exam

Question 1

The MITRE ATT&CK frameworks contain domain-adapted knowledge of attacker
tactics and techniques e.g. for enterprise systems or industrial control systems. Its
main use is to place detected adversary activity within a framework, which allows
the identification of likely related activities and indicators of compromise.
Can such a framework also be utilised to synthesise attack patterns such as for use in
training exercises? Give a reasoned answer why this may or may not be
appropriate. [25]

Answer 1

negative: the matrices are restrained in how the attack is constructed and its hard to discern the intent of the attacker. (which is critical for apt style attacks)

Question 2

In assessing the criticality of a given node in a network, a number of centrality
metrics can be used. Two examples of such metrics are vertex degree centrality (i.e.
counting the number of directly adjacent nodes to a given node) and betweenness
centrality (i.e. ranking vertices by the number of shortest paths between other
vertices in the graph that contain the given node).
Assume that we know that a given network is characterised by a power law degree
distribution. Which metric would be the preferred metric to determine the criticality
(e.g. overall loss of connectivity in case of failure or attack) of a node? Include both
the accuracy of the metric and the computational cost in your considerations and
give a reasoned answer. [25]

Answer 2

> In this case, both are similar
in a power law distribution, paths between non adjacent vertices will need to traverse higher degree vertices
we choose degree centrality because counting adjacent nodes is less costly than calculating several shortest paths per vertices.

Question 3

The Input-Output Inoperability model proposed by Haimes and Jiang allows the
study of interconnected systems to determine the degree to which a particular
component or sector is affected (i.e. its level of dysfunction, such as the fraction of
intended production or service level).
For this, the model requires the availability of an interdependency matrix capturing
how each component (sector) depends on all others.
Identify and briefly describe two examples of limitations of the IIM for capturing the
impact of an attack. [25]

Answer 3

Issue 1:
IIM only captures a linear combination of inputs.
this is appropriate for absolutes like physical items but can be limiting for services with nonlinear dependsencies

Issue 2:
IIMs only consider settles, steady dependencies. They do not capture the immediate effects of disruption or any attempts and successes at substitution

Question 4

Consider a company for which Internet connectivity, particularly to globally
distributed partners and suppliers is essential.
Explain why in this case the selection of multiple, redundant Internet Service
Providers (ISP) for connectivity is critical, and which metrics and questions the
company should approach each ISP with in order to ascertain that a given
combination of providers offers adequate levels of resilience and redundancy. [25]

Answer 4

The main problem is the AS connectivity of the provides via BGP.
just having several neighbours is not enough: we need to know that the paths of different providers are vertex disjoint and that there are several paths, so that if a vertex or segment goes down, we still have paths.

Question 5

describe a power law distribution

Answer 5

> most vertices have a small degree
the number of nodes with a high degree decreases exponentially, they don’t follow a normal distribution
these high degree nodes are called HUBS

also known as scale free

Question 6

What is BGP?

Answer 6

Border Gateway Protocol
> used for routing in the internet
> every network needs a unique AS (Autonomous System) number
> every AS is connected to 2+ other ASs

Question 7

describe AS connection

Answer 7

each AS has several border gateways

each border gateway is a router that connects to a specific border gateway in another AS

Question 8

A well-resourced adversary wishes to both discredit the product quality of a
vaccine manufacturer and to steal trade secrets from the R&D system at the
same time.
Assume that the relevant R&D data is held on a separate network not
connected to the Internet. How can the adversary learn about the
location of the data and successfully exfiltrate these if only a remote cyber
attack is possible?
Give a description of possible steps taken by the adversary beginning with
intelligence gathering; do not merely reproduce a generic framework, but
address how such an air-gapped system can still be compromised

Answer 8

> they don’t want to disrupt the network, just retrieve information from it
the network is air gapped but still has several vulnerabilities.
Seeing as we just want info, gaining access to a company computer that has the ability to request info from the database is enough to retrieve whatever we need.
if we know what information we want precisely and just need proof to discredit the company, the attack could be as simple as sending a phishing email to an employee and convincing them to send the information, or using the email to gain access to their system to see the information
there are some constant vulnerabilities no matter how protected a network is, like external connections and the people with access

Question 9

To discredit the product quality, the attacker identified
seeks to disrupt production processes in such a way that quality control
processes will detect anomalies.
The attacker could not penetrate into the production system, but has
successfully compromised systems on the business network also used to
prepare shipments of the vaccine to an independent testing laboratory.
Can a manipulation of systems and databases call the product quality
into question? Briefly identify a scenario and elaborate how the adversary
would achieve a violation of quality requirements.

Answer 9

The vaccine process is likely automated, from the production of vaccines, to the regulation and the testing. If the data at any one of these stages is accessed and changed, it calls the quality into question and can discredit the effectiveness of the whole batch of vaccines.

Question 10

Which insights can the target of a persistent attacker obtain by setting up a second, air-gapped
system without the actual production facilities? Which additional measures
would be required for such a decoy to be effective?

Answer 10

> it would have to be unknown to employees as a decoy
its data would need to formatted the same as the actual data
everything should be the same except its actual contents
it should be audited to know who has attempted access

Question 11

define a network

Answer 11

a collection of nodes and connections

Question 12

what is a diagram with edges on one axis and vertices on the other called?

Answer 12

incidence matrix

Question 13

What is Isomorphism?

Answer 13

G1 and G2 are isomorphic if there exists a 1-1 mapping V1 -> V2

Question 14

define a walk

Answer 14

a sequence between nodes going through vi, vi+1, vi+2 …

Question 15

define a trail

Answer 15

a walk with distinct edges

Question 16

define a path

Answer 16

a walk with distinct vertices

Question 17

what is w(G)

Answer 17

the number of components in G

Question 18

what is a component?

Answer 18

a subgraph such that it is not a subgraph of anything but the graph

Question 19

when is V* a vertex cut?

Answer 19

if w(G - V*) > w(G)

Question 20

when is E* an edge cut?

Answer 20

if w(G - E*) > w(G)

Question 21

what is k(G)?

Answer 21

the size of a minimal vertex cut. G is k connected

Question 22

what is lambda(G)?

Answer 22

a minimal edge cut

Question 23

What are the preliminaries of Menger’s Theorem?

Answer 23

a graph G where u and v aren’t adjacent

Question 24

what is menger’s theorem?

Answer 24

the minimum number of vertices in a vertex cut that disconnects u and v = the max number of pairwise vertex-independent paths between u and v. (same for edges)

Question 25

when is G k connected?

Answer 25

if k is the minimum number of vertex independent paths (same for edges)

Question 26

when is a graph strongly connected?

Answer 26

every vertex connects to every other vertex

Question 27

when is a graph weakly connected?

Answer 27

when the undirected graph is connected

Question 28

what is a circuit?

Answer 28

a closed walk that touches every edge

Question 29

what is an Euler circuit?

Answer 29

a closed walk where all edges are traversed once

Question 30

what is a hamilton path?

Answer 30

a path containing every vertex

Question 31

what is a hamilton cycle?

Answer 31

a cycle containing every vertex

Question 32

when is a graph hamiltonian?

Answer 32

when it contains a hamilton cycle

Question 33

What is Eccentricity?

Answer 33

e(u): max{d(u,v) l v is in V(G)}

Question 34

what is radius?

Answer 34

rad(G): min{ e(u) l u is in V(G)

Question 35

what is diameter?

Answer 35

diam(G): max{d(u,v) l u, v are in V(G)

Question 36

what is the characteristic path length of a graph?

Answer 36

the median of the shortest paths

Question 37

what is the clustering coefficient?

Answer 37

the degree to which nodes cluster together

Question 38

concerning robustness of networks, what is true if p <= (1-e)/n?

Answer 38

the size of the components is around logn

Question 39

concerning robustness of networks, what is true if p > (1+e)/n?

Answer 39

there is 1 giant component with other components tending toward O(logn)

Question 40

concerning robustness of networks, what is true if p = 1/n?

Answer 40

the number of vertices in the largest component is proportional to n^(2/3)

Question 41

where average degree is k:

what is true when k < 1?

Answer 41

clusters will be small and isolated, diameter is small, paths will be short

Question 42

where average degree is k:

what is true when k = 1?

Answer 42

a giant component arises, diameter peaks, paths are long

Question 43

where average degree is k:

what is true when k > 1?

Answer 43

almost all nodes are connected, diameter is small, paths are short

Question 44

what is robustness in networks>

Answer 44

what fraction of edges or vertices would need to be removed to create a partition?

Question 45

what is the clustering property of ER graphs?

Answer 45

they have a low clustering coefficient

Question 46

Describe the Watts-Strogatz Algorithm

Answer 46

V is a set of vertices, k is even, n>k>ln(n)>1

1. order n vertices into a ring
2. connect each v to its k/2 left and k/2 right neighbours
3. with probability p, replace < u , v> with < u , w > that doesn’t exist in G

Question 47

what is the risk equation?

Answer 47

risk = probability * expected loss

Question 48

define risk

Answer 48

the potential that a given threat will exploit vulnerabilities of an asset and cause harm

Question 49

(FMEA) define basic functions

Answer 49

verb/noun descriptions of required critical system functionality

Question 50

(FMEA) define secondary functions

Answer 50

verb/noun descriptions of required non-critical system functionality

Question 51

(FMEA) define failure mode

Answer 51

description of a failure

Question 52

(FMEA) define failure effect

Answer 52

impact of the failure on the system

Question 53

(FMEA) define failure cause

Answer 53

the cause of the failure

Question 54

(FMEA) define occurence

Answer 54

rate at which the first level cause will occur

Question 55

(FMEA) define detection

Answer 55

likelihood that controls will detect the failure mode during development or operation.

Question 56

What are the 3 steps for FMEA?

Answer 56

1. functional analysis
2. identification of failure modes
3. determination of severity, occurrence, criticality

Question 57

describe FTAs

Answer 57

Fault and Attack trees.

system oriented, top down analysis approach. most common for casual analysis

Question 58

what are the 4 steps for attack tree construction?

Answer 58

1. select a system level failure and assign it top event
2. investigate immediate causes
3. repeat recursively until component failures are identified
4. group immediate, necessary, and sufficient causes with logic gates

Question 59

what is Qo(t)?

Answer 59

probability(top event occurs at time t)

Question 60

what is qi(t)?

Answer 60

probability(event i occurs at t)

Question 61

what is Ei(t)?

Answer 61

event i occurs at t

Question 62

What does FTA do and not do?

Answer 62

distinguishes events but doesn’t describe attacks

Question 63

define non-repairable

Answer 63

a defect can’t be remedied. modelled by failure rate lambda i

Question 64

define repairable

Answer 64

a defect can be remedied. qi(t) = lambda i * MTTRi

Question 65

what is MTTRi?

Answer 65

mean time to react to i

Question 66

define periodical testing

Answer 66

a unit i is tested periodically at fixed intervals T

Question 67

periodical testing formula

Answer 67

qi(t) = (lambda i * Ti) / 2

Question 68

What are the limitations of attack trees?

Answer 68

> they’re static, so they can’t capture attacker/defender interactions
they require formal syntax and semantics definitions

Question 69

describe attack defence trees

Answer 69

they incorporate attack noes and defence nodes

can be refined for further detail until a basic action is reached

Question 70

describe attack countermeasure trees

Answer 70

they consider defensive and mitigating measures

minimum cut = attack countermeasure scenarios

Question 71

What does game theory model?

Answer 71

adversarial and co-operative behaviour

which strategy to employ

Question 72

describe game theory peoperties

Answer 72

> actions are views as variables
there are constraints on joint behaviour of variables
interested in strategy not probability
assumes players are rational and selfish

Question 73

describe equilibrium in game theory

Answer 73

> no player has incentive to deviate
all players know all matrices
no communication between players

Question 74

when is product distribution in nash equillibrium?

Answer 74

if for every player i and every mixed strategy p’i:

Ea~p[Mi(a)] >= Ea~p[i:p’i][Mi(a)]

a game may have multiple NEs

Question 75

when is state required in game theory?

Answer 75

when previous rounds are considered

Question 76

What are petri nets?

Answer 76

a family of formalisms that allow intuitive graphical and mathematical modelling of concurrency

Question 77

what are graphical representations of petri nets used for?

Answer 77

communicating complex process behaviour

Question 78

what are mathematical representation of petri nets used for?

Answer 78

precise analysis and automation of analysis

Question 79

what is the main benefit of petri nets?

Answer 79

• the ability to capture concurrent behaviour

- giving natural formalisation for distributed and parallel activity that can also be non deterministic.

Question 80

What does the graphical petri net model look like?

Answer 80

a bipartite graph with:
> place nodes for resources and states
> transition nodes for transitional and events

Question 81

when is transition t enabled in a petri net?

Answer 81

t is enabled in a marking if for every edge place p -> t there exists a distinct token in the marking

Question 82

what are the results of firing a transition?

Answer 82

> 1 token is removed from any p for every edge pt

> 1 token is added from any p for any edge tp

Question 83

Describe Hierarchal Petri Nets

Answer 83

they allow the decomposition of complex networks into assemblies
low level details can be hidden for decision making

Question 84

describe coloured Petri nets (CPNs)

Answer 84

they allow tokens to have value, and are therefore more compact

Question 85

describe timed petri nets

Answer 85

petri nets where time is incorporated

Question 86

(Control Systems) define process

Answer 86

a set/sequence operation using resources to transform inputs into outputs

Question 87

(Control Systems) define manipulated variable

Answer 87

the parameter of a process that is manipulated by the control system

Question 88

(Control Systems) define final control element (FCE)

Answer 88

a component changing a MVs value

Question 89

(Control Systems) define controller output

Answer 89

a signal from the controller to the FCE

Question 90

(Control Systems) define process variable

Answer 90

a measurement variable that changes in response to the MV changing

Question 91

(Control Systems) define set point

Answer 91

value the PV tries to maintain

Question 92

(Control Systems) define actuator

Answer 92

mechanism for translating a controller output into physical changes

Question 93

(Control Systems) define detector

Answer 93

translates physical variables into MVs

Question 94

(Control Systems) define transducer

Answer 94

a device receiving information in 1 form and translating it to another

Question 95

(Control Systems) define transmitter

Answer 95

a transducer responding to a MV via a sensor and converting it to a standardised transmission signal thats a function of the MV

Question 96

(Control Systems) define controller

Answer 96

a device that operates automatically to regulate a controlled variable

Question 97

(Control Systems) define Process Control

Answer 97

the act of controlling FCEs to change MVs so as to maintain PVs at desired Set Points

Question 98

describe an open loop control system

Answer 98

the simplest for of control system. relies only on the model and current state of the system.
it is cheap to implement and does not rely on feedback.

Question 99

in which situation is an open loop control system appropriate?

Answer 99

in highly predictable and non critical environments disturbances are not taken into account

Question 100

how do you make an open loop system into a closed loop system?

Answer 100

add a feedback loop and a process variable to be monitored

Question 101

what are the 3 stages of designing a closed loop control system?

Answer 101

1. modelling
2. analysis
3. design

Question 102

What are some points that are considered in control system analysis?

Answer 102

does it overshoot or undershoot resulting in oscillations

Question 103

how are oscillations handles?

Answer 103

by dampening. Strong dampening limits the speed and magnitude of the control systems response.

Question 104

describe observability in control systems

Answer 104

a system is observable if its state can be determined by its outputs in finite time

Question 105

what re some problems with non linear control systems?

Answer 105

> no superposition
may have multiple, isolated equilibrium points rather than just 1
can have a finite escape time if unstable

Question 106

what is the main problem with actuators and sensors?

Answer 106

they can be manipulated and are subject to wear and tear.

Question 107

define accuracy

Answer 107

how close to the true value a result is

Question 108

define precision

Answer 108

how similar the results are when a process is repeated

Question 109

what pattern do errors usually follow?

Answer 109

normal distribution

Question 110

How is bias compensated for in control systems?

Answer 110

via calibration. But calibration may be manipulated

Question 111

What are the downsides of a processing unit in a control system?

Answer 111

it allows more flexibility for the attacker

Question 112

what are the downsides of intelligent sensors in a control system?

Answer 112

it enables a number of attacks that can’t be detected by simple statistical tests

Question 113

what are possible attacks on actuators?

Answer 113

physical manipulation can change the gain achieved and can restrict the range of the actuator

Question 114

What are the 2 most severe control systems problems?

Answer 114

loss of view and loss of control

Question 115

CNE

Answer 115

computer network exploitation (intelligence seeking)

Question 116

CNA

Answer 116

computer network attack (offensive)

Question 117

what are the 7 cyber kill chain steps?

Answer 117

1. reconnaissance
2. weaponisation
3. delivery
4. exploitation
5. installation
6. command and control
7. actions on objectives

Question 118

what are the 6 kill chain steps?

Answer 118

F2T2EA
find
fix
track
target
engage
assess

Question 119

what was MITRE ATT&CK originally formulate for?

Answer 119

to describe both attacker and defender behaviour

Question 120

TTPS

Answer 120

tactics, techniques, and procedures

Question 121

what is the MITRE ATT&CK framework structure?

Answer 121

matrices -> databases -> technique records -> details

Question 122

what are the key uses of the MITRE ATT&CK framework?

Answer 122

> threat intelligence mapping
> gap identification
> incident support
> threat hunting
> red teaming (reverse engineering attacks)

Question 123

APT

Answer 123

advances persistent threat

Question 124

What is a direct defence to the cyber kill chain?

Answer 124

cyber kill chains are intelligence driven so intelligence should be monitored and limited

Question 125

what is the principle of battlefield terrain analysis?

Answer 125

defenders know their terrain and can exploit the fact that attackers don’t

Question 126

what are the 5 main aspects of battlefield terrain analysis?

Answer 126

> observation and fields of fire
> cover and concealment
> obstacles
> key terrain
> avenues of approach

Question 127

how can users help defend against the cyber kill chain?

Answer 127

they can notice and report delivery mechanisms

Question 128

describe an APT

Answer 128

> structured

>targetted

Question 129

What is a honeypot?

Answer 129

machines providing replicated services

Question 130

What is a honeynet?

Answer 130

network segments with dissimulative services or data

Question 131

What is a honeyfile?

Answer 131

an audited file no one should have to access

Question 132

what is a honey record?

Answer 132

a honey file for databases

Question 133

what is a honey user?

Answer 133

user account or even just hash values that can serve as alert sources and decoys

Question 134

How are critical infrastructure interdependencies modelled graphically?

Answer 134

with directed graphs

Question 135

what is centrality?

Answer 135

the proximity of a node to other nodes

Question 136

what is betweenness?

Answer 136

the total number of oaths that pass through a node

Question 137

what is a local clustering coefficient?

Answer 137

the fraction of edges between immediately connecting neighbouring vertices over the number of possible edges

Question 138

where is agent-based modelling used?

Answer 138

where the state and behaviours of the vertices must be captured. used when we know the conditions.

Question 139

what does agent-based modelling require?

Answer 139

a precise description of the behaviour of each agent based on current state and external influences which may not always be completely known.

Question 140

Describe Game Theoretical Models

Answer 140

> capture interaction
of interest where conventional adversary models may be too strong
assumes that the adversary is acting optimally for the available information