Cell division

Question 1

Current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused the access to negatively affect the CIA of the organization’s data or information systems.

Answer 1

Insider threat

Question 2

4 insider threat methods

Answer 2

Steal sensitive data via storage devices
Open backdoors
Logic bombs
Attack internal resources

Question 3

Insider threat detection and prevention techniques

Answer 3

Data/File encryption
DLP
Data access monitoring
Data redaction
Data access control

Question 4

Discretional access control

Answer 4

Only users specified by the owner may have some combination of read, write, and execute rights to file

Question 5

Mandatory access control

Answer 5

Access control policy decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights

Question 6

Direct remote attacks

Answer 6

Attack delivered via wifi, ethernet, rf or bluetooth

Question 7

Drive by attack

Answer 7

Malware automatically downloads to user’s system after visiting legitimate, but compromised website

Question 8

Attacks on south korea

DarkSeoul Gang

Answer 8

North Korea state sponsored threats

Question 9

TTPs include weaponized email attachments

Human intelligence usage

Answer 9

Russian state sponsored threats

Question 10

Russian attributed malware

Answer 10

Zeus
Gozi
SpyEye
SpyZeus
Ligats Trojans

Question 11

Vietnamese govt suspected

Poses threat to companies doing business, manufacturing or preparing to invest in the country

Answer 11

APT32

Question 12

APTs associated with China

Answer 12

30, 18, 17, 12, 3, 1

Question 13

APTs associated with Russia

Answer 13

29, 28

Question 14

Attributes of an APT

Loads malicious software directly into a computer’s memory in a way that bypasses HD
Uses blackcoffee malware as part of the first stage of its attacks

Answer 14

APT 17 - China

Question 15

Attributes of an APT -

Major data breach at community health systems
Exploited “Heartbleed” bug in VPN server within CHS network
Gh0st remote access trojan (RAT)

Answer 15

APT 18 - China

Question 16

Attributes of an APT -

Components designed to infect removable drives in order to cross air-gapped networks and steal data
Steal sensitive political, economic and military info about region for gov espionage

Associated malware:
Backspace
Neteagle
Shipshape
Spaceship
Flashfood

Answer 16

APT 30 - China

Question 17

Attributes of an APT -

Only compromised servers for C2 communication

Associated malware:
Hammertoss
Uploader
tDiscover

Answer 17

APT 29 - Russia

Question 18

Associated malware - Chopstick, Sourface
Targets former Soviet state and NATO
Gain insider info related to govts, militaries and security organizations

Answer 18

APT 28 - Russia

Question 19

Maintain surveillance on media outlets that could impact reputation of Chinese leaders
Targets: Western journalists, US military contractors, Taiwanese and Japanese govts, Japanese tech companies
Associated malware- Riptide, hightide, threebyte and waterspout
Most clandestine, discriminating, skilled Chinese group
Adapts tools/techniques based on news reports about itself

Answer 19

APT 12 - China

Question 20

Associated malware - Leouncia

Tends to focus on sat telecoms and tech companies based primarily in SE Asia

Answer 20

APT 5 - Undisclosed

Question 21

Main actor behind a major attack campaign: Op Clandestine Fox
Associated malware: Shotput, cookiecutter, and Plugx/sogu

Answer 21

APT 3 - China

Question 22

Systematically stole hundreds of TB of data from at least 141 organizations spanning 20 major industries
Specifically targets industries that China identifies as strategic in its 5 year plan
Associated malware:
Backdoor.(random names)
Steals broad categories of intellectual property

Answer 22

APT 1 - China

Question 23

Agents that make use of cyberspace resources for intel collection

Answer 23

Cyberspace espionage agent

Question 24

1 of the critical infrastructure protocols in internet traffic flow

Can be manipulated to route traffic from 1 country to another

Answer 24

Border gateway protocol threat

Question 25

Exploits affect info and communication technology devices, which are manufactured, assembled, and distributed from a multitude of individual component and through numerous distributors Operations affect hardware, software, and firmware components

Answer 25

Supply chain threat

Question 26

High performing computing (Russia has 6 HPC systems capable of trillion computations per second) Quantum computing: Are aggressively pursuing implementations for secure quantum communication protocols

Answer 26

Advanced computing technologies

Question 27

Generated bi-weekly by the 624th Ops Center Designed to keep AF members up to date on current threats Strengthens SA of threats that could affect AF personnel/systems

Answer 27

Cyber threat bulletin

Question 28

Annual report which uses insights, statistics, and case studies to show how tools and tactics of APT actors evolved since 2014

Answer 28

Mandiant's annual cyber threat report

Question 29

Worldwide team of security engineers, threat analysts, and researchers who develop a variety of content on the latest threats that impact organizations and end users (Annual threat report, monthly threat report, white papers)

Answer 29

Symantec security response publications

Question 30

Report that resulted in analytic efforts between DHS and FBI USG confirmed 2 RIS actors (APT 29 and APT 28) participated in intrusion against US political party Referred to GRIZZLY STEPPE

Answer 30

JAR-16-20296A | Joint Analysis Report

Question 31

Adversaries transition through 5 phases starting with 0 - 4

Answer 31

Administer - Intent and resource development Prepare - Recon and staging Engage - Delivery and Exploitation Propagate - Internal recon, lateral movement, and network persistence Effect - Exfil and attack

Question 32

Phase 0

Answer 32

Administer resource development and tasking

Question 33

Phase 1

Answer 33

Prepare recon and staging

Question 34

Phase 2

Answer 34

Engage delivery and Exploitation

Question 35

Phase 3

Answer 35

Propagate internal recon, lateral movement, and network persistence

Question 36

Phase 4

Answer 36

Effect exfil and attack

Question 37

3 primary missions in DCO

Answer 37

Defend networks, systems and information Prepare to defend the US and its interests against cyberattacks of significant consequence Provide integrated cyber capabilities to support military operations and contingency plans

Question 38

Encryption programs use ___ to encrypt and decrypt data

Answer 38

algorithms

Question 39

Types of symmetric algorithms

Answer 39

Stream ciphers (RC4) Block ciphers (3DES & AES)

Question 40

Mathematical function that converts a numerical input value into another compressed numerical value

Answer 40

Hashing

Question 41

4 goals of cryptography

Answer 41

Privacy - What is private remains private Authenticity - Proof that msg is from person we believe it to be from Integrity - Info should remain unaltered at the point it was produced Non-repudiation - Sender of data is provided w/ proof of delivery and recipient is assured of the sender's identity

Question 42

Enclave protection mechanisms: | INFOCON 5

Answer 42

Routine network ops (DoDIN Ops) Higher INFOCON less severe

Question 43

INFOCON 1

Answer 43

Highest readiness condition | Significant impact to end-users for short periods

Question 44

Mission Assurance Category MAC I

Answer 44

Most stringent protection measures | Requires high integrity and high availability

Question 45

Mission Assurance Category MAC III

Answer 45

Requires best practice protective measures | Info systems handle info necessary for day-to-day business

Question 46

Provide non-product specific requirements to mitigate sources of security vulnerabilities consistently and commonly encountered across IT systems and applications Not be confused w/ STIGs

Answer 46

DISA Security Requirement Guides | SRGs

Question 47

Minimum requirements, standards, controls and options for securing the enclave as a whole

Answer 47

DISA Security Technical Implementation Guide (STIGs)

Question 48

Required by all enclaves connecting to the DISN Initiated in parallel with request fulfillment process for new/additional connections

Answer 48

Assessment and authorization (A&A) process

Question 49

Seeks to provide a more threat-focused, mission based assessment Analyze 3 levels of effort to review operational risk (mission, threat, and vulnerabilities)

Answer 49

Command cyber operational readiness inspections | (CCORIs) for short

Question 50

If directed by ____ or ____, US military may conduct cyber ops to counter imminent/on-going attack against US homeland or US interests

Answer 50

POTUS or SecDef

Question 51

2 encryption classes??

Answer 51

Asymmetric | Symmetric

Question 52

Firewall can have 2 rules: define default deny

Answer 52

Deny by default/deny all | Assumes most traffic is potentially malicious, unwanted, or unauthorized

Question 53

Firewall can have 2 rules: define default allow

Answer 53

Allow by default or allow all | Assumes most traffic is benign

Question 54

When writing firewall rules, what is the order the syntax goes in?

Answer 54

``` base protocol source address source port destination address destination port action ```

Question 55

NIDS function in 3 modes

Answer 55

Signature detection Anomaly detection hybrid

Question 56

Cyber incident handling process

Answer 56

Detection of events Preliminary analysis and ID Preliminary response action Incident analysis Response and recover Post-incident analysis

Question 57

Incident category | CAT 0

Answer 57

Training and exercises

Question 58

Incident category | CAT 1

Answer 58

Root level intrusion (incident)

Question 59

Incident category | CAT 2

Answer 59

user level intrusion (incident)

Question 60

Incident category | CAT 3

Answer 60

Unsuccessful activity attempt (event)

Question 61

Incident category | CAT 4

Answer 61

Denial of service (incident)

Question 62

Incident category | CAT 5

Answer 62

Non-compliance activity (event)

Question 63

Incident category | CAT 6

Answer 63

Reconnaissance (event)

Question 64

Incident category | CAT 7

Answer 64

Malicious logic (incident)

Question 65

Incident category | CAT 8

Answer 65

Investigating (event)

Question 66

Incident category | CAT 9

Answer 66

Explained anomaly (event)

Question 67

The discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless comms, and storage devices in a way that is admissible as evidence in a court of law

Answer 67

Digital forensics

Question 68

4 phases of forensics process

Answer 68

Collection Examination Analysis Reporting

Question 69

Document that serves as starting point for developing a forensic capability

Answer 69

NIST 800-86

Question 70

Any data stored in IS memory (system registers, cache, RAM) that will be lost when the IS loses power or is shut down

Answer 70

Volatile data Open connections, ports and sockets, routing info, network interface status, ARP cache

Question 71

Data in the IS's HD and removable storage media that will not be changed when the machine is powered off

Answer 71

Non-volatile data

Question 72

Windows based forensic tools

Answer 72

``` EnCase Forensic Toolkit (FTK) ```

Question 73

Unix based forensic tools

Answer 73

The Sleuth Kit (TSK), SMART

Question 74

Malware analysis 3 types of analysis

Answer 74

Surface Analysis run-time static

Question 75

Goal of this process is to deliver fielded capability within 180 days of validated request Identify service specific needs during current conflict or crisis that if not satisfied in an expedited manner, will result in unacceptable loss of life or critical mission failure

Answer 75

UON Urgent Operational Need

Question 76

Urgent need identified by a warfighting commander that requires synchronization across multiple Service/agency providers to ensure complete and timely combat capability is provided to the Joint warfighter

Answer 76

JUON Joint urgent operational need

Question 77

3 types of Test & evaluation

Answer 77

Developmental testing Operational testing Cyber test

Question 78

Lowest level in the software chain | Language of reversing

Answer 78

Assembly language

Question 79

Take a program's executable binary as input and generate textual files that contain the assembly language code for part/whole of program

Answer 79

Disassembler

Question 80

Allow software developers to observe their program while it's running

Answer 80

Debuggers

Question 81

Program that converts instructions into a machine-code or lower level form so that they can be read and executed by a computer

Answer 81

Compiler

Question 82

Tries to reverse compilation process to obtain the original source code file or something similar to it Takes binary file & attempts to produce readable high-level language code from it

Answer 82

Decompiler

Question 83

Byte = __ bits Word = __ bits Dword = __ bits Qword = __ bits

Answer 83

8 bits 16 bits = 2 bytes 32 bits = 4 bytes 64 bits = 8 bytes

Question 84

__ means load the value happens from right to left

Answer 84

MOV | faster than Load effective address

Question 85

__ is intended to be used for arithmetic operations or pointers to memory

Answer 85

LEA = load effective address

Question 86

Motivated by money and power Previously lawful citizens with technical skills turn to cybercrime as means to escape poverty

Answer 86

Criminal syndicates

Question 87

Means of general protest or to promote an expreseed ideology or a political agenda The "anonymous" collective

Answer 87

Cyber militias / hacktivists

Question 88

Form of specialized black hats Develop original software for antagonistic or criminal purposes

Answer 88

Malware authors

Question 89

Use computer and network technologies to carry out their attacks and cause public fear Islamic State hacking division

Answer 89

cyber terrorists

Question 90

Main motives are to aid or support one's own nation-state in an ongoing real world conflict or war

Answer 90

Patriot hacking

Question 91

Layer 8 issues Weakest link

Answer 91

Ordinary citizen

Question 92

Mission analysis is phased in to the 4 phases

Answer 92

Site section Pre-inspection Inspection Post-inspection