Eccouncil 312-85 practice test

Exam Title: Certified Threat Intelligence Analyst

Last update: Feb 14, 2026
Question 1

Jim works as a security analyst in a large multinational company. Recently, a group of hackers
penetrated the organizational network and used a data staging technique to collect sensitive
data. They collected all sorts of sensitive data about the employees and customers, business tactics of
the organization, financial information, network infrastructure information and so on.
What should Jim do to detect the data staging before the hackers exfiltrate the data from the network?

  • A. Jim should identify the attack at an initial stage by checking the content of the user agent field.
  • B. Jim should analyze malicious DNS requests, DNS payload, unspecified domains, and destination of DNS requests.
  • C. Jim should monitor network traffic for malicious file transfers, file integrity monitoring, and event logs.
  • D. Jim should identify the web shell running in the network by analyzing server access, error logs, suspicious strings indicating encoding, user agent strings, and so on.
Answer: C

Explanation:
In the scenario described, where attackers have penetrated the network and are staging data for
exfiltration, Jim should focus on monitoring network traffic for signs of malicious file transfers,
implement file integrity monitoring, and scrutinize event logs. This approach is crucial for detecting
unusual activity that could indicate data staging, such as large volumes of data being moved to
uncommon locations, sudden changes in file integrity, or suspicious entries in event logs. Early
detection of these indicators can help in identifying the staging activity before the data is exfiltrated
from the network.
Reference:
NIST Special Publication 800-61 Rev. 2, "Computer Security Incident Handling Guide"
SANS Institute Reading Room, "Detecting Malicious Activity with DNS and NetFlow"

Question 2

Andrews and Sons Corp. has decided to share threat information among sharing partners. Garry, a
threat analyst working at Andrews and Sons Corp., has been asked to follow a trust model necessary to
establish trust between sharing partners. In the trust model he uses, the first organization makes
use of a body of evidence held by a second organization, and the level of trust between the two organizations
depends on the degree and quality of the evidence provided by the first organization.
Which of the following types of trust model is used by Garry to establish the trust?

  • A. Mediated trust
  • B. Mandated trust
  • C. Direct historical trust
  • D. Validated trust
Answer: D

Explanation:
In the trust model described, where trust between two organizations depends on the degree and
quality of evidence provided by the first organization, the model in use is 'Validated Trust.' This
model relies on the validation of evidence or credentials presented by one party to another to
establish trust. The validation process assesses the credibility, reliability, and relevance of the
information shared, forming the basis of the trust relationship between the sharing partners. This
approach is common in threat intelligence sharing where the accuracy and reliability of shared
information are critical.
Reference:
"Building a Cybersecurity Culture," ISACA
"Trust Models in Information Security," Journal of Internet Services and Applications

Question 3

A threat analyst obtains intelligence related to a threat, where the data is sent in the form of a
connection request from a remote host to the server. From this data, he obtains only the IP addresses
of the source and destination but no contextual information. While processing this data, he obtains
contextual information stating that multiple connection requests from different geo-locations are
received by the server within a short time span, and as a result, the server is stressed and its
performance has gradually degraded. He further analyzes the information based on past
and present experience and identifies the attack experienced by the client organization.
Which of the following attacks was performed on the client organization?

  • A. DHCP attacks
  • B. MAC spoofing attack
  • C. Distributed Denial-of-Service (DDoS) attack
  • D. Bandwidth attack
Answer: C

Explanation:
The attack described, where multiple connection requests from different geo-locations are received
by a server within a short time span leading to stress and reduced performance, is indicative of a
Distributed Denial-of-Service (DDoS) attack. In a DDoS attack, the attacker floods the target's
resources (such as a server) with excessive requests from multiple sources, making it difficult for the
server to handle legitimate traffic, leading to degradation or outright unavailability of service. The
use of multiple geo-locations for the attack sources is a common characteristic of DDoS attacks,
making them harder to mitigate.
Reference:
"Understanding Denial-of-Service Attacks," US-CERT
"DDoS Quick Guide," DHS/NCCIC

Question 4

Jame, a professional hacker, is trying to steal the confidential information of a target organization. He
identified the vulnerabilities in the target system and created a tailored, deliverable malicious
payload using an exploit and a backdoor to send to the victim.
Which of the following phases of the cyber kill chain methodology is Jame executing?

  • A. Reconnaissance
  • B. Installation
  • C. Weaponization
  • D. Exploitation
Answer: C

Explanation:
In the cyber kill chain methodology, the phase where Jame is creating a tailored malicious
deliverable that includes an exploit and a backdoor is known as 'Weaponization'. During this phase,
the attacker prepares by coupling a payload, such as a virus or worm, with an exploit into a
deliverable format, intending to compromise the target's system. This step follows the initial
'Reconnaissance' phase, where the attacker gathers information on the target, and precedes the
'Delivery' phase, where the weaponized bundle is transmitted to the target. Weaponization involves
the preparation of the malware to exploit the identified vulnerabilities in the target system.
Reference:
Lockheed Martin's Cyber Kill Chain framework
"Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and
Intrusion Kill Chains," leading to the development of the Cyber Kill Chain framework

Question 5

Steve works as an analyst in a UK-based firm. He was asked to perform network monitoring to find
any evidence of compromise. During the network monitoring, he came to know that there were
multiple logins from different locations in a short time span. Moreover, he also observed certain
irregular login patterns from locations where the organization has no business relations. This
suggests that somebody is trying to steal confidential information.
Which of the following key indicators of compromise does this scenario present?

  • A. Unusual outbound network traffic
  • B. Unexpected patching of systems
  • C. Unusual activity through privileged user account
  • D. Geographical anomalies
Answer: D

Explanation:
The scenario described by Steve's observations, where multiple logins are occurring from different
locations in a short time span, especially from locations where the organization has no business
relations, points to 'Geographical anomalies' as a key indicator of compromise (IoC). Geographical
anomalies in logins suggest unauthorized access attempts potentially made by attackers using
compromised credentials. This is particularly suspicious when the locations of these logins do not
align with the normal geographical footprint of the organization's operations or employee locations.
Monitoring for such anomalies can help in the early detection of unauthorized access and potential
data breaches.
Reference:
SANS Institute Reading Room, "Indicators of Compromise: Reality's Version of the Minority Report"
"Identifying Indicators of Compromise" by CERT-UK

Question 6

Which of the following characteristics of APT refers to numerous attempts done by the attacker to
gain entry to the target’s network?

  • A. Risk tolerance
  • B. Timeliness
  • C. Attack origination points
  • D. Multiphased
Answer: D

Explanation:
Advanced Persistent Threats (APTs) are characterized by their 'Multiphased' nature, referring to the
various stages or phases the attacker undertakes to breach a network, remain undetected, and
achieve their objectives. This characteristic includes numerous attempts to gain entry to the target's
network, often starting with reconnaissance, followed by initial compromise, and progressing
through stages such as establishment of a backdoor, expansion, data exfiltration, and maintaining
persistence. This multiphased approach allows attackers to adapt and pursue their objectives despite
potential disruptions or initial failures in their campaign.
Reference:
"Understanding Advanced Persistent Threats and Complex Malware," by FireEye
MITRE ATT&CK Framework, detailing the multiphased nature of adversary tactics and techniques

Question 7

Lizzy, an analyst, wants to determine the level of risk to the organization in order to plan
countermeasures against cyber attacks. She used a threat modelling methodology in which she
performed the following stages:
Stage 1: Build asset-based threat profiles
Stage 2: Identify infrastructure vulnerabilities
Stage 3: Develop security strategy and plans
Which of the following threat modelling methodologies was used by Lizzy in the aforementioned
scenario?

  • A. TRIKE
  • B. VAST
  • C. OCTAVE
  • D. DREAD
Answer: C

Explanation:
The threat modeling methodology employed by Lizzy, which involves building asset-based threat
profiles, identifying infrastructure vulnerabilities, and developing security strategies and plans, aligns
with the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) methodology.
OCTAVE focuses on organizational risk and security practices, emphasizing self-directed risk
assessments to identify and prioritize threats to organizational assets and develop appropriate
security strategies and plans. This methodology is asset-driven and revolves around understanding
critical assets, identifying threats to those assets, and assessing vulnerabilities, leading to the
development of a comprehensive security strategy.
Reference:
The CERT Guide to System and Network Security Practices by Julia H. Allen
"OCTAVE Method Implementation Guide Version 2.0," Carnegie Mellon University, Software
Engineering Institute

Question 8

Which of the following types of threat attribution deals with the identification of the specific person,
society, or a country sponsoring a well-planned and executed intrusion or attack over its target?

  • A. Nation-state attribution
  • B. True attribution
  • C. Campaign attribution
  • D. Intrusion-set attribution
Answer: B

Explanation:
True attribution in the context of cyber threats involves identifying the actual individual, group, or
nation-state behind an attack or intrusion. This type of attribution goes beyond associating an attack
with certain tactics, techniques, and procedures (TTPs) or a known group and aims to pinpoint the
real-world entity responsible. True attribution is challenging due to the anonymity of the internet
and the use of obfuscation techniques by attackers, but it is crucial for understanding the motive
behind an attack and for forming appropriate responses at diplomatic, law enforcement, or
cybersecurity levels.
Reference:
"Attribution of Cyber Attacks: A Framework for an Evidence-Based Analysis" by Jason Healey
"The Challenges of Attribution in Cyberspace" in the Journal of Cyber Policy

Question 9

In a team of threat analysts, two individuals were competing to advance their own hypotheses
about a given malware sample. To find logical proof to confirm their hypotheses, the threat
intelligence manager used a de-biasing strategy that involves studying strategic decision making in
situations comprising multistep interactions among numerous agents, with or without perfect
relevant information.
Which of the following de-biasing strategies did the threat intelligence manager use to confirm their
hypotheses?

  • A. Game theory
  • B. Machine learning
  • C. Decision theory
  • D. Cognitive psychology
Answer: A

Explanation:
Game theory is a mathematical framework designed for understanding strategic situations where
individuals' or groups' outcomes depend on their choices and the choices of others. In the context of
threat intelligence analysis, game theory can be used as a de-biasing strategy to help understand and
predict the actions of adversaries and defenders. By considering the various strategies and potential
outcomes in a 'game' where each player's payoff is affected by the actions of others, analysts can
overcome their biases and evaluate hypotheses more objectively. This approach is particularly useful
in scenarios involving multiple actors with different goals and incomplete information.
Reference:
"Game Theory and Its Applications in Cybersecurity" in the International Journal of Computer
Science and Information Security
"Applying Game Theory to Cybersecurity" by the SANS Institute

Question 10

Cybersol Technologies initiated a cyber-threat intelligence program with a team of threat intelligence
analysts. During the process, the analysts started converting the raw data into useful information by
applying various techniques, such as machine-based techniques and statistical methods.
In which of the following phases of the threat intelligence lifecycle is the threat intelligence team
currently working?

  • A. Dissemination and integration
  • B. Planning and direction
  • C. Processing and exploitation
  • D. Analysis and production
Answer: C

Explanation:
The phase where threat intelligence analysts convert raw data into useful information by applying
various techniques, such as machine learning or statistical methods, is known as 'Processing and
Exploitation'. During this phase, collected data is processed, standardized, and analyzed to extract
relevant information. This is a critical step in the threat intelligence lifecycle, transforming raw data
into a format that can be further analyzed and turned into actionable intelligence in the subsequent
'Analysis and Production' phase.
Reference:
"Intelligence Analysis for Problem Solvers" by John E. McLaughlin
"The Cyber Intelligence Tradecraft Project: The State of Cyber Intelligence Practices in the United
States (Unclassified Summary)" by the Carnegie Mellon University's Software Engineering Institute

Page 1 of 4 (questions 1-10 of 50)