Cyber Threat Intelligence

Question 1

What is Cyber Threat Intelligence (CTI)?

Answer 1

Evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them.

Question 2

What are the three terms often used interchangeably in CTI?

Answer 2

Data, Information, Intelligence.

Question 3

Define Data in the context of CTI.

Answer 3

Discrete indicators associated with an adversary, such as IP addresses, URLs or hashes.

Question 4

Define Information in the context of CTI.

Answer 4

A combination of multiple data points that answer specific questions.

Question 5

Define Intelligence in the context of CTI.

Answer 5

The correlation of data and information to extract patterns of actions based on contextual analysis.

Question 6

What is the primary goal of CTI?

Answer 6

To understand the relationship between your operational environment and your adversary and how to defend against attacks.

Question 7

What type of questions should CTI aim to answer?

Answer 7

Who’s attacking you? What are their motivations? What are their capabilities? What artefacts and indicators of compromise (IOCs) should you look out for?

Question 8

What are the internal sources of threat intelligence?

Answer 8

• Corporate security events
• Cyber awareness training reports
• System logs and events

Question 9

What are the community sources of threat intelligence?

Answer 9

• Open web forums
• Dark web communities for cybercriminals

Question 10

What are the external sources of threat intelligence?

Answer 10

• Threat intel feeds (Commercial & Open-source)
• Online marketplaces
• Public sources including government data, publications, social media, financial and industrial assessments.

Question 11

What are the classifications of Threat Intelligence?

Answer 11

• Strategic Intel
• Technical Intel
• Tactical Intel
• Operational Intel

Question 12

What does Strategic Intel focus on?

Answer 12

High-level intel that looks into the organisation’s threat landscape and maps out risk areas based on trends and emerging threats.

Question 13

What does Technical Intel focus on?

Answer 13

Evidence and artefacts of attacks used by adversaries.

Question 14

What does Tactical Intel assess?

Answer 14

Adversaries’ tactics, techniques, and procedures (TTPs).

Question 15

What does Operational Intel look into?

Answer 15

An adversary’s specific motives and intent to perform an attack.

Question 16

What is the first phase of the CTI lifecycle?

Answer 16

Direction.

Question 17

What is the purpose of the Direction phase in the CTI lifecycle?

Answer 17

To define objectives and goals, identify information assets and business processes that require defending.

Question 18

What does the Collection phase involve?

Answer 18

Gathering required data to address defined objectives.

Question 19

What is the goal of the Processing phase in the CTI lifecycle?

Answer 19

To ensure data is extracted, sorted, organised, correlated, and presented in a usable format.

Question 20

What is the outcome of the Analysis phase?

Answer 20

Deriving insights and making decisions about potential threats.

Question 21

What is the dissemination phase of the CTI lifecycle?

Answer 21

The phase where intelligence is communicated to various organizational stakeholders.

Question 22

What is the Feedback phase in the CTI lifecycle?

Answer 22

The phase where analysts rely on stakeholder responses to improve the threat intelligence process.

Question 23

What is the MITRE ATT&CK framework?

Answer 23

A knowledge base of adversary behaviour focusing on indicators and tactics.

Question 24

What does TAXII stand for?

Answer 24

Trusted Automated eXchange of Indicator Information.

Question 25

What are the two sharing models supported by TAXII?

Answer 25

* Collection * Channel

Question 26

What is STIX?

Answer 26

Structured Threat Information Expression, a language for specifying and communicating standardized cyber threat information.

Question 27

What is the purpose of the Cyber Kill Chain?

Answer 27

To break down adversary actions into steps to help analysts identify specific activities during an investigation.

Question 28

What is the first phase of the Cyber Kill Chain?

Answer 28

Reconnaissance.

Question 29

What does the Installation phase of the Cyber Kill Chain involve?

Answer 29

Installing malware and other tools to gain access to the victim's system.

Question 30

What does the Command & Control phase involve?

Answer 30

Remotely controlling the compromised system and delivering additional malware.

Question 31

What does the Diamond Model focus on?

Answer 31

Intrusion analysis and tracking attack groups over time through four key areas: Adversary, Victim, Infrastructure, and Capabilities.

Question 32

Fill in the blank: The _______ model looks at intrusion analysis and tracking attack groups.

Answer 32

Diamond

Question 33

True or False: The diamond model includes the victim's systems as part of its analysis.

Answer 33

True

Question 34

What is the purpose of threat reports in the dissemination phase?

Answer 34

To consolidate information presented to all suitable stakeholders.

Question 35

Name one company that produces notable threat reports.

Answer 35

* Mandiant * Recorded Future * Palo Alto Unit42