Security Control Categories Quiz
48 Questions


Questions and Answers

Which of the following is considered a known threat?

  • Advanced Persistent Threats (APTs)
  • Documented exploits against software vulnerabilities (correct)
  • Obfuscated malware code
  • Zero-day exploits

    Nation-state actors primarily focus on committing fraud and blackmail.

    False

    What is the primary goal of hacktivist groups?

    To promote a political agenda or ideology.

    An APT stands for __________.

    Advanced Persistent Threat

    Match the following threat actor types with their descriptions:

    Nation-State = Groups backed by governments with cybersecurity expertise
    Organized Crime = Groups involved in fraud and blackmail
    Hacktivist = Groups promoting political ideologies

    What distinguishes nation-state actors from other threat types?

    They are funded by government entities for military or commercial goals.

    Obfuscated malware code is classified as a known threat.

    False

    What does effective threat intelligence involve?

    Understanding the behavior of adversary groups.

    Which of the following describes a DDoS attack?

    A sudden spike in network traffic

    In the Kill Chain, exploitation refers to the creation of payload and exploit code.

    False (creating the payload is weaponization; exploitation is the phase in which the delivered code runs on the target)

    What phase follows reconnaissance in the Kill Chain?

    Weaponization

    In the Kill Chain, the phase during which an attacker identifies the best way to deliver the weaponized code is called ______.

    Delivery

    Match the TTP to its indication:

    DDoS = Spike in network traffic
    Viruses/Worms = Increased CPU or memory usage
    Network Reconnaissance = Port scanning
    Data Exfiltration = Unusual spikes in data transfers

    What technique might an attacker use to evade detection during reconnaissance?

    Using zombie hosts or botnets

    Data exfiltration is indicated by consistent and low network traffic.

    False

    What are the seven steps of the Lockheed Martin Kill Chain?

    Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.

    What is a primary focus of Endpoint Detection and Response (EDR)?

    Logging endpoint observables

    User and Entity Behavior Analytics (UEBA) are primarily used for data collection.

    False

    What is the purpose of sandboxing in cybersecurity?

    To isolate untrusted data in a closed virtual environment for testing and analysis.

    EDR aims to provide __________ and historical visibility into compromises.

    real-time

    Match the following technologies with their primary function:

    EDR = Logging endpoint observables
    UEBA = Behavioral analysis
    Sandboxing = Testing malicious data
    AI and Machine Learning = Reducing false positives in analysis

    Which of the following is a characteristic of User and Entity Behavior Analytics (UEBA)?

    Comparison to a baseline for behavior analysis

    Sandboxing can only be used for malware analysis.

    False

    Identify one example of a UEBA solution mentioned.

    Microsoft's Advanced Threat Analytics or Splunk UEBA.

    What does the 'DPT' field indicate in an iptables log entry?

    Destination port

    The MAC address appears at the end of the iptables log entry.

    False (the MAC= field follows IN= and OUT= near the start of the entry, before SRC= and DST=)

    What does SPT denote in the iptables log?

    Source port
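As an added example (not part of the quiz or the CySA+ lessons it summarises), the following Python parses one iptables LOG entry into its fields, which makes the DPT, SPT, MAC and TTL questions above concrete. The sample line, the log prefix "INPUT-DROP", the host name and the addresses are constructed for illustration; the field layout (IN=, OUT=, MAC=, SRC=, DST=, ... SPT=, DPT=) is the one the netfilter LOG target writes.

```python
import re

# Constructed sample entry (syslog prefix plus the netfilter LOG line); the
# prefix "INPUT-DROP", host name and documentation-range addresses are made up.
SAMPLE_LINE = (
    "Jan 12 10:00:01 fw1 kernel: [12345.678901] INPUT-DROP: IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43210 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0"
)

# KEY=VALUE tokens as the kernel writes them; OUT= may legitimately be empty.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
# Tokens that carry no value: IP fragment bits and TCP flags.
_FLAGS = ("DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG")
_NUMERIC = ("SPT", "DPT", "TTL", "LEN", "ID", "WINDOW")


def field_order(line):
    """Names of the KEY=VALUE fields in the order they appear in the entry."""
    return [key for key, _ in _KV.findall(line)]


def parse_iptables_log(line):
    """Parse one iptables LOG entry into a dict.

    Numeric fields become ints so callers can compare ports without string
    handling. The 14-octet MAC field is destination MAC, source MAC and
    EtherType concatenated, so it is split into those three parts. TTL is the
    remaining hop count set by the sender and decremented by each router; it is
    not an elapsed time.
    """
    fields = dict(_KV.findall(line))
    for flag in _FLAGS:
        if re.search(rf"\b{flag}\b", line):
            fields[flag] = True
    for key in _NUMERIC:
        if key in fields and fields[key].isdigit():
            fields[key] = int(fields[key])
    mac = fields.get("MAC")
    if mac:
        octets = mac.split(":")
        fields["DST_MAC"] = ":".join(octets[0:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = ":".join(octets[12:14])
    # The --log-prefix text sits between the kernel timestamp and IN=.
    m = re.search(r"\]\s*(.*?)\s*IN=", line)
    if m and m.group(1):
        fields["PREFIX"] = m.group(1).rstrip(":")
    return fields


if __name__ == "__main__":
    entry = parse_iptables_log(SAMPLE_LINE)
    print(f"{entry['SRC']}:{entry['SPT']} -> {entry['DST']}:{entry['DPT']} "
          f"proto={entry['PROTO']} ttl={entry['TTL']} prefix={entry['PREFIX']}")
    print("field order:", " ".join(field_order(SAMPLE_LINE)))
```

field_order() shows the point behind the MAC question: MAC is the third field, between OUT= and SRC=, and the entry ends with the TCP-specific fields (URGP= here).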

    The _____ format is used by the Windows-based firewall for logging.

    W3C Extended Log File

    Which of the following fields is NOT included in the Windows Firewall log format?

    DPT

    Match the component with its description in a W3C Extended Log File entry (the Windows Firewall log uses this format; these particular fields are the ones a web server such as IIS writes in it):

    c-ip = Client IP
    s-ip = Server IP
    cs-method = Action (HTTP method) requested by the client
    cs-username = Name of the user accessing the server

    The 'TTL' field indicates the time taken for a packet to reach its destination.

    False (TTL is a hop limit decremented by each router, not a measure of elapsed time)

    What does the 'sc-status' field represent in a W3C Extended Log File entry?

    Server response code
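As an added example that is not from the quiz or its source PDF, the following Python parses W3C Extended Log File data driven by the #Fields directive, so one parser handles both a Windows Firewall log (pfirewall.log, whose columns are date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...) and a web-server log carrying the c-ip, cs-method, cs-username and sc-status fields asked about above. Both excerpts are constructed; the host names, addresses and the two summary functions are assumptions made for the example.

```python
# Constructed Windows Firewall (pfirewall.log) excerpt in W3C Extended Log File
# format. The '#Fields:' directive names the columns; '-' marks an empty value.
FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-12 10:00:01 DROP TCP 192.0.2.10 198.51.100.5 43210 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-01-12 10:00:02 DROP TCP 192.0.2.10 198.51.100.5 43211 445 52 S 1234568 0 8192 - - - RECEIVE
2024-01-12 10:00:05 ALLOW UDP 198.51.100.5 198.51.100.1 51000 53 0 - - - - - - - SEND
"""

# Constructed web-server excerpt in the same format, using the c-ip / cs-method /
# cs-username / sc-status fields the quiz refers to.
WEB_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-12 10:01:00 198.51.100.5 GET /login.aspx - 192.0.2.10 200
2024-01-12 10:01:03 198.51.100.5 POST /login.aspx - 192.0.2.10 401
2024-01-12 10:01:09 198.51.100.5 POST /login.aspx alice 192.0.2.10 302
"""


def parse_w3c(text):
    """Parse a W3C Extended Log File into a list of records keyed by field name.

    The column names come from the most recent '#Fields:' directive, so the
    parser works for any producer of the format (firewall, IIS, ...). Other '#'
    lines are directives and are skipped; '-' is normalised to None.
    """
    fields = []
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def dropped_ports_by_source(records):
    """{src-ip: sorted destination ports} for DROP entries: a quick view of who is probing."""
    out = {}
    for r in records:
        if r.get("action") == "DROP":
            out.setdefault(r["src-ip"], set()).add(int(r["dst-port"]))
    return {ip: sorted(ports) for ip, ports in out.items()}


def failed_logins(records):
    """(c-ip, cs-method, sc-status) for web requests the server rejected (4xx)."""
    return [(r["c-ip"], r["cs-method"], r["sc-status"])
            for r in records if r["sc-status"].startswith("4")]


if __name__ == "__main__":
    print("dropped:", dropped_ports_by_source(parse_w3c(FIREWALL_LOG)))
    print("rejected:", failed_logins(parse_w3c(WEB_LOG)))
```

Because the parser reads the #Fields line instead of assuming a column order, a log whose administrator changed the field set still parses, and a data line with the wrong column count is rejected rather than silently mis-keyed.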

    What feature should a sandbox provide to monitor changes made by an executed malware file?

    Monitor all system and API calls

    A sandbox host used for malware analysis should be physically isolated from the main network.

    True

    What is the primary goal of reverse engineering malware?

    To understand how it functions and propagates.

    Static analysis involves reading the code of the malicious application to understand its ______.

    goals

    Match the following aspects of malware analysis with their descriptions:

    Static Analysis = Reading the code to understand goals
    Sandbox = Isolated environment for malware execution
    Network Access Control = Precautions against exploiting vulnerabilities
    Reverse Engineering = Examining the code structure and patterns

    Which of the following is NOT a feature of a sandbox for malware analysis?

    User intervention during analysis

    Java class files are more difficult to reverse engineer compared to applications written in other languages.

    False (Java bytecode keeps enough structure that it decompiles readily)

    What precautions must be taken regarding host patch management?

    To protect against vulnerabilities in hypervisors.

    What port number does the syslog protocol use?

    514 (UDP by default; syslog over TLS uses 6514)

    Heuristic analysis relies solely on predefined rules to generate alerts.

    False

    What does SIEM stand for in the context of logging and analysis?

    Security Information and Event Management

    Anomaly analysis identifies events that do not follow expected ______.

    patterns

    Which of the following is NOT a detection method mentioned?

    Network-based analysis

    Match the analysis types with their descriptions:

    Behavioral Analysis = Recognizes baseline traffic patterns
    Anomaly Analysis = Identifies events that do not conform to expected patterns
    Trend Analysis = Detects patterns within a dataset over time
    Heuristic Analysis = Allows machines to infer information independently

    Trend Analysis can be used to predict future events based on past patterns.

    True
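As an added example (not from the quiz or the material it summarises), the following Python shows the baseline comparison that the UEBA and anomaly-analysis questions describe: each entity's recent history defines a baseline, and the hour under review is flagged when it departs from it. The per-user byte counts, the 3-sigma threshold and the absolute floor are constructed for the example; they also illustrate the data-exfiltration indicator above (a sudden spike, not consistently low traffic).

```python
from statistics import mean, pstdev

# Constructed per-user outbound byte counts for the previous 12 hours (oldest
# first) and the hour under review. Real values would come from proxy,
# firewall or EDR telemetry; these are made up to show the technique.
SERIES = {
    # steady ~2 MB/hour, then a 48 MB hour: the "unusual spike in data transfers"
    "alice": ([1_950_000, 2_100_000, 1_880_000, 2_250_000, 2_020_000, 1_900_000,
               2_300_000, 2_050_000, 1_970_000, 2_150_000, 2_010_000, 1_990_000],
              48_000_000),
    # consistently low traffic with a small uptick: not an exfiltration indicator
    "bob": ([52_000, 48_000, 55_000, 50_000, 47_000, 53_000,
             49_000, 51_000, 50_500, 48_500, 52_500, 49_500],
            58_000),
}


def baseline(history):
    """Mean and population standard deviation of the observation window."""
    return mean(history), pstdev(history)


def z_score(value, history):
    """How many standard deviations `value` sits above the entity's own baseline."""
    mu, sigma = baseline(history)
    if sigma == 0:
        return float("inf") if value > mu else 0.0
    return (value - mu) / sigma


def is_anomalous(value, history, k=3.0, floor=1_000_000):
    """True when `value` exceeds the baseline by more than k std-devs AND by
    more than `floor` bytes. The absolute floor is a design choice for this
    example: a quiet account has a tiny sigma, so a pure z-score would alert
    on a few extra kilobytes that no analyst wants to triage."""
    mu, sigma = baseline(history)
    return value - mu > max(k * sigma, floor)


def detect(series, k=3.0, floor=1_000_000):
    """Run the baseline comparison over every entity and return the alerts."""
    alerts = []
    for user, (history, current) in series.items():
        if is_anomalous(current, history, k, floor):
            mu, _ = baseline(history)
            alerts.append({
                "user": user,
                "observed": current,
                "baseline_mean": round(mu),
                "z": round(z_score(current, history), 1),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SERIES):
        print(f"ALERT {a['user']}: {a['observed']} bytes vs baseline "
              f"{a['baseline_mean']} (z={a['z']})")
```

With the floor set to zero, bob's 58,000-byte hour would trip the 3-sigma rule even though it is a trivial change in absolute terms; that is the false-positive class the "reducing false positives" question refers to, and the floor is one plain way to suppress it before reaching for machine learning.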

    What is the simplest form of correlation used in SIEM tools?

    Signature-based detection rules
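As an added example (not from the quiz or the CySA+ lessons it summarises), the following Python shows the two layers the syslog and SIEM questions touch on: signature rules that label individual syslog events, and a correlation rule that combines several labelled events over a time window. The input is a constructed batch of RFC 3164-style syslog records as a collector listening on UDP/514 would have stored them; the host names, addresses, rule names and the threshold/window values are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog records (RFC 3164 style: <PRI>timestamp host app[pid]: msg).
# PRI 38 = facility 4 (auth) * 8 + severity 6 (informational).
EVENTS = """\
<38>Jan 12 10:00:01 bastion sshd[4120]: Failed password for root from 192.0.2.10 port 50122 ssh2
<38>Jan 12 10:00:03 bastion sshd[4121]: Failed password for root from 192.0.2.10 port 50123 ssh2
<38>Jan 12 10:00:05 bastion sshd[4122]: Failed password for admin from 192.0.2.10 port 50124 ssh2
<38>Jan 12 10:00:07 bastion sshd[4123]: Failed password for admin from 192.0.2.10 port 50125 ssh2
<38>Jan 12 10:00:09 bastion sshd[4124]: Failed password for deploy from 192.0.2.10 port 50126 ssh2
<38>Jan 12 10:00:12 bastion sshd[4125]: Accepted password for deploy from 192.0.2.10 port 50127 ssh2
<38>Jan 12 10:05:00 bastion sshd[4130]: Failed password for alice from 198.51.100.7 port 40001 ssh2
<38>Jan 12 10:05:20 bastion sshd[4131]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Signature rules: a fixed pattern labels one event on its own.
SIGNATURES = {
    "ssh_auth_failure": re.compile(
        r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "ssh_auth_success": re.compile(
        r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"),
}


def parse_syslog(line):
    """Split one RFC 3164 record; returns None for lines that do not parse."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["facility"], ev["severity"] = divmod(int(ev["pri"]), 8)
    # RFC 3164 timestamps carry no year; strptime defaults to 1900, which is
    # fine for the relative comparisons below.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def classify(ev):
    """Apply the signature rules; store the rule name and captured fields on the event."""
    for name, rx in SIGNATURES.items():
        m = rx.match(ev["msg"])
        if m:
            ev["sig"] = name
            ev.update(m.groupdict())
            return name
    ev["sig"] = None
    return None


def correlate(text, threshold=5, window_s=60):
    """Correlation rule: >= threshold failures from one source inside window_s
    seconds raises ssh_brute_force; a success from that source while the window
    is still full raises ssh_brute_force_success. Threshold and window are
    example values, not recommendations."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    fired = set()                   # sources already reported for brute force
    alerts = []
    for line in text.splitlines():
        ev = parse_syslog(line)
        if ev is None or classify(ev) is None:
            continue
        src, q = ev["src"], failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()             # slide the window forward
        if ev["sig"] == "ssh_auth_failure":
            q.append(ev["ts"])
            if len(q) >= threshold and src not in fired:
                fired.add(src)
                alerts.append({"rule": "ssh_brute_force", "src": src,
                               "count": len(q), "ts": ev["ts"]})
        elif ev["sig"] == "ssh_auth_success" and len(q) >= threshold:
            alerts.append({"rule": "ssh_brute_force_success", "src": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["rule"], a["src"], a.get("user", ""), a["ts"].strftime("%b %d %H:%M:%S"))
```

The signature layer on its own would only say "a login failed" eight times; the correlation layer is what turns the first six records into a brute-force-then-success finding while leaving the single mistyped password from 198.51.100.7 alone.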

    Study Notes

    Security Control Categories

    • Security controls are categorized into technical, operational, and managerial types.
    • Preventative controls are implemented before a threat event to stop it from succeeding (for example, a firewall rule or strong authentication).
    • Detective controls monitor for and identify malicious activity during or after the event (for example, IDS alerts or log review).
    • Corrective controls act after an incident to reduce its impact and restore systems to a known-good state (for example, restoring from backup or applying a patch).

    Technical Controls

    • These controls include hardware and software components safeguarding systems from cyber threats.
    • Examples include firewalls, IDS, IPS, encryption, and authentication mechanisms.

    Operational Controls

    • Implemented primarily by people rather than by systems, these controls supplement technical security.
    • They often depend on management activities and on technical controls to be effective.
    • Examples include labeling, documentation, security awareness training, and personnel security.

    Managerial Controls

    • These controls manage development, maintenance, and use of systems and processes.
    • Examples include system-specific policies, procedures, rules of behavior, and individual roles and responsibilities.

    Incident Response Capability

    • A critical component of security, it is essential for dealing with cybersecurity breaches.
    • Physical security practices help prevent unauthorized access to sensitive assets.

    Deterrents

    • Deterrent controls discourage attackers from attempting an attack in the first place.
    • A deterrent does not stop an attack outright; it raises the perceived cost, risk, or effort of the attack so that the attacker chooses not to proceed (warning banners and visible monitoring are typical examples).

    Compensating Controls

    • Alternative controls implemented when a specific security measure is impossible or impractical to execute.

    CIA Triad

    • Confidentiality, Integrity, and Availability are primary goals of information security.
    • Controls must protect all three principles to ensure security.

    Security Information and Event Management (SIEM)

    • A collection of tools designed for the analysis of, and incident response to, security events.
    • Provides a central location for collecting, normalizing, and correlating log data from various IT systems.

    Cyber Threat Intelligence (CTI)

    • A component of cybersecurity focused on collecting and analyzing attack intelligence information.
    • Involves 5 interconnected phases: Requirements, Collection, Analysis, Dissemination, and Feedback.

    Security Controls, Important Note

    • A variety of control types used is more effective than a single control approach.

    Threat Classification

    • Known threats include malware and documented exploits.
    • Unknown threats include zero-day exploits and obfuscated malware code.

    Threat Actor Types

    • Threat intelligence focuses on adversary groups’ behavior instead of just malware signatures.
    • Group types considered include organized crime, hacktivists, and nation-states.



    Related Documents

    CySA+ Lessons 1-4 (Quiz 1) PDF

    Description

    Test your understanding of the three main categories of security controls: technical, operational, and managerial. This quiz covers examples of each type and explores their functions in safeguarding systems against cyber threats. Enhance your knowledge on preventative, detective, and corrective mechanisms.
