2B. Attack Frameworks and Indicator Management obj 1.1, 1.2

Question 1

Briefly describe reputational data

Answer 1

Blacklists of known threat sources (e.g., IP address ranges, malware signatures, domains)

Question 2

What are IoCs?

Answer 2

Residual signs of an asset that has been successfully compromised/breached (e.g., IP addresses, rogue hardware, unknown port/protocol usage, registry/file system changes)

Question 3

What is behavioural threat research?

Answer 3

The correlation of IoCs into attack patterns e.g., attacker might be using new IP address, but attack pattern resembles that of past attackers

Question 4

What are the stages of the Cyber Kill Chain?

Answer 4

1) Reconnaissance
2) Weaponisation
3) Delivery
4) Exploitation
5) Installation
6) C2
7) Actions on objectives

Question 5

Identify and describe stage one of the Cyber Kill Chain

Answer 5

1. Reconnaissance. During this stage, the adversary is gathering intelligence about their target. This can be open-source or direct acquisition (via scanning). Vulns may be identified.

Question 6

Identify and describe stage two of the Cyber Kill Chain

Answer 6

2. Weaponisation. In this stage, malware is combined with an exploit to create a payload that can be delivered to the target.

Question 7

Identify and describe stage three of the Cyber Kill Chain

Answer 7

3. Delivery. The payload is delivered to the target via a method (e.g., phishing, USB, water holing)

Question 8

Identify and describe stage four of the Cyber Kill Chain

Answer 8

4. Exploitation. The payload is executed and exploits a vulnerability. e.g., this can be initiated by a victim being tricked into running code via a phishing email, or a drive-by-download

Question 9

Identify and describe stage five of the Cyber Kill Chain

Answer 9

5. Installation. Remote access tools/backdoors are installed to achieve persistence.

Question 10

Identify and describe stage six of the Cyber Kill Chain

Answer 10

6. C2. The payload establishes a connection to a remote server that the adversary can use to gain remote access and install further tools/malware

Question 11

Identify and describe stage seven of the Cyber Kill Chain

Answer 11

Actions on objectives. The adversary takes actions to accomplish their goals (e.g., data exfiltration)

Question 12

What does STIX stand for?

Answer 12

Structured Threat Information eXpression

Question 13

What is STIX used for?

Answer 13

STIX is a language used to share CTI information in a standardised format. STIX v1 uses XML, while STIX v2 uses JSON.

Question 14

What are some of the STIX domain objects?

Answer 14

Attack pattern,
malware,
threat actor,
tools,
goals,
motivations

Question 15

What does TAXII stand for?

Answer 15

Trusted Automated eXchange of Indicator Information

Question 16

What is TAXII used for?

Answer 16

It is a protocol used for securely transporting/exchanging CTI information that uses the STIX syntax between different organisations and systems.

Question 17

Examples of how STIX can improve an organisation’s security

Answer 17

1) An organisation may use STIX data to identify patterns of suspicious activity on their network, and then respond to the activity with appropriate actions.
2) STIX data can be used to identify and prioritise vulnerabilities in an organisation’s network or system.

Question 18

Briefly describe OpenIOC

Answer 18

It is an XML-based framework that provides a standardised approach for describing artefacts found during an investigation. IOCs are made up of IOC Metadata (e.g., author and name of the IOC), References (e.g., case number, version of malware, etc), and the Definition (i.e., the content of the IOC e.g., the MD5, registry path, etc)