Section 1: Overview of Security Flashcards

1
Q

CIA Triad

A

Confidentiality, Integrity, Availability

2
Q

What is Confidentiality

A

Information has not been disclosed to unauthorised people

Information is only disclosed to authorised people

3
Q

What is Integrity

A

Information has not been modified or altered without proper authorisation

4
Q

What is availability

A

Information, and the systems that hold it, can be accessed by authorised users whenever they need it (protected against outages, hardware failure, and denial of service)

5
Q

What are the AAA of Security

A

Authentication, Authorisation, Accounting

6
Q

What is Authentication in AAA

A

Proving that a claimed identity is genuine, using one or more factors:

Something you
- have (token, smart card, phone)
- are (fingerprint, face)
- know (password, PIN)
- do (typing rhythm, handwritten signature)
- somewhere you are (location)

Think HAKDA

7
Q

What is Authorisation in AAA

A

Granting an authenticated user access to a specific piece of data, system, or area of a building, according to what they are permitted to do (it follows authentication: you must know who someone is before deciding what they may access)

8
Q

What is Accounting in AAA

A

Tracking of data, computer usage, and network resources.

In the event of a data breach or an insider threat, the log files let you go back and establish who did what, and when.

9
Q

Non-repudiation

A

Proof that a particular party performed an action, so that they cannot later deny having done it.

Example: an email signed with your private key can be verified by anyone who has your public key. Because only you hold the private key, a valid signature is evidence that you sent that email (which is why the private key must stay under your sole control). A shared secret such as an HMAC key cannot give this guarantee, because either party who holds it could have produced the tag.
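Worked example, added here and not part of the original deck: a Go program showing why a digital signature gives non-repudiation and a shared-key MAC does not. The Ed25519 keys are derived from constructed seeds so the run is repeatable; the parties (Alice, Bob), the message, and the shared HMAC key are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// KeyPair holds one party's Ed25519 keys. Only the private half must stay
// secret; the public half can be handed to anyone who needs to verify.
type KeyPair struct {
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// keysFromLabel derives a deterministic key pair from a label so the example
// is repeatable. Real keys come from ed25519.GenerateKey(rand.Reader).
func keysFromLabel(label string) KeyPair {
	seed := sha256.Sum256([]byte("constructed example seed: " + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return KeyPair{Priv: priv, Pub: priv.Public().(ed25519.PublicKey)}
}

// SignMessage produces a signature only the holder of priv could have made.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySignature checks a signature with the public key alone: the verifier
// learns nothing that would let them forge a new signature.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// MacTag is the contrast case: an HMAC over msg with a key both parties share.
func MacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MacValid verifies an HMAC tag; note it needs the same key that created it.
func MacValid(key, msg, tag []byte) bool {
	return hmac.Equal(MacTag(key, msg), tag)
}

func main() {
	alice, bob := keysFromLabel("alice"), keysFromLabel("bob")
	msg := []byte("Please wire 100 to account 42. -- Alice")

	// Alice signs; Bob (or a court) verifies with Alice's public key.
	sig := SignMessage(alice.Priv, msg)
	fmt.Println("genuine signature verifies:", VerifySignature(alice.Pub, msg, sig))

	// Any change to the message breaks the signature (integrity).
	altered := []byte("Please wire 900 to account 42. -- Alice")
	fmt.Println("altered message verifies:", VerifySignature(alice.Pub, altered, sig))

	// Bob cannot produce a signature that verifies under Alice's key, so Alice
	// cannot claim Bob forged it: that is non-repudiation.
	fmt.Println("Bob's forgery verifies:", VerifySignature(alice.Pub, msg, SignMessage(bob.Priv, msg)))

	// With a shared HMAC key, Bob can mint a valid tag for any message he
	// likes, so a tag proves nothing about which of the two produced it.
	shared := []byte("constructed shared key")
	fmt.Println("Bob-made HMAC tag validates:", MacValid(shared, msg, MacTag(shared, msg)))
}
```

The last line is the point of the card: a MAC gives integrity and authenticity between two parties who trust each other, but because both hold the key, neither can prove to a third party which of them produced the tag.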

10
Q

Information Systems Security

A

The security of the systems that hold and process critical data

11
Q

Information Security

A

Act of protecting data and information from unauthorised access, unlawful modification and disruption, disclosure, corruption, and destruction.

12
Q

Malware

A

Short-hand term for malicious software

13
Q

When does Unauthorised Access occur?

A

Occurs when access to computer resources and data happens without the consent of the owner

14
Q

System Failure

A

When a computer crashes or an individual application fails (Blue Screen of Death / BSOD)

15
Q

Social Engineering

A

The act of manipulating users into revealing confidential information or performing other detrimental actions, e.g. through email phishing, or by impersonating someone (such as a delivery person) to gain access to the premises

16
Q

What are the 3 categories of controls for mitigating threats?

A
  1. Physical Controls
  2. Technical Controls
  3. Administrative (or Managerial) Controls
17
Q

What are Physical Controls?

A

Alarm systems, locks, surveillance cameras, identification cards, and security guards

18
Q

What are Technical Controls?

A

Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication

19
Q

What are Administrative Controls?

A

Policies, procedures, security awareness training, contingency planning, and disaster recovery plans

20
Q

Most cost effective security control?

A

User Training!

21
Q

What are the 5 types of Hackers?

A
  1. White Hats
  2. Gray Hats
  3. Black Hats
  4. Blue Hats
  5. Elite Hats
22
Q

White Hats

A

Non-malicious hackers who attempt to break into a company's systems at the company's request

  • Ethical hackers / pen testers
  • Often rely on open-source tools
23
Q

Gray Hats

A

Hackers with no affiliation to the company. They attempt to break into its network without permission, and so risk breaking the law

24
Q

Difference between Black & Gray hats?

A

Black hats:
- have malicious intent

Grey hats:
- just want to see if they can break into a company; they do not necessarily want to cause harm (but are still breaking the law)

  • They sometimes break into a company and then inform it: "this is how we did it, you need to patch it"
25
Q

Black Hats

A

Malicious hackers who break into computer systems and networks without authorisation or permission

26
Q

Blue Hats

A

Hackers who attempt to hack into a network with the permission of the company but are not employed by it.

  • Freelance ethical hackers / pen testers
  • Could be doing this as part of a bug bounty programme (e.g. HackerOne)
27
Q

Elite Hats

A

Hackers who find and exploit vulnerabilities before anyone else does.

  • create their own tools
  • do their own programming
  • develop tools that everyone else ends up using
  • Fall into 2 categories:
    - Black Hat Elite Hackers
    - White Hat Elite Hackers
28
Q

Script Kiddies

A

Hackers with limited skill who only run other people's exploits and tools

29
Q

Organised Crime

A

Hackers who are part of a crime group that is well-funded and highly sophisticated
30
Q

Hacktivists

A

Hackers who are driven by a cause like social change, political agendas, terrorism

31
Q

Advanced Persistent Threats (APT)

A

Highly trained and well-funded groups of hackers (often backed by nation states) with covert and open-source intelligence at their disposal

  • e.g. Russia attempting to interfere with US elections
  • e.g. China attempting to hack into US companies to steal their intellectual property
32
Q

Skill Level rankings

A

High to Low

  1. APTs
  2. Organised Crime
  3. Hacktivists
  4. Script Kiddies
33
Q

Always consider the sources of your intelligence!
What are some factors to weigh the value of the intelligence you are getting?

A
  1. Timeliness
  2. Relevancy
  3. Accuracy
  4. Confidence Level
34
Q

Intelligence Timeliness

A

Property of an intelligence source that ensures it is up-to-date

  • intelligence loses value over time (the newer the better)
  • if I know that your network is being attacked now, but wait 3 years to tell you, it is not useful
  • once adversaries realise they have been identified, they change tactics and the way they operate. So the report you write today might not be valid tomorrow, in 2 weeks, 3 months, or a year from now. Things change!
35
Q

Intelligence Relevancy

A

Property of an intelligence source that ensures it matches the use cases intended for it

  • if I am running Windows or Linux but someone is attacking macOS machines, is it really relevant to me?
  • you have to see what affects you or your organisation so that you can defend against it
36
Q

Intelligence Accuracy

A

Property of an intelligence source that ensures it produces effective results

  • information must be valid and true
  • eliminate false positives, especially when the intelligence comes from automated tooling, machine learning, or artificial intelligence
37
Q

Intelligence Confidence Levels

A

Property of an intelligence source that ensures it produces qualified statements about reliability

  • you put a grade on how good you think the information is
38
Q

Three sources you can get threat intelligence from

A
  1. Proprietary
  2. Closed-Source
  3. Open-Source
39
Q

Proprietary Information

A

Threat intelligence widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee

  • Not nearly as useful: many of these simply package information that is readily available on the internet without adding research of their own
40
Q

Closed-Source Information

A

Data derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from their customers' systems, suitably anonymised

  • e.g. FireEye
41
Q

Open-Source Information (OSINT)

A

Data available to use without subscription, which may include threat feeds similar to the commercial providers', and may contain reputation lists and malware signature databases

  • US-CERT (now part of CISA)
  • UK's NCSC
  • AT&T Cybersecurity / AlienVault Open Threat Exchange (OTX)
  • MISP (Malware Information Sharing Platform)
  • VirusTotal (scans uploaded files with many anti-virus engines and acts as a repository of malware samples)
  • Spamhaus (spam and email reputation)
  • SANS ISC Suspicious Domains
42
Q

Threat Feeds

A

Threat feeds are a form of explicit knowledge, but implicit (tacit) knowledge from experienced practitioners is also useful

43
Q

Explicit knowledge

A

Knowledge that can be codified, i.e. that you can

  • write down
  • document and share with others
  • hand to a tool (threat feeds, signatures, runbooks)
44
Q

Implicit knowledge

A

Knowledge that you

  • only get from experience in the field
  • 'ah, I know something is wrong here because of my experience'
  • can't write down; it's just something you know because of your experience
45
Q

Open-Source Intelligence (OSINT)

A

Methods of obtaining information about a person or organisation through public records, websites, and social media

46
Q

What is Threat Hunting

A

A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring

  • a proactive activity, not a reaction to an alert
47
Q

Is Threat hunting potentially less disruptive than penetration testing?

A

Yes. You analyse data already collected from the systems you have instead of trying to break into them

48
Q

First step of Threat Hunting?

A

Establish a Hypothesis

  • It is derived from threat modelling and is based on potential events with higher likelihood and higher impact
49
Q

Second step of Threat Hunting?

A

Profiling Threat Actors and Activities

  • Create scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be
  • understand who is trying to attack you
  • what systems they might be going after
50
Q

What does Threat Hunting rely on?

A

On the use of tools developed for regular security monitoring and incident response

51
Q

What should you assume when Threat Hunting?

A

That the existing rules you have in place for protection have most likely failed

52
Q

What are the steps you need to take for the following scenario:

You have threat intelligence that there is this new Windows malware that is infecting your Windows computers and there are no current malware definitions for it.

A
  1. Analyse network traffic
  2. Analyse the list of running processes (executables) on the host you are investigating
  3. Identify how the malicious process was executed
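Worked example, added here and not part of the original deck: a Go program that walks the three steps above over constructed Sysmon-style process-create and network-connect records. The hosts, paths, addresses, allow-listed ports, and the "office app spawned a shell" rule are all assumptions made for the example. With no signature for the malware, the hunt has to rely on behaviour: an outbound connection on an unexpected port, a binary running from a user-writable directory, and an unusual parent-child chain.

```go
package main

import (
	"fmt"
	"strings"
)

// Process and NetConn carry the fields a Sysmon process-create (event 1) and
// network-connect (event 3) record would give you. All data is constructed.
type Process struct{ PID, PPID int; Image string }
type NetConn struct{ PID, DstPort int; DstIP string }
type Finding struct{ PID int; Reason string }

var processes = []Process{
	{4, 0, `System`},
	{600, 4, `C:\Windows\System32\services.exe`},
	{1200, 600, `C:\Windows\explorer.exe`},
	{2300, 1200, `C:\Program Files\Microsoft Office\WINWORD.EXE`},
	{2400, 2300, `C:\Windows\System32\cmd.exe`},
	{2410, 2400, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`},
	{2500, 2410, `C:\Users\jsmith\AppData\Local\Temp\svchost.exe`}, // masquerades as a system binary
	{3100, 1200, `C:\Program Files\Mozilla Firefox\firefox.exe`},
}
var conns = []NetConn{{3100, 443, "142.250.72.14"}, {2500, 4444, "203.0.113.77"}, {2500, 4444, "203.0.113.77"}, {600, 135, "10.0.0.5"}}

// Site assumptions: where installed binaries live, which parents must never
// spawn a shell, and which destination ports are normal for this network.
var trustedRoots = []string{`c:\windows\`, `c:\program files\`, `c:\program files (x86)\`}
var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "outlook.exe": true}
var shells = map[string]bool{"cmd.exe": true, "powershell.exe": true, "wscript.exe": true, "mshta.exe": true}
var allowedPorts = map[int]bool{80: true, 443: true, 135: true, 445: true}

func baseName(p string) string { return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:]) }
func inTrustedRoot(p string) bool {
	for _, r := range trustedRoots {
		if strings.HasPrefix(strings.ToLower(p), r) {
			return true
		}
	}
	return false
}

func byPID(procs []Process) map[int]Process {
	m := make(map[int]Process, len(procs))
	for _, p := range procs {
		m[p.PID] = p
	}
	return m
}

// Step 1, network traffic: with no signature to match, flag outbound
// connections on unexpected ports or from binaries outside trusted paths.
func HuntNetwork(procs []Process, cs []NetConn) []Finding {
	var out []Finding
	for _, p := range procs {
		for _, c := range cs {
			if c.PID == p.PID && (!allowedPorts[c.DstPort] || !inTrustedRoot(p.Image)) {
				out = append(out, Finding{p.PID, fmt.Sprintf("outbound %s:%d from %s", c.DstIP, c.DstPort, p.Image)})
				break // one finding per process is enough to start the investigation
			}
		}
	}
	return out
}

// Step 2, the process list: flag binaries running from user-writable
// locations and office applications that spawned a shell.
func HuntProcesses(procs []Process) []Finding {
	parents, out := byPID(procs), []Finding(nil)
	for _, p := range procs {
		if p.PPID == 0 {
			continue // kernel pseudo-process
		}
		if !inTrustedRoot(p.Image) {
			out = append(out, Finding{p.PID, "running from untrusted location: " + p.Image})
		}
		if par, ok := parents[p.PPID]; ok && officeApps[baseName(par.Image)] && shells[baseName(p.Image)] {
			out = append(out, Finding{p.PID, baseName(par.Image) + " spawned " + baseName(p.Image)})
		}
	}
	return out
}

// Step 3, how was it executed: walk the parent chain back to the root.
func ExecutionChain(procs []Process, pid int) []string {
	parents, seen, chain := byPID(procs), map[int]bool{}, []string(nil)
	for p, ok := parents[pid]; ok && !seen[pid]; p, ok = parents[pid] {
		seen[pid] = true
		chain = append([]string{baseName(p.Image)}, chain...)
		pid = p.PPID
	}
	return chain
}

func main() {
	for _, f := range append(HuntNetwork(processes, conns), HuntProcesses(processes)...) {
		fmt.Printf("PID %d: %s\n", f.PID, f.Reason)
	}
	fmt.Println("execution chain:", strings.Join(ExecutionChain(processes, 2500), " > "))
}
```

The chain for PID 2500 reads explorer > WINWORD > cmd > powershell > svchost-in-Temp, which answers step 3 (a macro-laden document launched a shell that dropped the binary) and gives you the artefacts to hunt for on every other host: the same parent-child pair, the same Temp path, the same destination address and port.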
53
Q

What are the 5 benefits of Threat Hunting?

A
  1. Improve detection capabilities
  2. Integrate Intelligence
  3. Reduce attack surface
  4. Block attack vectors
  5. Identify critical assets
54
Q

What does the benefit of Threat Hunting, “Improve detection capabilities” include?

A

Once you find out how someone infiltrated and bypassed detection, feed it back into the detection plan: rewrite rule sets and detection algorithms, and use better scripting. You can also improve signature-based detection and prevent future attacks.

55
Q

What does the benefit of Threat Hunting, “Integrate Intelligence” include?

A

Correlate external threat intelligence with your internal logs and sources. When the two are combined you get actionable intelligence

56
Q

What does the benefit of Threat Hunting, “Reduce Attack Surface” include?

A

Identify your attack surface, i.e. where an attacker might have got into the network. Based on that you can go back and reduce it

57
Q

What does the benefit of Threat Hunting, “Block Attack Vectors” include?

A

Attackers use different attack vectors and TTPs (Tactics, Techniques, Procedures).

You can add additional security controls to block those ports or interfaces and prevent intrusions.

58
Q

What does the benefit of Threat Hunting, “Identify Critical Assets” include?

A

You can identify what attackers go after and work out the best defensive options for those critical systems and data assets.

59
Q

What does TTP mean?

A

Tactics, Techniques, Procedures

60
Q

What are the 3 attack frameworks?

A
  1. Lockheed Martin Kill Chain
  2. MITRE ATT&CK Framework
  3. Diamond Model of Intrusion Analysis
61
Q

What is the Lockheed Martin Kill Chain Framework?

A

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion

62
Q

What are the 7 steps of Lockheed Martin Kill Chain Framework?

A
  1. Reconnaissance
  2. Weaponisation
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control (C2)
  7. Actions on Objective
63
Q

What is the Reconnaissance step in Kill Chain?

A

The process by which an attacker determines what methods to use to complete the phases of the attack

  • passive information gathering
  • passive / active scanning techniques
  • OSINT
64
Q

What is the Weaponisation step in Kill Chain?

A

The attacker couples a payload (such as a remote access tool) with exploit code that takes advantage of a vulnerability in the target system, so that the payload runs when the vulnerability is triggered.

65
Q

What is the Delivery step in Kill Chain?

A

When a vector is identified which allows the weaponised code to be transmitted to the target environment

  • email (phishing)
  • USB
66
Q

What is the Exploitation step in Kill Chain?

A

The weaponised code is executed on the target system

  • an email with a phishing link: exploitation happens when the link is clicked
  • an infected USB drive is plugged in and its contents autorun
67
Q

What is the Installation step in Kill Chain?

A

Mechanism that enables the weaponised code to run a remote access tool and achieve persistence on the target system

  • gives us control of the system going forwards
  • persistence is what we are looking for
68
Q

What is the Command & Control (C2) step in Kill Chain?

A

An outbound channel is established to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack (reverse shell)

  • You have access, control, and you can run commands
69
Q

What is the Actions on Objective step in Kill Chain?

A

Use the access you achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives

70
Q

How can Kill Chain Analysis be used to our advantage?

A

It can be used to build a defensive course-of-action matrix that counters the progress of an attack at each stage

  • block the kill chain steps
  • detect, deny, disrupt, degrade, deceive, destroy the attacker's capabilities (the 6 Ds)
71
Q

What are the 6 D’s of Kill Chain Analysis?

A
  1. Detect
  2. Deny
  3. Disrupt
  4. Degrade
  5. Deceive
  6. Destroy
72
Q

What is the MITRE ATT&CK Framework?

A

A knowledge base maintained by the MITRE Corporation that lists and explains specific adversary tactics, techniques, and common knowledge (procedures), published at attack.mitre.org

73
Q

What is the MITRE ATT&CK Framework focusing on?

A

More on the exploitation phase onwards: what an adversary does on and inside the target (initial access, execution, persistence, privilege escalation, lateral movement, collection, exfiltration, impact) rather than on the reconnaissance and weaponisation that precede it

74
Q

What does the pre-ATT&CK tactics matrix align with?

A

The Reconnaissance and Weaponisation phases of the Kill Chain

  • detect things before they become real attacks
  • (PRE-ATT&CK has since been folded into the Enterprise ATT&CK matrix as the Reconnaissance and Resource Development tactics)
75
Q

What is the Diamond Model of Intrusion Analysis framework?

A

A framework for analysing cybersecurity incidents and intrusions by exploring the relationship between four core features

76
Q

What are the 4 core features of the Diamond Model of Intrusion Analysis Framework?

A
  1. Adversary
  2. Capability
  3. Infrastructure
  4. Victim
77
Q

What does the Diamond Model of Intrusion Analysis framework represent?

A

An intrusion event

78
Q

How can you automate the Diamond Model of Intrusion Analysis framework?

A

By representing each event as a tuple of the four core features (adversary, capability, infrastructure, victim), plus meta-features such as timestamp, kill chain phase, and result, and feeding those records into a SIEM, where they can be correlated and pivoted on
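Worked example, added here and not part of the original deck: a Go program that models an intrusion event as a Diamond tuple, emits it as a JSON line a SIEM could ingest, pivots on a known indicator to reach the other corners of the diamond, and links events that share a corner into activity threads. The events, hosts, addresses, and tool names are constructed, and the JSON field names are the example's own choice rather than any standard schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// DiamondEvent is one intrusion event as a tuple: the four core features plus
// the usual meta-features (time, kill chain phase, result).
type DiamondEvent struct {
	Timestamp      string `json:"timestamp"`
	Phase          string `json:"phase"`
	Result         string `json:"result"`
	Adversary      string `json:"adversary"`
	Capability     string `json:"capability"`
	Infrastructure string `json:"infrastructure"`
	Victim         string `json:"victim"`
}

// Constructed sample events; hosts, addresses and tool names are made up. The
// adversary is "unknown" because that corner is usually the last one filled in.
var events = []DiamondEvent{
	{"2024-03-01T09:12:00Z", "delivery", "success", "unknown", "macro-laden invoice doc", "invoice-sender.test", "finance-ws-07"},
	{"2024-03-01T09:14:00Z", "command-and-control", "success", "unknown", "rat-family-x", "203.0.113.77:4444", "finance-ws-07"},
	{"2024-03-03T22:40:00Z", "command-and-control", "success", "unknown", "rat-family-x", "203.0.113.77:4444", "hr-ws-12"},
	{"2024-03-05T11:05:00Z", "delivery", "failure", "unknown", "macro-laden invoice doc", "invoice-sender.test", "legal-ws-03"},
	{"2024-03-06T02:00:00Z", "exploitation", "success", "unknown", "web shell upload", "198.51.100.9", "web-01"},
}

// ToSIEMRecord renders one event as a JSON line a SIEM can ingest and index.
func ToSIEMRecord(e DiamondEvent) string {
	b, _ := json.Marshal(e)
	return string(b)
}

// Selectors for the corners of the diamond, so Pivot can work on any of them.
var (
	Infrastructure = func(e DiamondEvent) string { return e.Infrastructure }
	Capability     = func(e DiamondEvent) string { return e.Capability }
	Victim         = func(e DiamondEvent) string { return e.Victim }
)

// Pivot returns every event sharing one feature value, oldest first. From a
// known indicator (say a C2 address) it reaches the other corners: which
// victims it touched and which capabilities were used.
func Pivot(evs []DiamondEvent, by func(DiamondEvent) string, value string) []DiamondEvent {
	var out []DiamondEvent
	for _, e := range evs {
		if by(e) == value {
			out = append(out, e)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Timestamp < out[j].Timestamp })
	return out
}

// ActivityThreads links events that share infrastructure, capability or victim
// into chains (connected components), tying separate alerts into one campaign.
func ActivityThreads(evs []DiamondEvent) [][]DiamondEvent {
	linked := func(a, b DiamondEvent) bool {
		return a.Infrastructure == b.Infrastructure || a.Capability == b.Capability || a.Victim == b.Victim
	}
	assigned := make([]bool, len(evs))
	var threads [][]DiamondEvent
	for i := range evs {
		if assigned[i] {
			continue
		}
		assigned[i] = true
		thread, queue := []DiamondEvent(nil), []int{i}
		for len(queue) > 0 {
			k := queue[0]
			queue = queue[1:]
			thread = append(thread, evs[k])
			for j := range evs {
				if !assigned[j] && linked(evs[k], evs[j]) {
					assigned[j] = true
					queue = append(queue, j)
				}
			}
		}
		sort.Slice(thread, func(a, b int) bool { return thread[a].Timestamp < thread[b].Timestamp })
		threads = append(threads, thread)
	}
	return threads
}

func main() {
	fmt.Println(ToSIEMRecord(events[1]))
	for _, e := range Pivot(events, Infrastructure, "203.0.113.77:4444") {
		fmt.Println("reached via C2 address:", e.Victim, "at", e.Timestamp)
	}
	for n, t := range ActivityThreads(events) {
		fmt.Printf("thread %d: %d events, %s to %s\n", n+1, len(t), t[0].Timestamp, t[len(t)-1].Timestamp)
	}
}
```

Pivoting on the C2 address shows a second victim (hr-ws-12) that the original finance alert never mentioned, and the thread logic joins the failed delivery against legal-ws-03 to the same campaign through its shared infrastructure; the web shell event stays separate because it shares no corner with the others.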

79
Q

Can the 3 attack Frameworks be combined or used individually only?

A

They can be combined or used individually.