CySA+ 2B: Attack Frameworks and IoC Management

Questions and Answers

What is one of the primary actions an attacker can perform during the actions on objectives phase?

• Restore system functionality post-attack
• Collect information and execute data exfiltration (correct)
• Enhance perimeter security measures
• Establish initial access to the target system

What does the MITRE ATT&CK framework specifically categorize?

• Individual users and their credentials
• Policies for incident response
• Techniques used in cyber attacks (correct)
• Physical security vulnerabilities

Which of the following is NOT one of the core features in the Diamond Model of Intrusion Analysis?

• Adversary
• Infrastructure
• Victim
• Attacker motivation (correct)

Why do some organizations view the Kill Chain model as too simplistic?

It focuses too broadly on perimeter security. (B)

Which aspect does the Diamond Model of Intrusion Analysis help to analyze?

The relationships between various entities in an intrusion event (A)

What does the term Indicator of Compromise (IoC) primarily refer to?

A clear indication that a network has been attacked (C)

Why is correlating multiple IoCs essential in threat analysis?

It provides a clearer picture of events (D)

What type of detection may struggle against advanced adversary tactics?

Signature-based detection (B)

Which of the following is NOT identified as an indicator of compromise?

Monthly software updates (D)

What do TTPs in behavioral threat research stand for?

Tactics, Techniques, and Procedures (D)

How might a Security Operations Center (SOC) analyst identify a threat?

By noticing unusual downloading activity (C)

Which of the following is a characteristic of behavioral threat research?

It links multiple IoCs to identify patterns (A)

Which of the following indicators could suggest a DDoS attack?

A sudden spike in network traffic (A)

What phase of the Kill Chain involves data exfiltration and network monitoring?

Command and Control (B)

Which method is NOT used for delivering the weaponized code to the target?

Physical theft (D)

In the Kill Chain, which step directly follows the Weaponization phase?

Delivery (A)

What is the main goal of the Reconnaissance phase in the Kill Chain?

To gather information about the target's security (C)

What role does the Command and Control (C2) server play in the Kill Chain?

It facilitates remote control of infected systems (A)

During which phase of the Kill Chain is the payload code created?

Weaponization (C)

Which of the following could indicate the presence of malware on a device?

Increased memory usage (D)

What tactic might an attacker use during the Reconnaissance phase to avoid detection?

Utilizing a botnet or zombie hosts (D)

Flashcards

Data exfiltration

The attacker steals data from the target system and sends it to a remote location

MITRE ATT&CK

A framework that categorizes cyberattack techniques by tactics and unique IDs.

Kill Chain

A model of cyberattacks, focused on perimeter security.

Diamond Model

A model that analyzes intrusion events by looking at attacker, capabilities, infrastructure and victim.

CIA Triad

Important security goal.

Malware Indicators

Unusual CPU or memory usage leading to system slowdowns.

Network Reconnaissance

Attackers scanning ports and IP addresses to find weaknesses.

Reconnaissance (Kill Chain)

Attacker's initial step to explore target systems and vulnerabilities.

Weaponization (Kill Chain)

Crafting malware code to exploit vulnerabilities.

Delivery (Kill Chain)

Delivering the malware to the target system.

Exploitation (Kill Chain)

Using malware code to take advantage of an identified vulnerability.

Command and Control (C2)

Attacker's remote control center for malware.

Indicator of Compromise (IoC)

A sign or event indicating a successful attack on a system or network.

Examples of IoCs

Unauthorized files, suspicious emails, unusual registry changes, unusual port usage, or excessive bandwidth use.

Correlating IoCs

Combining multiple IoCs to get a more complete picture of an attack.

Threat Research

Analyzing attacker tactics (how they work), techniques (what tools they use), and procedures (steps they follow).

Behavioral Threat Research

Linking IoCs to create attack patterns.

TTPs

Tactics, Techniques, and Procedures used by Attackers.

DDoS attack

A sudden flood of network traffic intending to overwhelm a system or service.

Static Malware Signature

A method to detect malware based solely on known patterns within a database.

Study Notes

CySA+ 2B: Attack Frameworks and Indicator Management

• Classifying threat actors: Understanding adversary motivations and capabilities is crucial. Sophisticated tools are needed due to the diverse nature of threat actors. Attack frameworks can help categorize and analyze indicators of compromise (IoCs).
• Indicators of Compromise (IoC): IoCs are residual signs that an asset or network has been successfully attacked. They can be specific (e.g., malware signatures) or require analyst interpretation (e.g., unusual data downloads). Analysts must judge, but correlating multiple IoCs improves accuracy.
• Types of IoCs: IoCs include unauthorized software, suspicious files/emails, suspicious registry changes, unknown ports/protocols, unusual bandwidth usage, rogue hardware, and service disruptions.
• Threat Research: Signature-based detection may not identify sophisticated adversary tactics. Threat research has evolved beyond static signatures to understand patterns in adversary behavior. This behavioral analysis helps identify tactics, techniques, and procedures (TTPs).
• Behavioral TTPs: Some TTPs to look for include DDoS attacks (increased network traffic), viruses/worms (higher CPU/memory use), network reconnaissance (port scans), and data exfiltration (spikes in data transfer).

Kill Chain

• Kill Chain Overview: A framework outlining the steps attackers usually take to achieve their objectives (e.g., Lockheed Martin Kill Chain). Seven steps are included: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.
• Reconnaissance: Attackers stealthily assess target systems and vulnerabilities.
• Weaponization: Attackers create the tools/code tailored to exploit vulnerabilities.
• Delivery: Attackers deliver the malware to the target. Common methods include email attachments, USB drives, and other means of transferring the weaponized code.
• Exploitation: The delivered malware is executed on the target system.
• Installation: The malicious code establishes persistence on the target system.
• Command and Control (C2): The attacker establishes communication to control the compromised system; a C2 server is used as the control point for various malware.
• Actions on Objectives: Attackers use access to collect and exfiltrate data or other malicious actions.

MITRE ATT&CK Framework

• Alternative to Kill Chain for More Modern Attacks: Some organizations find the Kill Chain too basic for modern threats.
• MITRE ATT&CK Framework: A more nuanced framework that tags specific adversary tactics, techniques, and procedures (TTPs). Includes categories like target selection, initial access, persistence, lateral movement, and command and control.
• Importance of the Framework: The framework helps identify and categorize specific actions that attackers might take for more efficient threat response.

Diamond Model of Intrusion Analysis

• Analysis of Intrusion Events: This model helps analyze intrusion events focusing on adversary, capability, infrastructure, and victim.
• Graph Representation: The model uses a diamond shape to visualize the four core aspects of an intrusion event.