Threat Intelligence Flashcards

1
Q

Which of the following measures is not commonly used to assess threat intelligence?

A. Timeliness

B. Detail

C. Accuracy

D. Relevance

A

Answer:

B. While higher levels of detail can be useful, it isn’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

2
Q

What language is STIX based on?

A. PHP

B. HTML

C. XML

D. Python

A

Answer:

C. STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools.

3
Q

Which of the following activities follows threat data analysis in the threat intelligence cycle?

A. Gathering feedback

B. Threat data collection

C. Threat data review

D. Threat intelligence dissemination

A

Answer:

D. Threat intelligence dissemination or sharing typically follows threat data analysis. The goal is to get the threat data into the hands of the organizations and individuals who need it.

4
Q

Susan wants to start performing intelligence gathering. Which of the following options is frequently conducted in the requirements gathering stage?

A. Review of security breaches or compromises your organization has faced

B. Review of current vulnerability scans

C. Review of current data handling standards

D. A review of threat intelligence feeds for new threats

A

Answer:

A. Understanding what your organization needs is important for the requirements gathering phase of the intelligence cycle. Reviewing recent breaches and compromises can help to define what threats you are currently facing. Current vulnerability scans can identify where you may be vulnerable but are less useful for threat identification. Data handling standards do not provide threat information, and intelligence feed reviews list new threats, but those are useful only if you know what type of threats you’re likely to face so that you can determine which ones you should target.

5
Q

What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?

A. DHS

B. SANS

C. CERTS

D. ISACs

A

Answer:

D. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, as well as provide tools and assistance to their members.

6
Q

Which of the following threat actors typically has the greatest access to resources?

A. Nation-state actors

B. Organized crime

C. Hacktivists

D. Insider threats

A

Answer:

A. Nation-state actors are government sponsored and typically have the greatest access to resources, including tools, money, and talent.

7
Q

Organizations like Anonymous, which target governments and businesses for political reasons, are examples of what type of threat actor?

A. Hacktivists

B. Military assets

C. Nation-state actors

D. Organized crime

A

Answer:

A. Hacktivists execute attacks for political reasons, including those against governments and businesses. The key element in this question is the political reasons behind the attack.

8
Q

Jason gathers threat intelligence that tells him that an adversary his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?

A. His organization’s attack surface

B. A possible attack vector

C. An example of adversary capability

D. A probability assessment

A

Answer:

B. Attack vectors, or the means by which an attacker can gain access to their target, can include things like USB key drops. You may be tempted to answer this question with adversary capability, but remember the definition: the resources, intent, or ability of the likely threat actor. Capability here doesn’t mean what they can do, but their ability to do so. The attack surface might include the organization’s parking lot in this example, but this is not an example of an attack surface, and there was no probability assessment included in this problem.

9
Q

What type of assessment is particularly useful for identifying insider threats?

A. Behavioral

B. Instinctual

C. Habitual

D. IOCs

A

Answer:

A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed, such as after-hours logins, misuse of credentials, logins from abnormal locations or in abnormal patterns, and other behavioral indicators are often used.

10
Q

Cyn wants to send threat information via a standardized protocol specifically designed to exchange cyberthreat information. What should she choose?

A. STIX 1.0

B. OpenIOC

C. STIX 2.0

D. TAXII

A

Answer:

D. TAXII, the Trusted Automated Exchange of Indicator Information protocol, is specifically designed to communicate cyber threat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.

11
Q

What phase of the Cyber Kill Chain includes creation of persistent backdoor access for attackers?

A. Delivery

B. Exploitation

C. Installation

D. C2

A

Answer:

C. The installation phase of the Cyber Kill Chain focuses on providing persistent backdoor access for attackers. Delivery occurs when the tool is put into action either directly or indirectly, whereas exploitation occurs when a vulnerability is exploited. Command and control (C2) uses two-way communications to provide continued remote control.

12
Q

What common criticism is leveled at the Cyber Kill Chain?

A. Not all threats are aimed at a kill.

B. It is too detailed.

C. It includes actions outside the defended network.

D. It focuses too much on insider threats.

A

Answer:

C. The Kill Chain includes actions outside the defended network, which many defenders cannot act on, and this is one of the common criticisms of the model. Other criticisms include the focus on a traditional perimeter and on antimalware-based techniques, as well as a lack of focus on insider threats.

13
Q

Which of the following is not a common technique used to defend against command and control (C2) capabilities deployed by attackers?

A. Network hardening

B. Patching against zero-day attacks

C. Deploying detection capabilities

D. Tracking new C2 methods and technology

A

Answer:

B. Patching against zero-day attacks won’t stop a command and control capability, although it might stop the initial exploit that results in the installation of C2 tools. Network hardening, deploying additional capabilities to detect C2 traffic, and staying ahead of the latest in C2 methods and technology so that detections and hardening match them are all common techniques.

14
Q

What term describes an analysis of threat information that might include details such as whether it is confirmed by multiple independent sources or has been directly confirmed?

A. Threat quality level

B. STIX level

C. Confidence level

D. Assurance level

A

Answer:

C. The confidence level of your threat information is how certain you are of the information. A high-confidence threat assessment will typically be confirmed either by multiple independent and reliable sources or via direct verification.

15
Q

What drove the creation of ISACs in the United States?

A. Threat information sharing for infrastructure owners

B. The Cybersecurity Act of 1994

C. Threat information collection network providers

D. The 1998 ISAC Act

A

Answer:

A. ISACs were introduced in 1998 as part of a presidential directive, and they focus on threat information sharing and analysis for critical infrastructure owners.

16
Q

STRIDE, PASTA, and LINDDUN are all examples of what?

A. Zero-day rating systems

B. Vulnerability assessment tools

C. Adversary analysis tools

D. Threat classification tools

A

Answer:

D. STRIDE, PASTA, and LINDDUN are all examples of threat classification tools. LINDDUN focuses on threats to privacy, STRIDE is a Microsoft tool, and PASTA is an attacker-centric threat modeling tool.

17
Q

OpenIOC uses a base set of indicators of compromise originally created and provided by which security company?

A. Mandiant

B. McAfee

C. CrowdStrike

D. Cisco

A

Answer:

A. The threat indicators built into OpenIOC are based on Mandiant’s indicator list. You can extend and include additional indicators of compromise beyond the 500 built-in definitions.

18
Q

Advanced persistent threats are most commonly associated with which type of threat actor?

A. Insider threats

B. Nation-state actors

C. Organized crime

D. Hacktivists

A

Answer:

B. Advanced persistent threats (APTs) are most commonly associated with nation-state actors. The complexity of their operations and the advanced tools that they bring typically require significant resources to leverage fully.

19
Q

Gabby wants to select a threat framework for her organization, and identifying threat actor tactics in a standardized way is an important part of her selection process. Which threat model would be her best choice?

A. The Diamond Model

B. ATT&CK

C. The Cyber Kill Chain

D. The Universal Threat Model

A

Answer:

B. The ATT&CK framework specifically defines threat actor tactics in standardized ways. The Diamond Model is useful for guiding thought processes about threats, and the Cyber Kill Chain is most useful for assessing threats based on a set of defined stages. The Universal Threat Model was made up for this question!

20
Q

Forensic data is most often used for what type of threat assessment data?

A. STIX

B. Behavioral

C. IOCs

D. TAXII

A

Answer:

C. Forensic data is very helpful when defining indicators of compromise (IOCs). Behavioral threat assessments can also be partially defined by forensic data, but the key here is where the data is most frequently used.