CySA+ Lesson 2A: Threat Classification

Questions and Answers

What type of threat is characterized by exploits that have yet to be discovered and documented?

• Malware
• Known threats
• Documented exploits
• Zero-day exploits (correct)

Which of the following best describes Advanced Persistent Threats (APTs)?

• Complex malware that self-replicates
• Ongoing efforts by adversaries to maintain access without detection (correct)
• Short-term attacks that require minimal resources
• One-time attacks aimed at financial loss

What is the primary goal of nation-state actors in cyber operations?

• Disruption of services
• Financial gain
• Espionage and strategic advantage (correct)
• Public awareness

Which group is typically involved in activities aimed at promoting a political ideology?

Hacktivists (C)

Which characteristic is NOT associated with organized crime groups in cyber activities?

Espionage for military purposes (D)

Which of the following groups is an example of a hacktivist organization?

Anonymous (A)

In threat modeling, which type of threat is represented by obfuscated malware code?

Zero-day exploits (A)

Which aspect does threat intelligence NOT focus on?

Analyzing employee behavior (B)

What are the two categories of insider threats?

Intentional and Unintentional (B)

What is a common outcome of cyber attacks conducted by organized crime groups?

Financial loss to victims (C)

What is a characteristic of commodity malware?

It is usually prepackaged and available for purchase on the internet. (A)

Which statement accurately describes a zero-day exploit?

A zero-day exploit is a vulnerability exploited before the vendor is aware and can issue a patch. (A)

What is an Advanced Persistent Threat (APT)?

An organized group of attackers or method of sustained attacks targeting specific systems. (C)

What can be considered an example of an unintentional insider threat?

An employee using unauthorized applications leading to a data breach. (C)

Why do adversaries favor using zero-day vulnerabilities for attacks?

They hold significant financial value and are suited for high-value attacks. (D)

Which type of malware is typically used in general circumstances and can be purchased online?

Commodity malware (A)

Flashcards

Insider Threat

Someone with authorized access to an organization, who poses a security risk.

Intentional Insider Threat

A deliberate attack by someone within an organization.

Unintentional Insider Threat

A security risk caused by negligence or mistake.

Commodity Malware

Generic malware readily available for purchase.

Zero-Day Threat

A vulnerability exploited before a patch is released.

Advanced Persistent Threat (APT)

Highly organized attackers with sustained access to a target.

Hacktivist Group

A group of individuals motivated by social or political agendas.

Shadow IT

Unauthorized IT systems/activities used within an organization.

Nation-State Threat Actor

Groups with cybersecurity expertise, backed by governments, aiming for military or commercial goals. Often have advanced persistent threat (APT) capabilities and resources.

Organized Crime Threat Actor

Groups involved in cybercrime, often focused on fraud, blackmail, and financial gains. May operate internationally.

Hacktivist Threat Actor

Groups using hacking skills to promote an ideology or political agenda, often targeting political adversaries or media outlets, sometimes causing denial-of-service attacks.

Known Threats

Threats with known characteristics, like specific malware or exploits against known vulnerabilities.

Malware

Malicious software designed to damage or disable computer systems.

Threat Intelligence

Understanding adversary behavior to identify relevant threats.

Unknown Threats

Threats with unknown characteristics, like zero-day exploits or obfuscated malware.

Study Notes

CySA+ Lesson 2A

• Objectives: Classify threats and threat actor types, use attack frameworks and indicator management, and utilize threat modeling and hunting methodologies.

Threat Classification

• Known Threats: Malware and documented exploits against software vulnerabilities.
• Unknown Threats: Zero-day exploits and obfuscated malware code.

Threat Actor Types

• Threat intelligence involves understanding adversary behavior, not just malware signatures or attack vectors.
• Organized crime groups, hacktivist groups, and other threat entities are monitored to assess their resource levels and how sophisticated their attacks might be.
• Nation-States use financial and technological resources (APTs) for military or commercial goals, often targeting energy and electoral systems, with espionage and strategic advantage as primary goals. They may support multiple adversary groups with different objectives and levels of collaboration.
• Organized crime perpetrators may reside outside of a targeted country and may focus on fraud and blackmail. Cybercrime incidents often exceed physical crime in terms of incidence and loss.
• Hacktivists promote political agendas or ideologies through actions such as releasing confidential information, DoS attacks, or website defacing. They commonly target adversaries in business, media, or politics.

Insider Threats

• Insider threats can be intentional or unintentional. Intentional threats involve malicious actors inside an organization, while unintentional threats stem from negligence or mistakes that inadvertently create vulnerabilities. A common unintentional insider threat is Shadow IT.

Commodity Malware

• Commodity malware is prepackaged and readily available for sale on the internet. It is not targeted to a specific entity.
  • Examples include Remote Access Trojans (RATs) and DDoS tools.

Zero-Day Threats

• Zero-day threats exploit previously unknown vulnerabilities. Adversary groups often discover and exploit these threats before vendors can release patches. These vulnerabilities often have high financial value.

Advanced Persistent Threats (APTs)

• APTs are highly organized and sophisticated groups capable of discovering exploits to high-value targets. They often maintain persistence within a system by using backdoors, allowing them to re-connect and exfiltrate data at a later time.