Classifying Threats

Question 1

What is a Known Threats?

Answer 1

A threat that can be identified using basic signature or pattern matching

Once we know it and recognize it - we will block it.

Question 2

What is a Malware?

Answer 2

Any software intentionally designed to cause damage to a computer, server, client, or computer network

Question 3

What is a Documented Exploits ?

Answer 3

A piece of software, data or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data

Question 4

What is an Unknown Threats?

Answer 4

A threat that cannot be identified using basic signature or patter.

Those are the threats we need to look out for and investigate.

Question 5

What is a matching Zero-day Exploit ?

Answer 5

An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong.

Question 6

What is an Obfuscated Malware Code ?

Answer 6

Malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware.

Question 7

What is a Behavior-based Detection?

Answer 7

A malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior

Question 8

What is a Recycled Threats ?

Answer 8

Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning

Question 9

What is a Known Unknowns?

Answer 9

A classification of malware that contains obfuscation techniques to circumvent signature-matching and detection

Question 10

What is an Unknown Unknowns ?

Answer 10

A classification of malware that contains completely new attack vectors and exploits

Question 11

What are Threat Actors?

Answer 11

Those who wish to harm networks or steal secure data

Question 12

What is a Black Hat Hacker?

Answer 12

An unauthorized hacker – criminals

Question 13

What is a White Hat Hacker?

Answer 13

An ethical or authorized hacker

Question 14

What is a Grey Hat Hacker?

Answer 14

A semi-authorized hacker where it sometimes acts as a good or bad folk

Question 15

Basic activities that hackers perform:

Answer 15

▪ Social Media Profiling
▪ Social Engineering
▪ Network Scanning
▪ Fingerprinting
▪ Service Discovery
▪ Packet Capture

Question 16

Types of threat actors

Answer 16

• Advanced persistent threat (APT)
• Hacktivists
• Organized crime
• Nation-state
• Script kiddie
• Insider threat
  o Intentional
  o Unintentional
• Supply chain
• Competitor

Question 17

What is a Script Kiddie?

Answer 17

Uses other people’s tools to conduct their attacks as they do not have the skills to make their own tools.
Script kiddies often don’t understand what they’re doing.

Question 18

What is an Insider threat?

Answer 18

People who have authorized access to an organization’s network, policies, procedures, and business practices
To prevent an insider threat, organizations need to have policies and enforcement technologies such as
● Data Loss Prevention
● Internal Defenses
● SIEM Search

2 different types of insider threats
-Intentional- an actor who deliberately seeks to cause
harm
-Unintentional- an actor who causes harm because of
carelessness

Solid cybersecurity strategy to counter Insider Threats include: Employee Education and Training, Access Controls, Incident Response Plans and Regular Monitoring

Question 19

What is a Competitor?

Answer 19

A rogue business attempting to conduct cyber espionage against an organization

Question 20

What is an Organized Crime?

Answer 20

Focused on hacking and computer fraud to achieve financial gains

Question 21

What is a Hacktivist?

Answer 21

Politically-motivated hacker who targets governments or
individuals to advance their political ideologies

Question 22

What is a Nation-State?

Answer 22

A group of attackers with exceptional capability, funding, and organization with an intent to hack a network or system. They conducts highly covert hacks over long periods of time.

Not all APT are nation-states, but almost all nation-states are going to be considered an APT

They’re going to be inside of a victimized network for six to nine months.
Many nation-states tried to present themselves as a threat actor inside of the other groups, so they can maintain a plausible deniability.

A nation-state actor refers to a government or government affiliated group that conducts cyber attacks

Question 23

What is a Advanced Persistent Threat (APT) ?

Answer 23

An attacker that establishes a long-term presence on a network in order to gather sensitive information.

The main goal of an APT is to harvest sensitive data, intellectual property, and other sensitive information.

An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware

APTs are considered a known unknown threat

Question 24

What are Key difference between Nation-state and APT threat actors ?

Answer 24

▪ Nation-state is affiliated with the government
▪ APT is a generic type of cyber attack that establishes
long-term presence

Question 25

What are Supply Chain Threats?

Answer 25

Supply chain threats refer to the risks associated with the security practices surrounding the components of a product or system, from manufacturing through distribution to the end-user. Supply chain threats refer to the risks associated with the security practices surrounding the components of a product or system, from manufacturing through distribution to the end-user.

Question 26

What is a Commodity Malware?

Answer 26

Malicious software applications that are widely available for sale or easily obtainable and usable. Targeted or custom malware is developed and deployed with a target in mind. Identifying if the malware is commodity or targeted can help determine the severity of an incident.

Question 27

What is a Zero-day Vulnerability ?

Answer 27

A vulnerability that is discovered or exploited before the vendor can issue a patch to fix it Zero-day is usually applied to the vulnerability itself but can also refer to an attack or malware that exploits it Most adversaries will only use a zero-day vulnerability for high value attacks

Question 29

What is a Command and Control (C2) ?

Answer 29

An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.

Question 30

What is Persistence?

Answer 30

The ability of a threat actor to maintain covert access to a target host or network

Question 31

What is a Reputation Data ?

Answer 31

Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains

Question 32

What is an Indicator of Compromise (IoC)?

Answer 32

A residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Other Indicators of Compromise: ● Unauthorized software and files ● Suspicious emails ● Suspicious registry and file system changes ● Unknown port and protocol usage ● Excessive bandwidth usage ● Rogue hardware ● Service disruption and defacement ● Suspicious or unauthorized account usage An IoC is evidence that an attack was successful

Question 33

What is an Indicator of Attack (IoA) ?

Answer 33

A term used for evidence of an intrusion attempt that is in progress

Question 34

What is a Behavioral Threat Research ?

Answer 34

A term that refers to the correlation of IoCs into attack patterns

Question 35

What is a Tactics, Techniques, and Procedures (TTP) ?

Answer 35

Behavior patterns that were used in historical cyberattacks and adversary actions o DDoS o Viruses or Worms o Network Reconnaissance o APTs o Data Exfiltration

Question 36

What is a Port Hopping ?

Answer 36

An APT’s C2 application might use any port to communicate and may jump between different ports in order to avoid detection while scanning

Question 37

What is a Fast Flux DNS ?

Answer 37

A technique rapidly changes the IP address associated with a domain

Question 38

What is a Data Exfiltration ?

Answer 38

The unauthorized transfer of data from a computer or other device

Question 39

Lockheed Marin Kill Chain

Answer 39

1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command & Control (C2) 7. Actions on Objectives Kill Chain Analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage.

Question 40

What is Reconnaissance ?

Answer 40

step 1 in the cyber kill chain by Lockheed Marin The attacker determines what methods to use to complete the phases of the attack. Likely to be OSINT. but it can be active search.

Question 41

What is Weaponization?

Answer 41

step 2 in the cyber kill chain by Lockheed Marin The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system.

Question 42

What is Delivery ?

Answer 42

step 3 in the cyber kill chain by Lockheed Marin The attacker identifies a vector by which to transmit the weaponized code to the target environment

Question 43

What is Exploitation ?

Answer 43

step 4 in the cyber kill chain by Lockheed Marin The weaponized code is executed on the target system

Question 44

What is Installation?

Answer 44

step 5 in the cyber kill chain by Lockheed Marin This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system

Question 45

What is Command & Control (C2) ?

Answer 45

step 6 in the cyber kill chain by Lockheed Marin The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack

Question 46

What is Actions on Objectives ?

Answer 46

step 7 in the cyber kill chain by Lockheed Marin The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives

Question 47

MITRE ATT&CK Framework

Answer 47

A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org) The pre-ATT&CK tactics matrix- an additional matrix aligns to the reconnaissance and weaponization phases of the kill chain.

Question 48

Diamond Model of Intrusion Analysis

Answer 48

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim

Question 49

Structured Threat Information eXpression (STIX)

Answer 49

A standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework. **STIX is expressed in JavaScript Object Notation (JSON)** format that consists of attribute: value pairs STIX is built from high-level STIX domain objects (SDO) that contain multiple attributes and values: ● Observed Data ● Indicator ● Attack Pattern ● Campaign and Threat Actors ● Course of Action (COA)

Question 50

Trusted Automated eXchange of Indicator Information (TAXII)

Answer 50

A protocol for supplying codified information to automate incident detection and analysis Subscribers obtain updates to the data for their analysis tools using TAXII

Question 51

OpenIOC

Answer 51

A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis

Question 52

Malware Information Sharing Project (MISP)

Answer 52

MISP provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII

Question 53

JSON = almost always ....

Answer 53

STIX

Question 54

Indicator Management - types

Answer 54

- Structured Threat Information eXpression (STIX) - Trusted Automated eXchange of Indicator Information (TAXII) - OpenIOC - Malware Information Sharing Project (MISP)

Question 55

Quiz: Which step in the Lockheed Martin Kill Chain describes when an attacker combines the payload code with the exploit code so that the attack is ready to use?

Answer 55

Weaponization

Question 56

Quiz: In the Cyber Kill Chain model, at which stage does an attacker take advantage of a system's vulnerabilities using the malicious payload that has been delivered, thereby initiating the actual attack?

Answer 56

Exploitation

Question 57

Quiz: Which type of threat will patches NOT effectively combat as a security control?

Answer 57

Zero - days attacks Because they have no known fix! so u can't patch them successfully.