CySA+ 180.L2 - Exploring Threat Intelligence and Threat Hunting Concepts

Question 1

What is Threat intelligence and threat hunting?

Answer 1

strategies used to detect and protect against active threats.

Question 2

Threat intelligence

Answer 2

describes gathering and analyzing data to help identify potential threats and determine the most effective way to
mitigate them.

Threat intelligence enables the proactive identification of malicious
activity and the capabilities and objectives of different threat actor groups.

Question 3

Threat hunting

Answer 3

describes actively searching for signs of malicious activity on an organization’s network.

Threat hunting involves using various tools and techniques to search for potential threats, such as analyzing log files, monitoring suspicious traffic, and performing manual searches.

Question 4

Threat actors

Answer 4

a person, group, or organization responsible for malicious
activities.

They are often motivated by financial gain, political gain, or simply a
desire to cause harm.

Question 5

Threat Actor Types

Answer 5

• Nation-State
• Organized Crime
• Hacktivist
• Insider Threat
• Script Kiddie
• Supply Chain Access

Question 6

attacks can be characterized as either

Answer 6

opportunistic or targeted

Question 7

Opportunistic attacks

Answer 7

can be launched without much
sophistication or funding simply by using tools widely available on the Internet.

Question 8

Targeted attack

Answer 8

use highly sophisticated tools and might be backed by a budget that can allocate resources and skilled professionals to achieving its aims.

Question 9

Nation-State

Answer 9

Developed cybersecurity expertise for military and commercial goals.

The goals of nation-state actors are primarily espionage and strategic advantage,

Mandiant’s APT1 report influenced understanding of modern cyberattack life cycles.

Nation-state actors have been implicated in many attacks, particularly on energy
and electoral systems.

Question 10

Organized Crime

Answer 10

Organized crime groups leverage the global nature of the Internet to conduct their illicit activities from various locations around the world, often spanning multiple jurisdictions.

Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.

Question 11

Blackmail

Answer 11

a form of extortion where someone threatens to reveal embarrassing, damaging, or incriminating information about another person unless they are given money or some other form of benefit.

Question 12

Hacktivist

Answer 12

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda.

Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

Political, media, and financial groups and companies
are probably most at risk, but environmental and animal advocacy groups may
target companies in a wide range of industries.

Question 13

Insider Threat

Answer 13

an actor who has been identified by the organization and granted some sort of access.

Within this group of internal threats, you
subdivide the threat to 1) insiders with permanent privileges, such as employees, and 2) insiders with temporary privileges, such as contractors and guests.

Question 14

Intentional insider - Threat Actors

Answer 14

An intentional insider is very much aware of their actions and has a clear intent and goal.

Question 15

Unintentional insiders

Answer 15

An unintentional insider may cause a vulnerability to be realized by misconfiguring a system or service in IT, clicking links and opening attachments in phishing emails, or by acquiring and using unauthorized software and/or cloud services, also referred to as Shadow IT.

Question 16

Script Kiddie

Answer 16

someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks.

Script kiddie attacks might have no specific target or reasonable goal other than gaining attention or proving technical abilities.

Question 17

Supply Chain Access

Answer 17

A common trend observed in attacks involves identifying the vendors and/or products an organization uses on an ongoing basis.

For example, a vendor may supply software products so an attacker can work to gain access to the software supplier, whose security practices may be lackluster, to insert malicious code into the vendor software prior to delivery to the target organization.

Question 18

Advanced Persistent Threat (APT)

Answer 18

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time.

One of the defining characteristics of an APT is anti-forensics, where the adversary removes evidence of the attack.

Question 19

Forensics

Answer 19

in the context of cybersecurity, refers to the process of collecting, analyzing, and interpreting digital evidence to investigate and respond to security incidents or cybercrimes.

Question 20

Command and Control (C&C or C2)

Answer 20

the centralized system used by attackers to manage and control compromised devices or networks.

It allows attackers to issue commands, receive data, and coordinate malicious activities remotely.

Question 21

Rootkit

Answer 21

malware that can give a threat actor the highest privileges to control your computer without your consent or knowledge.

Question 22

Advanced Persistent Threat (APT) typically targets

Answer 22

Large organizations, such as financial institutions, companies
in healthcare, and other organizations that store large volumes of personally
identifiable information (PII), especially when the PII describes important
government and political figures.

Historically, APTs have been observed targeting governments to carry out political objectives, interfere in elections, or spy on another country.

As APT groups are identified and profiled, they are assigned
unique number identifiers and code names.

Question 23

Advanced Persistent Threat (APT) - Advance Nature

Answer 23

They are rarely executed by lone attackers using publicly available exploits.

Advanced Persistent Threats (APTs), typically carried out by well-resourced and organized threat actors.

APT threat groups can access considerable financial and personnel resources, including teams specializing in custom exploit development and execution.

APTs spend considerable time gathering intelligence on their targets to develop highly specific exploits.

APT groups often combine many
different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer.

most APTs are interested in
maintaining access—or persistence—to networks and systems. Because of this,
APTs are some of the most notorious and harmful threats to organizations and governments

Question 24

Orchestrated Attacks

Answer 24

APT groups often combine many
different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer.

through the use of spear-phishing emails followed by malware deployment and lateral movement within the target network.

Question 25

Tactics, techniques, and procedures (TTPs)

Answer 25

Core concept in computer security that describe a method that threat actors or groups use when they want to compromise a target.

Cybersecurity teams leverage the documented TTPs attributed to various threat actor groups to fingerprint how adversaries conduct cyberattacks to compromise organizations.

Question 26

profile, or fingerprint

Answer 26

Cybersecurity analysts carefully deconstruct and document methods used by well-known threat actor groups to create a profile, or fingerprint, that identifies them.

These profiles can also help improve an organization’s defensive capabilities by
understanding the methods attackers will use to gain access to their environment.

Question 27

TTPs - Improving Defensive Capabilities:

Answer 27

Understanding attacker methods enhances an organization’s defensive capabilities.

Enables Organizations to anticipate and counter potential attacks more effectively.

Question 28

Behavioral analysis

Answer 28

identifies abnormal behaviors,

Question 29

Threat information
feeds

Answer 29

insight into popular attack patterns and active threat actors.

This information helps defensive teams identify if any associated TTPs appear in their environments.

Question 30

User and Entity behavior analytics (UEBA)

Answer 30

UEBA is a critical risk management solution that leverages ML algorithms and behavior analytics to provide comprehensive user and entity insights.

A system that can provide automated identification of suspicious activity by user accounts and computer hosts.

By delving into these insights, security teams can identify anomalies and take measures to mitigate potential impacts.

Question 31

Adversarial Tactics, Techniques, and Common Knowledge
(ATT&CK)

Answer 31

ATT&CK - A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.

Question 32

Open-Source Intelligence (OSINT)

Answer 32

The collection and analysis of data gathered from open sources (overt sources and publicly available information) to produce actionable intelligence.

OSINT sources are diverse and include social media, blog posts, news articles, chat forums, and many other sources.

Once potential threats are identified, threat-intelligence sharing platforms can help identify specific details about them, such as origin, methods, and potential targets, and track how they evolve.

OSINT can allow an attacker to develop any number of strategies for compromising
a target.

Question 33

Reconnaissance - OSINT

Answer 33

Reconnaissance is often the precursor to more direct attacks.

Understanding reconnaissance techniques and applying them to your own company and networks
will reveal how much useful information is being unintentionally provided to threat groups.

You can also use reconnaissance as a counterintelligence tool to build up profiles of potential or actual adversaries.

Question 34

Publicly available information - OSINT

Answer 34

An attacker can harvest information from public repositories and web searches.

Available information includes categories such as the IP addresses of an organization’s DNS servers; the range of
addresses assigned to the organization; names, email addresses, and phone
numbers of contacts within the organization; and the organization’s physical address. This data is publicly available through Whois records, Securities and Exchange Commission (SEC) filings, telephone directories, and more.

Question 35

WHOIS

Answer 35

A protocol used to query databases that store information about registered domain names and IP addresses.

Question 36

Securities and Exchange Commission (SEC)

Answer 36

a U.S. government agency responsible for regulating the securities industry, enforcing federal securities laws, and overseeing securities markets.

Its primary mission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.

The SEC achieves these objectives by requiring companies to disclose important financial information to the public

Question 37

Social Media - OSINT

Answer 37

Attackers can use social media sites like Facebook and LinkedIn to find an organization’s information.

Depending on how much an organization or an organization’s employees choose to share publicly, an attacker may find, posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of.

Question 38

HTML code - OSINT

Answer 38

The HTML code of an organization’s web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators.

The layout and organization of the code can reveal development practices, capabilities, and level of security awareness.

Question 39

Metadata - OSINT

Answer 39

Metadata—Attackers can run metadata scans on publicly available documents
using a tool like Fingerprinting Organizations with Collected Archives (FOCA).

For example, Microsoft Office documents posted on the Internet may not directly divulge sensitive information about an organization, but an attacker could extract useful information from its metadata, including the names of authors or anyone that made a change to the document. By using search engines, FOCA (https://github.com/ElevenPaths/FOCA) can cross-reference files with other
domains to find and extract metadata.

Question 40

Defensive OSINT

Answer 40

Intelligence gathering that focuses on identifying threats.

• Government bulletins
• CERT (computer emergency response team )
• CSIRT (computer security incident response team)
• Deep/Dark web:
• Internal sources

It also helps create a strategy to minimize the impact of an attack before it occurs.

The most critical component of defensive cybersecurity OSINT is identifying potential attackers and their attack methods beforehand.

Question 41

Government bulletins - OSINT

Answer 41

The government is responsible for protecting the country’s constituents and the national infrastructure and publishing a wide variety of information and advice regarding observed threats.

For example, the Department of Homeland Security and the Cybersecurity and Infrastructure
Agency publish several types of cybersecurity guidance, including basic
informational content and binding operational directives that federal agencies must implement.

Question 42

CERT

Answer 42

Computer Emergency Response Team (CERT)

The goal of a CERT is to mitigate cybercrime and minimize damage
by responding to incidents quickly.

They work with local law enforcement,
federal agencies, and other organizations to help prevent cyberattacks. CERTs
coordinate responses to major events like natural disasters or terrorist attacks.
Because of this, CERTs can provide knowledge and information regarding
trending and observed attacks.

Question 43

CSIRT

Answer 43

Computer Security Incident Response Ream (CSIRT)

a group that is responsible for responding to security incidents involving computer systems.

The team typically consists of information security professionals, network administrators, system administrators, legal representatives, and other stakeholders.

The team’s goal is to respond to security incidents quickly and effectively while minimizing the impact to the organization.

Question 44

Deep/Dark web

Answer 44

The dark web serves as an operating platform for many cybercrimes. Threat actors utilize the dark web to organize their efforts and sell products such as credit card numbers, drugs, weapons, and malware.

Observing this activity can provide insight to threat actor activities, future attacks, information regarding current tactics, and evidence of previously undiscovered breaches.

Question 45

Internal Sources

Answer 45

It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the environment being protected.

Activity logs are a goldmine of information and operational insight and must be continuously collected and analyzed.

Question 46

Proprietary/Closed-Source Intelligence Sources

Question 47

Threat intelligence data

Answer 47

Threat intelligence data refers to information collected, analyzed, and contextualized to identify and assess potential security threats.

Data can come from various sources, including open-source, human, and technical intelligence.

Threat intelligence data is categorized into two broad types: strategic and operational.

Question 48

3 important attributes of Threat intelligence data

Answer 48

timeliness,
relevancy, and
accuracy

Question 49

2 Categories of Threat intelligence data

Answer 49

strategic and operational

Question 50

Strategic threat intelligence

Answer 50

provides a high-level view of the threat landscape, including emerging trends, tactics, and techniques threat actors use.

Question 51

operational threat intelligence

Answer 51

provides more granular details about specific threats, such as indicators of compromise, malware analysis, and network forensics.

Question 52

The primary goal of threat intelligence data

Answer 52

The primary goal of threat intelligence data is to offer actionable insights and recommendations for enhanced security.

Question 53

Timeliness - Threat intelligence data

Answer 53

The speed at which threat data is collected and disseminated to ensure it is up-to-date and relevant.

Question 54

Relevancy - Threat intelligence data

Answer 54

The usefulness of the data in the context of a specific threat and the actionable insights and meaningful context it provides.

Question 55

Accuracy - - Threat intelligence data

Answer 55

The reliability and correctness of the threat data.

For example, ensuring it is free from errors, bias, or false information.

Question 56

Sources for Closed-Source Data

Answer 56

Closed-source data is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized.

Question 57

Honeynets

Answer 57

are a type of security tool used to detect and analyze cyber threats by deploying a network of intentionally vulnerable systems, known as honeypots, within an organization’s network.

These honeypots mimic legitimate network assets and services to attract and lure potential attackers.

By monitoring the activity and interactions with these decoy systems, security teams can gather valuable insights into the tactics, techniques, and procedures (TTPs) used by malicious actors.

Question 58

examples of Closed-Source commercial providers

Answer 58

CrowdStrike Falcon Threat Intelligence (https://www.crowdstrike.com/products/threat-intelligence/)

IBM X-Force Exchange (exchange.xforce.ibmcloud.com)

FireEye (https://www.mandiant.com/advantage/threat-intelligence)

Recorded Future (https://www.recordedfuture.com/research/intelligence-reports)

Question 59

Information Sharing and Analysis Centers (ISACs)

Answer 59

A not-for-profit group set up to share sector-specific threat intelligence and security best practices among its members.

Information Sharing and Analysis Centers (ISACs) provide critical Infrastructure owners and operators with cybersecurity information and services.

They facilitate the sharing of threat information and best practices between the public and private sectors, allowing for the protection of vital assets.

ISACs also provide advice on current and emerging cyber threats, helping to ensure a more secure cyber landscape.

Question 60

PCII

Answer 60

Protected Critical Infrastructure Information.

It is a program operated by the Department of Homeland Security (DHS) in the United States.

PCII provides certain legal protections for sensitive information related to critical infrastructure shared with or within Information Sharing and Analysis Centers (ISACs) or other authorized entities.

This protection helps encourage private-sector organizations to share information about vulnerabilities, threats, and incidents related to critical infrastructure without fear of disclosure or legal repercussions.

Question 61

Threat Intelligence Sharing

Answer 61

Threat intelligence sharing helps improve several aspects of cybersecurity, including
- incident response,
- vulnerability management,
- risk management, and
- security engineering.

Question 62

Incident Response - Threat Intelligence Sharing Benefits

Answer 62

Threat intelligence sharing can help organizations respond to security incidents more effectively by providing information about threat actors’ tactics,
techniques, and procedures (TTPs).

By sharing information with other organizations, incident responders can better understand the threat landscape and develop more effective incident
response plans.

Question 63

Vulnerability Management - Threat Intelligence Sharing Benefits

Answer 63

Threat intelligence sharing can help organizations identify and prioritize vulnerabilities more effectively.

Organizations can quickly identify and
mitigate potential risks by sharing information about emerging threats and vulnerabilities before
attackers exploit them.

Question 64

Risk Management - Threat Intelligence Sharing Benefits

Answer 64

Threat intelligence sharing can help organizations manage risk more effectively by providing insight
into emerging threats and attack trends.

By leveraging threat intelligence, organizations can make more informed decisions about where to allocate resources and which security controls to
implement to reduce risk.

Question 65

Security Engineering - Threat Intelligence Sharing Benefits

Answer 65

Threat intelligence sharing can also help inform security engineering efforts. By understanding the TTPs threat actors use, security engineers can design and implement more effective security
controls to prevent and detect attacks.

Question 66

Confidence level or Confidence score:

Answer 66

helps assess the reliability and relevance of threat intelligence by assigning a numerical value or score based on various factors such as the source credibility, data quality, and contextual information.

A higher confidence level indicates a greater degree of certainty or trustworthiness in the threat intelligence, making it more suitable for decision-making and action.

Question 67

The DHS identifies 16 critical infrastructure sectors

Answer 67

• Chemical Sector
• Commercial Facilities Sector
• Communications Sector
• Critical Manufacturing Sector
• Dams Sector
• Defense Industrial Base Sector
• Emergency services Sector
• Energy Sector
• Financial Services Sector
• Food and Agriculture Sector
• Government service and Facilities Sector
• Healthcare and Public Health Sector
• Information Technology Sector
• Nuclear Reactors Materials, and waste Sector
• Transportation Systems Sector
• Water and Wastewater Systems

One of the primary areas of focus for cybersecurity in industries that support critical infrastructure is with embedded systems and industrial control systems.

Question 68

Embedded Systems

Answer 68

Embedded systems are specialized computing systems designed to perform specific functions within a larger system or device.

Question 69

Industrial Control Systems (ICS)

Answer 69

Industrial Control Systems (ICS) are specialized systems used to monitor and control industrial processes and critical infrastructure such as manufacturing plants, power plants, water treatment facilities, and transportation systems.

Question 70

Critical Infrastructure Sectors - Government

Answer 70

The Multi-State ISAC serves nonfederal governments in the US, including state, local, tribal, and territorial governments.

Key cybersecurity concerns for governments include interference in the electoral process and the security of electronic voting mechanisms.

There is a dedicated ISAC for election infrastructure security issues.

Question 71

Critical Infrastructure Sectors - Healthcare

Answer 71

Healthcare providers are targeted by criminals for blackmail and ransom opportunities through compromising patient data or interfering with medical devices.

For more information on the Health ISAC, visit h-isac.org.

Question 72

Critical Infrastructure Sectors - Financial

Answer 72

The financial sector is a prime target for fraud and extortion.

Attackers can target both individual account holders and financial institutions.

Serious financial shocks, like major trading platform or ATM outages, can pose a national security risk.

For more information on the Financial Services ISAC, visit fsisac.com.

Question 73

Critical Infrastructure Sectors - Aviation

Answer 73

The aviation industry faces risks from fraud as well as from terrorists or hostile nation-state actors.

Air traffic control and aircraft operation rely on interconnected systems, some of which use aging infrastructure susceptible to interference and spoofing.

For more information on the Aviation ISAC, visit a-isac.com.

Question 74

Threat Intelligence Sharing

Answer 74

is crucial for cyber defense teams and cybersecurity organizations.

Cyber threat intelligence sharing focuses on finding indicators of compromise, tracking threat actor groups, documenting findings, discussing strategies, and distributing knowledge.

Many leading cybersecurity vendors share threat information via the Cyber Threat Alliance (CTA).

Participating in an industry group that actively shares information on threats and attacks helps bolster defensive team capabilities and effectiveness.

Question 75

Threat intelligence sharing goals

Answer 75

• Identifying indicators of compromise
• Tracking threat actor groups
• Documenting findings
• Discussing strategies
• Distributing knowledge

Question 76

The Automated Indicator Sharing (AIS) ecosystem

Answer 76

enables the exchange of machine-readable cyber threat indicators and defensive measures.

Question 77

US Cybersecurity and Infrastructure Security Agency (CISA).

Answer 77

AIS is managed and maintained CISA

Question 78

Threat Information platform

Answer 78

enables the analysis and distribution of
IOCs, tactics, techniques, and procedures (TTPs), threat actors, courses of action,
incidents, and other types of similar information.

Question 79

Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX).

Answer 79

protocols used for exchanging cyber threat intelligence in a structured and standardized manner.

Question 80

Trusted Automated eXchange of Indicator Information (TAXII)

Answer 80

a set of technical specifications and supporting documentation for securely exchanging cyber threat information in order to detect, prevent, and mitigate cyber threats in real time.

Question 81

Structured Threat Information eXpression (STIX)

Answer 81

a standardized language that uses a JSON-based lexicon to express and share threat intelligence information in a readable and consistent format.

It is similar to how a common language can help people from different parts of the world communicate. Only instead of conversation between people, STIX enables the exchange of cyber threat information between systems. STIX provides a common syntax so users can describe threats consistently by their motivations, abilities, capabilities, and responses.

Question 82

Threat Hunting:

Answer 82

A cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring.

aims to analyze routine activities and network traffic to identify potential anomalies indicative of malicious actions.

describes the systematic methods used to identify malicious cyber activities within an organization’s network.

subscribes to an “assume breach” mentality, crucial for protecting against advanced cyberattacks and developing procedural approaches to cyber resilience.