578.5

Question 1

Axiom / PlugX interesting attributes

Answer 1

Originally a Chinese-based piece of malware that then propagated to other threat groups.

• More complex malware against harder targets
• Victim-specific C2 servers from compromised domains
• Wide variety of malware / tools
• Unique C2 naming convention
• Different teams and “hands off”
• Many of the victims could be mapped back to China’s 12th Five Year Plan

Question 2

Know the audience

Answer 2

Different audiences have different intel needs

Different audiences require data in different formats.

Question 3

YARA

Answer 3

pattern-matching tool used to create signatures.

Question 4

Types of strings in YARA

Answer 4

Text => double quotes
Hex => curly brackets
Reg Ex

Question 5

Validating Signatures and IOCs

Answer 5

1. IOCs require tailoring to avoid false psitives
2. Sec teams also must collect the right type of data to use IOCs against
3. Properly validated IOCs contribute to fast and effective response.

Question 6

Hacking Team

Answer 6

Italian security firm HackingTeam specialized in providing surveillance and exploitation services for governments and law enforcement.

1. Zero Day in embedded system
2. Unsecured Backups
3. Admin Passwords
4. GitHub Password
5. Source Code

Question 7

Operational Threat Intelligence

Answer 7

Is the focus for operational level audience members. Members that serve as the bridge between the strategic and tactical personnel. It should help identify knowledge gaps and foster partner sharing to minimize these gaps.

Question 8

Partners and Collaboration

Answer 8

The best producers of threat intelligence have great access to collecting data from outside their own networks and sources.

Key sources to consider:

• Government-private sharing
• Groups and email distributions

Question 9

Carnegie Mellon CERT

Answer 9

List of National CERTs

Question 10

STIX / TAXII, CybOX

Answer 10

Structured Threat Information eXpression. Describes threat information.

Trusted Automated eXchange of Indicator Information. Transport mechanism for STIX.

Cyber Observable eXpression. Descrives observables (IOCs).

Question 11

What are the three TAXII Implementations

Answer 11

• Source / Subscriber (Only Pull)
• Peer to Peer
• Hub and Spoke (Pull & Push)

Question 12

STIX Relationship Objects

Answer 12

Relationship and Sighting

Question 13

OASIS

Answer 13

OASIS is a technical committee taking input and governing STIX 2.1

Question 14

Steps of Sharing: Best practices

Answer 14

• Ensure authentication and logging
• Include references and appendixes
• Strip out all unneeded data
• Use standards that make sense for your organization
• Interfaces to share in common standards

Question 15

Metric types

Answer 15

• Organizational (Operational efficiency, Workload)

- Risk (Threat)

Question 16

Organizational Heat Maps

Answer 16

Use tools such as the MITRE ATT&CK Navigator to articulate where you have mitigations and detections.

Question 17

Mitigation Scorecard

Answer 17

The mitigation scorecard is one way to measure the utility of passive and mitigating courses of action.

Question 18

Analytical Completeness

Answer 18

The analytical completeness metric illustrates, over the four intrusion attempts against an organization from the previous week, the completeness of intelligence collection at each phase of the Kill Chain and Diamond Model.

Question 19

Strategic Threat Intelligence

Answer 19

Strategic threat intelligence is generally presented to executives with a focus on policy outcomes. Threat intelligence presented at this level should be the most polished and complete intelligence product possible.

Question 20

Making the Business Case for Security

Answer 20

Identify the technical needs and match them to the organization’s mission + Translate everything into your audience’s language = Understood, appreciated, and supported security efforts

Question 21

Expectations - Board of Directors

Answer 21

Understand the impact of threats to the organization.

Question 22

Expectations - C-Suite Personnel

Answer 22

Understand and validate resource investments for better security.

Question 23

Expectations - Cyber Threat Intel Analysts

Answer 23

The board of directors should be able to name the last APT campaign encountered.

Question 24

Reports

Answer 24

Should combine various sources of threat intelligence to present an overall and easily consumable narrative.

Question 25

Estimative Language

Answer 25

• Words that communicate (un)certainty
• Using estimative language
• Measured versus assessed uncertainty
• Avoid convoluting measured and subjective uncertainty

Question 26

Diamond model and analytic findings

Answer 26

Adversary - ASSESSMENT
Infrastructure - FACT
Capability - FACT
Victim - FACT

Question 27

Confidence Assessments

Answer 27

High confidence
Moderate confidence
Low confidence

Question 28

Four parts of an Assessment

Answer 28

Confidence + Analysis + Evidence + Sources

Question 29

Cloud Hopper

Answer 29

The focus of Operation Cloud Hopper was IT managed service providers (MSP). Targeting MSPs to get access to their clients.

Question 30

Observation types for CTI analysts

Answer 30

Communicating Broadly
Human Fingerprints
Timelines
Closing Thoughts

Question 31

Four types of attribution

Answer 31

• Actors
• Criminal
• Activity Groups
• States (direct / indirect)

Question 32

Four approaches to “true” attribution

Answer 32

• Adversary Admission
• Leaks
• Direct Access
• Intrusion Analysis

Question 33

Deriving Intent

Answer 33

Impact != Intent

Intent and impact are not always the same thing.

Question 34

The Basics of State Attribution

Answer 34

Understand the state deeply (History, Culture, Language, etc.)

Question 35

Categorize by threat definition

Answer 35

• Intent
• Opportunity
• Capability

Question 36

Categorize evidence using threat definition

Answer 36

• Identify evidence
• Categorize by threat definition
• Fill in categories where evidence is missing
• Cautiously leverage others’ assessments
• If missing category of evidence, assessment will be low confidence AT BEST

Question 37

Be Prepared for Information to Change

Answer 37

Understand and document the key evidence that went into the intelligence requirements you satisfied. Over time sometimes key evidence or our understanding of it changes.

Question 38

False Flag

Answer 38

False flags are a very specific type of operation where the purpose of the operation is redirecting the blame of the attack onto a third party.

Obfuscation, distractions, anti-forensic techniques, etc. are not false flags.

Question 39

What is Hitkit?

Answer 39

Piece of malware.

• Rootkit functionality
• Client tools for RAT functionality
• Kernel driver to monitor traffic

Seen as having state-related use cases.

Question 40

What is meant with “true attribution”?

Answer 40

Actually identifying the person or team behind the intrusion.

Question 41

What are technical opportunities?

Answer 41

• Email systems
• Zero-day with no patch
• Private registrars
• Access to protected network

Question 42

What are political opportunities?

Answer 42

• Legal authority
• Willful LE inaction
• Failed states

Question 43

What are logistical opportunities?

Answer 43

• Delayed CIRT action

- Organizations merger