Security Control Categories Quiz
48 Questions

Questions and Answers

Which of the following is considered a known threat?

  • Advanced Persistent Threats (APTs)
  • Documented exploits against software vulnerabilities (correct)
  • Obfuscated malware code
  • Zero-day exploits

Nation-state actors primarily focus on committing fraud and blackmail.

False (B)

What is the primary goal of hacktivist groups?

To promote a political agenda or ideology.

An APT stands for __________.

Advanced Persistent Threat

Match the following threat actor types with their descriptions:

  • Nation-State = Groups backed by governments with cybersecurity expertise
  • Organized Crime = Groups involved in fraud and blackmail
  • Hacktivist = Groups promoting political ideologies

What distinguishes nation-state actors from other threat types?

They are funded by government entities for military or commercial goals. (B)

Obfuscated malware code is classified as a known threat.

False (B)

What does effective threat intelligence involve?

Understanding the behavior of adversary groups.

Which of the following describes a DDoS attack?

A sudden spike in network traffic (C)

In the Kill Chain, exploitation refers to the creation of payload and exploit code.

False (B)

What phase follows reconnaissance in the Kill Chain?

Weaponization

In the Kill Chain, the phase during which an attacker identifies the best way to deliver the weaponized code is called ______.

Delivery

Match the TTP to its indication:

  • DDoS = Spike in network traffic
  • Viruses/Worms = Increased CPU or memory usage
  • Network Reconnaissance = Port scanning
  • Data Exfiltration = Unusual spikes in data transfers

What technique might an attacker use to evade detection during reconnaissance?

Using zombie hosts or botnets (C)

Data exfiltration is indicated by consistent and low network traffic.

False (B)

What are the seven steps of the Lockheed Martin Kill Chain?

Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.

What is a primary focus of Endpoint Detection and Response (EDR)?

Logging endpoint observables (C)

User and Entity Behavior Analytics (UEBA) are primarily used for data collection.

False (B)

What is the purpose of sandboxing in cybersecurity?

To isolate untrusted data in a closed virtual environment for testing and analysis.

EDR aims to provide __________ and historical visibility into compromises.

real-time

Match the following technologies with their primary function:

  • EDR = Logging endpoint observables
  • UEBA = Behavioral analysis
  • Sandboxing = Testing malicious data
  • AI and Machine Learning = Reducing false positives in analysis

Which of the following is a characteristic of User and Entity Behavior Analytics (UEBA)?

Comparison to a baseline for behavior analysis (B)

Sandboxing can only be used for malware analysis.

False (B)

Identify one example of a UEBA solution mentioned.

Microsoft's Advanced Threat Analytics or Splunk UEBA.

What does the 'DPT' field indicate in an iptables log entry?

Destination port (D)

The MAC address appears at the end of the iptables log entry.

False (B)

What does SPT denote in the iptables log?

Source port

The _____ format is used by the Windows-based firewall for logging.

W3C Extended Log File

Which of the following fields is NOT included in the Windows Firewall log format?

DPT (C)

Match the component with its description in the Windows Firewall log:

  • c-ip = Client IP
  • s-IP = Server IP
  • cs-method = Action taken by the client
  • cs-username = Name of the user accessing the server

The 'TTL' field indicates the time taken for a packet to reach its destination.

False (B)

What does the 'SC-status' field represent in the Windows Firewall log?

Server response code

What feature should a sandbox provide to monitor changes made by an executed malware file?

Monitor all system and API calls (D)

A sandbox host used for malware analysis should be physically isolated from the main network.

True (A)

What is the primary goal of reverse engineering malware?

To understand how it functions and propagates.

Static analysis involves reading the code of the malicious application to understand its ______.

goals

Match the following aspects of malware analysis with their descriptions:

  • Static Analysis = Reading the code to understand goals
  • Sandbox = Isolated environment for malware execution
  • Network Access Control = Precautions against exploiting vulnerabilities
  • Reverse Engineering = Examining the code structure and patterns

Which of the following is NOT a feature of a sandbox for malware analysis?

User intervention during analysis (A)

Java class files are more difficult to reverse engineer compared to applications written in other languages.

False (B)

What precautions must be taken regarding host patch management?

To protect against vulnerabilities in hypervisors.

What port number does the syslog protocol use?

514 (D)

Heuristic analysis relies solely on predefined rules to generate alerts.

False (B)

What does SIEM stand for in the context of logging and analysis?

Security Information and Event Management

Anomaly analysis identifies events that do not follow expected ______.

patterns

Which of the following is NOT a detection method mentioned?

Network-based analysis (B)

Match the analysis types with their descriptions:

  • Behavioral Analysis = Recognizes baseline traffic patterns
  • Anomaly Analysis = Identifies events that do not conform to expected patterns
  • Trend Analysis = Detects patterns within a dataset over time
  • Heuristic Analysis = Allows machines to infer information independently

Trend Analysis can be used to predict future events based on past patterns.

True (A)

What is the simplest form of correlation used in SIEM tools?

Signature-based detection rules

Flashcards

Threat Classification

Categorizing threats into known and unknown types, including malware, documented exploits, zero-day exploits, and obfuscated malware.

Threat Actor Types

Understanding adversary groups like Nation-States, Organized Crime, and Hacktivists to understand their motives and capabilities.

Nation-State

Government-backed threat actors with high resources and expertise, often targeting espionage and strategic advantages like energy or electoral systems.

Organized Crime

Criminal groups focused on financial gain, often engaging in fraudulent activities and blackmailing.

Hacktivist

Groups using cyber skills with political motivation, promoting an ideology or agenda.

Advanced Persistent Threat (APT)

A skillful adversary who can infiltrate systems and remain undetected for a long period using various tools and techniques.

Malware

Software designed to cause harm or damage, classified as a known threat.

Zero-day exploits

Exploits of unknown vulnerabilities, categorized as unknown threats.

TTPs

Tactics, Techniques, and Procedures used in attacks.

DDoS Attack

Sudden surge of network traffic to overwhelm a target.

Malware (Viruses/Worms)

Software designed to damage or disable a system.

Network Reconnaissance

Attacker scanning for vulnerabilities in a network.

Kill Chain

Series of steps attackers follow to achieve their goals.

Kill Chain: Reconnaissance

Finding out about the target's security and the possible attack methods against it.

Kill Chain: Weaponization

Creating the attack tools tailored for targets.

Kill Chain: Delivery

Getting the attack tools to the target’s system.

iptables INPUT drop

A command that rejects network traffic coming into a system through interface eth0.

IN=eth0

Incoming network traffic on network interface 'eth0'.

SRC=10.1.0.102

Source IP address of the network packet.

DST=10.1.0.10

Destination IP address of the network packet.

SPT=2584

Source port number of the TCP connection.

DPT=21

Destination port number of the TCP connection.

MAC Address

A unique identifier assigned to network interface cards (NICs).

Windows Firewall Log Format

Log format used by Windows Firewall that contains detailed information about network activity.

EDR vs. EPP

Endpoint Detection and Response (EDR) aims to detect and respond to threats in real-time, focusing on analyzing behavior and anomalies, while Endpoint Protection Platforms (EPP) primarily rely on signature-based detection and prevention.

EDR's Goal

The goal of EDR is to provide visibility into an attack, contain it within a single host, and enable remediation to restore the host to its original state.

UEBA

User and Entity Behavior Analytics (UEBA) analyzes user and machine behavior to identify potential threats by comparing it to a baseline of expected behavior.

UEBA's Focus

UEBA tracks behavior across various devices and cloud services, analyzing user accounts, machine accounts, and embedded hardware.

Sandboxing

Sandboxing isolates untrusted data in a controlled virtual environment for analyzing threats and vulnerabilities without risking the host system.

Sandbox Applications

Sandboxes are used for various purposes, including testing application code during development and analyzing potential malware.

Sandbox Benefits

Sandboxing offers more comprehensive security analysis than traditional anti-malware solutions, allowing for testing in various environments.

UEBA & AI

UEBA heavily relies on advanced computing techniques like artificial intelligence (AI) and machine learning to analyze complex behavior patterns and reduce false positives.

Sandbox Features

A sandbox for malware analysis should monitor system changes, execute malware, track API calls, take snapshots, and record file activity.

Sandbox Isolation

The sandbox should be isolated (physically or virtually) from the main network to prevent malware from spreading.

Reverse Engineering

Examining the structure of a system or application to understand how it functions, especially relevant for malware analysis.

Static Analysis

Analyzing malware code without executing it to understand its goals by examining its structure and instructions.

Dynamic Analysis

Analyzing malware by executing it in a controlled environment to observe its behavior, including system changes and network activity.

Malware Attribution

Determining the source of malware by identifying patterns in its code, execution, or communication.

Honeypot

A system designed to lure and trap attackers, especially for malware analysis and studying attacker behavior.

C&C Communication

Malware often communicates with a server for remote control and instructions, referred to as Command and Control (C&C).

Syslog

A standard protocol used by network devices to send event data logs to a central location for analysis and reporting.

SIEM

Security Information and Event Management, a software solution that gathers and analyzes security data from various sources to detect and respond to threats.

Signature-Based Detection

A basic form of threat detection that uses predefined patterns or signatures to identify known malicious activity.

Heuristic Analysis

A more advanced method of threat detection that uses machine learning to analyze suspicious activity and identify patterns that may not be explicitly defined.

Behavioral Analysis

A method of threat detection that analyzes user and network behavior to identify anomalies that deviate from the expected norms.

Anomaly Analysis

A technique that looks for events that do not follow the expected patterns or rules defined for a system.

Trend Analysis

Analyzing historical data to detect emerging trends and predict future events or threats.

What is the difference between anomaly analysis and trend analysis?

Anomaly analysis focuses on identifying deviations from expected behavior in individual events, while trend analysis identifies patterns over time to predict future occurrences.

Study Notes

Security Control Categories

  • Security controls are categorized into technical, operational, and managerial types.
  • Preventative controls are implemented before a threat event.
  • Detective controls monitor for and identify malicious activity.
  • Corrective controls restore systems to their previous state after an incident.

Technical Controls

  • These controls include hardware and software components safeguarding systems from cyber threats.
  • Examples include firewalls, IDS, IPS, encryption, and authentication mechanisms.

Operational Controls

  • These controls, implemented by people, supplement technical security.
  • They often rely on management activities and other technical controls.
  • Examples include labeling, documentation, security awareness training, and personnel security.

Managerial Controls

  • These controls manage development, maintenance, and use of systems and processes.
  • Examples include system-specific policies, procedures, rules of behavior, and individual roles and responsibilities.

Incident Response Capability

  • A critical component of security, it is essential for dealing with cybersecurity breaches.
  • Physical security practices help prevent unauthorized access to sensitive assets.

Deterrents

  • Controls that discourage attackers from attacking systems.
  • May only slightly deter rather than stop attacks, for example by making an attack more time-consuming for the attacker.

Compensating Controls

  • Alternative controls implemented when a specific security measure is impossible or impractical to execute.

CIA Triad

  • Confidentiality, Integrity, and Availability are primary goals of information security.
  • Controls must protect all three principles to ensure security.

Security Information and Event Management (SIEM)

  • A collection of tools designed for the analysis of, and incident response to, security events.
  • Provides a central location for managing data from various IT systems.

Cyber Threat Intelligence (CTI)

  • A component of cybersecurity focused on collecting and analyzing attack intelligence information.
  • Involves 5 interconnected phases: Requirements, Collection, Analysis, Dissemination, and Feedback.

Security Controls, Important Note

  • Using a variety of control types is more effective than relying on a single control approach.

Threat Classification

  • Known threats include malware and documented exploits.
  • Unknown threats include zero-day exploits and obfuscated malware code.

Threat Actor Types

  • Threat intelligence focuses on adversary groups’ behavior instead of just malware signatures.
  • Group types considered include organized crime, hacktivists, and nation-states.


Related Documents

CySA+ Lessons 1-4 (Quiz 1) PDF

Description

Test your understanding of the three main categories of security controls: technical, operational, and managerial. This quiz covers examples of each type and explores their functions in safeguarding systems against cyber threats. Enhance your knowledge on preventative, detective, and corrective mechanisms.
