Chapter 10. Intrusion Event Categories
8. What is the main value of activity-attack graphs? a. Used to make security product purchasing decisions b. To predict future attacks c. An alternative to threat intelligence d. To map out an attacker's attack history
A. Activity-attack graphs are good for both current and future attack data. That data, however, is always changing and wouldn't typically represent a single product that is needed for purchase. Deciding what to purchase would require more than this type of information.
1. Which of the following is not true about the Diamond Model of Intrusion? a. Adversaries use an infrastructure or capability to access a victim. b. Meta-features are not a required component of the Diamond Model. c. Technology and social metadata features establish connections between relations. d. A diamond represents a single event.
A. Adversaries must use both some form of infrastructure and the capability to access the victim.
5. What is the difference between delivery and exploitation according to the kill chain? a. Delivery is how the attacker communicates with the victim whereas exploitation is the attack used against the victim. b. Exploitation is an example of a delivery step in the kill chain. c. Exploitation and delivery are different names for the same step. d. Delivery is how the attack is delivered whereas exploitation is the type of attack.
A. Although answer D is close, answer A provides the best definition. Delivery is how the attacker communicates while exploitation is the attacker taking advantage of a vulnerability.
1. Which of the following is not an example of weaponization? a. Connecting to a command and control server b. Wrapping software with a RAT c. Creating a backdoor in an application d. Developing an automated script to inject commands on a USB device
A. Connecting to a command and control server would be C2, not weaponization.
3. Which is true regarding the difference between Installation and Command and Control? a. Installation does not provide keyboard access to the attacker b. Installation is a form of exploitation c. Command and Control comes prior to Installation d. Command and Control is the final step of the kill chain
A. Installation is when the malware is installed while Command and Control is when that software provides keyboard access to the attacker.
Activity-attack graphs
Activity-attack graphs can be used to highlight the attacker's preferences for attacking the victim as well as alternative paths that could be used for predicting future attacks.
10. Which of the following is a true statement? a. Firewalls are best for detecting insider threats. b. Behavior-based technologies are best for detecting insider threats. c. Antivirus is effective for detecting known threats. d. Insider threats are best detected with signature-based security.
B. An insider threat could be an attacker who has breached the network and is now moving around like other users. The best approach to detect this is to look for unusual behavior, such as systems connecting to new systems for the first time, internal recon, data exfiltration, and so on.
3. An activity-attack graph is useful for determining which of the following? a. Logging attacks seen by an adversary b. Highlighting the attacker's preferences for attacking the victim as well as alternative paths that could be used c. Developing reactive but not proactive security planning d. An alternative to threat intelligence
B. Answer B defines what an activity-attack graph is best for. Answers A and C lack the proactive planning value offered by activity-attack graphs. Answer D is simply incorrect.
2. Which of the following steps in the kill chain would come before the others? a. C2 b. Delivery c. Installation d. Exploitation
B. Delivery is the earliest option out of the choices listed.
6. Which statement is true about the C2 stage of an attack? a. The malware post-compromise phoning back to the attacker is the C2 stage. b. The attacker accesses the internal network through a breached system. c. The attacker pivots inside the network. d. The attacker connects to another internal system inside the breached network.
B. The attacker accessing the internal network through a breached system is an example of C2. Answers C and D are actions that happen after the attacker gets network access. Answer A doesn't give the attacker keyboard access yet.
7. Which of the following is the best explanation of the command and control phase of the kill chain? a. When the compromised system opens ports for communication b. When the attacker accesses the breached network using a keyboard c. When the malware reaches back to a remote server for instructions d. When the attacker breaches a network
B. The command and control (C2) stage is best defined as when the attacker completes the delivery of the attack and now can access the breached network.
6. Which of the following is not an example of reconnaissance? a. Searching the robots.txt file b. Redirecting users to a source and scanning traffic to learn about the target c. Scanning without completing the three-way handshake d. Communicating over social media
B. This is a man-in-the-middle attack and is something done as an attack, not as research.
10. Which of the following is not a metadata feature of the Diamond Model? a. Direction b. Result c. Devices d. Resources
C. Devices are the victim, or what is attacked. Direction is additional data about delivery. Result is extra data about the attack. Resources provide more details about what is being used to attack the victim.
9. Which of the following is the best explanation of early detection of threats in the kill chain? a. Starting analysis at the reconnaissance phase to begin detection weaponization b. Starting analysis at the delivery phase to begin detection at the exploitation phase c. Starting analysis at the reconnaissance phase to begin detection at the delivery phase d. Starting analysis at the exploitation phase to begin detection at the installation phase
C. It's best to start doing analysis early so you can detect when an adversary attempts to communicate with you and then attack. Waiting for the attack is okay, but proactive measures, such as making it hard for attackers to communicate with you, is the best and earliest detection approach.
5. Which of the following statements would represent the delivery stage of a ransomware attack? a. The ransomware encrypts the hard drive. b. Ransomware is pushed onto a system through an exploit. c. The user connects to a malicious website that attacks the system. d. The exploit page identifies a vulnerability and launches an attack.
C. The user connecting to a malicious website would represent how the attack is delivered. You might think answer B is correct; however, that is how the ransomware is installed—hence, the installation stage post-exploitation.
2. Which of the following is a false statement about activity threads in the Diamond Model? a. Activity threads are the relationship between diamonds. b. Activity threads can spread across to other attacks. c. Activity threads can involve more than one victim. d. Activity threads are possible attacks the attacker could use against the victim.
D. Activity threads represent attacks that the attacker has already used.
8. Which of the following is an example of an action step from the kill chain? a. Attacking another target b. Taking data off the network c. Listening to traffic inside the network d. All of the above
D. Attacking internal targets or stealing data could be goals. Sometimes listening to traffic is the goal. For example, hackers might breach a company and use inside information to affect stock trading decisions. This was done by a group, which is believed to have made millions doing this.
4. Which of the following is not an example of a capability in the Diamond Model? a. Hacker tools b. Exploit kits c. Malware d. Email
D. Email would be an infrastructure.
7. Which is a false statement about the Diamond Model? a. Lines in the Diamond Model represent how the attacker reaches the victim. b. Diamonds represent an adversary, victim, capability, and infrastructure. c. Diamonds can be grouped together, known as activity threads. d. Meta-features provide useful context and are core to the model.
D. Meta-features are not required.
9. Which technology would not be considered part of the "during" phase of the Cisco BDA model? a. Antivirus b. Intrusion prevention c. Application layer firewall threat detection d. Port security
D. Port security would be more of a "before" technology. It involves preventing attackers from having the chance to attack the network by physically plugging in an unauthorized device.
4. Which of the following is not a step in the kill chain? a. Weaponization b. C2 c. Installation d. Data exfiltration
D. The final step is "action." One example of an action could be to remove data. Action is not a required step of an attack and not part of the kill chain. For example, an attacker's goal could be to take down the network from within.
Activity Threads
Diamonds can be grouped together into activity threads to identify related attacks.
Installation
Installation in regard to the kill chain refers to installing the previously developed weapon and being capable of maintaining persistence inside the target system or environment.
Reconnaissance
Reconnaissance is an information-gathering stage focused on researching the target.
C2
The command and control phase is when the adversary connects to the compromised system and has "hands-on-keyboard" access inside the environment.
Delivery
The delivery phase determines how the attack developed during the weaponization phase is delivered.
Exploitation
The exploitation phase is when the attack is launched against a vulnerability in the targeted victim.
Action and Objectives
The final stage of the kill chain is action and objectives, which represents the adversary moving on to accomplishing the goal for launching the attack.
Weaponization
Weaponization is when an attack is developed based on data found during the reconnaissance phase.
Meta-features of an event
are not core to the diamond model but provide useful context. such as a timestamp, kill chain phase, result of the attack, direction of the attack, attack method, and resources used.
Diamond Model of Intrusion
is designed to represent an incident, also called an event, and is made up of four parts: Adversary Capabilities Infrastructure Victim
Analytic Pivoting
is key for modeling the event. describe moving between each part of an attack.
Incident response team's GOAL
is to identify an event as early as possible in the kill chain.
CYBER KILL CHAIN MODEL
was first introduced by Lockheed Martin Steps of the Kill Chain Model: Reconnaissance Weaponization Delivery Exploitation Installation Command and control (C2) Actions on objectives