578.1

Question 1

What is the meaning of School Of Thought?

Answer 1

A perspective of a group with common opinions and disciplines.

Question 2

What was Moonlight Maze?

Answer 2

First cyber attack in 1996. It was reanalyzed in 2016.

Question 3

What was Penquin Turla?

Answer 3

Toolkit identified by Kaspersky Labs in 2014, which was based off of LOKI2

Question 4

What is Intelligence?

Answer 4

Intel is the collection, processing, and analysis of information about a competitive entity and its agents, needed by an organization or group for its security and well-being.

It’s both, a product and a process.

Intelligence deals with all the things which should be known in advance of initiating a course of action.

Question 5

Definition of: HUMINT

Answer 5

Human intel collection (interpersonal)

Question 6

Definition of: GEOINT

Answer 6

Geospatial intel collection (satellites)

Question 7

Definition of: MASINT

Answer 7

Measurement and signature intel (radar, nuclear detonation signatures, etc)

Question 8

Definition of: OSINT

Answer 8

Open-source intel (libraries, public records, internet)

Question 9

Definition of: SIGINT

Answer 9

Intel derived from signal intercepts (cell phone communications or tapping of com lines)

Question 10

Definition of: ALL INT SOURCE

Answer 10

Intel derived from every available source on a subject or topic.

Question 11

What is Counterintelligence?

Answer 11

Counterintelligence is the identification, assessment , and neutralization of adversary intelligence activities.

e.g. Operation Bodyguard

Question 12

Who was Sherman Kent?

Answer 12

Father of intelligence analysis and creator of Kent’s analytic doctrine (9 points).

1. Focus on Policymaker Concerns
2. Avoidance of a Personal Policy Agenda
3. Intellectual Rigor
4. Conscious Effort to Avoid Analytic Biases
5. Willingness to Consider Other Judgments
6. Systematic Use of Outside Experts
7. Collective Responsibility for Judgment
8. Effective Communication of Policy-Support Informationen and Judgements
9. Candid Admission of Mistakes

Question 13

Who was Richards J. Heuer. Jr.?

Answer 13

Developed the Analysis of Competing Hypotheses

1. Enumerate Hypotheses
2. Support the Hypotheses
3. Diagnostics
4. Refine the Matrix
5. Prioritize the Hypotheses
6. Determine Evidentiary Dependence
7. Report Conclusions

Question 14

What is the definition of Analysis?

Answer 14

Detailed examination of the elements or structure of something. Breaking something down into its constituent parts to understand its operation.

We analyze observed activity & adversary intent.

Question 15

Definition of: Data-Driven Analysis?

Answer 15

Requires good datasets and straightforward problems. Logically-driven and easily replicated by other analysts observing it.

Question 16

Definition of: Conceptually-Driven Analysis?

Answer 16

Numerous unknowns and undefined variables and relationships.

Question 17

What are the three types of pattern recognition?

Answer 17

Template Matching
Prototype Matching
Top-Down Matching

Question 18

What is System 1 Thinking?

Answer 18

Intuitive Thinking

Fast, effective, often accurate.
System 1 thinking involves existing mental models.

Question 19

What is System 2 Thinking?

Answer 19

Analytic thinking

Slow methodical, and conscious, e.g. Kill Chain & Diamond Model

Question 20

What are Mental Models?

Answer 20

Mental models are experience-based assumptions and expectations of the way the world operates.

Question 21

What is SAT?

Answer 21

Structured analytic techniques (SATs) are analyst approaches to better evaluate information while reducing the impact of bias.

Question 22

What are the 6 categories of SAT?

Answer 22

Getting organized
Exploration Techniques
Diagnostic Techniques
Reframing Techniques
Foresight Techniques
Decision Support Techniques

Question 23

Decomposition

Answer 23

Breaking down a problem into its components.

Question 24

Visualization

Answer 24

Capturing the parts of a problem in an organized, often visual, manner.

Question 25

5 parts of the intel life cycle?

Answer 25

Planning and Direction
Collection
Processing and Exploitation
Analysis and Production
Dissemination

Question 26

Define CTI

Answer 26

Analyzed information about the hostile intent, opportunity, and capability of an adversary that satisfies a requirement.

The analysis is on the threat
The focus is on the customer

Question 27

Adversary or threat

Answer 27

Human behind the keyboard. Individual, team or gov.

Adversaries are your threat when they have the opportunity, intent, and capability for doing you harm.

Question 28

Intel requirement

Answer 28

Simply worded and straight forward single question that drives the intel life cycle.

Question 29

Intrusion

Answer 29

Any successful or failed attempt by the adversary to compromise a system.

Question 30

Intrusion set

Answer 30

Linking of multiple intrusions together across 2+ phases of the kill chain.

Question 31

Activity group

Answer 31

Are unique clusters of intrusions mathematically defined by analyst/team’s analytical weighting (confidence scoring)

Question 32

Difference between intrusion set and activity group?

Answer 32

An intrusion set would be a clustering and linking of intrusions on key indicators, whereas an Activity Group is a cluster you’re tracking that’s specific to an analytical requirement or intelligence requirement. A slight nuance but Activity Groups are more formal and meet a more structured purpose.

Question 33

Threat actor

Answer 33

Is the threat that is responsible for intrusions and is uniquely tracked across different intrusions.

Question 34

Campaign or operation

Answer 34

Campaigns are identified as the mission focus of the adversary across multiple intrusions. A single intrusion or even a small amount (three to five) should not be seen as a campaign, as it is too small to derive a pattern and is highly subject to the analyst’s bias on what the adversary might be attempting to do.

Campaigns can be leveraged to help highlight a series of intrusions to a sector or group of victims such as a banking targeted campaign. However, always be aware that our collection gaps and visibility can misguide the campaign’s understanding.

Question 35

TLP

Answer 35

Traffic light protocol

Question 36

Victim

Answer 36

Individual, network or system compromised.

Question 37

Target

Answer 37

Intended victim of an intrusion

Question 38

Persona

Answer 38

fake name or identifier that an adversary takes.

Question 39

TTP

Answer 39

Tactic, Technique and Procedure.

Question 40

What is Tradecraft?

Answer 40

Is the combination of methods, capabilities, and resources (such as infrastructure) that an adversary leverages in the course of their actions.

Question 41

Threats can be evaluated by

Answer 41

Intent + Opportunity + Capability

Question 42

What is TTP?

Answer 42

Tactics: High-level approach to achieving the goal
Techniques: One step down, how the goal will be achieved.
Procedures: Granular view into the steps taken to achieve the goal.

Question 43

What is an Indicator?

Answer 43

Data + Context

Indicator must indicate something. It describes an aspect of an intrusion. An ip address by itself is not an indicator. IP + C2 node = indicator.

Question 44

Key Indicator

Answer 44

• Identify as many as possible
• Ideally, at least two in different adversary steps
• Ideally, across three or more intrusions
• Remain consistent across intrusions
• Uniquely distinguish an activity cluster
• Distringuis intrusions from benign activity
• Align to a phase of adversary activity

Question 45

Sliding Scale of Cyber Security

Answer 45

• Architecture
• Passive Defense
• Active Defense
• Intelligence
• Offense

Question 46

SSCS: Offense

Answer 46

• Very costly and poor return on investment
• Where not illegal, definitely not in the spirit of the law
• Take-down operations could be considered offensive in nature but often are not
  If you suck at running defensive operations, do not assume offense is easier

Question 47

SSCS: Intelligence

Answer 47

• Adversary Emulation
• Hypothesis Generation
• Team Restructuring

Question 48

SSCS: Active Defense

Answer 48

• Threat Hunting
• Incident Response
• Network Security Monitoring
• Malware Analysis

Question 49

SSCS: Passive Defense

Answer 49

• Tuning Defense
• Placement of Technologies
• Visibility and Collection

Question 50

SSCS: Architecture

Answer 50

• Better Defensible Environments
• Addressing Important Vulnerabilities
• Better Development

Question 51

Four types of threat detection

Answer 51

• Modeling (Environmental / Unknowns)
• Configuration Analysis (Environmental / Knowns)
• Threat Behaviors (Threat / Unknowns)
• Indicators (Threat / Knowns)

Question 52

Pyramid of Pain

Answer 52

• TTPs
• Tools
• Network / Host Artifacts
• Domain Names
• IP Addresses
• Hash Values

Question 53

Priority Intelligence Requirements

Answer 53

PIRs are those IRs that are seen as critical to mission success.

Question 54

Three types of intendent audience / requirements

Answer 54

• Strategic
• Operational
• Tactical

Question 55

Carbp

Answer 55

Cyber crime toolkit sold on Russian fraud forums with traditional capabilities such as VNC, RDP, sniffers, and keyloggers.

Question 56

Carbanak

Answer 56

Malware bases on Carberp, used against over 100 banks.

Question 57

What is a CMS?

Answer 57

Collection Management System

View of source of data, what is available in the data, and how that data is processed and exploited.

Question 58

Explain the term System Analysis?

Answer 58

A system analysis is an intentionally developed set of mental models, templates, and prototypes that make up a system we are concerned with.

The four main points are:

• Tasks
• Structure
• Information Technology
• Individuals & Roles

Question 59

What is Threat Modeling?

Answer 59

Brings data assests of the company and potential adversaries in relation.

Question 60

Explain Target-Centric Intelligence Analysis?

Answer 60

• Nonlinear approach to the intel cycle
• Builds a conceptual model of a “target”
• Used as a foundation for further analysis

Question 61

Explain the VERIS Framework?

Answer 61

The Vocabulary for Event Recording and Incident Sharing

• Four A’s (Action, Asset, Actor, Attribute)
• Captures metrics on events and incidents
• Strategic-evel counterpart to indicator sharing

Question 62

What is Synthesis in CTI?

Answer 62

Synthesis involves pulling in data from both the targeted organization as well as outside entities, and reaching out to other digital forensics and incident response fields such as malware analysis and forensics.

Question 63

What is Template Matching?

Answer 63

Template matching theory states that every object or experience is processed by the brain and stored as a template in long-term memory. Long-term memory is searched for a matching template to explain the situation.

Question 64

What is Prototype Matching?

Answer 64

Prototype Matching is similar to template matching; however it does not search for an extact match of a template, but to an “average” of similar templates referred to as a prototype.

Question 65

What is Top-Down Matching?

Answer 65

Top-down pattern matching uses previous knowledge to “fill in the gaps” when we do not have complete information.

Question 66

What does an Adversary need to make themselves dangers?

Answer 66

Opportunity + Intent + Capability

Question 67

What is the difference between victim and target?

Answer 67

There may be multiple victims involved in an adversary’s campaign before they reach their target. A target is the ultimate goal of the adversary.