Chapter 2 Flashcards

1
Q

Closed-Source Intelligence

A

Commercial security vendors, government organizations, and other security-centric organizations own information gathering and research, and they may use custom tools, analysis models, or other proprietary methods to gather, curate, and maintain their threat feeds.

2
Q

Timeliness - Threat Intelligence

A

A feed that is operating on delay can cause you to miss a threat or to react after the threat is no longer relevant.

3
Q

Accuracy - Threat intelligence

A

Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct?

4
Q

Relevancy - Threat Intelligence

A

If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.

5
Q

Structured Threat Information Expression (STIX)

A

Is an XML language originally sponsored by the U.S. Department of Homeland Security. STIX 2.0 (its current version as of this writing) defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools. These objects are then related to each other by one of two STIX relationship object models: either as a relationship or as a sighting. A STIX 2.0 JSON description of a threat actor might read

6
Q

OpenIOC

A

The OpenIOC schema was developed by Mandiant, and it uses Mandiant’s indicators for its base framework. A typical IOC includes metadata like the author, the name of the IOC, and a description; references to the investigation or case and information about the maturity of the IOC; and the definition for the indicator of compromise, which may include details of the actual compromise.

7
Q

Intelligence Cycle

A

Requirements gathering, threat data collection, threat data analysis, threat data dissemination, and gathering feedback.

8
Q

Requirements Gathering

A

Assess what security breaches or compromises you have faced. Assess what information could have prevented or limited the impact of the breach. Assess what controls and security measures were not in place that would have mitigated the breach.

9
Q

Data Collection

A

Once you have your information requirements, you can collect data from threat intelligence sources to meet those requirements. This phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources.

10
Q

Data Processing & Analysis

A

The threat intelligence data that you gathered in the data collection stage will likely be in several different formats. Some may be in easy-to-access formats that your existing tools and systems can consume. Other data may be in plain-text or written form, or it may be almost entirely unformatted. In this stage you must first process the data to allow it to be consumed by whatever tools or processes you intend to use, and then you must analyze the data itself. The output from this stage could be data fed into automated systems or other tools, or written reports to distribute to leadership or others across your organization.

11
Q

Intelligence Dissemination

A

In the dissemination phase of the intelligence cycle, data is distributed to leadership and operational personnel who will use the data as part of their security operations role.

12
Q

Feedback

A

The final stage in the threat intelligence cycle is gathering feedback about the reports and data you have gathered. Continuous improvement is a critical element in the process, and it should be used to create better requirements and to improve the overall output of your threat intelligence program.

13
Q

Nation State

A

Actors that often have the most access to resources, including tools, talent, equipment, and time. Nation-state threat actors have the resources of a country behind them, and their goals are typically those of the country they are sponsored by. Nation-state actors are often associated with advanced persistent threat (APT) organizations, and they have advanced tools and capabilities not commonly seen in the hands of other threat actors.

14
Q

Hacktivists

A

Are activists who use hacking as a means to a political or philosophical end. Hacktivists range from individual actors to large groups like Anonymous, and their technical capabilities and resources can vary greatly. When you are assessing threats from hacktivists, you need to carefully consider what types of hacktivists are most likely to target your organization and why.

15
Q

Insider Threats

A

Are threats from employees or other trusted individuals or groups inside an organization. They may be intentional or unintentional, but in either case, they can pose a significant threat due to the trusted position they have. Insider threats are frequently considered to be one of the most likely causes of breaches and are often difficult to detect.

16
Q

Adversary Capability

A

Assessing the resources, intent, and ability of the likely threat actor or organization.

17
Q

Attack Surface

A

Any system, device, network, application, staff member, or other target that a threat may target.

18
Q

Attack Vectors

A

The means by which attackers can gain access to their targets.

19
Q

Threat Reputation

A

It is most often paired with IP addresses or domains, but file reputation services and data feeds also exist, as well as other reputation-based tools.

20
Q

Reputation Damage

A

You’re more likely to run into the term in use when describing the impact or damage that a threat can cause.

21
Q

IOCs

A

Indicators of compromise are forensic evidence or data that can help to identify an attack. Unlike the other assessment methods, indicators of compromise are used exclusively after an attack has started. Knowing which IOCs are associated with a given threat actor, or common exploit path, can help defenders take appropriate steps to prevent further compromise and possibly to identify the threat actor. It can also help defenders limit the damage or stop the attack from progressing.

22
Q

Diamond Model of Intrusion Analysis

A

Describes a sequence where an adversary deploys a capability targeted at an infrastructure against a victim. In this model, activities are called events, and analysts label the vertices as events that are detected or discovered. The model is intended to help analysts discover more information by highlighting the relationship between elements by following the edges between the events.

23
Q

Cyber Kill Chain

A

Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> C2 -> Actions on Objective

24
Q

Reconnaissance

A

Which identifies targets. In this phase, adversaries are planning their attacks and will gather intelligence about the target, including both open source intelligence and direct acquisition of target data via scanning. Defenders must gather data about reconnaissance activities and prioritize defenses based on that information.

25
Q

Weaponization

A

Involves building or otherwise acquiring a weaponizer that combines malware and an exploit into a payload that can be delivered to the target. This may require creating decoy documents, choosing the right command-and-control tool, and other details. The model emphasizes the fact that defenders need to conduct full malware analysis in this stage to understand not only what payload is dropped but how the weaponized exploit was made.

26
Q

Delivery

A

Occurs when the adversary either deploys their tool directly against targets or via a release that relies on staff at the target interacting with it, such as an email payload, a USB stick, or a website that they visit. Defenders in this stage must observe how the attack was delivered and what was targeted, and then infer what the adversary was intending to accomplish. Retention of logs is also important in this stage, as defenders need them to track what occurred.

27
Q

Exploitation

A

Uses a software, hardware, or human vulnerability to gain access. This can involve zero-day exploits and may use either adversary-triggered exploits or victim-triggered exploits. Defense against this stage focuses on user awareness, secure coding, vulnerability scanning, penetration testing, endpoint hardening, and similar activities to ensure that organizations have a strong security posture and very limited attack surface.

28
Q

Installation

A

Focuses on persistent backdoor access for attackers. Defenders must monitor for typical artifacts of a persistent remote shell or other remote access methodologies.

29
Q

C2

A

Access allows two-way communication and continued control of the remote system. Defenders will seek to detect the C2 infrastructure by hardening the network, deploying detection capabilities, and conducting ongoing research to ensure they are aware of new C2 models and technology.

30
Q

Action and Objectives

A

The final stage occurs when the mission’s goal is achieved. Adversaries will collect credentials, escalate privileges, pivot and move laterally through the environment, and gather and exfiltrate information. They may also cause damage to systems or data. Defenders must establish their incident response playbook, detect the actions of the attackers and capture data about them, respond to alerts, and assess the damage the attackers have caused.