CompTIA CySA+
- Known Unknowns - Unknown Unknowns
- A classification of malware that uses obfuscation techniques (packing, polymorphism, encryption) to circumvent signature matching; the family or technique is known, the specific sample is not - A classification of malware or attacks that uses completely new attack vectors and exploits for which no signature or rule exists yet
Living Off The Land
- These are post-exploitation techniques that abuse standard system tools and packages already present on the host, either installed by an admin or shipped with the OS, so the attacker never has to drop a new binary. For example: using the system's native PowerShell, WMI, or certutil on Windows, or the Bash shell on Linux, to download and execute code. Because the activity looks like normal administration, detection of intruders is much more difficult. This is frequently done these days by both pentesters and attackers.
- Magic Number or File Signature - 4D 5A in hex, "MZ" in ASCII, or "TV" at the start of the Base64 encoding - Strings
- This is a fixed sequence of bytes at the start of a binary file header that indicates its file type, e.g. image file, executable file, archive. Its length varies by format (two bytes for a PE, four for ELF, eight for PNG). This is how you can identify certain types of files even if the extension has been changed. - What is this for a Windows portable executable file such as EXE, DLL, SYS, DRV, or COM? (A real PE also has the four-byte "PE\0\0" signature at the offset stored in the DOS header field e_lfanew.) - This is a sequence of printable characters that appears within an executable file (extracted with the strings tool); suspicious ones such as URLs, IP addresses, or command lines can be added to detection rules (e.g. YARA) for flagging
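Added example (not from these notes): a small Python script that identifies a file by its magic number instead of its extension, confirms a PE by following e_lfanew to the "PE\0\0" signature, and extracts printable strings the way the strings tool does. The signature table and the sample bytes are constructed for this example; the sample is not a real executable.

```python
# Added example: file-type identification by magic number plus a minimal
# 'strings' extractor. The signature table below is a constructed subset.
import re
import struct
from typing import List

MAGIC_NUMBERS = {
    b"MZ": "Windows PE/DOS executable (EXE, DLL, SYS, DRV)",
    b"\x7fELF": "ELF executable",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (also DOCX, XLSX, JAR, APK)",
}

def identify(data: bytes) -> str:
    """Return a type description based on the leading bytes, or 'unknown'."""
    # Longest signatures first so a short prefix never shadows a longer one.
    for magic in sorted(MAGIC_NUMBERS, key=len, reverse=True):
        if data.startswith(magic):
            return MAGIC_NUMBERS[magic]
    return "unknown"

def is_pe(data: bytes) -> bool:
    """A real PE has 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in the
    DOS header field e_lfanew (4 bytes, little-endian, at offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal equivalent of the Unix 'strings' tool for ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# Constructed sample: a fake, minimal PE header followed by text an analyst would
# want flagged. It is not a real or runnable executable.
SAMPLE = bytearray(b"MZ" + b"\x00" * 0x3A)        # DOS header up to e_lfanew (0x3C)
SAMPLE += struct.pack("<I", 0x40)                 # e_lfanew = 0x40
SAMPLE += b"PE\x00\x00"                           # PE signature at 0x40
SAMPLE += b"\x00" * 4
SAMPLE += b"cmd.exe /c whoami\x00"
SAMPLE += b"http://c2.example.invalid/gate\x00"
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    print(identify(SAMPLE))   # Windows PE/DOS executable (EXE, DLL, SYS, DRV)
    print(is_pe(SAMPLE))      # True
    print(strings(SAMPLE))    # ['cmd.exe /c whoami', 'http://c2.example.invalid/gate']
```

Renaming evil.exe to report.pdf changes nothing here: identify() still reports a PE, and the strings give the analyst a command line and a URL to pivot on.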
- NAC (Network Access Control) - 802.1X
- This provides the means to authenticate users and evaluate device integrity before a network connection is permitted - The above relies upon this IEEE standard, which encapsulates EAP (Extensible Authentication Protocol) communications over a LAN (EAPOL) and provides port-based authentication; the switch or AP (authenticator) keeps the port closed until the supplicant is authenticated by the RADIUS server
1. Elasticsearch (query/analytics): the centralized data store and search engine 2. Logstash (log collection, parsing, & normalization): ingests data from Beats or other inputs, parses and normalizes it, then sends it to Elasticsearch 3. Kibana (visualization): the web UI where you go to look at the data, which it reads from Elasticsearch 4. Beats (endpoint collection agents): lightweight shippers installed on various hosts that send data to Logstash or directly to Elasticsearch
- What are the four parts which make up the ELK/Elastic Stack SIEM?
- Pipl.com - Peekyou.com - Echosec.net
- What are three OSINT aggregation sites?
- 0: Emergency; system is unusable - 1: Alert; action must be taken immediately - 2: Critical; critical conditions - 3: Error; error conditions - 4: Warning; warning conditions - 5: Notice; normal but significant condition - 6: Informational - 7: Debug
What are the Syslog severity levels? (0 is the most severe; the PRI value at the start of a message is facility * 8 + severity)
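Added example (not from these notes): decoding the PRI field of syslog messages into facility and severity, then filtering for anything at Error or worse. The log lines are constructed for the example; the facility table lists only the common codes from RFC 5424.

```python
# Added example: parse syslog <PRI> into facility/severity and filter by severity.
import re
from typing import Dict, List, Tuple

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Facility codes from RFC 5424 section 6.2.1 (common ones only).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 10: "authpriv", 16: "local0", 17: "local1"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity, so severity is the low three bits."""
    if not 0 <= pri <= 191:            # 23 facilities * 8 + 7 = 191 is the max
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]

def parse(line: str) -> Dict[str, str]:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2)}

def at_least(lines: List[str], max_severity: str) -> List[Dict[str, str]]:
    """Keep messages as serious or more serious than max_severity.
    Lower code = more severe, so compare positions in SEVERITIES."""
    cutoff = SEVERITIES.index(max_severity)
    return [p for p in (parse(l) for l in lines)
            if SEVERITIES.index(p["severity"]) <= cutoff]

# Constructed RFC 3164-style sample lines; hosts, PIDs and addresses are made up.
SAMPLE = [
    "<34>Jan 12 10:00:01 fw01 sshd[4412]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "<38>Jan 12 10:00:03 fw01 sshd[4412]: Accepted publickey for ops from 198.51.100.7 port 51023 ssh2",
    "<134>Jan 12 10:00:05 web01 nginx: GET /index.html 200",
    "<11>Jan 12 10:00:07 db01 kernel: out of memory: killed process 812 (postgres)",
]

if __name__ == "__main__":
    for p in at_least(SAMPLE, "Error"):
        print(p["facility"], p["severity"], p["msg"])
```

Note that <34> is auth.crit and <38> is auth.info: the same daemon, very different urgency, and only the PRI tells you which.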
- IBM X-Force Exchange - FireEye - Recorded Future
What are three examples of Closed-Source or Proprietary Intelligence?
- Action field: usually set to alert, but other options include log, pass (ignore), drop, and reject - Protocol (tcp, udp, icmp, ip) - Source IP and Source Port #: usually set to a keyword (any) or a variable ($EXTERNAL_NET or $HOME_NET) but can also be a static value - Direction: can be unidirectional "->" or bidirectional "<>" - Destination IP and Destination Port # - Customizable rule options (msg, content, sid, rev, etc) follow the header in parentheses
- What is the format of a Snort rule header?
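Added example (not from these notes): a Python parser that splits a Snort rule into its header fields and options and resolves $VARIABLE references. The variable values and the sample rule are constructed for the example and do not come from any real ruleset; the option splitter assumes no semicolons inside quoted content, which is good enough to illustrate the header layout.

```python
# Added example: parse a Snort rule header and its options.
import re
from typing import Dict, List

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$",
    re.S)

# Constructed stand-ins for the ipvar/portvar definitions in snort.conf.
VARS = {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": "!10.0.0.0/8", "HTTP_PORTS": "80"}

def resolve(token: str) -> str:
    return VARS.get(token[1:], token) if token.startswith("$") else token

def parse_options(text: str) -> Dict[str, List[str]]:
    """Options are 'key:value;' pairs; flags like 'nocase;' carry no value.
    Simplification: assumes no ';' inside quoted strings."""
    opts: Dict[str, List[str]] = {}
    for part in filter(None, (p.strip() for p in text.split(";"))):
        key, _, value = part.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts

def parse_rule(rule: str) -> dict:
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unknown action {m['action']}")
    return {
        "action": m["action"], "proto": m["proto"],
        "src": resolve(m["src"]), "sport": resolve(m["sport"]),
        "dir": m["dir"],
        "dst": resolve(m["dst"]), "dport": resolve(m["dport"]),
        "options": parse_options(m["opts"] or ""),
    }

# Constructed sample rule (sid in the local 1000000+ range).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
               '(msg:"WEB-ATTACKS /etc/passwd access"; content:"/etc/passwd"; '
               'nocase; classtype:web-application-attack; sid:1000001; rev:1;)')

if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print(r["action"], r["proto"], r["src"], r["sport"], r["dir"], r["dst"], r["dport"])
    print(r["options"]["msg"][0], "sid", r["options"]["sid"][0])
```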
1. Strategic intelligence: addresses broad themes and objectives, affecting projects and business priorities over weeks and months. 2. Operational intelligence: addresses the day-to-day priorities of managers and specialists. 3. Tactical intelligence: informs the real-time decisions made by staff as they encounter alerts and status indicators.
What three levels does intelligence distribution or dissemination occur at?
1. How does the process interact with the Registry and file system? As it is launched, what is it doing? E.g. changing the Registry, putting files on the system, etc. 2. How is the process launched? Did the user launch it, did some service launch it, a scheduled task, etc? This will help you eliminate it if you need to turn it off 3. Is the image file located in the system folder or a temp folder? Many times, malware is launched from a temp folder. 4. What files are being manipulated by the process? When this launches, what is it touching? Does it just read files, change files, etc? 5. Does the process restore itself upon reboot after deletion? If so, that is an indicator of malware. 6. Does a system privilege or service get blocked if you delete the process? If so, this is another strong indicator of malware. 7. Is the process interacting with the network? Look for any communication going in and out, such as to a C2 server.
- What are seven questions you need to answer when a suspicious Windows process is found?
1. US-CERT (now part of CISA): provides alert news and regular bulletins and analysis reports. Also has a bi-directional threat feed called AIS (Automated Indicator Sharing) 2. UK's NCSC (National Cyber Security Centre): similar to US-CERT 3. AT&T Security (OTX): previously AlienVault Open Threat Exchange, acquired by AT&T 4. MISP (Malware Information Sharing Platform): open-source platform and feed format for sharing threat intelligence 5. VirusTotal: you can upload any file you are not sure of and it will check it against dozens of antivirus engines 6. Spamhaus: focused on spam and email 7. SANS ISC Suspicious Domains: provides a feed of domains thought to be malicious
- What are several sources of Open Source threat intelligence?
1. Conditional Analysis: uses signature detection and rule-based policies. Will usually have a logical statement such as IF, AND, OR, etc 2. Heuristic Analysis: uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious. Uses machine learning to alert on behavior that is similar enough to a signature or rule. This can find attackers who are doing something slightly different than a known signature 3. Behavioral Analysis: network monitoring system that detects changes in normal operating data sequences and finds abnormalities. Looks for deviations from a defined level, tolerance, or baseline learned from the monitored devices. 4. Anomaly Analysis: network monitoring system which uses a baseline of acceptable outcomes or event patterns to identify events that fall outside the acceptable range. It differs from behavioral analysis because it uses prescribed patterns, like protocol specifications or industry standards, as the baseline rather than watching the expected behavior of the monitored devices
- What are the four main methods of security analysis?
1. Identification: ensure scene is safe, secure the scene to prevent evidence contamination, and identify scope of evidence to collect 2. Collection: ensure authorization to collect evidence is obtained, then document and prove the integrity of evidence as collected 3. Analysis: create a copy of evidence for analysis and use repeatable methods and tools during analysis 4. Reporting: create a report of the method and tools used in the investigation and present detailed findings and conclusions based on the analysis - Legal Hold
- What are the four main steps in digital forensics procedures? - What process is designed for preserving all relevant information when litigation is expected to occur?
1. Reconnaissance: attacker gathers information about the target (hosts, people, software) and decides what methods to use to complete the rest of the attack 2. Weaponization: attacker gathers or builds code with which to exploit a vulnerability on a system 3. Delivery: attacker identifies an attack vector (email, web, USB) to deliver the code 4. Exploitation: weaponized code is executed on the target system 5. Installation: the code runs a remote access tool and achieves persistence on the system 6. C2 (Command & Control): weaponized code establishes an outbound channel to a remote server which can progress the attack 7. Actions on Objectives: attacker performs data exfiltration or other goals - To identify defensive courses of action (detect, deny, disrupt, degrade, deceive, destroy) to counter the progress of each stage of the attack
- What are the seven steps in the Lockheed Martin Kill Chain attack framework? - How is Kill Chain Analysis used?
1. Analysis must be performed without bias. For example: some organizations have one team who collects data and another who analyzes it 2. Analysis methods must be repeatable by third parties. If you give a copy of the evidence to someone else, they should be able to follow the same steps you took and achieve the same results. 3. Evidence must not be changed or manipulated
- What are the three rules of ethics in digital forensics?
1. Display From (the header From): this can be edited to say whatever the sender wants, so you have to look at the actual address behind the display name. 2. Envelope From (SMTP MAIL FROM): if the email is rejected by a server, the bounce goes to whatever is here. It can also be set to anything. Clients hide it, but the receiving MTA usually records it in the Return-Path header. 3. Received From/By: the list of MTAs (Mail Transfer Agents) which processed the email. Each MTA prepends its own Received header as the message passes through, so read them bottom-up; the ones added by your own servers can be trusted, but the sender can forge the earlier ones. - Message Header Analyzer, part of the Microsoft Remote Connectivity Analyzer at TestConnectivity.microsoft.com. You paste the email headers in and it breaks them down.
- What are the three sender address fields in emails which attackers commonly try to exploit because they are not displayed in clients but are inside headers? - What is an example of a tool which can help analyze email headers as opposed to manually reading through all of the text?
1. SPF (Sender Policy Framework): a DNS TXT record identifies the hosts authorized to send mail for the domain. Only one SPF record is allowed per domain, but that one record can authorize multiple servers (ip4:, ip6:, include: mechanisms). The receiving server checks the connecting IP against the record for the envelope From domain. 2. DKIM (DomainKeys Identified Mail): provides a cryptographic authentication mechanism for mail using a public key published as a DNS TXT record (at selector._domainkey.domain). It can replace or supplement SPF. The sending MTA hashes the body and selected headers and signs the result with its private key; the signature travels in the DKIM-Signature header. It's like a digital signature for email, but it verifies that the signing server sent the message, not that the individual person did. 3. DMARC (Domain-based Message Authentication, Reporting, and Conformance): a framework for ensuring proper application of SPF and DKIM, with a policy (none, quarantine, or reject) and reporting addresses published as a DNS TXT record at _dmarc.domain. It can use SPF, DKIM, or both, and it specifies an alignment check: the domain in the header From field must match the domain authenticated by SPF (the envelope From) or by DKIM (the d= tag). Alignment can be relaxed (same organizational domain) or strict (exact match).
- What are three authentication methods you can use to configure your servers to help prevent email spoofing attacks?
1. Block incoming requests from internal or private, loopback, and multicast IP address ranges (these cannot legitimately arrive from the internet, so they are spoofed) 2. Block incoming requests for protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc) 3. Configure IPv6 to either block all IPv6 traffic or allow it to authorized hosts and ports only. This is because many organizations still run IPv4 but do not bother configuring security for IPv6, leaving a parallel unfiltered path
- What are three basic principles for configuring firewalls ACLs?
1. Snort: open-source software available for Windows and Linux which can operate in IDS or inline IPS mode 2. Zeek (formerly Bro): open-source network security monitor for Linux that contains a scripting engine which can be used to act on significant events by generating an alert or implementing a shunning mechanism 3. Security Onion: open-source Linux platform which bundles many tools including Snort, Zeek, Suricata, Wireshark, and NetworkMiner with log management & incident management tools - Oinkcode: the registration code tied to your Snort account that you use to download the Snort Subscriber Rule Set (paid, released immediately) or the Registered Rule Set (free, delayed 30 days)
- What are three examples of an IDS/IPS? - What is the code for the paid subscription service which gives you updated Snort rules and signatures?
1. Posture Assessment: process of assessing the endpoint for compliance with the health policy; basically checks a supplicant to see if the device meets standards for allowing a connection to the network. The health policy is a list of things we're going to check to see if the device has, such as firmware or OS patch level. 2. Remediation: process and procedures that occur if a device does not meet the minimum security profile. 3. Pre-and Post-admission Control: the point at which client devices are granted or denied access based on their compliance with a health policy. May perform periodic checks on a device after admission to the network has been granted
- What are three key features of a NAC solution?
1. Agent-based: software installed on individual devices which aggregates and normalizes data before sending it to the SIEM 2. Listener/Collector: a host configured to receive log data that devices push to it using a protocol like Syslog or SNMP traps, which it then forwards to the SIEM server 3. Sensors: taps or SPAN ports inserted into the network. Collect packet captures and traffic flow data from sniffers positioned on the network. - Connectors or Plug-ins: software specifically designed to provide parsing and normalization functions for a particular log source feeding the SIEM - It has to synchronize time in order to correlate events, commonly by normalizing timestamps to UTC (Coordinated Universal Time), which is a time standard rather than a time zone and has no daylight saving shifts. This is especially important for organizations operating in multiple time zones
- What are three sources of SIEM data collection? - How can a SIEM normalize all this data? - What is something else a SIEM needs to do with data aside from parsing and normalizing it?
1. Frequency-based Analysis: establishes a baseline for a metric and monitors the number of occurrences over time (e.g. failed logons per hour). 2. Volume-based Analysis: measures a metric based on the size of something, such as disk space used, log file size, or bytes transferred. For example: if a host's outbound traffic or a database's utilization suddenly spikes to an atypically large size, it could be a sign of data exfiltration. 3. Statistical Deviation Analysis: uses the concepts of mean (average) and standard deviation to determine whether a data point is far enough from the baseline to be treated as suspicious. - Narrative-based Threat Awareness and Intelligence
- What are three types of Trend Analysis? - What is a form of trend analysis that is reported in longform prose to describe a common attack vector seen over time? For example: "Bad guys use IRC chat to control botnets. We should block IRC chat."
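Added example (not from these notes): statistical deviation analysis in Python over a constructed two-week baseline of daily outbound volume from one host. It learns the mean and standard deviation from the history only, then scores new days as z-scores so a single exfiltration spike cannot inflate the baseline it is judged against.

```python
# Added example: z-score based statistical deviation analysis.
import statistics
from typing import List, Tuple

def baseline(values: List[float]) -> Tuple[float, float]:
    """Mean and sample standard deviation of the training window."""
    return statistics.mean(values), statistics.stdev(values)

def z_score(x: float, mean: float, stdev: float) -> float:
    """Standard deviations from the mean; a flat baseline makes any change infinite."""
    if stdev == 0:
        return 0.0 if x == mean else float("inf")
    return (x - mean) / stdev

def flag_outliers(history: List[float], new_points: List[float],
                  threshold: float = 3.0) -> List[Tuple[float, float]]:
    """Return (value, z) for new observations beyond `threshold` deviations.
    The baseline comes only from history, so a burst in the new points cannot
    widen the standard deviation and hide itself."""
    mean, stdev = baseline(history)
    return [(x, round(z_score(x, mean, stdev), 2))
            for x in new_points if abs(z_score(x, mean, stdev)) >= threshold]

# Constructed data: 14 normal days of outbound MB from one workstation, then three
# new days; the last one is what a bulk exfiltration would look like.
HISTORY = [210, 195, 230, 205, 220, 198, 215, 225, 190, 212, 208, 219, 201, 222]
NEW = [214, 240, 1900]

if __name__ == "__main__":
    m, s = baseline(HISTORY)
    print(f"baseline mean={m:.1f} MB, stdev={s:.1f} MB")
    print(flag_outliers(HISTORY, NEW))
```

The 240 MB day is about 2.5 deviations out and is not flagged; 1900 MB is well over 100 deviations out and is. Picking the threshold is the tuning decision: 3 sigma is a common starting point, lower values trade more false positives for earlier detection.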
1. Port Hopping: an APT is able to switch ports to communicate to avoid detection 2. Fast Flux DNS: a technique that rapidly changes the IP address associated with a domain - Endpoint Forensics: APTs are usually very sneaky and good at hiding their activity, so a deep forensic dive focusing on endpoints is usually the best way to catch them
- What are two common mechanisms that APTs use to hide their presence in a network? - What is typically the best method of detecting an APT?
1. tcpdump: a command-line packet analyzer that displays TCP/IP and other packets being transmitted or received on a network interface the computer is attached to, and can write them to a pcap file 2. Wireshark: free and open-source GUI-based packet analyzer used for network troubleshooting, analysis, and software and protocol development - FPC (Full Packet Capture) - Flow Collector & Flow Analysis
- What are two commonly used packet sniffers? - This captures the entire packet including the header and the payload for all traffic entering & leaving the network - This is an alternative method to capturing network traffic to take up less space. It records metadata and statistics about network traffic rather than recording each frame. This allows you to get alerts based on anomalous activity
1. Forward Proxy: mediates communications between internal clients and external servers. Can filter or modify communications, and provides caching to improve performance 2. Reverse Proxy: sits in front of servers and protects them from direct contact with client requests. Handles protocol-specific inbound traffic (e.g. HTTP/HTTPS) on the servers' behalf 1. Non-transparent: server that handles requests and responses for clients explicitly configured with the proxy address and port. This is where you know the proxy is there, like in your browser settings 2. Transparent (forced or intercepted): server that redirects requests and responses without the client being explicitly configured to use it, typically via a network device that intercepts the traffic
- What are two types of proxy servers? - What are two ways to classify proxies?
- NIST 800-53 - ISO 27001 - NIST 800-61 - NIST 800-39 - NIST 800-63B - NIST 800-82
- What document covers security and privacy controls for U.S. Federal information systems and organizations? - What is an international, proprietary (paid) standard which is similar? - What document covers computer security incident handling? - What document covers the overall risk management process? - What document covers digital identity guidelines for things like IAM (Identity and Access Management) and passwords? - What document covers Industrial Control Systems (ICS) security?
- MIME (Multipurpose Internet Mail Extensions): these allow the body of an email to support different formats such as HTML, rich text, binary data encoded as Base64 ASCII characters, and attachments. This is not bad in and of itself since MIME is what allows you to bold text, add images, etc in email, but it can be exploited to deliver attack payloads. - S/MIME - An Exploit is when the message data itself contains scripts or objects that target a vulnerability in the mail client, so just rendering the message is enough. An Attachment is when the message carries a file in the hope that the user will open it - Embedded Link. To safeguard against this, don't click links in email; hover over the link (or view the message source) to see the real destination URL, and if you need the site, type its known address into the browser yourself.
- What extensions do attackers use to craft payloads for email attacks? - What version of this adds digital signatures and public key cryptography to these extensions? - What is the difference between an exploit and an attachment? - What is it called when attackers will type a friendly looking URL to try and get people to click on it, but it goes somewhere other than what the text says? How can you get around this?
- Data submitted via a URL (the query string) begins after the "?" character, with parameters separated by "&" - "%3A" is the percent-encoded (hex) form of a colon ":", so remember to decode when analyzing - Someone performed a search to find all xls (Excel spreadsheet) files containing the word "password" that are hosted on the site diontraining.com, a classic Google hacking query - It is the percent-encoded form of "@". If you see something like "*%40diontraining.com" it could mean someone was searching for all email addresses ending in "@diontraining.com"
- What information could you glean from the following search string if you found it in your proxy logs: https://www.google.com/search?&q=filetype%3Axls+password+site%3Adiontraining.com - What does %40 mean in hex code?
- syslog-ng or rsyslog 1. Newer implementations can use TCP (port 1468 in some products, or 514) for reliable delivery instead of UDP 514, which offers no delivery guarantee 2. Newer implementations can use TLS to encrypt messages sent to servers (RFC 5425 uses TCP 6514) 3. Newer implementations can use MD5 or SHA-1 hashes for authentication and integrity 4. Some newer implementations support message filtering, automated log analysis, event response scripting, and alternate message formats
- What is a newer version of a Syslog server called? - What are new features and capabilities which have been introduced into newer Syslog implementations due to past security issues?
- Cousin Domains: this is a DNS domain that looks similar to another name when rendered by a MUA (Mail User Agent). For example, if the legit address is "diontraining.com", a cousin domain could be "diontraiMing.com" (swapped the N for an M) or "diontraning.com" (dropped the first I in Training).
- What is a problem which may not be solved by SPF, DKIM, or DMARC
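Added example (not from these notes) covering the SPF/DKIM/DMARC card and this cousin-domain card together: a Python check of DMARC identifier alignment from message headers, followed by an edit-distance check for lookalike domains. The headers are constructed; the organizational-domain logic is simplified to the last two labels (real DMARC uses the Public Suffix List), and the edit-distance threshold is an assumption for the example.

```python
# Added example: DMARC alignment check plus a cousin-domain detector.
import re
from email.utils import parseaddr
from typing import Dict, List, Optional

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real DMARC
    uses the Public Suffix List so e.g. .co.uk is handled correctly)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from: str, authenticated: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment accepts a sub-domain; strict ('s') requires equality."""
    a, b = header_from.lower(), authenticated.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_alignment(headers: Dict[str, str], adkim: str = "r", aspf: str = "r") -> dict:
    from_domain = parseaddr(headers["From"])[1].rsplit("@", 1)[-1]
    spf_domain = parseaddr(headers.get("Return-Path", ""))[1].rsplit("@", 1)[-1]
    m = re.search(r"\bd=([^;\s]+)", headers.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else ""
    # SPF/DKIM are assumed to have passed; alignment is what DMARC adds on top.
    spf_ok = bool(spf_domain) and aligned(from_domain, spf_domain, aspf)
    dkim_ok = bool(dkim_domain) and aligned(from_domain, dkim_domain, adkim)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def cousin_of(domain: str, protected: List[str], max_dist: int = 2) -> Optional[str]:
    """Return the protected domain this one is a near-miss of, if any."""
    d = domain.lower()
    for p in protected:
        if d != p and edit_distance(d, p) <= max_dist:
            return p
    return None

# Constructed headers. LEGIT is genuine mail; SPOOF forges the display From but is
# sent from someone else's infrastructure; COUSIN comes from a lookalike domain the
# attacker controls, so SPF, DKIM and DMARC all pass for it.
LEGIT = {"From": "Alice <alice@diontraining.com>",
         "Return-Path": "<bounce@mail.diontraining.com>",
         "DKIM-Signature": "v=1; a=rsa-sha256; d=diontraining.com; s=sel1; bh=...; b=..."}
SPOOF = {"From": "Alice <alice@diontraining.com>",
         "Return-Path": "<x@bulk-sender.example>",
         "DKIM-Signature": "v=1; a=rsa-sha256; d=bulk-sender.example; s=k1; bh=...; b=..."}
COUSIN = {"From": "Alice <alice@diontraning.com>",
          "Return-Path": "<alice@diontraning.com>",
          "DKIM-Signature": "v=1; a=rsa-sha256; d=diontraning.com; s=k1; bh=...; b=..."}

if __name__ == "__main__":
    for msg in (LEGIT, SPOOF, COUSIN):
        r = dmarc_alignment(msg)
        verdict = "DMARC pass" if r["dmarc_pass"] else "DMARC fail"
        print(r["from"], verdict, "cousin of:", cousin_of(r["from"], ["diontraining.com"]))
```

The third message is the point of the cousin-domain card: every authentication check passes because the attacker really does own diontraning.com, so the lookalike has to be caught by a separate check (edit distance, registered-domain monitoring, or a mail gateway rule), not by SPF, DKIM or DMARC.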
- Reputation Data - Behavioral Threat Research - TTP (Tactics, Techniques, and Procedures)
- What is another term for blacklists of known threat sources such as malware signatures, IP address ranges, and DNS domains? - This term refers to the correlation of IoCs into attack patterns. For example, analysis of previous hacks and intrusions produces definitions of the tactics, techniques, and procedures (TTP) used to perform attacks. - These are behavior patterns that were used in historical cyber attacks
- Dropping traffic silently discards it, which makes it harder for an adversary to identify port states accurately. A reject rule sends a response back (a TCP RST or ICMP unreachable), which gives the adversary information they can use, such as confirming that a firewall exists and which ports it filters. - Firewalking - The attacker first finds a port the firewall allows through, then sends packets to that port with a TTL (Time To Live) set to one hop past the firewall. If the firewall forwards the packet, the next-hop host replies with an ICMP Time Exceeded message, revealing hosts behind the firewall and which rules let traffic through - By using NAT to prevent the attacker from identifying the address space behind the router, and by blocking outgoing ICMP Time Exceeded and other ICMP status messages
- What is the difference in a firewall dropping vs. rejecting traffic? - What is a technique to enumerate firewall configurations and hosts behind it? - How is this done? - How can you stop this?
1. CPU registers and cache memory 2. Contents of system memory (RAM), routing table, ARP cache, process table, temporary swap files 3. Data on persistent mass storage (HDD, SSD, flash drives) 4. Remote logging and monitoring data (SIEM, logs, etc) 5. Physical configuration and network topology (e.g. this computer was talking to this switch, etc) 6. Archival media (backup tapes, offsite storage) - Capture a memory dump before powering down, because parts of the registry such as HKLM\HARDWARE are volatile hives built at boot and stored only in memory, not on disk. The on-disk hive files (SYSTEM, SOFTWARE, SAM, SECURITY under System32\config, and each user's NTUSER.DAT) can then be pulled from the disk image and examined offline
- What is the order of volatility for digital forensics collection? - What is the best way to analyze a Windows registry?
- To find out who works for an organization and attempt to match their names with job roles through social media or the company's website, building a target list for phishing or password spraying - theHarvester - whois
- What is the purpose of email harvesting? - What is a linux tool used by pentesters to gather subdomain information and email addresses for an organization? - This is a public listing of all registered domains and their registered administrators. In other words, you can look up a website and find out who owns it
- Egress Filtering 1. Only allow whitelisted application ports and destination addresses 2. Restrict DNS lookups to trusted and authorized DNS services 3. Block access to known bad IP address ranges (blacklist) and any IP address space that is not authorized for use on your network 4. Block all internet access from host subnets that don't use it (such as ICS or SCADA)
- What is the term for ACL rules applied to traffic leaving a network to prevent malware from communicating with C2 servers? - What are four best practices for this?
- Services should run under the built-in SYSTEM (LocalSystem), LOCAL SERVICE, or NETWORK SERVICE accounts, or a dedicated service account. A service running under an ordinary user's account, especially one with an interactive logon, is a red flag worth investigating, though some legitimate third-party services (database servers, backup agents) do run under named service accounts, so confirm against the vendor's documentation before deciding.
- Which accounts should Windows services run under, and how does that help determine if a service is legitimate or malware masquerading as a service?
- Explicit Knowledge: you can write it down, see it, and touch the knowledge - Implicit Knowledge: sort of like a gut feeling knowing something is wrong and what to do next based on work experience and being in certain situations before
- What type of knowledge is gained from a threat feed, such as an open-source intelligence service? - What type of knowledge can you only get from experienced cybersecurity practitioners?
- WAF (Web Application Firewall) - Standard firewalls can only apply rules at the IP and TCP/UDP layers based on ports or protocols in use. WAFs can parse the response and requests headers and see what's inside the HTML messages. Then, they can apply detection and filtering rules based on the contents - JSON
- A firewall specifically designed to protect software running on web servers and their backend databases from code or SQL injection, XML injection, XSS, and DoS attacks - How is this different from a standard packet filtering firewall? - What format do many of these use to store their logs?
- Fast Flux Network 1. You would see call-outs from your systems to random-looking domain names such as 9O7SFDS879FS.com, with the IP addresses behind them changing rapidly. 2. You may see a high rate of NXDOMAIN responses in your DNS logs. These are the "This site cannot be reached" errors that end with "DNS_PROBE_FINISHED_NXDOMAIN" in a browser: the system asked for a domain name that does not exist, so the resolver could not resolve it. Malware using a DGA tries many generated names before hitting the one the attacker actually registered. - Use a secure recursive DNS resolver: one trusted resolver that queries other trusted DNS servers on the client's behalf to find the IP address, and which can log queries and filter known-bad or newly generated domains. Do not let hosts use arbitrary external DNS servers
- A method used by malware to hide the presence of C&C networks by continually changing the host IP addresses in domain records using DGAs (Domain Generation Algorithms) - What are some ways you might be able to detect this activity? - How can you mitigate this activity?
- Johari Window 1. Open: known to self and known to others 2. Hidden: known to self, but not known to others 3. Blind: not known to self, but known to others 4. Unknown: not known to either self or others - The goal is for everyone to reach the "Open" level as far as new threats, malware, etc are concerned, which is what threat intelligence sharing is for
- A model that describes the relationship between self-disclosure and self-awareness; based on the known-knowns, known-unknowns, etc. - What are the four sectors of this? - How does this relate to cybersecurity?
- Website Harvesting - Old or forgotten webpages, pages with weak code, etc - Sparse Attack: this favors patient attackers. For example: if very large organizations have a million different endpoints, one attacker doing one bad thing in a month may not be caught.
- A technique used to copy the source code of website files to analyze for information and vulnerabilities - What sort of vulnerabilities might you find with this? - This is a technique where attackers attempt to bury their activity inside of the "network noise"
1. The malware uses a dropper or downloader. It gets onto the computer by running lightweight shellcode on the target system, typically after something tricks the user into starting it; that shellcode acts as a dropper or first-stage downloader which fetches the rest of the code. NOTE: the shellcode does not necessarily open a command prompt. 2. Maintain access: at this point a second-stage downloader runs and pulls down something like a RAT (Remote Access Trojan) to give the attacker C2 control over the machine 3. Strengthen access: using the remote access tool from step 2, they look around the network, start infecting other systems, find high-value targets, and gain additional privileges 4. Actions on objectives: they start performing their planned attack 5. Concealment: maintain persistence but cover tracks by deleting logs, etc to avoid detection
- APTs frequently use Fileless Malware which uses shells. What five steps does this typically entail?
- By using DGAs (Domain Generation Algorithms). These are used by malware to evade blacklists by dynamically generating domain names for C&C networks 1. Attacker sets up one or more dynamic DNS (DDNS) services 2. Malware code implements a DGA to create a list of new domain names. The algorithm uses a seed (for example the current date combined with a secret value), and anyone holding the same seed produces the same list, so the malware and the attacker's server can keep jumping to the same new domain names 3. A parallel run of the DGA is used to create name records on the DDNS service. Since the attacker knows which names the malware will try, they register some of them ahead of time; with the same seed the two sides stay in step 4. The malware tries a selection of the domains it has created until one resolves and connects to the C2 server 5. The C&C server communicates a new seed for the DGA so the next batch of names is unknown to defenders who reversed the current one
- How have threat actors been able to get around blacklists for certain IP ranges or domains? - What are the five steps involved in this process?
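Added example (not from these notes) covering the fast-flux detection card and this DGA card together: a minimal seeded DGA in Python that shows why malware and its C2 can agree on fresh names, plus a detector that runs over constructed DNS log lines looking for the NXDOMAIN burst and random-looking labels such a DGA leaves behind. The algorithm is illustrative, not any real malware family's, and the log format, seed, addresses and thresholds are all assumptions for the example.

```python
# Added example: toy seeded DGA and an NXDOMAIN/entropy based detector.
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List

def dga(seed: str, day: str, count: int, tld: str = ".com") -> List[str]:
    """Deterministic: anyone with the same seed derives the same names for a day.
    (Illustrative construction, not a real family's algorithm.)"""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).hexdigest()
        names.append(digest[:16] + tld)
    return names

def entropy(label: str) -> float:
    """Shannon entropy in bits per character; dictionary words score lower than
    hash-like labels."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(log_lines: List[str], nx_ratio: float = 0.5, min_queries: int = 5,
            min_entropy: float = 2.5) -> Dict[str, dict]:
    """Per client: fraction of NXDOMAIN answers and count of random-looking names.
    Constructed log format: '<client> <qname> <rcode>' per line."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "random": 0})
    for line in log_lines:
        client, qname, rcode = line.split()
        s = per_client[client]
        s["total"] += 1
        s["nx"] += int(rcode == "NXDOMAIN")
        if entropy(qname.split(".")[0]) >= min_entropy:
            s["random"] += 1
    suspicious = {}
    for client, s in per_client.items():
        ratio = s["nx"] / s["total"]
        if s["total"] >= min_queries and ratio >= nx_ratio and s["random"] > 0:
            suspicious[client] = {"nxdomain_ratio": round(ratio, 2),
                                  "random_names": s["random"]}
    return suspicious

# Constructed DNS log: 10.0.0.5 is a normal workstation (one typo); 10.0.0.9 walks
# through DGA names until one resolves, i.e. the one the attacker registered.
NAMES = dga("example-seed", "2024-01-12", 6)
LOG = [
    "10.0.0.5 www.wikipedia.org NOERROR",
    "10.0.0.5 mail.google.com NOERROR",
    "10.0.0.5 cdn.example.net NOERROR",
    "10.0.0.5 wwww.typo.example NXDOMAIN",
    "10.0.0.5 github.com NOERROR",
] + [f"10.0.0.9 {n} NXDOMAIN" for n in NAMES[:5]] + [f"10.0.0.9 {NAMES[5]} NOERROR"]

if __name__ == "__main__":
    print("today's candidates:", NAMES[:2], "...")
    print(analyze(LOG))
```

Two things fall out of this. Blocking the six names for today does nothing for tomorrow, because the day is part of the seed; you need the seed or a behavioral detector. And the NXDOMAIN ratio alone is not enough (a user with a typo also produces one), which is why the detector requires both the ratio and at least one high-entropy label over a minimum number of queries.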
- DNS Zone Transfer - DNS Harvesting - Windows: nslookup, then "server ns1.targetwebsite.com" (point at the target's authoritative name server), then "set type=any" (ask for all record types), then "ls -d targetwebsite.com". If the target server allows transfers to anyone, it dumps the whole zone to your machine - Linux: dig axfr targetwebsite.com @ns1.targetwebsite.com (axfr is the zone transfer query type; the @ argument is the name server to ask). If the server is misconfigured, it returns every record in the zone to the attacker's machine - Attackers can go through this info and get things like IP addresses for servers, subdomains, and hostnames that hint at roles (vpn, mail, dev, backup), etc
- The process of replicating the databases containing the DNS data across a set of DNS servers. Often used during the reconnaissance phase of an attack - What is the name for an attack like this which uses OSINT to gather information about a domain such as subdomains, the hosting provider, admin contacts, etc? - What Windows or Linux commands can this be done with?
- HTTP Methods 1. GET: principal method used with HTTP and is used to retrieve a resource 2. POST: used to send data to the server for processing by the requested resource 3. PUT: creates or replaces the requested resource 4. DELETE: removes the requested resource 5. HEAD: retrieves only the response headers for a resource and no body. NOTE: this is often used in pentesting for a banner grab, because all you want are headers like Server: and X-Powered-By: that reveal the server software and version
- These are a set of request methods to indicate the desired action to be performed for a given resource (a resource is just something on a server). Includes commands such as GET and POST that are transmitted between Web servers and clients using the HTTP protocol. - What are five types of HTTP Methods?
- X-Headers
- These indicate custom headers that are controlled by SMTP server administrators
- ISAC (Information Sharing and Analysis Center) - CISP (Cybersecurity Information Sharing Partnership) 1. Critical Infrastructure: any physical or virtual infrastructure which would have a debilitating effect on the U.S. if it were incapacitated. Includes 16 different sectors defined by Homeland Security. The main focus in this sector is on ICS, SCADA, and embedded systems 2. Government: serves non-federal governments like state, local, tribal, and territorial 3. Healthcare: criminals will be looking for blackmail & ransom opportunities by compromising patient records or interfering with medical devices 4. Financial: helps prevent fraud and extortion of both consumers and financial institutions 5. Aviation: prevents disruptions and unsafe operations of air traffic control systems
- These were set up in the U.S. They are not-for-profit groups set up to share sector-specific threat intelligence and security best practices amongst their members. - These are similar but were set up in the UK - What are five examples of sectors which have these?
- URL Analysis 1. Resolving Percent Encoding, which is a mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding. A URL can contain unreserved (letters and numbers as well as - (dash), _ (underscore), period, and ~(tilde)) and reserved characters (colon, /, ?, #, @, !, $, etc) from the ASCII set 2. Assessing Redirection of the URL 3. Showing Source Code for Scripts in URL
- This activity is performed to identify whether a link is already flagged on an existing reputation list, and if not, to identify what malicious script or activity might be coded within it - What are three activities performed as a part of this?
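Added example (not from these notes) covering the proxy-log search string card and this URL analysis card together: Python that percent-decodes a URL from proxy logs, pulls out Google search operators such as filetype: and site:, and unwraps redirect parameters (including double-encoded ones) so the real destination is visible. The search URL is the one from the card above; the redirect URL and parameter names are constructed for the example.

```python
# Added example: URL decoding and analysis for proxy-log triage.
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, parse_qs, unquote

OPERATORS = {"filetype", "site", "inurl", "intitle", "ext"}

def decode_search(url: str) -> dict:
    """Return the decoded query text plus any search operators used in it."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX and '+'
    query = qs.get("q", [""])[0]
    operators: Dict[str, str] = {}
    terms: List[str] = []
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key in OPERATORS:
            operators[key] = value
        else:
            terms.append(token)
    return {"host": parts.hostname, "query": query,
            "operators": operators, "terms": terms}

# Parameter names commonly used to carry a follow-on URL (constructed list).
REDIRECT_PARAMS = {"url", "redirect", "next", "return", "goto", "dest", "continue"}

def redirect_targets(url: str) -> List[Tuple[str, str, str]]:
    """(param, decoded URL, destination host) for parameters that carry a URL.
    Nested encoding such as %252F is unwrapped one layer at a time."""
    found = []
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for v in values:
            while "%" in v and unquote(v) != v:   # stop when decoding changes nothing
                v = unquote(v)
            if v.startswith(("http://", "https://", "//")):
                found.append((key, v, urlsplit(v).hostname or ""))
    return found

# The first URL is the one from the notes; the second is a constructed phishing-style
# link whose visible host (trusted.example) differs from where it sends the user.
SEARCH_URL = "https://www.google.com/search?&q=filetype%3Axls+password+site%3Adiontraining.com"
REDIRECT_URL = "https://trusted.example/login?next=https%3A%2F%2Fdiontraning.com%2Fauth"

if __name__ == "__main__":
    print(decode_search(SEARCH_URL))
    print(redirect_targets(REDIRECT_URL))
```

The decoded search reads "filetype:xls password site:diontraining.com", and the redirect check surfaces diontraning.com (a cousin domain) behind a link that displays as trusted.example.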
- SPAN (Switched Port Analyzer) - Packet Sniffer - Packet sniffers should be placed inside the firewall and as close to important servers as possible. That way, the firewall will block most of the traffic and you can sniff what's left
- This allows for the copying of ingress and/or egress communications from one or more switch ports to another. It essentially makes a copy of everything coming in or out of a port, then puts that on a duplicate port so you can monitor it - This is a piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or TAP (Test Access Port) device - Where should this second type of device/software be placed in your network?
- MISP Project - It breaks down into evaluation of source reliability and information content. - Source Reliability is given a letter grade A (No Doubt of authenticity & trustworthiness; highest grade) through F (Cannot Be Judged, lowest grade) - Information Content is given a number 1 (Confirmed, highest rank) through 6 (Cannot Be Judged, lowest rank)
- This codifies the use of the admiralty scale for grading data and estimative language and can be used to help establish a Confidence Level for intelligence sources - How does this work?
- iptables - Windows Firewall (easier to read because they put comment lines above it which start with hashtags #) - Blinding Attack
- This is a Linux-based firewall which uses the Syslog format for its logs - This is a Windows-based firewall which uses the W3C extended log file format - This occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed
- Work Product Retention - During discovery and disclosure in a trial, when it comes to digital evidence like a hard drive, you would have to give a copy of the hard drive to the opposing team, but you do not have to give them your entire analysis. They have to do their own analysis. It is up to each side in a case whether to give forensic analysis to the other side. - The attorney has to hire and contract the analyst, not the attorney's firm
- This is a contractual method of retaining forensics investigators so that analysis is protected from disclosure by the work product doctrine. - What exactly does this mean? - Who has to hire the analyst?
- Black Hole - Router level, because traffic can be sent to the Null Interface. The whole purpose of the null interface is to drop traffic and not respond to it, so it doesn't take any special configuration, ACLs, etc. - Black holing uses fewer resources, but legitimate users can lose access, too - Black holing is good to use against Dark Nets, which are unused physical network ports or unused IP address space within a local network often used by attackers. For example: if you have a bunch of unused IP addresses in a range for your company network, you should route all of the unused IPs into a black hole in case an attacker should gain access to one. - Sinkhole; this is better for finding the cause of the DoS attack
- This is a means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic - Is this more efficient to do at the router or firewall level? - What is a drawback to this? - What is a good use case for this? - What is something similar to this which instead directs DoS traffic into another network for analysis?
Program Packer
- This is a method of compression that malware can use where an executable file is mostly compressed, but the part which isn't compressed contains code to decompress the executable. It is a self-extracting archive
- Email Internet Header - MUA (Mail User Agent) - MDA (Mail Delivery Agent): will ensure the sender is authorized to send a message from that domain. Can be done via digital certificates or username/PW - MTA (Mail Transfer Agent): routes email to recipient using DNS - SMTP
- This is a record of the email servers involved in transferring an email message from a sender to a recipient. Usually hidden from display clients - This is your email client, where you create or receive your emails - Where is the first place an email goes after you send it and what does this do? - Where does the email go if it has to be sent to a recipient on a different server/domain? - What protocol is used during this process?
- VirusTotal - MAEC (Malware Attribute Enumeration and Characterization) Scheme - Yara: this creates Yara Rules which are tests for matching certain string combinations within a given data source (binary, log file, packet capture, or email)
- This is a site where you can send email attachments containing the files you would like scanned. Inspects items with over 70 antivirus scanners and URL/domain blacklisting services - This is a standardized language for sharing structured information about malware that is complementary to STIX and TAXII to improve the automated sharing of threat intelligence - This is a multi-platform program running on Windows, Linux, and Mac OS for identifying, classifying, and describing malware samples
- Sysinternals - Process Explorer - autoruns: this allows you to save a baseline file, then you can run it again if you believe your system has become infected with malware, and it gives you an option to compare the two files to see any differences
- This is a tool suite which can help with behavioral analysis. It is designed to assist with troubleshooting issues with Windows. They help to build up a baseline to identify what "normal" is. - This tool helps filter out legitimate activity (known-good) to find anomalous behavior - This tool can help with developing a good known baseline
- BEC (Business Email Compromise) - Forwarding
- This is an impersonation attack in which the attacker gains control of an employee's account and uses it to convince other employees to perform fraudulent actions. - This is when a phishing email is formatted to appear as if it is part of a reply chain. Usually done by compromising the account of a lower-level employee to try and pretend instructions in the fake email thread have come from someone higher up
- Port Security 1. Physical Port Security: controls physical access to hardware 2. MAC Filtering: ACL which only allows approved MAC addresses to connect to the network 3. NAC (Network Access Control): collected protocols, policies, and hardware which authenticate and authorize access to a network - Disable any web administrative interfaces and use SSH shells instead for increased security. The web admin front ends may be vulnerable to XSS and other web-based attacks, allowing threat actors to access the systems
- This is disabling unused application/service ports on hosts and firewalls to reduce the number of threat vectors. - What are three different types of this? - What is a best practice for getting around the fact that many appliances (including IPS and IDS systems, firewalls, switches, etc) run on embedded OSs which may have patching and update limitations?
- Security Intelligence - CTI (Cyber Threat Intelligence) 1. Narrative reports—Analysis of certain adversary groups or a malware sample provided as a written document. These provide valuable information and knowledge, but in a format that must be assimilated manually by analysts. This is most useful at providing strategic intelligence to influence security control selection and configuration 2. Data feeds—Lists of known bad indicators, such as domain names or IP addresses associated with spam or distributed denial of service (DDoS) attacks, or hashes of exploit code. This provides tactical or operational intelligence that can be used within an automated system to inform real-time decisions and analysis as part of incident response or digital forensics.
- This is looking inward at the process through which data generated in the ongoing use of information systems is collected, processed, integrated, evaluated, analyzed, and interpreted to provide insights into the security status of those systems. For example: this could reveal a DDoS attack has taken place based on logs and traffic data - This is looking outward and providing data about the external threat landscape, such as active hacker groups, malware outbreaks, zero-day exploits, and so on. - What are two formats the second thing above is typically produced in?
- Obfuscated Malware Code - Recycled Threats
- This is malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware - This refers to the process of combining and modifying parts of multiple existing exploit & malware codes to create new threats that are not as easily identified by automated scanning
- Google Hacking - GHDB (Google Hacking Database) - Google Dorks 1. Quotes: double quotes "" specify an exact phrase and make a search more precise 2. NOT: uses minus sign "-" in front of a word to remove search results which include that string 3. AND/OR: "AND" will require both search terms while "OR" will require either search term 4. Scope: use different keywords to select the scope of the search. For example: "Filetype: PDF" will return only PDF file results containing the search terms 5. URL Modifiers
- This is manipulating a search string with additional specific operators to search for vulnerabilities or very specific information. - What is a repository of many different pre-run search strings? - What is a nickname for one of these pre-run strings? - What are five different ways you can manually create a string?
- HTTP Response Codes: these codes are usually three digits that will tell you some information that the server wants you to know. NOTE: individual codes do not need to be memorized for the exam. - A code 200 indicates a successful GET or POST request (OK). Code 201 indicates where a PUT request has succeeded in creating a resource - Any code in the 3xx range, such as 301, indicates that a redirect has occurred by the server - Any code in the 4xx range indicates an error in the client request. Code 400 indicates a request could not be parsed by the server. Code 401 indicates a request did not supply authentication credentials. Code 403 indicates insufficient permissions. Code 404 is very common and means a client has requested a non-existent resource - Codes in the 5xx range indicate a server-side issue. Code 500 indicates a general error on the server side of the application. Code 502 is a bad gateway when the server is acting as a proxy. Code 503 indicates an overloading of the server causing unavailability. Code 504 is a gateway timeout which means an issue with the upstream server
- This is the header value returned by a server when a client requests a URL - What are a few examples?
- Execution Control 1. SRP (Software Restriction Policies): can be configured as a GPO (Group Policy Object). Creates a whitelist file for different system locations where executables and scripts can launch from. For example: it may say that no scripts can be run from a temp folder. 2. AppLocker: improves configuration options and defaults of SRP. Can be applied to user & group accounts instead of just a computer. Can only be used inside Enterprise and Ultimate editions of Windows 3. WDAC (Windows Defender Application Control): allows you to create a code integrity policy which can be used on its own or in conjunction with AppLocker. Rules can be based on version-aware or digital signatures for a particular application, an image hash, or a file path. 1. MAC (Mandatory Access Control) 2. LSM (Linux Security Modules): SELinux and AppArmor are well-known examples - Through Configuration Management
- This is the process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software. It can be configured as a whitelisting or blacklisting approach - What are three ways this can be done in Windows? - What are two ways this can be done in Linux? - How are all of these settings managed?
- WMIC (Windows Management Instrumentation Command-line) - awk
- This program is used to review log files on a remote Windows machine - This is a scripting engine geared toward modifying and extracting data from files or data streams in Unix, Linux, and macOS systems
- Floss; it will go through and find anything which looks like an ASCII character and pipe it into a .txt file for reading - IDA; this may not be useful if the malware is encrypted - Debugger. For example, Ollydbg. This may not be useful if the malware is designed to recognize and react when it's being read by a debugging program - Process Dump; once this file is created, you can take it back to IDA and it should be more useful if the malware was originally encrypted when you attempted static analysis
- This tool can pull out ASCII strings from a binary and can be used for static analysis of malware - This tool has a free version. It is a de-compiler which can help do static analysis on programs. - This type of program allows you to run a program step by step to see what it does - This tool allows you to capture what happens while malware is being executed, and is very useful if the malware can detect when it's being run in a step-by-step debugger. It creates a file of the unpacked malware being run straight from memory. It also creates a hash value database for all good processes on a clean system, and this can be compared with what the malware changes.
- Code 220: indicates the server is ready - Code 250: indicates the message is accepted. If you send a message to an SMTP server, it will send this back - Code 421: indicates the service is not available. You can get this if the server is down or turned off when you try to send an email - Code 450: indicates that the server cannot access the mailbox to deliver the message. Can happen if it lacks permissions or if the mailbox doesn't exist due to a typo. - Code 451: indicates the local server aborted the action due to a processing error. - Code 452: indicates the local server has insufficient storage space available
- What are codes you should know for SMTP email log analysis?
1. Splunk: market-leading big data information gathering and analysis tool. Can import machine-generated data via a connector or visibility add-on. Very good at connecting different data systems. Has a user-friendly dashboard UI and can be installed locally or in the cloud. 2. ELK/Elastic Stack: collection of free and open-source SIEM tools that provides storage, search, and analysis functions. Is made up of four parts. Local install or cloud-based 3. ArcSight: a SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations such as SOX, HIPAA, and PCI DSS. Has a UI dashboard 4. QRadar: a SIEM log management, analytics, and compliance reporting platform created by IBM. Also has a dashboard. 5. Alien Vault and OSSIM (Open-Source Security Information Management): a SIEM solution originally developed by Alien Vault, now owned by AT&T and rebranded as AT&T Cybersecurity. It can integrate other open-source tools such as Snort IDS and OpenVAS vulnerability scanner. Also has an integrated web admin tool and a dashboard for users 6. Graylog: open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps
- What are six types of SIEM tools on the market and some characteristics of each? NOTE: for the exam, you don't need to know specifics or how to use these, just recognize that they are SIEMs
1. Requirements (Planning & Direction): sets goals for intelligence gathering effort. Shows how intelligence will support business goals. May also create use cases here. Consider special factors & constraints such as regulations 2. Collection and Processing: usually implemented by software suites such as SIEM. Data is put into a consistent format so analysis tools can operate on it. Scripting or manual processing may be required. Data must be kept secure. 3. Analysis: after data has been captured and normalized, anomalies are identified. Use cases, AI, and machine learning are useful here. 4. Dissemination: publishing information from analysis to consumers who need to act on it. Has many forms from status alerts to analyst reports. Should be tailored for the audience. This occurs at strategic, operational, and tactical levels. 5. Feedback: goal is to improve all other phases. Would include lessons learned, measurable success, how to address evolving security threats, as well as input collected from intelligence producers and consumers to improve the implementations of intelligence requirements
What are the five phases of the Security Intelligence Lifecycle?
1. STIX (Structured Threat Information eXpression): KNOW STIX FOR THE EXAM! A standard terminology for IoCs and ways of indicating relationships between them that's included as part of the OASIS CTI (Cyber Threat Intelligence) framework. Expressed in JavaScript Object Notation (JSON) format that consists of attribute:value pairs. If you see something in JSON format on the exam, it's probably STIX. It is built from high-level STIX Domain Objects (SDOs) that contain multiple attributes and values 2. TAXII (Trusted Automated eXchange of Indicator Information): protocol for supplying codified information to automate incident detection and analysis. Subscribers use this to obtain updates for their analysis tools. 3. OpenIOC: framework developed by Mandiant that uses XML formatted files for supplying codified information to automate incident detection and analysis 4. MISP (Malware Information Sharing Project): provides a server platform for threat intel sharing, proprietary format, supports open IOC definitions, and can import and export STIX over TAXII
What are the four most common formats for sharing data about threats?
1. Technical—The control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. Technical controls may also be described as logical controls. 2. Operational—The control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls. 3. Managerial—The control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. 4. Compensating: this acts as a substitute for a principal control, but must give the same level of security assurance as the control it is replacing, e.g. a physical barrier blocking a section of open fence, or developing a workaround for an embedded OS which cannot be patched or updated
What are the four types of Security Control Categories?
1. Adversary Capability: do they have acquired and augmented tools (commodity)? Do they have Developed capability (zero-day)? 2. Attack Surface: holistic network (routers, switches, etc), websites or cloud services, custom software applications (APIs) 3. Attack Vector: cyber, human (social engineering), physical (on premises)
What are three main areas of consideration when doing Threat Modeling?
1. Lockheed Martin Kill Chain: describes the stages by which a threat actor progresses a network intrusion. This is a very linear model 2. MITRE ATT&CK Framework: most explicit detail regarding how to mitigate or detect a given threat; a knowledge base which lists specific adversary tactics, techniques, and common knowledge. Uses a matrix model which lists different types of attacks and ways someone might carry them out 3. Diamond Model of Intrusion Analysis: used to represent an intrusion event. Framework for analyzing cybersecurity incidents by exploring relationships between four core features: adversary, capability, infrastructure, and victim
What are three major types of attack frameworks?
1. NetFlow: Cisco-developed means of reporting network flow information to a structured database. Became the standard people used under the name IPFIX (IP Flow Information eXport). Can define traffic flow based on packets which share similar characteristics. Provides metadata, but not entire packet captures 2. Zeek (Bro): Hybrid tool which passively monitors a network and only logs data of potential interest. So it samples data like NetFlow, but will capture entire packets when it finds something interesting. Also performs normalization of the data and stores it as tab-delimited or JSON (JavaScript Object Notation) formatted .txt files. Those files can then be used with other tools. 3. MRTG (Multi Router Traffic Grapher): this creates graphs showing traffic flows through the network interfaces of routers and switches by polling appliances using SNMP. This will give you a visual graph to look for patterns emerging, such as a spike in traffic between 2:00-4:00 AM
What are three tools used for Flow Analysis?
1. Proprietary: a commercial service offering where you have to pay a subscription for access to the info, which is updated regularly 2. Closed-Source: also usually subscription based; the data is derived from a provider's own research and analysis efforts such as data from honeynets they operate and anonymized info mined from user systems. FireEye is one example of this 3. Open-Source: data is freely available without a subscription. May include threat feeds similar to commercial providers as well as reputation lists and malware signature databases
What are three ways you can gain information for threat intelligence?
IOA (Indicator of Attack)
What is similar to an IOC (Indicator Of Compromise) but is an indication that an attack is in progress, rather than an indication that an attack was successful?
1. Use ACLs to restrict access to designated host devices. This means there should be a limited number of laptops or desktops which have the authorization to go into the management area on these devices, and they should only be able to do it from certain places. 2. Monitor the number of designated interfaces. E.g. are you going to allow anyone to connect over any port, or will there be only five ports in your office that have that connection back to those firewalls and network appliances? 3. Deny internet access to remote management. The switches and firewalls should not be completely cut off from the internet, only the management side of them should be. Connecting via secure VPN should be required for remote management. Port security is very important here to prevent rogue devices accessing your network.
What are several best practices to secure network appliances such as IPS/IDS, firewalls, and switches?
Data Enrichment
This automatically combines multiple disparate sources of information together to form a complete picture of events for analysts to use during an incident response or when threat hunting
OSINT (Open Source Intelligence)
This is a method of obtaining information about a person or organization through public records, websites, and social media
Shodan
This is a search engine optimized for identifying vulnerable internet-attached devices such as thermostats, webcams, and other IoT devices
1. System Idle (PID 0) and System (PID 4): kernel-level binaries that are the parent of the first user-mode process (Session Manager SubSystem - smss.exe) 2. Client Server Runtime SubSystem (csrss.exe): manages low-level Windows functions and it is normal to see several of these running (as long as they are launched from %SystemRoot%\System32 and have no parent). If they have a parent, it may be malware trying to masquerade as this process. 3. WININIT (wininit.exe): manages drivers and services and should only have a single instance running as a process 4. Services.exe: hosts nonboot drivers and background services. This process should only have one instance of services.exe running as a child of wininit.exe with other service processes showing as a child of services.exe or svchost.exe. Malware frequently tries to masquerade as this so look closely 5. Local Security Authority SubSystem (lsass.exe): handles authentication services for the system and should have a single instance running as a child of wininit.exe. 6. WINLOGON (winlogon.exe): manages access to the user desktop and should have only one instance for each user session with the Desktop Window Manager (dwm.exe) as a child process 7. USERINIT (userinit.exe): sets up the shell (typically explorer.exe) and then quits. Should only see this briefly after logon. 8. Explorer (explorer.exe): typical user shell launched with the user's account privileges rather than SYSTEM's and likely to be the parent for all processes started by the logged-on user. - These help you to know what "normal" looks like to avoid false positives
- What are eight legitimate processes you will always see running on a normal Windows system through the Process Explorer tool? - Why is it important to be aware of these?
1. Any process name that you don't recognize. Doesn't automatically mean it's bad, but you should look online at Microsoft's support site to double check it 2. Any process name that is similar to a legitimate system process. For example: "scvhost" instead of the legitimate "svchost". Or, any names which look scrambled or randomly generated. 3. Processes that appear without an icon, version information, description, or company name. 4. Processes that are unsigned, especially if from a well-known company like Microsoft 5. Any process whose digital signature doesn't match the identified publisher. They may have stolen the developer's private key. 6. Any process that does not have a parent/child relationship with a principal Windows process 7. Any processes hosted by Windows utilities like Explorer, Notepad, Task Manager, etc 8. Any process that is packed (compressed), highlighted purple in Process Explorer
- What are eight signs of a suspicious Windows process?
1. Code Injection: malicious code is inserted into otherwise legitimate files or data transmissions. 2. Masquerading: dropper replaces a genuine executable with a malicious one 3. DLL Injection: dropper forces a process to load a malicious DLL so that the DLL and the malicious code it contains get loaded into that process 4. DLL Sideloading: dropper exploits a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime 5. Process Hollowing: dropper starts a process in a suspended state and rewrites the memory locations containing the process code with the malware code. It essentially takes over some place in memory and puts malicious code in there.
- What are five methods that a dropper can use to run and eventually install malware?
1. Application: events generated by applications and services. 2. Security: audit events like failed logons or access denied 3. System: events generated by the OS and its services 4. Setup: events generated during the installation of Windows 5. Forwarded Events: events that are sent to the local host from other computers. These are newer and can send data directly to a SIEM 1. Information: used for successful events 2. Warning: used for events that may become problems such as low disk space 3. Error: something resulting in reduced functionality or not working 4. Audit Success/Failure: event which indicates a user or service either fulfilled or did not fulfill the system's audit policies
- What are five types of Windows event logs? - What are the four levels of severity of these logs?
1. Time-based: define access periods for given hosts 2. Location-based: geolocation 3. Role-based or Adaptive NAC: re-evaluates a device's authorization when it is used to do something. A regular user laptop may be granted access to the network, but if it tries to jump on a management subnet, it will be rejected 4. Rule-based: complex admissions policy that enforces a series of logical statements such as IF...AND...OR rules
- What are four things other than the Health Policy which you can use to grant or deny a device access to the network?
1. Connections that are permitted or denied 2. Port and protocol usage in the network 3. Bandwidth utilization with the duration and volume of usage 4. An audit log of the address translations (NAT/PAT) that occurred - They will be in vendor-specific formats - From top to bottom; the most important rules should be placed at the top. If traffic meets the criteria for that rule, it proceeds to the next one.
- What are four types of useful data that firewall logs can provide? - What format are firewall logs typically in? - In what order do the rules in a firewall's ACL process?
1. Risk Management: identifies and prioritizes threats and vulnerabilities to reduce their negative impact. This is usually grouped with Security Engineering b/c you use the information in Risk Management to design your systems based on the threats you've identified and prioritized 2. Incident Response: organized approach to addressing and managing the aftermath of a cybersecurity attack or security breach. Tactical level intelligence is most useful here b/c you need to know which IP addresses they are coming from, what they are doing in the network, etc 3. Vulnerability Management: identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Use this with threat analysis to find vulnerabilities you hadn't even thought of, for example, doing an updated vulnerability scan when WannaCry came out 4. Detection and Monitoring: observing activity to identify anomalous patterns for further analysis. Threat intelligence allows you to add more signatures, rules, and definitions to tune systems
- What are four ways you can perform threat analysis sharing as part of the Dissemination phase of the Security Intelligence Lifecycle?
1. Unauthorized software & files 2. Suspicious emails 3. Suspicious registry and file system changes 4. Unknown port and protocol usage 5. Excessive bandwidth usage 6. Rogue hardware 7. Service disruption and defacement 8. Suspicious or unauthorized account usage
An IOC (Indicator Of Compromise) is a sign that an initial attack was successful. What are eight types of IoCs?
Shadow IT
Computer hardware, software, or services used on a private network without authorization from the system owner. Something which is not sanctioned and has not gone through the change management process, such as someone setting up a rogue access point in their office.
SIEM Queries
These extract records from among all the data stored in a SIEM for review, or to show as a visualization
Sguil
This application comes bundled with Security Onion and helps to deal with real-time alerts. As logs are generated by different detection systems, this is able to see those and helps to view the alerts and identify different options to pivot between analysis tools and be able to look at different indicators
1. Anti-virus: software capable of detecting and removing viruses and malware 2. Host-based IDS/IPS: monitors a computer for unexpected behavior or drastic changes to the system's state 3. EPP (Endpoint Protection Platform): software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption. Mostly based on signature detection. 4. EDR (Endpoint Detection and Response): software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats. Mostly based on behavioral and anomaly analysis. 5. UEBA (User and Entity Behavior Analytics): system that can provide automated identification of suspicious activity by user accounts and computer hosts. Requires a solid baseline. These are heavily dependent on advanced computing techniques like AI and machine learning. Microsoft Advanced Threat Analytics and Splunk are two examples.
What are five different endpoint protection tools which help with security and analysis?
1. Implementing and configuring security controls 2. Working in a SOC (Security Operations Center) or CSIRT (Computer Security Incident Response Team) 3. Auditing security processes and procedures 4. Conducting risk & vulnerability assessments & pentesting 5. Maintaining up-to-date threat intelligence
What are five roles & responsibilities of a Cybersecurity Analyst?
1. Observed Data: A stateful property of the computer system or network or an event occurring within it, generated by the logging system. Examples of observables include an IP address, a change in an executable file property or signature, an HTTP request, or a firewall blocking a connection attempt 2. Indicator: A pattern of observables that are "of interest," or worthy of cybersecurity analysis 3. Attack pattern: Known adversary behaviors, starting with the overall goal and asset target (tactic), and elaborated over specific techniques and procedures 4. Campaign and threat actors: The adversaries launching cyberattacks are referred to in this framework as Threat Actors 5. COA (Course of Action): Mitigating actions or use of security controls to reduce risk from attacks or to resolve an incident.
What are five types of STIX Domain Objects (SDO)?
1. Unified Output: machine readable binary file, cannot be read by humans. 2. Syslog: can be integrated with SIEMs or read directly 3. CSV: common data format which uses commas to delimit fields; can be imported into 3rd party app, parsed with regular expressions, or opened as a spreadsheet 4. Tcpdump (pcap): very useful b/c it captures all packets underlying the event 5. Input directly into a SIEM
What are five types of output formats for IDS/IPS logs?
1. Commodity Malware: malicious software that is widely available for sale or easily obtainable and usable 2. Zero-day Malware: something new with no recorded signature which typically exploits a zero-day vulnerability 3. APT (Advanced Persistent Threat): can refer to nation-state threat actors, but can also refer to an attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware 4. C2 Node (Command & Control): aka a "Botmaster" controlling a botnet; an infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets
What are four different types of malware?
1. Timeliness: ensures the intelligence source is up to date 2. Relevancy: ensures the intelligence source matches the use case intended for it. E.g., info about attacks against Mac OS will not be relevant if you are using Windows or Linux 3. Accuracy: ensures that an intelligence source produces effective results. Information needs to be valid and true, eliminate false positives, etc. 4. Confidence Level: ensures the intelligence source produces qualified statements about reliability; a grade of how good overall we think the information is, based on the other factors
What are four factors you can use to weigh the value of intelligence sources?
1. Analyze network traffic: look for anything suspicious like connections to a C2 node 2. Analyze the executable process list: look for any strange or invalid processes running 3. Analyze other infected hosts: look for similarities, how they are hiding/persisting, if they are all running similar processes 4. Identify how the malicious process was executed: what allowed it to start up? Is there a way we can block it?
What are four things you can do when threat hunting?
1. Msg: text which informs the responder what triggered the rule, basically like a comment 2. Flow: will match a new or existing TCP connection, or match regardless of the TCP connection state 3. Flags: will tell you whether to match flags in the packet such as the TCP SYN, FIN, RST, etc. 4. Track: applies a rate limiter to the rule, only triggering if the threshold of events passes over a certain duration. For example: if a bad guy comes in once every minute, flag it, but if it's only once every hour, ignore it. 5. Reference: can match an entry to an attack database. 6. Classtype: will categorize the attack. For example: is this brute force, DoS, etc.? 7. Sid and Rev: a Snort ID (S+I+D...get it?), and it may include the revision number of that rule, which is the Rev
What are seven types of rule options you can set up with Snort rules?