Questions and Answers
What is one of the primary actions an attacker can perform during the actions on objectives phase?
What does the MITRE ATT&CK framework specifically categorize?
Which of the following is NOT one of the core features in the Diamond Model of Intrusion Analysis?
Why do some organizations view the Kill Chain model as too simplistic?
Which aspect does the Diamond Model of Intrusion Analysis help to analyze?
What does the term Indicator of Compromise (IoC) primarily refer to?
Why is correlating multiple IoCs essential in threat analysis?
What type of detection may struggle against advanced adversary tactics?
Which of the following is NOT identified as an indicator of compromise?
What do TTPs in behavioral threat research stand for?
How might a Security Operations Center (SOC) analyst identify a threat?
Which of the following is a characteristic of behavioral threat research?
Which of the following indicators could suggest a DDoS attack?
What phase of the Kill Chain involves data exfiltration and network monitoring?
Which method is NOT used for delivering the weaponized code to the target?
In the Kill Chain, which step directly follows the Weaponization phase?
What is the main goal of the Reconnaissance phase in the Kill Chain?
What role does the Command and Control (C2) server play in the Kill Chain?
During which phase of the Kill Chain is the payload code created?
Which of the following could indicate the presence of malware on a device?
What tactic might an attacker use during the Reconnaissance phase to avoid detection?
Study Notes
CySA+ 2B: Attack Frameworks and Indicator Management
- Classifying threat actors: Understanding adversary motivations and capabilities is crucial. Because threat actors are so diverse, sophisticated tools are needed to track them. Attack frameworks help categorize and analyze indicators of compromise (IoCs).
- Indicators of Compromise (IoC): IoCs are residual signs that an asset or network has been successfully attacked. Some are specific (e.g., malware signatures); others require analyst interpretation (e.g., unusual data downloads). Analysts must exercise judgment, and correlating multiple IoCs improves accuracy.
- Types of IoCs: IoCs include unauthorized software, suspicious files/emails, suspicious registry changes, unknown ports/protocols, unusual bandwidth usage, rogue hardware, and service disruptions.
- Threat Research: Signature-based detection may not identify sophisticated adversary tactics. Threat research has evolved beyond static signatures to understand patterns in adversary behavior. This behavioral analysis helps identify tactics, techniques, and procedures (TTPs).
- Behavioral TTPs: Some TTPs to look for include DDoS attacks (increased network traffic), viruses/worms (higher CPU/memory use), network reconnaissance (port scans), and data exfiltration (spikes in data transfer).
Kill Chain
- Kill Chain Overview: A framework outlining the steps attackers usually take to achieve their objectives (e.g., Lockheed Martin Kill Chain). Seven steps are included: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.
- Reconnaissance: Attackers stealthily assess target systems and vulnerabilities.
- Weaponization: Attackers create the tools/code tailored to exploit vulnerabilities.
- Delivery: Attackers deliver the malware to the target. Common methods include email attachments, USB drives, and other means of transferring the weaponized code.
- Exploitation: The delivered malware is executed on the target system.
- Installation: The malicious code establishes persistence on the target system.
- Command and Control (C2): The attacker establishes communication to control the compromised system; a C2 server is used as the control point for various malware.
- Actions on Objectives: Attackers use their access to collect and exfiltrate data or to carry out other malicious actions.
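As an added example (not from the original quiz or its notes), the following correlates several of the behavioral IoCs listed above for a single host and maps each to the Kill Chain phase it suggests, so that one noisy indicator does not raise an alert on its own. The flow records, thresholds and port lists are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the page): (timestamp, src, dst, dst_port, bytes_out)
FLOWS = [
    (100, "10.0.0.5", "10.0.0.20", 22, 400),
    (101, "10.0.0.5", "10.0.0.20", 80, 400),
    (102, "10.0.0.5", "10.0.0.20", 443, 400),
    (103, "10.0.0.5", "10.0.0.20", 445, 400),
    (104, "10.0.0.5", "10.0.0.20", 3389, 400),
    (105, "10.0.0.5", "10.0.0.20", 8080, 400),
    (200, "10.0.0.5", "203.0.113.9", 6667, 300),          # unknown port, external host
    (260, "10.0.0.5", "203.0.113.9", 6667, 300),
    (320, "10.0.0.5", "203.0.113.9", 6667, 300),
    (400, "10.0.0.5", "203.0.113.9", 6667, 50_000_000),   # spike in data transfer
    (500, "10.0.0.7", "10.0.0.20", 443, 1200),            # benign host
    (501, "10.0.0.7", "198.51.100.4", 443, 900),
]

# Indicator -> Kill Chain phase it most plausibly belongs to (from the notes above).
PHASE = {"port_scan": "Reconnaissance",
         "c2_beacon": "Command and Control",
         "exfil_spike": "Actions on Objectives"}
KNOWN_PORTS = {22, 53, 80, 443}   # assumed baseline of expected external ports
SCAN_PORTS = 5                    # distinct ports to one destination = port scan
BEACON_MIN = 3                    # repeated contacts to one external host:port
SPIKE_BYTES = 10_000_000          # assumed per-flow bytes-out threshold

def is_internal(ip):
    return ip.startswith("10.")

def extract_indicators(flows):
    """Return {src_host: set(indicator_name)} derived from raw flow records."""
    ports = defaultdict(set)       # (src, dst) -> distinct destination ports
    contacts = defaultdict(int)    # (src, dst, port) -> contact count
    found = defaultdict(set)
    for _ts, src, dst, port, nbytes in flows:
        ports[(src, dst)].add(port)
        if not is_internal(dst) and port not in KNOWN_PORTS:
            contacts[(src, dst, port)] += 1
        if nbytes >= SPIKE_BYTES:
            found[src].add("exfil_spike")
    for (src, _dst), seen in ports.items():
        if len(seen) >= SCAN_PORTS:
            found[src].add("port_scan")
    for (src, _dst, _port), count in contacts.items():
        if count >= BEACON_MIN:
            found[src].add("c2_beacon")
    return found

def correlate(flows, min_indicators=2):
    """Alert only on hosts showing several distinct IoCs; list the phases they map to."""
    return {src: sorted(PHASE[i] for i in inds)
            for src, inds in extract_indicators(flows).items()
            if len(inds) >= min_indicators}
```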
MITRE ATT&CK Framework
- Alternative to Kill Chain for More Modern Attacks: Some organizations find the Kill Chain too basic for modern threats.
- MITRE ATT&CK Framework: A more nuanced framework that tags specific adversary tactics, techniques, and procedures (TTPs). Includes categories like target selection, initial access, persistence, lateral movement, and command and control.
- Importance of the Framework: The framework helps identify and categorize specific actions that attackers might take for more efficient threat response.
Diamond Model of Intrusion Analysis
- Analysis of Intrusion Events: This model helps analyze intrusion events focusing on adversary, capability, infrastructure, and victim.
- Graph Representation: The model uses a diamond shape to visualize the four core aspects of an intrusion event.
Description
Explore the fundamentals of attack frameworks and the management of Indicators of Compromise (IoCs) in the context of CySA+. This quiz covers the classification of threat actors, various types of IoCs, and the importance of threat research in modern cybersecurity. Test your knowledge of how to identify and analyze the signs of successful cyber attacks.