
Cyber Security and Threat Modeling

Questions and Answers

    Which of the following best describes the importance of combining technologies in achieving Confidentiality, Integrity, and Availability (CIA)?

      • No single technology can assure CIA on its own, necessitating combinations. (correct)
      • Each technology functions independently to ensure CIA.
      • Only narrative reports are needed to fulfill CIA requirements.
      • Combined technologies can adequately cover all aspects of CIA.

    What factor primarily influences the selection of security controls to be applied?

      • The specific risks identified within the system. (correct)
      • Best practices in the industry.
      • The available budget for security measures.
      • Personal preference of the security team.

    What are the two forms of cyber threat intelligence mentioned?

      • Incident Reports and Vulnerability Scans.
      • Narrative Reports and Data Feeds. (correct)
      • Analytical Reports and Risk Assessments.
      • Personal Insights and Social Media Analysis.

    How can one mitigate risks to achieve better coverage in Confidentiality, Integrity, and Availability?

      • By evaluating current controls and adding necessary ones for coverage.

    What is the essence of security intelligence in relation to information systems?

      • It processes and analyzes data to give insights into security statuses.

    What distinguishes an Intrusion Prevention System (IPS) from an Intrusion Detection System (IDS)?

      • An IPS can actively block attacks in progress.

    Which of the following is a prominent feature of Snort's functionality?

      • Unified output log format.

    In the context of IDS/IPS log entries, which of the following statements is true?

      • Log entries are created with every matched rule.

    What is a common capability of Network Access Control (NAC)?

      • It can perform device integrity assessments.

    Which port security method requires that only clients with approved MAC addresses can connect?

      • MAC Filtering

    Why should web administrative interfaces be disabled in network appliances?

      • To reduce the risk of unauthorized access.

    When utilizing the 802.1X protocol for NAC, what is primarily being encapsulated?

      • EAP communications.

    What is an essential feature of posture assessment in NAC solutions?

      • Assessing compliance with health policy.

    Which action is typically NOT part of an IPS function?

      • Only logging security events.

    In a Snort rule, what does the 'action' field typically indicate?

      • The predetermined response to a rule match.

    How does location-based NAC determine access eligibility?

      • Using geolocation mechanisms such as GPS.

    Which type of security configuration can help in denying internet access to remote management?

      • Port-based access control lists (ACLs)

    What is the primary purpose of remediation within a NAC framework?

      • Addressing non-compliance of devices with health policies.

    What is a key factor to assess when performing threat modeling?

      • The potential impact on data confidentiality, integrity, and availability

    Which of the following best describes the attack surface in cybersecurity?

      • The totality of points where an unauthorized user can potentially access a system

    What is the nature of threat hunting in cybersecurity?

      • It is designed to identify threats not caught by standard security monitoring

    What tool can be utilized for open-source intelligence gathering by capturing email addresses from a domain?

      • theHarvester

    Which technique helps to isolate specific areas of interest while conducting Google hacking?

      • Using quotes for exact phrases

    What type of threat does the dark web primarily serve as a platform for?

      • Illegal activities and black market exchanges

    Which of the following is NOT typically included in the scope of threat modeling?

      • User interface design

    What benefit does the AbuseIPDB provide to organizations in cybersecurity?

      • Facilitates proactive monitoring of potentially abusive IP addresses

    In cyber threat hunting, what is the role of creating a hypothesis?

      • To identify potential attack events based on likelihood and impact

    How can organizations use the deep web effectively?

      • To gather intelligence on potential threats

    What is a common method used during reconnaissance phases associated with DNS harvesting?

      • DNS Zone Transfer

    What is the main goal of a bug bounty program for companies?

      • To crowdsource the discovery of security flaws

    Which aspect is considered when categorizing the capability of adversaries in threat modeling?

      • Their level of expertise and resources

    Which of the following methods would NOT be relevant for improving threat detection during threat hunting?

      • Conducting internal audits

    What is the primary function of a dropper in malware operations?

      • To install or run additional malware on the host

    Which of the following best describes the purpose of a downloader in malware behavior?

      • It retrieves additional tools from the Internet post-infection.

    Which exploit technique runs malicious code using the identity of a legitimate process?

      • Code Injection

    What is a common characteristic of malware that employs 'Living Off the Land' techniques?

      • It manipulates pre-installed system tools for execution.

    Which process is typically characterized as a legitimate process in a Windows environment?

      • services.exe

    Identify the exploit technique that involves manipulating code in a dynamic link library.

      • DLL Injection

    What is a primary indicator of anomalous behavior according to behavioral analysis?

      • Deviation from established baseline activities

    In which scenario would a threat hunter most likely use Sysinternals tools?

      • To identify potential security issues and anomalous processes.

    Which of the following processes is responsible for managing low-level Windows functions?

      • csrss.exe

    Which of these statements correctly describes shellcode?

      • It is a lightweight code that can include various formats.

    Which of the following describes the primary function of an Endpoint Protection Platform (EPP)?

      • Performs multiple security tasks including anti-virus and file encryption.

    What is the main advantage of using sandboxing for malware analysis?

      • It allows for comprehensive testing of malware in a contained environment.

    How does User and Entity Behavior Analytics (UEBA) primarily detect suspicious activities?

      • Utilizing advanced computing techniques like AI and ML.

    What is the key purpose of a disassembler in malware reverse engineering?

      • To translate machine code into assembly language.

    Why is a packed program used by malware developers?

      • To compress the code and conceal malicious actions until unpacked.

    Which tool is known for allowing the execution and analysis of malware across multiple operating systems?

      • Joe Sandbox

    What is the function of a malware 'string' in reverse engineering?

      • To identify unique signatures for detection.

    What does the File Signature or Magic Number indicate in a binary header?

      • The type of file being analyzed.

    Which feature is NOT typically associated with sandboxing tools?

      • Automatically classifying malware types.

    Which of the following describes the role of an Endpoint Detection and Response (EDR)?

      • To collect system data and perform threat analysis.

    What is a common goal of advanced endpoint protection (AEP)?

      • To integrate multiple security technologies for better threat management.

    Why is it critical to isolate a sandbox host from other functions?

      • To avoid interference with malware tests.

    What describes the purpose of creating a honeypot lab?

      • To capture and analyze advanced persistent threats (APTs).

    Study Notes

    Security and Threat Intelligence

    • Security Intelligence is the process of using data to understand the security status of information systems
    • Cyber Threat Intelligence focuses on gathering information about emerging threats and potential threat sources
    • Cyber Threat Intelligence uses both Narrative Reports and Data Feeds

    Threat Modeling

    • Threat Modeling identifies and assesses potential threats to a system
    • Threat Modeling considers both the defender's point of view and the attacker's point of view
    • Adversary Capability is a formal classification of the resources and expertise of a threat actor
    • Attack Surface is the set of points where a network or application receives external connections or inputs/outputs, i.e., everywhere an unauthorized user could attempt to get in
    • Attack Vector is a specific path that a threat actor uses to gain unauthorized access to a system

    Threat Hunting

    • Threat Hunting involves proactively searching for threats that have gone undetected by regular security monitoring
    • Threat Hunting can be less disruptive than penetration testing
    • Threat Hunting uses existing tools for regular security monitoring and incident response

    Open-Source Intelligence (OSINT)

    • OSINT uses publicly available information and tools to gather information
    • OSINT helps attackers develop strategies to compromise a target

    Google Hacking

    • Google Hacking uses Google search operators to find vulnerable web servers and applications
    • Google Hacking Database (GHDB) is a database of search strings for finding vulnerable websites
    • Shodan is a search engine that focuses on identifying vulnerable internet-connected devices

    Profiling Techniques

    • Email Harvesting is an OSINT technique that gathers email addresses
    • Pipl.com, Peekyou.com, and Echosec.net are people-search and social-media profiling services that can turn a name or handle into email addresses, locations, and other identifying details
    • theHarvester is a command line tool used in penetration testing to collect email addresses, subdomains, and host names for a target domain from public sources such as search engines

    Harvesting Techniques

    • whois is a public listing of domains and their registered administrators
    • DNS Zone Transfer (AXFR) replicates a zone's records between DNS servers; a name server that answers transfer requests from arbitrary clients hands a reconnaissance attacker the complete list of hosts in the domain, which is why it is frequently attempted during reconnaissance and why transfers should be restricted to the secondary servers that need them
    • DNS Harvesting gathers information about a domain, like subdomains, hosting provider, and administrative contacts

    Website Harvesting

    • Website Harvesting copies website source code for vulnerabilities and information analysis

    AbuseIPDB

    • AbuseIPDB is a community-driven database that tracks IP addresses known for abusive behavior
    • AbuseIPDB helps organizations take proactive measures for cybersecurity
    • AbuseIPDB data should be combined with other security measures for reliability

    Deep Web and Dark Web

    • Deep Web refers to the internet content that is not indexed by search engines
    • Deep Web includes private databases, subscription websites, and government databases
    • Dark Web is a part of the deep web used for illegal activities, such as buying and selling drugs, weapons, and stolen data

    Bug Bounty

    • Bug Bounty programs allow companies to crowdsource security testing of their software
    • Bug Bounty participants report potential issues found in applications and services
    • Bug Bounty participation allows security professionals to gain recognition and show their skills

    Network Forensics

    • Network Forensics is the process of investigating network activity to collect evidence for criminal prosecution or incident response.

    Intrusion Prevention System (IPS)

    • IPS is an IDS that can actively block attacks.
    • IPS can be implemented using software and hardware.
    • IPS monitors security infrastructure for attacks in progress.

    Common IPSs

    • Snort is an open-source software that can operate as an IDS or IPS.
    • Snort is available for Windows and selected Linux distributions.
    • Zeek is another open source IDS for Unix/Linux platforms.
    • Zeek has a scripting engine to respond to significant events.
    • Security Onion is an open source Linux-based platform for security monitoring including Snort, Suricata, Zeek, Wireshark, and NetworkMiner.

    IDS and IPS Logs

    • Log entries are created every time a rule is matched in an IDS or IPS.
    • IDS/IPS software allows different formats for log entries including unified output, syslog, CSV, tcpdump (pcap), and input into a SIEM.
    • Analysts can create custom rules for their specific organizations.

    Snort Rule Format

    • General Snort rule format: "Action Protocol SourceIP SourcePort Direction DestinationIP DestinationPort (RuleOption; RuleOption; ...)".
    • The action field in the rule can include 'alert', 'log', 'pass', 'drop', 'sdrop', and 'reject'; 'drop', 'sdrop', and 'reject' only take effect when Snort runs inline as an IPS.
    • Source and destination addresses and ports can be set to 'any', to a variable such as $EXTERNAL_NET or $HOME_NET, or to specific static values (a host or CIDR block, a port, or a port range such as 1024:65535).
    • Direction is either unidirectional '->' (source to destination) or bidirectional '<>'; there is no '<-' operator, so a rule for the reverse direction is written with the addresses swapped.
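
The rule format above, turned into a small matcher so the fields can be seen doing their job. This is an added example, not Snort's own code: it parses only the header fields plus the msg/content/sid/rev options, treats $HOME_NET as an assumed 10.0.0.0/8 and $EXTERNAL_NET as its complement, and the rules and packets at the bottom are constructed for the example. It rejects the nonexistent '<-' direction, honours '<>' by trying both orderings, evaluates pass rules before the others (Snort's default rule order), and emits one log entry per rule match, as the IDS/IPS log section describes.

```python
"""Mini rule engine for the Snort rule header format. Added example, not
Snort's code: header fields, msg/content/sid/rev options and the two
network variables only; the rest of Snort's option language is ignored."""
import ipaddress
import re
from collections import namedtuple

VALID_ACTIONS = {"alert", "log", "pass", "drop", "sdrop", "reject"}
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]   # assumed snort.conf value
# The direction group deliberately accepts only -> and <>; '<-' is rejected.
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
Rule = namedtuple("Rule", "action proto src sport direction dst dport options")


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule header: {text!r}")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    options = {}
    for opt in (o.strip() for o in opts.split(";")):  # simplification: no ';' inside content
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(action, proto, src, sport, direction, dst, dport, options)


def ip_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if spec == "$HOME_NET":
        return any(addr in net for net in HOME_NET)
    if spec == "$EXTERNAL_NET":                   # defined as !$HOME_NET
        return not any(addr in net for net in HOME_NET)
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                               # range such as 1024:65535 or :1023
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def half_matches(pkt, src, sport, dst, dport):
    return (ip_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
            and ip_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    hit = half_matches(pkt, rule.src, rule.sport, rule.dst, rule.dport)
    if not hit and rule.direction == "<>":        # bidirectional: try the reverse
        hit = half_matches(pkt, rule.dst, rule.dport, rule.src, rule.sport)
    if not hit:
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt.get("payload", b"")


def evaluate(rules, packets):
    """One log entry per (packet, matching rule). pass rules go first
    (Snort's default order) and silence the packet; drop/reject entries
    are the ones an inline IPS acts on."""
    ordered = sorted(rules, key=lambda r: 0 if r.action == "pass" else 1)
    entries = []
    for pkt in packets:
        for rule in ordered:
            if not rule_matches(rule, pkt):
                continue
            if rule.action == "pass":
                break
            entries.append({"action": rule.action, "sid": rule.options.get("sid"),
                            "msg": rule.options.get("msg"),
                            "src": f'{pkt["src"]}:{pkt["sport"]}',
                            "dst": f'{pkt["dst"]}:{pkt["dport"]}'})
    return entries


# Constructed rules and packets for the example (not from a real capture).
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; sid:1000001; rev:1;)',
    'pass tcp 10.0.0.5 any -> $HOME_NET 80 (msg:"approved scanner"; sid:1000002; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet from outside"; sid:1000003; rev:1;)',
]
def pkt(src, sport, dst, dport, payload=b""):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}
SAMPLE_PACKETS = [
    pkt("198.51.100.7", 40000, "10.0.0.10", 80, b"GET /scripts/cmd.exe HTTP/1.1"),
    pkt("10.0.0.5", 40001, "10.0.0.10", 80, b"GET /cmd.exe HTTP/1.1"),  # pass-listed scanner
    pkt("203.0.113.9", 1234, "10.0.0.20", 23),
    pkt("203.0.113.9", 1235, "10.0.0.10", 80, b"GET / HTTP/1.1"),
]
```

Running `evaluate([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS)` yields two entries: an alert (sid 1000001) for the first packet and a drop (sid 1000003) for the telnet packet; the second packet carries the same cmd.exe content but is silenced by the pass rule, and the fourth matches nothing.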

    Port Security Configuration

    • Port security restricts which devices may send traffic through a switch port, typically by limiting how many MAC addresses the port will learn and which addresses are allowed, so that an unauthorized host plugged into an office or lab port does not get onto the network.
    • Network appliances, such as switches, routers, and firewalls, are themselves software and can be attacked; harden them as you would any host.
    • Implement port security to restrict access to designated host devices, and shut down or restrict ports that violate the policy.
    • Monitor the number of active interfaces and which MAC addresses appear on each.
    • Deny internet access to remote management: reach management interfaces only from a dedicated management network, and disable the web administrative interface where it is not needed.

    Network Access Control (NAC)

    • NAC authenticates users and evaluates device integrity before granting network access.
    • 802.1X encapsulates EAP communications over a LAN or wireless LAN.
    • Port-based NAC performs authentication of connected devices before activating a port.
    • NAC can configure minimum-security profiles that devices must meet to access the network.

    Key Features of a NAC solution

    • Posture Assessment: evaluates endpoint security configuration for compliance with the security policy.
    • Remediation: improves endpoint security if it doesn't meet the minimum-security profile.
    • Pre- and Post-admission Control: grants or denies access based on device compliance with the security profile.

    Sandboxing

    • Sandboxing uses an isolated environment to run programs securely without affecting the host system.
    • Sandbox prohibits communication links between the sandbox and the host.
    • Sandboxing is used to analyze malware for malicious behavior, identify system effects, and identify dependencies.
    • Sandboxing tools should not be used for other tasks.

    Common Sandbox Tools

    • FLARE VM is a scripted Windows analysis environment (a package of reverse-engineering and sandbox tools) for examining Windows binaries inside an isolated VM.
    • Cuckoo allows running malware samples in Linux, Windows, or Mac environments.
    • Joe Sandbox analyzes the behavior of malware in a controlled environment.
    • Joe Sandbox automatically classifies malware behavior.

    Reverse Engineering

    • Reverse Engineering analyzes hardware or software to understand its functionality.
    • Malware reverse engineering can identify the malware author's code patterns.
    • Malware writers often obfuscate code to prevent analysis.
    • A Disassembler translates machine language into assembly language.
    • Machine code is represented by two hexadecimal digits for each byte.
    • The File Signature (or Magic Number) is the first few bytes of a binary header that identify its file type; the length depends on the format (for example 'MZ' for Windows executables, 0x7F 'ELF' for Linux executables), so the file extension cannot be trusted and the header should be checked.
    • Assembly Code is the native processor instructions used to implement the program.
    • A Decompiler translates binary or low-level machine language into higher-level code.
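
The first static-triage steps an analyst takes before reaching for a disassembler, as an added example (not taken from any named tool): read the magic number to learn what the file really is, flag an extension that disagrees with the header, and pull printable ASCII and UTF-16LE strings out of the bytes to look for URLs, IP addresses, persistence registry keys and packer section names. The SAMPLE bytes are constructed for the example and are not a real malware sample; the signature table and the "UPX" packer hint are the usual heuristics, not an exhaustive list.

```python
"""Static triage of an unknown binary from its header and strings.
Added example, not from any named tool; SAMPLE is constructed."""
import re

# Leading bytes of common formats. Lengths differ per format, so the
# comparison must use each format's own length, not a fixed two bytes.
SIGNATURES = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also docx, jar, apk)"),
]
EXPECTED_BY_EXT = {"exe": "PE/DOS", "dll": "PE/DOS", "png": "PNG",
                   "pdf": "PDF", "zip": "ZIP", "docx": "ZIP"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def identify(data: bytes) -> str:
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one format but the header says
    another, e.g. an .exe renamed to .png to pass a filter that trusts names."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in EXPECTED_BY_EXT and not identify(data).startswith(EXPECTED_BY_EXT[ext])


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, then UTF-16LE runs (Windows binaries keep many
    paths and registry keys as wide strings that a plain ASCII scan misses)."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in narrow.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide.finditer(data)]
    return found


def triage(filename: str, data: bytes) -> dict:
    found = strings(data)
    return {
        "type": identify(data),
        "extension_mismatch": extension_mismatch(filename, data),
        "urls": [s for s in found if s.startswith(("http://", "https://"))],
        "ipv4": sorted({ip for s in found for ip in IPV4_RE.findall(s)}),
        "persistence": [s for s in found if "CurrentVersion\\Run" in s],
        # UPX0/UPX1 section names are a cheap hint that the sample is packed
        # and the interesting strings only appear after unpacking.
        "packer_hint": any(s.startswith("UPX") for s in found),
        "strings": found,
    }


# Constructed PE-like blob: MZ stub, e_lfanew (offset 0x3c) pointing at a
# PE signature at 0x40, then the kinds of strings an analyst looks for.
SAMPLE = (
    b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
    + b"\x00\x17\x2b\x9d\x04"
    + b"http://198.51.100.23/update.bin\x00"
    + b"cmd.exe /c whoami\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"UPX0\x00UPX1\x00"
)
```

`triage("invoice.png", SAMPLE)` reports a PE/DOS executable behind a .png name, the download URL and its IP, the Run-key persistence string (found only by the wide-string scan) and the UPX packer hint; the wide-string pass is the reason a plain `strings` run on a Windows sample can look almost empty.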

    Malware Exploitation

    • Exploit Technique describes the specific method by which malware code infects a target host.
    • Modern malware, including APT tooling, uses fileless techniques (code that runs only in memory or inside legitimate interpreters such as PowerShell) to avoid detection by signature-based security software that scans files on disk.

    Malware Delivery Methods

    • Dropper malware is specifically designed to install or execute additional malware.
    • Downloader malware connects to the internet to retrieve additional tools following an initial infection.
    • Shellcode is lightweight code used to exploit a target, potentially including various code formats like scripts or binary code.
    • Shellcode was initially used to give attackers a shell (command prompt) on the target system, but the term now has a broader meaning.

    Code Injection

    • Code Injection is a technique to run malicious code inside the address space of a legitimate process, so that the activity is attributed to that process's name and identification number (PID).
    • Related techniques include masquerading (naming a malicious file after a legitimate process), DLL injection, DLL sideloading, and process hollowing (starting a legitimate process suspended and replacing its code before it runs).

    Droppers and Anti-Forensics

    • Droppers often employ anti-forensics methods to avoid detection and analysis.

    Living Off the Land Techniques

    • Living Off the Land (LOtL) techniques use the tools and interpreters already installed on the system (for example PowerShell, WMI, certutil, rundll32, or scheduled tasks) to execute, persist, and move laterally without dropping new binaries.
    • Intrusions are harder to detect when adversaries use standard tools and processes to run malicious code, because the process names and binaries are the same ones seen in normal activity.

    Behavioral Analysis

    • Threat hunting and security monitoring should incorporate behavioral analysis to identify infections.
    • Sysinternals is a suite of tools for troubleshooting Windows issues and is helpful for security investigations.
    • Process Explorer can filter out legitimate activity to identify anomalous behavior.

    Legitimate Processes and Suspicious Activity

    • Determine normal processes on a system to recognize suspicious ones.
    • System Idle Process (PID 0) and System (PID 4) are kernel-level pseudo-processes, not user-mode binaries; System is the parent of the first user-mode process, the Session Manager SubSystem (smss.exe).
    • Client Server Runtime SubSystem (csrss.exe) manages low-level Windows functions; one instance runs per session, each launched from %SystemRoot%\System32 and showing no live parent because the smss.exe instance that started it has exited.
    • WININIT (wininit.exe) starts services.exe and lsass.exe in session 0; only one instance should be running.
    • Services.exe (the Service Control Manager) starts nonboot drivers and background services. Only one instance should run, as a child of wininit.exe, with other service processes as children of services.exe (or, for hosted services, of svchost.exe).
    • Services run under the SYSTEM, LOCAL SERVICE, or NETWORK SERVICE accounts; a process with one of these names running under a user account, from a different path, or under an unexpected parent is suspicious.
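
The baseline above, written down as checks a threat hunter can run over a process listing (the kind of data Process Explorer, `tasklist /v` or `Get-CimInstance Win32_Process` produces). This is an added example, not a Sysinternals tool, and it also serves the Behavioral Analysis section: it encodes the expected instance counts, parents, image paths and accounts for the core processes and reports every deviation. It assumes a single-session workstation (terminal servers legitimately run one csrss.exe per session) and the SAMPLE_PROCS records are constructed for the example, with two planted anomalies, rather than taken from a real host.

```python
"""Baseline checks for core Windows processes over a process listing.
Added example, not a Sysinternals tool; SAMPLE_PROCS is constructed."""
from collections import Counter

SYSTEM32 = "c:\\windows\\system32\\"
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}
# name: (max instances or None, allowed parent names, must live in System32)
# csrss and wininit have no live parent because smss.exe exits after starting them.
EXPECTED = {
    "smss.exe":     (1, {"system"}, True),
    "csrss.exe":    (None, set(), True),
    "wininit.exe":  (1, set(), True),
    "services.exe": (1, {"wininit.exe"}, True),
    "lsass.exe":    (1, {"wininit.exe"}, True),
    "svchost.exe":  (None, {"services.exe"}, True),
}
MUST_BE_SERVICE_ACCOUNT = {"services.exe", "lsass.exe", "svchost.exe"}


def check_process_tree(procs):
    """Return (pid, name, finding) tuples; an empty list means nothing odd.
    A count violation is reported once per instance, so both copies of a
    duplicated services.exe show up for the analyst to compare."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"] for p in procs)
    findings = []
    if (by_pid.get(0, {}).get("name") != "system idle process"
            or by_pid.get(4, {}).get("name") != "system"):
        findings.append((None, None, "System Idle Process (PID 0) / System (PID 4) missing"))
    for p in procs:
        name = p["name"]
        if name not in EXPECTED:
            continue
        max_count, parents, in_system32 = EXPECTED[name]
        if max_count is not None and counts[name] > max_count:
            findings.append((p["pid"], name, f"{counts[name]} instances, expected {max_count}"))
        if in_system32 and not p["path"].lower().startswith(SYSTEM32):
            findings.append((p["pid"], name, f"unexpected image path {p['path']}"))
        parent = by_pid.get(p["ppid"])
        if parents and (parent is None or parent["name"] not in parents):
            seen = parent["name"] if parent else "missing"
            findings.append((p["pid"], name, f"parent is {seen}, expected {sorted(parents)}"))
        if name in MUST_BE_SERVICE_ACCOUNT and p["user"].lower() not in SERVICE_ACCOUNTS:
            findings.append((p["pid"], name, f"running as {p['user']}, not a service account"))
    return findings


def proc(pid, ppid, name, path, user):
    return {"pid": pid, "ppid": ppid, "name": name.lower(), "path": path, "user": user}


SYS = "NT AUTHORITY\\SYSTEM"
SAMPLE_PROCS = [                       # constructed listing; PIDs are illustrative
    proc(0, 0, "System Idle Process", "", SYS),
    proc(4, 0, "System", "", SYS),
    proc(320, 4, "smss.exe", "C:\\Windows\\System32\\smss.exe", SYS),
    proc(404, 396, "csrss.exe", "C:\\Windows\\System32\\csrss.exe", SYS),   # parent 396 exited
    proc(476, 396, "wininit.exe", "C:\\Windows\\System32\\wininit.exe", SYS),
    proc(588, 476, "services.exe", "C:\\Windows\\System32\\services.exe", SYS),
    proc(604, 476, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", SYS),
    proc(732, 588, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    proc(2212, 1500, "explorer.exe", "C:\\Windows\\explorer.exe", "WS01\\bob"),
    # Planted anomalies: an svchost.exe spawned by explorer from a user temp
    # directory, and a second csrss.exe living outside System32.
    proc(4120, 2212, "svchost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", "WS01\\bob"),
    proc(4188, 2212, "csrss.exe", "C:\\Windows\\Temp\\csrss.exe", "WS01\\bob"),
]
```

`check_process_tree(SAMPLE_PROCS)` is silent for the nine legitimate entries and reports four findings: the rogue svchost.exe trips the path, parent and account checks at once, and the second csrss.exe is caught by its path alone, since a second csrss instance is not itself abnormal. Whether a given parent rule holds on a particular Windows build is something to confirm against a known-good host before alerting on it.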

    Description

    This quiz explores key concepts in security intelligence and threat modeling, focusing on understanding vulnerabilities and potential attacks to information systems. It includes insights on cyber threat intelligence, adversary capabilities, and proactive threat hunting. Test your knowledge on how to identify, assess, and mitigate threats in cybersecurity.
