Slides Flashcards

(156 cards)

1
Q

Insider threat

A

Someone who intentionally misuses their authorized access to negatively affect the network

2
Q

Insider threat methods

A
  • Plant logic bombs
  • Open backdoors
  • Steal
  • Attack internal resources
3
Q

Insider threat warning signs

A
  • Greed
  • Introversion (outside of normal behavior)
  • Financial hardship
  • Vulnerability of blackmail
  • Reduced loyalty to the United States
  • Destructive, narcissistic behavior
4
Q

Insider threat detection and prevention techniques

A
  • Encryption
  • Data loss prevention
  • Data access monitoring
  • Log analysis
  • Data redaction
  • Data access control
5
Q

Data/file encryption

A

Ensures confidentiality of data; integrity is only guaranteed when the encryption is combined with a MAC or an authenticated-encryption mode, since a bare cipher does not detect tampering

6
Q

Data Loss Prevention

A

Protects data by providing information about how data is used and by blocking or alerting on policy violations (e.g. sensitive data leaving the network)

7
Q

Data Access Monitoring

A

Identifies who is accessing what

8
Q

Log Analysis

A

Can identify abnormal events by comparing logged activity against a baseline of normal behavior

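The cards above list data access monitoring and log analysis as insider-threat detection techniques without showing what "abnormal" means in practice. The following is an added example, not part of the original slides: it runs three simple detections (off-hours access, first access to a share the user has never touched, and a daily-volume spike against the user's own median) over a small constructed access log. The log format, user names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log (not real data): "ISO-timestamp user action resource bytes"
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice READ /finance/q1.xlsx 20480
2024-03-04T10:05:44 alice READ /finance/q1-notes.docx 10240
2024-03-04T11:30:09 bob READ /eng/design.pdf 51200
2024-03-05T09:40:12 alice READ /finance/q1.xlsx 20480
2024-03-05T14:02:33 bob READ /eng/roadmap.pptx 40960
2024-03-06T02:17:55 bob READ /finance/payroll.csv 5242880
2024-03-06T02:19:10 bob READ /hr/salaries.xlsx 4194304
2024-03-06T09:01:00 alice READ /finance/q1.xlsx 20480
"""


def parse_log(text):
    """Parse the constructed log format into dicts; one dict per event."""
    events = []
    for line in text.splitlines():
        ts, user, action, resource, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "bytes": int(size)})
    return events


def detect_anomalies(events, work_hours=(7, 19), volume_factor=10):
    """Flag three classes of abnormal access and return (user, reason, detail) tuples.

    off_hours    - access outside the [start, end) working-hour window
    new_share    - first access to a top-level share this user has never touched before
    volume_spike - a single day's byte total far above the user's own median daily total
    """
    findings = []
    seen_shares = defaultdict(set)                 # user -> shares accessed so far
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes read
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], e["ts"]
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append((user, "off_hours", f"{ts.isoformat()} {e['resource']}"))
        share = e["resource"].split("/")[1]        # "/finance/q1.xlsx" -> "finance"
        if seen_shares[user] and share not in seen_shares[user]:
            findings.append((user, "new_share", share))
        seen_shares[user].add(share)
        daily[user][ts.date()] += e["bytes"]
    for user, per_day in daily.items():
        totals = list(per_day.values())
        if len(totals) < 2:                        # no baseline to compare against yet
            continue
        baseline = median(totals)
        for day, total in per_day.items():
            if total > volume_factor * baseline:
                findings.append((user, "volume_spike",
                                 f"{day} {total} bytes (median {baseline:.0f})"))
    return findings


if __name__ == "__main__":
    for user, reason, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {reason:13} {detail}")
```

Each detection alone is noisy (a night-shift worker trips off_hours every day); the value comes from the same user tripping several of them in a short window, which is what the sample log for "bob" shows. Real deployments feed these findings into a SIEM rather than printing them.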
9
Q

Data Redaction

A

Removing sensitive data from media

10
Q

What are the types of access control?

A
  • Discretionary access control
  • Mandatory access control
  • Role-based access control
11
Q

Discretionary Access Control (DAC)

A

Access is granted only to those subjects the resource owner specifies (the owner controls the permissions)

12
Q

Mandatory Access Control (MAC)

A

Access decisions are made by a central authority based on security labels (e.g. clearance vs. classification); the resource owner cannot override them

13
Q

What type of access control is based on what a user does in an organization?

A

Role-based access control

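The three access control cards above define DAC, MAC and RBAC in one line each. The following is an added example, not from the slides, that implements a minimal version of each model side by side so the difference in who decides is visible in code: under DAC the owner edits the ACL, under MAC a fixed label lattice decides (the classic "no read up, no write down" rule), and under RBAC permissions attach to roles rather than users. The level names, role names and users are assumptions for illustration.

```python
from dataclasses import dataclass, field


# --- Discretionary Access Control: the object's owner decides who may access it ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions

    def grant(self, by, subject, perm):
        """Only the owner may change the ACL."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of this object")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject, perm):
        return subject == self.owner or perm in self.acl.get(subject, set())


# --- Mandatory Access Control: a central label policy; owners cannot override it ---
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_allows(subject_clearance, object_label, perm):
    """Bell-LaPadula style confidentiality rule: no read up, no write down."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if perm == "read":
        return s >= o          # may read at or below own clearance
    if perm == "write":
        return s <= o          # may write at or above own clearance (no leaking downward)
    raise ValueError(f"unknown permission {perm!r}")


# --- Role-Based Access Control: permissions attach to roles, users are given roles ---
class Rbac:
    def __init__(self):
        self.role_perms = {}   # role -> set of permissions
        self.user_roles = {}   # user -> set of roles

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user, perm):
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read:", doc.allows("bob", "read"), "bob write:", doc.allows("bob", "write"))
    print("MAC  SECRET reads CONFIDENTIAL:", mac_allows("SECRET", "CONFIDENTIAL", "read"),
          " CONFIDENTIAL reads SECRET:", mac_allows("CONFIDENTIAL", "SECRET", "read"))
    rbac = Rbac()
    rbac.add_role("payroll_clerk", ["view_salary"])
    rbac.assign("carol", "payroll_clerk")
    print("RBAC carol view_salary:", rbac.allows("carol", "view_salary"))
```

The practical consequence for insider-threat work: DAC lets a compromised or malicious owner share data at will, MAC removes that choice, and RBAC makes "what a user does in the organization" the unit of review, so a role with too many permissions is a single, auditable finding.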
14
Q

What is it called when a criminal encrypts data on a computer and demands money for access?

A

Ransomware

15
Q

What is one of the fastest growing malware threats?

A

Ransomware

16
Q

What are attacks delivered via WiFi, Ethernet, RF, Bluetooth?

A

Remote direct attacks

17
Q

What delivers attacks through a legitimate looking website, targets vulnerabilities in the browser and associated software and is an attack of opportunity?

A

Drive-by attack

18
Q

What is a focused drive-by attack called?

A

Watering hole

19
Q

What is malicious content embedded in a webpage?

A

IFrame Redirect

20
Q

What are web-based threats?

A
  • Drive-by attacks
  • Watering hole
  • IFrame redirect
  • Fake login pages
  • Browser plug-in and script based exploits
  • SQL injection
  • SEO poisoning
21
Q

What exploits web-based code that is executed locally to deliver enhanced content to users, mostly JavaScript and VBScript?

A

Browser plug-in and script based exploits

22
Q

What is it called when attackers manipulate Search Engine Optimization to push their malicious sites high in search engine results, often using a legitimate website the actor controls, and which is very effective against enterprise networks/users?

A

SEO poisoning

23
Q

What is the act of entering false information into a DNS cache in order to redirect to a malicious website?

A

DNS cache poisoning

24
Q

What is it called when an attacker uses legitimate credentials to move within the network without needing plaintext passwords, authenticating over Windows Server Message Block (SMB) with the NTLM password hash?

A

Pass-the-hash

25
What can be a legitimate, existing remote access tool (e.g. Sysinternals PsExec or PowerShell) or an illegitimate one, where abuse of the legitimate tool often goes undetected?
Remote access tools/remote access trojan (RAT)
26
What is it called when attackers exploit a recently patched vulnerability (a former zero-day) on systems that have not yet been remediated?
N-day exploit
27
China
  • Noisiest threat actor
  • Rapid economic expansion
  • Ineffective mitigation strategies for target countries
  • Large population / large attack volume
  • TTP: "smash and grab"
  • Attacks lack sophistication and creativity
28
North Korea
  • Perceives cyber attacks as a means to "level the playing field"
  • Commonly uses spear-phishing, watering holes, intelligence gathering, ransomware
29
Russia
  • Home to many advanced cyber attack security researchers
  • TTPs include weaponized email attachments, varied attack patterns, exploits, data exfiltration methods, extremely effective detection evasion, and use of human intelligence
  • Low and slow, in it for the long run
30
Syria
  • Loyal to Syrian President Bashar al-Assad
  • Attacks governments, online services, and media perceived as hostile to the Syrian government
31
What is a group with the ability to be a threat and persist for a long period of time, highly skilled and organized, and many are sponsored?
Advanced Persistent Threats
32
APT29
  • Adaptive and disciplined threat group
  • Hides activity on the victim's network, communicating infrequently and in a way that closely resembles legitimate traffic
  • Monitors network defender activity to maintain control over systems
  • Uses only compromised servers for C2 communication
  • Counters attempts to remediate attacks
  • Maintains a fast malware development cycle, quickly altering tools to hinder detection
  • Associated malware: Hammertoss, Uploader, tDiscoverer
  • Targets: Western European governments, foreign policy groups, other organizations with information valuable to Russia
33
APT28
  • Also known as Tsar Team (FireEye)
  • Skilled team of developers and operators collecting intelligence on defense and geopolitical issues
  • Likely receives ongoing financial support from the Russian government
  • Associated malware: Chopstick, Sourface
  • Goal: gain insider information related to governments, militaries and security organizations
  • Targets: Georgia and eastern European countries and militaries, North Atlantic Treaty Organization (NATO)
34
Hacker
  • Deeper knowledge and understanding of computer technology
  • Concerned with subtle details of operating systems, algorithms, and configuration files
  • Elite few of well trained and highly ambitious people
35
Patriot Hackers
  • Main motive is to aid or support one's own nation-state in an ongoing real-world conflict or war
  • Chinese hackers have traditionally been especially inclined toward patriotic hacking
36
Malware Authors
  • Form of specialized black-hat hacker
  • Develop original software for antagonistic or criminal purposes
  • Usually highly skilled in computer programming and detection evasion
  • Malware "creation kits" are used as a framework that allows custom malware creation
37
Cyber Militias
  • Group of volunteers using cyberattacks to achieve a political goal
  • Utilize a common communications channel (e.g. internet forum, social media service)
  • Do not get any monetary reward for their services
  • Members use cyberspace resources, in legal or illegal ways, as a means of general protest or to promote an expressed ideology or political agenda
38
Cyber Hacktivists
  • Cyber militias that can, in some sense, be seen as the cyberspace equivalent of Greenpeace activists or other groups carrying out acts of civil disobedience
  • The "Anonymous" collective is often seen as the archetype of a hacktivist actor
  • Methods often used by hacktivists include web site defacements, internet resource redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins and various forms of cyber-sabotage
39
Criminal Syndicates
  • Eastern Europe and West Africa are the most active cybercrime hubs
  • Also other areas where unemployment rates are high and salaries are low
  • Usually motivated by money and power
  • Previously lawful citizens with technical skills turn to cybercrime as a means to escape poverty
  • Potential payout is huge on a global scale (estimated $114 billion)
40
What can be manipulated to route traffic from one country to another?
Border Gateway Protocol
41
Supply Chain Threat
  • Because firmware is loaded and executed before the operating system and most security applications, malicious firmware is not detected by conventional cyber defense mechanisms
  • Malicious code in firmware persists through system updates, reinstalls and reboots
42
Who has six HPC systems?
Russia
43
Who is aggressively pursuing implementations for secure quantum communications protocols?
Chinese
44
What needs to be included in cyber intelligence reports?
  • Adversary indicators of compromise (IOCs)
  • Tactics, techniques and procedures (TTPs)
  • Recommended actions / counter attacks
45
What is generated bi-weekly by the 616th Operations Center?
Cyber Threat Bulletin
46
Report which uses insights, statistics, and case studies to show how tools and tactics of APT actors evolved since 2014 and includes global and regional threat intelligence on industry trends as well as detailed malware analyses?
Mandiant's Annual Cyber Threat Report
47
Worldwide team of security engineers, threat analysts, and researchers who develop a variety of content on the latest threats that impact organizations and end users?
  • Symantec's Annual Threat Report
  • Symantec's Monthly Threat Report
  • White papers covering an array of security topics
48
What government agencies make cyber reports?
  • Department of Homeland Security (DHS)
  • United States Computer Emergency Readiness Team (US-CERT)
  • Department of Defense (DoD)
  • Federal Bureau of Investigation (FBI)
49
What government agencies provide reports to the public?
  • DHS publications
  • FBI Internet Crime Complaint Center (IC3) reports
  • DHS and FBI Joint Analysis Report (JAR-16-20296A)
50
What is provided by both the DHS and FBI, provides technical details regarding tools and infrastructure used by Russian civilian and military intelligence services (RIS) to exploit networks and endpoints associated with the US election and a range of US government, political, and private sector entities, referred to as Grizzly Steppe?
JAR-16-20296A
51
Activities performed consistently on a day-to-day basis to support multiple ongoing operations?
Standard operations
52
Activities performed in support of an operation guided by a tasking?
Target Operations
53
What are the five phases used by adversaries?
  • Phase 0: Administer – intent and resource development
  • Phase 1: Prepare – reconnaissance and staging
  • Phase 2: Engage – delivery and exploitation (including C2)
  • Phase 3: Propagate – internal reconnaissance, lateral movement, and network persistence
  • Phase 4: Effect – exfiltration and attack
54
What are the two phases of Phase 0: Administer?
- Resource Development - Tasking
55
What is it when adversaries conduct research on target networks and/or entities of interest and set up infrastructure and capabilities used during operations?
Phase 1: Prepare
56
What consists of adversary actions against a target to gain initial access?
Phase 2: Engage
57
What is guaranteeing ongoing & robust access to victim and propagating & achieving maintained presence on target/network?
Phase 3: Propagate
58
What is the manipulation, disruption, denial, degradation, or destruction of computer or communication systems called?
Phase 4: Effect
59
What are the three primary missions in Defensive Cyberspace Operations (DCO)?
  1. Defend networks, systems and information
  2. Prepare to defend the United States and its interests against cyberattacks of significant consequence
  3. Provide integrated cyber capabilities to support military operations and contingency plans
60
What mission conducts ongoing network defense operations to securely operate the DoDIN, has quick response capabilities, and covers the majority of DoD's ops in cyberspace?
Defend networks, systems and information
61
What mission covers direction by POTUS/SECDEF to counter imminent/on-going attacks against US homeland or US interests?
Prepare to defend the United States and its interests against cyberattacks of significant consequence
62
What mission is to ensure that the internet remains open, secure, and prosperous and conducting cyber operations to deter or defeat strategic threats in other domains?
Provide integrated cyber capabilities to support military operations and contingency plans
63
What are the strategic goals for defensive cyberspace operations?
  1. Build and maintain ready forces and capabilities to conduct cyber ops
  2. Defend the DoDIN, secure DoD data and mitigate risks to DoD missions
  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive/destructive cyber attacks of significant consequence
  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages
  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability
64
Parts of 1. Build and maintain ready forces and capabilities to conduct cyber ops?
  a. Build the cyber workforce
  b. Build technical capabilities for cyber operations
  c. Validate and continually refine an adaptive C2 mechanism for cyber operations
  d. Establish an enterprise-wide cyber modeling and simulation capability
  e. Assess Cyber Mission Force capability
65
Parts of 2. Defend the DoDIN, secure DoD data & mitigate risks to DoD missions?
  a. Build the Joint Information Environment (JIE) single security architecture
  b. Assess and ensure the effectiveness of the JFHQ for DoD
  c. Mitigate known vulnerabilities
  d. Assess DoD's cyber defense forces
  e. Improve the effectiveness of the current DoD Computer Network Defense Service
  f. Plan for network defense and resilience
  g. Red team DoD's network defenses
66
Parts of 3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive/destructive cyber attacks of significant consequence?
  a. Continue to develop intelligence and warning capabilities to anticipate threats
  b. Develop and exercise capabilities to defend the nation
  c. Develop innovative approaches to defending U.S. critical infrastructure
  d. Develop automated information sharing tools
  e. Assess DoD's cyber deterrence posture and strategy
67
Parts of 5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability?
  a. Build partner capacity in key regions
  b. Develop solutions to counter the proliferation of destructive malware
  c. Work with capable international partners to plan and train for cyber operations
  d. Strengthen the U.S. cyber dialogue with China to enhance strategic stability
68
What are the two types of encryption?
Symmetric and asymmetric
69
What requires both sender and receiver to know and use the same key so they can encrypt/decrypt data?
Symmetric encryption
70
What are the types of symmetric algorithms?
Stream Ciphers and Block Ciphers
71
What are some of the features of stream ciphers?
  • Encrypts data one bit or byte at a time, typically by XORing it with a keystream derived from the key
  • Faster and smaller to implement than block ciphers
  • Most common example given: Rivest Cipher 4 (RC4), now deprecated because of keystream biases; ChaCha20 is the current choice
  • Caveat: a stream cipher on its own is malleable (flipping a ciphertext bit flips the same plaintext bit), so it must be paired with a MAC
72
What are some of the features of block ciphers?
  • Encrypts information by breaking it into fixed-size blocks and encrypting each block under a mode of operation (e.g. CBC, CTR, GCM)
  • Block size is 64 bits for DES/3DES and 128 bits for AES
  • Most common: Triple Data Encryption Standard (3DES), now deprecated, and Advanced Encryption Standard (AES), the current standard
73
What are some popular hash functions?
  • Message Digest 5 (MD5): practical collisions exist, so it is unsuitable for signatures or tamper detection
  • Secure Hash Algorithm family (SHA): SHA-1 is also collision-broken; SHA-2 (e.g. SHA-256) and SHA-3 are the current choices
74
What are some applications of hash functions?
  • Password storage protection (hash with a per-user salt and a slow function such as PBKDF2, bcrypt, scrypt or Argon2, never a bare MD5/SHA)
  • Data integrity checks
  • Data file checksums (provide assurance of the data's integrity against accidental change; against a deliberate attacker a keyed MAC or a digital signature is needed, since anyone can recompute a plain hash)
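The two hash cards above list the applications but not what separates a safe use from an unsafe one. The following added example (not part of the slides, standard library only) shows both: a SHA-256 file checksum that catches a one-byte change, and password storage done the weak way (unsalted MD5, so identical passwords collide and brute force is cheap) beside the better way (random per-user salt plus PBKDF2-HMAC-SHA256 with a high iteration count, verified in constant time). The password and data values are constructed.

```python
import hashlib
import hmac
import os


def file_checksum(data: bytes, algo: str = "sha256") -> str:
    """Hex digest used as a file checksum (integrity against accidental corruption)."""
    return hashlib.new(algo, data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    return hmac.compare_digest(file_checksum(data, algo), expected_hex)


def weak_store(password: str) -> str:
    """Unsalted fast hash: same password -> same hash, and GPUs test billions per second."""
    return hashlib.md5(password.encode()).hexdigest()


ITERATIONS = 600_000   # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256


def strong_store(password: str, salt: bytes = None) -> str:
    """Per-user random salt + slow KDF; the stored string carries its own parameters."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    blob = b"constructed file contents"
    digest = file_checksum(blob)
    print("checksum ok:", verify_checksum(blob, digest),
          "after 1-byte change:", verify_checksum(blob[:-1] + b"!", digest))
    print("weak hashes equal:", weak_store("hunter2") == weak_store("hunter2"))
    s1, s2 = strong_store("hunter2"), strong_store("hunter2")
    print("strong hashes equal:", s1 == s2, "verify:", strong_verify("hunter2", s1))
```

Because the iteration count is stored with the hash, it can be raised later and old records re-hashed at next login, which is how a deployment keeps pace with faster hardware.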
75
What are the goals of cryptography?
Confidentiality, integrity and availability (CIA) plus non-repudiation
76
What are computing environments under the control of a single authority and have personnel and physical security measures?
Secure enclaves
77
What is used within an organization performing a single function with multiple managed elements operating under the same security policy with the primary roles of providing services to internal users and providing very limited or no publicly accessible resources or services?
General Business LAN enclave
78
What is a single site location performing management of multiple network enclave elements that may be based outside of General Business LAN enclave boundaries?
Network Operations Center
79
What are the purposes of the many NOC enclaves within the DoD?
- Manage and monitor different networks - Provide geographic redundancy in case one site is unavailable or offline
80
CPCON 5
  • DoD risk level: Very Low
  • Priority focus: all functions
  • Routine network ops (DoDIN Ops)
  • Normal readiness
  • Admins create a snapshot of systems/network (known good "baseline")
  • No impact to end-users
81
CPCON 4
  • DoD risk level: Low
  • Priority focus: all functions
  • Increases DoDIN in preparation for exercises
  • User profiles reviewed for dormant accounts
  • Increased frequency of validation process, e.g. checking system/information/network/configs against the known good baseline
  • Confirm state of network as good (unaltered) or bad (compromised)
  • Limited impact to users
82
CPCON 3
  • DoD risk level: Medium
  • Priority focus: critical, essential, and support functions
  • Further increase in frequency of validation processes
  • Minor impact to end-users
83
CPCON 2
  • DoD risk level: High
  • Priority focus: critical and essential functions
  • Higher frequency of validation processes
  • Preplanning of personnel training and pre-positioning of system rebuilding utilities; use of "hot spare" equipment reduces rebuild time
  • Significant impact to users for short periods
84
CPCON 1
  • DoD risk level: Very High
  • Priority focus: critical functions
  • Highest readiness condition
  • Significant impact to end-users for short periods
85
Mission Assurance Category (MAC) III
  • Requires best practice protective measures
  • Requires basic integrity and basic availability of information systems
  • Information systems handle information necessary for day-to-day business
  • Information systems do not provide short-term support to deployed/contingency forces
86
Mission Assurance Category (MAC) II
  • Requires additional safeguards beyond best practices to ensure adequate assurance
  • Requires high integrity and medium availability of information systems
  • Information systems handle information important to the support of deployed and contingency forces
87
Mission Assurance Category (MAC) I
  • Most stringent protection measures
  • Requires high integrity and high availability
  • Information systems handle information vital to operational readiness, mission effectiveness, and support of deployed and contingency forces
88
What is one of the most complex areas of designing, implementing and managing a network?
Connecting to external networks
89
What are the requirements for enclave external connections?
  • Every site must have a security policy that addresses filtering of traffic to and from those connections
  • SIPRNet connections must comply with the documentation required by the SIPRNet Connection Approval Office (SCAO)
  • Prior to connecting with another activity, establish a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) between the two sites
90
What provides non-product specific requirements to mitigate sources of security vulnerabilities consistently and commonly encountered across IT systems and applications?
DISA's Security Requirements Guides (SRGs)
91
What is published by DISA and provides product-specific information for validating, attaining, and continuously maintaining compliance with requirements defined in the SRG for that product's technology area, meeting minimum requirements and additional documents?
STIGs
92
What evaluates an organization's compliance with DoD security orders and directives by assessing network vulnerabilities, physical and traditional security, and user education and awareness?
Command Cyber Operational Readiness Inspections (CCORI)
93
What seeks to provide a more threat focused, mission-based assessment?
CCORI
94
A CCORI analyzes what levels of effort to review operational risk?
- Mission - Threat - Vulnerabilities
95
CCORI mission analysis follows which phases of the operations order?
- Site selection - Scoping/pre-inspection - Inspection - Post-inspection
96
What is required by all enclaves connecting to the DISN and initiated in parallel with request fulfillment process for new/additional connections?
Assessment and Authorization (A&A) process
97
What are the components of a vulnerability assessment?
- Scanning engine - Vulnerability database
98
What vulnerabilities are included in a vulnerability assessment?
- Outdated components - Misconfiguration issues
99
A vulnerability scan may be required to ensure compliance with what standards?
  • PCI DSS (Payment Card Industry Data Security Standard)
  • FISMA (Federal Information Security Management Act)
  • HIPAA (Health Insurance Portability and Accountability Act)
100
What is used to protect networks and computing devices, can be a hardware device or software, can control inbound & outbound internet traffic, and supports Network Address Translation (NAT)?
Firewalls
101
What are the two rules that define general firewall security stances?
Default deny and default allow
102
What are the main elements or components of firewall rules?
  1. Base protocol
  2. Source address
  3. Source port
  4. Target address
  5. Target port
  6. Action
103
What are the basic rule guidelines for firewalls?
  • Keep the rule set as simple as possible
  • Document every rule
  • Use a change control mechanism to track rule modifications
  • Always confirm the default deny before using changed/updated rule sets
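The three firewall cards above give the two stances, the six rule elements and the handling guidelines. The following added example (not from the slides) ties them together: a first-match rule evaluator over exactly those six elements with a configurable default stance, a constructed three-rule set in which every rule carries a comment, and a check that reports rules no test packet ever reaches, which is how a mis-ordered broad "allow" that shadows a specific "deny" shows up in review. All addresses (TEST-NET ranges), rules and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR such as "10.0.0.0/8", or "any"
    sport: str            # "80", a range "1024-65535", or "any"
    dst: str
    dport: str
    action: str           # "allow" or "deny"
    comment: str = ""     # guideline: document every rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _match_addr(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _match_port(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """First matching rule wins; returns (action, rule_index). No match -> (default, None)."""
    for i, r in enumerate(rules):
        if ((r.proto == "any" or r.proto == pkt.proto)
                and _match_addr(r.src, pkt.src) and _match_port(r.sport, pkt.sport)
                and _match_addr(r.dst, pkt.dst) and _match_port(r.dport, pkt.dport)):
            return r.action, i
    return default, None


def shadowed_rules(rules, probes):
    """Indices of rules that never fire for any probe packet: unreachable or mis-ordered."""
    hit = {evaluate(rules, p)[1] for p in probes}
    return [i for i in range(len(rules)) if i not in hit]


# Constructed rule set; the default stance (deny) handles everything not listed.
RULES = [
    Rule("tcp", "any", "any", "203.0.113.10/32", "443", "allow", "public HTTPS to web server"),
    Rule("tcp", "10.0.0.0/8", "any", "203.0.113.20/32", "22", "allow", "SSH from corp LAN to bastion"),
    Rule("tcp", "any", "any", "203.0.113.20/32", "22", "deny", "explicit: no SSH from elsewhere"),
]

PROBES = [
    Packet("tcp", "198.51.100.7", 50000, "203.0.113.10", 443),   # internet -> HTTPS
    Packet("tcp", "10.1.2.3", 50000, "203.0.113.20", 22),        # corp LAN -> SSH
    Packet("tcp", "198.51.100.7", 50000, "203.0.113.20", 22),    # internet -> SSH
    Packet("udp", "198.51.100.7", 50000, "203.0.113.10", 53),    # nothing matches
]

if __name__ == "__main__":
    for p in PROBES:
        print(p.proto, p.src, "->", p.dst, p.dport, evaluate(RULES, p))
    # A broad allow placed first shadows every rule below it: the review check catches it.
    bad = [Rule("tcp", "any", "any", "any", "any", "allow", "too broad")] + RULES
    print("shadowed in bad rule set:", shadowed_rules(bad, PROBES))
```

The last guideline on the card ("confirm the default deny") is what the fourth probe exercises: it matches nothing, so the outcome depends entirely on the stance passed to `evaluate`, and a rule set that looks correct under default deny may be wide open under default allow.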
104
What are the functions NIDS operate in?
  • Signature detection: passively examines network traffic for patterns of known attacks
  • Anomaly detection: flags traffic that deviates from a learned baseline or from protocol standards
  • Hybrid: combines both
105
What is designed to go one step further and actually try to prevent the attack from succeeding, typically achieved by inserting the NIPS device inline with the traffic?
Network-based IPS (NIPS)
106
What takes advantage of being installed on the system it protects, monitoring and analyzing what other processes on the system are doing at a very detailed level, and can inspect traffic that arrived encrypted because it sees the data after the host has decrypted it?
Host-based IPS (HIPS)
107
What are focused on gaining intelligence information about attackers and their technologies and methods?
Research honeypots
108
What are aimed at decreasing the risk to company IT resources and providing advanced warning about the incoming attacks on the network infrastructure?
Production honeypots
109
What is the best tool for examining hacker activity?
Honeypots
110
What are the honeypot components?
  • Network device hardware
  • Monitoring/logging tools
  • Management workstation
  • Alerting mechanism
  • Keystroke logger
  • Packet analyzer
  • Forensic tools
111
What are the steps in the cyber incident handling process and life cycle?
  • Detection of events
  • Preliminary analysis and identification
  • Preliminary response action
  • Incident analysis
  • Response and recovery
  • Post-incident response
112
What lists known cyber vulnerabilities?
The National Vulnerability Database (NVD)
113
What are the steps of the preliminary response action phase?
  1. Preventing a reportable cyber event or incident from causing further damage
  2. Maintaining control of the affected IS(s) and the surrounding environment
  3. Ensuring forensically sound acquisition of the necessary data
  4. Maintaining and updating the incident report and actively communicating updates through the appropriate technical and operational command channels
114
What are the steps of the response and recovery phase?
  1. Mitigating the risk or threat
  2. Restoring the integrity of the IS and returning it to an operational state
  3. Implementing proactive and reactive defensive and protective measures to prevent similar incidents from occurring in the future
115
What are the parts of the post-incident response phase?
  • Lessons learned
  • Initial root cause
  • Problems with executing the mission
  • Missing policies and procedures
  • Inadequate infrastructure defenses
  • After Action Report
116
CAT 0
Training and exercise
117
CAT 1
Root level intrusion (incident)
118
CAT 2
User level intrusion (incident)
119
CAT 3
Unsuccessful activity attempt (event)
120
CAT 4
Denial of service (incident)
121
CAT 5
Non-compliance activity (event)
122
CAT 6
Reconnaissance (event)
123
CAT 7
Malicious logic (incident)
124
CAT 8
Investigating (event)
125
CAT 9
Explained anomaly (event)
126
What are the phases of the forensics process?
- Collection - Examination - Analysis - Reporting
127
What provides organizations a starting point for developing a forensic capability, in conjunction with extensive guidance provided by legal advisors, law enforcement officials, and management?
NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response)
128
What is the gathering and reviewing of all information from or about the affected IS(s) to further incident analysis and understand the full scope of the incident?
System analysis
129
What is a suite of computer forensics software, commonly used by law enforcement, is the de-facto standard in forensics, and is made to collect data from a computer in a forensically sound manner?
EnCase
130
What is an easy-to-use file viewer that recognizes nearly 300 types of files and works with media images created by several imaging utilities?
Forensic Toolkit (FTK)
131
What is a popular, free, open source forensic software suite for Linux, a collection of command-line tools that provides media management and forensic analysis functionality, and supports Mac (Apple) partitions and analyzes files from Mac systems?
The Sleuth Kit (TSK)
132
What is a Linux forensic tool used by law enforcement, government agencies, military, intelligence and private investigators?
SMART
133
What is the process of analyzing and capturing the capabilities of software artifacts suspected of being malicious code?
Malware analysis
134
What are individuals analyzing or otherwise handling malware expected to do?
- Handle with care - Catalog all software artifacts - Perform analysis in an isolated environment
135
What involves quick checks to characterize the sample within the context of the analysis missions with techniques including file type identification, string extraction, public source analysis, and comparative analysis with previously analyzed artifacts?
Malware analysis (surface analysis)
136
What is some potential information gained from malware analysis (surface analysis)?
  • Identification of strings in binary files
  • Hashes
  • Antivirus software detection status
  • File sizes
  • File type identification
  • File attribute information
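The two surface-analysis cards above list the techniques (file type identification, string extraction, hashes, sizes) without showing the checks. The following added example (not from the slides, standard library only) runs them over a constructed byte blob that mimics a small PE-style file: it identifies the type from magic bytes, extracts printable strings, hashes the sample, pulls URL and IPv4 indicators out of the strings, and computes byte entropy as the usual first hint that a sample is packed or encrypted and will need run-time or static analysis rather than strings alone. The sample bytes, the "update.php" URL and the TEST-NET address are constructed.

```python
import hashlib
import math
import re
from collections import Counter

# Magic-byte table for the common executable and container formats (constructed subset).
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"PK\x03\x04": "ZIP container (also docx/jar/apk)",
    b"%PDF": "PDF document",
}

IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def identify_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4):
    """Runs of printable ASCII of at least min_len bytes (what `strings` prints)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def hashes(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for random/packed data, low for plain code/text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_iocs(strings) -> dict:
    found = {kind: [] for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pat in IOC_PATTERNS.items():
            found[kind].extend(pat.findall(s))
    return found


def surface_report(data: bytes) -> dict:
    strings = extract_strings(data)
    ent = entropy(data)
    return {
        "type": identify_type(data),
        "size": len(data),
        "hashes": hashes(data),
        "entropy": round(ent, 2),
        "packed_hint": ent > 7.0,      # heuristic threshold; assumption for this example
        "strings": strings,
        "iocs": find_iocs(strings),
    }


# Constructed sample: DOS stub, a C2-looking URL and a command string, then padding.
SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://198.51.100.23/update.php\x00"
    + b"cmd.exe /c\x00"
    + b"\x00" * 200
)

if __name__ == "__main__":
    report = surface_report(SAMPLE)
    for key in ("type", "size", "entropy", "packed_hint", "iocs"):
        print(f"{key:12} {report[key]}")
    print("sha256      ", report["hashes"]["sha256"])
```

The hashes feed the "antivirus detection status" and "comparative analysis" items on the card (look the SHA-256 up against previously analyzed artifacts), and a high entropy with few strings is the signal to move on to run-time analysis or unpacking.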
137
What is controlled execution of the malware sample in an isolated environment instrumented to monitor, observe, and record run-time behavior?
Malware analysis (run-time)
138
What is some potential information to be gained from malware analysis (run-time)?
  • Network touch points (addresses, protocols, ports, etc.)
  • File system and registry activity
  • Vulnerabilities or weaknesses in particular run-time environments
  • System service daemon interactions
  • Success of remediation techniques in particular run-time environments
  • Suggestions of adversarial intent
139
What focuses on examining and interpreting the contents of a malware sample?
Malware analysis (static)
140
What is the first formal study in the requirements process?
Capabilities Based Assessment (CBA)
141
What does the CBA consist of?
- Defining the capabilities required - Gap analysis
142
If the CBA recommends a material solution, what is the next step in the requirements process?
Initial capabilities document (ICD)
143
What is an analytical comparison of the operational effectiveness, suitability, risk, and life cycle cost of alternatives that satisfy validated capability needs?
Analysis of Alternatives (AoA)
144
What describes the increment and provides an outline of the overall acquisition program strategy?
Capability Development Document (CDD)
145
What outlines an affordable increment(s) of militarily useful, logistically supportable, and technically mature capabilities that is ready for production?
Capability Production Document (CPD)
146
What is a dynamic, agile, risk-management-based problem-solving approach, balancing critical operational cyber mission needs against other organizational resource requirements and priorities?
Real-time Operations and Innovation (RTO&I)
147
What are the RTO&I project types?
- Type 1: Immediate needs - Type 2: Known short-term future needs
148
What identifies service specific needs during a current conflict or crisis situation that if not satisfied in an expedited manner, will result in unacceptable loss of life or critical mission failure, and has the goal of delivering fielded capabilities within 180 days of a validated request?
Urgent Operational Needs (UONs)
149
What is an urgent need identified by a warfighting commander that requires synchronization across multiple Service/agency providers to ensure complete and timely combat capability is provided to the Joint warfighter?
Joint Urgent Ops/Joint Emergent Op Needs (JUON/JEONs)
150
What has the purpose of ensuring DoD acquires systems that work and meet specified requirements and provides knowledge of system design, capabilities, and limitations to the acquisition community to improve a system?
Capabilities-based test & evaluation (T&E)
151
What are the types of T&E?
- Developmental testing - Operational testing - Cyber test
152
What are the steps in developmental testing?
  1. Identifies and helps resolve deficiencies and vulnerabilities as early as possible
  2. Verifies compliance with specifications, standards, and contracts
  3. Characterizes system performance and military utility
  4. Assesses quality and reliability of systems
  5. Determines fielded system performance against changing operational requirements and threats
153
Operational Testing
  • Determines the operational effectiveness and suitability of the systems under test
  • Determines whether operational capability requirements have been satisfied and assesses system impacts to both peacetime and combat operations
  • Identifies and helps resolve deficiencies as early as possible, identifies enhancements, and evaluates changes in system configurations that alter system performance
154
Cyber Testing
  • Evaluates and characterizes systems and sub-systems operating in the cyberspace domain, and the access pathways of such systems
  • Focuses on identifying system cyber vulnerabilities; scoped by assessing a system's cyber boundary and risk to mission assurance
  • Risk analysis should, at a minimum, consider the threat and threat severity, the likelihood of discovery, the likelihood of attack, and system impact
155
What is the only method of analysis that can produce a definitive or complete understanding of a malware sample?
Reverse engineering
156
What is potential information gained by reverse engineering?
  1. Manual unpacking of packed executable files
  2. Understanding of obfuscation or encryption techniques
  3. Definitive understanding of malware capabilities
  4. Characterization of malware sophistication
  5. Comparison of capabilities across malware samples
  6. Understanding of algorithms used