CISSP Flashcards

1
Q

Cyber threat intelligence

A

Cyber threat intelligence is the collection and analysis of threat trends to identify potential or actual threats to the organization. As a result, organizations are better prepared to create preventive and detective cybersecurity measures.

2
Q

Passive footprinting

A

Passive footprinting collects information about the target without directly interacting with it. This typically involves combing through the target's website, job sites, forums, and other public sites.

3
Q

Active footprinting

A

Active footprinting collects information about the target through direct interaction, such as e-mailing, calling, and visiting the target's physical location.

4
Q

Open-source intelligence

A

Publicly available information

5
Q

Proprietary/closed-source intelligence

A

Info with restricted access (e.g. police record)

6
Q

Timeliness Intelligence

A

timely receipt/operationalization (impact > intelligence cost)

7
Q

Accuracy Intelligence

A

Intelligence must be accurate enough that acting on it saves the organization more than its errors and mistakes cost.

8
Q

Relevancy intelligence

A

Must address a threat and allow for effective action; usable delivery format

9
Q

OpenIOC

A

OpenIOC is an open cyber threat sharing framework designed for exchanging threat data with other parties in a machine-readable standard format for defining/recording/sharing artifacts. Businesses use OpenIOC to share IOCs with other businesses that serve the threat intelligence communities worldwide

10
Q

STIX

A

Structured Threat Information eXpression (STIX). Describes cyber threat information (motivation, abilities, capabilities, response)

11
Q

TAXII

A

Trusted Automated eXchange of Indicator Information (TAXII), describes how threat info (STIX) can be shared (hub-and-spoke; source/subscriber; peer-to-peer); discovery, collection management, inbox, poll

12
Q

Known Threats vs. Unknown Threats

A

Known threats: the low-hanging fruit, like spam and viruses, which have been seen before. They can be identified through open-source intelligence (OSINT).

Unknown threats: malicious code that has not been seen before.

13
Q

Zero-day

A

A zero-day is a previously unknown vulnerability, or malware exploiting it, for which no patch exists.

14
Q

APT

A

Advanced persistent threats (APTs) are skilled attackers backed by extremely large resources, such as military or government sponsorship.

15
Q

Nation-state (Threat actors)

A

Nation-state threat actors are frequently among the most sophisticated adversaries, with dedicated infrastructure, training resources, and operational support behind their activities. Their activities are characterized by extensive planning and coordination and often reflect the strong government or military influence behind them

16
Q

Hacktivists (Threat actors)

A

Hacktivists are threat actors that typically operate with less resourcing than their nation-state counterparts, but nonetheless coordinate efforts to bring light to an issue or promote a cause. They often rely on readily available tools and mass participation to achieve their desired effects against a target.

17
Q

Organized crime

A

Threat actors operating on behalf of organized crime groups are becoming an increasingly visible challenge for enterprise defenders to confront. These profit-driven groups target PII, credit card data, and similar monetizable information.

18
Q

Insider Threat Actors

A

Insider threat actors work within an organization and represent a particularly high risk of causing catastrophic damage because of their privileged access to internal resources.

19
Q

Intelligence Cycle

A

The intelligence cycle is a core process used by most governments and business intelligence and security teams to process raw signals into finished intelligence for use in decision-making.

Requirements: The requirements phase involves the identification, prioritization, and refinement of uncertainties about the operational environment that the security team must resolve to accomplish its mission.

Collection: At this phase, the plan that was previously defined is executed, and data is collected to fill the intelligence gap.

Analysis: Analysis is the act of making sense of what you observe. With the help of automation, highly trained analysts give meaning to the normalized, decrypted, or otherwise processed information by adding context about the operational environment.

Dissemination: Distributing the requested intelligence to the customer occurs at the dissemination phase.

Feedback: Once intelligence is disseminated, more questions may be raised, which leads to additional planning and direction of future collection efforts.

20
Q

Commodity Malware

A

Commodity malware includes any pervasive malicious software that is made available to threat actors for sale, also called Malware-as-a-Service.

21
Q

H-ISAC

A

Health Information Sharing and Analysis Center, used to obtain up-to-date health-sector threat intelligence.

22
Q

FS-ISAC

A

Financial Services Information Sharing and Analysis Center. The FS-ISAC is the global financial industry's go-to resource for all physical and cyber threat intelligence sharing.

23
Q

A-ISAC

A

Aviation Information Sharing and Analysis Center. Aviation cybersecurity concerns are significant enough that multiple ISACs have sprouted around the globe.

24
Q

ND-ISAC

A

National Defense Information Sharing and Analysis Center

25
Q

MITRE ATT&CK

A

MITRE ATT&CK is an attack framework organized around tactics and techniques. The ATT&CK "tactics" describe the why of an adversary's attack, and the "techniques" describe the how for achieving the tactic's goal. For example, the adversary's tactic might be Execution, and the technique could be PowerShell.

26
Q

Credential Stuffing

A

Credential stuffing is the use of usernames and passwords obtained from a previous data breach at another organization to test whether the same credentials are valid at the target organization.

27
Q

VLAN hopping

A

VLAN hopping can be accomplished with a switch spoofing method, where an attacker imitates a trunking switch by using the VLAN tagging and trunking protocols (Multiple VLAN Registration Protocol, IEEE 802.1Q, or Dynamic Trunking Protocol).

28
Q

Diamond Model of Intrusion Analysis

A

The Diamond Model maps out an attacking adversary moving toward an intended goal by exercising a capability over infrastructure against a victim.

29
Q

Kill Chain

A

The Cyber Kill Chain is one of the most popular attack frameworks; such frameworks help cybersecurity professionals around the world analyze the tactics, techniques, and procedures of adversaries based on specific attack scenarios.

30
Q

Reputational

A

Reputation data typically describes suspicious DNS names, e-mail addresses, file hashes, IP addresses, URLs, and websites. To make it easier to determine "friend" or "foe," these threats are formally assigned reputation scores: higher scores indicate generally positive reputations, whereas lower scores indicate generally negative reputations. This information can then be distributed globally, automatically or manually, as part of threat intelligence sharing platforms.

31
Q

Indicator of compromise (IoC)

A

An indicator of compromise (IoC) is a piece of data or other artifact that may indicate that a system or the network has been attacked or otherwise compromised.

32
Q

Common vulnerability scoring system (CVSS)

A

The Common Vulnerability Scoring System is the de facto standard for assessing the severity of vulnerabilities. Therefore, you should be familiar with CVSS and its metric groups: base, temporal, and environmental. These groups represent different aspects of a vulnerability: base metrics are the characteristics that do not change over time, temporal metrics describe those that do, and environmental metrics represent those that are unique to a user's environment.

33
Q

eFuse

A

In computing, an eFuse is a microscopic fuse built into a computer chip. The technology was invented by IBM to allow dynamic, real-time reprogramming of chips. Ordinarily, computer logic is "etched" or "hard-wired" onto a chip and cannot be changed once the chip has been manufactured.

34
Q

Data masking

A

Data masking is simply the obfuscation of parts of certain data elements, such as a Social Security number. An administrative assistant might require access to the last four digits of a person’s SSN to identify that person within the context of their work, but they don’t need access to the entire SSN

35
Q

Civil law

A

A type of law that usually pertains to the settlement of disputes between individuals, organizations, or groups, concerning the establishment, recovery, or redress of private and civil rights. Civil law is not criminal law. It is also called tort law and is mainly concerned with redress or recovery related to wrongdoing.

36
Q

Criminal law

A

A type of law pertaining to crimes against the state or conduct that is detrimental to society. Violations of criminal statutes are punishable by law and can include monetary penalties and jail time

37
Q

Moore’s law

A

The belief that processing power of computers will double about every 18 months due to technological improvements.

38
Q

Administrative law

A

A body of regulations, rules, orders, and decisions to carry out regulatory powers, created by administrative agencies

39
Q

Trade secret

A

A trade secret is a confidential design, practice, or method that is proprietary or business related. For a trade secret to remain valid, the owner must take precautions to ensure that the data remains secure. Examples of these precautions include encryption, document marking, and physical security.