Classifying Threats Section 4 Flashcards

1
Q

Name Some Threat Classifications

A

known threats, malware, documented exploits, unknown threats, 0-day exploits, obfuscated malware code, behavior-based detection (heuristics), recycled threats, known knowns, unknown known, known unknowns, unknown unknowns

2
Q

Unknown Unknowns

A

A classification of malware that contains completely new attack vectors and exploits. These are things that we don’t know, and we just don’t have any way to know about them yet. We must experiment more and more, do a lot more research, and try to figure these things out.

3
Q

Ex of Unknown Unknowns

A

If there is a zero-day we’ve never seen before, and it’s doing something that we never thought was malicious behavior, this is an unknown unknown. Eventually we might find out that ‘that thing they’re doing’, when you put it all together, is a bad thing. Then it becomes a known unknown, and if we can eventually get a signature for it, it becomes a known known.

4
Q

Known Unknowns

A

A classification of malware that contains obfuscation techniques to circumvent signature-matching and detection. We don’t have a matching signature for it and we can’t predict it; we must research it to start reducing the uncertainty we have around this thing.
● We know that it is bad (that’s the known part) but we don’t know any signatures that are related to it, so we don’t have an easy way to block it. This is generally where you’re going to see a lot of behavior-based analysis done.

5
Q

Unknown Known

A

▪ Something that is known to other people, but it may not be known to you.

6
Q

Ex of Unknown Known

A

● EX: There may be a signature out there inside the McAfee FW but there’s not one inside your firewall. So McAfee knows about it and they can stop it but we don’t know about it and we can’t stop it.

7
Q

Recycled Threats

A

Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning.
● If we take different pieces and parts of different malware code and put them together, we can now bypass the signature-based detection of a known threat because it is now something new that may be able to get through the system and past the anti-malware scans.

8
Q

Behavior-based Detection (heuristics)

A

▪ A malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior.

9
Q

Ex of Behavior-based Detection (heuristics)

A

If you send an email with an attachment in it, that attachment may be opened in a sandbox first and evaluated based on its behavior to see whether it’s malicious or not. If it isn’t malicious, it is then sent into my inbox; if it is malicious, it can be sent out and destroyed.

10
Q

Obfuscated Malware Code

A

Malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware.
● Scrambling or slightly changing the code at random intervals, essentially making it unknown. You’re making the signatures inaccurate so it can no longer be detected.

11
Q

Zero-day Exploits

A

An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong.
● Something someone found in the wild to break into something that analysts don’t have a way to protect against.

12
Q

Unknown threats

A

A threat that cannot be identified using a basic signature or pattern. Much more dangerous for the analyst.

13
Q

Ex of unknown threats:

A

Zero-day exploits, obfuscated malware code, behavior-based detection, recycled threats, known unknowns and unknown unknowns.

14
Q

Documented Exploits

A

A piece of software, data or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data.

15
Q

Ex of Documented Exploits

A

Static threats that are easily detected using signatures or hash values.

16
Q

Malware

A

Any software intentionally designed to cause damage to a computer, server, client, or computer network.
● Viruses, rootkits, trojans and botnets.

17
Q

Name some activities hackers perform

A

Social media profiling, social engineering, network scanning, fingerprinting, service discovery and packet capture.

18
Q

What is fingerprinting and service discovery used for

A

To identify vulnerable services that they can exploit and attack.

19
Q

Name the 8 main types of threat actors

A

Script kiddies, insider threats, competitor, organized crime, hacktivist, nation-state, APT, Supply chain threats

20
Q

Script kiddie

A

Someone who has the least amount of skill when it comes to being an attacker. They use other people’s tools, as they don’t have the skill to make their own, and they often don’t understand what they are doing or what kind of damage they may cause.

21
Q

Insider threat

A

People who have authorized access to an organization’s network, policies, procedures, and business practices. This can be an employee or a former employee who has knowledge of the organization’s network, policies, procedures, and business practices.

22
Q

What are the two types of insider threats? Describe each

A

Skilled: someone who is able to elevate their own user account permissions so they can now access data from across the entire network as a sys admin and then try to grab everything they can and sell it to a willing buyer.
Unskilled: may try to copy the org’s files onto a thumb drive and walk out the front door with them. Even though they were authorized to access those files, they may not have been authorized to remove them from the network or post them online and this results in some kind of data breach.

23
Q

What enforcement technologies should organizations have in place to defend against insider threats

A

DLP, SIEM search (systems need to be properly configured to search through the SIEM to ID patterns of abuse in order to catch the malicious insider.)

24
Q

It is important to have a solid cybersecurity strategy to counter Insider Threats, including:

A

● Employee Education and Training
● Access Controls
● Incident Response Plans – helps to quickly detect, contain and deal with any kind of insider threat you may encounter.
● Regular Monitoring to detect unusual behavior

25
Q

Competitor

A

● A rogue business attempting to conduct cyber espionage against an organization. They are focused on stealing your proprietary data, disrupting your business, or damaging your reputation.

26
Q

Often competitors will..

A

seek to use an employee as an insider threat in your organization to steal the data from you or they may try to break into your network via the internet.

27
Q

Organized crime

A

● Focused on hacking and computer fraud to achieve financial gains. Organized crime gangs often run different schemes of scams using social engineering or conducting more technical attacks using ransomware to steal money from their victims.

28
Q

T or F
Organized crime is typically well-funded and they use sophisticated attacks and tools

A

T

29
Q

Hacktivist

A

● Politically-motivated hacker who targets governments or individuals to advance their political ideologies.

30
Q

Nation State actors have..

A

exceptional capability, funding, and organization, with an intent to hack a network or system. They do not pick a network at random to attack; instead, they determine specific targets to achieve their political motives.

31
Q

Not all ____ are ________ but almost all _______ are going to be considered ____

A

● Not all APT are nation-states, but almost all nation-states are going to be considered an APT.

32
Q

How long are Nation States or an APT inside of a victimized network before defenders discover an intrusion?

A

At least 6-9 months but they can go longer.

33
Q

Many nation-states tried to present themselves as…

A

a threat actor inside of the other groups, so they can maintain plausible deniability. Oftentimes, a Nation State might also use the TTPs of a different Nation State in order to implicate them in an attack; this is called a false flag attack.

34
Q

A nation-state actor refers to a…

A

government or government affiliated group that conducts cyber-attacks.

35
Q

Advanced persistent threat (APT)

A

● An attacker that establishes a long-term presence on a network in order to gather sensitive information.

36
Q

What is the main goal of an APT

A

to harvest sensitive data, intellectual property, and other sensitive information

37
Q

What is the key difference between a Nation State and APT

A

▪ Nation-state is affiliated with the government.
▪ APT is a generic type of cyber-attack that establishes long-term presence on a network to gather sensitive information.

38
Q

APT use a lot of..

A

tools that exist on the computer already which we refer to as living off the land.

39
Q

Commodity Malware

A

▪ Malicious software applications that are widely available for sale or easily obtainable and usable. Generic (off-the-shelf) malware, used against everyone.

40
Q

where can Commodity Malware be found

A

On the dark web/net, where there are online marketplaces selling RATs like Poison Ivy, Dark Comet, and Extreme Rat, etc., and other types of malware. They’re available online for a fee; you can then download them and start using them as part of your attacks if you’re a bad guy.

41
Q

what can identifying if malware is commodity or targeted help you determine

A

The severity of the incident.

42
Q

What kind of threat are APTs considered to be

A

A known unknown threat.

43
Q

Is an APT a group or a single person

A

A group. Generally, you’re going to have a staff with different realms of expertise. EX: one person whose job it is to break down the front door and get into the system; another person whose job it is to establish persistence and make sure they don’t get kicked out; and maybe another person who is a linguist and can assist in translating the information being gathered.

44
Q

Command and Control (C2)

A

▪ An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.

45
Q

What do APTs often target

A

Financial institutions, healthcare companies, and governments, to get large PII data sets that can be turned into money.

46
Q

What does it mean to establish persistence

A

▪ The ability of a threat actor to maintain covert access to a target host or network.

47
Q

Reputation Data

A

▪ Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains. All of this data helps provide the basis for what we’re going to use in our research, because it tells us about things that we know are bad.

48
Q

Indicator of Compromise (IOC)

A

A residual sign that an asset or network has been successfully attacked or is continuing to be attacked.
▪ An IoC is evidence that an attack was successful.

49
Q

Ex of IOCs

A

▪ Hash value
▪ IP address
▪ A file left behind on a system
▪ Unauthorized software and files
▪ Suspicious emails
▪ Suspicious registry and file system changes
▪ Unknown port and protocol usage
▪ Excessive bandwidth usage
▪ Rogue hardware
▪ Service disruption and defacement
▪ Suspicious or unauthorized account usage

50
Q

Indicator of Attack (IoA)

A

▪ A term used for evidence of an intrusion attempt that is in progress right now.

51
Q

What is Behavioral Threat Research

A

Refers to the correlation of IoCs into attack patterns.
▪ EX: if we took all of these different IOCs and I see them in this particular order, that may indicate that adversary X has done this; if I see them in a different order, it might be that adversary Y has done this. That is based on their TTPs.

52
Q

Tactics, Techniques, and Procedures (TTP)

A

● Behavior patterns that were used in historical cyberattacks and adversary actions. By learning these, you’re going to be able to start understanding the way your adversary thinks and how you could try to get one step ahead of them to prevent them from getting further into your networks.

53
Q

What can high CPU, memory or network usage indicate?

A

o Viruses or Worms – if I start looking at your system and I see high CPU or memory usage, this could be a sign that there’s some kind of malware infecting your host. You might also see a virus detection alert if there’s a known signature, but if this is a new piece of malware or a new virus or worm, you’re going to have to look for secondary effects like high CPU, high memory, high network usage and things like that.

54
Q

What are two common ways C2 mechanisms in servers hide themselves

A

Port hopping and fast flux DNS.

55
Q

Port hopping

A

▪ An APT’s C2 application might use any port to communicate and may jump between different ports.
o It may start using port 22 and, if it thinks it’s being detected, it will jump to port 1258 or whatever port it’s going to use. By jumping between these ports, it can try to evade detection.

56
Q

Fast flux DNS

A

▪ A technique that rapidly changes the IP address associated with a domain.
o What happens here is that you have one domain name but multiple IP addresses associated with it. So even if you start blocking IP addresses, they can change the backend IP address and still route their communications to the C2 server. This allows an adversary to defeat your IP-based blacklisting, maintain communication, and remain an advanced persistent threat by maintaining that C2 communication.

57
Q

How can you detect fast flux dns

A

By looking at the communication patterns that emerge as these changes keep happening, because we’re going to see that your machine went from this IP to that IP to a 3rd or 4th IP. That can be detected through our logs.

58
Q

Data Exfiltration

A

▪ The unauthorized transfer of data from a computer or other device.

59
Q

What may be an indicator of data exfiltration

A

If you see file types, compression, or encryption being used on data where you normally don’t have that.

60
Q

Name 3 different attack frameworks

A

▪ Lockheed Martin Kill Chain
▪ MITRE ATT&CK Framework
▪ Diamond Model of Intrusion Analysis

61
Q

Lockheed Martin Kill Chain

A

▪ Describes the stages by which a threat actor progresses a network intrusion.

62
Q

What are the steps of the Lockheed martin kill chain

A
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. C2
  7. Actions on Objectives
63
Q

in the Lockheed Martin Kill Chain what is Reconnaissance (step 1)

A

o The attacker determines what methods to use to complete the phases of the attack.
* Attackers don’t want to get caught while doing this, so they try to be sneaky by using things like open source and passive information gathering so they can’t be detected.

64
Q

In step 1 of the Lockheed Martin Kill Chain what type of scanning do attackers start with and why

A

* In this phase you can use both passive and active scanning techniques, but generally we’re going to start out with passive info gathering and then move into active scanning.

65
Q

in the Lockheed Martin Kill Chain what is Weaponization (step 2)

A

o The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system.
* You’re basically coding or creating the malware or the exploit you want to run, but you’re not running it yet. You’ve only created it inside your own lab; you haven’t sent it to the victimized system.

66
Q

in the Lockheed Martin Kill Chain what is Delivery (step 3)

A

o The attacker identifies a vector by which to transmit the weaponized code to the target environment.
* This may be by email, or by dropping a USB drive loaded with that malware in their parking lot.

67
Q

in the Lockheed Martin Kill Chain what is Exploitation (step 4)

A

o The weaponized code is executed on the target system by your chosen mechanism.
o Ex: If you sent them an email with a phishing link and they click that link, the sending of the email was delivery. Clicking the link is when exploitation happens, and the code starts running. Or if you dropped the USB drive (delivery) and they plugged it into their system and the autorun started up that code, that would be exploitation.

68
Q

in the Lockheed Martin Kill Chain what is Installation (step 5)

A

o This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.
* If we had a stage one dropper (a type of malware that acts as the initial point of entry) that was run as part of exploitation, we have now downloaded and installed our phase two, giving us control of that system moving forward and the persistence that we’re looking for.

69
Q

in the Lockheed Martin Kill Chain what is C2 (step 6)

A

o The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.
* At this point you ‘own this system’. You have access to it, you can remote into that system, and you can now run commands on that system. That’s what the C2 is all about.

70
Q

in the Lockheed Martin Kill Chain what is Actions on Objectives (step 7)

A

o The attacker typically uses the access he has achieved from steps 1-6 to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives.
* That may be data exfiltration or some other goal or motive. Whatever their goal was originally with reconnaissance, they’ve now achieved that by being on the system; they have 2-way communication using command and control and can now perform actions on objectives.

71
Q

What are the 6 Ds we try to do to an attacker who is trying to break into our systems?

A

o Detect, Deny, Disrupt, Degrade, Deceive, Destroy.

72
Q

The kill chain is..

A

a linear method but there are newer methods out there that work in more of an iterative manner or allow you to think holistically across multiple lines of attack.

73
Q

MITRE ATT&CK Framework

A

▪ A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)

74
Q

pre-ATT&CK tactics matrix

A

▪ An additional matrix that aligns to the reconnaissance and weaponization phases of the kill chain.

75
Q

Diamond Model of Intrusion Analysis

A

▪ A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.

76
Q

What are the 4 core features of the Diamond Model?

A

adversary, capability, infrastructure, and victim.

77
Q

Each event in a diamond model is put into a _____ which is an..

A

An array of info that contains info on the adversary, the capability, the infrastructure, and the victim.

78
Q

By putting all info of the diamond model into a tuple format we can..

A

use it inside of some sort of automated system, for instance, our SIEM, that can then help correlate all this info together for us.

79
Q

Name four different formats out there that can be used to share data

A

o Structured Threat Information eXpression (STIX)
o Trusted Automated eXchange of Indicator Information (TAXII)
o OpenIOC
o Malware Information Sharing Project (MISP)

80
Q

How is STIX expressed?

A

in JavaScript Object Notation (JSON) format that consists of attribute: value pairs.

81
Q

STIX is built from high-level STIX domain objects (SDO) that contain multiple..

A

attributes and values.

82
Q

In STIX what is Observed Data

A

a stateful property of your computer system and what you’ve actually seen in the event occurring – like an IP or an executable file.

83
Q

In STIX anytime you see an indicator you should..

A

dig a little deeper on it to figure out if it’s an indicator of past compromise or a TTP.

84
Q

In STIX what is an attack pattern

A

known adversary behaviors starting with the overall goal of what they’re trying to attack and then elaborating down to some kind of specific technique or procedure.

85
Q

In STIX what are campaign and threat actors

A

People who are trying to attack you. We are trying to figure out: Who are these people? What are their goals? What is their campaign?

86
Q

In STIX what is a Course of Action (COA)

A

the mitigating actions or security controls that you can use to reduce the risk from these different attacks and how to resolve these incidents.

87
Q

In STIX when taking all the STIX Domain Object and putting them together you start…

A

creating a connection of this relationship of objects and this can do a lot of things for you as you start indicating what it was, what the targets were, and what things were attributed to it.

88
Q

STIX works by creating..

A

a language for us to describe these things in a very easy way and to share them automatically across our systems.

89
Q

Trusted Automated eXchange of Indicator Information (TAXII)

A

A protocol for supplying codified information to automate incident detection and analysis.

90
Q

what is Trusted Automated eXchange of Indicator Information (TAXII) used for

A

To transmit data back and forth between servers and clients over some kind of secure connection, like a secure web connection (HTTPS), using something like a REST API.
▪ Ex: if you have a CTI subscription with some service provider, they’re going to maintain their data repository but you as a subscriber need to get that information from them. The way you do this is by using TAXII.

91
Q

TAXII is really a..

A

connection mechanism; you can actually take STIX and provide it over TAXII.

92
Q

OpenIOC

A

▪ A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis.

93
Q

OpenIOC is a..

A

An open-source tool. It has a lot of different information for each entry. Each entry is going to have a lot of different metadata, such as the author, category info, confidence level, and usage license, plus a description and a definition.

94
Q

Malware Information Sharing Project (MISP)

A

Provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII. It is also open source.