CYSA+
64 Questions

Questions and Answers

Which phase of the intelligence cycle involves converting data into a standard format?

  • Analysis
  • Requirements
  • Collection & Processing (correct)
  • Dissemination
    Open-source intelligence (OSINT) is only available through paid subscriptions.

    False

    What are the three categories used during the analysis phase of the intelligence cycle?

    Known good, Known bad, Not sure

    The primary goal of __________ is to share sector-specific threat intelligence and security best practices.

    ISAC

    Which factor is NOT used to evaluate intelligence sources?

    Accessibility

    Match the following intelligence sources with their characteristics:

    • Proprietary = Available through subscription
    • Closed-Source = Derived from provider's own research
    • Open-Source = Available without subscription
    • OSINT = Obtaining information from public records

    Incident response is focused solely on identifying security vulnerabilities.

    False

    What is the main focus of ISACs in critical infrastructure?

    Terrorism and service disruptions

    What is the role of feedback in the intelligence cycle?

    To clarify requirements and improve collection, analysis, and dissemination.

    The practice of identifying and mitigating software vulnerabilities is called __________ management.

    vulnerability

    Which of the following is an example of an open-source intelligence source?

    MISP

    Match the ISACs with the sectors they serve:

    • Healthcare = Targets of data breaches and ransom
    • Financial = Prevents consumer fraud and extortion
    • Aviation = Manages air traffic control safety
    • Government = Assists local and state agencies

    Strategic intelligence dissemination focuses on immediate tactical decisions.

    False

    What does detection and monitoring involve?

    Observing activity to identify anomalous patterns.

    The __________ scale is used to grade data quality in threat intelligence.

    admiralty

    What is NOT a goal of threat intelligence sharing?

    Data Encryption

    What term describes unauthorized hackers with malicious intent?

    Black Hat Hackers

    A Gray Hat Hacker operates only with authorization and has good intentions.

    False

    What is the main goal of an Advanced Persistent Threat (APT)?

    To harvest sensitive data and intellectual property.

    A __________ is defined as a vulnerability that is discovered before the vendor can issue a patch to fix it.

    zero-day vulnerability

    Match the following threat actors with their descriptions:

    • Competitor = A rogue business attempting cyber espionage
    • Hacktivist = Politically-motivated hacker
    • Insider Threat = Authorized access causing harm
    • Script Kiddie = Uses others' tools for attacks

    Which of the following describes a technique used by APTs to maintain covert access to a network?

    Command and Control (C2)

    Organized Crime groups focus on hacking for political purposes.

    False

    What is a common activity performed by hackers to gather information about their targets on social media?

    Social Media Profiling

    The __________ Threat Intelligence framework standardizes terminology about Indicators of Compromise (IoCs).

    Structured Threat Information eXpression (STIX)

    Match the following types of malware to their descriptions:

    • Commodity Malware = Widely available malicious software
    • Targeted Malware = Developed for specific targets
    • Virus = Malware that replicates itself
    • Worm = Self-replicating program that spreads without user intervention

    Which stage of the Lockheed Martin Kill Chain involves delivering weaponized code to the target?

    Delivery

    An Indicator of Attack (IoA) is evidence that an attack has already occurred.

    False

    What is the purpose of Data Loss Prevention (DLP) systems?

    To protect sensitive data from unauthorized access or leaks.

    APT attacks often target __________ institutions to access sensitive personal information.

    financial

    Which of the following characters are considered reserved in a URL?

    &'()*+,;=

    Percent encoding can be used to obfuscate a URL by encoding unreserved characters.

    True

    What is a domain that has been included in the content?

    https://www.DionTraining.com

    A URL cannot contain unsafe characters such as ______, carriage return, or line feed.

    tab

    Match the following URL concepts with their descriptions:

    • Reserved characters = Characters that must be encoded or used without modification
    • Unsafe characters = Characters that can cause issues when included in a URL
    • Percent encoding = A method to encode characters into a URL
    • Double-encoding = Encoding an already encoded character to further obfuscate a URL

    What does tcpdump primarily do?

    Analyzes network packet data on a command line interface

    A Packet Sniffer can only be used as hardware and not as software.

    False

    What is the main purpose of a Flow Collector?

    To record metadata and statistics about network traffic.

    The __________ is a free and open-source GUI-based packet analyzer used for network analysis.

    Wireshark

    Match the following HTTP methods with their functions:

    • GET = Retrieve a resource
    • POST = Send data to the server
    • PUT = Create or replace a resource
    • DELETE = Remove a resource

    Which statement about the Domain Generation Algorithm (DGA) is true?

    It dynamically generates domain names to evade block lists.

    NetFlow provides a complete record of all network traffic, including payload data.

    False

    What is indicated by a high rate of NXDOMAIN errors?

    Potential use of a Domain Generation Algorithm.

    The protocol used for polling devices and gathering network traffic statistics is called __________.

    SNMP

    Match the following HTTP response codes with their meanings:

    • 200 = OK
    • 404 = Not Found
    • 500 = Server Error
    • 401 = Unauthorized

    What does a '403 Forbidden' response code indicate?

    The request has not been applied due to lack of permissions.

    Characters in a URL after a '?' are known as the URL fragment.

    False

    What is the purpose of percent encoding in URLs?

    To encode 8-bit characters that have specific meanings.

    A __________ is a hybrid tool that monitors network traffic and logs data of potential interest.

    Zeek

    What is threat modeling primarily used for?

    Identifying potential threat actors and attack vectors

    Threat hunting only identifies threats that are already detected by security measures.

    False

    What does 'attack surface' refer to in cybersecurity?

    The point at which a network or application receives external connections or inputs.

    The deep web includes information that is not indexed by ________ engines.

    search

    Match the following cybersecurity concepts with their definitions:

    • Threat Intelligence = Gathering and analyzing information to understand threats
    • Threat Hunting = Proactively searching for threats in a network
    • OSINT = Collecting public information for intelligence
    • Bug Bounty = Crowdsourcing security testing from external researchers

    Which of the following is NOT a type of attack vector?

    Technological

    The dark web is primarily used for legitimate business operations.

    False

    What does OSINT stand for?

    Open-Source Intelligence

    Google Hacking utilizes ________ operators to locate vulnerable web servers.

    search

    What does AbuseIPDB provide for organizations?

    A database of reported abusive IP addresses

    Threat modeling should only consider the attacker's perspective.

    False

    What is a common method used in email harvesting?

    Using OSINT techniques to gather email addresses

    Match the following harvesting techniques to their descriptions:

    • WHOIS = Public listing of registered domain administrators
    • DNS Zone Transfer = Replicating DNS databases across servers
    • DNS Harvesting = Gathering information about domain subdomains
    • Website Harvesting = Copying source code of website files

    Which of the following is a step in the threat hunting process?

    Analyze network traffic

    The ________ web is used mostly for illegal activities, including the sale of drugs and stolen data.

    dark

    Study Notes

    Intelligence Cycle

    • A process for gathering and analyzing intelligence.
    • The goal is to collect and process data to analyze and disseminate valuable insights.
    • Consists of five phases: requirements, collection & processing, analysis, dissemination, and feedback.

    Requirements (Planning & Direction)

    • Defines the goals and objectives for the intelligence gathering effort.
    • It determines what to measure and collect based on specific needs.

    Collection & Processing

    • Implemented by software tools to accumulate various types of data.
    • Transforms raw data into a consistent format for analysis.

    Analysis

    • Performed against the defined use cases from the planning phase.
    • Employs automated analysis, AI, and machine learning.
    • Categorizes data into three classes: known good, known bad, or uncertain.

    Dissemination

    • Publishes actionable insights produced by analysts to relevant consumers.
    • Delivers information strategically, operationally, and tactically.

    Feedback

    • Aims to clarify requirements and enhance the effectiveness of the entire cycle.
    • Evaluates current inputs and outputs to improve data collection, analysis, and dissemination.
    • Offers lessons learned, measures success, and addresses evolving threat issues.

    Intelligence Sources

    • Sources are evaluated based on timeliness, relevancy, accuracy, and confidence level.

    Timeliness

    • Ensures the source is up-to-date and relevant.

    Relevancy

    • Aligns the source with the intended use case.

    Accuracy

    • Guarantees the source produces reliable and effective results.

    Confidence Level

    • Assesses the source's trustworthiness and reliability.

    MISP Project

    • Implements the admiralty scale to grade data and estimative language.
    • Based on the reliability of the source and the quality of the information content.

    Types of Intelligence Sources

    • Proprietary
    • Closed-Source
    • Open-Source

    Proprietary

    • Commercial services offered through subscriptions.
    • Access to threat intelligence updates and research.

    Closed-Source

    • Based on the provider's proprietary research and analysis efforts.
    • Data from honeypots, customer systems (anonymized), and internal research.

    Open-Source

    • Publicly available data without subscriptions.
    • Includes threat feeds, reputation lists, and malware signature databases.

    Examples of Open-Source Intel Providers

    • US-CERT
    • UK's NCSC
    • AT&T Security (OTX)
    • MISP
    • VirusTotal
    • Spamhaus
    • SANS ISC Suspicious Domains

    Threat Feeds

    • Explicit knowledge about threats.
    • Implicit knowledge from experienced practitioners is also valuable.

    Open-Source Intelligence (OSINT)

    • Method for gathering information from public records, websites, and social media.
    • Used to find information about individuals or organizations.

    Information Sharing and Analysis Centers (ISACs)

    • Non-profit organizations sharing sector-specific threat intelligence and best practices with members.

    Cyber Security Information Sharing Partnership (CISP)

    • Similar to ISAC but operates in the UK.

    ISACs and Sector-Specific Focus

    • Critical Infrastructure: Vital physical/virtual infrastructure to ensure national security and economic stability.
    • Government: Serving non-federal government entities (state, local, tribal, and territorial governments).
    • Healthcare: Protecting healthcare providers from cyberattacks targeting patient data and medical devices.
    • Financial: Preventing fraud and extortion in the financial sector.
    • Aviation: Preventing fraud, terrorism, service disruptions, and safety issues in the aviation industry.

    Threat Intelligence Sharing

    • Promotes collaboration and information sharing.
    • Enhances security posture and reduces the impact of threats.

    Benefits of Threat Intelligence Sharing

    • Risk Management: Identifies, prioritizes, and mitigates threats.
    • Incident Response: Enables faster and more effective responses to cyberattacks.
    • Vulnerability Management: Helps identify and remediate software vulnerabilities promptly.
    • Detection and Monitoring: Detects anomalous activity and suspicious patterns.

    Classifying Threats

    • Understanding threat classification helps security teams prioritize their defenses effectively.

    Cracker in the Media

    • The term "hacker" was used to describe computer enthusiasts, but the media now often portrays them as malicious.
    • Crackers are hackers with malicious intent.

    Hat-Based Categories of Hackers

    • Black Hat Hacker: An unauthorized hacker who engages in criminal activity.
    • White Hat Hacker: An ethical or authorized hacker who performs security assessments to improve systems.
    • Gray Hat Hacker: A semi-authorized hacker who sometimes acts with good or bad intentions.

    Basic Activities of Hackers

    • Social Media Profiling
    • Social Engineering
    • Network Scanning
    • Fingerprinting
    • Service Discovery
    • Packet Capture

    Types of Threat Actors

    • Script Kiddie: Uses pre-made hacking tools without understanding their functionalities.
    • Insider Threat: A person with authorized access to an organization's resources who poses a security risk.
      • Intentional: Deliberately causing harm.
      • Unintentional: Causing harm due to carelessness.
    • Competitor: A rogue business attempting cyber espionage against an organization.
    • Organized Crime: Focuses on hacking and computer fraud for financial gain.
    • Hacktivist: Politically motivated hacker targeting governments or individuals to advance their ideologies.
    • Nation-State: A highly capable, funded, and organized group conducting covert cyberattacks against networks or systems.

    Advanced Persistent Threat (APT)

    • An attacker who establishes a long-term presence on a network to gather sensitive information.
    • APTs often target financial institutions, healthcare companies, and governments.
    • The primary goal of an APT is to steal sensitive data, including intellectual property and PII.

    Key Difference Between Nation-State & APT Threat Actors

    • Nation-State: Affiliated with a government.
    • APT: A generic type of cyberattack that establishes a long-term presence on a network.

    Malware Types

    • Commodity Malware: Widely available malicious software applications that can be easily obtained and used.
    • Targeted Malware: Custom developed and deployed for a specific target.

    Zero-Day Vulnerability

    • A vulnerability discovered or exploited before the vendor releases a patch to fix it.
    • Most adversaries use zero-day vulnerabilities for high-value attacks.

    Command and Control (C2)

    • The infrastructure of hosts and services attackers use to direct, distribute, and control malware over botnets.

    Persistence (in the Context of Cybersecurity)

    • A threat actor's ability to maintain covert access to a target host or network.

    Threat Research

    • Reputation Data: Blacklists of known threat sources, including malware signatures, IP address ranges, and DNS domains.
    • Indicator of Compromise (IoC): Evidence of a successful attack or ongoing intrusion.
      • Examples of IoCs: unauthorized software/files, suspicious email, registry/file system changes, unknown port/protocol usage, excessive bandwidth, rogue hardware, service disruption/defacement, suspicious/unauthorized account usage.
    • Indicator of Attack (IoA): Evidence of an intrusion attempt in progress.

    Behavioral Threat Research

    • Tactics, Techniques, and Procedures (TTP): Behavior patterns used in historical cyberattacks and adversary actions.
      • Examples: DDoS, viruses/worms, network reconnaissance, APTs, data exfiltration.

    Attack Frameworks

    • Lockheed Martin Kill Chain: Describes the stages of a cyberattack.

      • Reconnaissance: The attacker gathers information to plan the attack.
      • Weaponization: The attacker combines exploit code with malicious payload.
      • Delivery: The attacker identifies a vector to transmit the weaponized code.
      • Exploitation: The weaponized code is executed on the target system.
      • Installation: The attacker enables the weaponized code to establish persistence on the target system.
      • Command & Control (C2): The attacker establishes a communication channel to control the compromised system.
      • Actions on Objectives: The attacker uses the compromised access to gather information or achieve other goals.
    • MITRE ATT&CK Framework: A knowledge base maintained by MITRE Corporation for listing and explaining adversary tactics, techniques, and procedures.

    • Diamond Model of Intrusion Analysis: A model for analyzing cybersecurity incidents by exploring relationships between four core features: adversary, capability, infrastructure, and victim.

    Indicator Management

    • Structured Threat Information eXpression (STIX): A standard terminology for IoCs and their relationships within the OASIS Cyber Threat Intelligence (CTI) framework.
    • Trusted Automated eXchange of Indicator Information (TAXII): A protocol for supplying codified threat information to automate incident detection and analysis.
    • OpenIOC: A framework by Mandiant using XML-formatted files for automated incident detection and analysis.
    • Malware Information Sharing Project (MISP): A server platform for cyber threat intelligence sharing.

    Threat Modeling

    • The process of identifying and assessing potential threat actors and attack vectors that could compromise a system or network.
    • Threat modeling should consider both the defender's and attacker's perspectives.
    • Main Areas to Consider:
      • Adversary Capability: The resources and expertise available to a threat actor.
      • Attack Surface: The points at which a network or application receives external connections or inputs that could be exploited.
      • Attack Vector: The specific path by which a threat actor gains unauthorized access to a system.

    Threat Hunting

    • A cybersecurity technique designed to proactively discover threats not detected by standard security monitoring.
    • It is potentially less disruptive than penetration testing.
    • Steps Involved:
      • Hypothesis: Based on potential threats with high likelihood and impact.
      • Profiling Threat Actors and Activities: Creating scenarios of how attackers might attempt intrusion and their objectives.

    Open-Source Intelligence (OSINT)

    • Publicly available information and the tools used to aggregate and search it.
    • Attackers can use OSINT to develop strategies for compromising targets.
    • Examples of OSINT Sources:
      • Publicly Available Information
      • Social Media
      • Dating Sites
      • HTML Code
      • Metadata

    Google Hacking

    • OSINT technique that uses Google search operators to locate vulnerable web servers and applications.
    • Methods:
      • Quotes (" "): To specify an exact phrase.
      • NOT (-): To exclude results containing a specific term.
      • AND/OR: To combine search terms.
      • Scope: To specify the scope of the search, such as site, filetype, related, etc.
      • URL Modifier: Modifiers like &pws=0, &filter=0, &tbs=li:1.
    • Google Hacking Database (GHDB): A database of search strings for finding vulnerable websites and services.
    • Shodan (shodan.io): A search engine optimized for identifying vulnerable devices connected to the internet.

    Profiling Techniques

    • Email Harvesting: Gathering email addresses for a domain.
      • Tools: Pipl.com, Peekyou.com, Echosec.net.
    • The Harvester: A command-line tool used by penetration testers.

    Harvesting Techniques

    • whois: A public listing of registered domains and their administrators.
    • DNS Zone Transfer: Replicating DNS databases across DNS servers, often used during reconnaissance.
    • DNS Harvesting: Using OSINT to gather information about a domain, such as subdomains, hosting provider, and administrative contacts.
    • Website Harvesting: Copying website source code to analyze information and vulnerabilities.

    AbuseIPDB

    • A community-driven database that tracks IP addresses reported for abusive behavior.
    • Benefits for Organizations:
      • Proactive cybersecurity approach.
      • Continuously updated by a global user community.
      • Monitoring logs for suspicious activity.
    • Important Considerations:
      • The information is not 100% reliable.
      • Use AbuseIPDB in conjunction with other security measures.

    Deep Web and Dark Web

    • Deep Web: Portion of the Internet not indexed by search engines, including private databases, subscription-based websites, and other content not publicly accessible.
      • Examples: Scientific research, university libraries, government databases.
    • Dark Web: A specific part of the deep web used for illegal activities, such as buying and selling drugs, stolen data, and weapons.
      • Considered a criminal haven where hacking and illicit activities are prevalent.

    Bug Bounty

    • A program where companies crowdsource security testing of their applications and services to identify and address vulnerabilities.
    • How to Participate:
      • Find and report problems within your organization.
      • Showcase your skills and gain recognition in the cybersecurity community.
    • Responsible and Ethical Testing:
      • Obtain necessary permissions and legal agreements.
      • Use a robust system for tracking, triaging, and remediating vulnerabilities.

    Network Forensics

    • Involves analyzing data to investigate cybersecurity incidents and identify malicious activity.
    • It helps in understanding the nature and scope of an attack, the methods used, the attackers involved, and the impact of the incident.

    Network Forensics Tools

    • Network traffic capture and decoding: Essential for analysis.
    • Switched Port Analyzer (SPAN): Copies network communication (ingress and/or egress) from one or more switch ports to another.
    • Packet Sniffer: Records data from frames passing over network media. Methods: mirrored port or tap device.
    • Placement: Network sniffers should be placed inside a firewall or near important servers.
    • tcpdump: Command-line packet analyzer. Displays TCP/IP and other packets on the attached network.
    • Wireshark: Free, open-source GUI-based packet analyzer. Used for network troubleshooting, analysis, protocol development.

    Flow Analysis

    • Full Packet Capture (FPC): Captures complete packets (header and payload) for all network traffic.
    • Flow Collector: Records metadata and statistics about network traffic, not individual frames.
    • Flow Analysis Tools: Provide network traffic statistics collected by flow collectors.
      • NetFlow: Cisco-developed tool for reporting network flow information. Gathers information like:
        • Network protocol interface
        • IP version and type
        • Source and destination IP addresses
        • Source and destination port
        • IP type of service
        • NetFlow provides metadata, while packet captures provide a complete record.
      • Zeek (Bro): Hybrid tool that monitors networks passively. Logs data of interest and performs data normalization. Stores data in tab-delimited or JSON files.
      • Multi Router Traffic Grapher (MRTG): Graphs traffic flow through routers and switches using SNMP.

    IP and DNS Analysis

    • Malware Configuration: Often configured to contact specific IPs or DNS names.
    • Known-Bad IP Addresses: IP addresses or ranges found on blacklists (Reputation intelligence).
    • Domain Generation Algorithms (DGA): A method used by malware to evade block lists by dynamically generating domain names (C2 networks).
      • 5 Steps of DGA attack:
        • Attacker sets up dynamic DNS (DDNS) services.
        • Malware code implements a DGA to create new domain names.
        • DGA creates name records on the DDNS service.
        • Malware tries to connect to C2 using generated domains.
        • C&C server communicates with the DGA to prevent blocking.
    • Fast Flux Networks: Malicious technique that hides C&C networks by continuously changing host IP addresses using DGAs.
    • DNS NXDOMAIN Errors: High rates of NXDOMAIN errors can indicate a DGA in action.
    • Secure Recursive DNS Resolver: Trusted DNS server that communicates with other trusted servers to find an IP address, then returns it to the client.

    URL Analysis

    • URL Analysis: Determines if a link is on a reputation list or potentially contains malicious scripts.
      • Tools for URL analysis:
        • Resolving percent encoding
        • Assessing URL redirection
        • Showing source code for scripts in URLs
    • HTTP Method: Request methods to indicate the desired action for a resource.
      • GET: Retrieves a resource.
      • POST: Sends data to the server for processing.
      • PUT: Creates or replaces a resource.
      • DELETE: Removes a resource.
      • HEAD: Retrieves headers only.
    • URL Characters:
      • "?" character delimits data submitted via a URL.
      • "&" character delimits name=value pairs.
      • "#" is used for fragments or anchor IDs.

    HTTP Response Codes

    • HTTP Response Codes: Header value returned by a server in response to a URL request.
    • Common HTTP Response Codes:
      • 200 (OK): Successful GET or POST request.
      • 201 (Created): Successful PUT request for a resource.
      • 3xx (Redirection): Redirection by the server.
      • 4xx (Client Error): Error in the client request.
        • 400 (Bad Request): Request could not be parsed.
        • 401 (Unauthorized): No authentication credentials provided.
        • 403 (Forbidden): Insufficient permissions.
        • 404 (Not Found): Nonexistent resource requested.
      • 5xx (Server Error): Server-side issue.
        • 500 (Internal Server Error): General server-side error.
        • 502 (Bad Gateway): Issue with the server acting as a proxy.
        • 503 (Service Unavailable): Server overload.
        • 504 (Gateway Timeout): Issue with the upstream server.

    Percent Encoding

    • Percent Encoding: Encodes 8-bit characters for use in URLs (also known as URL encoding).
    • Allowed URL Characters:
      • Unreserved Characters: a-z A-Z 0-9 - . _ ~
      • Reserved Characters: :/?#[]@!$&'()*+,;=
    • Unsafe Characters: Null string termination, carriage return, line feed, EOF, tab, space, \ < > { }
    • Percent Encoding Usage: Allows submission of safe or unsafe characters or binary data to the server in URLs.

    Warning

    • Percent Encoding Misuse: Can be used to obfuscate URLs (encoding unreserved characters) and submit malicious scripts or binary data.
    • Double Encoding: Attackers may double-encode to obfuscate the URL further by encoding the "%" sign.
