Chapter 2

Question 1

Closed-Source Intelligence

Answer 1

Commercial security vendors, government organizations, and other security-centric organizations own information gathering and research, and they may use custom tools, analysis models, or other proprietary methods to gather, curate, and maintain their threat feeds.

Question 2

Timeliness - Threat Intelligence

Answer 2

A feed that is operating on delay can cause you to miss a threat or to react after the threat is no longer relevant.

Question 3

Accuracy - Threat intelligence

Answer 3

Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct?

Question 4

Relevancy - Threat Intelligence

Answer 4

If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.

Question 5

Structured Threat Information Expression (STIX)

Answer 5

Is an XML language originally sponsored by the U.S. Department of Homeland Security. STIX 2.0 (its current version as of this writing) defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools. These objects are then related to each other by one of two STIX relationship object models: either as a relationship or as a sighting. A STIX 2.0 JSON description of a threat actor might read

Question 6

OpenIOC

Answer 6

The OpenIOC schema was developed by Mandiant, and it uses Mandiant’s indicators for its base framework. A typical IOC includes metadata like the author, the name of the IOC, and a description; references to the investigation or case and information about the maturity of the IOC; and the definition for the indicator of compromise, which may include details of the actual compromise.

Question 7

Intelligence Cycle

Answer 7

Requirements Gathering, Threat Data collection, Threat Data analysis, Threat Data dissemination, and Gathering feedback.

Question 8

Requirements Gathering

Answer 8

Assess what security breaches or compromises you have faced. Assess what information could have prevented or limited the impact of the breach. Assess what controls and security measures were not in place that would have mitigated the breach

Question 9

Data Collection

Answer 9

Once you have your information requirements, you can collect data from threat intelligence sources to meet those requirements. This phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources.

Question 10

Data Processing & Analysis

Answer 10

The threat intelligence data that you gathered in the data collection stage will likely be in several different formats. Some may be in easy-to-access formats that your existing tools and systems can consume. Other data may be in plain-text or written form, or it may be almost entirely unformatted. In this stage you must first process the data to allow it to be consumed by whatever tools or processes you intend to use, and then you must analyze the data itself. The output from this stage could be data fed into automated systems or other tools, or written reports to distribute to leadership or others across your organization.

Question 11

Intelligence Dissemination

Answer 11

In the dissemination phase of the intelligence cycle, data is distributed to leadership and operational personnel who will use the data as part of their security operations role.

Question 12

Feedback

Answer 12

The final stage in the threat intelligence cycle is gathering feedback about the reports and data you have gathered. Continuous improvement is a critical element in the process, and it should be used to create better requirements and to improve the overall output of your threat intelligence program.

Question 13

Nation State

Answer 13

Actors often have the most access to resources, including tools, talent, equipment, and time. Nation-state threat actors have the resources of a country behind them, and their goals are typically those of the country they are sponsored by. Nation- state actors are often associated with advanced persistent threat (APT) organizations, and they have advanced tools and capabilities not commonly seen in the hands of other threat actors.

Question 14

Hacktivists

Answer 14

Are activists who use hacking as a means to a political or philosophical end. Hacktivists range from individual actors to large groups like Anonymous, and their technical capabilities and resources can vary greatly. When you are assessing threats from hacktivists, you need to carefully consider what types of hacktivists are most likely to target your organization and why.

Question 15

Insider Threats

Answer 15

Are threats from employees or other trusted individuals or groups inside an organization. They may be intentional or unintentional, but in either case, they can pose a significant threat due to the trusted position they have. Insider threats are frequently considered to be one of the most likely causes of breaches and are often difficult to detect.

Question 16

Adversary Capability

Answer 16

Assessing the resources, intent, and ability of the likely threat actor or organization.

Question 17

Attack Surface

Answer 17

Any system, device, network, application, staff member, or other target that a threat may target.

Question 18

Attack Vectors

Answer 18

The means by which attackers can gain access to their targets.

Question 19

Threat Reputation

Answer 19

It is most often paired with IP addresses or domains, but file reputation services and data feeds also exist, as well as other reputation-based tools.

Question 20

Reputation Damage

Answer 20

You’re more likely to run into the term in use when describing the impact or damage that a threat can cause.

Question 21

IOC’s

Answer 21

Indicators of compromise are forensic evidence or data that can help to identify an attack. Unlike the other assessment methods, indicators of compromise are used exclusively after an attack has started. Knowing which IOCs are associated with a given threat actor, or common exploit path, can help defenders take appropriate steps to prevent further compromise and possibly to identify the threat actor. It can also help defenders limit the damage or stop the attack from progressing.

Question 22

Diamond Model of Intrusion Analysis

Answer 22

Describes a sequence where an adversary deploys a capability targeted at an infrastructure against a victim. In this model, activities are called events, and analysts label the vertices as events that are detected or discovered. The model is intended to help analysts discover more information by highlighting the relationship between elements by following the edges between the events.

Question 23

Cyber Kill Chain

Answer 23

Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> C2 -> Actions on Objective

Question 24

Reconnaissance

Answer 24

Which identifies targets. In this phase, adversaries are planning their attacks and will gather intelligence about the target, including both open source intelligence and direct acquisition of target data via scanning. Defenders must gather data about reconnaissance activities and prioritize defenses based on that information.

Question 25

Weaponization

Answer 25

Involves building or otherwise acquiring a weaponizer that combines malware and an exploit into a payload that can be delivered to the target. This may require creating decoy documents, choosing the right command-and-control tool, and other details. The model emphasizes the fact that defenders need to conduct full malware analysis in this stage to understand not only what payload is dropped but how the weaponized exploit was made.

Question 26

Delivery

Answer 26

Occurs when the adversary either deploys their tool directly against targets or via release that relies on staff at the target interacting with it such as in an email payload, on a USB stick, or via websites that they visit. Defenders in this stage must observe how the attack was delivered and what was targeted, and then will infer what the adversary was intending to accomplish. Retention of logs is also important in this stage, as defenders need them to track what occurred.

Question 27

Exploitation

Answer 27

Uses a software, hardware, or human vulnerability to gain access. This can involve zero-day exploits and may use either adversary-triggered exploits or victim-triggered exploits. Defense against this stage focuses on user awareness, secure coding, vulnerability scanning, penetration testing, endpoint hardening, and similar activities to ensure that organizations have a strong security posture and very limited attack surface.

Question 28

Installation

Answer 28

Focuses on persistent backdoor access for attackers. Defenders must monitor for typical artifacts of a persistent remote shell or other remote access methodologies.

Question 29

C2

Answer 29

Access allows two-way communication and continued control of the remote system. Defenders will seek to detect the C2 infrastructure by hardening the network, deploying detection capabilities, and conducting ongoing research to ensure they are aware of new C2 models and technology.

Question 30

Action and Objectives

Answer 30

The final stage, occurs when the mission’s goal is achieved. Adversaries will collect credentials, escalate privileges, pivot and move laterally through the environment, and gather and exfiltrate information. They may also cause damage to systems or data. Defenders must establish their incident response playbook, detect the actions of the attackers and capture data about them, respond to alerts, and assess the damage the attackers have caused.