TestOut - CompTIA CySA+ Practice Questions 3.1.4


A threat actor obtains and releases confidential information about a political candidate to the public domain. The information damages the person's candidacy and helps the opposing party. These actions were likely performed by which type of threat actor?
A. Hacktivist
B. Insider threat
C. Organized crime
D. Script kiddie

A. Hacktivist

Explanation
Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. An insider threat arises from an actor whom the organization has identified and granted access. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. An organized crime gang can operate across the internet from a different jurisdiction than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.

A group that advocates for the protection of animal rights has recently begun carrying out cyberattacks against large food production companies. They have defaced websites, stolen confidential data, and disrupted operations. What type of threat actor group is this?
A. Hacktivist
B. Insider threat
C. Criminal
D. Nation-state

A. Hacktivist

Explanation
Hacktivist threat actors are individuals or groups that execute cyberattacks driven by political or social motives. This scenario describes a hacktivist threat actor. Insider threat actors are individuals with authorized access to an organization's systems and data who exploit this access to conduct malicious activities. Nation-state threat actors usually have ties to governments and engage in cyberattacks for political or economic advantages. Criminal threat actors seek financial gain and perpetrate attacks to obtain personal or confidential data, which they can sell on the black market or employ for fraud.

Threat actors can be divided into different types based on their methods and motivations. Which type of hacker works for a government and attempts to gain top-secret information by hacking other governments' devices?
A. Nation-state
B. Hacktivist
C. Criminal
D. Intentional

A. Nation-state

Explanation
A nation-state hacker works for a government and attempts to gain top-secret information by hacking other governments' devices. Many nations have invested in the development of their cybersecurity presence and are willing to use this presence to reach their political or economic goals. Election systems, energy grids, and intelligence agencies are common targets. Hacktivists often target government agencies, corporations, or other entities they are protesting. Hacktivists are known for defacing websites and executing denial-of-service attacks. Criminal organizations have also transitioned much of their operations to virtual settings. Because criminals often target individuals in different jurisdictions, prosecution can be very difficult. A threat actor does not necessarily have to be an outside hacker. He or she can be an internal threat or even someone who causes a security vulnerability through negligence.

Which of the following techniques are likely associated with advanced persistent threat (APT) activity? (Select three.)
A. The exfiltration of personally identifiable information (PII)
B. Trying out scripts found on a hacker blog
C. Trusted Automated eXchange of Indicator Information (TAXII)
D. Structured Threat Information eXpression (STIX)
E. The presence of C&C
F. Anti-forensic techniques
G. OpenIoC

A. The exfiltration of personally identifiable information (PII)
E. The presence of C&C
F. Anti-forensic techniques

Explanation
Anti-forensic techniques involve deleting evidence of an intrusion to make detection and analysis more difficult. Command and Control (C&C) refers to techniques for maintaining communications with a compromised device and is often associated with APT actors. APT actors often focus on exfiltrating sensitive and valuable information like PII from a compromised network. PII could include credit card numbers, expiration dates, and security codes. Script kiddie refers to an unsophisticated actor who uses readily available hacker tools often found on a hacker blog. A script kiddie normally has a limited understanding of the tools they are using. The following are open-source standards used to share threat indicators:
- Structured Threat Information eXpression (STIX)
- Trusted Automated eXchange of Indicator Information (TAXII)
- OpenIoC

Someone with a casual interest in hacking techniques launches a random attack against a widely known enterprise using tools readily available online. What type of threat actor is likely behind this attack?
A. Insider threat
B. Hacktivist
C. Script kiddie
D. Organized crime

C. Script kiddie

Explanation
A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. An insider threat arises from an actor whom the organization has identified and granted access. An organized crime gang can operate across the internet from a different jurisdiction than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

While reviewing alerts, an analyst notices a new signature is generating a high volume of false positives. This appears to be the result of an error in the way the signature is written. This represents an issue with what attribute of threat intelligence?
A. Reconnaissance
B. Relevancy
C. Timeliness
D. Accuracy

D. Accuracy

Explanation
Accuracy describes the correctness of threat intelligence. Accurate information is free of errors and biases. Relevancy refers to the usefulness of a piece of information concerning a specific threat. Relevant information is actionable and gives an organization meaningful context. Timeliness is the speed of collection and dissemination of threat intelligence. Information rapidly disseminated is timely. Timeliness helps ensure that the information is up-to-date and remains maximally useful. Reconnaissance is an initial step in network exploitation. It involves gathering information that will be useful for conducting malicious activity. Companies often unintentionally provide information threat groups can use to their advantage.

Which type of threat actor only uses their skills and knowledge for defensive purposes?
A. Nation-state hacker
B. Semi-authorized hacker
C. Hacktivist
D. Authorized hacker

D. Authorized hacker

Explanation
An authorized hacker (also called a white hat hacker) is a skilled hacker who only uses their skills and knowledge for defensive purposes. Many organizations and companies now employ these security analysts, who understand a hacker's mindset. A semi-authorized hacker (also called a grey hat hacker) is something between an authorized and unauthorized hacker. He or she may cross ethical lines but usually has good intentions and isn't malicious like an unauthorized hacker (also called a black hat hacker). A hacktivist often targets government agencies, corporations, or any entity they are protesting. A nation-state hacker is a hacker who works for a government and attempts to gain top-secret information by hacking into other governments' systems.

The Department of Defense Cyber Crime Center's Vulnerability Disclosure Program and AT&T's Alien Labs Threat Exchange are examples of which type of intelligence source?
A. InfraGard intelligence
B. Closed-source intelligence
C. Government intelligence
D. Open-source intelligence

D. Open-source intelligence

Explanation
Open-source intelligence is obtained from sources that are available to the public. Because of the overwhelming number of threats, most organizations openly share threat-specific intelligence. This open-source approach helps organizations build extensive indexes of active threats. InfraGard provides a site for security collaboration between the FBI and industry professionals. Closed-source intelligence is obtained from private organizations. Unlike open-source intelligence, which is collaborative with the general public, closed-source intelligence is researched and documented solely by one organization. This data is typically kept private because it is sold or licensed by security companies or because it contains proprietary information. Although some of these sources are operated by the government, they are considered to be open-source intelligence and do not require government-level intelligence clearance.

An organization has chosen to automatically ingest indicators. This action is MOST likely intended to ensure what desired threat intelligence consideration?
A. Relevancy
B. APT
C. Accuracy
D. Timeliness

D. Timeliness

Explanation
Timeliness is the speed at which the system collects and disseminates threat intelligence. Information rapidly disseminated is timely. This helps ensure it is up-to-date and remains maximally useful. Relevancy refers to the usefulness of a piece of information concerning a specific threat. Relevant information is actionable and gives an organization meaningful context. Accuracy describes threat intelligence that is correct. Accurate information is free of errors and biases. Advanced persistent threat (APT) describes the type of activity advanced cyber actors conduct. This designation is most often associated with organized criminals and nation-states because it requires significant resources and coordination. This is not an attribute of threat intelligence.

Which of the following provides the MOST accurate description of zero-days in vulnerability management reporting and communication?
A. Zero-days are vulnerabilities that should only be tracked if actively exploited.
B. Zero-days are moderately serious vulnerabilities that are mitigated by configuration management procedures.
C. Zero-days are low priority vulnerabilities that can be ignored until a patch is available.
D. Zero-days are vulnerabilities that require immediate attention and must track in a dashboard.

D. Zero-days are vulnerabilities that require immediate attention and must track in a dashboard.

Explanation
Zero-days are vulnerabilities for which there is no patch because they are not yet publicly known. Attackers can exploit these vulnerabilities to gain unauthorized access to systems and data. Zero-days are high-priority vulnerabilities that require immediate attention and must be tracked in a dashboard. Zero-days require attention and must be tracked regardless of whether there is current evidence that they are being exploited. Zero-days are high-priority vulnerabilities that cannot be ignored. Zero-days are very serious vulnerabilities that configuration management may or may not mitigate. More often, they are mitigated by patching rather than by configuration changes.

