Cyber Threat Management: My Knowledge Check Answers

Explanation: Place the options in the following order:

Explanation: In the detection and analysis phase of the NIST incident response process life cycle, the CSIRT should immediately perform an initial analysis to determine the scope of the incident, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring.

Explanation: Family Education Records and Privacy Act (FERPA) is an US federal law that governs the access to education records. Under the law, parents must approve the disclosure of a student’s educational information to public entities prior to the actual disclosure. When a student turns 18 years old, or enters a postsecondary institution at any age, their rights under FERPA transfer from the parents to the student.

Explanation: Preventive security controls prevent unwanted or unauthorized activities from occurring and/or apply restrictions to authorized users.

Explanation: A network profile should include some important elements, such as the following:

• Total throughput – the amount of data passing from a given source to a given destination in a given period of time
• Session duration – the time between the establishment of a data flow and its termination
• Ports used – a list of TCP or UDP processes that are available to accept data
• Critical asset address space – the IP addresses or the logical location of essential systems or data

Explanation: Organizations with significant resources and cybersecurity expertise run penetration tests and red team exercises (simulated attack exercises) to gauge the security capabilities of an organization.

Explanation: Orchestration Automation and Response (SOAR) tools allow an organization to collect data about security threats from various sources, and respond to low-level events without human intervention.

Explanation: Network scanning can help a network administrator strengthen the security of the network and systems by identifying open TCP and UDP ports that could be targets of an attack.

Explanation: Operational exercises: At the most extreme are full operational exercises, or simulations. These are designed to interrupt services to verify that all aspects of a plan are in place and sufficient to respond to the type of incident that is being simulated.

Explanation: Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.

Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the policy element is to detail how incidents should be handled based on the mission and functions of an organization.

Explanation: There are various network security tools available for network security testing and evaluation. L0phtcrack can be used to perform password auditing and recovery. SuperScan is a Microsoft port scanning software that detects open TCP and UDP ports on systems. Nmap and Zenmap are low-level network scanners available to the public.

Explanation: The CVSS Base Metric Group has the following metrics: attack vector, attack complexity, privileges required, user interaction, and scope. The user interaction metric expresses the presence or absence of the requirement for user interaction in order for an exploit to be successful.

Explanation: The Payment Card Industry Data Security Standard (PCI DSS) governs how to protect credit card data as merchants and banks exchange transactions.

Explanation: Recovery security controls restore resources, functions and capabilities back to a normal state after a violation of a security policy.

Explanation: A penetration test is a safe way for an organization to test systems for weakness by using the same malicious techniques that are used by real hackers.

Explanation: NIST describes the digital forensics process as involving the following four steps:

• Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
• Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
• Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented.
• Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.

Explanation: Sniffing is effectively electronic eavesdropping on a network. It occurs when someone is examining all network traffic as it passes through their NIC, independent of whether the traffic is addressed to them or not. Criminals accomplish network sniffing using software, hardware, or a combination of the two.

Explanation: The Base Metric Group of CVSS represents the characteristics of a vulnerability that are constant over time and across contexts. It contains two classes of metrics, Exploitability and Impact.

Explanation: There are various network security tools available for network security testing and evaluation. Nessus can scan systems for software vulnerabilities. Metasploit is used for penetration testing and IDS signature development. Tripwire is used to assess if network devices are compliant with network security policies. Nmap is a low-level network scanner available to the public that an administrator can use to identify network layer protocol support on hosts. Nnmap can use decoy hosts to mask the source of the scan.

Explanation: A qualitative or quantitative risk analysis is used to identify and prioritize threats to the organization.

Explanation: There are four potential strategies for responding to risks that have been identified:

• Risk avoidance – Stop performing the activities that create risk.
• Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
• Risk sharing – Shift some of the risk to other parties.
• Risk retention – Accept the risk and its consequences.

Explanation: The Cisco Talos group collects information about active, existing, and emerging threats which can be used by Cisco Security products in real time to provide fast and effective security solutions.

Explanation: Professional ethics are principles that govern the behavior of a person or group in a business environment. A cybersecurity specialist needs to understand both the law and the interest of the organization to be able to make right decisions.

Explanation: Risk management is a formal process that reduces the impact of threats and vulnerabilities. The process involves four general steps:

• Frame the risk – Identify the threats throughout the organization that increase risk.
• Assess the risk – Once a risk has been identified, it is assessed and analyzed to determine the severity that the threat poses.
• Respond to the risk – Develop an action plan to reduce overall organization risk exposure. Management should rank and prioritize threats and a team determines how to respond to each threat.
• Monitor the risk – Continuously review risk reductions due to elimination, mitigation and transfer actions.

Explanation: The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.

Explanation: There are four phases in performing network penetration tests: planning, discovery, attack, and reporting.
Phase 2, discovery, is concerned with using passive and active reconnaissance techniques to gather information.

Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

• Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
• Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
• Delivery – The weapon is transmitted to the target using a delivery vector.
• Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
• Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
• Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
• Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

Explanation: Buying insurance transfers the risk to a third party.

Explanation: The resources element in the Diamond Model is used to describe one or more external resources used by the adversary for the intrusion event. The resources include software, knowledge gained by the adversary, information (e.g., username/passwords), and assets to carry out the attack.

Explanation: There are various network security tools available for network security testing and evaluation. SuperScan is a Microsoft port scanning software that detects open TCP and UDP ports on systems. Nmap and Zenmap are low-level network scanners available to the public. Tripwire is used to assess if network devices are compliant with network security policies. SIEM is used to provide real-time reporting of security events on the network.

Explanation: The MITRE framework is a global knowledge base of threat actor behavior. It is based on observation and analysis of real-world exploits with the purpose of describing the behavior of the attacker, not the attack itself. It is designed to enable automated information sharing by defining data structures for the exchange of information between its community of users and MITRE.

Explanation: There are four potential strategies for responding to risks that have been identified:

Risk avoidance – Stop performing the activities that create risk.
Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
Risk sharing – Shift some of the risk to other parties.
Risk retention – Accept the risk and its consequences.

Explanation: Two approaches to risk analysis are quantitative and qualitative. Qualitative analysis is based on opinions and scenarios.

Explanation: Access control prevents an unauthorized user from gaining access to sensitive data and networked systems. There are several technologies used to implement effective access control strategies.

Explanation: FireEye uses a three-pronged approach combining security intelligence, security expertise, and technology. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats.

Explanation: Important elements of a network profile include:

• Total throughput – the amount of data passing from a given source to a given destination in a given period of time
• Session duration – the time between the establishment of a data flow and its termination
• Ports used – a list of TCP or UDP processes that are available to accept data
• Critical asset address space – the IP addresses or the logical location of essential systems or data

Explanation: Place the options in the following order:

Explanation: The Diamond Model of intrusion contains four parts:

• Adversary – the parties responsible for the intrusion
• Capability – a tool or technique that the adversary uses to attack the victim
• Infrastructure – the network path or paths that the adversaries use to establish and maintain command and control over their capabilities
• Victim – the target of the attack

Explanation: Enacted in 1986 as an amendment to the Comprehensive Crime Control Act of 1984, CFAA prohibits unauthorized access to computer systems. Knowingly accessing a government computer without permission or accessing any computer used in or affecting interstate or foreign commerce is a criminal offense. The Act also criminalizes the trafficking of passwords or similar access information, as well as knowingly transmitting a program, code or a command that results in damage.

Explanation: Structured Threat Information Expression (STIX) is a set of specifications for exchanging cyberthreat information between organizations. Cyber Observable Expression (CybOX) is a set of standardized schema that specifies, captures, characterizes, and communicates events and properties of network operations and that supports many cybersecurity functions. Trusted Automated Exchange of Indicator Information (TAXII) is a specification for an application layer protocol that allows the communication of CTI over HTTPS and is designed to support STIX.

Explanation: When a threat actor prepares a weapon for an attack, the threat actor chooses an automated tool (weaponizer) that can be deployed through discovered vulnerabilities. Malware that will carry desired attacks is then built into the tool as the payload. The weapon (tool plus malware payload) will be delivered to the target system. By using a zero-day weaponizer, the threat actor hopes that the weapon will not be detected because it is unknown to security professionals and detection methods are not yet developed.

Explanation: Methodology – This is used to classify the general type of event, such as port scan, phishing, content delivery attack, syn flood, etc.

Explanation: There are six steps in the vulnerability management life cycle:
Discover
Prioritize assets
Assess
Report
Remediate
Verify

Explanation: Nmap is a low-level network scanner that is available to the public and which has the ability to perform port scanning, to identify open TCP and UDP ports, and perform system identification. It can also be used to identify Layer 3 protocols that are running on a system.

Explanation: The “Analyze” category of the workforce framework includes specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness.

Explanation: To recover infected user workstations, use clean and recent backups or rebuild the PCs with installation media if no backups are available or they have been compromised. Also, fully update and patch the operating system and installed software of all hosts. All users are encouraged to change their passwords for the workstation or workstations they use. Rebuilding DHCP servers is needed only if they are affected by the incident.Also not all devices need to change the name and password configuration setting unless they are affected by the incident.

Explanation: International Information Systems Security Certification Consortium (ISC2) is a network security organization that provides vendor neutral education products and career services.

Explanation: The Computer Fraud and Abuse Act (CFAA) provides the foundation for US laws criminalizing unauthorized access to computer systems.

Explanation: Employees in an organization are typically granted access to the data and information that they need to do their job. The U.S. government uses the “need to know” principle in its access control models.

Explanation: One of the primary functions of the SysAdmin, Audit, Network, Security (SANS) Institute is the maintenance of the Internet Storm Center early warning system.

Explanation: Asset management involves tracking the location and configuration of networked devices and software across an enterprise.

Explanation: Place the options in the following order:

Explanation: Risk mitigation lessens the exposure of an organization to threats and vulnerabilities by transferring, accepting, avoiding, or taking an action to reduce risk.

Explanation: A server profile will often contain the following:
Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
User accounts – the parameters defining user access and behavior
Service accounts – the definitions of the type of service that an application is allowed to run on a server
Software environment – the tasks, processes, and applications that are permitted to run on the server

Explanation: A cybersecurity specialist needs to be familiar with the different frameworks and models for managing information security.

Explanation: IT security governance determines who is authorized to make decisions about cybersecurity risks within an organization. There are several key roles in good data governance programs:

• Data owner -A person who ensures compliance with policies and procedures, assigns the proper classification to information assets, and determines the criteria for accessing information assets.
• Data controller – A person who determines the purposes for which, and the way in which, personal data is processed.
• Data custodian – A person who implements the classification and security controls for the data in accordance with the rules set out by the data owner.
• Data steward – A person who ensures that data supports an organization’s business needs and meets regulatory requirements.
• Data protection officer – A person who oversees an organization’s data protection strategy.

Explanation: A chain of custody refers to the documentation of evidence collected about an incident that is used by authorities during an investigation.

Explanation: A mandatory activity in risk assessment is the identification of threats and vulnerabilities and the matching of threats with vulnerabilities, also called threat-vulnerability (T-V) pairing.

Explanation: The attack vector is one of several metrics defined in the Common Vulnerability Scoring System (CVSS) Base Metric Group Exploitability metrics. The attack vector is how close the threat actor is to the vulnerable component. The farther away the threat actor is to the component, the higher the severity because threat actors close to the network are easier to detect and mitigate.

Explanation: A threat intelligence platform (TIP) centralizes the collection of threat data from numerous data sources and formats. TIP is designed to aggregate the data in one place and present it in a comprehensible and usable format. This is especially important as the volume of threat intelligence data can be overwhelming.

Explanation: A chain of custody refers to the proper accounting of evidence collected about an incident that is used as part of an investigation. The chain of custody should include the location of all evidence, the identifying information of all evidence such as serial numbers and hostnames, identifying information about all persons handing the evidence, and the time and date that the evidence was collected.

Explanation: Important elements of a network profile include:

• Total throughput – the amount of data passing from a given source to a given destination in a given period of time
• Session duration – the time between the establishment of a data flow and its termination
• Ports used – a list of TCP or UDP processes that are available to accept data
• Critical asset address space – the IP addresses or the logical location of essential systems or data

Explanation: SIEM, which is a combination of Security Information Management and Security Event Management products, is used for forensic analysis and provides real-time reporting of security events.

Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.

Explanation: Trusted Automated Exchange of Indicator Information (TAXII) is the specification for an application layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support Structured Threat Information Expression (STIX).

Explanation: The security policy of an organization accomplishes several tasks:

• It demonstrates the commitment to security by an organization.
• It sets the rules for expected behavior.
• It ensures consistency in system operations, and software and hardware acquisition use and maintenance.
• It defines the legal consequences of violations.
• It gives security staff the backing of management.

Explanation: There are many security tests that can be used to assess a network. Penetration testing is used to determine the possible consequences of successful attacks on the network. Integrity checking is used to detect and report changes made to systems. Vulnerability scanning is used to find weaknesses and misconfigurations on network systems. Network scanning is used to discover available resources on the network.

Explanation: Organizations will implement corrective access controls after a system experiences a threat. Recovery security controls restore resources, functions and capabilities back to a normal state after a violation of a security policy.

Explanation: When evaluating a cyber security risk, the analyst takes into account the likelihood of an attack occurring, who the potential threat actors might be, as well as the consequences that might occur if the exploit is successful.

Explanation: The steps in the Vulnerability Management Life Cycle include these:

• Discover – inventory all assets across the network and identify host details, including operating systems and open services to identify vulnerabilities
• Prioritize assets – categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations
• Assess – determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability threats, and asset classification
• Report – measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities
• Remediate – prioritize according to business risk and fix vulnerabilities in order of risk
• Verify – verify that threats have been eliminated through follow-up audits

Explanation: CybOX is an open standards set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations that support many cybersecurity functions.

Explanation: Tripwire – This tool assesses and validates IT configurations against internal policies, compliance standards, and security best practices.

Explanation: The meta-feature element results are used to delineate what the adversary gained from the intrusion event.

Explanation: There are six steps in the vulnerability management life cycle:

• Discover
• Prioritize assets
• Assess
• Report
• Remediate
• Verify

Explanation: The Cloud Security Alliance (CSA) provides security guidance to any organization that uses cloud computing or wants to assess the overall security risk of a cloud provider.