Lesson 2: Explaining Threat Actors and Threat Intelligence Flashcards

1
Q

An IT manager in the aviation sector checks the industry’s threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing?

A. Open Source Intelligence (OSINT)

B. An Information Sharing and Analysis Center (ISAC)

C. A vendor website, such as Microsoft’s Security Intelligence blog

D. A closed or proprietary threat intelligence platform

A

B
ISACs are set up to share industry-specific threat intelligence and best practices in critical sectors, such as the aviation industry.

2
Q

A security engineer investigates a recent system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector?

A. Threat

B. Vulnerability

C. Risk

D. Exploit

A

A
A threat is the potential for something to exploit a vulnerability. The thing that poses the threat is called an actor, while the path used can be referred to as the vector.

3
Q

An unknowing user with authorized access to systems in a software development firm installs a seemingly harmless, yet unauthorized program on a workstation without the IT department’s sanction. Identify the type of threat that is a result of this user’s action.

A. Unintentional insider threat

B. Malicious insider threat

C. Intentional attack vector

D. External threat with insider knowledge

A

A
Anyone who has or had authorized access to an organization's network, system, or data can be an insider threat. Installing unauthorized software is negligent rather than malicious, so the user is an unintentional insider threat; the unsanctioned program itself (shadow IT) becomes the resulting attack vector.

4
Q

Which of the following would most likely be considered an insider threat? (Select all that apply.)

A. Former employee

B. Contractor

C. Customer

D. White hat hacker

A

A, B
Anyone who has or had authorized access to an organization’s network, system, or data is considered an insider threat. In this example, a former employee and a contractor fit the criteria.

Current employees, business partners, and contractors also qualify as insider threats.

5
Q

What is Open Source Intelligence (OSINT)?

A. Obtaining information, physical access to premises, or even access to a user account through the art of persuasion

B. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources

C. Using web search tools and social media to obtain information about the target

D. Using software tools to obtain information about a host or network topology

A

C
OSINT is using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not.

6
Q

A company technician goes on vacation. While the technician is away, a critical patch released for Windows servers is not applied. According to the National Institute of Standards and Technology (NIST), what does the delay in applying the patch create on the server?

A. Control

B. Risk

C. Threat

D. Vulnerability

A

D
NIST defines vulnerability as a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. In addition to delays in applying patches, other examples of vulnerabilities include improperly installed hardware, untested software, and inadequate physical security.

7
Q

A contractor has been hired to conduct security reconnaissance on a company. The contractor browses the company’s website to identify employees and then finds their Facebook pages. Posts found on Facebook indicate a favorite bar that employees frequent. The contractor visits the bar and learns details of the company’s security infrastructure through small talk. What reconnaissance phase techniques does the contractor practice? (Select all that apply.)

A. Open Source Intelligence (OSINT)

B. Scanning

C. Social engineering

D. Persistence

A

A, C
OSINT refers to using web search tools and social media to obtain information about a target. The contractor used this technique by harvesting employee names from the company website and then locating their Facebook profiles, which revealed the bar the employees frequent.

Social engineering was used at the bar: the contractor elicited details of the company's security infrastructure through casual small talk. This works because people generally want to be friendly and helpful, and a relaxed after-work setting, likely involving alcohol, lowers their guard further.

8
Q

A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and takes steps to remedy the breach and harden its systems. Once the breach is resolved, the team wants to publish the cyber threat intelligence (CTI) securely, using standardized language, for other government agencies to use. Via which protocol will the team transmit the threat data feed?

A. Structured Threat Information eXpression (STIX)

B. Automated Indicator Sharing (AIS)

C. Trusted Automated eXchange of Indicator Information (TAXII)

D. A code repository protocol

A

C
TAXII provides the transport for exchanging CTI between servers and clients: subscribers to a CTI service pull updates over TAXII and load them into their analysis tools. STIX is the standardized language in which the shared intelligence is expressed, not the transport, and AIS is the CISA-run sharing program that is built on STIX and TAXII rather than a protocol in its own right.
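How a feed like this is consumed on the receiving side, as an added example that is not part of the original flashcards: the block below parses a constructed TAXII 2.1 envelope (the JSON body a client receives from a collection's objects endpoint) containing STIX 2.1 indicators, extracts the observable values from each indicator's pattern, and matches them against a few constructed log lines. It uses only the Python standard library, not the stix2 or taxii2-client packages, and makes no network calls. Every indicator ID, name, value and log line is invented; the observables use documentation-reserved addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and .example names so they cannot collide with real infrastructure, and the pattern parser deliberately handles only the single-comparison `[type:value = '...']` form, not the full STIX patterning grammar.

```python
import json
import re


def _indicator(uid, name, pattern):
    """Build a minimal STIX 2.1 Indicator object. The uid values are made up for this example."""
    return {"type": "indicator", "spec_version": "2.1", "id": "indicator--" + uid,
            "created": "2024-01-15T10:00:00.000Z", "modified": "2024-01-15T10:00:00.000Z",
            "name": name, "pattern": pattern, "pattern_type": "stix",
            "valid_from": "2024-01-15T00:00:00Z"}


# Constructed body of a TAXII 2.1 "get objects" response (an envelope). Nothing in it is real.
TAXII_ENVELOPE = json.dumps({"more": False, "objects": [
    _indicator("1b2f7e4a-3c8d-4e9f-9a6b-0c1d2e3f4a5b", "constructed C2 address",
               "[ipv4-addr:value = '203.0.113.45']"),
    _indicator("2c3a8f5b-4d9e-4f0a-8b7c-1d2e3f4a5b6c", "constructed phishing domain",
               "[domain-name:value = 'evil.example']"),
    _indicator("3d4b9a6c-5e0f-4a1b-9c8d-2e3f4a5b6c7d", "constructed payload server",
               "[url:value = 'http://bad.example/stage2'] OR [ipv4-addr:value = '198.51.100.7']"),
    # A non-indicator object, included to show that the parser skips it.
    {"type": "identity", "spec_version": "2.1",
     "id": "identity--4e5c0b7d-6f1a-4b2c-8d9e-3f4a5b6c7d8e",
     "created": "2024-01-15T10:00:00.000Z", "modified": "2024-01-15T10:00:00.000Z",
     "name": "constructed CTI producer", "identity_class": "organization"},
]})

# Matches one comparison of the form [<object-type>:value = '<literal>'], with \' escapes.
# This covers the common atomic-IOC case only; AND/FOLLOWEDBY logic, other properties and
# timing qualifiers would need a real STIX pattern parser.
_COMPARISON = re.compile(r"\[\s*([a-z0-9-]+):value\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]")


def parse_envelope(text):
    """Return the STIX indicator objects from a TAXII envelope, ignoring other object types."""
    envelope = json.loads(text)
    return [obj for obj in envelope.get("objects", [])
            if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix"]


def extract_observables(pattern):
    """Pull (object type, value) pairs out of a STIX pattern string."""
    return {(otype, value.replace("\\'", "'")) for otype, value in _COMPARISON.findall(pattern)}


def build_watchlist(indicators):
    """Map each observable value to the id of the indicator that supplied it."""
    watchlist = {}
    for ind in indicators:
        for _otype, value in extract_observables(ind["pattern"]):
            watchlist[value] = ind["id"]
    return watchlist


# Constructed key=value log lines from a proxy, a DNS resolver and a firewall.
LOG_LINES = [
    "2024-01-16T08:01:02Z proxy src=10.0.0.12 dst=198.51.100.7 url=http://198.51.100.7/update action=allow",
    "2024-01-16T08:03:10Z dns client=10.0.0.12 query=evil.example rcode=NOERROR",
    "2024-01-16T08:05:44Z proxy src=10.0.0.19 dst=192.0.2.10 url=http://www.example.org/ action=allow",
    "2024-01-16T08:07:00Z fw src=10.0.0.12 dst=203.0.113.45 dport=443 action=deny",
]


def _tokens(line):
    """Split a key=value log line into bare values; exact-token matching avoids substring false positives
    such as 203.0.113.4 matching inside 203.0.113.45."""
    out = set()
    for tok in line.split():
        if "=" in tok and not tok.startswith(("http://", "https://")):
            tok = tok.split("=", 1)[1]
        out.add(tok.strip("\"',;"))
    return out


def match_logs(lines, watchlist):
    """Return (line number, matched value, indicator id) for every log line that hits the watchlist."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        present = _tokens(line)
        for value, ind_id in watchlist.items():
            if value in present:
                hits.append((lineno, value, ind_id))
    return hits


if __name__ == "__main__":
    watch = build_watchlist(parse_envelope(TAXII_ENVELOPE))
    for lineno, value, ind_id in match_logs(LOG_LINES, watch):
        print(f"line {lineno}: {value} matches {ind_id}")
```

In a real deployment the envelope would be fetched over HTTPS from the collection's objects URL with the `application/taxii+json;version=2.1` media type, usually with an `added_after` filter so each poll only returns new objects; the matching logic is the part that stays the same whatever client library fetches the data.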

9
Q

When exploring the deep web, a user will need which of the following to find a specific and hidden dark web site?

A. The Onion Router (TOR)

B. Dark web search engine

C. A specific URL or IP address

D. Open Source Intelligence (OSINT)

A

C
Deep web sites, and dark web sites in particular, are hidden from search engines and are reached directly by their URL (for a Tor onion service, its .onion address). Those addresses are often only circulated by "word of mouth" on bulletin boards and forums. Tor gets a user onto the network and OSINT may reveal that a site exists, but locating a specific hidden site still requires its address.

10
Q

One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the critical factors to profile? (Select all that apply.)

A. Education

B. Socioeconomic status

C. Intent

D. Motivation

A

C, D
From the choices provided, the two most critical factors to profile for a threat actor are intent and motivation. Greed, curiosity, or grievance may motivate an attacker.

The intent could be to vandalize and disrupt a system or to steal something.
