Ch. 1 Threat and Vulnerability Mgmt
Some of the unintentional activities that insiders may perform are:
-Accidental data deletion -Accidental data modification -Incorrect usage of privileges
Who are the 5 most important groups to disseminate threat intelligence data to?
-Incident response -Vulnerability management -Detection and monitoring -Security engineering -Risk management
While conducting APTs, which of the following types of information are looked at? (Choose all that apply) -Any and all data -Intellectual property (IP) secrets -Design -Critical business information
-Intellectual property (IP) secrets -Design -Critical business information
Which of the following options are the main sources of technology-based threats? (Choose all that apply) -Internet -Exploitation -Email -Removable media
-Internet -Email -Removable media
Which of the following options are technical constraints while running a vulnerability scan? (Choose all that apply) -Time of the scan -Availability of resources or assets -Licensing restrictions -Several target assets
-Licensing restrictions -Several target assets -Time of the scan. Explanation: When running a vulnerability scan, there can be several technical constraints. Some key constraints are: Licensing restrictions: depending on the type of product that you are using, you may have restrictions on running several scans per day or within a given period. Several target assets: there may be a limitation on the number of target assets that you can scan simultaneously. Availability of resources or assets: a certain set of assets or resources may not be available at the time of the scan; for example, a live Web server may not be available for scanning.
What is the process that APTs follow?
-Recon: Define and research targets -Intrusion: Complete the initial intrusion -Compromise user credentials -Move laterally -Persistence: Stay low profile and build persistence -Exfiltrate data -Cover tracks
Which of the following options are key pillars of intelligence/information gathering? (Choose all that apply) -Relevance -Completeness -Accuracy -Timeliness
-Relevance -Completeness -Accuracy -Timeliness
Which of the following options are different phases of open-source intelligence? (Choose all that apply) -Result Delivery -Source Identification -Business Information Gathering -Data Harvesting
-Source Identification -Business Information Gathering -Data Harvesting
Which of the following options are serious issues caused by organized crime? (Choose all that apply) -Stealing industrial secrets and confidential organizational information -Extorting money using ransomware -Stealing intellectual property -Automated exploit kits
-Stealing industrial secrets and confidential organizational information -Extorting money using ransomware -Stealing intellectual property
Which of the following steps defines scope? (Choose all that apply) -Time of the scan -The type of scan that you can perform -The assets that you can scan -Infrastructure -Filtering
-Time of the scan -The type of scan that you can perform -The assets that you can scan
Which of the following options are types of threats? (Choose all that apply) -Theft -Unintentional -Intentional -Natural
-Unintentional -Intentional -Natural
Which of the following is a vulnerability scan that performs an in-depth scan of applications and systems to locate the vulnerabilities? Choose the best answer. -Internal -credentialed scans -Discovery scan -External -noncredentialed scans -Assessment scan
-Assessment scans. *Credentialed scans would not be wrong, but the question does not mention anything about authentication or credentials.
What is OpenIOC?
A method that helps trace IoCs in a standardized way by pointing out unusual network activity
What is the difference between acquired and augmented ability?
Acquired means the actor uses off-the-shelf tools (like commodity malware), while augmented tools come from advanced groups who create or customize existing toolsets
In which phase of the Lockheed cyber kill chain would the adversary typically collect and transfer data from target systems to a remote server under their control?
Actions on Objectives, aka exfiltration
An engineer is investigating a suspected compromise by correlating IoCs into attack patterns, and is able to identify several TTPs. What type of activity is the engineer performing?
Behavioral threat research
What 3 tools do organized criminals commonly use?
Botnets, automated exploit kits, and cloud-based services
Name 5 proprietary intelligence sources.
Business information, legal data, educational records, banking information, medical records
What are the 4 pillars of intel gathering?
CART: Completeness, Accuracy, Relevance, and Timeliness
Which of the following options are different characteristics of the diamond model? (Choose all that apply) -Capacity -Capabilities -Victim -Adversary
-Capabilities -Victim -Adversary
Which of the following is a vulnerability scan that scans at the surface level to discover if assets exist on the network? -Internal -credentialed scans -Discovery scan -External -noncredentialed scans -Assessment scan
Discovery scans
What are ISACs and what do they do?
ISACs (Information sharing and analysis communities) protect the critical infrastructure of multiple industries.
Which type of insider is someone who has a relationship with an employee? -Pure insiders -Insider associates -Insider Affiliates -Outsider Affiliates
Insider Affiliate
Which of the following uses both a file format and the CTI version using STIX/TAXII? -OpenIOC -MISP -IBM X-Force Exchange
MISP
Which of the following uses SNMP to create graphs showing traffic flows through network interfaces of routers and switches? -MRTG -Netflow -Zeek (Bro) -Netstat
MRTG
Name the 4 main things that a threat actor would look for in their analysis of a closed intelligence source and describe them.
Marketing strategies; Manufacturing info: including future product info, formulas, or methods of production; Financial info: including financial statements and order pipelines; Research and development: includes the research info on a product that is in beta
_____ reports metadata about network traffic, rather than capturing actual traffic. This data is often sampled. -MRTG -Netflow -Zeek (Bro) -Netstat
Netflow
Which of the following publishes intel on GitHub in XML format? -OpenIOC -MISP -IBM -TAXII
OpenIOC
Which type of insider is an external entity that is not an employee and has no relationship with an employee? -Pure insiders -Insider associates -Insider Affiliates -Outsider Affiliates
Outsider affiliate
Simply list the different types of insiders.
Pure insiders, Insider associates, Insider affiliates, Outsider affiliates
What does STIX stand for and what is its main purpose?
STIX (Structured Threat Information eXpression) is an expressive, extensible, human-readable, and automatable language primarily used to gather cyber threat information.
Which of the following is a type of vulnerability scanner that pulls information from the system? -Internal -Server-based -Discovery based -External -Agent-based -Assessment based
Server-based
Name 3 sources of OSINT.
Social media, WHOIS repositories, search engines, etc
What does TAXII stand for and what is its main purpose?
TAXII (Trusted Automated eXchange of Indicator Information) is a free method of sharing threat information in an automated way.
What are the 3 different types of threats and their subsets?
Technological: Internet, e-mail, software vulnerability, and removable media; Human: intentional (deliberate) and unintentional (inadvertent); Disaster: man-made and natural
Which type of insider is not directly a part of the organization but a third-party vendor or contractor with limited access to the company's resources? -Pure insiders -Insider associates -Insider Affiliates -Outsider Affiliates
The Insider Associate
Which type of insider is a legitimate user of the organization and is capable of causing the most damage? -Pure insiders -Insider associates -Insider Affiliates -Outsider Affiliates
The Pure insider
List the 7 different confidence levels.
Unknown: 0% (has not been assessed as a threat); Discredited: 1% (possesses no threat); Improbable: 2-29%; Doubtful: 30-49%; Possible: 50-69%; Probable: 70-99%; Confirmed: 100%
Which adversary characteristic describes actors that are able to exploit zero-days and have both human and financial resources? -Developed -Advanced -Integrated -Acquired
A developed adversary
What are the four basic categories of the diamond model?
Adversary, victim, infrastructure, capability
Which of the following options are common hurdles in vulnerability scanning activities? (Choose all that apply) -Network Bandwidth Consumption -Operational Schedules -Business Process Interruption -Correct Scoping
All of the above
Which of the following is a method of sharing CTI data? (Choose all that apply) -OpenIOC -MISP -IBM
All of the above
Which adversary characteristic describes actors that can exploit supply chains and compromise proprietary products to exploit service providers? -Developed -Advanced -Integrated -Augmented
An advanced adversary
Which adversary characteristic describes actors that can use non-cyber tools to exploit, such as military or political assets? -Developed -Advanced -Integrated -Acquired
An integrated adversary
True or false: STIX is an application that has been developed by the community to provide cyber threat information.
False. It collects it; it does not provide it.
What are threat vectors?
Processes, methods, or tools used by threat actors
What are the 5 phases of OSINT? Describe them.
Source identification: ID sources for info gathering; Data harvesting: collect data from sources; Data processing: filter out information that can help enumerate the target; Data analysis: analyze the processed data; Result delivery: information about the target is finalized
True or false: A threat is something that can potentially take advantage of a vulnerability to gain an advantage in altering, modifying, or deleting data and information.
True