578.1 Flashcards
What is the meaning of School Of Thought?
A perspective of a group with common opinions and disciplines.
What was Moonlight Maze?
One of the first known large-scale state-sponsored cyber-espionage campaigns, active from about 1996 against US government and research networks. It was reanalyzed in 2016-2017 (Kaspersky Lab and King's College London) after the original attack artifacts were recovered.
What was Penquin Turla?
Linux backdoor toolkit described by Kaspersky Lab in December 2014, attributed to the Turla group, whose code is based on the LOKI2 covert-channel backdoor.
What is Intelligence?
Intelligence is the collection, processing, and analysis of information about a competitive entity and its agents, needed by an organization or group for its security and well-being.
It is both a product and a process.
Intelligence deals with all the things that should be known in advance of initiating a course of action.
Definition of: HUMINT
Human intel collection (interpersonal)
Definition of: GEOINT
Geospatial intel collection (satellites)
Definition of: MASINT
Measurement and signature intel (radar, nuclear detonation signatures, etc)
Definition of: OSINT
Open-source intel (libraries, public records, internet)
Definition of: SIGINT
Intel derived from signal intercepts (cell phone communications or tapping of com lines)
Definition of: All-source intelligence
Intelligence derived from every available discipline (HUMINT, GEOINT, MASINT, OSINT, SIGINT and others) on a subject or topic.
What is Counterintelligence?
Counterintelligence is the identification, assessment, and neutralization of adversary intelligence activities.
e.g. Operation Bodyguard, the Allied deception plan that protected the 1944 Normandy landings.
Who was Sherman Kent?
Regarded as the father of intelligence analysis. Kent's analytic doctrine, as compiled from his writing by Jack Davis, has nine principles:
- Focus on Policymaker Concerns
- Avoidance of a Personal Policy Agenda
- Intellectual Rigor
- Conscious Effort to Avoid Analytic Biases
- Willingness to Consider Other Judgments
- Systematic Use of Outside Experts
- Collective Responsibility for Judgment
- Effective Communication of Policy-Support Information and Judgments
- Candid Admission of Mistakes
Who was Richards J. Heuer, Jr.?
CIA analyst and author of "Psychology of Intelligence Analysis"; developed the Analysis of Competing Hypotheses (ACH), whose steps are:
- Enumerate Hypotheses
- Support the Hypotheses
- Diagnostics
- Refine the Matrix
- Prioritize the Hypotheses
- Determine Evidentiary Dependence
- Report Conclusions
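A worked example of the ACH steps above, added here and not part of the original flashcards or of Heuer's own work: the hypotheses, evidence and consistency ratings are constructed for a fictional intrusion, and the credibility/relevance weighting is an assumed extension (common in ACH software) rather than part of Heuer's basic method. The matrix scores inconsistency only, flags non-diagnostic evidence, ranks the least-refuted hypothesis first and reports which single piece of evidence the conclusion hinges on.

```python
"""Analysis of Competing Hypotheses (ACH) as a scored matrix.

Added example, not from the flashcards or from Heuer's own work. The
hypotheses, evidence and ratings below are constructed for a fictional
intrusion; the credibility/relevance weighting is an assumed extension
of Heuer's basic method, not part of his original step list.
"""
from dataclasses import dataclass, field

# Heuer-style consistency codes. Only inconsistency is scored: ACH ranks
# hypotheses by how much evidence argues AGAINST them, because almost any
# evidence can be made to look consistent with a favoured hypothesis.
INCONSISTENCY_WEIGHT = {"CC": 0.0, "C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}


@dataclass
class Evidence:
    description: str
    ratings: dict                 # hypothesis -> code from INCONSISTENCY_WEIGHT
    credibility: float = 1.0      # 0..1 trust in the source (assumed extension)
    relevance: float = 1.0        # 0..1 bearing on the question (assumed extension)


@dataclass
class AchMatrix:
    hypotheses: list
    evidence: list = field(default_factory=list)

    def add(self, description, ratings, credibility=1.0, relevance=1.0):
        # "Support the Hypotheses": every item is rated against every hypothesis.
        missing = set(self.hypotheses) - set(ratings)
        if missing:
            raise ValueError(f"{description!r} not rated against {sorted(missing)}")
        self.evidence.append(Evidence(description, ratings, credibility, relevance))

    def diagnosticity(self):
        """"Diagnostics": evidence rated identically against every hypothesis
        cannot discriminate between them and should be dropped from the matrix."""
        return {ev.description: len(set(ev.ratings.values())) > 1
                for ev in self.evidence}

    def inconsistency_scores(self):
        """Weighted inconsistency per hypothesis; lower is better."""
        scores = {h: 0.0 for h in self.hypotheses}
        for ev in self.evidence:
            weight = ev.credibility * ev.relevance
            for h in self.hypotheses:
                scores[h] += INCONSISTENCY_WEIGHT[ev.ratings[h]] * weight
        return scores

    def ranked(self):
        """"Prioritize the Hypotheses": least-refuted first; ties broken by name."""
        scores = self.inconsistency_scores()
        return sorted(self.hypotheses, key=lambda h: (scores[h], h))

    def evidentiary_dependence(self):
        """"Determine Evidentiary Dependence": which single items of evidence,
        if discredited, would change the top-ranked hypothesis? Those items
        are the ones worth re-collecting or re-validating."""
        top = self.ranked()[0]
        fragile = []
        for i, ev in enumerate(self.evidence):
            without = AchMatrix(self.hypotheses,
                                self.evidence[:i] + self.evidence[i + 1:])
            if without.ranked()[0] != top:
                fragile.append(ev.description)
        return fragile


def build_example():
    """Constructed case: who is behind a fictional intrusion?"""
    m = AchMatrix(["Crimeware group", "State espionage", "Insider"])
    m.add("Exfiltrated data was engineering documents, not payment data",
          {"Crimeware group": "I", "State espionage": "CC", "Insider": "C"})
    m.add("Tooling overlaps a publicly reported crimeware kit",
          {"Crimeware group": "C", "State espionage": "N", "Insider": "I"},
          credibility=0.6)          # open-source reporting, not independently verified
    m.add("Activity fell inside the victim's business hours",
          {"Crimeware group": "N", "State espionage": "N", "Insider": "C"})
    m.add("Initial access was a phishing email from an external address",
          {"Crimeware group": "C", "State espionage": "C", "Insider": "II"})
    m.add("Binaries carry generic compiler metadata",
          {"Crimeware group": "N", "State espionage": "N", "Insider": "N"})
    return m


if __name__ == "__main__":
    matrix = build_example()
    for h, score in sorted(matrix.inconsistency_scores().items(), key=lambda kv: kv[1]):
        print(f"{score:4.1f}  {h}")
    print("non-diagnostic:", [d for d, ok in matrix.diagnosticity().items() if not ok])
    print("conclusion hinges on:", matrix.evidentiary_dependence())
```

Run as written, "State espionage" ranks first with zero inconsistency, the compiler-metadata item is flagged as non-diagnostic, and the dependence check shows the whole conclusion rests on the single observation about what was exfiltrated: if that item were discredited, the crimeware hypothesis would tie for first. That is exactly the kind of collection gap ACH is meant to surface before a conclusion is reported.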
What is the definition of Analysis?
Detailed examination of the elements or structure of something. Breaking something down into its constituent parts to understand its operation.
We analyze observed activity & adversary intent.
Definition of: Data-Driven Analysis?
Requires good datasets and straightforward problems. Logic-driven and easily replicated by other analysts examining the same data.
Definition of: Conceptually-Driven Analysis?
Used where there are numerous unknowns and undefined variables and relationships; the analyst's own conceptual model of the subject does most of the work, so results are harder to replicate.
What are the three types of pattern recognition?
Template Matching
Prototype Matching
Top-Down Matching
What is System 1 Thinking?
Intuitive Thinking
Fast, effective, often accurate.
System 1 thinking involves existing mental models.
What is System 2 Thinking?
Analytic thinking
Slow, methodical, and conscious; e.g. working an intrusion through the Kill Chain or the Diamond Model.
What are Mental Models?
Mental models are experience-based assumptions and expectations of the way the world operates.
What is SAT?
Structured analytic techniques (SATs) are analyst approaches to better evaluate information while reducing the impact of bias.
What are the 6 categories of SAT?
- Getting Organized
- Exploration Techniques
- Diagnostic Techniques
- Reframing Techniques
- Foresight Techniques
- Decision Support Techniques
Decomposition
Breaking down a problem into its components.
Visualization
Capturing the parts of a problem in an organized, often visual, manner.
5 parts of the intel life cycle?
- Planning and Direction
- Collection
- Processing and Exploitation
- Analysis and Production
- Dissemination
Define CTI
Analyzed information about the hostile intent, opportunity, and capability of an adversary that satisfies a requirement.
The analysis is on the threat
The focus is on the customer
Adversary or threat
The human behind the keyboard: an individual, a team, or a government.
Adversaries are your threat when they have the opportunity, intent, and capability for doing you harm.
Intel requirement
A simply worded, straightforward single question that drives the intelligence life cycle.
Intrusion
Any successful or failed attempt by the adversary to compromise a system.
Intrusion set
Linking of multiple intrusions together across 2+ phases of the kill chain.
Activity group
Unique clusters of intrusions, defined mathematically by the analyst's or team's analytic weighting (confidence scoring) of the features the intrusions share.
Difference between intrusion set and activity group?
An intrusion set is a clustering and linking of intrusions on key indicators, whereas an activity group is a cluster you track that is specific to an analytical or intelligence requirement. A slight nuance, but activity groups are more formal and serve a more structured purpose.
Threat actor
The adversary responsible for intrusions, tracked uniquely across different intrusions.
Campaign or operation
Campaigns are identified as the mission focus of the adversary across multiple intrusions. A single intrusion or even a small amount (three to five) should not be seen as a campaign, as it is too small to derive a pattern and is highly subject to the analyst’s bias on what the adversary might be attempting to do.
Campaigns can be used to highlight a series of intrusions against a sector or group of victims, such as a campaign targeting banks. However, always be aware that your collection gaps and limited visibility can distort your understanding of the campaign.
TLP
Traffic Light Protocol: a set of sharing labels (TLP:RED, TLP:AMBER, TLP:GREEN, TLP:CLEAR, formerly TLP:WHITE) that tells recipients how widely a piece of intelligence may be redistributed.
Victim
Individual, network or system compromised.
Target
Intended victim of an intrusion
Persona
A fake name or identifier that an adversary adopts.
TTP
Tactic, Technique and Procedure.
What is Tradecraft?
The combination of methods, capabilities, and resources (such as infrastructure) that an adversary leverages in the course of their actions.
Threats can be evaluated by
Intent + Opportunity + Capability
What is TTP?
Tactics: High-level approach to achieving the goal
Techniques: One step down, how the goal will be achieved.
Procedures: Granular view into the steps taken to achieve the goal.
What is an Indicator?
Data + Context
An indicator must indicate something: it describes an aspect of an intrusion. An IP address by itself is not an indicator; an IP address plus the context "C2 node" is.
Key Indicator
- Identify as many as possible
- Ideally, at least two in different adversary steps
- Ideally, across three or more intrusions
- Remain consistent across intrusions
- Uniquely distinguish an activity cluster
- Distinguish intrusions from benign activity
- Align to a phase of adversary activity
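An added example (not from the flashcards or any vendor tool) that turns the key-indicator criteria above into code which links intrusions into intrusion sets: an indicator is modelled as a (phase, type, value) triple so that data carries its context, key indicators must recur across three or more intrusions and be absent from a benign allowlist, and two intrusions are linked only when they share key indicators in at least two different kill-chain phases. All intrusion names, domains, hash prefixes and the allowlist are constructed sample data.

```python
"""Linking intrusions into intrusion sets on shared key indicators.

Added example, not from the flashcards or any vendor tool. The intrusions,
indicators and benign allowlist are constructed for illustration. An
indicator here is data plus context: a (kill-chain phase, type, value) triple.
"""
from collections import defaultdict
from itertools import combinations

UA = "Mozilla/5.0 (compatible)"   # constructed: generic string also seen in benign traffic

# Constructed sample intrusions, each a set of (phase, type, value) indicators.
INTRUSIONS = {
    "INT-001": {("delivery", "sender-domain", "docs-share.example"),
                ("exploitation", "user-agent", UA),
                ("installation", "sha256-prefix", "3f1a"),
                ("c2", "domain", "cdn-sync.example")},
    "INT-002": {("delivery", "sender-domain", "docs-share.example"),
                ("exploitation", "user-agent", UA),
                ("installation", "sha256-prefix", "3f1a"),
                ("c2", "domain", "cdn-sync.example")},
    "INT-003": {("delivery", "sender-domain", "docs-share.example"),
                ("exploitation", "user-agent", UA),
                ("installation", "sha256-prefix", "9c02"),
                ("c2", "domain", "cdn-sync.example")},
    "INT-004": {("delivery", "sender-domain", "invoice-portal.example"),
                ("exploitation", "user-agent", UA),
                ("installation", "sha256-prefix", "b7e4"),
                ("c2", "ip", "198.51.100.7")},
    "INT-005": {("delivery", "sender-domain", "invoice-portal.example"),
                ("exploitation", "user-agent", UA),
                ("installation", "sha256-prefix", "b7e4"),
                ("c2", "ip", "198.51.100.7")},
    "INT-006": {("delivery", "sender-domain", "invoice-portal.example"),
                ("installation", "sha256-prefix", "b7e4"),
                ("c2", "ip", "203.0.113.44")},
    "INT-007": {("delivery", "sender-domain", "hr-notice.example"),
                ("exploitation", "user-agent", UA),
                ("installation", "sha256-prefix", "0d55"),
                ("c2", "domain", "status-api.example")},
}

# Indicators known to occur in benign activity: they can be frequent across
# intrusions yet fail the "distinguish from benign activity" criterion.
BENIGN = frozenset({("exploitation", "user-agent", UA)})


def indicator_frequency(intrusions):
    """Map each indicator to the set of intrusions it appears in."""
    seen = defaultdict(set)
    for name, indicators in intrusions.items():
        for ind in indicators:
            seen[ind].add(name)
    return seen


def key_indicators(intrusions, min_intrusions=3, benign=frozenset()):
    """Key indicators: consistent across >= min_intrusions intrusions and not
    on the benign allowlist. Phase is part of the indicator itself, so the
    "align to a phase of adversary activity" criterion holds by construction."""
    return {ind: names for ind, names in indicator_frequency(intrusions).items()
            if len(names) >= min_intrusions and ind not in benign}


def shared_phases(a, b, keys):
    """Kill-chain phases in which two intrusions share a key indicator."""
    return {ind[0] for ind in (a & b) if ind in keys}


def cluster_intrusion_sets(intrusions, keys, min_phases=2):
    """Union-find over intrusions: link two intrusions when they share key
    indicators in at least min_phases different phases. Connected components
    with more than one member are candidate intrusion sets; singletons stay
    unlinked rather than being forced into a cluster."""
    parent = {name: name for name in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(sorted(intrusions), 2):
        if len(shared_phases(intrusions[a], intrusions[b], keys)) >= min_phases:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for name in intrusions:
        groups[find(name)].add(name)
    return sorted((frozenset(g) for g in groups.values() if len(g) > 1), key=sorted)


if __name__ == "__main__":
    keys = key_indicators(INTRUSIONS, benign=BENIGN)
    for ind, names in sorted(keys.items()):
        print(f"key indicator {ind} seen in {sorted(names)}")
    for intrusion_set in cluster_intrusion_sets(INTRUSIONS, keys):
        print("intrusion set:", sorted(intrusion_set))
```

With the sample data this yields two intrusion sets (INT-001 to INT-003 on a shared sender domain plus C2 domain; INT-004 to INT-006 on a shared sender domain plus installer hash) and leaves INT-007 unlinked. The generic user-agent string recurs in six intrusions, so it passes the frequency test, but the allowlist removes it; even without the allowlist it sits in a single phase and cannot link anything on its own, which is why the card asks for at least two key indicators in different adversary steps.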
Sliding Scale of Cyber Security
- Architecture
- Passive Defense
- Active Defense
- Intelligence
- Offense
SSCS: Offense
- Very costly with a poor return on investment
- Where not illegal, still not in the spirit of the law
- Take-down operations could be considered offensive in nature but usually are not
If you struggle to run defensive operations, do not assume offense is easier.
SSCS: Intelligence
- Adversary Emulation
- Hypothesis Generation
- Team Restructuring
SSCS: Active Defense
- Threat Hunting
- Incident Response
- Network Security Monitoring
- Malware Analysis
SSCS: Passive Defense
- Tuning Defense
- Placement of Technologies
- Visibility and Collection
SSCS: Architecture
- Better Defensible Environments
- Addressing Important Vulnerabilities
- Better Development
Four types of threat detection
- Modeling (Environmental / Unknowns)
- Configuration Analysis (Environmental / Knowns)
- Threat Behaviors (Threat / Unknowns)
- Indicators (Threat / Knowns)
Pyramid of Pain
- TTPs
- Tools
- Network / Host Artifacts
- Domain Names
- IP Addresses
- Hash Values
Priority Intelligence Requirements
PIRs are those IRs that are seen as critical to mission success.
Three types of intended audience / requirements
- Strategic
- Operational
- Tactical
Carberp
Cybercrime toolkit sold on Russian-language fraud forums with traditional banking-trojan capabilities such as VNC, RDP, sniffers, and keyloggers.
Carbanak
Malware based on Carberp, used in a campaign against over 100 banks (reported by Kaspersky Lab in 2015).
What is a CMS?
Collection Management System
A view of the sources of data, what is available in each source, and how that data is processed and exploited.
Explain the term System Analysis?
A system analysis is an intentionally developed set of mental models, templates, and prototypes that make up a system we are concerned with.
The four main points are:
- Tasks
- Structure
- Information Technology
- Individuals & Roles
What is Threat Modeling?
Relates an organization's data assets to the potential adversaries that could target them.
Explain Target-Centric Intelligence Analysis?
- Nonlinear approach to the intel cycle
- Builds a conceptual model of a “target”
- Used as a foundation for further analysis
Explain the VERIS Framework?
The Vocabulary for Event Recording and Incident Sharing
- Four A’s (Action, Asset, Actor, Attribute)
- Captures metrics on events and incidents
- Strategic-level counterpart to indicator sharing
What is Synthesis in CTI?
Synthesis combines data from the targeted organization with data from outside entities, and draws on other digital forensics and incident response disciplines such as malware analysis and host and network forensics.
What is Template Matching?
Template matching theory states that every object or experience is processed by the brain and stored as a template in long-term memory. Long-term memory is searched for a matching template to explain the situation.
What is Prototype Matching?
Prototype Matching is similar to template matching; however, it does not search for an exact match of a template but for an "average" of similar templates, referred to as a prototype.
What is Top-Down Matching?
Top-down pattern matching uses previous knowledge to “fill in the gaps” when we do not have complete information.
What does an adversary need to make themselves dangerous?
Opportunity + Intent + Capability
What is the difference between victim and target?
There may be multiple victims involved in an adversary’s campaign before they reach their target. A target is the ultimate goal of the adversary.