exam Flashcards
The MITRE ATT&CK frameworks contain domain-adapted knowledge of attacker
tactics and techniques e.g. for enterprise systems or industrial control systems. Its
main use is to place detected adversary activity within a framework, which allows
the identification of likely related activities and indicators of compromise.
Can such a framework also be utilised to synthesise attack patterns such as for use in
training exercises? Give a reasoned answer why this may or may not be
appropriate. [25]
negative: the matrices are restrained in how the attack is constructed and it's hard to discern the intent of the attacker (which is critical for APT-style attacks).
In assessing the criticality of a given node in a network, a number of centrality
metrics can be used. Two examples of such metrics are vertex degree centrality (i.e.
counting the number of directly adjacent nodes to a given node) and betweenness
centrality (i.e. ranking vertices by the number of shortest paths between other
vertices in the graph that contain the given node).
Assume that we know that a given network is characterised by a power law degree
distribution. Which metric would be the preferred metric to determine the criticality
(e.g. overall loss of connectivity in case of failure or attack) of a node? Include both
the accuracy of the metric and the computational cost in your considerations and
give a reasoned answer. [25]
> In this case, both are similar
in a power law distribution, paths between non adjacent vertices will need to traverse higher degree vertices
we choose degree centrality because counting adjacent nodes is less costly than calculating several shortest paths per vertex.
The Input-Output Inoperability model proposed by Haimes and Jiang allows the
study of interconnected systems to determine the degree to which a particular
component or sector is affected (i.e. its level of dysfunction, such as the fraction of
intended production or service level).
For this, the model requires the availability of an interdependency matrix capturing
how each component (sector) depends on all others.
Identify and briefly describe two examples of limitations of the IIM for capturing the
impact of an attack. [25]
Issue 1:
IIM only captures a linear combination of inputs.
this is appropriate for absolutes like physical items but can be limiting for services with nonlinear dependencies
Issue 2:
IIMs only consider settled, steady dependencies. They do not capture the immediate effects of disruption or any attempts and successes at substitution
Consider a company for which Internet connectivity, particularly to globally
distributed partners and suppliers is essential.
Explain why in this case the selection of multiple, redundant Internet Service
Providers (ISP) for connectivity is critical, and which metrics and questions the
company should approach each ISP with in order to ascertain that a given
combination of providers offers adequate levels of resilience and redundancy. [25]
The main problem is the AS connectivity of the providers via BGP.
just having several neighbours is not enough: we need to know that the paths of different providers are vertex disjoint and that there are several paths, so that if a vertex or segment goes down, we still have paths.
describe a power law distribution
> most vertices have a small degree
the number of nodes with a high degree decreases exponentially, they don’t follow a normal distribution
these high degree nodes are called HUBS
also known as scale free
What is BGP?
Border Gateway Protocol
> used for routing in the internet
> every network needs a unique AS (Autonomous System) number
> every AS is connected to 2+ other ASs
describe AS connection
each AS has several border gateways
each border gateway is a router that connects to a specific border gateway in another AS
A well-resourced adversary wishes to both discredit the product quality of a
vaccine manufacturer and to steal trade secrets from the R&D system at the
same time.
Assume that the relevant R&D data is held on a separate network not
connected to the Internet. How can the adversary learn about the
location of the data and successfully exfiltrate these if only a remote cyber
attack is possible?
Give a description of possible steps taken by the adversary beginning with
intelligence gathering; do not merely reproduce a generic framework, but
address how such an air-gapped system can still be compromised
> they don’t want to disrupt the network, just retrieve information from it
the network is air gapped but still has several vulnerabilities.
Seeing as we just want info, gaining access to a company computer that has the ability to request info from the database is enough to retrieve whatever we need.
if we know what information we want precisely and just need proof to discredit the company, the attack could be as simple as sending a phishing email to an employee and convincing them to send the information, or using the email to gain access to their system to see the information
there are some constant vulnerabilities no matter how protected a network is, like external connections and the people with access
To discredit the product quality, the attacker identified
seeks to disrupt production processes in such a way that quality control
processes will detect anomalies.
The attacker could not penetrate into the production system, but has
successfully compromised systems on the business network also used to
prepare shipments of the vaccine to an independent testing laboratory.
Can a manipulation of systems and databases call the product quality
into question? Briefly identify a scenario and elaborate how the adversary
would achieve a violation of quality requirements.
The vaccine process is likely automated, from the production of vaccines, to the regulation and the testing. If the data at any one of these stages is accessed and changed, it calls the quality into question and can discredit the effectiveness of the whole batch of vaccines.
Which insights can the target of a persistent attacker obtain by setting up a second, air-gapped
system without the actual production facilities? Which additional measures
would be required for such a decoy to be effective?
> it would have to be unknown to employees as a decoy
its data would need to be formatted the same as the actual data
everything should be the same except its actual contents
it should be audited to know who has attempted access
define a network
a collection of nodes and connections
what is a diagram with edges on one axis and vertices on the other called?
incidence matrix
What is Isomorphism?
G1 and G2 are isomorphic if there exists a 1-1 mapping V1 -> V2
define a walk
a sequence between nodes going through vi, vi+1, vi+2 …
define a trail
a walk with distinct edges
define a path
a walk with distinct vertices
what is w(G)
the number of components in G
what is a component?
a subgraph such that it is not a subgraph of anything but the graph
when is V* a vertex cut?
if w(G - V*) > w(G)
when is E* an edge cut?
if w(G - E*) > w(G)
what is k(G)?
the size of a minimal vertex cut. G is k connected
what is lambda(G)?
a minimal edge cut
What are the preliminaries of Menger’s Theorem?
a graph G where u and v aren’t adjacent
what is menger’s theorem?
the minimum number of vertices in a vertex cut that disconnects u and v = the max number of pairwise vertex-independent paths between u and v. (same for edges)
when is G k connected?
if k is the minimum number of vertex independent paths (same for edges)
when is a graph strongly connected?
every vertex connects to every other vertex
when is a graph weakly connected?
when the undirected graph is connected
what is a circuit?
a closed walk that touches every edge
what is an Euler circuit?
a closed walk where all edges are traversed once
what is a hamilton path?
a path containing every vertex
what is a hamilton cycle?
a cycle containing every vertex
when is a graph hamiltonian?
when it contains a hamilton cycle
What is Eccentricity?
e(u): max{d(u,v) | v is in V(G)}
what is radius?
rad(G): min{e(u) | u is in V(G)}
what is diameter?
diam(G): max{d(u,v) | u, v are in V(G)}
what is the characteristic path length of a graph?
the median of the shortest paths
what is the clustering coefficient?
the degree to which nodes cluster together
concerning robustness of networks, what is true if p <= (1-e)/n?
the size of the components is around logn
concerning robustness of networks, what is true if p > (1+e)/n?
there is 1 giant component with other components tending toward O(logn)
concerning robustness of networks, what is true if p = 1/n?
the number of vertices in the largest component is proportional to n^(2/3)
where average degree is k:
what is true when k < 1?
clusters will be small and isolated, diameter is small, paths will be short
where average degree is k:
what is true when k = 1?
a giant component arises, diameter peaks, paths are long
where average degree is k:
what is true when k > 1?
almost all nodes are connected, diameter is small, paths are short
what is robustness in networks?
what fraction of edges or vertices would need to be removed to create a partition?
what is the clustering property of ER graphs?
they have a low clustering coefficient
Describe the Watts-Strogatz Algorithm
V is a set of vertices, k is even, n>k>ln(n)>1
- order n vertices into a ring
- connect each v to its k/2 left and k/2 right neighbours
- with probability p, replace <u, v> with <u, w> that doesn’t exist in G
what is the risk equation?
risk = probability * expected loss
define risk
the potential that a given threat will exploit vulnerabilities of an asset and cause harm
(FMEA) define basic functions
verb/noun descriptions of required critical system functionality
(FMEA) define secondary functions
verb/noun descriptions of required non-critical system functionality
(FMEA) define failure mode
description of a failure
(FMEA) define failure effect
impact of the failure on the system
(FMEA) define failure cause
the cause of the failure
(FMEA) define occurrence
rate at which the first level cause will occur
(FMEA) define detection
likelihood that controls will detect the failure mode during development or operation.
What are the 3 steps for FMEA?
- functional analysis
- identification of failure modes
- determination of severity, occurrence, criticality
describe FTAs
Fault and Attack trees.
system oriented, top down analysis approach. most common for causal analysis
what are the 4 steps for attack tree construction?
- select a system level failure and assign it top event
- investigate immediate causes
- repeat recursively until component failures are identified
- group immediate, necessary, and sufficient causes with logic gates
what is Qo(t)?
probability(top event occurs at time t)
what is qi(t)?
probability(event i occurs at t)
what is Ei(t)?
event i occurs at t
What does FTA do and not do?
distinguishes events but doesn’t describe attacks
define non-repairable
a defect can’t be remedied. modelled by failure rate lambda i
define repairable
a defect can be remedied. qi(t) = lambda i * MTTRi
what is MTTRi?
mean time to react to i
define periodical testing
a unit i is tested periodically at fixed intervals T
periodical testing formula
qi(t) = (lambda i * Ti) / 2
What are the limitations of attack trees?
> they’re static, so they can’t capture attacker/defender interactions
they require formal syntax and semantics definitions
describe attack defence trees
they incorporate attack nodes and defence nodes
can be refined for further detail until a basic action is reached
describe attack countermeasure trees
they consider defensive and mitigating measures
minimum cut = attack countermeasure scenarios
What does game theory model?
adversarial and co-operative behaviour
which strategy to employ
describe game theory properties
> actions are viewed as variables
there are constraints on joint behaviour of variables
interested in strategy not probability
assumes players are rational and selfish
describe equilibrium in game theory
> no player has incentive to deviate
all players know all matrices
no communication between players
when is product distribution in nash equilibrium?
if for every player i and every mixed strategy p'_i:
E_{a~p}[M_i(a)] >= E_{a~p[i:p'_i]}[M_i(a)]
a game may have multiple NEs
when is state required in game theory?
when previous rounds are considered
What are petri nets?
a family of formalisms that allow intuitive graphical and mathematical modelling of concurrency
what are graphical representations of petri nets used for?
communicating complex process behaviour
what are mathematical representations of petri nets used for?
precise analysis and automation of analysis
what is the main benefit of petri nets?
- the ability to capture concurrent behaviour
- giving natural formalisation for distributed and parallel activity that can also be non deterministic.
What does the graphical petri net model look like?
a bipartite graph with:
> place nodes for resources and states
> transition nodes for transitions and events
when is transition t enabled in a petri net?
t is enabled in a marking if for every edge place p -> t there exists a distinct token in the marking
what are the results of firing a transition?
> 1 token is removed from any p for every edge pt
> 1 token is added from any p for any edge tp
Describe Hierarchical Petri Nets
they allow the decomposition of complex networks into assemblies
low level details can be hidden for decision making
describe coloured Petri nets (CPNs)
they allow tokens to have value, and are therefore more compact
describe timed petri nets
petri nets where time is incorporated
(Control Systems) define process
a set/sequence operation using resources to transform inputs into outputs
(Control Systems) define manipulated variable
the parameter of a process that is manipulated by the control system
(Control Systems) define final control element (FCE)
a component changing an MV's value
(Control Systems) define controller output
a signal from the controller to the FCE
(Control Systems) define process variable
a measurement variable that changes in response to the MV changing
(Control Systems) define set point
value the PV tries to maintain
(Control Systems) define actuator
mechanism for translating a controller output into physical changes
(Control Systems) define detector
translates physical variables into MVs
(Control Systems) define transducer
a device receiving information in 1 form and translating it to another
(Control Systems) define transmitter
a transducer responding to a MV via a sensor and converting it to a standardised transmission signal that's a function of the MV
(Control Systems) define controller
a device that operates automatically to regulate a controlled variable
(Control Systems) define Process Control
the act of controlling FCEs to change MVs so as to maintain PVs at desired Set Points
describe an open loop control system
the simplest form of control system. relies only on the model and current state of the system.
it is cheap to implement and does not rely on feedback.
in which situation is an open loop control system appropriate?
in highly predictable and non-critical environments; disturbances are not taken into account
how do you make an open loop system into a closed loop system?
add a feedback loop and a process variable to be monitored
what are the 3 stages of designing a closed loop control system?
- modelling
- analysis
- design
What are some points that are considered in control system analysis?
does it overshoot or undershoot resulting in oscillations
how are oscillations handled?
by dampening. Strong dampening limits the speed and magnitude of the control system's response.
describe observability in control systems
a system is observable if its state can be determined by its outputs in finite time
what are some problems with non linear control systems?
> no superposition
may have multiple, isolated equilibrium points rather than just 1
can have a finite escape time if unstable
what is the main problem with actuators and sensors?
they can be manipulated and are subject to wear and tear.
define accuracy
how close to the true value a result is
define precision
how similar the results are when a process is repeated
what pattern do errors usually follow?
normal distribution
How is bias compensated for in control systems?
via calibration. But calibration may be manipulated
What are the downsides of a processing unit in a control system?
it allows more flexibility for the attacker
what are the downsides of intelligent sensors in a control system?
it enables a number of attacks that can’t be detected by simple statistical tests
what are possible attacks on actuators?
physical manipulation can change the gain achieved and can restrict the range of the actuator
What are the 2 most severe control systems problems?
loss of view and loss of control
CNE
computer network exploitation (intelligence seeking)
CNA
computer network attack (offensive)
what are the 7 cyber kill chain steps?
- reconnaissance
- weaponisation
- delivery
- exploitation
- installation
- command and control
- actions on objectives
what are the 6 kill chain steps?
F2T2EA: find, fix, track, target, engage, assess
what was MITRE ATT&CK originally formulated for?
to describe both attacker and defender behaviour
TTPS
tactics, techniques, and procedures
what is the MITRE ATT&CK framework structure?
matrices -> databases -> technique records -> details
what are the key uses of the MITRE ATT&CK framework?
> threat intelligence mapping > gap identification > incident support > threat hunting > red teaming (reverse engineering attacks)
APT
advanced persistent threat
What is a direct defence to the cyber kill chain?
cyber kill chains are intelligence driven so intelligence should be monitored and limited
what is the principle of battlefield terrain analysis?
defenders know their terrain and can exploit the fact that attackers don’t
what are the 5 main aspects of battlefield terrain analysis?
> observation and fields of fire > cover and concealment > obstacles > key terrain > avenues of approach
how can users help defend against the cyber kill chain?
they can notice and report delivery mechanisms
describe an APT
> structured
> targeted
What is a honeypot?
machines providing replicated services
What is a honeynet?
network segments with dissimulative services or data
What is a honeyfile?
an audited file no one should have to access
what is a honey record?
a honey file for databases
what is a honey user?
user account or even just hash values that can serve as alert sources and decoys
How are critical infrastructure interdependencies modelled graphically?
with directed graphs
what is centrality?
the proximity of a node to other nodes
what is betweenness?
the total number of paths that pass through a node
what is a local clustering coefficient?
the fraction of edges between immediately connecting neighbouring vertices over the number of possible edges
where is agent-based modelling used?
where the state and behaviours of the vertices must be captured. used when we know the conditions.
what does agent-based modelling require?
a precise description of the behaviour of each agent based on current state and external influences which may not always be completely known.
Describe Game Theoretical Models
> capture interaction
of interest where conventional adversary models may be too strong
assumes that the adversary is acting optimally for the available information