Questions and Answers
Which of the following best describes the importance of combining technologies in achieving Confidentiality, Integrity, and Availability (CIA)?
What factor primarily influences the selection of security controls to be applied?
What are the two forms of cyber threat intelligence mentioned?
How can one mitigate risks to achieve better coverage in Confidentiality, Integrity, and Availability?
What is the essence of security intelligence in relation to information systems?
What distinguishes an Intrusion Prevention System (IPS) from an Intrusion Detection System (IDS)?
Which of the following is a prominent feature of Snort's functionality?
In the context of IDS/IPS log entries, which of the following statements is true?
What is a common capability of Network Access Control (NAC)?
Which port security method requires that only clients with approved MAC addresses can connect?
Why should web administrative interfaces be disabled in network appliances?
When utilizing the 802.1X protocol for NAC, what is primarily being encapsulated?
What is an essential feature of posture assessment in NAC solutions?
Which action is typically NOT part of an IPS function?
In a Snort rule, what does the 'action' field typically indicate?
How does location-based NAC determine access eligibility?
Which type of security configuration can help in denying internet access to remote management?
What is the primary purpose of remediation within a NAC framework?
What is a key factor to assess when performing threat modeling?
Which of the following best describes the attack surface in cybersecurity?
What is the nature of threat hunting in cybersecurity?
What tool can be utilized for open-source intelligence gathering by capturing email addresses from a domain?
Which technique helps to isolate specific areas of interest while conducting Google hacking?
What type of threat does the dark web primarily serve as a platform for?
Which of the following is NOT typically included in the scope of threat modeling?
What benefit does the AbuseIPDB provide to organizations in cybersecurity?
In cyber threat hunting, what is the role of creating a hypothesis?
How can organizations use the deep web effectively?
What is a common method used during reconnaissance phases associated with DNS harvesting?
What is the main goal of a bug bounty program for companies?
Which aspect is considered when categorizing the capability of adversaries in threat modeling?
Which of the following methods would NOT be relevant for improving threat detection during threat hunting?
What is the primary function of a dropper in malware operations?
Which of the following best describes the purpose of a downloader in malware behavior?
Which exploit technique runs malicious code using the identity of a legitimate process?
What is a common characteristic of malware that employs 'Living Off the Land' techniques?
Which process is typically characterized as a legitimate process in a Windows environment?
Identify the exploit technique that involves manipulating code in a dynamic link library.
What is a primary indicator of anomalous behavior according to behavioral analysis?
In which scenario would a threat hunter most likely use Sysinternals tools?
Which of the following processes is responsible for managing low-level Windows functions?
Which of these statements correctly describes shellcode?
Which of the following describes the primary function of an Endpoint Protection Platform (EPP)?
What is the main advantage of using sandboxing for malware analysis?
How does User and Entity Behavior Analytics (UEBA) primarily detect suspicious activities?
What is the key purpose of a disassembler in malware reverse engineering?
Why is a packed program used by malware developers?
Which tool is known for allowing the execution and analysis of malware across multiple operating systems?
What is the function of a malware 'string' in reverse engineering?
What does the File Signature or Magic Number indicate in a binary header?
Which feature is NOT typically associated with sandboxing tools?
Which of the following describes the role of an Endpoint Detection and Response (EDR)?
What is a common goal of advanced endpoint protection (AEP)?
Why is it critical to isolate a sandbox host from other functions?
What describes the purpose of creating a honeypot lab?
Study Notes
Security and Threat Intelligence
- Security Intelligence is the process of using data to understand the security status of information systems
- Cyber Threat Intelligence focuses on gathering information about emerging threats and potential threat sources
- Cyber Threat Intelligence uses both Narrative Reports and Data Feeds
Threat Modeling
- Threat Modeling identifies and assesses potential threats to a system
- Threat Modeling considers both the defender's point of view and the attacker's point of view
- Adversary Capability is a formal classification of the resources and expertise of a threat actor
- Attack Surface is the point where a network or application receives external connections or inputs/outputs
- Attack Vector is a specific path that a threat actor uses to gain unauthorized access to a system
Threat Hunting
- Threat Hunting involves proactively searching for threats that have gone undetected by regular security monitoring
- Threat Hunting can be less disruptive than penetration testing
- Threat Hunting uses existing tools for regular security monitoring and incident response
Open-Source Intelligence (OSINT)
- OSINT uses publicly available information and tools to gather information
- OSINT helps attackers develop strategies to compromise a target
Google Hacking
- Google Hacking uses Google search operators to find vulnerable web servers and applications
- Google Hacking Database (GHDB) is a database of search strings for finding vulnerable websites
- Shodan is a search engine that focuses on identifying vulnerable internet-connected devices
Profiling Techniques
- Email Harvesting is an OSINT technique that gathers email addresses
- Pipl.com, Peekyou.com, and Echosec.net are tools used for email harvesting
- theHarvester is a command-line tool used in penetration testing to gather email addresses and related OSINT for a domain
Harvesting Techniques
- whois is a public listing of domains and their registered administrators
- DNS Zone Transfer replicates a DNS zone database between DNS servers; a zone transfer that is left open to anyone is frequently used in reconnaissance because it hands over the whole zone at once
- DNS Harvesting gathers information about a domain, like subdomains, hosting provider, and administrative contacts
Website Harvesting
- Website Harvesting copies a website's source code so it can be analyzed offline for vulnerabilities and useful information
AbuseIPDB
- AbuseIPDB is a community-driven database that tracks IP addresses known for abusive behavior
- AbuseIPDB helps organizations take proactive measures for cybersecurity
- AbuseIPDB data should be combined with other security measures for reliability
Deep Web and Dark Web
- Deep Web refers to the internet content that is not indexed by search engines
- Deep Web includes private databases, subscription websites, and government databases
- Dark Web is a part of the deep web used for illegal activities, such as buying and selling drugs, weapons, and stolen data
Bug Bounty
- Bug Bounty programs allow companies to crowdsource security testing of their software
- Bug Bounty participants report potential issues found in applications and services
- Bug Bounty participation allows security professionals to gain recognition and show their skills
Network Forensics
- Network Forensics is the process of investigating network activity to collect evidence for criminal prosecution or incident response.
Intrusion Prevention System (IPS)
- IPS is an IDS that can actively block attacks.
- IPS can be implemented using software and hardware.
- IPS monitors security infrastructure for attacks in progress.
Common IPSs
- Snort is an open-source software that can operate as an IDS or IPS.
- Snort is available for Windows and selected Linux distributions.
- Zeek is another open source IDS for Unix/Linux platforms.
- Zeek has a scripting engine to respond to significant events.
- Security Onion is an open source Linux-based platform for security monitoring including Snort, Suricata, Zeek, Wireshark, and NetworkMiner.
IDS and IPS Logs
- Log entries are created every time a rule is matched in an IDS or IPS.
- IDS/IPS software allows different formats for log entries including unified output, syslog, CSV, tcpdump (pcap), and input into a SIEM.
- Analysts can create custom rules for their specific organizations.
Snort Rule Format
- General Snort rule format: "Action Protocol SourceIP SourcePort Direction DestinationIP DestinationPort (RuleOption; RuleOption; ...)".
- The action field in the rule can include 'alert', 'log', 'pass', 'drop', and 'reject'.
- Source and destination addresses and ports can be set to 'any', to a variable such as $EXTERNAL_NET or $HOME_NET, or to specific static values.
- Direction is either unidirectional '->' (source to destination) or bidirectional '<>'.
Port Security Configuration
- Port security prevents unauthorized devices from using the switch ports that hosts and firewalls communicate through.
- Network appliances, such as switches, routers, and firewalls, can be vulnerable to software attacks.
- Implement port security to restrict each port to designated host devices (for example, by approved MAC address).
- Monitor the number of designated interfaces so that unexpected additions stand out.
- Deny internet access to remote management interfaces.
Network Access Control (NAC)
- NAC authenticates users and evaluates device integrity before granting network access.
- 802.1X encapsulates EAP communications over a LAN or wireless LAN.
- Port-based NAC performs authentication of connected devices before activating a port.
- NAC can configure minimum-security profiles that devices must meet to access the network.
Key Features of a NAC solution
- Posture Assessment: evaluates endpoint security configuration for compliance with the security policy.
- Remediation: improves endpoint security if it doesn't meet the minimum-security profile.
- Pre- and Post-admission Control: grants or denies access based on device compliance with the security profile.
Sandboxing
- Sandboxing uses an isolated environment to run programs securely without affecting the host system.
- Sandbox prohibits communication links between the sandbox and the host.
- Sandboxing is used to analyze malware for malicious behavior, identify system effects, and identify dependencies.
- Sandboxing tools should not be used for other tasks.
Common Sandbox Tools
- FLARE VM allows running Windows binaries in a sandbox environment for analysis.
- Cuckoo allows running malware samples in Linux, Windows, or Mac environments.
- Joe Sandbox analyzes the behavior of malware in a controlled environment.
- Joe Sandbox automatically classifies malware behavior.
Reverse Engineering
- Reverse Engineering analyzes hardware or software to understand its functionality.
- Malware reverse engineering can identify the malware author's code patterns.
- Malware writers often obfuscate code to prevent analysis.
- Disassembler translates machine language into assembly language.
- Machine code is represented by two hexadecimal digits for each byte.
- File Signature (or Magic Number) is the first two bytes of a binary header; it indicates the file type.
- Assembly Code is the native processor instructions used to implement the program.
- Decompiler translates binary or low-level machine language into higher-level code.
Malware Exploitation
- Exploit Technique describes the specific method by which malware code infects a target host.
- Modern malware uses fileless techniques to avoid detection by signature-based security software.
- APT uses fileless techniques to evade detection by signature-based security software.
Malware Delivery Methods
- Dropper malware is specifically designed to install or execute additional malware.
- Downloader malware connects to the internet to retrieve additional tools following an initial infection.
- Shellcode is lightweight code used to exploit a target, potentially including various code formats like scripts or binary code.
- Shellcode was initially used to give attackers a shell (command prompt) on the target system, but the term now has a broader meaning.
Code Injection
- Code Injection is a technique that runs malicious code inside a legitimate process, so the activity appears under that process's identification number (PID).
- Other code injection techniques include masquerading, DLL injection, DLL sideloading, and process hollowing.
Droppers and Anti-Forensics
- Droppers often employ anti-forensics methods to avoid detection and analysis.
Living Off the Land Techniques
- Exploit techniques that leverage standard system tools and packages to gain access.
- Intrusions are harder to detect when adversaries utilize standard tools and processes to run malicious code.
Behavioral Analysis
- Threat hunting and security monitoring should incorporate behavioral analysis to identify infections.
- Sysinternals is a suite of tools for troubleshooting Windows issues and is helpful for security investigations.
- Process Explorer can filter out legitimate activity to identify anomalous behavior.
Legitimate Processes and Suspicious Activity
- Determine normal processes on a system to recognize suspicious ones.
- System Idle (PID 0) and System (PID 4) are kernel-level processes; System is responsible for starting the first user-mode process, the Session Manager SubSystem (smss.exe).
- Client Server Runtime SubSystem (csrss.exe) manages low-level Windows functions; multiple instances can run if launched from %SystemRoot%\System32 with no parent process.
- WININIT (wininit.exe) manages drivers and services; only one instance should be running as a process.
- Services.exe hosts nonboot drivers and background services. Only one instance should run, as a child of wininit.exe, with other service processes as children of services.exe or svchost.exe.
- Services are started by the SYSTEM, LOCAL SERVICE, or NETWORK SERVICE accounts.
Description
This quiz explores key concepts in security intelligence and threat modeling, focusing on understanding vulnerabilities and potential attacks to information systems. It includes insights on cyber threat intelligence, adversary capabilities, and proactive threat hunting. Test your knowledge on how to identify, assess, and mitigate threats in cybersecurity.