Cybersecurity Threat Intelligence and Hunting
44 Questions
Questions and Answers

Match the following characters with their categorization in URLs:

  • % = Reserved Character
  • = Unsafe Character
  • / = Reserved Character
  • { = Unsafe Character

Match the following terms with their descriptions related to URL handling:

  • Percent Encoding = Allows submission of any character or binary data in URLs
  • Double Encoding = Encoding the percent sign along with the character
  • Obfuscation = Misleading the nature of a URL through encoding
  • Null String Termination = A method causing a premature end to a string

Match the following examples with their appropriate URL components:

  • http://diontraining.com = Base URL
  • upload.php?post= = Query Parameter
  • //www.DionTraining.com = Scheme
  • %3Cscript%3E = Percent Encoded Data

Match the following security concepts with their explanations:

  • Malicious Input = Input designed to exploit vulnerabilities
  • Directory Traversal = Accessing unauthorized directories via URLs
  • User-Agent = A client application making requests to servers
  • System and Network Concepts = Foundational principles in security operations

Match the following URL issues with their implications:

  • Unsafe Characters = Can lead to security vulnerabilities
  • Reserved Characters = Have specific meanings in URLs
  • Encoding Misuse = Can conceal malicious activity in URLs
  • Carriage Return = Not allowed within a valid URL

Match the following Windows processes with their primary functions:

  • lsass.exe = Handles authentication and authorization services
  • winlogon.exe = Manages access to the user desktop
  • userinit.exe = Sets up the user shell
  • explorer.exe = Typical user shell and process launcher

Match the following process characteristics with their corresponding suspicious indicators:

  • Unknown process name = Any process name that you do not recognize
  • Similar to legitimate process = Any process name that is similar to a legitimate system process
  • Missing metadata = Processes that appear without an icon, version info, or company name
  • Unsigned processes = Processes that are unsigned, especially from known companies

Match the Windows processes with their expected number of instances:

  • lsass.exe = Should have one instance running
  • winlogon.exe = Should have one instance per user session
  • userinit.exe = Should only be seen briefly after log-on
  • explorer.exe = Can have multiple instances for different user processes

Match the Windows process with its parental relationship:

  • lsass.exe = Child of wininit.exe
  • winlogon.exe = Child of dwm.exe
  • userinit.exe = Launches explorer.exe as the shell
  • explorer.exe = Parent for all processes started by the user

Match the mentioned processes with how they should ideally function:

  • lsass.exe = Single instance necessary for system operation
  • winlogon.exe = Essential for user session management
  • userinit.exe = Transient process on log-on
  • explorer.exe = Persistent user interface for file management

Match each type of threat classification with its description:

  • Known Threats = A threat that can be identified using basic signature or pattern matching
  • Malware = Any software intentionally designed to cause damage to a computer, server, client, or network
  • Zero-day Exploit = An unknown exploit that exposes a vulnerability in software or hardware
  • Obfuscated Malware Code = Malicious code whose execution is hidden through techniques like compression or encryption

Match the terms with their respective definitions:

  • Behavior-based Detection = A method that evaluates an object based on its intended actions before execution
  • Recycled Threats = Combining and modifying parts of existing exploit code to create new threats
  • Known Unknowns = Malware that contains obfuscation techniques to circumvent signature-matching
  • Unknown Unknowns = Malware that contains completely new attack vectors and exploits

Match the following types of vulnerabilities with their characteristics:

  • Documented Exploits = A sequence of commands that takes advantage of a vulnerability
  • Unknown Threats = A threat that cannot be identified using basic signature or pattern matching
  • Hacker = An individual who seeks to exploit and harm networks
  • Threat Actors = Those who wish to harm networks or steal secure data

Match the terms with their relevant scenarios:

  • Known Threats = Identified using signature or pattern matching
  • Malware = Intentionally designed harmful software
  • Zero-day Exploit = Vulnerability exposure before realization of a problem
  • Obfuscated Malware Code = Execution hiding through various techniques

Match the different classifications of threats with their details:

  • Behavior-based Detection = Evaluates intended actions before execution
  • Recycled Threats = Creation of new threats from existing exploit code
  • Known Unknowns = Circumventing signature detection with obfuscation
  • Unknown Unknowns = New attack vectors with no prior identification

Match these threat concepts with their descriptions:

  • Similar Threats = Those that can be recognized through common patterns
  • Targeted Malware = Strategically crafted to attack specific entities
  • Zero-day Vulnerabilities = Previously unknown weaknesses exploited in the wild
  • Obfuscated Code = Code designed to hide its true intentions

Match the following exploits with their types:

  • Zero-day Exploit = Unknown exploit causing immediate issues
  • Documented Exploit = Proven weaknesses utilized in attacks
  • Known Threats = Capable of being identified and mitigated
  • Obfuscated Malware = Types designed to evade detection measures

Match each malware classification with its definition:

  • Malware = Software intended to damage or exploit systems
  • Unknown Threats = Not identifiable via signature matching
  • Known Unknowns = Contains obfuscation techniques
  • Zero-day = Exploiting vulnerabilities not yet discovered

Match the following endpoint security tools with their descriptions:

  • Antivirus (AV) = Software capable of detecting and removing virus infections
  • Host-based IDS/IPS (HIDS/HIPS) = Monitors a computer system for unexpected behavior
  • Endpoint Protection Platform (EPP) = Performs multiple security tasks including firewall and encryption
  • User and Entity Behavior Analytics (UEBA) = Automates identification of suspicious activity by user accounts

Match the following sandboxing features with their purposes:

  • Monitor system changes = Tracks alterations made by malware
  • Create snapshots = Captures the state of the system at a specific time
  • Execute known malware = Test behavior of existing malware samples
  • Dump virtual machine's memory = Extracts memory contents for analysis

Match the following common sandbox tools with their functionalities:

  • FLARE VM = Runs a Windows binary and monitors changes
  • Cuckoo = Automatically runs malware in various environments
  • Joe Sandbox = Analyzes malware behavior across multiple platforms
  • Honeypot lab = Studies malware and its C2 through multiple sandboxed machines

Match the following reverse engineering components with their descriptions:

  • Disassembler = Translates machine language into assembly language
  • Decompiler = Converts low-level machine code into high-level code
  • File Signature = Indicates file type by the first two bytes of a binary header
  • Assembly Code = Native processor instructions for program implementation

Match the following types of malware analysis methods with their definitions:

  • Static Analysis = Examines the code without executing it
  • Dynamic Analysis = Monitors the behavior of malware during execution
  • Behavioral Analysis = Identifies patterns in how malware operates
  • Signature-based Detection = Uses known patterns to identify malware

Match the following types of malware with their characteristics:

  • Worms = Self-replicating malware spread over networks
  • Trojans = Disguised as legitimate software but harmful
  • Ransomware = Locks user data and demands payment for access
  • Rootkits = Gain unauthorized access and remain hidden

Match the following malware analysis goals with their approaches:

  • Determining if a file is malicious = Testing within an isolated environment
  • Identifying dependencies = Analyzing system interactions of malware
  • Understanding malware behavior = Emulating real computer environments
  • Classifying malware = Automating detection based on behavior

Match the following terms related to malware exploitation with their meanings:

  • Exploit Technique = Specific method used by malware to infect a target
  • Fileless Techniques = Malware infection methods avoiding traditional files
  • Advanced Threat Protection (ATP) = Preemptive defensive measures against advanced threats
  • NextGen AV = Hybrid approach combining multiple security techniques

Match the following programming concepts with their descriptions:

  • Strings = Encoded character sequences within executable files
  • Packed Programs = Compressed executables that require unpacking
  • Malware Code Obfuscation = Techniques to mask code from analysis
  • Machine Code = Binary code executed by processors

Match the following characteristics of EDR solutions with their functionalities:

  • Data collection = Gathers information from endpoint systems
  • Log analysis = Evaluates collected logs for suspicious activities
  • Threat detection = Identifies potential threats using data
  • Response automation = Provides automated responses to detected threats

Match the following cybersecurity principles with their importance:

  • Endpoint Protection = Safeguards individual devices from threats
  • Network Monitoring = Tracks network traffic for anomalies
  • Malware Analysis = Investigates malicious software for understanding
  • Access Control = Regulates who can access information and resources

Match the firewall log types with their descriptions:

  • Connections that are permitted or denied = Tracking allowed or blocked network activity
  • Port and protocol usage = Monitoring network traffic characteristics
  • Bandwidth utilization = Analyzing usage duration and data volume
  • Audit log of address translations = Logging NAT/PAT operations

Match the firewall tool with its description:

  • iptables = A Linux-based firewall using syslog format
  • Windows Firewall = A Windows-based firewall in W3C Extended Log Format
  • NAT = Translates private IP addresses to a public address
  • PAT = Maps multiple private IPs to a single public address

Match the type of proxy with its function:

  • Forward Proxy = Mediates client-server communication
  • Transparent Proxy = Redirects without client configuration
  • Nontransparent Proxy = Requires client to be configured with proxy details
  • Reverse Proxy = Protects backend servers from direct requests

Match the egress filtering principle with its action:

  • Whitelist application ports = Allow only authorized outbound traffic
  • Block known bad IP ranges = Prevent connections to malicious addresses
  • Restrict DNS lookups = Limit queries to trusted DNS services
  • Block internet access from specific subnets = Secure isolated network segments

Match the attack mitigation strategy with its description:

  • Black Hole = Silently drops malicious traffic
  • Sinkhole = Directs attack traffic for analysis
  • Firewalking = Probes firewall for open ports
  • Blinding Attack = Missed logs due to resource limitations

Match the characteristics with the type of firewall configuration:

  • Screened Subnet = Exposes external services to untrusted networks
  • ACL Processing = Processes from top to bottom based on specificity
  • Drop vs Reject = Two ways to handle denied packets
  • Egress Filtering = Controls outbound traffic to mitigate malware

Match the type of web attack with its prevention method:

  • SQL Injection = Prevention through WAF
  • Cross-Site Scripting (XSS) = Monitored by application firewalls
  • DoS attacks = Mitigated by traffic management
  • Code Injection = Defended against with web application filters

Match the element of proxy logs with its function:

  • Cached content = Improves access speed
  • Client request logs = Tracks user activity
  • Blocked requests = Logs intent of filtered traffic
  • Redirected responses = Manages communication flow

Match intrusion detection systems (IDS) with their purpose:

  • IDS = Monitors for attacks in progress
  • IPS = Prevents detected threats actively
  • SIEM = Correlates log data from multiple sources
  • Honeypot = Distracts attackers from real targets

Match security data types with their explanation:

  • Event severity = Indicates the seriousness of an incident
  • URL parameters = Details of web requests made
  • Protocol used = Identifies the communication method
  • Event timing = Records when an incident occurred

Match the configuration best practice with its goal:

  • Block internal loopback requests = Mitigate insider threats
  • Use specific block rules = Enhance ACL efficiency
  • Limit IPv6 access = Control exposure of the network
  • Implement logging tools = Facilitate large volume analysis

Match the firewall component with its characteristic:

  • Drop rule = Makes port states less identifiable
  • Explicit reject = Informs sender of blocked traffic
  • Packet filtering = Evaluates each packet against rules
  • Network Address Translation = Masks private IP addresses

Match the firewall log format with its source:

  • Syslog format = Used by iptables on Linux
  • W3C Extended Log Format = Utilized by Windows Firewall
  • JSON format = Common in web application firewalls
  • Custom vendor format = Specific to individual firewall manufacturers

Match the term with its correct definition:

  • Dark Nets = Unused IP address space
  • Screened subnet = Subnetwork for external services
  • Common port filtering = Restricts access to port services
  • Malware C2 prevention = Blocks malware command communication

Match the firewall functionality with its purpose:

  • Audit logging = Records all firewall activities
  • Traffic filtering = Regulates data flow based on rules
  • Connection tracking = Monitors active sessions
  • Access control = Manages allowed and blocked connections

Study Notes

Threat Intelligence vs. Threat Hunting

  • Threat intelligence is the process of collecting, analyzing, and disseminating information about potential threats.
  • Threat hunting is a proactive approach to security that uses information from threat intelligence to identify potential threats before they can cause harm.

Prioritizing Vulnerabilities

  • Consider the potential impact of the vulnerability: How much damage could an attacker do if they exploited this vulnerability? If the vulnerability is in a critical system that stores sensitive data, it must be prioritized.
  • Evaluate the likelihood of exploitation: How easy is it for an attacker to exploit this vulnerability? If the vulnerability is publicly known, it's more likely to be exploited.
  • Consider the resources required to fix the vulnerability: How much time and money will it take to fix the vulnerability? If it's a simple fix, it should be done quickly.

Attack Methodology Frameworks

  • Attack methodologies (e.g., MITRE ATT&CK) describe common attack tactics and techniques that adversaries use.
  • These frameworks help security professionals understand the techniques used in attacks, making it possible to identify and mitigate them.
  • Frameworks can also be used to assess the existing security controls to identify potential weaknesses in the defenses.

Threat Types

  • Known Threats: These can be identified using basic signature or pattern matching.
  • Malware: Malicious software designed to damage systems or networks.
  • Documented Exploits: Software, data, or commands that exploit vulnerabilities for unauthorized access or malicious actions.
  • Unknown Threats: Threats undiscoverable by standard signature or pattern matching techniques.
  • Zero-day Exploits: Unknown vulnerabilities exploited in the wild, posing immediate risks before detection and mitigation.
  • Obfuscated Malware Code: Malicious code hidden using techniques like compression, encryption, or encoding to hinder analysis.
  • Behavior-based Detection: Malware detection based on analyzing intended actions rather than relying solely on established signatures.
  • Recycled Threats: Combining and modifying existing exploit code to create new, disguised threats.
  • Known Unknowns: Malware employing obfuscation to bypass signature-matching detection.
  • Unknown Unknowns: Malware utilizing completely novel attacks and exploit methods.

Threat Actors

  • Threat Actors: Individuals or groups intending to cause harm to networks or steal data.

Percent Encoding

  • Can be used to represent unsafe characters in URLs, ensuring proper transmission and interpretation by servers.
  • Allows characters that aren't directly allowed in URLs to be represented using an encoded format.
  • Can be misused for obfuscation, hiding malicious scripts or binary data in URLs.
  • Can be double-encoded to further obscure malicious intent, making detection more challenging.
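As an added example (not part of the quiz page), the following Python decodes a request URL layer by layer and flags the abuses the notes describe: double encoding, null-byte termination, directory traversal, script tags hidden behind %XX sequences, and stray CR/LF. The sample URLs are constructed for the demonstration; only the diontraining.com host and the %3Cscript%3E item come from the quiz.

```python
"""Added example (not from the quiz page): spotting percent-encoding abuse.

Decodes a URL's path and query layer by layer, then looks for the
indicators the notes describe. The sample URLs below are constructed.
"""
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # bound the loop so a pathological input cannot spin forever


def decode_layers(value: str):
    """Percent-decode repeatedly until the text stops changing.

    Returns (fully_decoded_text, number_of_layers_removed). A value that
    needed two or more rounds was double (or deeper) encoded.
    """
    current, rounds = value, 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def analyze_url(url: str):
    """Return the list of indicator names found in a URL, in a fixed order."""
    parts = urlsplit(url)
    raw = parts.path + ("?" + parts.query if parts.query else "")
    decoded, rounds = decode_layers(raw)
    lowered = decoded.lower()
    findings = []
    if rounds >= 2:
        findings.append("double-encoding")
    if "\x00" in decoded:                      # %00 after decoding
        findings.append("null-byte")
    if "../" in decoded or "..\\" in decoded:  # ..%2F or ..%5C after decoding
        findings.append("directory-traversal")
    if "<script" in lowered or "javascript:" in lowered:
        findings.append("script-injection")
    if "\r" in decoded or "\n" in decoded:     # %0D / %0A are not valid in a URL
        findings.append("crlf")
    return findings


# Constructed sample requests; the second mirrors the quiz's %3Cscript%3E item.
SAMPLE_URLS = [
    "http://diontraining.com/index.html",
    "http://diontraining.com/upload.php?post=%3Cscript%3E",
    "http://diontraining.com/upload.php?post=%253Cscript%253E",
    "http://diontraining.com/images/..%2F..%2Fetc%2Fpasswd%00.png",
]


def scan_samples():
    """Map each sample URL to its indicators (an empty list means nothing odd)."""
    return {url: analyze_url(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, hits in scan_samples().items():
        print(f"{url}\n    -> {hits or 'clean'}")
```

The point of decoding in a loop is that a filter which decodes exactly once sees `%3C` where the application, decoding a second time, sees `<`; comparing the round count against the page's "double encoding" item makes that mismatch visible in the log rather than in the application.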

Appliance Monitoring

  • Firewall Logs: Records of network traffic allowed or blocked, ports and protocols used, bandwidth utilization, and Network Address Translation (NAT/PAT) events.
  • Firewall log formats: Often vendor-specific.
  • Common Tools:
    • iptables: Linux-based firewall using syslog format for logs.
    • Windows Firewall: Windows-based firewall using W3C Extended Log File Format.
    • Log Collection Tools: Necessary for gathering large volumes of firewall logs for analysis.
  • Blinding Attack: A scenario where the firewall can't keep up with logging due to high traffic, resulting in data loss.
  • Log Retention: Determined by the volume of events and available storage capacity.

Firewall Configurations

  • Screened Subnet: A network segment that isolates and exposes external services to untrusted networks like the internet.
  • ACL (Access Control List): A set of rules prioritizing specific traffic based on IP addresses, ports, or applications, determining what traffic is allowed or blocked.
  • Firewall ACL Configuration Principles:
    • Block incoming requests from internal, loopback, and multicast IP address ranges.
    • Block incoming requests from protocols typically used locally (ICMP, DHCP, OSPF, SMB, etc.).
    • Configure IPv6 to either block all IPv6 traffic or restrict it to authorized hosts and ports.
  • Drop vs. Reject:
    • Drop: Silently discarding packets, making it challenging to identify port states.
    • Reject: Explicitly rejecting packets with a TCP RST or ICMP port/protocol error message.
  • Firewalking: A reconnaissance technique used to map firewalls and find hosts behind them.
  • Egress Filtering: ACL rules applied to outbound traffic to prevent malware from communicating with command-and-control servers.

Egress Filter Best Practices

  • Allow only whitelisted application ports and destination addresses.
  • Restrict DNS lookups to trusted and authorized DNS services.
  • Block access to known malicious IP address ranges (blocklist).
  • Block all internet access from subnets that don't require it (e.g., ICS/SCADA systems).
  • Limitations: Some malware operates over social media and cloud-based HTTPS connections, making complete elimination challenging.

Security Mitigation Strategies

  • Black Hole: Silently dropping traffic to mitigate DoS or intrusion attacks.
  • Dark Nets: Unused network ports or IP address space on a local network, a potential target for attackers.
  • Sinkhole: Redirecting traffic flooding a target IP address to a separate network for analysis, providing more information than blackholing.

Proxies and Logging

  • Forward Proxy: Acts as a mediator between a client and a server, potentially filtering, modifying, or caching requests for performance improvement.
  • Nontransparent Proxy: Clients must be explicitly configured to use this type of proxy.
  • Transparent Proxy (Forced/Intercepting Proxy): Clients are not aware of using this proxy, as it redirects traffic without explicit configuration.
  • Proxy Log Analysis: Reveals website visits, request contents, and the rules applied for filtering or blocking traffic.
  • Reverse Proxy: Protects servers from direct client requests, providing a layer of security.
  • Reverse Proxy Log Analysis: Helps detect malicious activity based on request headers, URLs, and signs of compromise.

Web Application Firewalls

  • WAF (Web Application Firewall): Designed to protect web servers and their associated databases from code injection and DoS attacks.
  • WAF Functionality: Prevents web-based vulnerabilities like SQL injection, XML injection, and cross-site scripting (XSS) attacks.
  • WAF Logs: Often stored using JSON format, containing event details like time, severity, URL parameters, HTTP method, and rule context.

Intrusion Detection and Prevention Systems

  • IDS (Intrusion Detection System): Software/hardware that monitors security infrastructure for signs of active attacks.
  • IPS (Intrusion Prevention System): Similar to an IDS but takes proactive measures to block attacks based on detected threats.
  • Key Differentiation:
    • IDS: Detects attacks and alerts administrators.
    • IPS: Additionally blocks identified attacks.

Endpoint Monitoring

  • Antivirus (AV) software detects and removes viruses, worms, trojans, rootkits, adware, spyware, and other malware.

  • Host-based Intrusion Detection/Prevention System (HIDS/HIPS) monitors a computer system for unexpected behavior or drastic changes to the system's state.

  • Endpoint Protection Platform (EPP) includes an agent and monitoring system that performs multiple security tasks like anti-virus, HIDS/HIPS, firewall, DLP, and file encryption.

  • Endpoint Detection and Response (EDR) includes software agents that collect system data and logs for analysis by a monitoring system for early threat detection.

  • User and Entity Behavior Analytics (UEBA) identifies suspicious activity by user accounts and computer hosts with the help of artificial intelligence (AI) and machine learning (ML).

  • Advanced Threat Protection (ATP), Advanced Endpoint Protection (AEP), and Next-Gen AV (NGAV) are modern security solutions that combine features from EPP, EDR, and UEBA.

Sandboxing

  • Sandboxing isolates a computing environment from the host system. The sandbox is controlled and secure, and communication links between the sandbox and the host are usually prohibited.

  • Sandboxing helps determine whether a file is malicious and identify its effects on the system and its dependencies.

  • Sandboxing tools monitor system changes, execute known malware, identify process changes, monitor network activity, system calls, create snapshots, and record file creation and deletion.

  • The sandbox host (virtual machine) should only be used for malware analysis.

  • FLARE VM, Cuckoo, and Joe Sandbox are popular sandboxing tools. They emulate real computer environments and allow analysis of malware samples in an isolated setting.

  • For complex analysis, a honeypot lab with multiple sandboxed machines and Internet access is necessary.

Reverse Engineering

  • Reverse Engineering analyzes the structure of hardware or software to understand how it functions.

  • Reverse engineers can determine who wrote the code by identifying patterns.

  • Malware writers often obfuscate code to prevent analysis.

  • Disassemblers translate machine language into assembly language.

  • Machine Code is binary code executed by the processor, typically represented as 2 hex digits for each byte.

  • File Signature (or Magic Number) identifies the file type. For example, the first two bytes of a Windows portable executable (EXE, DLL, SYS, DRV, or COM) are always 4D 5A in hex, which reads as MZ in ASCII and becomes TV when the file is Base64-encoded.

  • Assembly Code contains native processor instructions used to implement the program.

  • Decompilers translate binary or low-level machine code into higher-level code.

  • High-level Code is human-readable code that makes it easier to identify functions, variables, and programming logic.

  • Reverse engineers identify malware by looking for strings, such as "InternetOpenUrl" and URLs. The Strings tool dumps all strings with over three characters in ASCII or Unicode encoding.

  • Program Packers compress executables and contain code to decompress the executable.

  • Packed programs act as self-extracting archives.

  • Packed malware can mask string literals and modify its signatures to avoid detection from signature-based scanners.
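The following Python is an added example, not code from the quiz page: it performs the two triage steps the notes above describe, checking a file's leading bytes against known signatures (including the 4D 5A / MZ header and its TV form after Base64 encoding) and dumping printable strings of more than three characters the way the Strings tool does. The sample binary, its strings and the c2.example.invalid host are constructed stand-ins, not a real executable.

```python
"""Added example (not from the quiz page): file-signature and strings triage.

identify_magic() checks the leading bytes; identify_base64_payload() shows
the same MZ header turning into "TV" once base64-encoded; extract_strings()
mimics the Strings tool's default of printing ASCII runs of more than three
characters. The sample bytes below are constructed.
"""
import base64
import binascii
import re

MAGIC_NUMBERS = {
    b"MZ": "pe",           # 4D 5A: Windows EXE/DLL/SYS/DRV
    b"\x7fELF": "elf",     # Linux/Unix executables
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",  # also DOCX/XLSX/JAR containers
}


def identify_magic(data: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def identify_base64_payload(text: str) -> str:
    """Decode base64 text (e.g. embedded in a script) and classify the result."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return identify_magic(raw)


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable-ASCII runs of at least min_len characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


# Constructed stand-in for a PE: an MZ header, padding, then two telltale strings.
SAMPLE_PE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 10
    + b"InternetOpenUrlA\x00"
    + b"http://c2.example.invalid/\x00"
    + b"ab\x00"                         # too short for the strings dump
)
SAMPLE_PE_B64 = base64.b64encode(SAMPLE_PE).decode("ascii")


def triage(data: bytes):
    """One-call summary: file kind, its base64 prefix, and the interesting strings."""
    return {
        "kind": identify_magic(data),
        "base64_prefix": base64.b64encode(data[:2]).decode("ascii")[:2],
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PE))
```

Because Base64 maps each 3-byte group to 4 characters, the first two output characters depend only on the first 12 bits of input, which is why every MZ-headed file encodes to text starting with TV regardless of what follows; the same reasoning lets a log filter recognise a Base64-wrapped executable without decoding the whole blob.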

Malware Exploitation

  • Exploit Techniques are specific methods malware uses to infect target hosts.

  • Fileless techniques are used to avoid detection by signature-based software.

  • Local Security Authority SubSystem (lsass.exe) handles authentication and authorization services for the system. It should have a single instance running as a child of wininit.exe.

  • WINLOGON (winlogon.exe) manages access to the user desktop. It should only have one instance for each user session with the Desktop Window Manager (dwm.exe) as a child process.

  • USERINIT (userinit.exe) sets up the shell and quits, so you should only see this process briefly after log-on.

  • Explorer (explorer.exe) is the typical user shell and is likely to be the parent for all processes started by the logged-on user.

  • Suspicious processes include those with unfamiliar names, similar names to legitimate system processes, those that appear without an icon, version information, description or company name, and unsigned processes, especially from well-known companies.

Quiz Team

Description

Explore the differences between threat intelligence and threat hunting in cybersecurity. This quiz also covers how to prioritize vulnerabilities and understand attack methodologies, helping you grasp essential concepts in proactive security measures.
