SECOPS 4: Hunting Cyber Threats

Question 1

HM0

Answer 1

Relies on alerting (IDS). Cannot effectively hunt.

Question 2

HM1

Answer 2

Manual hunt ops. IDS alerts and internal info. Use threat intel feeds to identify threats.

Manual hunt.

Question 3

HM2

Answer 3

Incorporate hunt techniques from external. Large amounts of info.

Active hunt operations

Question 4

HMM

Answer 4

Hunting Maturity Model

Question 5

Hunting Maturity Model

Answer 5

Created by Sqrrl. Levels of maturity for a threat hunting operation.

Question 6

HM3

Answer 6

Analyze info of different types and use it to ID new malicious activity.
Do not rely on external.
Machine learning, data vizualization

Question 7

HM4.

Answer 7

HM3 + automation. Scripts written based on intel and procedures.

Question 8

Hunting Cycle

Answer 8

Hypothesize
Investigate
Uncover
Inform and enrich

Question 9

Hypothesize

Answer 9

Look at system from perspective of the atacker

Question 10

Investigate (Hunting cycle)

Answer 10

Use tools to investigate hypothesis

Question 11

Uncover (Hunting cycle)

Answer 11

Hunter attempts to discover a pattern or TTP.

Analyst investigates IOC’s to determine who was infected and what was done.

TTP’s are then shared.

Question 12

Inform and enrich (Hunting cycle)

Answer 12

Documentation and automation

Question 13

TTP

Answer 13

Tactics, techniques, and procedures.

How an attacker maintains presence.

Question 14

CVSS calculates…

Answer 14

chance of compromise and potential severity of damage

Question 15

Base metric

Answer 15

characteristics of a vuln that are constant over time and across user environments.

Question 16

Base metric composed of…

Answer 16

Exploitability metrics, impact metrics

Question 17

CVSS Attack Vector

Answer 17

More remote equals higher score.

Local, adjacent, network, physical

Question 18

Attack complexity

Answer 18

Conditions beyond attackers control that must exist to exploit

Low, High

Question 19

Privileges required

Answer 19

Privileges needed to exploit

None, low, high

Question 20

User interaction

Answer 20

Whether a user other than the attacker must participate for exploitation to succeed.

Question 21

Scope

Answer 21

Ability for vuln in one component to impact other resources or privileges.

Question 22

Confidentiality Impact

Answer 22

Vulnerabilities impact on confidentiality

Question 23

Integrity impact

Answer 23

Impact to trustworthiness or accuracy of info

Question 24

Availability impact

Answer 24

Can affect bandwidth, proc time, disk space

Question 25

Exploit code maturity

Answer 25

Likelihood of vuln being attacked based on current exploit availability

Question 26

Remediation level

Answer 26

Score goes down with availability of a patch

Question 27

Report confidence

Answer 27

Confidence that the vuln exists.

Question 28

CVSS Environmental Metrics

Answer 28

Customize score based on Importance of IT asset to the users organization

Question 29

Modified base impacts

Answer 29

Modify the impact of individual base metrics (Attack vector, Scope, CIA, etc.)

Question 30

CVSS Scores are computed from

Answer 30

“Big 3” CIA

Question 31

What modifies CVSS scores?

Answer 31

Temporal and environmental scoring

Question 32

What has largest bearing on CVSS score?

Answer 32

Base score

Question 33

Temporal scoring

Answer 33

“Time”. Based on vuln.

Question 34

CVSS scoring interval

Answer 34

Point in time. Scheduled re-evaluation.

Question 35

CVSS Final score

Answer 35

Score including environmental score. Used to prioritize

Question 36

Base score

Answer 36

Computed by the vendor or originator with intention of being publishied

Question 37

CVSS Rating: None

Answer 37

0.0

Question 38

CVSS Rating: Low

Answer 38

0.1-3

Question 39

CVSS Rating: Medium

Answer 39

4-6

Question 40

CVSS Rating: High

Answer 40

7-8

Question 41

CVSS Rating: Critical

Answer 41

9-10