Chapter 2 Flashcards

1
Q

Characteristics of cyber security threat actor types

A
  • Internal / External
  • Level of sophistication / Capability
  • Resources / Funding
  • Intent / Motivation
2
Q

The motivations of attackers

A
  • Black-hat
  • White-hat
  • Gray-hat
3
Q

Different types of threat actors

A

Script kiddies - hack for reputation, proving their skill

  • Many of them
  • Unfocused
  • Lack of skill
  • Lack of resources (both time and money) - many work alone
  • External

Hacktivists

  • The measures that deter others might not deter them
  • Hack for a higher purpose
  • The skills vary
  • The resources vary - many work alone
  • External, sometimes internal

Criminal syndicates

  • Financial gain - solely!
  • Tend to stay in shadows
  • The skills are moderate to highly skilled
  • Tend to have more resources

Advanced persistent threats

  • Espionage, intellectual property, economic assets
  • High skill - advanced techniques, not just tools, attacks are persistent, zero-days
  • Significant resources

Insiders

  • Employees who wage an attack against their own organization, including leaks
  • Activist goals, financial gain
  • Any skill level
  • Usually work alone
  • Varying resources

Competitors

  • Corporate espionage
  • Will often use a disgruntled employee
4
Q

Zero-day attacks

A

Zero-days are security issues for which zero days have passed since the threat became known. APTs often conduct their own research to discover zero-days.

5
Q

Shadow IT

A

The situation in which people find and adopt tools that the organization has not approved, for the purpose of being more productive. This means the business needs are not being met by the enterprise IT team.

6
Q

Threat vectors

A

Email and social media

  • Most commonly exploited
  • Easy to exploit
  • Phishing, spam
  • Can be executed against many targets at once

Direct access

  • Go to publicly accessible places (lobby, restrooms) and execute the attack
  • Find unsecured network device, terminal, or server

Wireless networks

  • Can be accessed from the parking lot

Removable media

  • Drop cheap devices and wait for them to be plugged in

Cloud

  • Attackers scan for publicly accessible cloud resources

Third-party risks

  • Supply chain

7
Q

About Threat data and intelligence

A
  • Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment
  • Open source threat intelligence is threat intelligence that is acquired from publicly available sources
  • Proprietary and Closed-Source Intelligence
  • Threat maps provide a geographic view of threat intelligence - not reliable
8
Q

Assessing Threat Intelligence

A
  • Is it timely? A feed that is operating on delay can cause you to miss a threat, or to react after the threat is no longer relevant.
  • Is the information accurate? Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct?
  • Is the information relevant? If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.
9
Q

STIX

A
  • Structured Threat Information eXpression (STIX) is an XML language
  • STIX 2.0 defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools
10
Q

TAXII

A
  • Trusted Automated eXchange of Indicator Information (TAXII)
  • Intended to allow cyber threat information to be communicated at the application layer via HTTPS
11
Q

TTPs

A
  • Adversary tactics, techniques, and procedures (TTPs)
12
Q

OpenIOC

A
  • Open Indicators of Compromise (OpenIOC) format
  • Similar to STIX