Cysa Review Activities

What distinguishes an unknown threat from a known threat?

A known threat can be identified by automated detection tools, such as an antivirus scanner, intrusion detection system (IDS), or vulnerability scanner. Unknown threats are those that cannot be identified from a static signature. You can distinguish between known unknowns, which are threats that may follow some general pattern observable from previous or similar threats, and unknown unknowns, representing completely new threat actors, sources, and techniques.

What type of visualization is most suitable for identifying traffic spikes?

A line graph is a good way of showing changes in volume over time.

Which network-related potential indicator of compromise has been omitted from the following list? Bandwidth consumption, irregular peer-to-peer communication, rogue device on the network, scan/sweep, unusual traffic spike, common protocol over non-standard port.

Beaconing.

As a relatively small company, with no dedicated SOC, what is the main risk from deploying a threat intelligence feed?

Being overwhelmed with low-priority alerts.

Which of the following processes would you NOT expect to be running under services.exe? Csrss.exe, Lsass.exe, Svchost.exe, SearchIndexer.exe, Spoolsv.exe.

Csrss.exe and Lsass.exe.

Why is it necessary to include marketing stakeholders in the incident response process?

Data breaches can cause lasting reputational damage, so communicating failures sensitively to the media and the wider public and protecting the company's brand is important

What type of security information is primarily used to detect unauthorized privilege IoCs?

Detecting this type of IoC usually involves collecting security events in an audit log.

You are explaining containment techniques to a junior analyst. What distinction can you make between isolation-based and segmentation-based containment?

The terms are often used interchangeably, but segmentation is a network-specific method of containment that uses virtual LANs (VLAN), routing/subnets, and firewalls to restrict a host or group of hosts to an isolated network segment. This might be used as a sandbox or honeynet to perform further analysis. Isolation is any method of preventing a suspect host, account, or app from communicating with other hosts, including powering it off, pulling its network cable, and so on.

How do you run a specific Nmap script or category of scripts?

Use the --script argument with the script name or path or category name.

You are presenting an overview of security solutions to senior management. Using no more than one or two sentences for each, what are the main characteristics of EPP, EDR, and UEBA?

An endpoint protection platform (EPP) bundles a number of security functions—signature-based malware detection and IDS, firewall, encryption, and so on—into a single software agent managed by a single console. Endpoint detection and response (EDR) focuses on logging and alerting functions rather than prevention per se. The aim is to alert administrators to an intrusion and allow them to respond quickly. User and entity behavior analytics (UEBA) is a server-side process that applies machine learning generated algorithms to security data to identify malicious behaviors by user and device accounts.

In mobile digital forensics, what is the difference between manual and logical extraction?

Manual extraction refers to using the device's user interface (UI) to observe and record data and settings. Logical extraction refers to using standard export, backup, synchronization, and debug tools to retrieve data and settings.

What remote access methods could an attacker exploit?

Many attacks use email to effect an initial compromise. There is also substantial risk from the remote devices used to access the VPN and from weak credentials being exploited to access the VPN directly. The messaging app could have vulnerabilities or there could be compromise of the endpoints used to access it. It is not mentioned in the scenario, but most companies have a website and the server underpinning that represents another vector. You might also consider the risk of an advertent or inadvertent insider threat, such as unauthorized use of a file-sharing service.

Security monitoring has detected the presence of a remote access tool classified as commodity malware on an employee workstation. Does this allow you to discount the possibility that an APT is involved in the attack?

No. While targeted malware is associated with highly resourced threat actors such as advanced persistent threats (APT), there is nothing to prevent such actors from using commodity malware as well, such as during the initial stages of a campaign. You need to evaluate other indicators to identify the threat actor involved and whether the presence of commodity malware is an isolated incident or part of a wider campaign.

4.What is the function of the -A switch in Nmap?

Performs service detection (verify that the packets delivered over a port correspond to the "well known" protocol associated with that port) and version detection (using the scripts marked "default").

Review the open-source feeds available at misp-project.org/feeds. What type of threat intelligence do these provide?

Principally domain/IP blacklisting.

What is PHI?

Protected Health Information (PHI) comprises data such as medical and insurance records and hospital/lab test results.

On what type of server(s) are spoofing mitigation records for common frameworks published?

Records for Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are all published to DNS servers.

What steps would you take to investigate irregular peer-to-peer communication?

Start an incident response ticket and log all actions taken. Identify the IP addresses involved. On a LAN, work out the identity of each host and the accounts and services running on them. On the Internet, use IP reputation services and geolocation to identify the host(s). Raise the logging and packet capture level to monitor the communications. Try to identify the traffic—if it contains sensitive data, consider closing the channel to prevent further release of information.

2A bespoke application used by your company has been the target of malware. The developers have created signatures for the application's binaries, and these have been added to endpoint detection and response (EDR) scanning software running on each workstation. If a scan shows that a binary image no longer matches its signature, an administrative alert is generated. What type of security control is this?

This is a technical control as it is implemented in software. In functional terms, it acts as a detective control because it does not stop malware from replacing the original file image (preventative control) or restore the original file automatically (corrective control).

You must contain a host that is suspected of effecting a violation of security policy. No methods of live evidence acquisition are available. What is your best course of action to preserve the integrity of evidence?

Using a software shut-down routine risks changing data on the host disk, so if live memory acquisition cannot be performed, pulling the plug to terminate processes is the best course of action. This process should ideally be video recorded with an explanation as to why this course of action is being taken.

What role does TAXII play in indicator management?

Where Structured Threat Information eXchange (STIX) provides the syntax for describing indicators and other attack elements, the Trusted Automated eXchange of Indicator Information defines a protocol for transmitting STIX data between CTI producers and consumers.

As part of your threat hunting proposal, you need to identify benefits of the program. You have listed opportunities to close attack vectors, reduce the attack surface, and bundle critical assets within additional layers of security controls. What other benefit or benefits does threat hunting offer?

**Firstly, threat hunting develops integrated intelligence capabilities by which you correlate cyber-threat intelligence (CTI) with locally observed indicators. **Secondly, the queries, filters, and tactics used can be redeployed to improve detection capabilities in conventional monitoring systems.

Why might a host-related IoC manifest as abnormal OS process behavior rather than as a malicious process?

A malicious process is relatively easy to identify. Advanced malware disguises its presence using techniques such as process hollowing and DLL injection/sideloading to compromise legitimate OS and application processes.

What type of threat research is best suited to configuring effective firewall rules?

A reputational threat feed can be used to block known bad IP address ranges and domains.

Your organization is planning to transition from using local clients to provisioning desktop instances via cloud-based infrastructure. Your CISO has asked you to outline a threat-modeling project to support selection and development of security controls to mitigate risks with this new service. What five methodologies should your outline contain?

Adversary capability analysis Total attack surface analysis Attack vector analysis Impact analysis Likelihood analysis.

What elements of an event do the vertices in the Diamond Model represent?

Adversary, capability, victim, and infrastructure.

Focusing on email, think of how email is processed as it is sent by a remote user and received by your company. What are the attack vectors against the company's email servers? How can these be related to adversary capability, assuming the levels to be advanced (most capable), developed, and augmented (least capable)?

An advanced adversary may be able to effect a compromise of the email server security, using a zero-day vulnerability. This type of exploit is expensive to develop, but if the client data is of sufficient value an adversary may consider it worthwhile. An advanced or even an augmented level adversary could exploit an unpatched vulnerability—consider the Exim mail server vulnerability (zdnet.com/article/exim-email-servers-are-now-under-attack), for example. An advanced or developed adversary could also exploit configuration errors in the mail server, such as allowing external users to impersonate a local sender. Any level of adversary could use phishing or similar techniques to send malicious code or attachments to recipients in the hope that it will not be identified by security filters.

What distinguishes an attack framework from an indicator management tool?

An attack framework, such as the kill chain, MITRE ATT&CK, or the Diamond Model, is a way of relating the events observed in an attack to a pattern or sequence. An indicator management tool, such as Structured Threat Information eXchange (STIX) or OpenIOC, is a way of packaging threat data so that it can be consumed by automated detection and analysis tools and shared as CTI by cooperating organizations.

Your company has suffered a data breach to an IP address subsequently found to appear on several threat reputation blacklists. What configuration change can you make to reduce the risk of further events of this type?

At a minimum, configure outbound filtering on the firewall to block connections to "known-bad" IP addresses. You could also consider denying outbound connections to destinations that have not been approved on a whitelist. This configuration is more secure, but will generate more support incidents.

What are your strategic, operational, and tactical requirements for threat intelligence?

At a strategic level, identify sector-specific threat actors and adversary tactics plus new vulnerabilities and exploits in software and financial systems. At operational and tactical levels, you will need to ensure developers are updated about alerts and threats, especially industry-specific ones. You might use security feeds to block suspicious domains/IP address ranges and perform threat hunting for correlated indicators. While you are currently using locally-hosted network services, you will need to consider threat intelligence platforms that can integrate well with cloud hosting.

What type of threat is NAC designed to mitigate?

Attaching devices that are vulnerable to exploits, such as unpatched systems, systems without up-to-date intrusion detection, unsupported operating systems or applications software, and so on.

You suspect that a host is infected with malware but cannot identify a suspect process using locally installed tools. What is your best course of action?

Contain the host within a sandbox for further analysis. The best approach is to monitor the host for outbound network connection attempts. If the host attempts to connect to suspicious domains or IP address ranges, you can identify the process responsible.

Which two factors affecting severity level classification have been omitted from the following list? Downtime, detection time, data integrity, economic, system process criticality, reverse engineering.

Data correlation means combining locally observed indicators with cyber-threat intelligence (CTI) to identify adversary capabilities and motivations. Recovery time should be considered independently of downtime as complex systems may require lengthy work to fully remediate and protect against future attacks.

Why are CPU, memory, and disk space consumption IoCs used to identify incidents?

Detailed analysis of processes and file systems is detailed and time-consuming work. Anomalous resource consumption is easier to detect and can be used to prioritize cases for investigation, though there is a substantial risk of numerous false positives.

What secure communications methods are suitable for incident response?

During a serious event, the essential point is to assume that internal communication channels might be compromised. Third-party messaging products with end-to-end encryption should be secure enough for most institutions, but those processing extremely sensitive information might require the use of bespoke products.

4.What countermeasures can be deployed for each email attack vector?

Effective patch management of both the server and client email software will provide mitigation against most threats. The server should be configured with security filters to reject spam and phishing emails and block malicious links and attachments. Security awareness training will help employees to recognize phishing attempts that do get past the server security.

Following a serious data breach affecting a supplier company, your CEO wants assurance that your company is not exposed to the same risk. The supplier is willing to share threat data gathered about the breach with you. You advise a threat hunting program as the most appropriate tool to use. What should be the first step in this process?

Establish a hypothesis. You already have the basic scenario of the data breach at the supplier company. This will require documenting and developing. You can then move on to profiling threat actors and activities and developing threat hunting tactics to query indicators from your own systems.

True or false? A port that is reported as "closed" by Nmap is likely to be one protected by a firewall.

False. A closed port responds to probes with an RST because there is no service available to process the request. This means that the port is accessible through the firewall. A port blocked by a firewall is in the "filtered" state.

True or false? Syslog uses a standard format for all message content.

False—syslog messages have a PRI code, header, and message structure, but the format of messages is application-specific.

Which two factors do you need to account for when correlating an event timeline using an SIEM?

First, you need to validate that all log sources were synchronized to the same time source. Second, you need to account for any variations in time zone for the different sources.

What are the characteristics to use to evaluate threat data and intelligence sources?

Firstly, you can distinguish sources as either proprietary/closed-source, public/open-source, or community-based, such as an ISAC. Within those categories, data feeds can be assessed for timeliness, relevancy, and accuracy. It is also important for analyst opinions and threat data points to be tagged with a confidence level.

Which class of data criticality factor has been omitted from the following list? PII, PHI, SPI, IP, financial and corporate information.

High value asset (HVA)—a system supporting a mission essential function (MEF).

A hard disk has been removed from a computer so that it can be subjected to forensic evidence collection. What steps should you take to complete this process?

Ideally, record or document the process. Attach the disk to a forensic workstation, using a write blocker to prevent contaminating the source-disk contents. Make a cryptographic hash of the disk contents. Make an image of the disk contents. Make a cryptographic hash of the image and verify it matches the source disk hash. Make a copy of the image and validate with a cryptographic hash. Perform analysis on the copy of the image.

Which four phases outline the procedures involved in a forensics investigation?

Identification, collection, analysis, and reporting.

3.What comes next in the chain of processing incoming email, and what attack vectors can adversaries exploit?

If it has not been rejected by the server, email is stored in a mailbox and accessed using a mail client. More sophisticated adversaries may be able to target mail client vulnerabilities to run exploits without user intervention, while less sophisticated ones will rely on the user manually opening a file or link.

What options are there for ingesting data from a unified threat management (UTM) appliance deployed on the network edge to an SIEM?

If supported, you could deploy agent software to the UTM. If an agent is not supported, you can push data to the SIEM using a protocol such as syslog. In the latter case, you will still need to use a filter to parse and normalize the logs. Most SIEMs come with filters for the major appliance platforms, but if not supported directly, you will need to configure a custom filter.

Review the CTI produced by the Financial Services ISAC at fsisac.com/what-we-do/intelligence.What additional types of information are provided?

Industry-specific alerts and indicators plus separate reporting for analysts (technical reports and webinars) and senior leadership (C-suite).

Despite operating a patch management program, your company has been exposed to several attacks over the last few months. You have drafted a policy to require a lessons- learned incident report be created to review the historical attacks and to make this analysis a requirement following future attacks. How can this type of control be classified?

It is implemented as an administrative control as it is procedural rather than technical in nature. Additionally, it is a managerial control rather than an operational control as it seeks oversight of day-to-day processes with a view to improving them. In terms of function, you can classify it as corrective, as it occurs after an attack has taken place.

Which source of security data can be used to detect pass the hash and golden ticket attacks?

Log-on and credential use events in the Windows Security log for the local host and on the domain.

You are assisting an incident responder with an overview of application-related IoCs. What are the unexpected output indicators of intrusion events?

One approach is to analyze network protocol response packets for unusual size and content. Another is to correlate error messages or unexplained string output in the application UI. Attacks may attempt to layer form controls or objects over the legitimate app controls. Finally, there may be obvious or subtle defacement attacks against websites and other public services.

What operational control can you use to prevent the abuse of domain administrator accounts by pass-the-hash attacks?

Only allow this type of account to log on directly to domain controllers or to specially hardened workstations, used only for domain administration. Use lower privilege accounts to support users over remote desktop.

Review the platform provided by a commercial solution, such as fireeye.com/solutions/cyber-threat-intelligence.html, noting the market review provided by Forrester (fireeye.com/content/dam/fireeye-www/products/pdfs/pf/intel/rpt-forrester-threat-intel-services.pdf). What are some of the differentiators from an open-source feed?

Range of threat collection sources from enterprise networks and analyst-driven dark web and nation-state research, tailoring of sources to different industry segments, support for developing use cases, and tailored reporting of strategic, operational, and tactical intelligence to different consumers within the customer organization.

What are the phases of the intelligence cycle?

Requirements (often called planning and direction), collection (and processing), analysis, dissemination, and feedback.

What type of evidence can be retrieved from system memory analysis?

Reverse engineer the code used by processes, discover how processes are interacting with the file system (handles) and Registry, examine network connections, retrieve cryptographic keys, and extract interesting strings.

Is any other type of server other than SMTP required to implement S/MIME?

Secure/Multipurpose Internet Mail Extensions (S/MIME) requires that the user is issued a digital certificate containing his or her public key, signed by a certificate authority (CA) server.

What is a CoA matrix?

Security controls can be defined in terms of their function (preventive, detective, deterring, and so on). A course of action (CoA) matrix maps the controls available for each type of function to adversary tools and tactics.

To preserve evidence of a temporary file system mounted to a host, which system device must you target for evidence collection?

System memory (RAM)

Which framework assures the most comprehensive spoofing mitigation for email services?

The Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are being utilized effectively. It also provides a reporting mechanism.

What are the principal techniques for reverse assembling malware code?

The binary machine code can be disassembled to assembly code and potentially decompiled to high-level pseudocode. Another technique is to extract strings from the process image.

Which default port do you need to allow on any internal firewalls to allow a host to send messages by syslog to an SIEM management server?

The default port for syslog is UDP 514. If the syslog implementation is using reliable delivery, the default TCP port is 1468.

Your firewall log shows that the following packet was dropped—what application protocol was the sender trying to access? IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=172.16.0.192 DST=192.168.0.22 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4018 DF PROTO=TCP SPT=2584 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

The destination port (DPT) is 135, which is Microsoft Remote Procedure Call (RPC). This advertises what RPC services are available in a Windows environment.

Working with the same data file, write the command to show only the lines where the destination IP address is 10.1.0.10 and the destination port is 21.

The easiest way to do this is to pipe the result from one grep command into another. Remember that you need to escape characters such as periods and commas. The $ operator in the second command is a handy way of selecting the destination port, which is at the end of the line. grep "10\.1\.0\.10\," iptables-csv | grep "21$" Note that you need to include the comma delimiter to avoid selecting partial source IP addresses. The regex "10\.1\.0\.10" would match 10.1.0.102.

You need to analyze the destination IP address and port number from some firewall data. The data in the iptables file is in the following format: DATE,FACILITY,CHAIN,IN,SRC,DST,LEN,TOS,PREC,TTL,ID,PROTO,SPT,DPT Jan 11 05:33:59,lx1 kernel: iptables,INPUT,eth0,10.1.0.102,10.1.0.1,52,0x00,0x00,128,2242,TCP,2564,21 Write the command to select only the necessary data, and sort it by destination port number.

The following command selects columns 6 (destination IP address) and 14 (destination port) and then sorts by column 2—remember that the piped output to the sort command has two columns, not 14. The -n switch makes the sort order numeric rather than alphabetical. cut -d "," -f6,14 iptables | sort -t "," -k2 -n

You are investigating a data exfiltration event and have obtained the web server logs of the host that data was exported to over the Internet from the hosting provider. The logs contain only the external IP address of your company's router/firewall and a high-level TCP port number. How can you use the log to identify the local host on your network that was used to perform the exfiltration?

The router/firewall is performing port address translation. You can use the local router/firewall log to identify the local host from the port mapping recorded by the remote host.

You are analyzing DNS logs for malicious traffic and come across two types of anomalous entry. The first type is for a single label with apparently random characters, in the form: *vbhyofcyae *wcfmozjycv *rtbsaubliq The other type is of the following form, but with different TLDs: *nahekhrdizaiupfm.info *tlaawnpkfcqorxuo.cn *uwguhvpzqlzcmiug.org Which is more likely to be an indicator for DGA?

The second type is more likely to be a domain generation algorithm. A query for a single label with no top level domain (TLD) will not resolve over the Internet, so the first type cannot be used for C&C. The first type is typical of a local client testing DNS. The Chrome browser performs this test to see how the local ISP handles NXDOMAIN errors, for instance.

Describe one advantage and one disadvantage of using the -T0 switch when performing an Nmap scan.

This sets an extremely high delay between probes, which may help to evade detection systems but will take a very long time to return results.

You are reviewing a router configuration and notice a route to the null() interface. Is this a configuration weakness and IoC, or does it support a secure configuration?

This supports a secure configuration to mitigate DDoS. A route to a null interface is a means of dropping traffic (a black hole) without using as much resource on the router to process the unwanted connection.

Why might a forensics investigator need to be hired on a work product retention basis?

To protect analysis of evidence from disclosure to opposing counsel, should a court case be involved.

What types of controls address risks from unintentional insider threats?

Training and awareness programs reduce the chance that insiders will generate risks from ignorance. Procedural controls help to mitigate risks from carelessness and inattention. The presence of elevated risk from inadvertent threat can be assessed by monitoring training adoption and effectiveness metrics.

What is the principal challenge in scanning UDP ports?

UDP does not send ACK messages so the scan must use timeouts to interpret the port state. This makes scanning a wide range of UDP ports a lengthy process.

Your border firewall uses a default allow policy, but you want to block outgoing requests for UPnP. Which port do you need to create a deny rule for?

UDP port 1900.

What two types of space on a disk are analyzed by file-carving tools?

Unallocated space (clusters marked as free for use in file-write operations) and slack space (cluster portions that were not overwritten when a new file was created).

In the context of digital forensics, what is VMI?

Virtual Machine Introspection (VMI) is a set of tools, commonly implemented by the hypervisor, to allow querying of the VM state when the instance is running, including dumping the contents of system memory for analysis.

What is the effect of running 'tcpdump -i eth0 -w server.pcap'?

Write the output of the packet capture running on network interface eth0 to the 'server.pcap' file.

Your chief information security officer (CISO) wants to develop a new collection and analysis platform that will enable the security team to extract actionable data from its assets. The CISO would like your input as far as which data sources to draw from as part of the new collection platform, worrying that collecting from too many sources, or not enough, could impede the company's ability to analyze information. Is this a valid concern, and how can it be addressed within an intelligence life-cycle model?

Yes, it is a valid concern. The requirements (or planning and direction) phase of the intelligence cycle can be used to evaluate data sources and develop goals and objectives for producing actionable intelligence to support use cases demanded by intelligence consumers. You can also mention that the feedback phase of the cycle provides the opportunity to review sources and determine whether they are delivering valuable intelligence.

Which two main classes of attack would you suspect if you observe a bandwidth consumption IoC from a client workstation on the local network to a host on the Internet?

You are most likely to suspect a data exfiltration attack, but it is also possible that the host has been infected with a bot and is being used for DDoS or spam.

What are the main types of IoCs that can be identified through analysis of the Registry?

You can audit applications that have been most recently used (MRU) and look for use of persistence mechanisms in the Run, RunOnce, and Services keys. Another common tactic for malware is to change file associations via the Registry.

You need to log internet endpoints and bandwidth consumption between clients and servers on a local network, but do not have the resources to capture and store all network packets. What technology or technologies could you use instead?

You could use a NetFlow/Argus collector or simple network protocol (SNMP) collector. Another option is a sniffer such as Zeek/Bro that records traffic statistics and content selectively.

Your company is interested in implementing routine backups of all customer databases. This will help uphold availability because you will be able to quickly and easily restore the backed-up copy, and it will also help uphold integrity in case someone tampers with the database. What controls can you implement to round out your risk mitigation strategy and uphold the components of the CIA triad?

You should consider the confidentiality component. The backups contain the same privileged information as the live copy and so must be protected by confidentiality controls. Access controls can be used to ensure that only authorized backup operators have access to the data. Encryption can be used as an additional layer of protection.

PKI (Public Key Infrastructure)

enables users of a public network such as the Internet to securely and privately exchange data through the use of a pair of keys—a public one and a private one—that is obtained from a trusted authority and shared through that authority.

What is the advantage of the Nmap "grepable" output format?

grep is a Linux command for running a regular expression to search for a particular string. Nmap's grepable output is easier for this tool to parse.