.08 RG Vocab threats & threat actors Flashcards

1
Q

Threat Modeling

A

A form of risk assessment that simulates aspects of the attack and
defense sides of a logical entity, such as a piece of data, an application, a host, a system,
network, or an environment

2
Q

Tactics, Techniques, and Procedures (TTPs)

A

A method that threat actors or groups use
when they want to compromise a target

3
Q

Tactics

A

Represent the "why" of a technique and describe what an adversary is trying to
accomplish

4
Q

Techniques

A

Represent how the threat actor achieves a tactical objective

5
Q

Procedures

A

The detailed steps or how the technique is applied to execute the attack

6
Q

Indicators of Attack (IoAs)

A

Contextual-based attributes of suspicious activity that may lead
to a security breach/attack

7
Q

Indicators of Compromise (IoCs)

A

System artifacts or observables associated with an attack

8
Q

Threat Modeling

A

Threats are always present when operating a business, software, system, or network.
Understanding threats and how they impact business functions and security posture is
essential for delivering value and services. One means of understanding these threats is a
form of risk assessment known as threat modeling.
Threat modeling is defined by NIST (n.d.) as a form of risk assessment that simulates aspects
of the attack and defense sides of a logical entity, such as a piece of data, an application, a
host, a system, a network, or an environment. Think of threat modeling as using an attacker’s
lens to uncover design flaws in the entity (software, network, environment, tool, etc.) you are
modeling.
Threat modeling provides a structured process for identifying security requirements,
quantifying threat vulnerability criticality, selecting and prioritizing remediation efforts, and
validating the success of such efforts.
When performing threat modeling, four primary questions are asked:

9
Q

Diagram

A

What are you building? How does your environment look?

10
Q

Identify threats

A

What could be exploited in your environment or software?

11
Q

Mitigate

A

How do you defend against the identified threats?

12
Q

Validate

A

Have you performed each step above? And were you successful?

13
Q

Threat modeling produces the following artifacts

A

● Abstraction of the system (description of the subject to be modeled)
● Profiles of potential attackers, including goals and methods (TTPs)
● Potential threats to the system
● Actions that can be taken to mitigate each threat
● A catalog of future threats (assumptions for the changing threat landscape)
Threat modeling has several advantages for a security professional. These include the
opportunity to make cybersecurity spending and control decisions based on data, gain
enhanced visibility into systems and environments, and inform the overall organization’s
defensive strategy.

14
Q

Harden

A

includes application, credential, platform, and message hardening (recall from
modules 2 and 3 of this course that security hardening entails measures taken to
reduce the vulnerability of a system).

15
Q

Detect is the analysis stage. It has the following subcategories

A

o File analysis
o Identifier analysis
o Message analysis
o Network traffic analysis
o Platform analysis
o Process analysis
o User behavior analysis

16
Q

Isolate

A

is where you contain the threat.

17
Q

Deceive

A

is where you give them a false target.

18
Q

Evict

A

is where you stop the threat.

19
Q

Indicators of Compromise (IoCs)

A

Security breaches and cyberattacks can occur in various forms, from unrecognized files in a
system, unusual or unexplained configurations, to suspicious network behavior. In addition
to TTPs, information about cyber threats also includes indicators of compromise (IoCs).
According to NIST Special Publication 800-150 (2016), IoCs are defined as “system artifacts or
observables associated with an attack”. IoCs are evidence and clues that an intrusion or
security breach has taken place on the network. IoCs are helpful to investigators to evaluate
and discover more details about an attack, what tools were used in the attack, and possibly,
who is behind the attack and its impact.
A good analogy for IoCs is breadcrumbs left by an attacker. The detection of IoCs after or
during a cyberattack can be automated, sending a notification trigger or alarm to the incident
response team.
Common IoCs include:

20
Q

Suspicious activity by privileged user accounts

A

Cybercriminals can use privilege escalation to carry out their cyberattacks. This
type of IoC can be evidence of an internal or external attack.

21
Q

Activity from strange geographic regions

A

While this type of IoC depends on the area being monitored, monitoring network IP
addresses and where they are connecting from is a simple way to detect cyberattacks.

22
Q

Security tools disabled or not operating

A

Various types of malware can disable the
antivirus (AV) or endpoint protection software on a system. Suppose a system has its
security tools or AV software disabled. In that case, this may be evidence of a
cyberattack against the system.

23
Q

Repeated authentication failures

A

24
Q

Indicators of DDoS attacks

A

Evidence of Denial-of-Service attacks is an obvious clue that a cyberattack is
taking place.

25
Q

As a security professional, knowing how to effectively spot clues of cyberattacks plays a
critical role in the risk management process as well as in maintaining the confidentiality,
integrity, and availability of the network.

A

statement.

26
Q

Indicators of Attack (IoAs)

A

Indicators of attack (IoAs) are contextual-based attributes of suspicious activity that may lead
to a security breach/attack. Contextual-based refers to the fact that the importance of the
attribute is relative to the situation. For example, a person seen walking around a house may
or may not be a threat depending on the situation. IoAs are viewed as early warning signs or
clues that can indicate suspicious activities. Various incident response tools will include IoA
analysis and monitoring capabilities to allow system analysts to effectively detect and mitigate
IoAs. Ignored or misdiagnosed IoAs lead to IoCs.

27
Q

Differentiate between IoAs and IoCs

A

● IoAs become a threat depending on the situation and what the activity means in that
situation, whereas IoCs are valid threats.
● IoAs help prevent/mitigate an attack before it succeeds, whereas IoCs support
after-the-fact forensics of the attack.

28
Q

Target Retail Stores Breach

A

The Target breach was just the beginning of a series of massive retail data assaults that would expose critical weaknesses in enterprise data security and payment systems. Two years later, Target has largely recovered from the breach in terms of both consumer trust and financial impact.

29
Q

Colonial Pipeline Breach

A

The DarkSide ransomware gang hit the networks of Colonial Pipeline, which supplies roughly half of all the fuel on the US East Coast, on May 6 (according to breach information filed last week).