Security Incident Creation and Threat Intelligence (14%) Flashcards
What is the MITRE ATT&CK framework?
A knowledge base of cyberattack tactics and techniques used as a foundation for the development of specific threat models and methodologies.
What does ATT&CK stand for?
Adversarial Tactics, Techniques, and Common Knowledge
The relationship between tactics and techniques can be visualized in the __________________.
ATT&CK Matrix
What are tactics?
Tactics represent the “why” of an ATT&CK technique. It is the adversary’s tactical objective: the reason for performing an action.
What are techniques?
Techniques represent “how” an adversary achieves a tactical objective by performing an action.
What table are tactics stored in?
Kill Chain Phase [sn_ti_stix2_kill_chain_phase]
What table are techniques stored in?
Attack Pattern [sn_ti_stix2_attack_pattern]
When alerts are ingested from the SIEM, what are executed to populate the MITRE-ATT&CK information on the Security Incident?
Extraction rule(s)
What are three personas related to MITRE-ATT&CK usage?
- Security Teams
- Executive Teams
- Threat Intel Teams
What visually represents the structure of the STIX object and its relationship?
STIX Visualizer
What displays aggregate data visually using colors to represent different values?
Heatmap
When setting up the MITRE-ATT&CK integration in ServiceNow, what is the first step?
Set up the TAXII Profile
For Threat Intelligence, what scope are all of the System Properties in?
Threat Intelligence Support Common [sn_ti]
What role is created when the MITRE-ATT&CK integration is set up?
sn_ti.mitre_analyst
Where can a listing of the Techniques be found?
Threat Intelligence > MITRE ATT&CK Repository > Techniques
What are Observables?
Observables represent stateful properties (such as the MD5 hash of a file or the value of a registry key) or measurable events (such as the creation of a registry key or the deletion of a file) that are pertinent to the operation of computers and networks.
What are Indicators of Compromise (IOCs)?
Anything that allows you to detect an attack or breach; often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached.
What are observations of “potentially malicious activity”?
Sighting Searches
What is a Security Case?
A collection of records that aid in building an argument for identifying and dealing with particular threats.
What represent the “why” of an ATT&CK technique?
Tactics; they are the adversary’s tactical objective: the reason for performing an action
What represents “how” an adversary achieves a tactical objective by performing an action?
Techniques
What table are techniques stored in?
Attack Pattern [sn_ti_stix2_attack_pattern]
What are executed to populate the MITRE-ATT&CK information on the Security Incident when alerts are ingested from the SIEM?
Extraction rule(s)
__________________ are the first actionable items in threat intelligence.
Observables
Where do you go to view and manage MITRE relationships?
Threat Intelligence > MITRE ATT&CK Repository > MITRE Relationships
From the Filter Navigator, where do you go to find a listing of the Techniques?
Threat Intelligence > MITRE ATT&CK Repository > Techniques
For Threat Intelligence, all the System Properties are in the ____________________________ application scope.
Threat Intelligence Support Common
__________________ charts display aggregate data visually using colors to represent different values.
Heatmap