General

Question 1

What are the…

Five phases of the Threat Intellience Cycle

Answer 1

1. Planning & Requirements
2. Collection & Processing
3. Analysis
4. Dissemination
5. Feedback

Question 2

Provide the purpose of…

Planning & Requirements

Threat Intelligence Cycle

Answer 2

• Defining our Goal
• Staying business-aligned
• Consider legal restrictions, regulations
• Determine our most likely threats
• How would they do us harm?

Question 3

Provide the purpose of…

Collection & Processing

Threat Intelligence Cycle

Answer 3

• Gathering of information
• Maintain consistency to stay organized
• Automate as much as possible
• Select appropriate end-points to collect data from
• Processing & normalizing the collected data

Potential collection end-points include; cloud, phones, routers, servers, apps, laptops, etc…

Question 4

Provide the purpose of…

Analysis

Threat Intelligence Cycle

Answer 4

• More data means higher chance to prove an attack is happening
• Too much data demands automated tools to sift through the data
• Use of SIEM to automate the correlation of events

Automation could include; Scripts (Bash, Python, PowerShell…)

Question 5

Provide the purpose of…

Dissemination

Threat Intelligence Cycle

Answer 5

• Internally communicating the findings
• Selecting the appropriate audience(s)
• Communicate the findings to EACH of the audiences. (See types)
• Outside communication? Potentially.

• Types
• Strategic Intelligence
• Operational Intelligence
• Tactical Intelligence

Question 6

Provide the purpose of…

Feedback

Threat Intelligence Cycle

Answer 6

• New findings, new information
• Lessons Learned from previous steps
• New discoveries since last time
• New tactics to imploy?
• Assign clear list of people, a clear list of tasks to make the cycle better

Question 7

Whats the time frame of…

Strategic Intelligence

Answer 7

Long-term goals

Question 8

Whats the time frame of…

Operational Intelligence

Answer 8

Shorter-term goals

Question 9

Whats the time frame of…

Tactical Intelligence

Answer 9

Real-time goals

Question 10

What is…

Security Intelligence

Answer 10

How secure are we?

Question 11

What is…

Cyber Threat Intelligence

Answer 11

How threatening is the world?
* Narrative Sources
* Threat Feeds

Threat feeds are online resources that can be queried. Flow of known vulnerabilities, IP addresses, anti-virus softwares, necessary patches, real-time attacks, etc…

Question 12

What is… used for?

Historical / Trend Analysis

Answer 12

Used to indicator potential threats

Question 13

Describe what… is used for

Reconnaisance

As a defender

Answer 13

• What could an attacker find out about us?
• Use of OSINT tools to automate some of the process

Use of open-sourced (public) data to analysis a target (e.g. Social Media, websites, job descriptions, LinkedIN)

Question 14

What does … stand for?

OSINT

Answer 14

Open-source Intelligence

The process of gathering and analyzing publicly available information to assess threats, make decisions, and/or answer specific questions.

Question 15

What is a … ?

zone transfer

Answer 15

Usually used to transfer DNS to new server; however could be used to fetch ALL DNS server information if misconfigured poorly

Question 16

What are … used for?

Website Rippers

Answer 16

Clones the entire target website

Used for interacting with the website and see potential vulnerabilities

Question 17

What are important for … ?

Confidence Levels

Information source

Answer 17

• Timeliness (up to date?)
• Relevancy
• Accuracy
• Fake News?

Question 18

What is the … ?

Admiralty System

Answer 18

A method for evaluating a source and the credibility of an information source

Question 19

What is … used for?

Information Sharing and Analysis Centers

Answer 19

Sources for industry specific security information

Question 20

Whats the purpose of … ?

Vulnerability Management

Answer 20

Keep an overview of security holes within organization

meltdown / spectre are two classic vulnerabilities to be aware of

enables us to patch problem before they get exploited

Question 21

What does the process of … look like?

Vulnerability Management

Answer 21

• Assign responsibilities
• Document EVERYTHING
• Keep management excited about this
• Track all inventory
• Assign a business risk to each item, in order to prioritize when things fall a part
• Select the appropriate tools
• Scan for vulnerabilities
• Fix ASAP
• Dont forget about it, continuous process

Question 22

What are … ?

Unknown Threats

Answer 22

Threats that only present themselves via behaviors (aka breaks the mould)

Very advanced malware or Zero-day vulnerability

Question 23

Describe the … ?

The Johari Window

Answer 23

• Known Knowns - we know what to do, just need to act
• Known Unknowns - Aware but not sure how to implement
• Unknown Knowns - Could understand but not aware of
• Unknown Unknowns - Dont know how little you know

Question 24

Describe the behavior of …

APT

Answer 24

Advanced coordinated group(s) with the ability to establish persistent presence. Malicious actors by nature.

CYSA Exam - Well funded, Governmentally supported
Technically - Anyone with ability to break into something

Question 25

What is … all about?

Organized Crime

Answer 25

All about stealing stuff

Question 26

What is … all about?

Cyberterrorism

Answer 26

Engage in acts with no financial reason

Watch the world burn

Question 27

What is … all about?

Hacktivists

Answer 27

Moral justice, political agenda

Form of digital protest

Question 28

What is … all about?

Nation-States

Answer 28

• Nation sponsored hacker groups
• Focused on military/commercial advantage

Closely related to APTs

Question 29

What is … all about?

Script Kiddies

Answer 29

Beginner level hackers that employ commodity malware/scripts to perform attacks

Question 30

What is … all about?

Recreational Hackers

Answer 30

• Non-dangerous
• Hacking competitions
• Capture the Flag contests

Question 31

What is … all about?

Professional hackers

Answer 31

• Security auditors
• Penetration testers
• Security researchers who report their findings immediately

Question 32

What is … all about?

Suicide hackers

Answer 32

• Nothing to loss
• Desperate to reach their goals

Question 33

What is … all about?

Insider Threats

Answer 33

• Present / former colleague
• Already given permissions
• Trusted creditionals

Question 34

What is … ?

Shadow IT

Answer 34

• Integrating devices / software / cloud services into the company without the knowledge of company IT

Mobile devices, hidden switches, cloud services,

Question 35

What is … ?

Commodity Malware

Answer 35

• Highly available, malicious software
• Under funded actors imploy
• APTs even start attacks using commodity malware to remain hidden