Section 4

Question 1

What does HMM?

Answer 1

Hunting Maturity Model

Question 2

What are the 5 levels in the HMM model?

Answer 2

HM0 (Least Proactive)
HM1
HM2
HM3
HM4 (Most Proactive)

Question 3

What is happening at HM0 level?

Answer 3

Only collecting IDS alerts and as such is a reactive model.

Question 4

What is happening at HM1 level?

Answer 4

Collecting IDS alerts but also collecting logs from other systems.

Question 5

What is happening at HM2 level?

Answer 5

Mostly perform active, rather than reactive, hunt operations at this level.
Collecting large amounts of data.
Use External sources into their own hunt operations.

Question 6

What is happening at HM3 level?

Answer 6

Do not rely on external sources
Usually, push such information out
Using machine learning to see beyond the alert.

Question 7

What is happening at HM4 level?

Answer 7

Highest level
automate many tactical level analysis
scripts or programs can be written that are based on intelligence and hunt procedures

Question 8

What is the Threat Hunting Cycle?

Answer 8

Hypothesis
Investigation
Uncover
Inform and enrich

Question 9

What happens in the Hypothesis stage of the Threat Hunting Cycle?

Answer 9

The: 
Who
What
Where
How
Are there Vulnerable systems

Question 10

What happens in the Investigation stage of the Threat Hunting Cycle?

Answer 10

Checking security system logs
Querying datasets
Use of machine learning to help find malicious code

Question 11

What happens in the Uncover stage of the Threat Hunting Cycle?

Answer 11

Identify IOCs (Indicator of compromise)
TTP = Tactics, Techniques and procedures

Question 12

What happens in the Inform and enrich stage of the Threat Hunting Cycle?

Answer 12

Lessons learnt

Support documentation of previous steps

Question 13

What is the Hot Threat Dashboard?

Answer 13

It is used by SOCs to investigate the top 15 vulnerabilities in the network.
Must have a CVSS score of 7.0 or higher to make it onto the top threat dashboard.
After 30 days old vulnerabilities are moved off the list and into the database.

Question 14

What is TLP?

Answer 14

Traffic Light Protocol

Question 15

In the Traffic Light Protocol, what are the different levels?

Answer 15

Red
Amber
Green
White

Question 16

What can be disclosed at TLP Red level?

Answer 16

Not for disclosure, restricted to participants only

Question 17

What can be disclosed at TLP Amber level?

Answer 17

Limited disclosure, restricted to participants organizations only.

Question 18

What can be disclosed at TLP Green level?

Answer 18

Limited disclosure, restricted to the community

Question 19

What can be disclosed at TLP White level?

Answer 19

Disclosure not limited

Question 20

What is an injection attack?

Answer 20

SQL injection attack is when an attacker adds SQL statements to an online form in the hope that it will retrieve secure information, add or delete from the database, crash the database. Validating user input before passing it to the database can stop this attack

Question 21

What is broken authentication & session management?

Answer 21

An attacker takes advantage of a failure to properly expire sessions and to tie a session to an individual.

Question 22

What is Cross-site scripting (XSS) attack?

Answer 22

Poor input validation which allows an attacker to run malicious code in a users browser which might display a message or steal a users cookies.

Question 23

What is insecure direct object reference attack?

Answer 23

An attacker changing the ID in a web address from the current user to a different user and getting the information on that user. This shows a lack of authentication.

Question 24

What is security misconfiguration attack?

Answer 24

An attacker takes advantage of improper configurations of any part of the application stack, including web servers, databases, or application code.

Question 25

What is sensitive data exposure attack?

Answer 25

An attacker takes advantage of a failure to properly secure sensitive data. Sending data in plaintext, using weak encryption keys, compromised encryption algorithm.

Question 26

What is missing function level access control?

Answer 26

When an admin fails to properly authenticate access to restricted sections of a site.

Question 27

What is Cross-site request forgery?

Answer 27

An attacker takes advantage of a failure to ensure that each request was properly originated by a user.

Question 28

What is using components with known vulnerabilities attack?

Answer 28

An attacker takes advantage of a failure to properly patch or update software, creating an attack surface.

Question 29

What are invalidated redirects and forwards?

Answer 29

An attacker takes advantage of a scripts forwarding and redirection features to present the illusion of browsing to a trusted site, only to be forwarded to a malicious one.

Question 30

Examples of devices that produce Transaction Data?

Answer 30

DHCP Servers
DNS Servers
Proxy Servers

Question 31

Examples of devices that produce Alert Data?

Answer 31

AAA Server

IPS devices

Question 32

Examples of devices that produce Session Data?

Answer 32

Netflow

Firewall