Alllllll Flashcards
Windows Registry
Information about files and services, locations of deleted files, evidence of applications being run
Autorun Keys
Programs set to run at startup (often associated with malware or compromise)
Master File Table (MFT)
Details of inactive/removed records
Event Logs
Logins, service start/stop, evidence of applications being run
INDX files and change logs
Evidence of deleted files, MAC timestamps
Volume Shadow Copies
Point-in-time information from prior actions
Recycle bin contents
Files that were intended to be deleted but forgotten
Hibernation files and memory dumps
Memory artifacts of commands run
Temporary Directories
Artifacts of software installation, user temporary file storage, or other limited lifespan data
Removable Drives
System logs may indicate drives were plugged in; data may be relevant to investigations
POP3 Port
Port 110
NTP Port
Port 123
SQL Server (2 Ports)
Port 1433 & 1443
Oracle Port
Port 1521
RADIUS (2 Ports)
Port 1812 & 1813
MySQL Port
Port 3306
STIX Protocol
XML language. The current version includes objects such as attack patterns, identities, malware, threat actors and tools. Conveys data so that both humans and security technologies can understand it
OpenIOC Protocol
Includes metadata like the author, the name of the IOC, and a description; references to the investigation or case and information about the maturity of the IOC
TAXII Protocol
Is intended to allow cyberthreat information to be communicated at the application layer via HTTPS, specifically designed to support STIX data exchange
3 Criteria for Intelligence
Timeliness, Relevancy and Accuracy
Requirements Gathering
Assess what security breaches or compromises you have faced, assess what information could have prevented or limited the impact of the breach, and assess what controls and security measures were not in place that would have mitigated the breach
Data Collection
Collect data from threat intelligence sources to meet those requirements. This phase may repeat as additional requirements are added or as requirements are refined based on the available data and data sources
Threat Data Analysis
Allow the data to be consumed by the tools or processes that are used, and then analyze the data itself. Output from this stage could be data fed into automated systems or other tools, or written reports distributed to leadership or others across your organization
Intelligence Dissemination
Data is distributed to leadership and operational personnel who will use the data as part of their security operations role
Feedback
Gathering feedback about the reports and data you have produced. Continuous improvement is a critical element of the process and should be used to improve the overall output of the threat intelligence program
Reconnaissance (Cyber Kill Chain)
Identifies the target
Weaponization (CKC)
Building or acquiring a weaponizer that combines malware and an exploit into a payload that can be delivered to the target
Delivery (CKC)
When the adversary either deploys their tool directly against targets or via a release that relies on staff at the target interacting with it, such as an email payload, a USB stick, or websites that they visit
Exploitation (CKC)
Uses a software, hardware, or human vulnerability to gain access.
Installation (CKC)
Focuses on persistent backdoor access for attackers
C2 (CKC)
Access allows two-way communication and continued control of the remote system
Action on Objectives (CKC)
When the mission's goal is complete. Adversaries will collect credentials, escalate privileges, pivot and move laterally through the environment, and gather and exfiltrate information
Common Configuration Enumeration (CCE)
Provides a standard nomenclature for discussing system configuration issues
Common Platform Enumeration (CPE)
Provides a standard nomenclature for describing product names and versions
Common Vulnerabilities and Exposures (CVE)
Provides a standard nomenclature for describing security-related software flaws
Common Vulnerability Scoring System (CVSS)
Provides a standardized approach for measuring and describing the severity of security-related software flaws
Extensible Configuration Checklist Description Format (XCCDF)
A language for specifying checklists and reporting checklist results
Open Vulnerability and Assessment Language (OVAL)
A language for specifying low-level testing procedures used by checklists
Race Condition
A defect in code that creates an unstable quality in the operation of a program, arising from timing variances produced by programming logic. Time of Check (TOC)/Time of Use (TOU) attacks exploit this vulnerability
Dereferencing
Common flaw that occurs when software attempts to access a value stored in memory that does not exist. This type of error almost always leads to a crash unless it is caught by an error handler
Data Retention
Deliberate preservation and protection of digital data in order to satisfy business or legal requirements
Data Minimization
Principle that you can acquire and retain only the minimum amount of data required to satisfy the specific purpose for which the owner has authorized use of that data
Output Encoding
Translates special characters into an equivalent but safe version before a target application or interpreter reads them. Helps to prevent XSS attacks by preventing the insertion of special characters that would cause the target application to perform an action
Data Classification
Describes the classification structure used by the organization and the process used to properly assign classifications to data