Classifying Threats

Question 1

A threat that can be identified using basic signature or pattern matching

Answer 1

Known Threats

Question 2

Malware

Answer 2

Any software intentionally designed to cause damage to a computer, server,
client, or computer network

Question 3

A piece of software, data or sequence of commands that takes advantage of
a vulnerability to cause unintended behavior or to gain unauthorized access
to sensitive data

Answer 3

Documented Exploits

Question 4

A threat that cannot be identified using basic signature or pattern matching

Answer 4

Unknown Threats

Question 5

An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong

Answer 5

Zero-day Exploit

Question 6

Malicious code whose execution the malware author has attempted to hide
through various techniques such as compression, encryption, or encoding to
severely limit attempts to statically analyze the malware

Answer 6

Obfuscated Malware Code

Question 7

A malware detection method that evaluates an object based on its intended
actions before it can actually execute that behavior

Answer 7

Behavior-based Detection

Question 8

Refers to the process of combining and modifying parts of existing exploit code to
create new threats that are not as easily identified by automated scanning

Answer 8

Recycled Threats

Question 9

A classification of malware that contains obfuscation techniques to circumvent
signature-matching and detection

Answer 9

Known Unknowns

Question 10

A classification of malware that contains completely new attack vectors and
exploits

Answer 10

Unknown Unknowns

Question 11

A type of threat actor that is supported by the resources of its host country’s
military
and security services

Answer 11

Nation-state Actor

Question 12

A type of threat actor that uses hacking and computer fraud for commercial gain

Answer 12

Organized Crime

Question 13

A type of threat actor that is motivated by a social issue or political cause

Answer 13

Hacktivist

Question 14

A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.
Insider threats can be either intentional or unintentional

Answer 14

Insider Threat

Question 15

A threat actor who conducts an attack with a specific purpose

Answer 15

Intentional

Question 16

A threat actor that causes a vulnerability or exposes an attack vector without malicious intent
Shadow IT is a form of unintentional insider threat

Answer 16

Unintentional

Question 17

Malicious software applications that are widely available for sale or easily obtainable and usable

Answer 17

Commodity Malware

Question 18

A vulnerability that is discovered or exploited before the vendor can issue a patch to fix it

Answer 18

Zero-day Vulnerability

Question 19

An attacker’s ability to obtain, maintain, and diversify access to network systems
using exploits and malware

Answer 19

Advanced Persistent Threat (APT)

Question 20

An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets

Answer 20

Command and Control (C2)

Question 21

Blacklists of known threat sources, such as malware signatures, IP address ranges,
and DNS domains

Answer 21

Reputation Data

Question 22

A residual sign that an asset or network has been successfully attacked or is continuing to be attacked

Answer 22

Indicator of Compromise (IoC)

Question 23

A term used for evidence of an intrusion attempt that is in progress

Answer 23

Indicator of Attack (IoA)

Question 24

A term that refers to the correlation of IoCs into attack patterns

Answer 24

Behavioral Threat Research

Question 25

Behavior patterns that were used in historical cyber-attacks and adversary actions ▪ DDoS ▪ Viruses or Worms ▪ Network Reconnaissance ▪ APTs ▪ Data Exfiltration

Answer 25

Tactics, Techniques, and Procedures (TTP)

Question 26

APT techniques to retain persistence

Answer 26

Port Hopping Fast Flux DNS

Question 27

An APT’s C2 application might use any port to communicate and may jump between different ports

Answer 27

Port Hopping

Question 28

A technique rapidly changes the IP address associated with a domain

Answer 28

Fast Flux DNS

Question 29

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion. Kill chain analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage

Answer 29

Lockheed Martin Kill Chain

Question 30

Lockheed Martin Kill Chain Stages

Answer 30

Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives

Question 31

A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org) The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization phases of the kill chain

Answer 31

MITRE ATT&CK Framework

Question 32

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim

Answer 32

Diamond Model of Intrusion Analysis

Question 33

A standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework STIX is expressed in JavaScript Object Notation (JSON) format that consists of attribute: value pairs

Answer 33

Structured Threat Information eXpression (STIX)

Question 34

A protocol for supplying codified information to automate incident detection and analysis

Answer 34

Trusted Automated eXchange of Indicator Information (TAXII)

Question 35

A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis

Answer 35

OpenIOC

Question 36

MISP provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII

Answer 36

Malware Information Sharing Project (MISP)

Question 37

The process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system Threat modeling may be used to analyze corporate networks in general or against specific targets like a website or application being deployed

Answer 37

Threat Modeling

Question 38

A formal classification of the resources and expertise available to a threat actor

Answer 38

Adversary Capability

Question 39

The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor ▪ The holistic network ▪ Websites or cloud-services ▪ Custom software applications

Answer 39

Attack Surface

Question 40

A specific path by which a threat actor gains unauthorized access to a system ▪ Cyber ▪ Human ▪ Physical

Answer 40

Attack Vector

Question 41

Likelihood - The chance of a threat being realized which is usually expressed as a percentage Impact - The cost of a security incident or disaster scenario which is usually expressed in cost (dollars)

Answer 41

Risk

Question 42

A cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring

Answer 42

Threat Hunting

Question 43

A hypothesis is derived from the threat modeling and is based on potential events with higher likelihood and higher impact

Answer 43

Establishing a Hypothesis

Question 44

Involves the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be

Answer 44

Profiling Threat Actors and Activities

Question 45

Publicly available information plus the tools used to aggregate and search it

Answer 45

Open-Source Intelligence (OSINT)

Question 46

An Open Source Intelligence (OSINT) technique used to gather email addresses for a domain

Answer 46

Email Harvesting

Question 47

A public listing of all registered domains and their registered administrators

Answer 47

whois

Question 48

A method of replicating DNS databases across a set of DNS servers that is often used during the reconnaissance phase of an attack

Answer 48

DNS Zone Transfer

Question 49

Using Open Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on

Answer 49

DNS Harvesting

Question 50

A techniques used to copy the source code of website files to analyze for information and vulnerabilities

Answer 50

Website Harvesting