Section 1.2: Threat Intelligence Flashcards
What is TTP?
Techniques, tactics, and procedures.
What is the Attack cycle like?
External recon -> Compromised machine -> Internal Recon -> Local Privilege Escalation -> Compromise Creds -> Admin Recon -> Remote Code Execution -> Domain Admin Creds -> Domain Dominance -> Remote Code Execution -> Asset Recon -> Local Privilege Escalation -> Asset Access -> Exfiltration
What steps are inside the Cyber Kill Chain?
Recon, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objective
How do responders develop profiles on their adversaries?
They record, track and group information on the attack to create a profile. All adversaries have preferences on how to commit intrusions and what tools they use.
Name the types of indicators responders document.
Atomic Indicators, Computed Indicators, and Behavioral Indicators.
What are Atomic Indicators?
Pieces of data that are indicators of adversary activity on their own (IP addresses, email addresses, static string C2 channels, and domain names).
What are Computed Indicators?
Indicators that are computed from data rather than observed directly. The most common are hashes of malicious files or specific data that is decoded in custom C2 channels. IDS signatures can apply as well.
What are Behavioral Indicators?
They are a combination of indicators, including other behaviors, to form a profile.
Which indicator is which in this example?
- Using IP address to target sales
- Trojaned MS Word docs
- C2 is created to communicate to A.B.C.D.
1st: Behavioral
2nd: Computed
3rd: Atomic
What is an open mail relay and why is it important?
An open mail relay is a Simple Mail Transfer Protocol (SMTP) server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This is a way adversaries can keep sending spoof emails.
What are some ways adversaries can recon an organization?
They can do it through port scans, system enumeration, browsing company sites, pulling down PDFs, and learning the structure of the organization.
What is weaponization?
The technique adversaries use to obfuscate shellcode.
What is a single-phase exploit and a multi-phase exploit?
A single-phase exploit is the result of a compromised host behaving according to the attacker’s wishes. A multi-phase exploit involves delivery of a shellcode with the function of downloading more capable code.
Name two methods an adversary can use to exploit an enterprise.
Through a hardware vulnerability and through a human vulnerability (social engineering).
What is a problem an adversary may run into after installing their malware on the victim's PC?
The tool they used to exploit the machine may not be compatible with it, so they may not get a response back from it.