Cybersecurity Threat Intelligence Quiz

Questions and Answers

A campaign is a collection of malicious actor behaviors targeting a common ______ over a finite timeframe.

target

A course of action is a preventative or response action to address an ______.

attack

An Identity is an SDO representing individuals, organizations, or ______.

groups

Indicators in spear phishing messages often use links with phishing ______, generic form language, or ASCII homographs.

domains

An intrusion set may comprise multiple campaigns over a long period, even if from the same threat ______.

actor

TAXII defines how threat data is shared among participating ______.

partners

TAXII specifies the structure for exchanging information and accompanying ______.

messages

TAXII 1.0 integrates with existing sharing agreements using three primary ______.

models

In the Hub and Spoke model, a central Hub communicates with multiple ______ nodes.

Spoke

In the Peer-to-Peer model, peers communicate ______ with each other.

directly

Accuracy is crucial for decision-making in information __________.

security

Analysts should acknowledge and mitigate __________ by surrounding themselves with diverse perspectives.

bias

The __________ level of confidence is used for assessments based on high-quality information.

high

Moderate confidence indicates that the information is credibly sourced but not sufficient for a higher level of __________.

confidence

Information categorized as __________ is questionable, fragmented, and raises significant concerns about its sources.

low

Malware is any malicious code or software used to compromise the integrity or availability of a system or its ______.

data

The observed data SDO describes any observable collected from a network or ______ device.

system

Reports detail security events, including the malware used or the methodologies employed during a ______.

campaign

The threat actor SDO identifies individuals or groups responsible for ______ activities.

malicious

The tool SDO describes software used by threat actors during ______.

campaigns

An indicator includes context describing an aspect of an event relating to a specific ______.

intrusion

To transform newly discovered indicators into actionable items, analysts perform ______ to determine if the indicator is valid.

vetting

The Structured Threat Information Expression (STIX) uses a structure based on twelve Domain Objects (SDOs) and two ______ Objects (SROs).

Relationship

Attack patterns help categorize attacker tactics, techniques, and ______.

procedures

Sharing threat intelligence with partners benefits everyone by improving detection and prioritizing ______ allocation.

resource

A Vulnerability SDO is used to communicate any mistake in software that an attacker can exploit to gain unauthorized access to a _____

system

Malware objects provide key characteristics about the malicious software and when they are used in an _____

attack

The Relationship SRO links SDOs together and shows how they work with each _____

other

A Sighting SRO provides information about the occurrence of an SDO, such as an indicator or _____

malware

The relationship type 'target' is used to show the relationship between a source SDO and a target _____

SDO

Signature-based systems are effective against ______ threats.

known

Anomaly-based systems examine what an executable does, not just what it ______ like.

looks

'Zero day' refers to a vulnerability or exploit in software that is previously ______ to the public.

unknown

Anomaly-based systems often use a ______ environment to observe an executable's behavior.

virtual

A zero-day vulnerability is a flaw in software that the ______ is unaware of.

vendor

The TAXII server manages the ______ and channels.

collections

OpenIOC is designed to organize information about attacker tactics, techniques, and procedures (TTPs) and indicators of ______.

compromise

The ______ is the client that requests and subscribes to data in the TAXII 2.0 architecture.

Consumer

OpenIOC comprises three main components: IOC Metadata, References, and ______.

Definition

A ______ in OpenIOC describes how the IOC fits operationally within specific environments.

Reference

APTs are identified by the use of stealthy and continuous computer hacking ______.

techniques

APT operators often use both digital surveillance and traditional techniques targeting ______.

humans

These campaigns are often orchestrated by military or government ______.

entities

APTs reflect a political plan, indicating their nature as a deeper ______ issue.

political

The execution of APT campaigns might be automated, but humans are responsible for their ______.

orchestration

Zero-day vulnerabilities create black markets for these ______.

exploits

Security teams need to develop ______ and controls to mitigate impacts from discoveries.

mitigations

Organizations should use a multi-faceted approach to respond to ______ exploits.

zero-day

The US Pentagon has adopted 'Hack the Pentagon' as part of a ______ program.

bug bounty

Proactive efforts to discover new ______ are essential for organizations.

threats

Flashcards

Accuracy in threat intelligence

Threat intelligence needs accurate information, even if not perfectly understanding the situation.

Analyst bias

Analysts' personal viewpoints can affect judgments. Diverse teams and structured methods are crucial.

High confidence intelligence

Strong support for the accuracy of the intelligence from information's quality or judgment strength.

Moderate confidence intelligence

Credible but less reliable information, not enough data for higher confidence.

Low confidence intelligence

Questionable or implausible information; lacking sufficient support.

Indicator

Observable artifact on a network, including context related to a specific intrusion.

Indicator Vetting

Determining if an indicator is valid and researching its source.

Indicator Analysis

Investigating an indicator's originating signal to check its use in spotting malicious activity.

STIX

Standardized threat data communication, with a structured format for representing threat data.

Attack Pattern

Representation of attacker tactics, techniques, and procedures (TTPs), such as spear phishing.

Campaign

A group of malicious actions targeting a specific target over a limited time.

Course of Action

A preventative or reactive measure taken to deal with an attack.

Identity (SDO)

A representation of an individual, organization, or group in security data.

Indicator (SDO)

Observable suspicious activity on a network or endpoint, needing context.

Intrusion Set

Collection of behaviors or techniques shared among attacks, possibly by different actors.

Malware definition

Malicious software used to harm or compromise a system.

Observed Data

Raw data from networks/devices; not intelligence.

Threat Actor

Person/group causing malicious activity.

Security Report

Completed intelligence product on a security event.

Tool (SDO)

Software used by threat actors (not malware).

TAXII

A standard protocol for exchanging threat intelligence data between different organizations.

Hub and Spoke Model

A central hub (like a server) distributes threat information to multiple spoke nodes (like clients).

Source/Subscriber Model

A central source (like a newsfeed) sends threat information to multiple subscribers (like recipients).

Peer-to-Peer Model

Multiple organizations (peers) directly share threat intelligence with each other, without a central point of control.

What are the 3 main TAXII models?

Hub and Spoke, Source/Subscriber, and Peer-to-Peer.

Vulnerability SDO

A vulnerability SDO describes a weakness in software that attackers can exploit to gain unauthorized access. It's like a crack in a wall that allows someone to get inside.

Malware Object

A Malware Object provides information about the malicious software used in an attack, highlighting its key characteristics and capabilities. It's like a description of a weapon.

Relationship SRO

A Relationship SRO links different SDOs together, showing how they work with each other. It reveals the connection between, for example, a vulnerability and the malware that exploits it.

Sighting SRO

A Sighting SRO provides information about when, where, and how often an SDO (like malware or an indicator) was observed. It helps understand attack trends and evolution.

Target Relationship

A common type of Relationship SRO used to describe how a source SDO interacts with a target SDO. For instance, 'malware targets vulnerability' describes how malware exploits a weakness.

Zero-day exploit

A vulnerability in software that is unknown to the vendor and can be exploited before a patch is released.

Exploit marketplace

A black market where malicious actors buy and sell zero-day exploits.

Bug bounty programs

Programs where companies incentivize researchers to find and report vulnerabilities in their software.

SANS Internet Storm Center

A resource center dedicated to sharing information about emerging cyber threats and vulnerabilities.

Proactive threat discovery

Identifying potential threats before they impact an organization.

TAXII 2.0 Collections

A logical store of threat data objects managed by a TAXII server. It provides a structured way for clients to access and share threat intelligence.

TAXII 2.0 Channels

A communication pathway managed by the TAXII server, allowing clients to subscribe to published threat data updates.

OpenIOC Framework

A framework that organizes information about attacker tactics, techniques, procedures, and indicators of compromise in a machine-readable format.

What is OpenIOC Metadata?

Metadata within the OpenIOC framework includes information like the author's name, the IOC's name, and a description. It provides context about the IOC.

What are OpenIOC References?

References in OpenIOC provide details about how an IOC relates to specific environments and its operational context. Analysts need to verify these references for external sharing.

Signature-based detection

This type of security system relies on identifying known malicious patterns (signatures) in software or network traffic. It's effective against known threats but ineffective against new or evolving threats.

Anomaly-based detection

This security system looks for unusual or unexpected behavior in software or network traffic. It analyzes how a program runs, rather than just its code, to detect suspicious activity.

Zero-day vulnerability

A previously unknown flaw in software that can be exploited before a fix is available. Attackers can use this vulnerability to gain unauthorized access to systems or data.

Sandbox

A controlled environment where software is executed in isolation to observe its behavior without affecting the real system. It helps to identify malicious behavior.

What is the difference between signature-based and anomaly-based detection?

Signature-based detection relies on known patterns of malicious activity, while anomaly-based detection looks for unexpected behavior. Signature-based is effective against known threats but ineffective against new or evolving threats. Anomaly-based can detect unknown threats but may produce false positives and requires careful configuration.

What is an APT?

An APT is a sophisticated, long-term cyberattack campaign often orchestrated by nation-states or well-funded organizations. They aim to gain persistent access to target systems and steal sensitive data, all while remaining undetected.

What makes APTs 'advanced'?

APT operators are highly skilled, well-funded, and use advanced techniques. They utilize a wide range of tools, tactics, and resources, including sophisticated malware, social engineering, and intelligence gathering.

What makes APTs 'persistent'?

APTs are not quick, opportunistic attacks. They are planned and executed over long periods, focusing on specific targets with clear goals.

What makes APTs a 'threat'?

APTs are not mere technical issues. They are driven by political motives and often involve espionage or sabotage. Their impact can be devastating, compromising critical infrastructure or stealing sensitive information.

Why are APTs difficult to detect?

APTs are designed to evade detection. They use stealthy techniques, disguise their actions, and move slowly and carefully to avoid raising alarms.