Security Incident Creation and Threat Intelligence (14%)

Question 1

What is the MITRE ATT&CK framework?

Answer 1

A knowledge base of cyberattack tactics and techniques used as a foundation for the development of specific threat models and methodologies.

Question 2

What does ATT&CK stand for?

Answer 2

Adversarial Tactics, Techniques, and Common Knowledge

Question 3

The relationship between tactics and techniques can be visualized in the __________________.

Answer 3

ATT&CK Matrix

Question 4

What are tactics?

Answer 4

Tactics represent the “why” of an ATT&CK technique. It is the adversary’s tactical objective: the reason for performing an action.

Question 5

What are techniques?

Answer 5

Techniques represent “how” an adversary achieves a tactical objective by performing an action.

Question 6

What table are tactics stored in?

Answer 6

Kill Chain Phase [sn_ti_stix2_kill_chain_phase]

Question 7

What table are techniques stored in?

Answer 7

Attack Pattern [sn_ti_stix2_attack_pattern]

Question 8

When alerts are ingested from the SIEM, what are executed to populate the MITRE-ATT&CK information on the Security Incident?

Answer 8

Extraction rule/s

Question 9

What are three personas related to MITRE-ATT&CK usage?

Answer 9

1. Security Teams
2. Executive Teams
3. Threat Intel Teams

Question 10

What visually represents the structure of the STIX object and its relationship?

Answer 10

STIX Visualizer

Question 11

What display aggregate data visually using colors to represent different values?

Answer 11

Heatmap

Question 12

When setting up the MITRE-ATT&CK integration in ServiceNow, what is the first step?

Answer 12

Setup the TAXII Profile

Question 13

For Threat Intelligence, what scope are all of the System Properties in?

Answer 13

Threat Intelligence Support Common [sn_ti]

Question 14

What role is created when the MITRE-ATT&CK integration is setup?

Answer 14

sn_ti.mitre_analyst

Question 15

Where can a listing of the Techniques be found?

Answer 15

Threat Intelligence > MITRE ATT&CK Repository > Techniques

Question 17

What are Observables?

Answer 17

Observables represent stateful properties (such as the MD5 hash of a file or the value of a registry key) or measurable events (such as the creation of a registry key or the deletion of a file) that are pertinent to the operation of computers and networks.

Question 18

What are Indicators of Compromise (IOCs)?

Answer 18

Anything that allows you to detect an attack or breach; often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached.

Question 19

What are observations of “potentially malicious activity”?

Answer 19

Sighting Searches

Question 20

What is a Security Case?

Answer 20

A collection of records that aid in building an argument for identifying and dealing with particular threats.

Question 21

What represent the “why” of an ATT&CK technique?

Answer 21

Tactics; they are the adversary’s tactical objective: the reason for performing an action

Question 22

What represents “how” an adversary achieves a tactical objective by performing an action?

Answer 22

Techniques

Question 23

What table are tactics stored in?

Answer 23

Kill Chain Phase [sn_ti_stix2_kill_chain_phase]

Question 24

What table are techniques stores in?

Answer 24

Attack Pattern [sn_ti_stix2_attack_pattern]

Question 25

What are executed to populate the MITRE-ATT&CK information on the Security Incident when alerts are ingested from the SIEM?

Answer 25

Extraction rule/s

Question 26

__________________ are the first actionable items in threat intelligence.

Answer 26

Observables

Question 27

Where do you go to view and manage MITRE relationships?

Answer 27

Threat Intelligence > MITRE ATT&CK Repository > MITRE Relationships

Question 28

From the Filter Navigator, where do you go to find a listing of the Techniques?

Answer 28

Threat Intelligence > MIRE ATT&CK Repository > Techniques

Question 29

For Threat Intelligence, all the System Properties are in the ____________________________ application scope.

Answer 29

Threat Intelligence Support Common

Question 30

What visually represents the structure of the STIX object and its relationship?

Answer 30

STIX Visualizer

Question 31

__________________ charts display aggregate data visually using colors to represent different values.

Answer 31

Heatmap