Security Incident Creation and Threat Intelligence (14%) Flashcards

1
Q

What is the MITRE ATT&CK framework?

A

A knowledge base of cyberattack tactics and techniques used as a foundation for the development of specific threat models and methodologies.

2
Q

What does ATT&CK stand for?

A

Adversarial Tactics, Techniques, and Common Knowledge

3
Q

The relationship between tactics and techniques can be visualized in the __________________.

A

ATT&CK Matrix

4
Q

What are tactics?

A

Tactics represent the “why” of an ATT&CK technique. It is the adversary’s tactical objective: the reason for performing an action.

5
Q

What are techniques?

A

Techniques represent “how” an adversary achieves a tactical objective by performing an action.

6
Q

What table are tactics stored in?

A

Kill Chain Phase [sn_ti_stix2_kill_chain_phase]

7
Q

What table are techniques stored in?

A

Attack Pattern [sn_ti_stix2_attack_pattern]

8
Q

When alerts are ingested from the SIEM, what are executed to populate the MITRE-ATT&CK information on the Security Incident?

A

Extraction rule/s

9
Q

What are three personas related to MITRE-ATT&CK usage?

A

  1. Security Teams
  2. Executive Teams
  3. Threat Intel Teams
10
Q

What visually represents the structure of the STIX object and its relationships?

A

STIX Visualizer

11
Q

What displays aggregate data visually using colors to represent different values?

A

Heatmap

12
Q

When setting up the MITRE-ATT&CK integration in ServiceNow, what is the first step?

A

Set up the TAXII Profile

13
Q

For Threat Intelligence, what scope are all of the System Properties in?

A

Threat Intelligence Support Common [sn_ti]

14
Q

What role is created when the MITRE-ATT&CK integration is set up?

A

sn_ti.mitre_analyst

15
Q

Where can a listing of the Techniques be found?

A

Threat Intelligence > MITRE ATT&CK Repository > Techniques

16
Q
A
17
Q

What are Observables?

A

Observables represent stateful properties (such as the MD5 hash of a file or the value of a registry key) or measurable events (such as the creation of a registry key or the deletion of a file) that are pertinent to the operation of computers and networks.

18
Q

What are Indicators of Compromise (IOCs)?

A

Anything that allows you to detect an attack or breach; often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached.

19
Q

What are observations of “potentially malicious activity”?

A

Sighting Searches

20
Q

What is a Security Case?

A

A collection of records that aid in building an argument for identifying and dealing with particular threats.

21
Q

What represent the “why” of an ATT&CK technique?

A

Tactics; they are the adversary’s tactical objective: the reason for performing an action

22
Q

What represents “how” an adversary achieves a tactical objective by performing an action?

A

Techniques

23
Q

What table are tactics stored in?

A

Kill Chain Phase [sn_ti_stix2_kill_chain_phase]

24
Q

What table are techniques stored in?

A

Attack Pattern [sn_ti_stix2_attack_pattern]

25
Q

What are executed to populate the MITRE-ATT&CK information on the Security Incident when alerts are ingested from the SIEM?

A

Extraction rule/s

26
Q

__________________ are the first actionable items in threat intelligence.

A

Observables

27
Q

Where do you go to view and manage MITRE relationships?

A

Threat Intelligence > MITRE ATT&CK Repository > MITRE Relationships

28
Q

From the Filter Navigator, where do you go to find a listing of the Techniques?

A

Threat Intelligence > MITRE ATT&CK Repository > Techniques

29
Q

For Threat Intelligence, all the System Properties are in the ____________________________ application scope.

A

Threat Intelligence Support Common

30
Q

What visually represents the structure of the STIX object and its relationships?

A

STIX Visualizer

31
Q

__________________ charts display aggregate data visually using colors to represent different values.

A

Heatmap