Chapter 2 - Threat Intelligence, Attack Frameworks Flashcards
How can we say intelligence is valuable? What factors make it so and affect its value?
Timeliness
Relevancy
Accuracy
Confidence Level
What are the 3 sources you can get intelligence (information) from?
Proprietary
Closed-Source
Open-Source
What is OSINT?
Open-Source Intelligence = a method of obtaining information about a person or organization through public records, websites, and social media (e.g., looking at your Facebook profile)
What is threat hunting?
A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring
What is the difference between threat hunting and penetration testing?
Threat hunting is potentially less disruptive than penetration testing
It is proactive (going out and hunting for threats rather than waiting for them to appear)
Penetration testing breaks into your own system to demonstrate a weakness, whereas threat hunting only analyzes data, which is why threat hunting is the less disruptive of the two
How do you do threat hunting?
1 - Establishing a hypothesis
(A hypothesis is derived from threat modeling and is based on potential events with higher likelihood and higher impact.)
2 - Profiling threat actors and activities (involves the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be)
Threat hunting relies on the usage of the tools developed for _____ security monitoring and incident response. Why?
regular
*because you are looking for what “failed” in regular security monitoring and response
What do you analyze during threat hunting?
(1) Analyze network traffic (start by looking at outgoing network traffic going to a suspicious domain or C2 server identified by threat research)
(2) Analyze the executable process list (see which programs and services are running, which ones are opening that network connection, and whether those connections are valid or suspicious)
(3) Analyze other infected hosts (if a host is suspicious, check whether the same malicious process is present on other hosts, or whether it is using different techniques to avoid detection)
(4) Identify how the malicious process was executed (what allowed it to start up? Is there a way to block it?)
What are the disadvantages and advantages of threat hunting?
Dis = consumes a lot of resources and time to conduct
Adv =
(1) Improves detection capabilities
(2) Integrates intelligence
(3) Reduces attack surface
(4) Blocks attack vectors
(5) Identifies critical assets
What are the 3 different Attack Models?
1- Lockheed Martin Kill Chain (older model)
2- MITRE ATT&CK Framework
3- Diamond Model of Intrusion Analysis
What are the 7 steps of the Kill Chain method?
▪ Reconnaissance
-The attacker determines what methods to use to complete the phases of the attack
▪ Weaponization
-The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system
▪ Delivery
-The attacker identifies a vector by which to transmit the weaponized code to the target environment
▪ Exploitation
-The weaponized code is executed on the target system by this mechanism
▪ Installation
-This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system
▪ Command & Control (C2)
-The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
▪ Actions on Objectives
-The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
-Kill chain analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage
The MITRE ATT&CK Framework was developed after the kill chain. Why, and what is it?
*because the kill chain is a linear method focused on perimeter security
-It is a knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)
-The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization phases of the kill chain
What is the Diamond Model of Intrusion Analysis used for?
When an intrusion event occurs
What is Diamond Model of Intrusion Analysis?
A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features:
adversary (one’s opponent in a contest, conflict, or dispute),
capability,
infrastructure,
and victim