Week 4 Flashcards
Name this: Data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors
Threat intelligence
Threat intelligence is critical for understanding and mitigating potential security threats.
What does IDD stand for and what is its focus?
IDD = Intelligence Driven Defense. Emphasizes taking action based on threat intelligence
IDD aims to enhance security posture by proactively addressing potential threats.
Is Intelligence Driven Defense a reactive or proactive measure?
Proactive
This approach is designed to anticipate and mitigate threats before they occur.
What additional aspects does Intelligence Driven Defense encompass?
Applying information about emerging threats, vulnerabilities, and security awareness
It goes beyond just collecting and sharing intelligence.
What is a Kill Chain?
Military concept - defines the structure of an attack
Kill chains are used to understand the phases of an attack and develop defensive strategies.
What is the Cyber Kill Chain?
An adapted framework from the military kill chain. It outlines the phases an attacker follows during a cyber intrusion
This framework is crucial for cybersecurity defense strategies.
Cyber Kill Chain (1): The attackers gather info about the target, explore vulnerabilities, and harvest credentials. The more information they have, the more sophisticated an attack can be.
Reconnaissance
This phase involves gathering information about the target, exploring vulnerabilities, and harvesting credentials.
T/F - Reconnaissance involves passive and active modes, as well as physical reconnaissance and dumpster diving
True
This phase is crucial for attackers to understand their targets.
Cyber Kill Chain (2): The attacker creates an attack vector: a possibly customized malicious payload, packaged for easy delivery, which may also set up backdoors.
Weaponization
This phase involves creating a customized malicious payload packaged for easy delivery.
Cyber Kill Chain (3): The attacker launches the attack. The payload is delivered through various means (e.g. phishing). This marks the point where the attacker's weaponized code is introduced into the target environment.
Delivery
This marks the introduction of weaponized code into the target environment.
Cyber Kill Chain (4): Malicious code is executed within the victim's system. This allows the attacker to escalate privileges within the compromised system/network, and may involve gaining admin/root access.
Exploitation
This phase is critical for gaining control over the target system.
Cyber Kill Chain (5): Immediately following the previous phase, an attack vector is installed on the victim's system. The attacker may modify critical files to ensure it remains hidden. This is the turning point in the attack lifecycle, as the attacker can now assume control.
Installation
This is a turning point in the attack lifecycle.
Cyber Kill Chain (6): The attacker remotely controls a device or identity within the target system/network. The attacker creates backdoors and expands their access, gaining more points of entry and a persistent presence in the targeted system.
Command and Control
This phase allows for persistent access to the target.
Cyber Kill Chain (7): "Objective Achieved": the attacker may now perform data exfiltration, data destruction, espionage, financial gain, disruption of operations, or encryption for ransom
Actions on Objectives
This is the final phase where attackers achieve their goals.
What is a critique of the Cyber Kill Chain regarding Perimeter Security?
It focuses mostly on perimeter security and malware protection
This critique highlights the limitations of addressing internal threats.
Name the Cyber Kill Chain steps from 1-7 (mnemonic: RWDEICA)
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives
What is a critique of the Cyber Kill Chain regarding Insider Threats?
The Cyber Kill Chain doesn’t account for insiders whatsoever
Insider threats can bypass many defenses considered in the kill chain.
What is a critique of the Cyber Kill Chain related to the Remote Work Trend?
It doesn’t account for remote work
The shift to remote work complicates traditional security models.
What is a critique of the Cyber Kill Chain regarding IoT technology?
There's no consideration for the number of IoT devices that exist now
IoT devices present unique vulnerabilities that the kill chain does not address.
What is MITRE ATT&CK?
A knowledge base that tracks cyber adversary tactics, techniques, and behaviors used by threat actors across the entire attack lifecycle
It is a valuable resource for understanding and defending against cyber threats.
What does ATT&CK stand for?
Adversarial Tactics, Techniques, and Common Knowledge
This framework is used to categorize and analyze adversary actions.
True or False: The MITRE ATT&CK Framework is based on real world observations.
True
This foundation enhances its relevance and applicability in real-world scenarios.
How does the MITRE ATT&CK framework help a security operations team?
It helps deduce adversary motivations and behaviors, and how they relate to defense
This insight aids in developing effective defensive strategies.
True or False: The MITRE ATT&CK framework is a private service.
False. It’s a public service used to better understand the different ways bad actors might operate
This accessibility makes it a widely used tool in cybersecurity.
What are Tactics in the MITRE ATT&CK framework?
The adversary's goals: the "why" behind an action
Tactics define the high-level objectives of adversaries.
What are Techniques in the MITRE ATT&CK framework?
How adversaries achieve tactical goals
Techniques provide insight into the methods used by attackers.
What are Procedures in the MITRE ATT&CK framework?
Specific implementations to execute a technique or sub-technique
Procedures offer detailed examples of how techniques are applied.
What three areas does the MITRE ATT&CK Framework cover?
Enterprise, Mobile, and Industrial Control Systems
This broad coverage helps address diverse cybersecurity challenges.
What is the Pyramid of Pain?
A conceptual model for the effective use of Cyber Threat Intelligence
It emphasizes increasing the cost of adversaries’ operations.
What is the focus of the Pyramid of Pain?
Increasing the cost of adversaries' operations: hit them where it hurts
This strategy aims to deter attackers by making their efforts more costly.