ●E.g. kernel rootkit ‐Significant impact to end-users for short periods

INFOCON 1

-The first formal study in the requirements process - consists of the following activities: ●Defining the capability required ●Gap analysis

●Capabilities Based Assessment (CBA)

INFOCON level where ‐Higher frequency validation process ‐Preplanning personnel training & pre-positioning of system rebuilding utilities ●Use of "hot spare" equipment = reduced rebuild time ‐Significant impact to users for short periods

INFOCON 2

INFOCON level where ‐Further increase in frequency of validation processes ‐Minor impact to end-users

INFOCON 3

INFOCON level where ‐Increases preparation for exercises ‐User profiles reviewed for dormant accounts ‐Increased frequency of validation process ‐Confirm state of network as good (unaltered) or bad (compromised) ‐Limited impact to users

INFOCON 4

INFOCON level where ‐Routine network ops (DoDINOps) ‐Normal readiness ‐Admins create snapshot of systems/network (known good "Baseline") ‐No impact to end-users

INFOCON 5

What are two vulnerabilities for lans?

Outdated components and misconfiguration

Incident response methodology where 1.Mitigating the risk 2.Restoring the integrity of the IS and return to operational state. 3.Implementing proactive/reactive defensive measures to prevent similar incidents

Response and Recovery

Which encryption type ‐Uses two different but mathematically related keys for encryption and decryption ‐ one is shared with users in a public space ‐ the other is only used by the key pair holder (never shared or distributed)

Asymmetric Encryption Algorithms (Public Key)

Which primary DCO mission is ‐Air Force cyber units conduct ongoing network defense operations to securely operate the DoDIN ‐If/when DoD detects indications of hostile activity quick-response capabilities ‐This DCO mission covers the majority of DoD's ops in cyberspace

1. Defend networks, systems and information

What are two rules for firewalls that define the general security stance?

Default deny (traffic is potentially malicious) and default allow (traffic is benign)

What are the three primary missions in DCO?

1. Defend networks\info 2. Prepare to defend the United States and its interests against cyberattacks of significant consequence 3. Provide integrated cyber capabilities to support military operations and contingency plans

‐Ensures only permitted individuals/systems are granted access to protected resources ‐Allows for authentication of users and assignment of special permissions ●e.g. Air Force members' access to NIPRNet or SIPRNet

Enterprise Identity and Access Management (EIAM)

Web-Based Threat where Aimed at harvesting login credentials or sensitive information

Fake Login Pages

True or false: insider threat is detected by traditional security measures

False ‐IDS, IPS, security logs often do not alert on authorized users

●Lowest human-readable level in the software chain (machine code sits beneath it) ●"Language of reversing" ●Each computer architecture has its own set of assembly-language instructions ‐x86 ‐x64 ‐ARM ‐MIPS

Assembly Language

●Guidance that Provides organizations a starting point for developing a forensic capability, in conjunction with extensive guidance provided by legal advisors, law enforcement officials, and management

- NIST 800-86

What are the four phases of Forensics?

-Collection ●Identify, label, record, and acquire data from the possible sources of relevant data
-Examination ●Forensically process large amounts of collected data
-Analysis ●Analyze the results of the examination to derive information that addresses the questions driving the analysis
-Reporting ●Present the evidence and the results of the analysis (e.g. in a court of law)

Reversing Tool where ●Program that converts instructions into a machine-code or lower-level form so that they can be read and executed by a computer. ●Takes in the ASCII source code and creates a binary file

-Compilers

Reversing Tool where ●Allow software developers to observe their program while it's running ●Two most basic features -Ability to set breakpoints -Ability to trace through code

-Debuggers

Reversing Tool where ●Tries to reverse compilation process to obtain the original source code file or something similar to it ●Takes executable binary file & attempts to produce readable high-level language code from it

-Decompilers

Windows-Based Forensic Tool that ●Easy-to-use file viewer that recognizes nearly 300 types of files -enables it to find evidence on most devices ●Works with media images created by several imaging utilities, including: -EnCase -SMART -dd

-Forensic Toolkit (FTK)

Unix-Based Forensic Tool that ●A popular, free, open source forensic software suite ●Collection of command-line tools that provides media management and forensic analysis functionality ●Supports Mac partitions and analyzes files from Mac file systems

-The Sleuth Kit (TSK)

What are the 5 strategic goals for DCO?

1. Build / maintain to conduct cyber ops 2. Defend the DoDIN/data & mitigate risks to DoD missions 3. Be prepared to defend the U.S. homeland and U.S. interests from cyber attacks 4. Build/maintain viable cyber options/plan to use those options to control conflict escalation/shape the conflict environment 5. Build/maintain international alliances and partnerships to deter threats/increase international security

Secure configuration where ‐Required by all enclaves connecting to the DISN ‐Initiated in parallel with request fulfillment process for new/additional connections

Assessment and Authorization (A&A) process

Advanced Persistent Threat that ●Most clandestine, discriminating, skilled group ●Adapts tools/techniques based on news reports about itself ‐Attack vectors ●Spear phishing ●Maintain surveillance on media outlets that could impact the reputation of its leaders ●Collects intelligence on military technology companies in the United States, Japan and Taiwan

APT12: People's Republic of China ‐Also known as Calc Team (FireEye) ‐Associated malware ●Riptide ●Hightide ●Threebyte ●Waterspout ‐Targets ●Western journalists ●U.S. military contractors ●Taiwanese and Japanese governments ●Japanese technology companies

Advanced Persistent Threat that ●Uses public websites to hide attacks in plain sight ●Loads malicious software directly into a computer's memory in a way that bypasses the hard drive ‐Attack vectors ●Uses BlackCoffee malware as the first stage of its attacks ‐Capabilities include uploading and downloading files; creating a reverse shell; enumerating files and processes; renaming, moving and deleting files; terminating processes; and expanding its functionality by adding new backdoor commands

APT17: Communist Party of China ‐Also known as Tailgator Team and Deputy Dog (FireEye) ‐Targets ●U.S. government entities ●Defense industry ●Law firms ●Information technology companies ●Mining companies ●Non-governmental organizations

Advanced Persistent Threat that ●Responsible for a major data breach at Community Health Systems (CHS) ●Exploited the "Heartbleed" bug in a VPN server within the CHS network ‐Sent thousands of malformed heartbeat requests at the server, leaking memory until it recovered credentials that gave it access ●Steals IP related to technologies, processes and expertise

APT18: People's Republic of China (suspected) ‐Also known as Wekby (FireEye) ‐Associated malware ●Gh0st remote access Trojan (RAT) ‐Targets ●Aerospace sectors ●Defense sectors ●Engineering sectors ●Healthcare companies ●Pharmaceutical companies ●Medical device companies

Advanced Persistent Threat that ●Has systematically stolen hundreds of terabytes of data from at least 141 organizations spanning 20 major industries ●Specifically targets industries that China identifies as strategic in its five-year plan ●Periodically revisits networks to which it has established access ‐Attack vectors ●Spear-phishing/backdoors to gain foothold ●Steals broad categories of intellectual property (IP), including: ‐Technology blueprints ‐Proprietary manufacturing processes ‐Business plans ‐Pricing documents ‐Partnership agreements ‐Emails and contact lists

APT1: China, People's Liberation Army Unit 61398 ‐Also known as Comment Crew (FireEye/Mandiant) ‐Associated malware ●Ecltys Trojan ●Backdoor.Barkiofork ●Backdoor.Wakeminap ●Trojan.Downbot ●Backdoor.Dalbot ●Backdoor.Revird ●Trojan.Badname ●Backdoor.Wualess ‐Targets ●Corporations across a broad range of industries in English-speaking countries

Advanced Persistent Threat that ●Skilled team of developers and operators collecting intelligence on defense and geopolitical issues ●Likely receives ongoing financial support from its government ●Gains insider information related to governments, militaries and security organizations

APT28: Russian Government ‐Also known as Tsar Team (FireEye) ‐Associated malware ●Chopstick ●Sourface ‐Targets ●Georgia and eastern European countries and militaries ●North Atlantic Treaty Organization (NATO)

Advanced Persistent Threat that ●Adaptive and disciplined threat group ●Hides activity on the victim's network, communicating infrequently and mirroring legitimate traffic ●Monitors network defenders to maintain control over systems ●Uses only compromised servers for C2 communication ●Counters attempts to remediate ●Maintains a malware development cycle, altering tools to hinder detection

APT29: Russian Government ‐Associated Malware ●Hammertoss ●Uploader ●tDiscoverer ‐Targets ●Western European governments ●Foreign policy groups ●Other organizations with valuable information for Russia

Advanced Persistent Threat that ●Sustained activity since at least 2005 ●Extremely organized ●Structured malware development process ●Capability to infect air-gapped networks ‐Attack vectors ●Downloaders and backdoors ●A central controller and several components that infect removable drives to cross air-gapped networks and steal data

APT30: Communist Party of China ●Steals sensitive political, economic and military information about the region for government espionage ‐Associated malware ●Backspace ●Neteagle ●Shipshape ●Spaceship ●Flashflood

Advanced Persistent Threat that poses a threat to companies doing business, manufacturing or preparing to invest in the country ‐Attack vectors ●Leverages ActiveMime files that employ social engineering to entice the victim into enabling macros, which launches the malicious payload

APT32: Vietnamese Government (suspected) ‐Also known as OceanLotus Group (FireEye) ‐Associated malware ●Soundbite ●Windshield ●Phoreal ●Beacon ●Komprogo

Advanced Persistent Threat that ●Leverages zero-day vulnerabilities in widespread but infrequent phishing campaigns ●Main actor behind a major attack campaign called Operation Clandestine Fox

APT3: China (suspected) ‐Also known as UPS Team (FireEye) ‐Associated malware ●Shotput ●CookieCutter ●PlugX/Sogu ●Targets companies dealing in the following sectors: ‐Energy ‐Aerospace and defense ‐Construction and engineering ‐High-tech ‐Telecommunications ‐Transportation

Advanced Persistent Threat that ●Large threat group that consists of several subgroups ●Tends to focus on (satellite) telecommunications and technology companies based primarily in Southeast Asia ●Steals information such as pricing data, contract negotiations, inventories and product deployment data ‐Steals information on: ‐Emails ‐Procurement bids and proposals ‐Documents on unmanned aerial vehicles (UAVs) ‐Proprietary product specifications

APT5: Undisclosed ‐Associated malware ●Leouncia ‐Targets ●Telecommunications and technology companies ●High-tech manufacturing firms and military application technology

Advanced Cyber Tech & Threat where ‐High Performance Computing (HPC) ●Russia has six HPC systems capable of a trillion computations per second ‐Quantum Computing (QC) ●Researchers from the USTC, Chinese Academy of Sciences (CAS), and Tsinghua University are aggressively pursuing implementations of secure quantum communication protocols

Advanced Computing Technologies

‐Any person or group of people conducting cyber operations on behalf of a government body ‐Among the most dangerous cyber threats in existence today ‐Often involved in large scale hacking campaigns ‐Receive funding and resources from government entities

Advanced Persistent Threats

What is the main purpose of a CCORI? What are the four phases of operations order?

‐Purpose: analyzes three levels of effort to review operational risk ●Mission ●Threat ●Vulnerabilities
‐Four phases of the operations order ●Site selection ●Scoping/pre-inspection ●Inspection ●Post-inspection

●Encrypts info by breaking it down into blocks and encrypting the data in each block ●Encrypts data in fixed-size blocks (64 bits for 3DES, 128 bits for AES) ●Most common = Triple Data Encryption Standard (3DES) & Advanced Encryption Standard (AES)

Block ciphers

Advanced Cyber Tech & Threat where One of the critical infrastructure protocols in Internet traffic flow ‐These tables are built from "advertisements" of routing paths issued by ISPs ‐Can be manipulated to route traffic from one country to another

Border Gateway Protocol (BGP) Threat

Web-Based Threat where Code executed locally to deliver enhanced content to users JavaScript & VBscript= most popular for this exploitation

Browser Plug-in and Script-Based Exploits

‐"Noisiest" threat actor, due to: ●Rapid economic expansion ●Ineffective mitigation strategies for target countries ●Large population = large attack volume ‐Attacks lack sophistication and creativity, but are still effective

China

Secure configuration\inspection where ‐Evaluates an organization's compliance with DOD security orders and directives ‐Assesses: ●Network vulnerabilities ●Physical and traditional security ●User education and awareness

Command Cyber Operational Readiness Inspections (CCORIs)

‐Eastern Europe and West Africa are the most active cybercrime hubs ●Also other areas where unemployment rates are high and salaries are low ‐Usually motivated by money and power ‐Previously lawful citizens with technical skills turn to cybercrime as a means to escape poverty ‐Potential payout is huge on a global scale (estimated $114 billion)

Criminal Syndicates

Web-Based Threat where Injection of malicious client-side script into a web application

Cross-Site Scripting (XSS)

Non-state sponsored threat where Agents that make use of cyberspace resources for intelligence collection

Cyber Espionage Agent

Non-state sponsored threat where ‐Group of volunteers using cyberattacks to achieve political goal ‐Utilize common communications channel ●E.g. internet forum, social media service ‐Do not get any monetary rewards for their services

Cyber Militias/Hacktivists

Cyber intelligence report that ‐Generated bi-weekly by the 624th Operations Center ‐Designed to keep Air Force members up-to-date on current threats ‐Strengthens situational awareness (SA) of threats that could affect Air Force personnel/systems ‐Can be accessed & downloaded from the AF Portal

Cyber Threat Bulletin

Secure configuration where ‐Provide non-product specific requirements to mitigate sources of security vulnerabilities consistently and commonly encountered across IT systems and applications

DISA's Security Requirements Guides (SRGs)

Enclave Type that ‐An enterprise level network that services multiple sites ‐A specialized, non-traditional enclave ‐Primary requirement is providing distributed, high-performance, application computing for globally distributed customers ‐May have numerous customers outside of the General Business enclave that need access to resources

Data Center

Protects sensitive data by monitoring how it is used and moved, and alerting on or blocking policy violations ●e.g. transferring medical records over unencrypted channels (FTP, HTTP)

Data Loss Prevention

The process of removing sensitive data from a document or other message media in order to prevent unauthorized disclosure

Data Redaction

Provides confidentiality of data; integrity is only assured when encryption is combined with an authentication mechanism (a MAC or authenticated encryption)

Data/File Encryption

Incident response methodology where ●incidents/vulnerabilities information is gathered and reported for analysis/response ●The point where anomalous cyber event is first noticed/identified

Detection of Events

The discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law

Digital Forensics

Attack delivered over a network medium (WiFi, Ethernet, RF, Bluetooth) ●e.g. MS08-067 exploit via MSF ●e.g. SQL injection against a remotely targeted database

Direct Remote Attacks

Reversing Tool where ●Take a program's executable binary as input and generate textual files that contain the assembly language code for part/whole of program

Disassembler

Only those users specified by the owner may have some combination of read, write, and execute rights to file

Discretionary Access Control (DAC):

What are the three types of Data Access Control?

Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC)

Web-Based Threat where Malware automatically downloads to user's system after visiting legitimate, but compromised website

Drive-By Attack

What are the seven web-based threats

●Drive-By Attack ●Watering Hole Attack ●Cross-Site Scripting (XSS) ●IFrame Redirect ●Fake Login Pages ●Browser Plug-in and Script-Based Exploits ●Structured Query Language (SQL) Injection

What boundary protection device supports NAT?

Firewall

Enclave Type that ‐Used within an organization performing a single function with multiple managed elements operating under the same security policy ‐Primary roles: ●Provide services to the internal users ●provide very limited or no publicly accessible resources or services ‐Primary function = provide resources to internal network users ●e.g. Printing, e-mail, Internet access, etc., ●Grouping of controlled assets

General Business LAN

What are the three types of secure enclaves?

●General Business LAN ●Data Center ●Network Operations Center

Cyber intelligence report that Many U.S. government agencies provide invaluable open-source and classified intelligence through agency specific reports ‐Some of these agencies include: ●Department of Homeland Security ●United States Computer Emergency Readiness Team (US-CERT) ●Department of Defense ●Federal Bureau of Investigation (FBI)

Government Agency Reports

Non-state sponsored threat where ‐Deeper knowledge and understanding of computer technology ‐Concerned with subtle details of operating systems, algorithms, and configuration files ‐Elite few of well trained and highly ambitious people

Hackers

Runs on the protected host itself, monitoring and analyzing what other processes on the system are doing at a very detailed level ‐Another benefit: encrypted network traffic can be analyzed after the host has decrypted it

Host-Based IPS (HIPS)

Web-Based Threat where Malicious content (e.g. document, advertisement) embedded into a webpage

IFrame Redirect

Incident response methodology where ‐Purpose is to understand the technical details, root cause(s), and potential impact ‐Understanding patterns of activity to characterize the threat and direct defensive strategies ‐Identifying the root cause

Incident Analysis Phase

●A collection of events or incidents sharing a common underlying cause for which an incident or event is reported ●Each cyber event or incident is associated with one or more categories as part of the incident handling process

Incident Categories

Current or former employee/contractor/business partner who has/had authorized access to an organization's network/system/data and intentionally misused that access to negatively affect the CIA of the organization's data/information systems.

Internal Threats

●Joint Analysis Report (JAR) resulting in analytic efforts between the DHS and the FBI ●Provides technical details regarding tools and infrastructure used by Russian civilian and military intelligence Services (RIS) to exploit: ‐networks and endpoints associated with the U.S. election ‐a range of U.S. Government, political, and private sector entities

JAR-16-20296A

MAC level where ●Most stringent protection measures ●Requires high integrity/high availability ●Info systems handle info vital to operational readiness, mission effectiveness, and contingency forces

MAC I

MAC level where ●Requires additional safeguards beyond best practices ●Requires high integrity and medium availability of info systems ●Info systems handle info important to the support of deployed and contingency forces

MAC II

MAC level where ●Requires best practice protective measures ●Requires basic integrity/basic availability ●Info systems handle info necessary for day-to-day business ‐do not provide short-term support deployed/contingency forces

MAC III

●binary code, or object code ●A CPU reads this code, which is nothing but sequences of bits that contain a list of instructions for the CPU to perform

Machine Code

Non-state sponsored threat where ‐Form of specialized black-hat hackers ●Develop original software for antagonistic or criminal purposes ●Usually highly skilled in computer programming and detection evasion ●Malware "creation kits" used as framework to allow custom malware creation

Malware Authors

Access control policy decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights

Mandatory Access Control (MAC):

Cyber intelligence report that ‐Annual report which uses insights, statistics, and case studies to show how the tools and tactics of APT actors have evolved since 2014 ‐Gathers/publicizes threat intelligence from millions of virtual machines (VMs) ‐Expert analysts monitor, interpret, and package the data ‐Includes global and regional threat intelligence

Mandiant's Annual Cyber Threat Report

Prior to connecting with another activity, establish what?

Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) between the two sites

Often use creative, deceptive or novel attack methods due to lack of sophistication and brute force capabilities

Middle Eastern Region

- An alteration to a configuration item (CI) that, as a minimum, changes its form, fit, function, or interface

Modifications

‐Exploit for a vulnerability that has already been disclosed and patched (a "zero-day" that has since been fixed) ‐Attackers exploit systems that have not yet been remediated

N-Day Exploits

Enclave Type that is a single site performing management of multiple network enclave elements that may be based outside of General Business LAN enclave boundaries ‐Many of these enclaves within DoD, which serve to: ‐Manage & monitor different networks ‐Provide geographic redundancy

Network Operations Center

Functions in one of three modes: ●Signature Detection ‐Passively examines network traffic for known attack patterns ●Anomaly Detection ‐Checks traffic for deviations from a baseline or from protocol standards ●Hybrid ‐Combines both

Network-Based IDS (NIDS)
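The three NIDS modes on the card, run over a handful of constructed flow records. This is an added example for this deck, not code from any product: the signatures, rule names, thresholds and sample flows are all assumptions. Signature mode matches payload bytes against known patterns; anomaly mode flags a non-compliant request line on the HTTP port and a source touching many distinct ports; hybrid mode is the union.

```python
"""Signature, anomaly and hybrid detection over constructed flow records.
Added example for this deck; flows, signatures and thresholds are assumptions."""
import re

# Constructed sample flows: source address, destination port, application payload.
FLOWS = [
    {"src": "10.0.1.7", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"src": "203.0.113.9", "dport": 80,
     "payload": b"GET /login?u=' OR '1'='1 HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"src": "198.51.100.4", "dport": 80,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00"},   # TLS bytes on the HTTP port
    {"src": "198.51.100.4", "dport": 22, "payload": b""},
    {"src": "198.51.100.4", "dport": 23, "payload": b""},
    {"src": "198.51.100.4", "dport": 445, "payload": b""},
    {"src": "198.51.100.4", "dport": 3389, "payload": b""},
    {"src": "198.51.100.4", "dport": 8080, "payload": b""},
]

# Signature mode: byte patterns of known attacks (hypothetical rule names).
SIGNATURES = [
    ("web.sqli.tautology", re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("web.sqli.union", re.compile(rb"UNION\s+SELECT", re.IGNORECASE)),
    ("web.traversal", re.compile(rb"\.\./\.\./")),
]

# Anomaly mode, protocol-compliance part: what a well-formed HTTP/1.x request starts with.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def signature_alerts(flows):
    """Match every payload against every signature; alert on each hit."""
    alerts = []
    for f in flows:
        for name, rx in SIGNATURES:
            if rx.search(f["payload"]):
                alerts.append((name, f["src"]))
    return alerts

def anomaly_alerts(flows, scan_threshold=5):
    """Protocol check on port 80, plus a per-source count of distinct destination ports."""
    alerts = []
    ports_by_src = {}
    for f in flows:
        ports_by_src.setdefault(f["src"], set()).add(f["dport"])
        if f["dport"] == 80 and not HTTP_REQUEST_LINE.match(f["payload"]):
            alerts.append(("proto.http.noncompliant", f["src"]))
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            alerts.append(("anomaly.port_scan", src))
    return alerts

def hybrid_alerts(flows):
    """Hybrid mode: both detectors over the same traffic."""
    return signature_alerts(flows) + anomaly_alerts(flows)

if __name__ == "__main__":
    for alert in hybrid_alerts(FLOWS):
        print(alert)
```

Note that the injected request is caught twice: once by the signature and once by the protocol check, because the unencoded space in the URI breaks the request-line grammar. The benign GET from 10.0.1.7 raises nothing under either mode.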

Designed to go one step further and actually try to prevent the attack from succeeding. This is typically achieved by inserting the device inline with the traffic it is monitoring

Network-Based IPS (NIPS)

Perceives cyber attacks as a means to "level the playing field" against more advanced military forces ●Common attacks: ‐Spear-phishing ‐Watering hole ‐Intel gathering

North Korea

Exploits vulnerabilities associated with the OS/applications ‐Exploits lead to system access, privilege escalation, and lateral movement within the network. Where can a listing of known vulnerabilities be found?

Operating System / Application-Based Exploits ‐The National Vulnerability Database (NVD) lists known cyber vulnerabilities ●https://nvd.nist.gov

Non-state sponsored threat where Most common actor in cyberspace ‐"Layer 8 Issue" ‐Weakest link ‐Includes: ●Home end-users ●Employees of companies, organizations or governments ●Mostly passive ‐May act indirectly as a "zombified" victim of a botnet

Ordinary Citizens

External threat where ‐Attacker uses legitimate credentials to move within the network ●No need for the plain-text password ‐Tool used for exploit = Metasploit Framework (MSF) psexec module ●Uses the Windows Server Message Block (SMB) service to authenticate with the NTLM password hash

Pass-the-Hash

Non-state sponsored threat where ‐Main motives are to aid or support one's own nation-state in an ongoing real-world conflict or war ‐Chinese hackers have traditionally been especially inclined toward ‐Google "JΞSŦΞR ✪ΔCŦUΔL³³º¹ (@th3j35t3r) · Twitter"

Patriot Hackers

Adversarial stage where ●Includes day-to-day/standard operations ●Provides necessary resources & directions ●The adversary's national strategy paired

Phase 0: Administer (Operational Planning) also where Resource Development takes place

What are the 5 phases that adversaries transition between?

Phase 0: Administer ‐Intent and resource development
Phase 1: Prepare ‐Reconnaissance and staging
Phase 2: Engage ‐Delivery and exploitation (to include C2)
Phase 3: Propagate ‐Internal reconnaissance, lateral movement, and network persistence
Phase 4: Effect ‐Exfiltration and attack

Adversarial stage where ●Conduct research on target networks ●Set up infrastructure/capabilities used during operations ‐Passive reconnaissance, open-source intelligence, social engineering, port scanning, vulnerability scanning, enumeration, etc. happen here

Phase 1: Prepare

Adversarial stage where Consists of adversary actions against a target to gain initial access ‐Steps ●Delivery ●Exploitation ●C2 ●Covering tracks in C2 ●Beacon/Callbacks ●Covert Channel Beaconing

Phase 2: Engage

Adversarial stage where ●Guarantee ongoing & robust access to victim ●Propagate & achieve maintained presence on target/network ‐Steps ●Internal Reconnaissance ●Hashdumping ●Lateral Movement ●Network persistence ●Covering Tracks / Hiding in plain sight

Phase 3: Propagate

Adversarial stage where ‐Manipulation, disruption, denial, degradation, or destruction of computers, or communication systems. ‐Steps: ●Exfiltration of Data ●Data Manipulation

Phase 4: Effect

Incident response methodology where ‐Lessons learned ‐Initial root cause ‐Problems with executing mission ‐Missing policies and procedures ‐Inadequate infrastructure defenses ‐After Action Report

Post-Incident Response Phase

Incident response methodology where ‐Process of initial analysis of a cyber event to determine if it is a reportable cyber event ‐If the preliminary analysis is not done, some incidents may not be identified and reported

Preliminary Analysis and Identification

Incident response methodology where 1.Preventing the cyber event from causing further damage 2.Maintaining control of the affected IS(s) 3.Ensuring forensically sound acquisition of data 4.Maintaining/updating the incident report and actively communicating updates through the technical/operational command channels

Preliminary Response Action Phase

Which primary DCO mission is ‐If directed by POTUS/SECDEF to conduct cyber operations to counter imminent/on-going attack against U.S. homeland interests ‐DoD synchronizes capabilities with other government, law enforcement, and intel agencies

Prepare to Defend the United States and its interests against Cyberattacks of Significant Consequence

What are the four cryptographic goals?

Privacy (a.k.a. confidentiality) Authenticity Integrity Non-repudiation

Honeypot type that is aimed at decreasing the risk to company IT resources and providing advance warning about the incoming attacks on the network infrastructure

Production honeypots

Which primary DCO mission is ‐Ensure that the Internet remains open, secure, and prosperous, the United States will always conduct cyber operations under restraint, to protect human lives\prevent the destruction of property ‐USCYBERCOM may conduct cyber operations to deter or defeat strategic threats in other domains

Provide integrated cyber capabilities to support military operations and contingency plans

Enables cyber extortion for financial gain Criminals hide malicious links in seemingly normal emails/web page Prevents users from interacting with system, files, applications until ransom is paid in full One of the fastest growing malware threats

Ransomware

External threat where ‐Can be a legitimate, existing remote access tool, such as: ●Sysinternals PsExec ●PowerShell

Remote Access Tools (RAT) ‐Use of legitimate RATs often goes undetected on a network

Honeypot type that is focused on gaining intelligence information about attackers and their technologies and methods

Research honeypots

●Disassembling of malware & interpretation of assembly language ●shed light on the program algorithms (step-by-step procedure to be followed) ●Requires technical knowledge and specialized tools ●Only method of analysis that can produce a definitive understanding of a malware sample

Reverse Engineering

Access decisions are based on the roles that individual users have as part of an organization (e.g. admin)

Role-Based Access Control (RBAC):
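The three data access control models from the cards above, implemented side by side so the difference in who makes the decision is visible in code: the owner (DAC), a central label policy that the owner cannot override (MAC, Bell-LaPadula style), and role membership (RBAC). Added example for this deck, not code from any referenced system; the users, roles, labels and permissions are constructed.

```python
"""DAC, MAC and RBAC decisions side by side. Added example for this deck;
users, roles, labels and permissions are constructed assumptions."""

# DAC: the object's owner decides who gets which rights.
class DacFile:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "execute"}}

    def grant(self, actor, user, perms):
        # Only the owner may change the ACL: that is what makes it discretionary.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        self.acl.setdefault(user, set()).update(perms)

    def allowed(self, user, perm):
        return perm in self.acl.get(user, set())

# MAC: a central policy over labels; neither the subject nor the owner can change it.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def mac_allowed(clearance, label, op):
    s, o = LEVELS[clearance], LEVELS[label]
    if op == "read":
        return s >= o   # simple security property: no read up
    if op == "write":
        return s <= o   # *-property: no write down
    return False

# RBAC: permissions attach to roles; users are assigned roles.
ROLE_PERMS = {
    "admin": {"read", "write", "create_user"},
    "analyst": {"read"},
}
USER_ROLES = {"carol": {"admin"}, "dave": {"analyst"}}

def rbac_allowed(user, perm):
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

def demo():
    """Exercise each model once and return the decisions."""
    f = DacFile(owner="alice")
    f.grant("alice", "bob", {"read"})
    try:
        f.grant("bob", "mallory", {"write"})   # bob is not the owner
        bob_can_grant = True
    except PermissionError:
        bob_can_grant = False
    return {
        "dac_bob_read": f.allowed("bob", "read"),
        "dac_bob_write": f.allowed("bob", "write"),
        "dac_bob_can_grant": bob_can_grant,
        "mac_secret_reads_topsecret": mac_allowed("SECRET", "TOP SECRET", "read"),
        "mac_secret_reads_confidential": mac_allowed("SECRET", "CONFIDENTIAL", "read"),
        "mac_secret_writes_confidential": mac_allowed("SECRET", "CONFIDENTIAL", "write"),
        "rbac_dave_write": rbac_allowed("dave", "write"),
        "rbac_carol_create_user": rbac_allowed("carol", "create_user"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The MAC write rule is the classic confidentiality-only formulation: a SECRET subject may not write to a CONFIDENTIAL object because that would move information down; real systems usually add integrity controls on top.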

Attributed malware used to extract money from US entities worldwide: ●Zeus ●Gozi ●SpyEye ●SpyZeus ●LigatsTrojans

Russia

‐Home to many advanced attackers and security researchers ●TTPs include ‐Weaponized email attachments ‐Varied attack patterns, exploits, and data exfiltration methods ‐Extremely effective detection evasion ‐Use of human intelligence (HUMINT)

Russia

Unix-Based Forensic Tool that ●Used by: -Law enforcement and government agencies -United States Military and Intelligence communities -Forensic Examiners and Private Investigators

SMART

What are the components for a lan vulnerability assessment?

Scanning engine and vulnerability database

Non-state sponsored threat where ●"Vandals" or "graffiti artists" of the internet ●Someone with an inferior knowledge of programming or security ●More motivated by short-term ego-gratification ●Uses existing, well-known exploits or pre-made scripts ●Little thought or concern about the consequences of the damage they inflict ‐Google "Low Orbit Ion Cannon"

Script Kiddies

●A computing environment under single authority ●Has personnel/physical security measures ●"Sub-enclave" and "regional enclave" ‐Sub-enclaves are extensions of the private Intranet

Secure Enclaves

Secure configuration where ‐Published by DISA to assist sites in meeting the minimum requirements, standards, controls, and options for securing the enclave as a whole ‐Provide organizations with an overview of the applicable policy

Security Technical Implementation Guides (STIGs)

What are the two categories of activity?

Standard and target operations

activities performed consistently on a day-to-day basis to support multiple ongoing operations.

Standard ops

What are the two types of symmetric algorithms?

Stream and block ciphers

●Encrypts data 1 bit or 1 byte at a time by XORing it with a keystream ●Faster and smaller to implement than block ciphers ●Most common example = Rivest Cipher 4 (RC4), now deprecated (RFC 7465 prohibits it in TLS)

Stream ciphers

Web-Based Threat where SQL statement injected into web app performing unintended function on DB

Structured Query Language (SQL) Injection
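The SQL injection card in working form: a login check that builds the statement from user input, next to the same check using placeholders, both run against an in-memory SQLite table. This is an added example for this deck, not code from any referenced system; the table, rows and payload are constructed.

```python
"""Vulnerable string-built query beside the parameterized fix, against an
in-memory SQLite database. Added example for this deck; data is constructed."""
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # Attacker-controlled strings become part of the SQL text itself.
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()

def login_parameterized(conn, username, password):
    # Placeholders keep the input as data; the statement structure cannot change.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()

# Constructed payload. In the vulnerable query it yields
#   WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
# which is true for every row, so the first user (the admin) is returned.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized: ", login_parameterized(db, TAUTOLOGY, TAUTOLOGY))
    print("honest login:  ", login_parameterized(db, "bob", "hunter2"))
```

The parameterized version returns nothing for the payload because SQLite compares the literal string `' OR '1'='1` against the stored username. Parameterization is the fix; escaping quotes by hand is not, since number and identifier contexts have no quotes to escape.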

Advanced Cyber Tech & Threat where ‐Exploits affect information and communication technology (ICT) devices, which are manufactured, assembled, and distributed from a multitude of individual components and through numerous distributors ‐Operations can affect hardware, software, and firmware components

Supply Chain Threat (SCT)

Cyber intelligence report that Worldwide team of security engineers/threat analysts/researchers who develop content on the latest threats to organizations and end users ‐Publications provided by Symantec: ●Annual & monthly Threat Report ●White Papers cover an array of security topics ‐i.e. financial threats, ransomware, Trojans

Symantec's Security Response Publications

Which encryption type ‐Require both sender and receiver know/use the same key so they can encrypt/decrypt data ●Key must be secret, or else others w/ key access can decrypt data

Symmetric Encryption (Shared-Key)

Conducts DDoS attacks, phishing, and spamming campaigns against governments, online services, and media that are perceived to be hostile to the government

Syria: Most prominent hacker group is the Syrian Electronic Army (SEA)

Activities performed in support of an operation guided by a tasking.

Target Operations

When does the adversary shift from day-to-day operations to preparation for operations?

Tasking ‐Upon receipt of delegated tasking, adversary transitions from day-to-day administration functions to preparation for operations

True or false When defining outbound and inbound rules, the source address and port are often set as ANY unless the rule is to apply to a specific system(s) or port(s)

True

CDs, DVDs, and USB used to deliver malicious code

Unauthorized Media

Occurs when attacker has direct physical access to target system

Unauthorized Physical Access

Focused attack on a website that a specific group of people frequent

Watering Hole Attack

‐Mathematical function that converts a numerical input value into another compressed numerical value ‐Values returned from hashing function = message digest

Hash function ‐Applications: ●Password storage protection ●Data integrity checks ●Data file checksums ‐Provides assurance of data's integrity

What must SIPRNet connections comply with?

The documentation required by the SIPRNet Connection Approval Office (SCAO)

What is Encryption? and what are the two encryption classes?

‐Conversion of data into cipher text ‐Two encryption classes ●Symmetric (a.k.a. Secret Key) ●Asymmetric (a.k.a. Public Key)

List Reports provided to the public from government agencies:

‐DHS Publications ‐FBI Internet Crime Complaint Center (IC3) Reports ‐DHS and FBI Joint Analysis Report ●JAR-16-20296A

What are major characteristics of an insider threat?

‐Greed ‐Introversion ‐Financial Hardship ‐Vulnerability to blackmail ‐Reduced loyalty to the United States ‐Destructive, narcissistic or passive aggressive behavior

●A byte size ●A word size ●A dword size ●A qword size

●A byte is 8 bits ●A word is 16 bits = 2 bytes ●A dword is 32 bits = 4 bytes ●A qword is 64 bits = 8 bytes

-An analytical comparison of the operational effectiveness, suitability, risk, and life cycle cost of alternatives that satisfy validated capability needs -This helps decision-makers understand the tradespace for new materiel solutions to satisfy an operational capability need

●Analysis of Alternatives (AoA)

Incident Category where -Operations performed for training purposes and to support exercises

●CAT 0 - Training and Exercises

Incident Category where -Unauthorized access to account credentials that could be used to perform admin functions

●CAT 1 - Root Level Intrusion (Incident)

Incident Category where -Unauthorized access to account credentials that could be used to perform user functions

●CAT 2 - User Level Intrusion (Incident)

Incident Category where -Deliberate attempts to gain unauthorized access to an IS that are defeated by normal defensive mechanisms

●CAT 3 - Unsuccessful Activity Attempt (Event)

Incident Category where -Activity that denies, degrades, disrupts normal functionality of DoD system or network

●CAT 4 - Denial of Service (Incident)

Incident Category where -Activity that potentially exposes ISs to increased risk as a result of action or inaction of authorized user such as, failure to apply ●Security patches ●Connections across security domains ●Installation of vulnerable applications

●CAT 5 - Non-Compliance Activity (Event)

Incident Category where -seeks to gather information used to characterize ISs, apps, networks, and users that may be useful in formulating an attack ●E.g. mapping DoD information networks, IS devices and applications

●CAT 6 - Reconnaissance (Event)

Incident Category where -Installation of software designed and/or deployed by adversaries -Only includes malicious code that does not provide remote interactive control of compromised IS -Interactive access may include automated tools that establish an open channel of communications to and/or from an IS

●CAT 7 - Malicious Logic (Incident)

Incident Category where -Events that are potentially malicious or anomalous activity deemed suspicious and warrant, or are undergoing, further review

●CAT 8 - Investigating (Event)

Incident Category where the activity is easily explained

●CAT 9 - Explained Anomaly (Event)

-The fundamental purpose is to ensure DoD acquires systems that work and meet specified requirements -Provides knowledge of system design, capabilities, and limitations to the acquisition community to improve the system

●Capabilities-Based Test & Evaluation (T&E) ●Developmental Testing ●Operational Testing ●Cyber Test

It describes the increment and provides an outline of the overall acquisition program strategy.

●Capability Development Document (CDD)

- Outlines an affordable increment(s) of militarily useful, logistically supportable, and technically mature capability that is ready for production

●Capability Production Document (CPD)

-Evaluates systems/sub-systems operating in the cyberspace, and the access pathways -Focuses on identifying system cyber vulnerabilities. Scoped through assessing a system's cyber boundary and risk to mission assurance. Risk analysis should consider threat and threat severity, likelihood of discovery, likelihood of attack, and system impact

●Cyber Testing

What are some detection and preventions techniques for insider threats?

●Data/File Encryption ●Data Loss Prevention (DLP) ●Data Access Monitoring ●Log Analysis ●Data Redaction ●Enterprise Identity and Access Management (EIAM) ●Data Access Control

1.Identifies and helps resolve deficiencies and vulnerabilities as early as possible. 2.Verifies compliance with specifications, standards, and contracts. 3.Characterizes system performance and military utility. 4.Assesses quality and reliability of systems. 5.Determines fielded system performance against changing operational requirements and threats

●Developmental Testing

Windows-Based Forensic Tool that -Is a suite of computer forensics software, commonly used by law enforcement -Widely used and the "de-facto" standard in forensics -Made to collect data from a computer in a forensically sound manner ●Employs checksums to help detect tampering

●EnCase

What are some negative impacts from an insider threat?

●Financial losses ●Negative publicity ●Loss of man-hours ●Disruption of operations ●Disruption of critical services ●Mission downtime ●Mission failure

-If the CBA recommends a materiel solution, the next step in the requirements process is this document -This documents the need for a new materiel approach to satisfy specific capability gaps.

●Initial Capabilities Document (ICD)

An urgent need identified by a warfighting commander that requires synchronization across multiple Service/agency providers to ensure complete and timely combat capability is provided to the Joint warfighter

●Joint Urgent Ops/Joint Emergent Op Needs (JUON/JEONs)

-The process of analyzing and capturing the capabilities of software artifacts suspected of being malicious code -Individuals analyzing or otherwise handling malware are expected to: ●Handle with Care ●Catalog all Software Artifacts ●Perform Analysis in an Isolated Environment

●Malware Analysis

●Controlled execution of the malware sample in an isolated environment instrumented to monitor, observe, and record run-time behavior ●Potential information to be gained includes: -Network touch points (addresses, protocols, ports, etc.) -File system and registry activity -Vulnerabilities or weaknesses in particular run-time environments -System service daemon interactions -Success of remediation techniques in particular run-time environments -Suggestions of adversarial intent

●Malware Analysis (Run-Time)

●Focuses on examining and interpreting the contents of a malware sample ●Many file types can be analyzed without malware sample execution or disassembly, including: -Text files -Web page scripts -Source -Binary (requires reverse engineering)

●Malware Analysis (Static)

●Involves quick checks to characterize the sample within the context of the analysis mission ●Techniques include -File type identification -Strings extraction -Public source analysis -Comparative analysis with previously analyzed artifacts

●Malware Analysis (Surface Analysis) ●Potential information gained includes: -Identification of strings in binary files -Hashes -Antivirus software detection status -File sizes -File type identification -File attribute information

Name two popular hash functions

●Message Digest 5 (MD5) ●Secure Hash Function (SHA)

What are the components to a honeypot?

●Network device hardware ●Monitoring/logging tools ●Management workstation ●Alerting mechanism ●Keystroke logger ●Packet analyzer ●Forensic tools

-Data in the IS's hard drives and removable storage media that will not be changed when the machine is powered off. -Examples include: ●IS log files ●Event Viewer files ●Application logs ●Disk image: exact duplicate of the original disk, which includes files as well as hidden files, deleted data, slack space, swap files, and unallocated space

●Non-Volatile Data

-Determines operational effectiveness/suitability of systems under test -Determines if operational capability requirements have been satisfied. Assesses system impacts to peacetime/combat ops -Identifies/resolves deficiencies early, identifies enhancements, and evaluates changes in system configurations

●Operational Testing

-Dynamic, agile, risk-management-based problem-solving approach, balancing critical cyber mission needs against organizational resource requirements/priorities -Driven by the rapidity with which cyber operational needs/vulnerabilities emerge; provides a flexible framework for innovative solutions to urgent cyber needs

●Real-Time Operations and Innovation (RTO&I)

Adversaries conducting an operation results in what three things?

●Resources used ●TTPs captured ●Intelligence gained; data, info, knowledge

-RTO&I Project Type where -Address urgent mission-critical Offensive Cyberspace Operations (OCO), Defensive Cyberspace Operations (DCO) and/or DoD Information Network (DODIN)/Air Force Information Networks (AFIN) operational needs

●Type 1: Immediate Needs

-RTO&I Project Type where -Generate capabilities to meet critical future threats or known vulnerabilities identified by Intelligence, Surveillance and Reconnaissance (ISR) or Operational Preparation of the Environment (OPE) activities, and/or provide mission assurance/risk mitigation in anticipation of future OCO, DCO and/or DODIN Operations

●Type 2: Known Short-Term Future Needs

-Identify Service-specific needs during a current conflict or crisis situation that, if not satisfied in an expedited manner, will result in unacceptable loss of life or critical mission failure -The goal of the process is to deliver fielded capability within 180 days of a validated request

●Urgent Operational Needs (UONs)

-Analysts who perform analyses must be knowledgeable and have necessary tools to access and examine the following types of information on the affected IS(s): TWO TYPES OF DATA

●Volatile Data ●Non-Volatile Data

Data type that includes: 1.Open connections 2.Open ports and sockets 3.Routing information and configuration 4.Network interface status and configuration 5.Address resolution protocol (ARP) cache

●Volatile Data (Network Data)

-Any data stored in IS memory (system registers, cache, and RAM) that will be lost when the IS loses power or is shut down. 1.IS profile 2.Current IS date and time 3.Command history 4.Current IS uptime 5.Running processes 6.Open files, startup files, and clipboard data 7.Logged on users 8.Dynamic-linked libraries (DLLs) or shared libraries

●Volatile Data (System Data)
