Lesson 2:Using Threat Intelligence

Question 1

Open-source intelligence

Answer 1

a collection and analysis of information that is gathered from publicly available sources.

Question 2

Open-source intelligence is primarily used in

Answer 2

national security, law enforcement, and business intelligence functions.

Question 3

Closed source intelligence consists of

Answer 3

government or private data, which is not available through open inquiry.

Question 4

Closed source intelligence is primarily used in

Answer 4

business information, law enforcement data, educational records, banking records, and medical records.

Question 5

When assessing threat intelligence which three factors should you consider?

Answer 5

timeliness, relevancy, and accuracy of intelligence sources

Question 6

Confidence scores allow organizations to

Answer 6

filter and use threat intelligence based on how much trust they can give it.

Question 7

Why does a lot of threat intelligence start with a lower confidence score

Answer 7

that score increases as the information solidifies

Question 8

What does (STIX) stand for?

Answer 8

Structured Threat Information Expression

Question 9

Structured Threat Information Expression (STIX) is an

Answer 9

XML language originally sponsored by the U.S. Department of Homeland Security.

Question 10

Using a single threat feed can leave you in the dark! Many organizations leverage

Answer 10

multiple threat feeds to get the most up-to-date information.

Question 11

1. Requirements Gathering:

Answer 11

a. Assess what security breaches or compromises you have faced
b. what information could have prevented or limited the impact of the breach
c. what controls and security measures were not in a place that would have mitigated the breach

Question 12

2. Data Collection:

Answer 12

a. This phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources.

Question 13

3. Data Processing and Analysis: The data that you gathered will likely be in several different formats.

Answer 13

You must process the data to allow it to be consumed by whatever tools or processes

Question 14

(TAXII) protocol

Answer 14

Trusted Automated Exchange of Indicator Information

Question 15

4. Intelligence Dissemination

Answer 15

Data is distributed to leadership and operational personnel who will use the data as part of their security operations role.

Question 16

5. Feedback gathering feedback contributes to the continuous

Answer 16

improvement of security and it should be used to improve the overall output of your threat intelligence program.

Question 17

In the United States, organizations known as Information Sharing and Analysis Centers (ISACs) help

Answer 17

infrastructure owners and operators share threat information, as well as provide tools and assistance to their members.

Question 18

The CySA+ exam objectives specifically mention three areas in this information sharing grouping:

Answer 18

healthcare, financial services, and aviation.

Question 19

The CySA+ exam objectives specifically call out four common threat actors:

Answer 19

Nation-state actors
Organized Crime
Hacktivist
Insider Threat

Question 20

Nation-state actors often have the most access to

Answer 20

resources, including tools, talent, equipment, and time. ``

Question 21

Organized crime focused attacks aimed at

Answer 21

financial gain. Ransomware attacks are an increasingly common example of this type of threat from organized crime groups.

Question 22

Insider threats are threats from

Answer 22

employees or other trusted individuals or groups inside an organization.

Question 23

Insider threat’s intentions whether intentional or unintentional are

Answer 23

considered to be one of the most likely causes of breaches and are often difficult to detect.

Question 24

ATT&CK stands for

Answer 24

Adversarial Tactics, Techniques, and Common Knowledge

Question 25

The ATT&CK matrices include detailed descriptions, definitions, and examples for the complete threat life cycle, from

Answer 25

initial access through execution, persistence, privilege escalation, and exfiltration.

Question 26

The Diamond Model of Intrusion Analysis focuses heavily on understanding the attacker and their motivations

Answer 26

then uses relationships between these elements to better understand the threat

Question 27

Lockheed Martin’s Cyber Kill Chain Seven stages

Answer 27

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives

Question 28

1. Reconnaissance: Defenders must gather data about reconnaissance activities and

Answer 28

prioritize defenses based on that information.

Question 29

2. Weaponization involves building or acquiring a weaponizer that combines

Answer 29

malware and an exploit into a payload that can be delivered to the target. 9

Question 30

3. Delivery adversary either deploys their tool directly against targets or via release that relies

Answer 30

on staff at the target interacting with it such as an email payload, on a USB stick, or via websites that they visit.

Question 31

4. Exploitation uses software, hardware, or human vulnerability to gain access. Defense against this stage focuses on

Answer 31

user awareness, secure coding, vulnerability scanning, penetration testing, and endpoint hardening to ensure the organizations has a strong security posture

Question 32

5. Installation focuses on persistent backdoor access for attackers. Defenders must monitor for

Answer 32

typical artifacts of a persistent remote shell or other remote access methodologies.

Question 33

6. Command and Control (C2) access allows two-way communication and continued control of the remote system. Defenders will seek to detect the C2 infrastructure by

Answer 33

hardening the network, deploying detection capabilities, and conducting ongoing research to ensure they are aware of new C2 models and technology.

Question 34

7. Actions on Objectives: Adversaries will collect credentials, escalate privileges, move laterally through the environment. They may also

Answer 34

cause damage to systems or data.

Question 35

Retention of logs is important at which stage? why?

Answer 35

Delivery.

Defenders need them to track what occurred

Question 36

Proactive Threat Hunting Activities: Establishing a hypothesis to test and should have actionable results based on

Answer 36

the threat that the hypothesis considers.

Question 37

Proactive Threat Hunting Activities: Profiling threat actors and activities. This helps ensure that

Answer 37

you have considered who may be a threat, and why, as well as what their typical actions and processes are.

Question 38

Proactive Threat Hunting Activities: Threat hunting tactics. The skills, techniques, and procedures are where action

Answer 38

meets analysis. This step includes executable process analysis,

Question 39

Proactive Threat Hunting Activities: Reducing the attack surface area. This allows resources to be

Answer 39

focused on the remaining surface area, making protection more manageable.

Question 40

Proactive Threat Hunting Activities: Bundling critical assets into

Answer 40

groups and protection zones.

Question 41

Proactive Threat Hunting Activities: Improving detection capabilities. This is a continuous process as threats improve their techniques and technology. If you do not improve your detection capabilities, new threats will

Answer 41

bypass existing capabilities over time.

Question 42

Proactive Threat Hunting Activities: Integrated intelligence combines

Answer 42

multiple intelligence sources to provide a better view of threats.

Question 43

Proactive Threat Hunting Activities: Attack vectors must be understood, assessed, and addressed based on the

Answer 43

analysis of threat actors and their techniques as well as the surface area that threat actors can target.

Question 44

Attack vectors that specify how an attacker can gain access to their target, can include things like

Answer 44

(USB) key drops.

Question 45

The ATT&CK framework specifically defines

Answer 45

threat actor tactics in standardized ways.

Question 46

Which type of assessment is particularly useful for identifying insider threats?

Answer 46

Behavioral indicators: after-hours logins, misuse of credentials, logins from abnormal locations or abnormal patterns

Question 47

TAXII is specifically designed to exchange information

Answer 47

via Hypertext Transfer Protocol Secure (HTTPS).

Question 48

Which security company creates and provides a base set of indicators of compromise (IOC) used by OpenIOC?

Answer 48

Mandiant security company

Question 49

What is a common criticism of the Cyber Kill Chain model?

Answer 49

It includes actions outside the defended network

Question 50

Athena and Redshift fall under which category

Answer 50

Analytics

Question 51

CLOUD9, CLOUD COMMIT fall under which category

Answer 51

Development:

Question 52

RDS, DynamoDB, Aurora, DocumentDB, ElastiCache, Neptune fall under which category

Answer 52

Databases:

Question 53

Explain the difference between Region, AZ, and data center?

Answer 53

Regions are geographically isolated locations around the globe that has 2 or more AZ’s within it
-An AZ has one or more data centers within it