
Classifying Threats Flashcards

(58 cards)

1
Q

What is a Known Threat?

A

A threat that can be identified using basic signature or pattern matching

Once we know it and recognize it - we will block it.

2
Q

What is Malware?

A

Any software intentionally designed to cause damage to a computer, server, client, or computer network

3
Q

What is a Documented Exploit?

A

A piece of software, data or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data

4
Q

What is an Unknown Threat?

A

A threat that cannot be identified using basic signature or pattern matching.

Those are the threats we need to look out for and investigate.

5
Q

What is a Zero-day Exploit?

A

An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong.

6
Q

What is Obfuscated Malware Code?

A

Malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware.

7
Q

What is Behavior-based Detection?

A

A malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior

8
Q

What are Recycled Threats?

A

Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning

9
Q

What are Known Unknowns?

A

A classification of malware that contains obfuscation techniques to circumvent signature-matching and detection

10
Q

What are Unknown Unknowns?

A

A classification of malware that contains completely new attack vectors and exploits

11
Q

What are Threat Actors?

A

Those who wish to harm networks or steal secure data

12
Q

What is a Black Hat Hacker?

A

An unauthorized hacker; a criminal

13
Q

What is a White Hat Hacker?

A

An ethical or authorized hacker

14
Q

What is a Grey Hat Hacker?

A

A semi-authorized hacker who sometimes acts as a good actor and sometimes as a bad one

15
Q

Basic activities that hackers perform:

A

▪ Social Media Profiling
▪ Social Engineering
▪ Network Scanning
▪ Fingerprinting
▪ Service Discovery
▪ Packet Capture

16
Q

Types of threat actors

A

  • Advanced persistent threat (APT)
  • Hacktivists
  • Organized crime
  • Nation-state
  • Script kiddie
  • Insider threat
    o Intentional
    o Unintentional
  • Supply chain
  • Competitor

17
Q

What is a Script Kiddie?

A

Uses other people’s tools to conduct their attacks as they do not have the skills to make their own tools.
Script kiddies often don’t understand what they’re doing.

18
Q

What is an Insider threat?

A

People who have authorized access to an organization’s network, policies, procedures, and business practices.

To prevent an insider threat, organizations need to have policies and enforcement technologies such as:
● Data Loss Prevention
● Internal Defenses
● SIEM Search

2 different types of insider threats:
- Intentional: an actor who deliberately seeks to cause harm
- Unintentional: an actor who causes harm because of carelessness

A solid cybersecurity strategy to counter insider threats includes: Employee Education and Training, Access Controls, Incident Response Plans, and Regular Monitoring.

19
Q

What is a Competitor?

A

A rogue business attempting to conduct cyber espionage against an organization

20
Q

What is Organized Crime?

A

Focused on hacking and computer fraud to achieve financial gains

21
Q

What is a Hacktivist?

A

Politically-motivated hacker who targets governments or individuals to advance their political ideologies

22
Q

What is a Nation-State?

A

A group of attackers with exceptional capability, funding, and organization with an intent to hack a network or system. They conduct highly covert hacks over long periods of time.

Not all APTs are nation-states, but almost all nation-states are going to be considered an APT.

They’re going to be inside of a victimized network for six to nine months.
Many nation-states try to present themselves as a threat actor from one of the other groups, so they can maintain plausible deniability.

A nation-state actor refers to a government or government-affiliated group that conducts cyber attacks.

23
Q

What is an Advanced Persistent Threat (APT)?

A

An attacker that establishes a long-term presence on a network in order to gather sensitive information.

The main goal of an APT is to harvest sensitive data, intellectual property, and other sensitive information.

An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware

APTs are considered a known unknown threat

24
Q

What are the key differences between Nation-state and APT threat actors?

A

▪ Nation-state is affiliated with the government
▪ APT is a generic type of cyber attack that establishes long-term presence

25
Q

What are Supply Chain Threats?

A

Supply chain threats refer to the risks associated with the security practices surrounding the components of a product or system, from manufacturing through distribution to the end-user.

26
Q

What is Commodity Malware?

A

Malicious software applications that are widely available for sale or easily obtainable and usable. Targeted or custom malware is developed and deployed with a target in mind. Identifying if the malware is commodity or targeted can help determine the severity of an incident.

27
Q

What is a Zero-day Vulnerability?

A

A vulnerability that is discovered or exploited before the vendor can issue a patch to fix it.

Zero-day is usually applied to the vulnerability itself but can also refer to an attack or malware that exploits it.

Most adversaries will only use a zero-day vulnerability for high value attacks.

28
29
Q

What is Command and Control (C2)?

A

An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.

30
Q

What is Persistence?

A

The ability of a threat actor to maintain covert access to a target host or network.

31
Q

What is Reputation Data?

A

Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains.

32
Q

What is an Indicator of Compromise (IoC)?

A

A residual sign that an asset or network has been successfully attacked or is continuing to be attacked.

Other Indicators of Compromise:
● Unauthorized software and files
● Suspicious emails
● Suspicious registry and file system changes
● Unknown port and protocol usage
● Excessive bandwidth usage
● Rogue hardware
● Service disruption and defacement
● Suspicious or unauthorized account usage

An IoC is evidence that an attack was successful.

33
Q

What is an Indicator of Attack (IoA)?

A

A term used for evidence of an intrusion attempt that is in progress.

34
Q

What is Behavioral Threat Research?

A

A term that refers to the correlation of IoCs into attack patterns.

35
Q

What are Tactics, Techniques, and Procedures (TTPs)?

A

Behavior patterns that were used in historical cyberattacks and adversary actions:
o DDoS
o Viruses or Worms
o Network Reconnaissance
o APTs
o Data Exfiltration

36
Q

What is Port Hopping?

A

An APT’s C2 application might use any port to communicate and may jump between different ports in order to avoid detection while scanning.

37
Q

What is Fast Flux DNS?

A

A technique that rapidly changes the IP address associated with a domain.

38
Q

What is Data Exfiltration?

A

The unauthorized transfer of data from a computer or other device.

39
Q

Lockheed Martin Kill Chain

A

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control (C2)
7. Actions on Objectives

Kill Chain Analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage.

40
Q

What is Reconnaissance?

A

Step 1 in the Lockheed Martin Cyber Kill Chain. The attacker determines what methods to use to complete the phases of the attack. Likely to be OSINT, but it can be an active search.

41
Q

What is Weaponization?

A

Step 2 in the Lockheed Martin Cyber Kill Chain. The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system.

42
Q

What is Delivery?

A

Step 3 in the Lockheed Martin Cyber Kill Chain. The attacker identifies a vector by which to transmit the weaponized code to the target environment.

43
Q

What is Exploitation?

A

Step 4 in the Lockheed Martin Cyber Kill Chain. The weaponized code is executed on the target system.

44
Q

What is Installation?

A

Step 5 in the Lockheed Martin Cyber Kill Chain. This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.

45
Q

What is Command & Control (C2)?

A

Step 6 in the Lockheed Martin Cyber Kill Chain. The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.

46
Q

What is Actions on Objectives?

A

Step 7 in the Lockheed Martin Cyber Kill Chain. The attacker typically uses the access they have achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration), or to achieve other goals and motives.

47
Q

MITRE ATT&CK Framework

A

A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org).

The PRE-ATT&CK tactics matrix is an additional matrix that aligns to the reconnaissance and weaponization phases of the kill chain.

48
Q

Diamond Model of Intrusion Analysis

A

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.

49
Q

Structured Threat Information eXpression (STIX)

A

A standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework.

**STIX is expressed in JavaScript Object Notation (JSON)** format, which consists of attribute: value pairs.

STIX is built from high-level STIX domain objects (SDOs) that contain multiple attributes and values:
● Observed Data
● Indicator
● Attack Pattern
● Campaign and Threat Actors
● Course of Action (COA)

50
Q

Trusted Automated eXchange of Indicator Information (TAXII)

A

A protocol for supplying codified information to automate incident detection and analysis. Subscribers obtain updates to the data for their analysis tools using TAXII.

51
Q

OpenIOC

A

A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis.

52
Q

Malware Information Sharing Project (MISP)

A

MISP provides a server platform for cyber threat intelligence sharing and a proprietary format; it supports OpenIOC definitions and can import and export STIX over TAXII.

53
Q

JSON = almost always ....

A

STIX

54
Q

Indicator Management - types

A

- Structured Threat Information eXpression (STIX)
- Trusted Automated eXchange of Indicator Information (TAXII)
- OpenIOC
- Malware Information Sharing Project (MISP)

55
Q

Quiz: Which step in the Lockheed Martin Kill Chain describes when an attacker combines the payload code with the exploit code so that the attack is ready to use?

A

Weaponization

56
Q

Quiz: In the Cyber Kill Chain model, at which stage does an attacker take advantage of a system's vulnerabilities using the malicious payload that has been delivered, thereby initiating the actual attack?

A

Exploitation

57
Q

Quiz: Which type of threat will patches NOT effectively combat as a security control?

A

Zero-day attacks, because they have no known fix, so you can't patch them successfully.