578.2 Flashcards

1
Q

Kill Chain phases

A

1: Reconnaissance and Precursors
2: Weaponization
3: Delivery
4: Exploitation
5: Installation
6: Command and Control (C2)
7: Actions on Objectives

2
Q

What is the Kill Chain

A
  • Deterministic process
  • Describes stages of a single intrusion
  • “Compromise” is successful completion
  • Seven stages to defend
3
Q

KC - 1: Recon / Precursors

A
  • Tasking
  • Acquisition of tools
  • Acquisition of infrastructure
  • Identification of targets
  • Organizational research
4
Q

KC - 2: Weaponization

A
  • Configuring (Backdoors, Droppers)
  • Packaging (Container, Exploit, First-stage binary)

5
Q

KC - 3: Delivery

A
  • Mechanism in which payload gets to target
  • Protocol-based (SMTP, HTTP)
  • Media-based (USB, CD/DVD)
6
Q

KC - 4: Exploitation

A

Disposition / Execution of exploit

7
Q

KC - 5: Installation

A
  • Associated with persistence and invocation
  • Droppers

8
Q

KC - 6: Command and Control (C2)

A

Associated with establishing communications

9
Q

KC - 7: Actions on Objectives

A
  • Commands executed
  • Additional tools transferred to the victim to facilitate on-system or on-network objectives
  • Files exfiltrated
  • Files modified
10
Q

Four vertices of the Diamond Model

A

Adversary
Capability / TTP
Victim
Infrastructure

11
Q

DM - Adversary

A

Any data related to perpetrators such as:

  • Online presence
  • Accounts
  • Intent
  • Human Choices

Individual or group behind an event. Two types:

  • Adversary Operator (executing the action)
  • Adversary Customer (benefits from the action)
12
Q

DM - Capability / TTP

A

Tools employed, techniques demonstrated:

  • Exploits
  • Backdoors
  • Methods for staging data
  • Situational awareness
13
Q

DM - Infrastructure

A

Any vehicle for delivering capabilities

14
Q

DM - Victim

A

The victim is the recipient of the capabilities, deployed across infrastructure by the adversary. It can be:

  • Networks
  • Systems
  • People
  • Organizations
15
Q

CoA

A

Course of Action. It helps answer:

  • What is “action” in actionable indicators
  • What options are available?
  • How resilient am I?
  • What capabilities do I lack?
  • Where do I focus investment? Research?

The CoA is the network defenders' counterpart to the Kill Chain: the set of defensive actions available at each phase.

16
Q

The 7 D’s of Action Matrix

A
Discover
Detect
Deny
Disrupt
Degrade
Deceive
Destroy
17
Q

CoA: Discover

A

Log searching
Post-hoc signature use
Heuristic searching

18
Q

CoA: Detect

A
Identification of known-bad activity
Future complement of discover
Triggers a race condition with the adversary toward the end of the kill chain
Robust instrumentation is key enabler
Pairs with other CoAs

Detection refers to identifying intrusion activity that may occur in the future and is one of the most basic actions one can take.

19
Q

CoA: Deny

A

Prevent occurrence outright

20
Q

CoA: Disrupt

A

Interfere so as to cause failure

21
Q

CoA: Degrade

A

Interfere to reduce efficacy. Slows down potentially malicious actions.

22
Q

CoA: Deceive

A

Provide misinformation to the adversary or their code.

23
Q

CoA: Destroy

A

Offensive action that reduces capacity to operate. Not legal for most entities. Examples:

  • Hacking back
  • Denial of service
  • Arrest
  • Physically destructive actions
24
Q

MITRE ATT&CK

A

Documentation of tactics and techniques (for intrusions)

Tactics
Techniques
Sub-techniques
Procedures

25
Q

Two options of KC phase 7 (Action on Objectives) analysis

A
Network pivoting
- C2 Victim Infrastructure
- C2 Decoding
Host pivoting
- Memory
- Disk
26
Q

Stage 5 Indicator (KC - Install) Pivoting Recommendations

A

Various local system logs
Centralized system and A/V logs
Temporal Triangulation
Temporal Clustering

27
Q

What is Network Flow Data?

A

Network flow data is typically collected in two ways:

  • Networking gear to logging server (direct)
  • Taps/mirrors + server running Argus (indirect)

Applies to “Discover” course of action.

28
Q

What is Squid?

A
  • Open-source proxy server
  • Logs in plaintext, one line per HTTP request
  • May be explicit or transparent
29
Q

What is FPC?

A

Full Packet Capture a.k.a. pcap

  • Applies to Discover CoA
  • Retention usually far less than logs
30
Q

What can we find in a disk image?

A
  • User activity timelines
  • File activity timelines

31
Q

What can we find in a memory image?

A
  • Immediate state data
  • Deobfuscated file data
  • Running processes
  • Open network connections
32
Q

Stage 4 Installation Pivoting Recommendations

A
  • Focused keyword searches
  • iframes
  • Flash
  • Timeline analysis / index.dat