Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

0-CWO > 9 - DCO > Flashcards

9 - DCO Flashcards

(130 cards)

Start Studying
1
Q

Insider Threat
– Definition

A
  • Current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and used that access to affect CIA of data or information systems
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Insider Threat
– Negative Impacts

A
  • Financial losses
  • Negative publicity
  • Loss of man-hours
  • Disruption of ops
  • Disruption of critical services
  • Mission downtime
  • Mission failure
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Insider Threat
– Methods
– Prevention/Detection Challenges

A
  • Methods
    – Logic bombs
    – Backdoors
    – Steal sensitive data
    – Attack internal resources
  • Prevention/Detection Challenges
    – Human behaviour/action is unpredictable
    – Not detected by traditional security measures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Insider Threat
– Warning Signs
– Behavioural Indicators

A
  • Warning Signs
    – Greed
    – Abnormal introversion
    – Financial hardship
    – Vulnerability to blackmail
    – Reduced loyalty to US
    – Destructive, narcissistic, or passive aggressive behaviour
  • Behavioural Indicators
    – Workers coming in at unusual times w/o authorization/need
    – Accessing network at odd times
    – Unnecessarily copying classified materials
    – Signs of vulnerability to blackmail (drug abuse, excessive gambling, other illegal activities)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Insider Threat
– Detection and prevention techniques

A
  • Encryption
  • Data Loss Prevention
    – Provides information about how sensitive data is used/transferred
  • Data Access Monitoring
    – ID who is accessing what
    – Correlate network activity to certain user
    – ID user trends/software usage
  • Log Analysis
  • Data Redaction
  • Data Access Control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Data Access Control Types

A
  • Discretionary (DAC) - Owner specifies who has read/write/execute rights
  • Mandatory (MAC) - Access control policy determined by central authority; owner cannot change access rights
  • Role-Based (RBAC) - Access rights determined by user’s roles within an organization
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

External Threats
– Definition
– Examples

A
  • Attack originating from outside the organization’s network

Examples

  • Ransomware
    – One of the fastest growing malware threats
  • E-mail/Spear-phishing
    – Focused attack on specific, usually high-interest person
    – Requires minimal cost/skill to execute
  • Unauthorized Media
    – CDs, DVDs, USB, etc.
  • Unauthorized Physical Access
  • Direct Remote Attacks
    – Attacks delivered via WiFi, Ethernet, RF, Bluetooth
  • Botnets
  • Web-Based Threats
    Drive-By Attack - attack delivered through seemingly legitimate website; attack of opportunity targeting vulnerabilities in browser/device
    Watering Hole Attack - Focused drive-by attack w/ specific target
    IFrame Redirect - Malicious content embedded in a webpage
    Fake Login Pages
    Browser Plug-in and Script-Based exploits
    SQL Injection
  • OS/Application based exploits
  • DNS Cache Poisoning
  • Pass-the-Hash
  • Remote Access Tools (RAT)
  • Zero-Day Exploits
  • N-Day Exploits
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

China (State Sponsored Threat)

A
  • Noisiest threat actor
  • Large attack volume
  • Lack sophistication/creativity, but effective
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

North Korea (State Sponsored Threat)

A
  • Cyber attacks are means to “level the playing ground” against more advanced forces
  • Common attacks
    – Spear-phishing
    – Watering hole
    – Intel gathering
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Russia (State Sponsored Threat)

A
  • Home to many advanced researchers
  • TTPs:
    – Weaponized email attachments
    – Varied attack patterns, exploits, exfil methods
    – Extremely effective detection evasion
    – HUMINT
  • Attributed malware
    – Zeus
    – Gozi
    – SpyEye
    – SpyZeus
    – Ligats Trojans
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Middle East (State Sponsored Threats)

A
  • Often creative, deceptive, or novel attack methods due to lack of sophistication/brute force capes
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Iran (State Sponsored Threats)

A
  • Cutting Sword of Justice used “Shamoon” virus to attack Saudi oil company Aramco
  • Operation Ababil - DDoS attacks against US financial institutions, including NY Stock Exchange
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Syria (State Sponsored Threats)

A
  • Syrian Electronic Army (SEA)
  • Loyal to Syrian President
  • Conducts DDoS, phishing, pro-Assad defacements, and spamming campaigns
  • Hacked AP, BBC, Financial Times, Guardian, NY Times, Twitter, etc.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Advanced Persistent Threat
– Definition

A
  • Anyone conducting cyber ops on behalf of a government body
  • Among the most dangerous cyber threats
  • Often large scale hacking campaigns
  • Receive funding/resources from gov
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

APT29
– Description
– Associated Malware
– Targets

A
  • Russia
  • Hides activity on victim’s network, communicating infrequently and resembling network traffic
  • Monitors network defender activity
  • Uses compromised servers for C2
  • Counters attack remediation attempts
  • Fast malware dev cycle to hinder detection
  • Associated Malware
    – Hammertoss
    – Uploader
    – tDiscoverer
  • Targets
    – Western European governments
    – Foreign policy groups
    – Orgs w/ valuable info for Russia
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

APT28
– Description
– Associated Malware
– Targets

A
  • Russia
  • Tsar Team (FireEye)
  • Skilled devs/operators collecting intel on defense/geopolitical issues
  • Gain insider info related to governments, military, and security orgs
  • Associated Malware
    – Chopstick
    – Sourface
  • Targets
    – Georgia and eastern European countries
    – NATO
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Ordinary Citizens

A
  • Most common threat
    – “Layer 8 Issue”
  • Weakest link
  • Home end-users, employees, etc.
  • Mostly passive
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Script Kiddies

A
  • Vandals/graffiti artists of the internet
  • Inferior knowledge of programming/security
  • Motivated by short-term ego-gratification
  • Uses existing, well-known exploits/pre-made scripts
  • Little thought/concern about consequences
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Hackers

A
  • Deeper knowledge/understanding of computer tech
  • Concerned w/ subtle details of OSs, algorithms, config files
  • Few in number, highly ambitious
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Patriot Hackers

A
  • Motive - aid or support own nation-state in ongoing conflict
  • Common among Chinese hackers
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Cyber Terrorists

A
  • Use computer/network technologies to carry out attacks and cause public fear
    Ex: Islamic State Hacking Division
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Malware Authors

A
  • Specialized black-hat
  • Dev original malware
  • Highly skilled in computer programming/detection evasion
  • Uses malware “creation kits” for custom malware
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Cyber Militia

A
  • Group of volunteers using cyber attacks to achieve political goal
  • Uses common comm channels (social media, forums, etc.)
  • No monetary rewards for service
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Cyber Hacktivists

A
  • Cyber militias that can, in some sense, be seen as cyberspace equivalent to Greenpeace activists or other groups carrying out acts of civil disobedience
  • Ex: Anonymous
  • Methods:
    – Web site defacement
    – Internet resource redirect
    – DoS
    – Info theft
    – Web site parodies
    – Virtual sit-ins
    – Cyber sabotage
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Criminal Syndicates
- Most active in Eastern Europe and West Africa - Common in areas w/ high unemployment and low salaries - Motivated by money/power
26
BGP Threat
- BGP can be manipulated to route traffic from one country to another
27
Supply Chain Threat
- Threats exist in both **production and distribution** - Affect information and communication technology devices which are **manufactured, assembled, and distributed from multiple individual components and numerous distributors** - Affect **hardware, software, and firmware** components
28
Advanced Computing Technologies
- High Performing Computing (HPC) -- Russia has 6 HPC systems - Quantum Computing
29
Cyber Intelligence Reports
- Provide **timely access** to **relevant, actionable** threat intelligence, including: -- IOCs -- TTPs -- Recommended actions/counter attacks
30
Cyber Threat Information
- Any **information** that can help an organization **identify, assess, monitor, and respond to cyber threats**
31
Cyber Threat Bulletin
- **Bi-weekly** report from **616th** Operations Center - Designed to **keep AF members up to date** - **Strengthens SA** of threats - Can be accessed through AF portal
32
Mandiant's Annual Cyber Threat Report
- **Annual** report using **insights, statistics, and case studies** to show how TTPs of APTs have **evolved** since 2014 - Contains **threat intel from millions of VMs** - Aimed at better **arming the public against cyber attackers** - Includes global and regional threat intel
33
Symantec's Security Response Publications
- Worldwide team develops a variety of **content on the latest threats** - Publications include: -- Annual Threat Report -- Monthly Threat Report -- White Papers on an array of security topics
34
Government Agency Reports
- DHS Publications - FBI Internet Crime Complaint Center (IC3) Report - **DHS and FBI Joint Analysis Report (JAR-16-20296A)** -- Provides **technical details** regarding tools and infrastructure used by Russia -- GRIZZLY STEPPE -- APT28 used spear phishing/stolen creds to compromise US political party
35
Adversary Activity -- Requirements/resources -- Results
- Hardware, software, data, manpower - Results: -- Resources used -- TTPs captured -- Intel gained
36
Categories of Activity
- Standard Operations - Activities performed consistently on a **day-to-day basis** to support **multiple ongoing ops** - Target Operations - Activities performed in support of an **operation guided by a tasking**
37
5 Adversarial Phases
- Phase 0: Administer - Intent and resource development - Phase 1: Prepare - Reconnaissance and staging - Phase 2: Engage - Delivery and exploitation (and C2) - Phase 3: Propagate - Internal recon, lateral movement, persistence - Phase 4: Effect - Exfil and attack
38
Phase 0: Administer
- Day to day/standard ops - Provides resources to drive targeted ops - National strategy + requirements = intent - Resource development - Tasking in preparation of ops
39
Phase 1: Prepare
- Research on target - Infrastructure/capabilities set up - Various types of recon/scanning/staging
40
Phase 2: Engage
- Adversary action to gain initial access - Delivery - Exploitation - C2 - Covering Tracks - Beacon - Covert Channels
41
Phase 3: Propagate
- Guarantee ongoing/robust access - Propagate and achieve maintained persistence - Internal recon - Hashdumping - Lateral movement - Network persistence - Covering tracks
42
Phase 4: Effect
- Manipulation, DoS, destruction of systems - Exfil data - Data manipulation
43
Primary DCO Missions (3)
1. **Defend networks, systems, and information** 2. **Prepare to defend the US and its interests** against cyberattacks of significant consequence 3. Provide **integrated cyber capabilities** to support **mil ops** and **contingency plans**
44
Defend networks, systems, and information (DCO Mission)
- Conduct **ongoing defensive ops** to **securely operate the DoDIN** - **Quick response** to indications of hostile activity - **Majority** of DoD's ops in cyberspace
45
Prepare to Defend the US and its interests (DCO Missions)
- If directed by **POTUS/SECDEF**, counter **imminent/ongoing** attacks - **Synchronize capabilities** w/ other gov agencies (Law enforcement, intel agencies)
46
Provide Integrated cyber capabilities ISO mil ops and contingencies (DCO Missions)
- Ensure internet **remains open, secure, and prosperous** and conduct ops under **doctrine of restraint** to **protect human lives and prevent destruction of property** - Conduct cyber ops to **deter or defeat strategic threats** in other domains
47
Five Strategic Goals for DCO
1. **Build and maintain ready forces and capabilities** 2. **Defend the DoDIN, secure DoD data, and mitigate risks** 3. **Prepare to defend US homeland and interests** from cyber attacks 4. Build and maintain **viable cyber options** and plan to use those options to **control conflict escalation and shape conflict** environment 5. Build and maintain **robust international alliances** to deter shared threats/increase international security
48
Build and maintain ready forces and capabilities (Strategic Goals for DCO)
- Build the cyber workforce - Build technical capabilities - Validate and refine adaptive C2 - Cyber modeling and simulation capabilities - Assess Cyber Mission Force capabilities
49
Defend the DoDIN, secure DoD data/mitigate risks (Strategic Goals for DCO)
- Build Joint Information Environment architecture - Assess and ensure JFHQ effectiveness - Mitigate known vulnerabilities - Assess DoD's cyber defense forces - Improve Computer Network Defense Service effectiveness - Plan network defense and resilience - Red team DoD network defenses - Mitigate risk of insider threat - Exercise Defense Support of Civil Authorities - Strengthen procurement and acquisition - Build collaboration and respond to data loss - Use counterintel to defend against intrusions - Support whole-of-government policies and capes
50
Be prepared to defend the US Homeland and interests (Strategic Goals for DCO)
- Develop intel and warning capabilities - Develop and exercise capes to defend the nation - Develop innovative approaches to defense - Develop automated info sharing tools - Assess cyber deterrence posture and strategy
51
Build and maintain robust international alliances and partnerships (Strategic Goals for DCO)
- Build partner capacity in key regions - Counter proliferation of malware - Work w/ international partners to plan/train for cyber ops - Strengthen cyber dialogue w/ China
52
Encryption Classes (2)
- Symmetric (Shared Key) - Asymmetric (Public Key)
53
Symmetric Encryption -- Types -- Examples
- Stream Ciphers -- Encrypts 1 bit/byte at a time -- Faster and smaller -- RC4 - Block Ciphers -- Breaks info down into blocks and encrypts each block -- Encrypts in fixed size blocks (commonly 64 bits) -- 3DES, AES
54
Hash Function -- Examples -- Applications
- MD5 - SHA - Password storage protection - Data integrity checks - Data file checksums
55
Cryptographic Goals
- PAIN - Privacy (Confidentiality) - Authenticity - Integrity - Non-repudiation -- Proof of delivery and assurance of sender's identity
56
Secure Enclave
- Computing environment under control of a single authority - Has personnel and physical security measures - may include sub or regional enclaves -- Sub enclave - extension of private intranet
57
General Business LAN (Enclave Type)
- Used w/in an organization performing a **single function with multiple managed elements** operating under the **same security policy** - Provide services to internal users (printing, email, etc.) - Provides limited/no publicly accessible resources/services
58
Network Operations Center (Enclave Type)
- Single site performing management of multiple network enclave elements - Manage and monitor different networks - Provide geographic redundancy
59
Data Center (Enclave Type)
- Enterprise level network that services multiple sites - Specialized, non-traditional LAN enclave - Provides distributed, high-performance application computing for globally distributed customers - Numerous users outside the Data Center's General Business LAN
60
INFOCON 5
- Routine network ops - Normal readiness - Create good baseline - No impact to users
61
INFOCON 4
- Increases DoDIN preparation for exercises - Review profiles for dormant accounts - Increased validation frequency (checking systems against baseline) - Confirm network state (unaltered or compromised) - Limited impact to users
62
INFOCON 3
- Further increase in validation frequency - Minor impact to end users
63
INFOCON 2
- Higher frequency of validation - Pre-planning personnel training - Pre-positioning system rebuilding utilities - Significant impact to users for short periods
64
INFOCON 1
- Highest readiness - Addresses higher level intrusion techniques (such as rootkits) - Significant impact to users for short periods
65
MAC III (Mission Assurance Category)
- Best practice security measures - Basic integrity and availability requirements - Systems handle info necessary for day-to-day business - No support for deployed/contingency forces
66
MAC II (Mission Assurance Category)
- Additional safeguards beyond best practices - High integrity and medium availability requirements - Systems handle info important to deployed and contingency ops
67
MAC I (Mission Assurance Category)
- Most stringent protection measures - High integrity and high availability requirements - Systems handle info vital to operational readiness, mission effectiveness, and support of deployed and contingency forces
68
External Connections (Enclaves)
- One of the most complex parts of network design, implementation, and management - Every site must have security policy to filter traffic from external connections - SIPRNet connections must comply with SIPRNet Connection Approval Office (SCAO) requirements - Must establish a MOU or MOA before connecting to another activity
69
DISA's Security Requirement Guides (SRGs)
- Provide **non-product specific requirements** to mitigate commonly encountered vulnerabilities
70
STIGs
- Provide **product specific** information for compliance w/ requirements defined in the SRG - Published by DISA to assist sites in securing enclaves - Provide orgs w/ an overview of the applicable policy and docs required for a secure operating environment
71
Command Cyber Operational Readiness Inspections (CCORIs)
- Evaluates an organization's compliance w/ DOD security orders and directives - Assesses -- Network vulnerabilities -- Physical and traditional security -- User education and awareness - Provides a more threat-focused, mission-based assessment - 3 levels of effort to review operational risk -- Mission -- Threat -- Vulnerabilities - Four mission analysis phases -- Site Selection -- Scoping/pre-inspection -- Inspection -- Post-inspection
72
Assessment and Authorization Process (A&A)
- Required by all enclaves connecting to DISN - Initiated in parallel w/ request fulfillment process for new/additional connections
73
Vulnerability Scanning Components
- Scanning Engine -- Software doing the scan - Vulnerability Database -- Database of vulnerabilities being scanned
74
Scanned Vulnerabilities
- Outdated Components -- Firmware/software patches not pushed to network devices - Misconfiguration Issues -- Incorrectly configured firewall -- Misconfigured user accounts
75
Vulnerability Scanning -- When to do it
- TOMS - Testing - Operations - Maintenance - System Development
76
Honeypot Types
- Research Honeypots -- Focused on gaining intelligence information about attackers and their TTPs - Production Honeypots -- Aimed at decreasing the risk to company IT resources and providing advance warning about incoming attacks
77
Honeypot Components
- Network device hardware - Monitoring/logging tools - Management workstation - Alerting mechanism - Keystroke logger - Packet analyzer - Forensic tools
78
Cyber Incident Handling Process and Life Cycle
- Detection of Events - Preliminary Analysis and Identification - Preliminary Response Action - Incident Analysis - Response and Recover - Post-Incident Response
79
Detection of Events (Incident Response Methodology)
- Info gathered about potential incident/vulnerability and sent for analysis and response - The point where an anomalous or unusual cyber event is first noticed
80
Preliminary Analysis and Identification (Incident Response Methodology)
- Performing initial analysis of a detected cyber event to determine if it is reportable - Ensures incidents are properly ID'd and reported
81
Preliminary Response Action (Incident Response Methodology)
1. Prevent a reportable event/incident from causing further damage 2. Maintain control of the affected IS(s) 3. Ensure forensically sound acquisition of data 4. Maintain and update incident report and actively communicate updates
82
Incident Analysis (Incident Response Methodology)
- Understand technical details, root cause(s), and potential impact of incident - Understand patterns of activity to characterize the threat - ID the root cause(s) through technical analysis
83
Response and Recovery (Incident Response Methodology
1. Mitigate the risk or threat 2. Restore integrity of the IS 3. Implement proactive and reactive defensive measures to prevent similar incidents
84
Post-Incident Response (Incident Response Methodology)
- Lessons learned - Initial root cause - Problems w/ executing mission - Missing policies and procedures - Inadequate infrastructure defenses - After Action Report
85
"Cyber Bible"
CJCSM 6510.01B
86
Incident Categories
0 - Training and Exercises 1 - Root Level Intrusion (Incident) 2 - User Level Intrusion (Incident) 4 - DoS (Incident) 7 - Malicious Logic (Incident) 3 - Unsuccessful Activity Attempt (Event) 5 - Non-compliance Activity (Event) 6 - Reconnaissance (Event) 8 - Investigating (Event) 9 - Explained Anomaly (Event)
87
CAT 0 Incident
- Training and Exercises - Ops performed for training purposes and to support exercises
88
CAT 1 Incident
- Root Level Intrusion (Incident) - Unauthorized root or admin access
89
CAT 2 Incident
- User Level Intrusion (Incident) - Unauthorized user-level access
90
CAT 3 Incident
- Unsuccessful Activity Attempt (Event) - **Deliberate attempts** to gain unauthorized access that are defeated by **normal defensive mechanisms**
91
CAT 4 Incident
- Denial of Service (Incident) - Activity that **denies, degrades, or disrupts** normal functionality
92
CAT 5 Incident
- Non-compliance Activity (Event) - Actions (or inaction) that potentially exposes ISs to increased risk - Also includes admin activity, such as failure to apply patches, installation of vulnerable apps, etc.
93
CAT 6 Incident
- Reconnaissance (Event) - Activity that seeks to gather information used to characterize ISs, apps, etc.
94
CAT 7 Incident
- Malicious Logic (Incident) - Installation of software designed and/or deployed by adversaries w/ malicious intentions - **Only** includes malicious code that **does not** provide **remote interactive control**
95
CAT 8 Incident
- Investigating (Event) - Events that are potentially malicious or anomalous activity deemed suspicious and warrant, or are undergoing, further review
96
CAT 9 Incident
- Explained Anomaly (Event)
97
Digital Forensics
- The discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in the court of law
98
Forensics Process (Four Phases)
- Collection -- ID, label, record, and acquire data - Examination -- Forensically processing large amounts of collected data - Analysis -- Analyze the results of the examination to derive info that addresses the questions driving the analysis - Reporting -- Present the evidence and the results of teh analysis in a court of law
99
Publication covering forensic guidelines and procedures
- NIST 800-86 - Provides orgs a starting point for developing a forensic capability, in conjunction with extensive guidance from legal advisors, law enforcement officials, and management
100
System Analysis (Forensics)
- Gathering and reviewing of all info from or about the affected IS - May include: -- Logs -- Files -- Config settings -- Currently logged on users -- Past logins/connections -- Running processes -- Open files
101
Volatile Data
- Data that will be lost when IS loses power or is shut down (RAM, cache, system registers) - System Data: -- IS profile -- Current date/time -- Command history -- Current uptime -- Running processes -- Open files, startup files, clipboard data -- Logged on users -- DLLs or shared libraries - Network Data -- Open connections -- Open ports and sockets -- Routing info and config -- Network interface status and config -- ARP cache
102
Non-volatile Data
- Data on hard drives and removable storage which will not be lost when powered off - Includes: -- IS Log files -- Event viewer files -- Application logs -- Disk image
103
EnCase
- Windows - Suite of computer forensics software, commonly used by law enforcement - de-facto standard in forensics - Collects data in a forensically sound manner -- Employs checksums to help detect tampering
104
Forensic Toolkit (FTK)
- Windows - Easy-to-use file viewer that recognizes ~300 types of files -- May find evidence on most devices - Works with media images created by several imaging utilities
105
The Sleuth Kit (TSK)
- Unix - Popular, free, open source forensic software - Collection of command-line tools providing media management and forensics - Supports Mac partitions and file systems
106
SMART
- Unix - Used by law enforcement, government, military, intel agencies, forensic examiners, and private investigators
107
Malware Analysis
- Analyzing and capturing the capabilities of software artifacts suspected of being malicious code - Must: -- Handle with care -- Catalog all artifacts -- Analyze in an isolated environment
108
Surface Malware Analysis
- Quick checks to characterize the sample - Includes: -- File type ID -- String extraction -- Public source analysis -- Comparative analysis - May gain: -- Strings in binary files -- Hashes -- Antivirus detection status -- File sizes -- File type -- File attribute info
109
Run-Time Malware Analysis
- Controlled execution of malware in an isolated environment - May gain: -- Network touch points (IPs, protocols, ports, etc.) -- File system and registry activity -- Vulnerabilities or weaknesses -- System service daemon interactions -- Success of remediation techniques -- Suggestions of intent
110
Static Malware Analysis
- Focuses on examining and interpreting the contents of a malware sample without execution or disassembly - Includes: -- Text files -- Web page scripts -- Source -- Binary (requires reverse engineering)
111
Capability Requirements Process
- Operates in iterative manner where initial reqs drive early acquisition process
112
Capabilities Based Assessment (CBA)
- First formal study in requirements process - Includes: -- Defining capability required -- Gap analysis
113
Initial Capabilities Document (ICD)
- Next step, if CBA recommends a material solution - Documents the need for a new material approach to satisfy specific capability gaps
114
Analysis of Alternatives (AoA)
- Analytical comparison of the operational effectiveness, suitability, risk, and life cycle cost of alternatives - Helps decision-makers understand the tradespace for new material solutions
115
Capability Development Document (CDD)
- Describes the increment and provides an outline of the overall acquisition program strategy
116
Capability Production Document (CPD)
- Outlines an affordable increment of militarily useful, logistcally supportable, and technically mature capability that is ready for production
117
Modifications (Capability Development)
- An alteration to a configuration item (CI) that, as a minimum, changes its form, fit, function, or interface
118
Real-Time Operations and Innovation (RTO&I)
- Dynamic, agile, risk-management-based problem solving approach - Balances critical operational needs against org resource requirements/priorities - Driven by rapidity with which cyber operational needs and vulnerabilities emerge - Provides flexible framework for innovative solutions to urgent needs
119
RTO&I Types
- Type 1 - Immediate Needs -- Urgent mission-critical OCO, DCO, or DODIN/AFIN needs - Type 2 - Known Short-Term Future Needs -- Generate capabilities to meet critical future threats or known vulnerabilities in anticipation of future OCO, DCO, or other DODIN ops
120
Urgent Operational Needs (UONs)
- ID **service specific** needs during a current conflict or crisis - If needs not met, will result in unacceptable loss - Goal is to deliver fielded capability w/in 180 days
121
Joint Urgent Ops/Joint Emergent Op Needs (JUON/JEONs)
- Urgent need ID'd by **warfighting commander** that requires synchronization across **multiple service/agency providers**
122
Capabilities Based Test and Evaluation (T&E)
- Ensure DoD acquires systems that work and meet specified requirements - Provides knowledge of system design, capabilities, and limitations to the acquisition community - Evaluates the capability of the system to effectively accomplish its intended mission in a realistic mission environment while meeting technical specifications - Requires full understanding of joint operational concepts
123
Developmental Testing (Capability Development)
1. ID and help resolve deficiencies and vulnerabilities early 2. Verify compliance w/ specifications, standards, and contracts 3. Characterize system performance and military utility 4. Assess quality and reliability 5. Determine system performance against evolving reqs/threats
124
Operational Testing
- Determines operational effectiveness and suitability - Determines if operational capability reqs have been satisfied - Assesses system impacts to both peacetime and combat ops - IDs and helps resolve deficiencies early; IDs enhancements; and evaluates config changes that alter performance
125
Cyber Testing
- Evaluates and characterizes systems and sub systems in the cyber domain, and access pathways of said systems - Focuses on ID'ing vulnerabilities - Should consider threat and threat severity, likelihood of discovery, likelihood of attack, and system impact
126
Reverse Engineering
- Disassembling of malware and interpretation of assembly language - Only method of analysis that can produce a definitive or complete understanding of a malware sample - May gain: -- Manual unpacking of packing executable files -- Understanding of obfuscation/encryption techniques -- Malware capes -- Characterization of sophistication -- Comparison of capes across malware samples -- Algorithms used
127
Disassembler
- Takes a program's executable binary as input and generates textual files that contain the assembly language code for part/whole of a program
128
Debugger
- Allow software developers to observe their program while it's running - Basic features -- Ability to set breakpoints -- Ability to trace through code
129
Compilers
- Program that converts instructions into a machine-code or lower-level form so that it can be executed by a computer - Turns the ASCII source code into a binary
130
Decompiler
- Tries to reverse compilation and turn a binary file back into readable high-level source code

0-CWO (10 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions