Mod 2
Diamond Model of Intrusion Analysis
A framework for examining network intrusion events.
Cyber Kill Chain™
A framework that outlines the steps of an attack.
MITRE ATT&CK
A knowledge base of attacker techniques that have been broken down and classified in detail.
Structured Threat Information Expression (STIX)
A language and format used to exchange cyber threat intelligence represented with objects and descriptive relationships.
advanced persistent threat (APT)
A new class of attacks using innovative attack tools that silently extract data over an extended period of time.
advanced persistent threats (APTs)
A new class of attacks using innovative attack tools that silently extract data over an extended period of time.
Common Vulnerability Scoring System (CVSS)
A numeric score assigned to a vulnerability based on a complex formula.
dissemination
A phase of the intelligence cycle that distributes threat data and information to the appropriate stakeholders.
feedback
A phase of the intelligence cycle that examines how effective the threat intelligence was.
Collection
A phase of the intelligence cycle that is the process of gathering information to address the most important intelligence requirements.
analysis
A phase of the intelligence cycle that processes data into a format usable by the organization.
requirements
A phase of the intelligence cycle that sets the high-level goals for the threat intelligence program.
threat modeling
A proactive strategy for evaluating risks by identifying potential threats and developing tests to detect and respond to those threats.
framework
A series of documented processes used to define policies and procedures for implementation and management of security controls in an enterprise environment.
threat actor
A term used to describe individuals or entities who are responsible for cyber incidents against enterprises, governments, and users.
Trusted Automated Exchange of Intelligence Information (TAXII)
An application protocol for exchanging cyber threat intelligence over Hypertext Transfer Protocol Secure (HTTPS).
indicator of compromise (IoC)
An indication that a malicious activity is occurring but is still in the early stages of an attack.
OpenIoC
An open framework for sharing OSINT in a machine-readable format.
Adversary capability
Assessing the attacker's intent, ability, capability, skills, tenacity, and available resources.
Organized crime
Attackers connected with an organized criminal syndicate.
nation-state actors
Attackers sponsored by a government for launching cyberattacks against their foes.
hacktivists
Attackers that are strongly motivated by ideology.
zero-day attacks
Attacks that exploit unknown vulnerabilities and give victims no time to prepare or defend against them.
IoC
Bernard is a security administrator for a large company that uses certain network statistics to determine whether malicious activity is occurring. Which of the following terms describes the evidence these network statistics provide when they point to malicious activity occurring? IoT IoC IoH IoA
Zero-day
Bettye manages a server for which a major vulnerability was recently reported in one of the services that her company uses. However, a patch currently is not available to fix the vulnerability, so she needs to ensure that the firewall and other protections in place will prevent a threat actor from exploiting the vulnerability. Which of the following describes the type of vulnerability on the server she manages? APT DDoS Ransomware Zero-day
security engineering
Building systems to resist attacks.
The Common Vulnerability Scoring System will allow the organization to prioritize which vulnerabilities it should mitigate first or implement compensating controls for.
Carl is a new cybersecurity analyst. His manager has just asked him to implement a vulnerability scanner that uses the CVSS. Which of the following best describes why he would want to use it? The cybersecurity virtual scanning software will help protect the company's virtual machine infrastructure from attacks specific to virtualized and hypervisor-based technologies. The computerized vector scanning system will determine which attack vectors are most vulnerable to the threat of malicious threat actors who can exploit weaknesses in the company's infrastructure. The Common Vulnerability Scoring System will allow the organization to prioritize which vulnerabilities it should mitigate first or implement compensating controls for. The central vulnerability scanning service will allow the company to automate scans easily from a centralized system rather than have to install components on individual servers and systems.
known threats vs. unknown threats
Classifying threats by comparing the knowledge of the threat actor to that of security personnel.
Intelligence Cycle
Collection, Processing, Analysis, Dissemination and Feedback
CART
Completeness, Accuracy, Timeliness, Relevancy, Confidence Levels
risk management
Controlling threats to assets.
threat data and intelligence
Details about threats that can be used to create defenses.
Shadow IT
Dmitry, a system administrator, has just received an e-mail from Ivan, the vice president of the sales department. Ivan asks him if it would be possible to pull some data into a cloud-based CRM that the sales department started using a few months ago. However, Dmitry was completely unaware that the sales department had started using this technology as they had never requested the IT department's involvement. Which of the following best describes this scenario? Shared-Services IT Advanced Persistent Threats Tiered Service Model Shadow IT
insider threat
Employees, contractors, and business partners who manipulate data from the position of a trusted employee.
Healthcare Ready
Focuses on strengthening supply chains.
Reconnaissance
Georgios has just returned from a cybersecurity conference where he learned about the methodology that threat actors use to attack their victims or intended victims. Which of the following steps in this methodology is a primary reason why he may be concerned about what information employees share online? Weaponization Delivery Reconnaissance Exploitation
Total attack surface
Graciela is attempting to determine the extent of vulnerabilities that exist for her organization. Some of the servers that she manages are public facing while others are internal servers. She is attempting to determine how many servers will be accessible from the Internet. Which of the following is she trying to determine? Total attack surface Adversary capability Likelihood Attack vector
KRI
Gunnar is building a database of upper and lower bounds of measurements of normal network activity. Which of the following terms is best used to describe these metrics? KRI IoC NMS AoI
incident response
Handling a cyberattack or data breach.
Scanning the web application for vulnerabilities Encrypting the data Secure transport protocols
How can web application data be protected in transit? (Choose all that apply) Scanning the web application for vulnerabilities Encrypting the data Ensuring that two-factor authentication is enabled for all users using a web application Secure transport protocols
c. Time of attack
Hyat has been asked to research the variables that are used as a basis for the Common Vulnerability Scoring System (CVSS). Which of the following is NOT a variable used in CVSS? a. Access vector b. Attack complexity c. Time of attack d. Confidentiality of data
vulnerability management
Identifying and addressing security vulnerabilities.
ISAC
Information Sharing and Analysis Center
reputational research
Looking into past actions to determine if a security incident is an isolated security failure or is part of a pattern of poor security or underlying malicious behavior.
commodity malware
Malware sold by other threat actors that can be customized for specific attacks.
Nation-state
Misaki is concerned about employees mistakenly sending confidential files and information to clients when the client has a similar name to internal employees. Which of the following is she concerned about? Nation-state Hacktivist Insider threat Organized crime
attack frameworks
Models of the thinking and actions of today's threat actors.
information sharing and analysis communities
Organizations that share OSINT.
b. Hacktivists proudly wear the name "hacktivist."
Parvin is conducting research on hacktivists. Which of the following would she NOT find about hacktivists? a. The name is a combination of the words "hack" and "activism." b. Hacktivists proudly wear the name "hacktivist." c. Hacktivists have defaced websites in order to make a political statement. d. Disinformation campaigns are a favorite tactic of hacktivists.
Closed source intelligence
Proprietary data that is owned by an entity that has an exclusive right to it.
behavioral research
Research into human behavior as it relates to cybersecurity.
FS-ISAC
Promotes resilience of infrastructure, shares threat and vulnerability information within the financial sector, and helps organizations with training.
Hacktivists
Sarah works for a large meat processing plant that makes extensive use of industrial control systems that control the processing line motors and systems in the plants. During a production run one day, the entire production line shuts down. The company recently has received threats from a few individuals claiming to be fans of a well-known animal rights organization if the company did not shut down these plants. Which of the following is most likely the source of these attacks? Nation-state actors Hacktivists Insider threats Organized crime
a. OpenIoC
Shahnaz is researching security appliances and needs the devices to accept threat data and intelligence using a standard machine-readable open framework. Which technology would Shahnaz require to be a feature of the security appliance? a. OpenIoC b. XRML c. SQL d. NoSQL
OSINT
Source Identification, Data Harvesting, Data Processing, Data Analysis, Result Delivery
STIX
Structured Threat Information eXpression
Nation-state
Takumi works for a large movie studio. He receives an alert from a monitoring system that their servers are under attack after the studio announces a movie that parodies a foreign leader. The traffic appears to be coming from that specific country. Which of the following threat actor types is most likely the source of the attack? Nation-state Hacktivist Insider threat Organized crime
Email harvesting
Terry and Alex have been hired as consultants to determine the security posture of an organization. They have written a custom tool that will crawl social media networks and other popular sites looking for certain pieces of valuable information they can use as part of an attack. Which of the following is this tool most likely used for? DNS harvesting MAC address harvesting Email harvesting IP address harvesting
accuracy
The correctness of public information sharing center data.
Impact
The effect or influence of the attack on the enterprise.
relevancy
The helpfulness of public information sharing center data.
Attack vector
The method used to compromise a vulnerability.
Likelihood
The probability of an attack occurring and being successful.
intelligence cycle
The process through which raw cybersecurity data becomes useful threat intelligence information.
Total attack surface
The sum total of the number of different attack points.
open source intelligence (OSINT)
Threat intelligence that is freely available.
MITRE ATT&CK
Tiffany is studying and learning as much as she can about cybersecurity in hopes of becoming a penetration tester. Which of the following might she find useful in her studies? 40 CFR BBB ISO/TC 901 CAA MITRE ATT&CK
False
True or false: A rootkit enables an attacker to gain logs of all keystrokes typed on a victim's machine.
True
True or false: Closed-source intelligence is also known as proprietary intelligence.
True
True or false: FS-ISAC focuses on the financial sector.
False
True or false: STIX is an application that has been developed by the community to provide cyber threat information.
TAXII
Trusted Automated eXchange of Intelligence Information
APT
Tyrese, a cybersecurity analyst, is performing an audit of user accounts when he discovers a handful of accounts that do not appear to represent actual employees at his organization. As he continues to investigate, he finds the accounts were created around four months ago and only connect to resources from outside the network. Which of the following might he have discovered? APT DDoS Zero-day attack Ransomware
detection and monitoring
Uncovering and managing vulnerabilities.
c. Commodity malware
What is the name for malware that is sold by attackers to other attackers and can be customized? a. Custom malware b. Proprietary malware c. Commodity malware d. ATTACK malware
d. Brokers
What is the name of attackers that sell their knowledge of a weakness to other attackers or to governments? a. Trustees b. Dealers c. Investors d. Brokers
Reveals debugging information of the application
What is the purpose of triggering a null pointer dereference? Reveals debugging information of the application Causes unexpected behaviour of the application Causes improper error handling Causes a user to access incorrect resources
a. A proactive strategy for evaluating risks
What is threat modeling? a. A proactive strategy for evaluating risks b. Using CVS data as input into a threat engine c. Using old threat intelligence data to create new threat intelligence data d. A standard for assigning a qualitative label to a threat
a. MITRE ATT&CK
Which attack framework is a knowledge base of attacker techniques that have been broken down and classified in detail? a. MITRE ATT&CK b. Diamond Model of Intrusion Analysis c. Cyber Kill Chain d. AXITI
d. Knowns
Which is not a category of threats based on the Johari window of cybersecurity threats? a. Known knowns b. Unknown unknowns c. Unknown knowns d. Knowns
c. Unknown unknowns
Which of the following categories describes a zero-day attack? a. Known unknowns b. Unknown knowns c. Unknown unknowns d. Known knowns
c. Total attack surface
Which of the following components is the sum total of the number of different attack points? a. Fault aggregation b. Vulnerability platform c. Total attack surface d. Attack vector
c. AIS
Which of the following enables the exchange of cyber threat indicators between parties through computer-to-computer communication?
a. Database vulnerability repositories (DVR)
Which of the following is NOT a source of threat intelligence? a. Database vulnerability repositories (DVR) b. File and code repositories c. Dark web d. Vulnerability databases
c. Data processing
Which of the following is NOT a step of the intelligence cycle? a. Analysis b. Dissemination c. Data processing d. Collection
d. APTs require the use of SQL injection attacks.
Which of the following is NOT correct about an Advanced Persistent Threat (APT)? a. APTs are most commonly associated with nation-state actors. b. APTs use innovative attack tools. c. Once a system is infected by an APT, it silently extracts data over an extended period of time. d. APTs require the use of SQL injection attacks.
b. The foes of nation-state actors are only foreign governments.
Which of the following is NOT correct about nation-state actors? a. Governments are increasingly employing their own state-sponsored attackers. b. The foes of nation-state actors are only foreign governments. c. Nation-state actors are considered the deadliest of any threat actors. d. These attackers are highly skilled and have deep resources.
c. STIX
Which of the following is a language and format used to exchange cyber threat intelligence? a. TAXII b. BRICK c. STIX d. FLOWII
Attack surface
Which of the following is not one of the four components of the Cyber Kill Chain? Victims Infrastructure Attack surface Capabilities
Result Delivery Source Identification Data Harvesting
Which of the following options are different phases of open-source intelligence? (Choose all that apply) Result Delivery Source Identification Business Information Gathering Data Harvesting
Completeness Relevance Timeliness Accuracy
Which of the following options are key pillars of intelligence / information gathering? (Choose all that apply) Completeness Relevance Timeliness Accuracy
Port 443
Which of the following ports uses encrypted network traffic? Port 443 Port 53 Port 80 Port 3389
Apache MySQL
Which of the following services need to be started for the DVWA application to function? (Choose all that apply) Tomcat DNS Service Apache DHCP services MySQL
d. Feedback
Which phase of the intelligence cycle feeds back into the requirements phase? a. Dissemination b. Analysis c. Financial d. Feedback
b. STRIDE
Which threat model has as its primary focus the developer? a. MAGELLAN b. STRIDE c. Trike d. PASTA
c. White hat hackers
Which type of hacker attempts to probe a system with an organization's permission for weaknesses and then privately report back to that organization? a. Gray hat hackers b. Black hat hackers c. White hat hackers d. Green hat hackers
Aviation ISAC
Shares cybersecurity information for the aviation sector.