Dion Sections 1-3

Question 1

Security Control

Answer 1

mitigates vulnerabilities and risk to ensure the confidentiality, integrity, availability, nonrepudiation, and authentication of data

Question 2

Security controls should be selected and deployed in a structured manner using a …

Answer 2

Risk Management Framework

Question 3

What is NIST Special Publication 800-53 for?

Answer 3

Federal information systems and organizations.

Question 4

What is NIST Special Publication 800-171 for?

Answer 4

outlines security requirements for protecting CUI in Non-Federal systems and organizations

Question 5

What is the ISO framework

Answer 5

a set of requirements for defining, implementing, operating, and improving an Information Security Management System (ISMS)

Question 6

What is a technical (logical) control?

Answer 6

A category of security control that is implemented as a system (hardware, software, or firmware).

Question 7

Digital signature

Answer 7

a hash of the email you’re going to send, encrypted with your digital private key.

Question 8

Operational Controls

Answer 8

A category of security control that is implemented primarily by people rather than systems.

Question 9

Managerial Controls

Answer 9

A category of security control that provides oversight of the information system.

Question 10

Security Control Functional Types (7) P,D,C,P,D,C,R

Answer 10

Preventative, Detective, Corrective, Physical, Deterrent, Compensating, Responsive

Question 11

What is a preventative control

Answer 11

A control that acts to eliminate or reduce the likelihood that an attack can succeed.

Question 12

Detective control

Answer 12

A control that may not prevent or deter access, but will identify and record any attempted or successful intrusion.

Question 13

Corrective control

Answer 13

A control that acts to eliminate or reduce the impact of an intrusion event.

Question 14

No single security control is invulnerable, how is the efficiency of a control instead measured?

Answer 14

By how long it delays an attack

Question 15

Physical Control

Answer 15

A type of security control that acts against in-person intrusion attempts.

Question 16

Deterrent Control

Answer 16

A type of security control that discourages intrusion attempts.

Question 17

Compensating Control

Answer 17

A type of security control that acts as a substitute for a principal control. Not the top line, but gives you some protection.

Question 18

Responsive Control

Answer 18

System that actively monitors for potential vulnerabilities or attacks, and then takes action to mitigate them before they can cause damage

Question 19

Firewall

Answer 19

system that monitors all incoming and outgoing network, traffic and blocks

Question 20

Intrusion Prevention System (IPS)

Answer 20

devices that can monitor network traffic for patterns that indicate an intrusion is occurring such as a repeated failed log on attempt.

Question 21

How do you decide which security control you’re actually going to apply?

Answer 21

It depends on the risk

Question 22

How can I mitigate risk?

Answer 22

Use the CIA triad. Ask which part or parts do you have controls for and how can you add controls for what you are missing so that you cover all of them or mitigate what can’t be covered.

Question 23

Security Intelligence

Answer 23

process where data is generated and is then collected, processed, analyzed, and disseminated to provide insights into the security status of information systems.

Question 24

Security Intelligence points…

Answer 24

Inward. As you go through your FW logs, intrusion detection alerts and other things, you’re understanding what your security posture is internally.
We are looking inward, how are our systems looking?

Question 25

Cyber Threat Intelligence (CTI)

Answer 25

Investigation, collection, analysis, and dissemination of information about emerging threats and threat sources to provide data about the external threat landscape.

Question 26

CTI points…

Answer 26

Outward, we are thinking about attacker groups, malware outbreaks, 0 day exploits. All of the bad things out there and what could hurt us.

Question 27

What are 2 forms of CTI

Answer 27

Narrative reports & Data Feeds

Question 28

In CTI what is a narrative report and what do they do?

Answer 28

gives us the analysis of a certain adversary group or a certain type of malware. These give you intel about what the bad guys are doing and can help security professionals decide where we want to put money and which security controls we want to have to be able to defend ourselves from the bad guys and those types of attacks.

Question 29

In CTI what is a data feed and what are some examples

Answer 29

can be a list of known bad indicators (IOCs), domain names, IP addresses, it might be something like hashes of exploit malware code.

Question 30

What kind of information are things like domain names, IP addresses or hashes of exploit malware code.

Answer 30

Tactical information

Question 31

Data feeds are very..

Answer 31

tactical, informational that we can do something with. EX: known bad Ips, can be blocked in the FW so no connections can go to it.

Question 32

What are the phases of the Intelligence Cycle

Answer 32

1. Requirements (Planning & Direction)
2. Collections (& Processing)
3. Analysis
4. Dissemination
5. Feedback

Question 33

Security Intelligence is a..

Answer 33

process. It’s not just about collecting data, you have to plan to collect that data, go through and process that data and review it.

Question 34

What is Phase 1: Requirements (Planning & Direction), in the Intel Cycle?

Answer 34

Sets out the goals for the intelligence gathering effort. What do we want to collect? What do we care about? What do we want to spend the time money and resources to collect?

Question 35

What is Phase 2: Collection (& Processing), in the Intel Cycle?

Answer 35

Implements and using software tools to gather data which is then processed for later analysis.

Question 36

In Phase 2 of the Intel Cycle what is the ‘processing part’

Answer 36

where we will convert all the data into a standard format.
o When all the data is coming from different systems, it might be coming in a different format; we will need to normalize that data and that is the ‘processing’ part. All the IP addresses will go in a column, all the timestamps will go in another column, all the domains will go in a 3rd column. This way we can search and index all the information and use it as we search for those things later in our analysis cycle.

Question 37

What is Phase 3: Analysis, of the Intel Cycle?

Answer 37

This may use automated analysis, AI and ML and is performed against the given use cases from the planning phase. (if it doesn’t impact your and your business, it shouldn’t matter)

Question 38

What three categories is data put into in Phase 3: Analysis of the Intel Cycle?

Answer 38

1. Known good - we are going to allow it
2. Known bad - we are going to block it
3. Not sure - this is where further analysis needs to be done. Things like machine learning and AI have to be used to help our humans go through all the data because there is just too much stuff going over our networks.

Question 39

In the Intel Cycle, all analysis should be done in the context of a..

Answer 39

use case.

Question 40

In the Intel Cylce, what is a use case?

Answer 40

the use cases are something that we developed all the way back in our planning phase. We decided what type of information we were interested in, for what reason and confirmed it was something that would/does impact our organization rather than wasting time, money and resources on data that doesn’t effect us.

Question 41

What is Phase 4: Dissemination, in the Intel Cycle?

Answer 41

Published information produced by analysts to consumers who need to act on the insights developed. This can take a lot of different forms and it depends on your organization and what the intended audience is. You may have oral, written, PowerPoint presentations or even emails.

Question 42

What are the 3 most common levels we like to break dissemination into?

Answer 42

1. Strategic
2. Operational
3. Tactical

Question 43

define the dissemination level: Strategic, regarding CTI

Answer 43

addresses broad themes and objectives. These usually affect projects and business priorities over weeks, months, and years.

Question 44

Give an example of the dissemination level: Strategic, regarding CTI

Answer 44

a report to an executive or a PowerPoint presentation in a large group.

Question 45

define the dissemination level: Operational, regarding CTI

Answer 45

addresses the day-to-day priorities of manager and specialist.

Question 46

Give an example of the dissemination level: Operational, regarding CTI

Answer 46

An example is a checklist of the things you should be worried about today and these are the things we need to focus on today.

Question 47

define the dissemination level: Tactical, regarding CTI

Answer 47

informs real-time decisions made by staff as they encounter different alerts and system indications.

Question 48

Give an example of the dissemination level: Tactical, regarding CTI

Answer 48

someone working in a SOC and they see an alert pop up on your screen that is considered tactical intel, it needs to be dealt with right now and is real time.

Question 49

What is Phase 5: Feedback, in the Intel Cycle?

Answer 49

Lessons learned: Aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs. Basically, how can we do things better?

Question 50

Name 3 things that should be take aways from Phase 5: Feedback, of the Intel Cycle

Answer 50

1. Lesson learned: Figuring out what incidents occurred during this intel gathering this cycle so we can avoid those problems the next cycle.
2. Measurable success: o What metrics are going to show us success or failure of the intelligence gathering?
3. Evolving threat issues: we want to start shifting out intel collections towards the threat vectors as they change.

Question 51

T or F
We have to be able to identify some factors to weigh the value of the intelligence that we’re getting.

Answer 51

T
This is important because we have to consider the sources of our intel. There are lots of intel sources but not all are created equal.

Question 52

What two parts can be dug out of Phase 2: Collecting (& Processing), of the Intel Cycle?

Answer 52

1. Evaluation
2. Sources

Question 53

Factors Used to Evaluate Sources:

Answer 53

Timeliness, Relevancy, Accuracy, Confidence Level

Question 54

When evaluating sources in Phase 2: Collecting (& Processing), of the Intel Cycle what is Timeliness

Answer 54

Ensures an intelligence source is up-to-date. Over time the information is not nearly as valuable. EX: if I know someone is attaching your network today and I don’t tell you about it for three years, it’s not very useful.

Question 55

When evaluating sources in Phase 2: Collecting (& Processing), of the Intel Cycle what is Relevancy

Answer 55

● Ensures an intelligence source matches its intended use case.
o EX: if I see there are a lot of attacks going against MacOS but we use Windows, does that really apply to me?
o Think: what affects me and my organization?

Question 56

When evaluating sources in Phase 2: Collecting (& Processing), of the Intel Cycle what is Accuracy?

Answer 56

● Ensures an intelligence source produces effective results. This means the information needs to be valid and true.
o EX: if you tell me that I’ve been attacked and I look and can’t find anything, was I really attacked or was your info bad? We don’t really know.
o We want to try to eliminate as many false positives as possible, especially when using automated software, machine learning and AI. Make sure that we’re getting the right info so that we can do our analysis properly on good information and create good decisions.

Question 57

When evaluating sources in Phase 2: Collecting (& Processing), of the Intel Cycle what is Confidence Level?

Answer 57

● Ensures an intelligence source produces qualified statements about reliability.
When an analyst publishes report, they don’t have a hundred percent of the facts. It’s just the way this works. We’re trying to guess our way through this and we’re getting lots of different pieces of information and lots of different indicators and we try to put together the best report we can.

Question 58

What are the 3 general sources of information in CTI?

Answer 58

1. Proprietary
2. Closed-Source
3. Open-Source

Question 59

Name some different sources of open-source intell

Answer 59

1. US-CERT
2. UKs NCSC
3. AT&T Security (OTX)
4. MISP - Malware Information Sharing project
5. VirusTotal
6. spamhaus - focused on spam and email
7. SANS ISC Suspicious Domains - focused on domains.

Question 60

What is explicit knowledge?

Answer 60

knowledge you can write down, see, feel and touch.

Question 61

What is implicit knowledge?

Answer 61

really useful but you can only get it from experience practitioners in the field. This is that sense they have that they just go ‘ah, I know something is wrong here because of my 20 years of experience’. They may not always have the latest trends in cybersec, although most of the time they do, but they have the ability to give you that attitude and instinct because of their career as a cyber security professional. Overtime, you will develop this.

Question 62

Threat feeds are a form of ____ knowledge

Answer 62

explicit

Question 63

Open-Source Intelligence (OSINT)

Answer 63

method of obtaining information about a person or organization through public records, websites, and social media

Question 64

What are Information Sharing and Analysis Centers (ISACS)

Answer 64

A not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.

Question 65

Name some examples of areas ISACs exist in:

Answer 65

Critical infrastructure, Government, Healthcare, Financial, Aviation

Question 66

Critical Infrastructure

Answer 66

Any physical or virtual infrastructure that is considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these.

Question 67

When talking about ISACs Government means:

Answer 67

non-federal governments in the US, such as state, local, tribal, and territorial governments.

Question 68

Financial ISACs serve..

Answer 68

financial sector to prevent fraud and extortion of both the consumer and financial institutions.
For example, we want to make sure we’re getting information about anybody who’s trying to affect a major trading platform or the stock market or someone who might be able to go after ATMs to have them give out money for free. These could pose a national security or economic risk to our country.

Question 69

Aviation ISACs serve..

Answer 69

the aviation industry to prevent fraud, terrorism, service disruptions, and unsafe operations of air traffic control systems.

Question 70

In Phase 4: Dissemination, of the Intel Cycle, what do we dig deeper into?

Answer 70

1. Risk Management & Security Engineering
2. Incident Response
3. Vulnerability Management
4. Detection and Monitoring

Question 71

Define Risk Management in the Intel Cycle

Answer 71

Identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact

Question 72

Why is threat intelligence important to risk management

Answer 72

Because it tells us how risky a certain thing is based on outside threats, because we know our own vulnerabilities through our vulnerability management and our scanning, but if we don’t know what attackers are coming after us we cant really think about the threat. So, putting those two together (threat intelligence and risk management) is really important.

Question 73

Define Incident Response in the Intel Cycle

Answer 73

An organized approach to addressing and managing the aftermath of a security breach or cyberattack.

Question 74

If someone has been successful in penetrating our network, we need intelligence to help keep them out. The best type of intel here is…

Answer 74

tactical-level intel because we need to know where they are in our networks, what IPs they’re coming from, what they’re going to do once they’re inside our network, and all those tactical pieces of threat intel will help us ID where they are and how we can get them out of our network and prevent them from coming back.

Question 75

Define Vulnerability Management in the Intel Cycle

Answer 75

The practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.

Question 76

Define Detection and Monitoring in the Intel Cycle

Answer 76

The practice of observing activity to identify anomalous patterns for further analysis.
o As we know what threats are out there, we can then tune our sensors better. This allows us to add more rules and definitions based on different observed incidences that have happened either to our organization or partner organizations, or one of those commercial data feeds that we’re subscribed to. By getting that info, we can tune our sensors to have a lot more true positives and a lot less false positive. This is why it’s a good idea to make sure you’re on the dissemination chain for threat intelligence.