CySA+ Study Guide Flashcards
Security Intelligence
The process through which data generated in the ongoing use of information systems is collected, processed, analyzed, and disseminated to provide insights into the security status of those systems
What is a Cybersecurity Analyst?
A senior position within an organization’s security team with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that protect it.
Cybersecurity teams contain junior and senior analysts
What are some functions of a cybersecurity analyst?
Implementing and configuring security controls
Working in a SOC or CSIRT
Auditing security processes and procedures
Conducting risk assessments, vulnerability assessments, and penetration tests
Maintaining up-to-date threat intelligence
What is a “SOC”?
Security Operations Center
A location where security professionals monitor and protect critical information assets in an organization
The SOC should be the single point of contact for security, monitoring, and incident response
SOCs usually exist for larger corporations, government agencies, and health care organizations
What are security controls?
A security control is a technology or procedure put in place to mitigate vulnerabilities and risk in order to ensure the confidentiality, integrity, availability, and nonrepudiation of data and information.
What are the 4 main security controls?
AC – Access Control
AA – Accountability
IR – Incident Response
RA – Risk Assessment
What are Technical (Logical) Controls?
A category of security control that is implemented as a system (hardware, software, or firmware)
What are Operational Controls?
A category of security control that is implemented primarily by people rather than systems
What are Managerial Controls?
A category of security control that provides oversight of the information system
What is a Preventative Control?
A control that acts to eliminate or reduce the likelihood that an attack can succeed
What is a Detective Control?
A control that may not prevent or deter access, but will identify and record any attempted or successful intrusion
What is a Corrective Control?
A control that acts to eliminate or reduce the impact of an intrusion event
What is a Physical Control?
A type of security control that acts against in-person intrusion attempts
What is a Deterrent Control?
A type of security control that discourages intrusion attempts
What is a Compensating Control?
A type of security control that acts as a substitute for a principal control
What is the CIA Triad?
Confidentiality, Integrity, and Availability
Cyber Threat Intelligence
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources to provide data about the external threat landscape
▪ Narrative reports
▪ Data Feeds
You don’t use narrative reports or data feeds… you use both!
5 steps of the Intelligence Cycle
Requirements (Planning & Direction)
Collection (& Processing)
Analysis
Dissemination
Feedback
Intelligence Sources
You must consider the sources of your intelligence
● Timeliness
Property of an intelligence source that ensures it is up-to-date
● Relevancy
Property of an intelligence source that ensures it matches the use cases intended for it
● Accuracy
Property of an intelligence source that ensures it produces effective results
● Confidence Levels
Property of an intelligence source that ensures it produces qualified statements about reliability
Proprietary
Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee
Closed-Source
Data that is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized
Open-Source
Data that is available to use without subscription; it may include threat feeds similar to the commercial providers, and may contain reputation lists and malware signature databases
Examples of Open-Source
▪ US-CERT
▪ UK’s NCSC
▪ AT&T Security (OTX)
▪ MISP
▪ VirusTotal
▪ Spamhaus
▪ SANS ISC Suspicious Domains
Open-Source Intelligence (OSINT)
Methods of obtaining information about a person or organization through public records, websites, and social media
ISACs
Information Sharing and Analysis Center (ISAC)
A not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members
CISP
The Cyber Security Information Sharing Partnership (CISP) is like an ISAC within the UK
Critical Infrastructure
Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these
ICS, SCADA, and embedded system threats are a main focus within critical infrastructure
Types of Critical Infrastructure
● Government
Serves non-federal governments in the US, such as state, local, tribal, and territorial governments
● Healthcare
Serves healthcare providers that are targets of criminals seeking blackmail and ransom opportunities by compromising patient data records or interfering with medical devices
● Financial
Serves the financial sector to prevent fraud and extortion of both the consumer and financial institutions
● Aviation
Serves the aviation industry to prevent fraud, terrorism, service disruptions, and unsafe operations of air traffic control systems
Threat Intelligence Sharing is part of which intelligence cycle phase?
Dissemination Phase
What are the steps of dissemination?
● Risk Management
Identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact
● Incident Response
An organized approach to addressing and managing the aftermath of a security breach or cyberattack
● Vulnerability Management
The practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities
● Detection and Monitoring
The practice of observing activity to identify anomalous patterns for further analysis
Known Threats
A threat that can be identified using basic signature or pattern matching
Malware
Any software intentionally designed to cause damage to a computer, server, client, or computer network
Documented Exploits
A piece of software, data, or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data
Unknown Threats
A threat that cannot be identified using basic signature or pattern matching
Zero-day Exploit
An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong
Obfuscated Malware Code
Malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware
Behavior-based Detection
A malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior
Recycled Threats
Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning
Known Unknowns
A classification of malware that contains obfuscation techniques to circumvent signature-matching and detection
Unknown Unknowns
A classification of malware that contains completely new attack vectors and exploits
Nation-state Actor
A type of threat actor that is supported by the resources of its host country’s military and security services
Organized Crime
A type of threat actor that uses hacking and computer fraud for commercial gain
Hacktivist
A type of threat actor that is motivated by a social issue or political cause
Insider Threat
A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident
Insider threats can be either intentional or unintentional
What about an ex-employee? Are they threats?
Ex-employees can be classified as internal threats or treated as external threats with insider knowledge
Intentional Threat
A threat actor who conducts an attack with a specific purpose
Unintentional Threat
A threat actor that causes a vulnerability or exposes an attack vector without malicious intent
Shadow IT is a form of unintentional insider threat
Commodity Malware
Malicious software applications that are widely available for sale or easily obtainable and usable
Identifying whether the malware is commodity or targeted can help determine the severity of an incident
Zero-day Vulnerability
A vulnerability that is discovered or exploited before the vendor can issue a patch to fix it
APT
Advanced Persistent Threat (APT)
An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware
APTs are considered a known unknown threat
APTs often target financial institutions, healthcare companies, and governments to get large PII data sets
Command and Control (C2)
An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets
Persistence
The ability of a threat actor to maintain covert access to a target host or network