SECOPS 3: Incident Analysis in a Threat Centric SOC

Question 1

Kill Chain steps

Answer 1

Recon
Weaponization
Delivery
Exploitation
Installation
C2
Actions on Objectives

Question 2

What is a kill chain?

Answer 2

Process of an attacker building a plan to effect a specific goal against a target

Question 3

Weaponization

Answer 3

Development of a cyber weapon based on recon of a target

Question 4

Delivery

Answer 4

Transmission of payload via communication vector

Question 5

Exploitation

Answer 5

Executing the malicious code.

Results in access to the target system.

Question 6

3 Typical system weaknesses

Answer 6

Apps, OS, Users

Question 7

Installation phase

Answer 7

Establish persistence/back door

Question 8

C2 Phase

Answer 8

Exploited hosts beacon to the C2 server.

Question 9

Actions on objectives

Answer 9

Objective dependent actions taken by attacker.

The point of the whole thing

Question 10

Recon mitigation

Answer 10

NGFW, NGIPS

Question 11

Weaponization mitigation

Answer 11

Threat Intelligence

Question 12

Delivery Mitigation

Answer 12

DNS, Email, Web Security, NGIPS

Question 13

Exploit mitigation

Answer 13

Network Anti-Malware, NGFW, NGIPS

Question 14

Installation mitigation

Answer 14

Host Anti-Malware

Question 15

C2 Mitigation

Answer 15

DNS Security, Web Security, NGIPS

Question 16

Action on Obj. Mitigation

Answer 16

Flow analytics

Question 17

Diamond model nodes

Answer 17

Capability, Infrastructure, Adversary, Victim

Question 18

Diamond model Type 1 infrastructure

Answer 18

Owned by adversary

Question 19

Diamond model Type 2 infrastructure

Answer 19

Co-opted by adversary

Question 20

Diamond model meta-features (6)

Answer 20

Timestamp
Phase
Result
Direction
Methodology
Resources