578.2

Question 1

Kill Chain phases

Answer 1

1: Reconnaissance and Precursors
2: Weaponization
3: Delivery
4: Exploitation
5: Installation
6: Command and Control (C2)
7: Actions on Objectives

Question 2

What is the Kill Chain

Answer 2

• Deterministic process
• Describes stages of a single intrusion
• “Compromise” is successful completion
• Seven stages to defend

Question 3

KC - 1: Recon / Precursors

Answer 3

• Tasking
• Acquisition of tools
• Acquisition of infrastructure
• Identification of targets
• Organizational research

Question 4

KC - 2: Weaponization

Answer 4

• Configuring (Backdoors, Droppers)

- Packaging (Container, Exploit, First-stage binary)

Question 5

KC - 3: Delivery

Answer 5

• Mechanism in which payload gets to target
• Protocol-based (smtp, http)
• media-based (usb, cd / dvd)

Question 6

KC - 4: Exploitation

Answer 6

Disposition / Execution of exploit

Question 7

KC - 5: Installation

Answer 7

• Associated with persistence and invocation

- Droppers

Question 8

KC - 6: Command and Control (C2)

Answer 8

Associated with establishing communications

Question 9

KC - 7: Actions on Objectives

Answer 9

• Commands executed
• Additional tools transferred to the victim to facilitate on-system or on-network objectives
• Files exfiltrated
• Files modified

Question 10

Four vertices of the Diamond Model

Answer 10

Adversary
Capability / TTP
Victim
Infrastructure

Question 11

DM - Adversary

Answer 11

Any data related to perpetrators such as:

• Online presence
• Accounts
• Intent
• Human Choices

Individual or group behind an event. Two types:

• Adversary Operator (executing the action)
• Adversary Customer (benefits from the action)

Question 12

DM - Capability / TTP

Answer 12

Tools employed, techniques demonstrated:

• Exploits
• Backdoors
• Methods for staging data
• Situational awareness

Question 13

DM - Infrastructure

Answer 13

Any vehicle for delivering capabilities

Question 14

DM - Victim

Answer 14

The vicitm is the recipient of the capabilities, deployed across infrastructure by the adversary. It can be:

• Networks
• Systems
• People
• Organizations

Question 15

CoA

Answer 15

Course of Action. It helps answer:

• What is “action” in actionable indicators
• What options are available?
• How resilient am I?
• What capabilities do I lack?
• Where do I focus investment? Research?

The CoA is the complement (of the KC) of actions for network defenders.

Question 16

The 7 D’s of Action Matrix

Answer 16

Discover
Detect
Deny
Disrupt
Degrade
Deceive
Destroy

Question 17

CoA: Discover

Answer 17

Log searching
Post-hoc signature use
Heuristic searching

Question 18

CoA: Detect

Answer 18

Identification of known-bad activity
Future complement of discover
Triggers race condition to end of the kill chain
Robust instrumentation is key enabler
Pairs with other CoAs

Detection refers to identifying intrusion activity that may occur in the future and is one of the most basic actions one can take.

Question 19

CoA: Deny

Answer 19

Prevent occurrence outright

Question 20

CoA: Disrupt

Answer 20

Interfere so as to cause failure

Question 21

CoA: Degrade

Answer 21

Interfere to reduce efficacy. Slows down potentially malicious actions.

Question 22

CoA: Deceive

Answer 22

Provide misinformation to adversary or code.

Question 23

CoA: Destroy

Answer 23

Offensive action that reduces capacity to operate. Not legal for most entities. Examples:

• Hacking back
• Denial of service
• Arrest
• Physically destructive actions

Question 24

MITRE ATT&CK

Answer 24

Documentation of tactics and techniques (for intrusions)

Tactics
Techniques
Sub-techniques
Procedures

Question 25

Two options of KC phase 7 (Action on Objectives) analysis

Answer 25

Network pivoting
- C2 Victim Infrastructure
- C2 Decoding
Host pivoting
- Memory
- Disk

Question 26

Stage 5 Indicator (KC - Install) Pivoting Recommendations

Answer 26

Various local system logs
Centralized system and A/V logs
Temporal Triangulation
Temporal Clustering

Question 27

What is Network Flow Data?

Answer 27

Network flow data typically collected two ways:

• Networking gear to logging server (direct)
• Taps/mirrors + server running argus (indirect)

Applies to “Discover” course of action.

Question 28

What is Squid?

Answer 28

• Open-source proxy server
• Logs in plaintext, one line per HTTP request
• May be explicit or transparent

Question 29

What is FPC?

Answer 29

Full Packet Capture a.k.a. pcap

• Applies to Discover CoA
• Retention usually far less than logs

Question 30

What can we find in a disk image?

Answer 30

• User activity timelines

- File activity timelines

Question 31

What can we find in a memory image?

Answer 31

• Immediate state data
• Deobfuscated file data
• Running processes
• Open network connections

Question 32

Stage 4 Installation Pivoting Recommendations

Answer 32

• Focused keyword searches
• iframes
• Flash
• Timeline analysis / index.dat