SY0-601 Chapter 2
Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. What two terms best describe Snowden? A: Insider B: State Actor C: Hacktivist D: APT E: Organized Crime
A&C: Insider/Hacktivist
Zero-Day Attacks
Attacks that exploit vulnerabilities unknown to other hackers and to cybersecurity teams; attackers may store the discovered vulnerability in a repository for later use. Very dangerous because the vulnerability is also unknown to the product vendor, so no patch exists yet.
Closed-Source Intelligence
Doing one's own information gathering; the resulting intelligence is proprietary, and the organization may want to keep its threat data secret.
Insiders
Occur when an employee, contractor, vendor, or anyone else with authorized access to information or systems wages an attack against the organization. Insiders can be of any skill level.
Email and social media (TV)
One of the most commonly exploited threat vectors; uses phishing, spam, or other attacks, and needs only one user to take the bait for the attack to take effect.
Threat Maps
Provide a geographic view of threat intelligence; used to gain insight into the sources of attacks, but notoriously unreliable.
Vulnerability Databases
Provide valuable insight into the types of threats being discovered by researchers.
Open-Source Intelligence
Threat intelligence acquired from publicly available sources.
Is it timely? (TAF)
A feed that is operating on a delay can cause you to miss a threat.
Dark Web
A network run over standard Internet connections but using multiple layers of encryption to provide anonymous communication.
What type of assessment is particularly useful for identifying insider threats? A: Behavioral B: Instinctual C: Habitual D: IOCs
A: Behavioral
Of the threat vectors listed here, which one is most commonly exploited by attackers who are at a distant location? A: Email B: Direct access C: Wireless D: Removable media
A: Email
Which of the following threat actors typically has the greatest access to resources? A: Nation-State Actors B: Organized Crime C: Hacktivists D: Insider threats
A: Nation-State Actors
Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organization. What term best describes this use of technology? A: Shadow-IT B: System Integration C: Vendor Management D: Data Exfiltration
A: Shadow-IT
Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack? A: Supply Chain B: Removable media C: Cloud D: Direct Access
A: Supply Chain
Which one of the following threat research tools is used to visually display information about the location of threat actors? A: Threat Map B: Predictive analysis C: Vulnerability Feed D: STIX
A: Threat Map
Tom's organization recently learned that the vendor is discontinuing support for the customer relationship management (CRM) system. What should concern Tom the most from a security perspective? A: Unavailability of future patches B: Lack of technical support C: Theft of customer information D: Increased Costs
A: Unavailability of future patches
Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a healthcare system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin's work? A: White Hat B: Grey Hat C: Black Hat D: Green Hat
A: White Hat
Structured Threat Information eXpression (STIX)
An XML-structured language for expressing and sharing threat intelligence. Originally sponsored by the U.S. Department of Homeland Security.
Wireless Networks (TV)
Attackers do not need to gain physical access to the network, because they can get close enough to access the organization's network remotely.
Cloud (TV)
Attackers may routinely scan remote virtual (cloud-based) services looking for files with improper access controls, security flaws, or accidentally published API keys.
Which of the following measures is not commonly used to assess threat intelligence? A: Timeliness B: Detail C: Accuracy D: Relevance
B: Detail
Which of the following attackers is most likely to be associated with an APT? A: Nation-State Actor B: Hacktivist C: Script Kiddie D: Insider
B: Hacktivist
Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol's technical specification. What resource would best meet his needs? A: Academic Journal B: Internet RFCs C: Subject Matter Experts D: Textbooks
B: Internet RFCs
Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information? A: Vulnerability Feed B: IoC C: TTP D: RFC
B: IoC
Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository? A: Product Manuals B: Source Code C: API Keys D: Open Source Data
C: API Keys
Which one of the following information sources would not be considered an OSINT (Open Source Intelligence) source? A: DNS Lookup B: Search Engine research C: Port Scans D: WHOIS inquiries
C: Port Scans
What language is STIX based on? A: PHP B: HTML C: XML D: Python
C: XML
Is the information accurate? (TAF)
Can you rely on what it says? How likely is it that the threat assessment is valid?
Which of the following is the best example of a hacktivist group? A: Chinese Military B: U.S. Government C: Russian Mafia D: Anonymous
D: Anonymous
What organization did the U.S. help create to help share knowledge between organizations in specific verticals? A: DHS B: SANS C: CERTS D: ISACs
D: ISACs
Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyber threat information. What should she choose? A: STIX 1.0 B: OpenIOC C: STIX 2.0 D: TAXII
D: TAXII
Removable Media (TV)
Attackers use devices such as USB drives to spread malware and launch attacks; they may leave devices in a public area hoping someone will insert them into their computer.
Is the information relevant? (TAF)
If it describes the wrong platform, the wrong software, or a reason for targeting that does not apply to the organization, it is irrelevant.
Third-Party Risk (TV)
Attackers interfere with an organization's supply chain to gain access to devices before they arrive at the organization.
Script Kiddies
People who use hacking techniques but have limited skill and rely almost entirely on automated tools. Their motivation is mainly to prove their skill.
Threat Vectors
The means that threat actors use to obtain access to a target.
Criminal Syndicates
Their motive is simply illegal financial gain, and their skill level ranges from moderate to high. Involved in cybercrimes such as cyber-dependent crimes, child sexual exploitation, payment fraud, dark web activity, terrorism, and/or cross-cutting crime factors.
Hacktivist
Use hacking techniques to accomplish an activist goal, such as defacing a website they disagree with or attacking a network because of its political affiliation. Deterrent measures that would stop most people are less likely to work against this group.
Open Indicators of Compromise (OpenIoC)
XML-based framework; includes metadata such as the author, the name of the IoC, and a description of the indicator.
Confidence Score
Allows organizations to filter and use threat intelligence based on how much trust they can place in it.
Direct Access (TV)
Attackers may seek to gain access by physically entering an organization's facility, such as a lobby or a store, and using unsecured network jacks on the wall.
Trusted Automated eXchange of Indicator Information (TAXII)
Companion to STIX; intended to allow cybersecurity threat information to be communicated at the application layer via HTTPS.
STIX use
Defines objects such as attack patterns, identities, malware, threat actors, and tools, which are then connected by either a relationship or a sighting.
Information Sharing and Analysis Centers (ISACs)
Help owners and operators share threat information and provide tools and assistance to their members, allowing in-depth sharing of threat information for both physical and cyber threats.
Threat Feeds
Intended to provide up-to-date detail about threats in a way that your organization can leverage.
Advanced Persistent Threats (APTs)
Involve high-level, consistent attacks over a significant period of time, with motives varying from political to economic.
Competitors
May engage in corporate espionage designed to steal sensitive information from another organization in order to gain a business advantage. This may include stealing customer information, proprietary software, confidential product plans, or any other information.
Threat Intelligence
Set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment; can also be used for predictive analysis.
Indicators of Compromise (IoCs)
Telltale signs that an attack has taken place; may include file signatures, log patterns, or other evidence.