Study Guide - Chapter 4: Threat Intelligence Flashcards

1
Q

1- Which of the following measures is not commonly used to assess threat intelligence?

  • Timeliness
  • Detail
  • Accuracy
  • Relevance
A

Timeliness

While higher levels of detail can be useful, it isn’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

2
Q

3- Which of the following activities follows threat data analysis in the threat intelligence cycle?

  • Gathering feedback
  • Threat data collection
  • Threat data review
  • Threat intelligence dissemination
A

Threat intelligence dissemination

Threat intelligence dissemination or sharing typically follows threat data analysis. The goal is to get the threat data into the hands of the organizations and individuals who need it.

3
Q

Threat Intelligence Cycle steps

A
  • Planning and Requirements Gathering
  • Data Collection
  • Data Processing and Analysis
  • Intelligence Dissemination
  • Feedback
4
Q

4- Susan wants to start performing intelligence gathering. Which of the following options is frequently conducted in the requirements gathering stage?

  • Review of security breaches or compromises your organization has faced
  • Review of current vulnerability scans
  • Review of current data handling standards
  • Review of threat intelligence feeds for new threats
A

Review of security breaches or compromises your organization has faced

Understanding what your organization needs is important for the requirements gathering phase of the intelligence cycle. Reviewing recent breaches and compromises can help to define what threats you are currently facing. Current vulnerability scans can identify where you may be vulnerable but are less useful for threat identification. Data handling standards do not provide threat information, and intelligence feed reviews list new threats, but those are useful only if you know what type of threats you’re likely to face so that you can determine which ones you should target.

5
Q

5- What organizations did the U.S. government help create to share knowledge between organizations in specific verticals?

  • DHS
  • SANS
  • CERTs
  • ISACs
A

ISACs

The U.S. government created the information sharing and analysis centers (ISACs). ISACs help infrastructure owners and operators share threat information, as well as provide tools and assistance to their members.

6
Q

SANS

A

The SANS Institute is a provider of:
* security training
* security resources
* threat intelligence information

7
Q

ISAC

A

Information Sharing and Analysis Centers (ISACs)
* organizations that facilitate the sharing of threat information among infrastructure owners and operators within specific sectors, also providing tools and support to their members
* ISACs were created to help protect critical infrastructure by establishing a trusted environment for sharing threat data, incident response, and threat analysis

8
Q

CERTs

A

Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs)
* organizations that provide public information via their websites and social media feeds
* often share threat information that can be especially useful for organizations that face similar threats

9
Q

CSIRTs

A

Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs)
* organizations that provide public information via their websites and social media feeds
* often share threat information that can be especially useful for organizations that face similar threats

10
Q

8- Jason gathers threat intelligence that tells him that an adversary his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?

  • His organization’s attack surface
  • A possible attack vector
  • An example of adversary capability
  • A probability assessment
A

A possible attack vector

Attack vectors, or the means by which an attacker can gain access to their target, can include things like USB key drops. You may be tempted to answer this question with adversary capability, but remember the definition: the resources, intent, or ability of the likely threat actor. Capability here refers to the actor’s resources and ability to carry out an attack, not the particular technique they favor. The attack surface might include the organization’s parking lot in this example, but a favored technique is not an example of an attack surface, and there was no probability assessment included in this problem.

11
Q

9- What type of assessment is particularly useful for identifying insider threats?

  • Behavioral
  • Instinctual
  • Habitual
  • IOCs
A

Behavioral

Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed, such as after‐hours logins, misuse of credentials, and logins from abnormal locations or in abnormal patterns, along with other behavioral indicators, is often used.

12
Q

10- Felix wants to gather threat intelligence about an organized crime threat actor. Where is he most likely to find information published by the threat actor?

  • Social media
  • Blogs
  • Government bulletins
  • The dark web
A

The dark web

Threat actors like criminal organizations frequently operate via the dark web. Forums operate as clearinghouses for information, resources, and access via Tor‐hosted sites. While social media, blogs, or government bulletins may provide information about a criminal organization, the organization itself is more likely to publish information on the dark web.

13
Q

11- Which of the following is not a common indicator of compromise?

  • Administrative account logins
  • Unexpected modifications of configuration files
  • Login activity from atypical countries or locations
  • Large outbound data transfers from administrative systems
A

Administrative account logins

Administrative logins themselves are not IOCs, but unexpected behavior associated with them or other atypical behavior is an indicator of compromise. Unexpected modifications of configuration files, login activity from atypical countries or locations, and large file transfers from administrative systems are all common indicators of compromise.

14
Q

12- Nick wants to analyze attacker tactics and techniques. What type of tool can he deploy to most effectively capture actual attack data for analysis?

  • A firewall
  • A honeypot
  • A web application firewall
  • A SIEM
A

A honeypot

Nick should deploy a honeypot to capture attack tools and techniques for further analysis. Firewalls block traffic. A web application firewall is a firewall designed to protect web applications, and while it may capture useful information, it is not as well suited to this purpose. A SIEM, or security information and event management tool, may also capture relevant attack data, but it’s not specifically designed for the purpose like a honeypot is.

15
Q

13- Which of the following is not a common focus area for threat hunting activities?

  • Policies
  • Misconfigurations
  • Isolated networks
  • Business‐critical assets
A

Policies

Threat hunters are less likely to look at policies. Instead, configurations and misconfigurations, isolated networks, and business‐critical assets are all common focuses of threat hunters.

16
Q

14- What term describes an analysis of threat information that might include details such as whether it is confirmed by multiple independent sources or has been directly confirmed?

  • Threat quality level
  • STIX level
  • Confidence level
  • Assurance level
A

Confidence level

The confidence level of your threat information is how certain you are of the information. A high confidence threat assessment will typically be confirmed either by multiple independent and reliable sources or via direct verification.

17
Q

15- What drove the creation of ISACs in the United States?

  • Threat information sharing for infrastructure owners
  • The Cybersecurity Act of 1994
  • Threat information collection network providers
  • The 1998 ISAC Act
A

Threat information sharing for infrastructure owners

ISACs were introduced in 1998 as part of a presidential directive, and they focus on threat information sharing and analysis for critical infrastructure owners.

18
Q

16- How is threat intelligence sharing most frequently used for vulnerability management?

  • To identify zero‐day threats before they are released
  • As part of vulnerability feeds for scanning systems
  • As part of patch management processes to determine which patches are not installed
  • To perform quantitative risk assessment
A

As part of vulnerability feeds for scanning systems

Threat intelligence feeds often provide information about what vulnerabilities are being actively exploited as well as about new exploits. This can influence patching priorities and vulnerability management efforts. Zero‐day threats aren’t known until they are released. Vulnerability management efforts help to determine what patches aren’t installed, but threat intelligence doesn’t determine that. Threat intelligence isn’t directly leveraged for quantitative risk assessment as part of vulnerability management efforts in typical organizations.

19
Q

17- OpenIOC uses a base set of indicators of compromise originally created and provided by which security company?

  • Mandiant
  • McAfee
  • CrowdStrike
  • Cisco
A

Mandiant

The threat indicators built into OpenIOC are based on Mandiant’s indicator list. You can extend and include additional indicators of compromise beyond the 500 built‐in definitions.

20
Q

18- Advanced persistent threats are most commonly associated with which type of threat actor?

  • Insider threats
  • Nation‐state actors
  • Organized crime
  • Hacktivists
A

Nation‐state actors

Advanced persistent threats (APTs) are most commonly associated with nation‐state actors. The complexity of their operations and the advanced tools that they bring typically require significant resources to leverage fully.

21
Q

19- What are the two types of insider threats?

  • Attack and defense
  • Approved and prohibited
  • Real and imagined
  • Intentional and unintentional
A

Intentional and unintentional

Insider threats may be intentional or unintentional.

22
Q

Forensic data is most often used for what type of threat assessment data?

  • STIX
  • Behavioral
  • IOCs
  • TAXII
A

Behavioral

Forensic data is very helpful when defining indicators of compromise (IOCs). Behavioral threat assessments can also be partially defined by forensic data, but the key here is where the data is most frequently used.