Threat Intelligence Flashcards
Which of the following measures is not commonly used to assess threat intelligence?
A. Timeliness
B. Detail
C. Accuracy
D. Relevance
Answer:
B. While higher levels of detail can be useful, it isn’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.
What language is STIX based on?
A. PHP
B. HTML
C. XML
D. Python
Answer:
C. STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools.
Which of the following activities follows threat data analysis in the threat intelligence cycle?
A. Gathering feedback
B. Threat data collection
C. Threat data review
D. Threat intelligence dissemination
Answer:
D. Threat intelligence dissemination or sharing typically follows threat data analysis. The goal is to get the threat data into the hands of the organizations and individuals who need it.
Susan wants to start performing intelligence gathering. Which of the following options is frequently conducted in the requirements gathering stage?
A. Review of security breaches or compromises your organization has faced
B. Review of current vulnerability scans
C. Review of current data handling standards
D. A review of threat intelligence feeds for new threats
Answer:
A. Understanding what your organization needs is important for the requirements gathering phase of the intelligence cycle. Reviewing recent breaches and compromises can help to define what threats you are currently facing. Current vulnerability scans can identify where you may be vulnerable but are less useful for threat identification. Data handling standards do not provide threat information, and intelligence feed reviews list new threats, but those are useful only if you know what type of threats you’re likely to face so that you can determine which ones you should target.
What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?
A. DHS
B. SANS
C. CERTS
D. ISACs
Answer:
D. The U.S. government created the information sharing and analysis centers (ISACs). ISACs help infrastructure owners and operators share threat information, as well as provide tools and assistance to their members.
Which of the following threat actors typically has the greatest access to resources?
A. Nation-state actors
B. Organized crime
C. Hacktivists
D. Insider threats
Answer:
A. Nation-state actors are government sponsored and typically have the greatest access to resources, including tools, money, and talent.
Organizations like Anonymous, which target governments and businesses for political reasons, are examples of what type of threat actor?
A. Hacktivists
B. Military assets
C. Nation-state actors
D. Organized crime
Answer:
A. Hacktivists execute attacks for political reasons, including those against governments and businesses. The key element in this question is the political reasons behind the attack.
Jason gathers threat intelligence that tells him that an adversary his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?
A. His organization’s attack surface
B. A possible attack vector
C. An example of adversary capability
D. A probability assessment
Answer:
B. Attack vectors, or the means by which an attacker can gain access to their target, can include things like USB key drops. You may be tempted to answer this question with adversary capability, but remember the definition: the resources, intent, or ability of the likely threat actor. Capability here refers not to the specific technique used but to the actor's ability to carry it out. The attack surface might include the organization's parking lot in this example, but this is not an example of an attack surface, and there was no probability assessment included in this problem.
What type of assessment is particularly useful for identifying insider threats?
A. Behavioral
B. Instinctual
C. Habitual
D. IOCs
Answer:
A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed (such as after-hours logins, misuse of credentials, and logins from abnormal locations or in abnormal patterns) and other behavioral indicators are often used.
Cyn wants to send threat information via a standardized protocol specifically designed to exchange cyberthreat information. What should she choose?
A. STIX 1.0
B. OpenIOC
C. STIX 2.0
D. TAXII
Answer:
D. TAXII, the Trusted Automated Exchange of Indicator Information protocol, is specifically designed to communicate cyber threat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.
What phase of the Cyber Kill Chain includes creation of persistent backdoor access for attackers?
A. Delivery
B. Exploitation
C. Installation
D. C2
Answer:
C. The installation phase of the Cyber Kill Chain focuses on providing persistent backdoor access for attackers. Delivery occurs when the tool is put into action either directly or indirectly, whereas exploitation occurs when a vulnerability is exploited. Command and control (C2) uses two-way communications to provide continued remote control.
What common criticism is leveled at the Cyber Kill Chain?
A. Not all threats are aimed at a kill.
B. It is too detailed.
C. It includes actions outside the defended network.
D. It focuses too much on insider threats.
Answer:
C. The Kill Chain includes actions outside the defended network, on which many defenders cannot take action; this is one of the common criticisms of the model. Other criticisms include its focus on a traditional perimeter and on antimalware-based techniques, as well as its lack of focus on insider threats.
Which of the following is not a common technique used to defend against command and control (C2) capabilities deployed by attackers?
A. Network hardening
B. Patching against zero-day attacks
C. Deploying detection capabilities
D. Tracking new C2 methods and technology
Answer:
B. Patching against zero-day attacks won’t stop a command and control capability, although it might stop the initial exploit that results in the installation of C2 tools. Network hardening, deploying additional capabilities to detect C2 traffic, and staying ahead of the latest in C2 methods and technology so that detections and hardening match them are all common techniques.
What term describes an analysis of threat information that might include details such as whether it is confirmed by multiple independent sources or has been directly confirmed?
A. Threat quality level
B. STIX level
C. Confidence level
D. Assurance level
Answer:
C. The confidence level of your threat information is how certain you are of the information. A high-confidence threat assessment will typically be confirmed either by multiple independent and reliable sources or via direct verification.
What drove the creation of ISACs in the United States?
A. Threat information sharing for infrastructure owners
B. The Cybersecurity Act of 1994
C. Threat information collection network providers
D. The 1998 ISAC Act
Answer:
A. ISACs were introduced in 1998 as part of a presidential directive, and they focus on threat information sharing and analysis for critical infrastructure owners.