Classifying Threats Section 4

Question 1

Name Some Threat Classifications

Answer 1

known threats, malware, documented exploits, unknown threats, 0-day exploits, obfuscated malware code, behavior-based detection (heuristics), recycled threats, known knowns, unknown known, known unknowns, unknown unknowns

Question 2

Unknown Unknowns

Answer 2

A classification of malware that contains completely new attack vectors and exploits. Things that we don’t know, and we just don’t have any way to know about it yet. We must experiment more and more, and we have to do a lot more research, and try to figure these things out.

Question 3

Ex of Unknown Unknowns

Answer 3

if there is a zero-day, we’ve never seen it before, and it’s doing something that we never thought was malicious behavior, this is an unknown unknown. Eventually we might find out ‘that thing they’re doing’ when you put them together, that’s a bad thing. Then it becomes a known unknown and if eventually we can get a signature for it, it will become a known known.

Question 4

Known Unknowns

Answer 4

A classification of malware that contains obfuscation techniques to circumvent signature-matching and detection. We don’t have a matching signature for this and that we can’t predict; we must research it to start reducing the uncertainty we have around this thing.
● We know that it is bad (that’s the known part) but we don’t know any signatures that are related with it, so we don’t have an easy way to block it. This is generally where you’re going to see a lot of behavior-based analysis done.

Question 5

Unknown Known

Answer 5

▪ Something that is known to other people, but it may be known to you.

Question 6

Ex of Unknown Known

Answer 6

● EX: There may be a signature out there inside the McAfee FW but there’s not one inside your firewall. So McAfee knows about it and they can stop it but we don’t know about it and we can’t stop it.

Question 7

Recycled Threats

Answer 7

Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning.
● If we take different pieces and parts of different malware code and we put them together we can now bypass the signature-based detection of a known threat because it is now something new that we may be able to get through the system and by the anti-malware scans.

Question 8

Behavior-based Detection (heuristics)

Answer 8

▪ A malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior.

Question 9

Ex of Behavior-based Detection (heuristics)

Answer 9

if you send an email with an attachment in it, that attachment may be opened in a sandbox first, evaluated based on its behavior, see if it’s malicious or not and if it isn’t malicious then be sent into my inbox and if it is malicious, it can be sent out and destroyed.

Question 10

Obfuscated Malware Code

Answer 10

Malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware.
● Scramming or changing the code slightly randomly at different intervals essentially making it unknow. You’re making the signatures inaccurate so it can no longer be detected.

Question 11

Zero-day Exploits

Answer 11

An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong.
●Something someone found out in the wild to break into something that analysts don’t have a way to protect against.

Question 12

Unknown threats

Answer 12

A threat that cannot be identified using basic signature or pattern. Much more dangerous for analyst.

Question 13

Ex of unknown threats:

Answer 13

Zero-day exploits, obfuscated malware code, behavior-based detection, recycled threats, known unknowns and unknown unknowns.

Question 14

Documented Exploits

Answer 14

A piece of software, data or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data.

Question 15

Ex of Documented Exploits

Answer 15

Static threats that are easily detected using signatures or hash values.

Question 16

Malware

Answer 16

Any software intentionally designed to cause damage to a computer, server, client, or computer network.
● Viruses, rootkits, trojans and botnets.

Question 17

Name some activities hackers perform

Answer 17

Social media profiling, social engineering, network scanning, fingerprinting, service discovery and packet capture.

Question 18

What is fingerprinting and service discovery used for

Answer 18

to identify vulnerable services that they can exploit and attack.

Question 19

Name the 8 main types of threat actors

Answer 19

Script kiddies, insider threats, competitor, organized crime, hacktivist, nation-state, APT, Supply chain threats

Question 20

Script kiddie

Answer 20

Someone who has the least amount skill when it comes to being an attacker. They use other people’s tools as they don’t have the skill to make their own and they often don’t understand what they are doing and what kind of damage they may cause.

Question 21

Insider threat

Answer 21

People who have authorized access to an organization’s network, policies, procedures, and business practices. This can be an employee or a former employee who has knowledge of the organization’s network, policies, procedures, and business practices.

Question 22

What are they two types of insider threats? Describe each

Answer 22

Skilled: someone who is able to elevate their own user account permissions so they can now access data from across the entire network as a sys admin and then try to grab everything they can and sell it to a willing buyer.
Unskilled: may try to copy the org’s files onto a thumb drive and walk out the front door with them. Even though they were authorized to access those files, they may not have been authorized to remove them from the network or post them online and this results in some kind of data breach.

Question 23

What enforcement technologies should organizations have in place to defend against insider threats

Answer 23

DLP, SIEM search (systems need to be properly configured to search through the SIEM to ID patterns of abuse in order to catch the malicious insider.)

Question 24

it is important to have a solid cybersecurity strategy to counter Insider Threats including:

Answer 24

● Employee Education and Training
● Access Controls
● Incident Response Plans – helps to quickly detect, contain and deal with any kind of insider threat you may encounter.
● Regular Monitoring to detect unusual behavior

Question 25

competitor

Answer 25

● A rogue business attempting to conduct cyber espionage against an organization. They are focused on stealing your proprietary data, disrupting your business, or damaging your reputation.

Question 26

Often competitors will..

Answer 26

seek to use an employee as an insider threat in your organization to steal the data from you or they may try to break into your network via the internet.

Question 27

Organized crime

Answer 27

● Focused on hacking and computer fraud to achieve financial gains. Organized crime gangs often run different schemes of scams using social engineering or conducting more technical attacks using ransomware to steal money from their victims.

Question 28

T or F Organized crime is typically well-funded and they use sophisticated attacks and tools

Answer 28

T

Question 29

Hacktivist

Answer 29

● Politically-motivated hacker who targets governments or individuals to advance their political ideologies.

Question 30

Nation State actors have..

Answer 30

with exceptional capability, funding, and organization with an intent to hack a network or system. They do not pick a network at random to attack but instead, they determine specific targets to achieve their political motives.

Question 31

Not all ____ are ________ but almost all _______ are going to be considered ____

Answer 31

● Not all APT are nation-states, but almost all nation-states are going to be considered an APT.

Question 32

How long are Nation States or an APT inside of a victimized network before defenders discover an intrusion?

Answer 32

At least 6-9 months but they can go longer.

Question 33

Many nation-states tried to present themselves as...

Answer 33

a threat actor inside of the other groups, so they can maintain a plausible deniability. Often times, a Nation State might use the TTPs of a different Nation State as well in order to implicate them inside of an attack; this is called a false flag attack

Question 34

A nation-state actor refers to a...

Answer 34

government or government affiliated group that conducts cyber-attacks.

Question 35

Advanced persistent threat (APT)

Answer 35

●An attacker that establishes a long-term presence on a network in order to gather sensitive information

Question 36

What is the main goal of an APT

Answer 36

to harvest sensitive data, intellectual property, and other sensitive information

Question 37

What is the key difference between a Nation State and APT

Answer 37

▪Nation-state is affiliated with the government. ▪APT is a generic type of cyber-attack that establishes long-term presence on a network to gather sensitive information.

Question 38

APT use a lot of..

Answer 38

tools that exist on the computer already which we refer to as living off the land.

Question 39

Commodity Malware

Answer 39

▪Malicious software applications that are widely available for sale or easily obtainable and usable. Generic (off the shelf malware) and going against everyone.

Question 40

where can Commodity Malware be found

Answer 40

these on the dark web/net and there are online marketplaces where you can buy RATs like Poison Ivy, Dark Comet, and Extreme Rat etc. and other types of malware. They’re available online for a fee, then you can download them and start using them as part of your attacks if you’re a bad guy.

Question 41

what can identifying if malware is commodity or targeted help you determine

Answer 41

the severity of the incident

Question 42

What kind of threat are APTs considered to be

Answer 42

known unknown threat

Question 43

Is an APT a group or a single person

Answer 43

a group. Generally, you’re going to have a staff that has different realms of expertise. EX: one person whose jobs it is to break down the front door and get into the system. Another person whose job it is to establish persistence and make sure they don’t get kicked out. Maybe another person whose is a linguist who can assist in translating the information I’m getting.

Question 44

Command and Control (C2)

Answer 44

▪An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.

Question 45

What do APTs often target

Answer 45

target financial institutions, healthcare companies, and governments to get large PII data sets and that can be turned into money.

Question 46

What does it mean to establish persistence

Answer 46

▪The ability of a threat actor to maintain covert access to a target host or network.

Question 47

Reputation Data

Answer 47

▪Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains. All of this data helps provide the basis for what we’re going to use inside our research because they tell us known things that we know are bad.

Question 48

Indicator of Compromise (IOC)

Answer 48

residual sign that an asset or network has been successfully attacked or is continuing to be attacked. ▪An IoC is evidence that an attack was successful.

Question 49

Ex of IOCs

Answer 49

▪Hash value ▪IP address ▪A file left behind on a system ▪Unauthorized software and files ▪Suspicious emails ▪Suspicious registry and file system changes ▪Unknown port and protocol usage ▪Excessive bandwidth usage ▪Rogue hardware ▪Service disruption and defacement. ▪Suspicious or unauthorized account usage

Question 50

Indicator of Attack (IoA)

Answer 50

▪A term used for evidence of an intrusion attempt that is in progress right now.

Question 51

What is Behavioral Threat Research

Answer 51

refers to the correlation of IoCs into attack patterns. ▪EX: if we took all of these different IOCs and if I see them in this particular order, that may indicate that adversary X has done this and if I see them in a different order, it might be that adversary Y has done this and that is based on their TTPs.

Question 52

Tactics, Techniques, and Procedures (TTP)

Answer 52

●Behavior patterns that were used in historical cyberattacks and adversary actions. By learning these, you’re going to be able to start understanding the way your adversary thinks and how you could try to get one step ahead of them to prevent them from getting further into your networks.

Question 53

What can high CPU, memory or network usage indicate?

Answer 53

o Viruses or Worms – if I start looking at your system and I have high CPU or memory usage, this could be a sign that there’s some kind of malware infecting your host, or you might see a virus detect alert if there’s a known signature, but again if this is a new piece of malware or a new virus or worm, you’re going to have to look for secondary effects like high CPU, high memory, high network usage and things like that.

Question 54

What are two common ways C2 mechanisms in servers hide themselves

Answer 54

Port hopping and fast flux dns

Question 55

Port hopping

Answer 55

▪An APT’s C2 application might use any port to communicate and may jump between different ports. oIt may start using port 22 and if it thinks its being detected it will jump to port 1258 or whatever port it’s going to use. By jumping between these ports, it can try to evade detection.

Question 56

fast flux dns

Answer 56

▪A technique that rapidly changes the IP address associated with a domain. oWhat happens here is that you have one domain name, but multiple IP address associated with it. So even if you start blocking IP addresses, they can change the backend IP address and still route their communications to the C2 server. This allows an adversary to defeat your IP based blacklisting and it allows them to maintain communication and remain as an advanced persistent threat by maintain that C2 communication.

Question 57

How can you detect fast flux dns

Answer 57

by looking at the communication patterns that emerge as these changes keep happening, because we’re going to see that your machine now went from this IP to that IP to a 3rd or 4th IP. That can be detected through our logs.

Question 58

Data Exfiltration

Answer 58

▪The unauthorized transfer of data from a computer or other device.

Question 59

What may be an indicator of data exfiltration

Answer 59

if you see file types or compression or encryption that’s being used on data and you normally don’t have that.

Question 60

Name 3 different attack frameworks

Answer 60

▪ Lockheed Martin Kill Chain ▪ MITRE ATT&CK Framework ▪ Diamond Model of Intrusion Analysis

Question 61

Lockheed Martin Kill Chain

Answer 61

▪Describes the stages by which a threat actor progresses a network intrusion.

Question 62

What are the steps of the Lockheed martin kill chain

Answer 62

1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. C2 7. Actions of Objectives

Question 63

in the Lockheed Martin Kill Chain what is Reconnaissance (step 1)

Answer 63

oThe attacker determines what methods to use to complete the phases of the attack. *Attackers don’t want to get caught while doing this so they try to be sneaky by using things like open source and passive information gathering so they can’t be detected.

Question 64

In step 1 of the Lockheed Martin Kill Chain what type of scanning do attackers start with and why

Answer 64

*In this phase you can use both passive and active scanning techniques but generally we’re going to start out with passive info gathering and then move into active scanning.

Question 65

in the Lockheed Martin Kill Chain what is Weaponization (step 2)

Answer 65

o The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system. * You’re basically coding or creating the malware or the exploit you want to run, but you’re not running it yet. You’ve only creating it inside your own lab, you haven’t sent it to the victimized system.

Question 66

in the Lockheed Martin Kill Chain what is Delivery (step 3)

Answer 66

oThe attacker identifies a vector by which to transmit the weaponized code to the target environment. *This may be by email, dropping a USB drive loaded with that malware in their parking lot.

Question 67

in the Lockheed Martin Kill Chain what is Exploitation (step 4)

Answer 67

o The weaponized code is executed on the target system by your chosen mechanism. o Ex: If you sent them an email with a phishing link and they click that link, the sending of the email was delivery. Clicking the link is when exploitation happens, and the code starts running. Or if you dropped the USB drive (delivery) and they plugged it into their system and the autorun started up that code, that would be exploitation.

Question 68

in the Lockheed Martin Kill Chain what is Installation (step 5)

Answer 68

oThis mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system. *If we had a stage one dropper (a type of malware that acts as the initial point of entry) that was run as part of exploitation, we now have downloaded and installed our phase two, giving us control of that system moving forward and that persistence that we’re looking for.

Question 69

in the Lockheed Martin Kill Chain what is C2 (step 6)

Answer 69

o The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack. * At this point your ‘own this system’. You have access to is, you can remote into that system, and you can now run commands on that system. That’s what the C2 is all about.

Question 70

in the Lockheed Martin Kill Chain what is Actions on Objectives (step 7)

Answer 70

o The attacker typically uses the access he has achieved from steps 1-6 to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives. * That may be data exfiltration or some other goal or motive. Whatever their goal was originally with reconnaissance, they’ve now achieved that by being on the system; they have 2-way communication using command and control and now we can perform action on objectives.

Question 71

What are the 6 Ds we try to do to an attacker who is trying to break into our systems?

Answer 71

o Detect, Deny, Disrupt, Degrade, Deceive, Destroy.

Question 72

The kill chain is..

Answer 72

a linear method but there are newer methods out there that work in more of an iterative manner or allow you to think holistically across multiple lines of attack.

Question 73

MITRE ATT&CK Framework

Answer 73

▪ A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)

Question 74

pre-ATT&CK tactics matrix

Answer 74

▪ an additional matrix aligns to the reconnaissance and weaponization phases of the kill chain.

Question 75

Diamond Model of Intrusion Analysis

Answer 75

▪A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.

Question 76

What are the 4 core features of the Diamond Model?

Answer 76

adversary, capability, infrastructure, and victim.

Question 77

Each event in a diamond model is put into a _____ which is an..

Answer 77

array of info that contains info on the adversary, the capability, the infrastructure, and victim.

Question 78

By putting all info of the diamond model into a tuple format we can..

Answer 78

use it inside of some sort of automated system, for instance, our SIEM, that can then help correlate all this info together for us.

Question 79

Name four different formats out there that can be used to share data

Answer 79

o Structured Threat Information eXpression (STIX) o Trusted Automated eXchange of Indicator Information (TAXII) o OpenIOC o Malware Information Sharing Project (MISP)

Question 80

How is STIX expressed?

Answer 80

in JavaScript Object Notation (JSON) format that consists of attribute: value pairs.

Question 81

STIX is built from high-level STIX domain objects (SDO) that contain multiple..

Answer 81

attributes and values.

Question 82

In STIX what is Observed Data

Answer 82

a stateful property of your computer system and what you’ve actually seen in the event occurring – like an IP or an executable file.

Question 83

In STIX anytime you see an indicator you should..

Answer 83

dig a little deeper on it to figure out if it’s an indicator of past compromise or a TTP.

Question 84

In STIX what is an attack pattern

Answer 84

known adversary behaviors starting with the overall goal of what they’re trying to attack and then elaborating down to some kind of specific technique or procedure.

Question 85

In STIX what are campaign and threat actors

Answer 85

people who are trying to attack you. we are trying to figure out.. Who are these people? What are their goals? What is their campaign?

Question 86

In STIX what is a Course of Action (COA)

Answer 86

the mitigating actions or security controls that you can use to reduce the risk from these different attacks and how to resolve these incidents.

Question 87

In STIX when taking all the STIX Domain Object and putting them together you start...

Answer 87

creating a connection of this relationship of objects and this can do a lot of things for you as you start indicating what it was, what the targets were, and what things were attributed to it.

Question 88

STIX work by creating..

Answer 88

language for us to describe these things in a very easy way to share them automatically across our systems.

Question 89

Trusted Automated eXchange of Indicator Information (TAXII)

Answer 89

A protocol for supplying codified information to automate incident detection and analysis.

Question 90

what is Trusted Automated eXchange of Indicator Information (TAXII) used for

Answer 90

to transmit data back and forth between servers and clients over some kind of a secure connections like a secure web connection, HTTPS, using something like a REST API. ▪ Ex: if you have a CTI subscription with some service provider, they’re going to maintain their data repository but you as a subscriber need to get that information from them. The way you do this is by using TAXII.

Question 91

TAXII is really a..

Answer 91

connection mechanism, you can actually take STIX and provide it over TAXII

Question 92

OpenIOC

Answer 92

▪ A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis.

Question 93

OpenIOC is a..

Answer 93

open-source tool. it has a lot of different information for each entry. Each entry is going to have a lot of different metadata there such as the author, category info, confidence level, usage license, plus a description and a definition.

Question 94

Malware Information Sharing Project (MISP)

Answer 94

provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII. It is also open source.