578.3

Question 1

HEXANE

Answer 1

Identified mid-2018 with activity ongoing. Targeting oil and gas in the Middle East. Has links to other groups but is a unique cluster of tradecraft and victimology.

Question 2

Malware human fingerprints are?

Answer 2

Maps to the Capability / TTP vertices of the Diamond Model. Depending on your requirement, can support all four points of the Diamond Model. Human fingerprints include:

• Header metadata
• Code reuse
• Configuration data

Question 3

Malware configuration data - common types are:

Answer 3

PE version info
Mutexes
Text Formatting
Method of persistence
Communication details

Question 4

Where do you get malware?

Answer 4

• First party data
• Partners
• Sharing Groups
• Commercial datasets

Question 5

Common Malware analysis tools

Answer 5

VirusTotal
VT Enterprise
DC3 Malware Configuration Parser
malwareconfig.com

Question 6

What’s the five major points of data pivoting?

Answer 6

• Critical CTI analyst skills
• Might seem like common sense, but often overlooked
• Quickly builds knowledge between automic indicators
• Historically manual, time-intensive
• New tools help to automate

Question 7

What are the four steps of data pivoting?

Answer 7

Start -> Pivot -> Validate -> Identify

Question 8

Basic (most pivotable) indicator types

Answer 8

• IP addresses
• Domains
• Accounts
• Unique Strings

Question 9

C2 Domain registration

Answer 9

• Domains can be moved from IP to IP to allow for dynamic adversary infrastructure
• Typo-squatted domains can fool targeted users
• Three classes of C2 domains:
  ° Adversary registered
  ° Dynamic DNS domains (free or paid)
  ° Legitimate but compromised

Question 10

DDNS

Answer 10

Dynamic DNS Domains

Originally developed for use with dynamic addressing ISPs such as DSL. Have short Time to Live (TTL) to expedite propagation.

Question 11

ASN

Answer 11

Autonomous System Number. Determines organizational ownership of IP addresses.

Lookup tool: asn.cymru.com

Question 12

Passive DNS

Answer 12

Collection of DNS domain query responses collected passively.

Question 13

PDNS Providers

Answer 13

LookingGlass LGScout
Mnemonic
Farsight
RiskIQ / PassiveTotal
Internet Identity
OpenDNS
DomainTools

Question 14

Iris

Answer 14

Iris is a powerful engine looking for collocations between domains, IPs, registrars, ASNs, emails ,etc.

Question 15

GlassRAT

Answer 15

Uncovered in November 2015 by RSA. Previously undetected Trojan targeting Chinese nationals. In operation for at least 3 years.

Question 16

TIQ

Answer 16

Threat Intelligence Quotient.

The TIQ Test can be used to get an idea of the value of existing threat feeds you are using by evaluating the following:

• Novelty Test
• Overlap Test
• Population Test (by country / ASN)

Question 17

CIV

Answer 17

Collective Intelligence Framework is a management system for threat data by CSIRTGadgets.org. Integrates with tools such as: Splunk, ELK, Logstash, ArcSight.

Question 18

Additional OSINT Open-Source Tools

Answer 18

DataSploit
Discover
InfoGo
AlienVault OTX (Threat information feed)
Shodan
GCHQ's Cyber Chef
Recorded Future

Question 19

TLS Certificate

Answer 19

A digital certificate used in secure host-to-host network communications. Previously referred to as a SSL certificate. Not to be confused with a code signing certificate used to sign applications.

Question 20

TLS Certificate Scan Providers

Answer 20

Censys.io
Shodan.io
Circl.lu
RiskIQ

Question 21

TLS Cert Search Tips

Answer 21

• Start with pivoting between TLS certs and IP adr
• Then search Subject, Issuer, Not Before, and Not After fields
• Distinguish between self-signed, free, and paid certificates

Question 22

Maltego

Answer 22

Maltego is a link analysis tool that allows analysts to establish and define relationship between different nodes. It has two major concepts:

• Entities
• Links

Question 23

Malware maps to which pilar of the diamond model?

Answer 23

Capability

Question 24

What is “DC3 Malware Configuration Parser” used for?

Answer 24

This framework can be used to develop decoding modules for malware families that your adversaries use to target your users.

Question 25

What are the three classes of C2 domains?

Answer 25

• Adversary registered
• Dynamic DNS domains (free or paid)
• Legitimate but compromised