Chapter 2: Explaining Threat Actors and Threat Intelligence
A security engineer investigates a recent system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector? A.) Threat B.) Vulnerability C.) Risk D.) Exploit
A
A user with authorized access to systems in a software development firm installs a seemingly harmless, yet unauthorized program on a workstation without the IT department's sanction. Identify the type of threat that is a result of this user's action. A.) Unintentional insider threat B.) Malicious insider threat C.) Intentional attack vector D.) External threat with insider knowledge
A
Which of the following could be considered as an insider threat? (Select all that apply.) A.) Former employee B.) Contractor C.) Customer D.) White box hacker
A and B
A contractor has been hired to conduct penetration testing on a company's network. They have used the company's website to identify employees. They have found several of the employees' Facebook pages and have found a popular restaurant the employees like to go to after work for a drink. A member of the team goes to the restaurant and starts small talk with the employees. The member discovers that several key positions are vacant in the IT department and that there are shortfalls in terms of information security. What reconnaissance phase techniques has the contractor used? (Select all that apply.) A.) Open Source Intelligence (OSINT) B.) Scanning C.) Social engineering D.) Persistence
A and C
An attacker's ability to obtain, maintain and hide in a network system using exploits and malware. Persistence refers to the tester's ability to reconnect to a compromised host.
Advanced Persistent Threat (APT)
All the points at which a malicious threat actor could try to exploit a vulnerability.
Attack Surface
This is the path through which a threat actor gains access to a secure system; which can be through an employee's negligent software installation.
Attack Vectors
The Department of Homeland Security's (DHS) ___________________________ is especially aimed at Information Sharing and Analysis Centers (ISACs), but private companies can join too. It is based on the STIX and TAXII standards and protocols.
Automated Indicator Sharing (AIS)
An IT manager in the aviation sector checks the industry's threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing? A.) Open Source Intelligence (OSINT) B.) An Information Sharing and Analysis Center (ISAC) C.) A vendor website, such as Microsoft's Security Intelligence blog D.) A closed or proprietary threat intelligence platform
B
Narrative commentary describing examples of attacks and tactic, technique, or procedures gathered through primary research sources.
Behavioral threat research
A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and take steps to remedy the breach and harden their systems. When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using standardized language for other government agencies to use. The team will transmit threat data feed via which protocol? Structured Threat Information eXpression (STIX) Automated Indicator Sharing (AIS) Trusted Automated eXchange of Indicator Information (TAXII) A code repository protocol
C
What is Open Source Intelligence (OSINT)? A.) Obtaining information, physical access to premises, or even access to a user account through the art of persuasion B.) The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources C.) Using web search tools and social media to obtain information about the target D.) Using software tools to obtain information about a host or network topology
C
When exploring the deep web, a user will need which of the following to find a specific and hidden dark web site? A.) The Onion Router (TOR) B.) Dark web search engine C.) A specific URL D.) Open Source Intelligence (OSINT)
C
One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the critical factors to profile? (Select all that apply.) A.) Education B.) Socioeconomic status C.) Intent D.) Motivation
C and D
______________ is a system or procedure put in place to mitigate a risk. An example is policies or network monitoring to identify unauthorized software.
Control
A company has one technician that is solely responsible for applying and testing software and firmware patches. The technician goes on a two-week vacation, and no one is tasked to perform the patching duties during this time. A critical patch is released and not installed due to the absence. According to the National Institute of Standards and Technology (NIST), what has the delay in applying the patch caused? A.) Control B.) Risk C.) Threat D.) Vulnerability
D
These hold signatures of known malware code.
File/code repository
These are _________________________ -Unauthorized software and files -Suspicious emails -Suspicious registry and file system changes -Unknown port and protocol usage -Excessive bandwidth usage -Rogue hardware -Service disruption and defacement -Suspicious or unauthorized account usage
Indicator of compromise (IoC)
These are set up to share industry-specific threat intelligence and best practices in critical sectors, such as the aviation industry.
Information Sharing and Analysis Center (ISAC)
These people intentionally exceeds or misuses his or her access for purposes of sabotage, financial gain, or business advancement.
Malicious insider
This is cybersecurity-relevant information harvested from public websites and data records. Refers to using web search tools and social media to obtain information about the target.
Open-source intelligence (OSINT)
This operate on a paid subscription basis. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars.
Proprietary or closed threat intelligence platforms
This is the likelihood and impact of a threat actor exercising a vulnerability.
Risk
Using software tools to obtain information about a host or network topology is considered_________________
Scanning
This is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks
Script Kiddies
The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources is considered a _________________.
Security Policy
This provides the syntax for describing cyber threat intelligence (CTI).
Structured Threat Information eXpression (STIX)
This software used to establish a network overlay to the Internet infrastructure to create the darknet. This along with other software like Freenet or I2P, anonymizes the usage of the dark net.
The Onion Router (TOR)
This is the potential for a threat agent to exercise a vulnerability. Can be intentional or unintentional
Threat
This protocol provides a means for transmitting cyber threat intelligence (CTI) data between servers and clients. Subscribers to the CTI service obtain updates to the data to load into analysis tools over this.
Trusted Automated eXchange of Indicator Information (TAXII)
These represent accidents, oversights, and other mistakes. In this sense, training is crucial to ensuring employees are educated about security measures.
Unintentional threat actors
These people often post proprietary intelligence on their websites and blogs, free of cost, as a general benefit to their consumers
Vendors
NIST defines this as a weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
Vulnerability
They are given complete access to information about the network, which is useful for simulating the behavior of a privileged insider threat, but they are not an insider threat.
White box hacker
A______________________________ can be used to find dark web sites by key word. However, some sites are hidden from these search engines, and require a URL to access them.
dark web search engine
Anyone who has or had authorized access to an organization's network, system, or data is considered an__________________. Could be a former or current employee, business partners, and contractor.
insider threat
Access to dark web sites, especially those hidden from search engines, are accessed pretty much only through the ________________.
website's URL