Book-Notes Section 3 Flashcards
STIX, XML, OASIS, HTML, TAXII, in the context of Threat indicator management exchange:
STIX (Structured Threat Information eXpression) – A standardized format for sharing cyber threat intelligence (CTI). It organizes information about threats, like indicators, attack patterns, and incidents, into a structured format.
TAXII (Trusted Automated eXchange of Indicator Information) – A transport protocol that enables the sharing of STIX data between organizations securely and automatically.
OASIS (Organization for the Advancement of Structured Information Standards) – A global non-profit group that develops and maintains standards like STIX and TAXII to ensure interoperability in cybersecurity.
XML (eXtensible Markup Language) – A format used for structuring and storing data. STIX data is often represented in XML.
HTML (HyperText Markup Language) – A webpage format used to display content on the internet. Unlike XML, which is for structuring data, HTML is for presenting it visually.
How They Work Together:
STIX structures the cyber threat information.
TAXII transports that STIX data between organizations.
OASIS develops and maintains the STIX and TAXII standards.
XML formats the data for sharing.
HTML is unrelated to threat intelligence exchange, but it’s often used to present CTI reports in a readable way.
Scenario:
A cybersecurity team at a financial company detects a new phishing attack that uses a malicious domain to steal login credentials. They want to share this threat information with other financial institutions to prevent further attacks.
How Each Term Fits In:
STIX → The team structures the phishing attack details using the STIX format.
Example STIX data includes:
Indicator: maliciousbanking-login[.]com (a phishing domain)
TTPs (Tactics, Techniques, and Procedures): The phishing page mimics an actual bank login page.
Observed Attack: Emails with fake security alerts urging users to click the link.
XML → The STIX data is formatted in XML so that computers can process it efficiently.
Example:
xml
Copy
Edit
<Indicator>
<Type>Domain Name</Type>
<Value>maliciousbanking-login.com</Value>
<Confidence>High</Confidence>
</Indicator>
TAXII → The team transports the STIX-encoded phishing threat data to a shared threat intelligence platform used by multiple banks.
TAXII ensures that the data is securely shared and updated in real time.
OASIS → The standards used (STIX and TAXII) were developed by OASIS, ensuring that different cybersecurity teams and tools understand and process the data in the same way.
HTML (Optional) → A cybersecurity analyst in another bank views the shared threat report on a web portal that presents the STIX data in an HTML dashboard, making it easy to read.
Final Outcome:
Other financial institutions receive the phishing threat data automatically via TAXII.
Their security systems (firewalls, email filters, threat detection tools) automatically block the malicious domain.
Potential phishing attacks are prevented before they happen.
What is Threat Intelligence?
Threat Intelligence (TI) is data collected, analyzed, and shared to help organizations detect, prevent, and respond to cyber threats. It helps cybersecurity teams understand attackers, their methods, and indicators of compromise (IOCs) to defend against attacks.
Gathering data from firewalls and IDS/IPS, analyzing it, and using it for defense is a key part of building a Threat Intelligence Program. However, a full Threat Intelligence Program is more than just collecting logs—it involves structured processes for collection, analysis, and action.
How Firewalls & IDS/IPS Contribute to Threat Intelligence
Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) are valuable data sources because they:
Detect malicious traffic (IDS)
Block known threats (IPS/Firewalls)
Log attack patterns, suspicious IPs, and anomalies
By analyzing these logs, security teams can: ✅ Identify Indicators of Compromise (IOCs) (e.g., attacker IPs, malicious payloads)
✅ Spot attack trends (e.g., repeated login attempts, SQL injections)
✅ Share findings with a Threat Intelligence Platform (TIP) or SIEM
If your company is generating its own threat feeds, then you’re acting as a Threat Intelligence Provider, rather than just a consumer. Here’s how it works:
Your Role as a Threat Intelligence Provider
1️⃣ Collect Raw Threat Data
Use internal sensors, honeypots, malware sandboxes, logs from firewalls, IDS/IPS, SIEM, and endpoint security tools.
Monitor dark web forums, OSINT sources, and attacker behavior.
2️⃣ Analyze & Enrich Data
Identify patterns, correlations, and trends in cyber threats.
Filter out false positives and duplicate IOCs.
Add context (e.g., “This IP is part of a C2 infrastructure used by XYZ malware”).
3️⃣ Generate Threat Feeds
Structure your intelligence into feeds containing:
✅ Malicious IPs
✅ Phishing URLs
✅ Malware file hashes
✅ C2 domains
Format them in STIX, TAXII, JSON, or CSV for easy integration.
4️⃣ Distribute to Customers
Sell or provide subscription-based threat feeds to organizations.
Integrate with SIEMs, firewalls, IDS/IPS, and SOAR platforms.
Offer an API or TAXII feed for automatic ingestion.
Do You Still Need External Threat Feeds?
Even as a Threat Intelligence Provider, you might still consume external feeds from other vendors to enhance your data.
Example: Your feeds focus on malware, but you may still integrate OSINT or dark web feeds to provide a more complete picture.
what’s C&C in the context of IoCs for ransomware?
C&C (Command and Control) refers to the server that attackers use to control infected devices.
How C&C Works in Ransomware:
Infection: A victim’s device gets infected with ransomware (e.g., through phishing or an exploit).
Contacting C&C: The ransomware connects to a C&C server controlled by the attacker.
Commands Sent: The C&C server may send instructions to:
Encrypt files on the victim’s device.
Generate encryption keys needed for locking the files.
Exfiltrate data before encryption (in double extortion attacks).
Send ransom notes demanding payment.
Communication Continues: The infected system may continue communicating with the C&C server for updates or to receive the decryption key after ransom payment.
Why C&C is an Important IoC?
Security teams monitor for suspicious traffic going to known C&C IPs or domains.
Blocking C&C communication can prevent further damage (e.g., stopping encryption or data exfiltration).
Detecting and analyzing C&C activity helps in identifying ransomware infections early.
what’s false positive?
false positive happens when a security system incorrectly flags something as a threat when it’s actually safe.
Example:
Your antivirus says a safe program is a virus.
A firewall blocks a legitimate website, thinking it’s malicious.
🔹 False positives waste time because security teams have to investigate harmless alerts.
what’s EDR?
EDR (Endpoint Detection and Response) is a security tool that monitors, detects, and responds to threats on computers, servers, or any device (called “endpoints”).
How It Works (In Simple Terms):
Monitors Endpoints – Keeps an eye on all activities happening on computers and devices.
Detects Threats – Identifies suspicious behavior, like malware or hacking attempts.
Responds Automatically – Can block attacks, isolate infected devices, or alert security teams to take action.
Why It’s Important?
🔹 Stops cyber threats before they spread.
🔹 Helps investigate attacks by providing logs and alerts.
🔹 Works in real-time to protect against modern cyber threats.
💡 Think of EDR as a security guard for your devices, watching everything and taking action when needed! 🚨
how does C&C uses encrypted HTTP connections, and why?
How C&C Uses Encrypted HTTP Connections (Simply Explained)
C&C (Command & Control) servers are used by hackers to remotely control infected devices (bots). To avoid detection, they often use encrypted HTTP connections (HTTPS).
Step-by-Step Process:
Malware Infection – A victim unknowingly downloads ransomware or a trojan, which secretly connects to the hacker’s C&C server.
Secure Communication (HTTPS) – Instead of sending plain, readable data, the malware uses encrypted HTTP (HTTPS/TLS) to talk to the C&C server.
Commands & Data Exchange – The hacker sends encrypted commands to the malware, like:
“Steal files”
“Download more malware”
“Encrypt files for ransom”
Hiding from Security Tools – Since HTTPS is commonly used for safe browsing, security tools may struggle to detect malicious traffic.
Why Do Hackers Use HTTPS?
✔ Encryption hides commands from security tools.
✔ Looks like normal web traffic, making detection harder.
✔ Prevents interception, so security teams can’t easily see the attack
what’s IRC via port 6667? and what’s the correlation between it and C&C HTTPS?
IRC (Internet Relay Chat) is an old-school communication protocol used for text-based messaging. Port 6667 is its default port for servers and clients to communicate. Hackers sometimes use IRC to control botnets (infected computers) because it’s lightweight and can handle many connections.
Why Hackers Moved from IRC to HTTPS?
🔹 IRC is outdated and often blocked by security tools.
🔹 HTTPS is encrypted, making it much harder to detect C&C activity.
🔹 Looks like normal web browsing, avoiding security alerts.
💡 Think of IRC C&C like old-school walkie-talkies, while HTTPS C&C is like encrypted phone calls—modern, stealthy, and harder to trace!
what’s DRM?
What is DRM (Digital Rights Management) in Simple Terms?
DRM (Digital Rights Management) is a technology used to control how digital content is used, shared, and copied. It’s like a digital lock that prevents unauthorized access or piracy.
How DRM Works:
🎵 Music & Movies – Streaming platforms (like Netflix, Spotify) use DRM to stop people from downloading or sharing their content illegally.
📚 E-books & Software – Kindle books or paid software often have DRM to ensure only authorized users can open them.
🎮 Video Games – Some games require online verification to prevent piracy.
Why is DRM Used?
✔ Protects copyrights and prevents piracy.
✔ Ensures only paying customers access content.
✔ Limits unauthorized sharing (e.g., one purchase per user).
💡 Think of DRM like a movie ticket—you paid for it, but you can’t copy the movie or share it with others! 🎟️🔒
what’s stalkerware?
Stalkerware is spyware designed to secretly track and monitor someone’s phone, computer, or tablet without their consent. It can:
📍 Track location (GPS).
📞 Record calls & messages (SMS, WhatsApp, etc.).
👀 Monitor apps & browsing history.
🎤 Turn on microphone & camera without the user knowing.
Who Uses It?
🚨 Abusive partners to spy on their victims.
🕵 Hackers & cybercriminals to steal personal info.
🔎 Employers (in some cases) to secretly monitor workers.
What is “Call Home” Functionality in the Context of Bloatware?
“Call home” functionality refers to when a piece of software (often bloatware) sends data back to the software creator or a third party. It typically happens without the user’s full awareness or consent. This is commonly used for tracking, analytics, or marketing purposes.
In the Context of Bloatware:
Bloatware is unnecessary or unwanted software that comes pre-installed on a device, often by the manufacturer or a third party. When bloatware has “call home” functionality, it may:
Send personal data (e.g., browsing history, location, or device information) back to the developer.
Track usage patterns, like how often you open an app or which features you use the most.
Download updates or advertisements without the user’s permission.
Why is “Call Home” a Concern?
Privacy risk: The data sent could include personal or sensitive information.
Slow device performance: Constantly sending data can slow down your device or consume bandwidth.
Annoyance: The user may not want unwanted software running in the background, especially if it’s collecting data without their knowledge.
Example:
Imagine you buy a new laptop, and it comes with a weather app that sends your location to the developer every time you open it. Even if you’re not actively using the app, it keeps “calling home” to report your location.
What is a Macro Virus in Simple Terms?
macro virus is a type of computer virus that hides inside documents, like Word or Excel files, and runs automatically when you open the file.
What is a Fileless Virus?
A fileless virus is a type of malware that does not leave a traceable file on your computer. Instead of attaching itself to a file or program, it runs directly in your computer’s memory or exploits system tools already present.
How it Works:
💻 The virus often uses legitimate software (like PowerShell, WMI, or other tools) to execute malicious actions without saving any files to your hard drive.
🚫 Since it doesn’t write files, traditional antivirus software that scans files won’t easily detect it.
🦠 The virus lives in your computer’s memory, where it can perform malicious tasks like stealing data, spying on you, or spreading to other systems.
What is a Registry Entry in Simple Terms?
The Windows Registry is a database that stores important settings and configurations for your computer.
How It Works:
Registry keys act like folders or directories that store values or settings.
These entries are used by the operating system and applications to understand how they should behave.
For example, there’s a registry entry that tells Windows which programs to run when you start your computer (like your antivirus, email client, etc.).
Why It’s Dangerous for Fileless Viruses:
A fileless virus can add a registry entry that tells the system to run malicious code when the computer starts up (during reboot).
Even if the virus leaves no files behind, this registry entry can reinfect the system each time it reboots, making it hard to remove.
In Simple Terms:
Think of the Registry like a digital notebook where your computer writes down important instructions. If a virus puts an instruction in that notebook to start itself again after rebooting, it can reinfect your computer every time you restart it.
What is Reputation-Based Protection System?
A reputation-based protection system is a security measure that checks the trustworthiness of files, websites, or applications before allowing them to interact with your system. It uses data from trusted sources to evaluate whether something is safe or potentially harmful.
Good reputation: Trusted files or websites that have been verified by security experts.
Bad reputation: Files or websites that are new, suspicious, or linked to malware.
If something is flagged as having a bad reputation, the system may block it from running to protect you.
How It Works:
A file or website is checked against a reputation database.
If it has a good reputation, it’s trusted and allowed.
If it has a bad reputation, it’s blocked or flagged as potentially harmful.
Differences between reinstalling and reimaging OS?
Key Differences:
Reinstallation gives you a fresh OS but may require extra steps for configuration and installing software.
Reimaging restores the system to a specific state (OS, settings, and software) from an image, usually much faster than reinstalling.
In a complex security environment where underlying systems cannot be trusted, using a bootable USB drive can help mitigate risks by providing a clean, isolated environment that isn’t vulnerable to the potentially compromised system.
