CySA+ 180.L2 - Exploring Threat Intelligence and Threat Hunting Concepts Flashcards

1
Q

What is Threat intelligence and threat hunting?

A

strategies used to detect and protect against active threats.

2
Q

Threat intelligence

A

describes gathering and analyzing data to help identify potential threats and determine the most effective way to mitigate them.

Threat intelligence enables the proactive identification of malicious activity and the capabilities and objectives of different threat actor groups.

3
Q

Threat hunting

A

describes actively searching for signs of malicious activity on an organization’s network.

Threat hunting involves using various tools and techniques to search for potential threats, such as analyzing log files, monitoring suspicious traffic, and performing manual searches.

4
Q

Threat actors

A

a person, group, or organization responsible for malicious activities.

They are often motivated by financial gain, political gain, or simply a desire to cause harm.

5
Q

Threat Actor Types

A
  • Nation-State
  • Organized Crime
  • Hacktivist
  • Insider Threat
  • Script Kiddie
  • Supply Chain Access
6
Q

attacks can be characterized as either

A

opportunistic or targeted

7
Q

Opportunistic attacks

A

can be launched without much sophistication or funding simply by using tools widely available on the Internet.

8
Q

Targeted attack

A

Targeted attacks use highly sophisticated tools and might be backed by a budget that can allocate resources and skilled professionals to achieving their aims.

9
Q

Nation-State

A

Developed cybersecurity expertise for military and commercial goals.

The goals of nation-state actors are primarily espionage and strategic advantage.

Mandiant’s APT1 report influenced understanding of modern cyberattack life cycles.

Nation-state actors have been implicated in many attacks, particularly on energy and electoral systems.

10
Q

Organized Crime

A

Organized crime groups leverage the global nature of the Internet to conduct their illicit activities from various locations around the world, often spanning multiple jurisdictions.

Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.

11
Q

Blackmail

A

a form of extortion where someone threatens to reveal embarrassing, damaging, or incriminating information about another person unless they are given money or some other form of benefit.

12
Q

Hacktivist

A

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda.

Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

Political, media, and financial groups and companies are probably most at risk, but environmental and animal advocacy groups may target companies in a wide range of industries.

13
Q

Insider Threat

A

an actor who has been identified by the organization and granted some sort of access.

Within this group of internal threats, the threat is subdivided into 1) insiders with permanent privileges, such as employees, and 2) insiders with temporary privileges, such as contractors and guests.

14
Q

Intentional insider - Threat Actors

A

An intentional insider is very much aware of their actions and has a clear intent and goal.

15
Q

Unintentional insiders

A

An unintentional insider may cause a vulnerability to be realized by misconfiguring a system or service in IT, clicking links and opening attachments in phishing emails, or by acquiring and using unauthorized software and/or cloud services, also referred to as Shadow IT.

16
Q

Script Kiddie

A

someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks.

Script kiddie attacks might have no specific target or reasonable goal other than gaining attention or proving technical abilities.

17
Q

Supply Chain Access

A

A common trend observed in attacks involves identifying the vendors and/or products an organization uses on an ongoing basis.

For example, a vendor may supply software products so an attacker can work to gain access to the software supplier, whose security practices may be lackluster, to insert malicious code into the vendor software prior to delivery to the target organization.

18
Q

Advanced Persistent Threat (APT)

A

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time.

One of the defining characteristics of an APT is anti-forensics, where the adversary removes evidence of the attack.

19
Q

Forensics

A

in the context of cybersecurity, refers to the process of collecting, analyzing, and interpreting digital evidence to investigate and respond to security incidents or cybercrimes.

20
Q

Command and Control (C&C or C2)

A

the centralized system used by attackers to manage and control compromised devices or networks.

It allows attackers to issue commands, receive data, and coordinate malicious activities remotely.

21
Q

Rootkit

A

malware that can give a threat actor the highest privileges to control your computer without your consent or knowledge.

22
Q

Advanced Persistent Threat (APT) typically targets

A

Large organizations, such as financial institutions, companies in healthcare, and other organizations that store large volumes of personally identifiable information (PII), especially when the PII describes important government and political figures.

Historically, APTs have been observed targeting governments to carry out political objectives, interfere in elections, or spy on another country.

As APT groups are identified and profiled, they are assigned unique number identifiers and code names.

23
Q

Advanced Persistent Threat (APT) - Advance Nature

A

They are rarely executed by lone attackers using publicly available exploits.

APTs are typically carried out by well-resourced and organized threat actors.

APT threat groups can access considerable financial and personnel resources, including teams specializing in custom exploit development and execution.

APTs spend considerable time gathering intelligence on their targets to develop highly specific exploits.

APT groups often combine many different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer.

Most APTs are interested in maintaining access, or persistence, to networks and systems. Because of this, APTs are some of the most notorious and harmful threats to organizations and governments.

24
Q

Orchestrated Attacks

A

APT groups often combine many different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer.

For example, an orchestrated attack may begin with spear-phishing emails, followed by malware deployment and lateral movement within the target network.

25
Q

Tactics, techniques, and procedures (TTPs)

A

A core concept in computer security that describes the methods threat actors or groups use when they want to compromise a target.

Cybersecurity teams leverage the documented TTPs attributed to various threat actor groups to fingerprint how adversaries conduct cyberattacks to compromise organizations.

26
Q

profile, or fingerprint

A

Cybersecurity analysts carefully deconstruct and document methods used by well-known threat actor groups to create a profile, or fingerprint, that identifies them.

These profiles can also help improve an organization’s defensive capabilities by understanding the methods attackers will use to gain access to their environment.

27
Q

TTPs - Improving Defensive Capabilities:

A

Understanding attacker methods enhances an organization’s defensive capabilities.

This enables organizations to anticipate and counter potential attacks more effectively.

28
Q

Behavioral analysis

A

identifies abnormal behaviors.

29
Q

Threat information feeds

A

insight into popular attack patterns and active threat actors.

This information helps defensive teams identify if any associated TTPs appear in their environments.

30
Q

User and Entity behavior analytics (UEBA)

A

UEBA is a critical risk management solution that leverages ML algorithms and behavior analytics to provide comprehensive user and entity insights.

A system that can provide automated identification of suspicious activity by user accounts and computer hosts.

By delving into these insights, security teams can identify anomalies and take measures to mitigate potential impacts.

31
Q

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

A

ATT&CK - A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.

32
Q

Open-Source Intelligence (OSINT)

A

The collection and analysis of data gathered from open sources (overt sources and publicly available information) to produce actionable intelligence.

OSINT sources are diverse and include social media, blog posts, news articles, chat forums, and many other sources.

Once potential threats are identified, threat-intelligence sharing platforms can help identify specific details about them, such as origin, methods, and potential targets, and track how they evolve.

OSINT can allow an attacker to develop any number of strategies for compromising a target.

33
Q

Reconnaissance - OSINT

A

Reconnaissance is often the precursor to more direct attacks.

Understanding reconnaissance techniques and applying them to your own company and networks will reveal how much useful information is being unintentionally provided to threat groups.

You can also use reconnaissance as a counterintelligence tool to build up profiles of potential or actual adversaries.

34
Q

Publicly available information - OSINT

A

An attacker can harvest information from public repositories and web searches.

Available information includes categories such as the IP addresses of an organization’s DNS servers; the range of addresses assigned to the organization; names, email addresses, and phone numbers of contacts within the organization; and the organization’s physical address. This data is publicly available through Whois records, Securities and Exchange Commission (SEC) filings, telephone directories, and more.

35
Q

WHOIS

A

A protocol used to query databases that store information about registered domain names and IP addresses.

36
Q

Securities and Exchange Commission (SEC)

A

a U.S. government agency responsible for regulating the securities industry, enforcing federal securities laws, and overseeing securities markets.

Its primary mission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.

The SEC achieves these objectives by requiring companies to disclose important financial information to the public

37
Q

Social Media - OSINT

A

Attackers can use social media sites like Facebook and LinkedIn to find an organization’s information.

Depending on how much an organization or an organization’s employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of.

38
Q

HTML code - OSINT

A

The HTML code of an organization’s web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators.

The layout and organization of the code can reveal development practices, capabilities, and level of security awareness.

39
Q

Metadata - OSINT

A

Attackers can run metadata scans on publicly available documents using a tool like Fingerprinting Organizations with Collected Archives (FOCA).

For example, Microsoft Office documents posted on the Internet may not directly divulge sensitive information about an organization, but an attacker could extract useful information from their metadata, including the names of authors or anyone who made a change to the document. By using search engines, FOCA (https://github.com/ElevenPaths/FOCA) can cross-reference files with other domains to find and extract metadata.

40
Q

Defensive OSINT

A

Intelligence gathering that focuses on identifying threats.

  • Government bulletins
  • CERT (computer emergency response team )
  • CSIRT (computer security incident response team)
  • Deep/Dark web
  • Internal sources

It also helps create a strategy to minimize the impact of an attack before it occurs.

The most critical component of defensive cybersecurity OSINT is identifying potential attackers and their attack methods beforehand.

41
Q

Government bulletins - OSINT

A

The government is responsible for protecting the country’s constituents and the national infrastructure and publishing a wide variety of information and advice regarding observed threats.

For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) publish several types of cybersecurity guidance, including basic informational content and binding operational directives that federal agencies must implement.

42
Q

CERT

A

Computer Emergency Response Team (CERT)

The goal of a CERT is to mitigate cybercrime and minimize damage by responding to incidents quickly.

They work with local law enforcement, federal agencies, and other organizations to help prevent cyberattacks. CERTs coordinate responses to major events like natural disasters or terrorist attacks. Because of this, CERTs can provide knowledge and information regarding trending and observed attacks.

43
Q

CSIRT

A

Computer Security Incident Response Team (CSIRT)

a group that is responsible for responding to security incidents involving computer systems.

The team typically consists of information security professionals, network administrators, system administrators, legal representatives, and other stakeholders.

The team’s goal is to respond to security incidents quickly and effectively while minimizing the impact to the organization.

44
Q

Deep/Dark web

A

The dark web serves as an operating platform for many cybercrimes. Threat actors utilize the dark web to organize their efforts and sell products such as credit card numbers, drugs, weapons, and malware.

Observing this activity can provide insight to threat actor activities, future attacks, information regarding current tactics, and evidence of previously undiscovered breaches.

45
Q

Internal Sources

A

It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the environment being protected.

Activity logs are a goldmine of information and operational insight and must be continuously collected and analyzed.

46
Q

Proprietary/Closed-Source Intelligence Sources

A
47
Q

Threat intelligence data

A

Threat intelligence data refers to information collected, analyzed, and contextualized to identify and assess potential security threats.

Data can come from various sources, including open-source, human, and technical intelligence.

Threat intelligence data is categorized into two broad types: strategic and operational.

48
Q

3 important attributes of Threat intelligence data

A

timeliness,
relevancy, and
accuracy

49
Q

2 Categories of Threat intelligence data

A

strategic and operational

50
Q

Strategic threat intelligence

A

provides a high-level view of the threat landscape, including emerging trends, tactics, and techniques threat actors use.

51
Q

operational threat intelligence

A

provides more granular details about specific threats, such as indicators of compromise, malware analysis, and network forensics.

52
Q

The primary goal of threat intelligence data

A

The primary goal of threat intelligence data is to offer actionable insights and recommendations for enhanced security.

53
Q

Timeliness - Threat intelligence data

A

The speed at which threat data is collected and disseminated to ensure it is up-to-date and relevant.

54
Q

Relevancy - Threat intelligence data

A

The usefulness of the data in the context of a specific threat and the actionable insights and meaningful context it provides.

55
Q

Accuracy - Threat intelligence data

A

The reliability and correctness of the threat data.

For example, ensuring it is free from errors, bias, or false information.

56
Q

Sources for Closed-Source Data

A

Closed-source data is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized.

57
Q

Honeynets

A

are a type of security tool used to detect and analyze cyber threats by deploying a network of intentionally vulnerable systems, known as honeypots, within an organization’s network.

These honeypots mimic legitimate network assets and services to attract and lure potential attackers.

By monitoring the activity and interactions with these decoy systems, security teams can gather valuable insights into the tactics, techniques, and procedures (TTPs) used by malicious actors.

58
Q

examples of Closed-Source commercial providers

A

CrowdStrike Falcon Threat Intelligence (https://www.crowdstrike.com/products/threat-intelligence/)

IBM X-Force Exchange (exchange.xforce.ibmcloud.com)

FireEye (https://www.mandiant.com/advantage/threat-intelligence)

Recorded Future (https://www.recordedfuture.com/research/intelligence-reports)

59
Q

Information Sharing and Analysis Centers (ISACs)

A

A not-for-profit group set up to share sector-specific threat intelligence and security best practices among its members.

Information Sharing and Analysis Centers (ISACs) provide critical Infrastructure owners and operators with cybersecurity information and services.

They facilitate the sharing of threat information and best practices between the public and private sectors, allowing for the protection of vital assets.

ISACs also provide advice on current and emerging cyber threats, helping to ensure a more secure cyber landscape.

60
Q

PCII

A

Protected Critical Infrastructure Information.

It is a program operated by the Department of Homeland Security (DHS) in the United States.

PCII provides certain legal protections for sensitive information related to critical infrastructure shared with or within Information Sharing and Analysis Centers (ISACs) or other authorized entities.

This protection helps encourage private-sector organizations to share information about vulnerabilities, threats, and incidents related to critical infrastructure without fear of disclosure or legal repercussions.

61
Q

Threat Intelligence Sharing

A

Threat intelligence sharing helps improve several aspects of cybersecurity, including
- incident response,
- vulnerability management,
- risk management, and
- security engineering.

62
Q

Incident Response - Threat Intelligence Sharing Benefits

A

Threat intelligence sharing can help organizations respond to security incidents more effectively by providing information about threat actors’ tactics, techniques, and procedures (TTPs).

By sharing information with other organizations, incident responders can better understand the threat landscape and develop more effective incident response plans.

63
Q

Vulnerability Management - Threat Intelligence Sharing Benefits

A

Threat intelligence sharing can help organizations identify and prioritize vulnerabilities more effectively.

Organizations can quickly identify and mitigate potential risks by sharing information about emerging threats and vulnerabilities before attackers exploit them.

64
Q

Risk Management - Threat Intelligence Sharing Benefits

A

Threat intelligence sharing can help organizations manage risk more effectively by providing insight into emerging threats and attack trends.

By leveraging threat intelligence, organizations can make more informed decisions about where to allocate resources and which security controls to implement to reduce risk.

65
Q

Security Engineering - Threat Intelligence Sharing Benefits

A

Threat intelligence sharing can also help inform security engineering efforts. By understanding the TTPs threat actors use, security engineers can design and implement more effective security controls to prevent and detect attacks.

66
Q

Confidence level or Confidence score:

A

helps assess the reliability and relevance of threat intelligence by assigning a numerical value or score based on various factors such as the source credibility, data quality, and contextual information.

A higher confidence level indicates a greater degree of certainty or trustworthiness in the threat intelligence, making it more suitable for decision-making and action.

67
Q

The DHS identifies 16 critical infrastructure sectors

A
  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base Sector
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Service and Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Systems Sector
  • Water and Wastewater Systems Sector

One of the primary areas of focus for cybersecurity in industries that support critical infrastructure is with embedded systems and industrial control systems.

68
Q

Embedded Systems

A

Embedded systems are specialized computing systems designed to perform specific functions within a larger system or device.

69
Q

Industrial Control Systems (ICS)

A

Industrial Control Systems (ICS) are specialized systems used to monitor and control industrial processes and critical infrastructure such as manufacturing plants, power plants, water treatment facilities, and transportation systems.

70
Q

Critical Infrastructure Sectors - Government

A

The Multi-State ISAC serves nonfederal governments in the US, including state, local, tribal, and territorial governments.

Key cybersecurity concerns for governments include interference in the electoral process and the security of electronic voting mechanisms.

There is a dedicated ISAC for election infrastructure security issues.

71
Q

Critical Infrastructure Sectors - Healthcare

A

Healthcare providers are targeted by criminals for blackmail and ransom opportunities through compromising patient data or interfering with medical devices.

For more information on the Health ISAC, visit h-isac.org.

72
Q

Critical Infrastructure Sectors - Financial

A

The financial sector is a prime target for fraud and extortion.

Attackers can target both individual account holders and financial institutions.

Serious financial shocks, like major trading platform or ATM outages, can pose a national security risk.

For more information on the Financial Services ISAC, visit fsisac.com.

73
Q

Critical Infrastructure Sectors - Aviation

A

The aviation industry faces risks from fraud as well as from terrorists or hostile nation-state actors.

Air traffic control and aircraft operation rely on interconnected systems, some of which use aging infrastructure susceptible to interference and spoofing.

For more information on the Aviation ISAC, visit a-isac.com.

74
Q

Threat Intelligence Sharing

A

is crucial for cyber defense teams and cybersecurity organizations.

Cyber threat intelligence sharing focuses on finding indicators of compromise, tracking threat actor groups, documenting findings, discussing strategies, and distributing knowledge.

Many leading cybersecurity vendors share threat information via the Cyber Threat Alliance (CTA).

Participating in an industry group that actively shares information on threats and attacks helps bolster defensive team capabilities and effectiveness.

75
Q

Threat intelligence sharing goals

A
  • Identifying indicators of compromise
  • Tracking threat actor groups
  • Documenting findings
  • Discussing strategies
  • Distributing knowledge
76
Q

The Automated Indicator Sharing (AIS) ecosystem

A

enables the exchange of machine-readable cyber threat indicators and defensive measures.

77
Q

US Cybersecurity and Infrastructure Security Agency (CISA).

A

AIS is managed and maintained by CISA.

78
Q

Threat Information platform

A

enables the analysis and distribution of IOCs, tactics, techniques, and procedures (TTPs), threat actors, courses of action, incidents, and other types of similar information.

79
Q

Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX).

A

protocols used for exchanging cyber threat intelligence in a structured and standardized manner.

80
Q

Trusted Automated eXchange of Indicator Information (TAXII)

A

a set of technical specifications and supporting documentation for securely exchanging cyber threat information in order to detect, prevent, and mitigate cyber threats in real time.

81
Q

Structured Threat Information eXpression (STIX)

A

a standardized language that uses a JSON-based lexicon to express and share threat intelligence information in a readable and consistent format.

It is similar to how a common language can help people from different parts of the world communicate. Only instead of conversation between people, STIX enables the exchange of cyber threat information between systems. STIX provides a common syntax so users can describe threats consistently by their motivations, abilities, capabilities, and responses.

82
Q

Threat Hunting:

A

A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring.

aims to analyze routine activities and network traffic to identify potential anomalies indicative of malicious actions.

describes the systematic methods used to identify malicious cyber activities within an organization’s network.

subscribes to an “assume breach” mentality, crucial for protecting against advanced cyberattacks and developing procedural approaches to cyber resilience.