CySA+ Practice Exam Textbook
Roger is evaluating threat intelligence information sources and finds that one source results in quite a few false positive alerts. This lowers his confidence level in the source. What criteria for intelligence is not being met by this source?
Accuracy. An intelligence source that results in false positive errors is lacking in accuracy because it is providing incorrect results to the organization. Those results may still be timely and relevant, but they are not correct. Expense is not one of the three intelligence criteria (timeliness, relevance, and accuracy).
During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be? A. Determine the reason for the ports being open. B. Investigate the potentially compromised workstation. C. Run a vulnerability scan to identify vulnerable services. D. Reenable the workstation's local host firewall
Determine whether there is a legitimate reason for the workstation to have the listed ports open. Open ports are not evidence of compromise on their own; confirming whether they are expected comes before investigating, scanning, or changing the host firewall.
Consider the threat modeling analysis shown here. What attack framework was used to develop this analysis? Adversary Infrastructure Capability Victim
The Diamond Model of Intrusion Analysis. Its four core features are adversary, infrastructure, capability, and victim.
A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running?
MySQL. MySQL uses port 3306 as its default port. Oracle uses 1521, PostgreSQL uses port 5432, and Microsoft SQL Server uses 1433/1434.
Brad is working on a threat classification exercise, analyzing known threats and assessing the possibility of unknown threats. Which one of the following threat actors is most likely to be associated with an advanced persistent threat (APT)? A. Hacktivist B. Nation-state C. Insider D. Organized crime
Nation-state. It is possible for any of these threat actors to be affiliated with an APT, but the highest likelihood is that a sophisticated APT threat would be associated with a nation-state, rather than a less-resourced alternative.
Olivia is considering potential sources for threat intelligence information that she might incorporate into her security program. Which of the following sources is most likely to be available without a subscription fee? A. Vulnerability feeds B. Open source C. Closed source D. Proprietary
Open source. Open source intelligence is freely available information that does not require a subscription fee. Closed source and proprietary intelligence are synonyms and do involve payments to the providers. Vulnerability feeds may be considered threat intelligence, but they normally come with subscription fees.
During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her information gathering. What is her best option?
Perform a DNS brute-force attack. While it may seem strange, a DNS brute-force attack that queries a list of IPs, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization's IPS! nmap scans are commonly used during reconnaissance, and Cynthia can expect them to be detected since they are harder to conceal. Cynthia shouldn't expect to be able to perform a zone transfer, and if she can, a well-configured IPS should immediately flag the event.
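The technique in this answer, as an added example that is not part of the textbook: candidate hostnames from a wordlist are resolved one at a time with ordinary A-record lookups, and the ones that answer are collected. The wordlist, the `example.test` domain, the `FAKE_ZONE` table and the addresses in it are constructed for illustration; the resolver is injectable so the code runs offline, and the real `system_resolve` uses the OS resolver. The wildcard check is an addition a practitioner would want: a zone that answers for every name would otherwise make every candidate appear to exist.

```python
"""Subdomain enumeration by DNS brute force (added example, not textbook code).

Rather than asking the target's name server for a zone transfer (AXFR), which
is usually refused and loudly logged, the scanner issues normal A-record
lookups for candidate names taken from a wordlist. Each lookup is an ordinary
DNS query, which is why many IDS/IPS deployments never flag it.
"""
import socket
from typing import Callable, Dict, Iterable, Optional

# Constructed wordlist; real runs use lists with thousands of labels.
COMMON_SUBDOMAINS = ["www", "mail", "vpn", "dev", "staging", "intranet"]

# Constructed zone data so the example runs offline (assumed, not real hosts).
FAKE_ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.11",
    "vpn.example.test": "203.0.113.20",
}

Resolver = Callable[[str], Optional[str]]


def system_resolve(hostname: str) -> Optional[str]:
    """Resolve with the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def fake_resolve(hostname: str) -> Optional[str]:
    """Offline stand-in for system_resolve backed by FAKE_ZONE."""
    return FAKE_ZONE.get(hostname)


def brute_force_subdomains(domain: str, wordlist: Iterable[str],
                           resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Return {fqdn: ip} for every candidate label that resolves.

    A wildcard record (*.domain) answers for any name, so a name that should
    not exist is probed first and any candidate returning the same address is
    treated as a wildcard hit rather than a real host. (A real host that shares
    the wildcard address is hidden by this check; that is the trade-off.)
    """
    wildcard_ip = resolve(f"this-label-should-not-exist-9f3a.{domain}")
    found: Dict[str, str] = {}
    for label in wordlist:
        fqdn = f"{label}.{domain}"
        ip = resolve(fqdn)
        if ip is not None and ip != wildcard_ip:
            found[fqdn] = ip
    return found


if __name__ == "__main__":
    for host, addr in brute_force_subdomains("example.test", COMMON_SUBDOMAINS,
                                             fake_resolve).items():
        print(f"{host:<28} {addr}")
```

Swapping `fake_resolve` for the default `system_resolve` (or a resolver library pointed at a specific name server) turns this into a live run; the query pattern is the same either way, which is the point the answer makes about why it slips past IPS rules tuned for port scans.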
What markup language provides a standard mechanism for describing attack patterns, malware, threat actors, and tools?
STIX. Structured Threat Information eXpression is a structured language originally sponsored by the U.S. Department of Homeland Security and now maintained by OASIS. STIX 1.x was expressed in XML; STIX 2.x uses JSON. STIX 2.0 defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools. TAXII is designed to support STIX data exchange between security components over HTTPS. OpenIOC is an XML framework for the exchange of indicators of compromise (IOCs). XML itself does not provide a mechanism for describing security information; it is only a vehicle, as in STIX 1.x or OpenIOC, for a vocabulary defined elsewhere.
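What four of those domain objects and a relationship between them look like in STIX 2.1 JSON, as an added example that is not from the textbook and does not use the OASIS `stix2` library. The object names, the `is_family` flag value and the relationships are constructed for illustration; the required-property lists reflect the STIX 2.1 specification (common properties `type`, `spec_version`, `id`, `created`, `modified`; `name` on attack-pattern, malware, threat-actor and tool; `is_family` on malware; `relationship_type`, `source_ref`, `target_ref` on relationship), and the `validate` function only checks those, not the full schema.

```python
"""Hand-built STIX 2.1 domain objects and a small property check (added example).

Builds an attack-pattern, malware, threat-actor and tool object, links them with
relationship objects, and wraps them in a bundle ready to serialize as JSON,
which is the form a TAXII server would carry.
"""
import json
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"
# Common properties every STIX 2.1 domain and relationship object must carry.
REQUIRED_COMMON = ("type", "spec_version", "id", "created", "modified")
# Type-specific required properties for the object types used here.
REQUIRED_BY_TYPE = {
    "attack-pattern": ("name",),
    "malware": ("name", "is_family"),
    "threat-actor": ("name",),
    "tool": ("name",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def stix_timestamp(dt: datetime) -> str:
    """RFC 3339 UTC timestamp with millisecond precision and a trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_sdo(obj_type: str, **props) -> dict:
    """Build a STIX 2.1 object with a fresh '<type>--<uuid>' id and timestamps."""
    now = stix_timestamp(datetime.now(timezone.utc))
    obj = {
        "type": obj_type,
        "spec_version": SPEC_VERSION,
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": now,
        "modified": now,
    }
    obj.update(props)
    return obj


def make_relationship(rel_type: str, source: dict, target: dict) -> dict:
    """Link two STIX objects by id, e.g. threat-actor 'uses' malware."""
    return make_sdo("relationship", relationship_type=rel_type,
                    source_ref=source["id"], target_ref=target["id"])


def validate(obj: dict) -> list:
    """Return a list of problems; empty means the checks here all passed."""
    problems = []
    for prop in REQUIRED_COMMON + REQUIRED_BY_TYPE.get(obj.get("type"), ()):
        if prop not in obj:
            problems.append(f"missing required property {prop!r}")
    if "id" in obj and not str(obj["id"]).startswith(f"{obj.get('type')}--"):
        problems.append("id must be '<type>--<uuid>'")
    if obj.get("spec_version") != SPEC_VERSION:
        problems.append(f"spec_version must be {SPEC_VERSION!r}")
    return problems


def build_bundle() -> dict:
    """Assemble a bundle describing one constructed (fictional) intrusion."""
    actor = make_sdo("threat-actor", name="Example Actor (constructed)")
    loader = make_sdo("malware", name="Example Loader (constructed)", is_family=False)
    scanner = make_sdo("tool", name="nmap")
    pattern = make_sdo("attack-pattern", name="Active Scanning")
    objects = [
        actor, loader, scanner, pattern,
        make_relationship("uses", actor, loader),
        make_relationship("uses", actor, scanner),
        make_relationship("uses", actor, pattern),
    ]
    # STIX 2.1 bundles carry only type, id and objects (no spec_version).
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    bundle = build_bundle()
    assert all(validate(o) == [] for o in bundle["objects"])
    print(json.dumps(bundle, indent=2))
```

The `validate` function is deliberately narrow; for anything consumed from a real feed, run the objects through the OASIS `stix2` library or a JSON Schema validator, since a producer that drops `modified` or reuses ids will silently corrupt deduplication downstream.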