Utilizing Threat Data and Intelligence – Practice Questions

Blue Team

Question 1

An engineer implements the Johari window to classify threats into quadrants. Which quadrant represents risks identified, but discarded?

  1. Known unknowns
  2. Known knowns
  3. Unknown knowns
  4. Unknown unknowns

Solution

The “unknown knowns” quadrant represents risks that are documented or identified but then disregarded or perhaps minimized in importance.

Known knowns categorize threats that have been seen before and have a documented solution and resolution type, such as malware with a known signature that off-the-shelf tools already detect.

Known unknowns describe malware that has a known signature but is not detected by off-the-shelf tools, because its authors use obfuscation techniques to circumvent signature matching.

The domain and area of completely new attack vectors and exploits describes unknown unknowns.


Question 2


A security engineer writes a report on recent threat activities. A threat included on the report is under investigation for being intentional or unintentional. The report includes which threat type?

  1. Insider
  2. Hacktivist
  3. Organized crime
  4. Outsider

Solution

An insider threat arises from an actor who has been identified by the organization and granted some sort of access. Unlike other attacks, which are likely targeted and intentional, an insider attack may be accidental.

A hacktivist group, such as Anonymous or WikiLeaks, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public.

An organized crime gang can operate across the Internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit.

An outsider threat is classified as a threat that gains access to protected information from outside an organization.


Question 3

Capability refers to a threat actor’s ability to craft novel exploit techniques and tools. Which capability can exploit supply chains to introduce vulnerabilities in proprietary and open-source products?

  1. Acquired
  2. Developed
  3. Integrated
  4. Advanced

Solution

MITRE defines varying levels of adversary capability. Advanced capabilities can exploit supply chains to introduce vulnerabilities in proprietary and open-source products and plan campaigns that exploit suppliers and service providers.

An acquired capability uses commodity malware and techniques only. An augmented capability goes one step further and can modify existing tools.

Developed capabilities can identify and exploit zero-day vulnerabilities and can deploy significant human and financial resources to attack planning and execution.

Integrated capabilities can use a variety of non-cyber tools, such as political or military assets.


Question 4

What type of threat is exhibited by an actor that is known to work within the organization and have access to internal systems?

  1. Hacktivist
  2. Persistent
  3. Insider
  4. Outsider

Solution

An insider threat arises from an actor who has been identified by the organization and granted some sort of access. Unlike other attacks, which are likely intentional and targeted, an insider attack may be accidental.

A hacktivist group, such as Anonymous or WikiLeaks, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public.

IT professionals coined the term advanced persistent threat (APT) to describe the behavior of modern cyber adversaries. Rather than thinking in terms of a system infected with a virus or rootkit, an APT refers to the ongoing ability of an adversary to obtain and maintain access to a target network using a variety of tools and techniques.

An outsider threat is a threat that gains access to protected information from outside an organization.


Question 5

The Lockheed Martin kill chain identifies phases of an attack on systems. Evaluate the given descriptions and determine which one relates to Exploitation.

  1. Weaponized code executed on a target system.
  2. Weaponized code achieves persistence on a target system.
  3. Weaponized code establishes an outbound channel for remote access.
  4. Weaponized code transmitted to the target environment.

Solution

Exploitation is the mechanism by which the attacker executes weaponized code on the target system. For example, a phishing email may trick the user into running the code.

Installation is the mechanism by which the weaponized code runs a remote access tool and achieves persistence on the target system.

With command and control (C2 or C&C), the weaponized code establishes an outbound channel to a remote server that can then control the remote access tool.

With delivery, the attacker identifies a vector by which to transmit the weaponized code to the target environment, such as via an email attachment, or on a USB drive.


Question 6

An organization hires a new junior systems engineer. As a newly purchased laptop has not yet arrived for the new employee to use, management suggests connecting to the network with a personal laptop. Which threat type does this action present?

  1. Organized
  2. Unintentional
  3. Deterrent
  4. Intentional

Solution

An unintentional threat is accidental and non-malicious in nature. The junior systems engineer presents an unintentional threat to the company’s internal network by connecting a personal device. While specifics on the device are unknown, the use of personal devices on such a private network can present a risk.

Organized refers to a cybercrime adversary, such as organized crime. Organized crime attacks usually seek financial gain.

A deterrent is a security control type that may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties.

Intentional is a generalized term. With security in mind, an intentional attack is malicious in nature.


Question 7

Under which threat class category do completely new attack vectors and exploits belong?

  1. Unknown knowns
  2. Known knowns
  3. Known unknowns
  4. Unknown unknowns

Solution

Unknown unknowns is described as the domain and area of completely new attack vectors and exploits.

Unknown knowns are a classification that represents risks that are documented or identified but are then disregarded or perhaps minimized in importance.

Known knowns categorize threats that have been seen before and have a documented solution and resolution type, such as malware with a known signature that off-the-shelf tools already detect.

Known unknowns describe malware that has a known signature but is not detected by off-the-shelf tools, because its authors use obfuscation techniques to circumvent signature matching.


Question 8

When considering a threat’s motivation, questioning what an attacker stands to gain is helpful in determining which factor?

  1. Effectiveness
  2. Likelihood
  3. Capability
  4. Impact

Solution

Discovering the threat’s motivation is a means of determining likelihood. Organizations should consider what an attacker stands to gain from conducting an attack.

Effectiveness may apply to the strength of a security control or of an incident response procedure.

Capability may refer to the strength of a malicious technique or actor, or to the capability vertex of the Diamond Model, which describes the tools and techniques an adversary uses against a victim in an intrusion event.

Impact may apply to the payload impact of a malicious attack, or the exposure of a company’s private data to the public.


Question 9

An attacker uses open-source intelligence to gather information on an organization. What feature does the attacker use to review Microsoft Office documents when planning an attack?

  1. Social media
  2. Publicly available information
  3. Metadata
  4. HTML code

Solution

Microsoft Office documents posted on the Internet may not directly divulge sensitive information about an organization, but an attacker could glean useful information from its metadata.

Attackers can use social media sites, like Facebook and LinkedIn, to mine for an organization’s information.

An attacker can harvest information from public repositories and web searches. Available information includes the IP addresses of an organization’s DNS servers, the range of addresses assigned to the organization, and the names, email addresses, and phone numbers of contacts within the organization.

The HTML code of an organization’s web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators.
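To show what the metadata answer above actually looks like in practice, here is an added example (not code from the original page): Office 2007+ documents are ZIP containers, and the author, last editor, company name, template path and timestamps live in docProps/core.xml and docProps/app.xml. The sample document, its field values and the file server name are constructed for illustration.

```python
"""Extract attacker-relevant metadata from an OOXML (.docx/.xlsx/.pptx) blob.

Added example; the sample document below is built in memory with assumed
values so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields an OSINT collector cares about: usernames, naming conventions,
# software versions and internal paths.
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}
APP_FIELDS = {
    "application": "ep:Application",
    "app_version": "ep:AppVersion",
    "company": "ep:Company",
    "template": "ep:Template",
}

# Constructed UNC template path: leaks an internal file server name.
SAMPLE_TEMPLATE = r"\\fileserver01\templates\invoice.dotx"


def extract_office_metadata(doc_bytes: bytes) -> dict:
    """Return a flat dict of the metadata fields present in the document."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = set(zf.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue  # some generators omit app.xml; core.xml is near-universal
            root = ET.fromstring(zf.read(part))
            for key, path in fields.items():
                node = root.find(path, NS)
                if node is not None and node.text:
                    found[key] = node.text.strip()
    return found


def build_sample_docx(include_app: bool = True) -> bytes:
    """Construct a minimal .docx in memory with fictional metadata."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe (Finance)</cp:lastModifiedBy>
  <dcterms:created>2023-03-01T09:15:00Z</dcterms:created>
  <dcterms:modified>2023-03-02T17:40:00Z</dcterms:modified>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Manufacturing Ltd</Company>
  <Template>{SAMPLE_TEMPLATE}</Template>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        zf.writestr("docProps/core.xml", core)
        if include_app:
            zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_office_metadata(build_sample_docx()).items():
        print(f"{key:18} {value}")
```

Run against a real file by passing `open(path, "rb").read()` to `extract_office_metadata`. The defensive counterpart is to strip these parts (Office's Document Inspector, or rewriting core.xml/app.xml) before publishing documents, and to check that templates do not reference internal UNC paths.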


Question 10

A systems engineer suspects a new type of malware has impacted the company network. Which threat hunting approach does the engineer utilize in an attempt to find the origin of the malware? Select all that apply.

  1. Analyze the executable process list
  2. Analyze other infected hosts
  3. Analyze network traffic
  4. Identify the method of execution

Solution

Analyzing network traffic is helpful in discovering outgoing traffic to domains identified as suspect from threat research reputational databases.

Identifying the method by which the malicious process first executed is helpful in determining the source of the infection (such as a link in an email message). This is also helpful in blocking the attack vector against future compromise.

Analyzing the executable process list on a suspect host is helpful when looking for a program or service that is out of the norm.

Analyzing other infected hosts is helpful in discovering similarities between the malicious processes that administrators can use to automate detection and prevention.
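The three analysis steps above (network traffic against a reputation list, process list against a baseline, and pivoting across infected hosts) can be tied together in a short triage script. The following is an added example, not code from the original page; the proxy log, process inventories, golden-image baseline and reputation feed are all constructed for illustration, and the process name svch0st.exe (with a zero) is a made-up masquerade of the legitimate svchost.exe. Identifying the method of first execution needs host forensics (email, browser history, persistence entries) and is not shown.

```python
"""Hunting helpers: flag outbound traffic to domains on a reputation feed,
list processes outside a host baseline, and pivot across hosts to find the
indicator they share. Added example with constructed data.
"""
import re
from collections import defaultdict

# Constructed proxy log: "<timestamp> <host> <process> <destination>"
PROXY_LOG = """\
2024-05-01T08:01:10Z WS-AP01 outlook.exe outlook.office365.com
2024-05-01T08:02:42Z WS-AP01 svch0st.exe update-cdn.example-bad.net
2024-05-01T08:03:05Z WS-AP02 chrome.exe www.example.com
2024-05-01T08:05:17Z WS-AP02 svch0st.exe update-cdn.example-bad.net
2024-05-01T08:07:30Z WS-HR03 teams.exe teams.microsoft.com
2024-05-01T08:09:01Z WS-HR03 svch0st.exe cdn.example-bad.net
garbage line that should be ignored
"""

# Constructed reputation feed: registrable domains reported as malicious.
SUSPECT_DOMAINS = {"example-bad.net"}

# Constructed per-host process inventory: name -> (truncated) SHA-256.
PROCESS_LISTS = {
    "WS-AP01": {"svchost.exe": "aa11", "outlook.exe": "bb22", "svch0st.exe": "deadbeef"},
    "WS-AP02": {"svchost.exe": "aa11", "chrome.exe": "cc33", "svch0st.exe": "deadbeef"},
    "WS-HR03": {"svchost.exe": "aa11", "teams.exe": "dd44", "svch0st.exe": "deadbeef"},
}
# Constructed golden-image baseline of expected process names.
BASELINE = {"svchost.exe", "outlook.exe", "chrome.exe", "teams.exe", "explorer.exe"}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dest>\S+)$")


def registrable_domain(hostname):
    """Reduce a hostname to its last two labels. Good enough for this demo;
    production code should use the public suffix list (think co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_suspect_connections(log_text, suspect_domains):
    """Step 1: outbound connections whose destination is on the reputation feed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the hunt
        if registrable_domain(m["dest"]) in suspect_domains:
            hits.append((m["host"], m["proc"], m["dest"]))
    return hits


def unbaselined_processes(process_lists, baseline):
    """Step 2: per host, process names that are not on the baseline."""
    return {host: sorted(set(procs) - baseline)
            for host, procs in process_lists.items()
            if set(procs) - baseline}


def shared_indicators(process_lists, names):
    """Step 3: pivot across hosts. A (name, hash) pair seen on more than one
    host becomes an indicator that can drive automated detection and blocking."""
    hosts_by_ioc = defaultdict(set)
    for host, procs in process_lists.items():
        for name, digest in procs.items():
            if name in names:
                hosts_by_ioc[(name, digest)].add(host)
    return {ioc: sorted(hosts) for ioc, hosts in hosts_by_ioc.items() if len(hosts) > 1}


def hunt(log_text=PROXY_LOG, suspect_domains=SUSPECT_DOMAINS,
         process_lists=PROCESS_LISTS, baseline=BASELINE):
    """Run the three steps and pivot only on processes that are both
    off-baseline and talking to suspect domains."""
    connections = flag_suspect_connections(log_text, suspect_domains)
    odd_procs = unbaselined_processes(process_lists, baseline)
    talking = {proc for _, proc, _ in connections}
    odd = {p for procs in odd_procs.values() for p in procs}
    return {
        "suspect_connections": connections,
        "unbaselined_processes": odd_procs,
        "shared_indicators": shared_indicators(process_lists, talking & odd),
    }


if __name__ == "__main__":
    result = hunt()
    for section, value in result.items():
        print(section, value)
```

The output of `hunt()` gives an analyst one hash and one process name to block at the EDR and one domain to sinkhole, which is exactly the "similarities between hosts" the answer refers to. Real hunts substitute EDR telemetry and a proxy or DNS export for the constructed data.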


Performance-based Questions

Scenario

You work as an IT security analyst for a medium-sized global manufacturing firm. An accounts payable employee reports that the computer does not work properly. The employee states that after visiting a website, a message now appears on the screen. You suspect the employee’s computer was infected with some form of malware. You interview the employee for details and take notes.

With your interest in security, you decide to use this as a training exercise for other IT security coworkers by creating a kill chain list. This list contains the ordered kill chain stages and your findings.

Employee interview notes:

  • The employee received an email that appeared to be from a legitimate company.
  • The employee clicked on a link in the email to enter an advertised contest.
  • The link directed the user to a website that looked legitimate, but the user did not see any contest information.
  • Shortly thereafter, the user experienced numerous pop-ups at any website.
  • The employee decided to reboot the PC to eliminate the popups.
  • After the PC rebooted, the employee states that a message appears asking for payment to use the computer and files.
  • You have confirmed the on-screen message after examining the computer.

Accounts Payable Employee: I received a message to enter a contest. I clicked the link and now my computer has problems. It says I have to pay to get my files?

Solution

Kill Chain Stages:

  1. Reconnaissance – Phishing
  2. Weaponization – Executable Code
  3. Delivery – Malicious Link
  4. Exploitation – Drive-by-Download
  5. Installation – Encryption
  6. Command & Control – Internet Host
  7. Actions on Objectives – Ransomware

While the kill chain itself is a defined set of stages or steps, the findings based on each stage of the kill chain can be determined based on interpreting and analyzing what the accounts payable employee said during your interview with them.

The first stage in the kill chain is reconnaissance. This is where the attacker researches the target and decides what method to use for the attack. In this case, the attacker chose email phishing.

The second stage in the kill chain is weaponization. In this instance, the attacker created malicious code used to install malicious software.

The third stage in the kill chain is delivery. In this case, the employee enabled delivery from the website by clicking the malicious link in the email.

The fourth stage in the kill chain is exploitation. In this instance, the code was a drive-by download. This means that after the employee visited the website, the code installed itself onto the system without any further action by the user.

The fifth stage in the kill chain is installation. In this case, the installation of the code enabled encryption of the employee’s files.

The sixth stage in the kill chain is command and control. In this situation, an Internet host (server/system) is behind the malicious connection to the employee’s PC.

The seventh and final stage in the kill chain is actions on objectives. The goal of this attack is ransomware: the employee’s files were encrypted and payment was demanded for their release.
