Eccouncil 312-85 practice test

Certified Threat Intelligence Analyst

Last exam update: Nov 22, 2025
Page 1 out of 4. Viewing questions 1-15 out of 50

Question 1

Daniel is a professional hacker whose aim is to attack a system to steal data and money for profit. He
performs hacking to obtain confidential data such as social security numbers, personally identifiable
information (PII) of employees, and credit card information. After obtaining the confidential data, he
sells the information on the black market to make money.
Which of the following types of threat actor does Daniel fall under?

  • A. Industrial spies
  • B. State-sponsored hackers
  • C. Insider threat
  • D. Organized hackers
Answer: D

Explanation:
Daniel's activities align with those typically associated with organized hackers. Organized hackers or
cybercriminals work in groups with the primary goal of financial gain through illegal activities such as
stealing and selling data. These groups often target large amounts of data, including personal and
financial information, which they can monetize by selling on the black market or dark web. Unlike
industrial spies who focus on corporate espionage or state-sponsored hackers who are backed by
nation-states for political or military objectives, organized hackers are motivated by profit. Insider
threats, on the other hand, come from within the organization and might not always be motivated by
financial gain. The actions described in the scenario—targeting personal and financial information for
sale—best fit the modus operandi of organized cybercriminal groups.
Reference:
ENISA (European Union Agency for Cybersecurity) Threat Landscape Report
Verizon Data Breach Investigations Report

Question 2

An attacker instructs bots to use a camouflage mechanism to hide his phishing and malware delivery
locations within a rapidly changing network of compromised bots. In this particular technique, a single
domain name maps to multiple IP addresses.
Which of the following techniques is used by the attacker?

  • A. DNS zone transfer
  • B. Dynamic DNS
  • C. DNS interrogation
  • D. Fast-Flux DNS
Answer: D

Explanation:
Fast-Flux DNS is a technique used by attackers to hide phishing and malware distribution sites behind
an ever-changing network of compromised hosts acting as proxies. It involves rapidly changing the
association of domain names with multiple IP addresses, making the detection and shutdown of
malicious sites more difficult. This technique contrasts with DNS zone transfers, which involve the
replication of DNS data across DNS servers, or Dynamic DNS, which typically involves the automatic
updating of DNS records for dynamic IP addresses, but not necessarily for malicious purposes. DNS
interrogation involves querying DNS servers to retrieve information about domain names, but it does
not involve hiding malicious content. Fast-Flux DNS specifically refers to the rapid changes in DNS
records to obfuscate the source of the malicious activity, aligning with the scenario described.
Reference:
SANS Institute InfoSec Reading Room
ICANN (Internet Corporation for Assigned Names and Numbers) Security and Stability Advisory
Committee

Question 3

Kathy wants to ensure that she shares threat intelligence containing sensitive information only with the
appropriate audience. Hence, she uses the Traffic Light Protocol (TLP).
Which TLP color signifies that information should be shared only within a particular community?

  • A. Red
  • B. White
  • C. Green
  • D. Amber
Answer: D

Explanation:
In the Traffic Light Protocol (TLP), the color amber signifies that the information should be limited to
those who have a need-to-know within the specified community or organization, and not further
disseminated without permission. TLP Red indicates information that should not be disclosed outside
of the originating organization. TLP Green indicates information that is limited to the community but
can be disseminated within the community without restriction. TLP White, or TLP Clear, indicates
information that can be shared freely with no restrictions. Therefore, for information meant to be
shared within a particular community with some restrictions on further dissemination, TLP Amber is
the appropriate designation.
Reference:
FIRST (Forum of Incident Response and Security Teams) Traffic Light Protocol (TLP) Guidelines
CISA (Cybersecurity and Infrastructure Security Agency) TLP Guidelines

Question 4

Moses, a threat intelligence analyst at InfoTec Inc., wants to find crucial information about the
potential threats the organization is facing by using advanced Google search operators. He wants to
identify whether any fake websites are hosted at URLs similar to the organization's URL.
Which of the following Google search queries should Moses use?

  • A. related: www.infothech.org
  • B. info: www.infothech.org
  • C. link: www.infothech.org
  • D. cache: www.infothech.org
Answer: A

Explanation:
The "related:" Google search operator is used to find websites that are similar or related to a
specified URL. In the context provided, Moses wants to identify fake websites that may be posing as
or are similar to his organization's official site. By using the "related:" operator followed by his
organization's URL, Google will return a list of websites that Google considers to be similar to the
specified site. This can help Moses identify potential impersonating websites that could be used for
phishing or other malicious activities. The "info:", "link:", and "cache:" operators serve different
purposes: "info:" provides information about the specified webpage, "link:" was formerly used to find
pages linking to a specific URL (but is now deprecated), and "cache:" shows the cached version of the
specified webpage.
Reference:
Google Search Operators Guide by Moz
Google Advanced Search Help Documentation

Question 5

A team of threat intelligence analysts is performing threat analysis on malware, and each of them
has come up with their own theory, along with evidence to support it, about the given malware.
Now, to identify the most consistent theory out of all of them, which of the following analytic
processes must the threat intelligence manager use?

  • A. Threat modelling
  • B. Application decomposition and analysis (ADA)
  • C. Analysis of competing hypotheses (ACH)
  • D. Automated technical analysis
Answer: C

Explanation:
Analysis of Competing Hypotheses (ACH) is an analytic process designed to help an analyst or a team
of analysts evaluate multiple competing hypotheses on an issue fairly and objectively. ACH assists in
identifying and analyzing the evidence for and against each hypothesis, ultimately aiding in
determining the most likely explanation. In the scenario where a team of threat intelligence analysts
has various theories on a particular malware, ACH would be the most appropriate method to assess
these competing theories systematically. ACH involves listing all possible hypotheses, collecting data
and evidence, and assessing the evidence's consistency with each hypothesis. This process helps in
minimizing cognitive biases and making a more informed decision on the most consistent theory.
Reference:
Richards J. Heuer Jr., "Psychology of Intelligence Analysis," Central Intelligence Agency
"A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis," Central
Intelligence Agency

Question 6

Miley, an analyst, wants to reduce the amount of collected data and make the storing and sharing
process easy. She uses filtering, tagging, and queuing techniques to sort out the relevant, structured
data from the large amounts of unstructured data.
Which of the following techniques was employed by Miley?

  • A. Sandboxing
  • B. Normalization
  • C. Data visualization
  • D. Convenience sampling
Answer: B

Explanation:
Normalization in the context of data analysis refers to the process of organizing data to reduce
redundancy and improve efficiency in storing and sharing. By filtering, tagging, and queuing, Miley is
effectively normalizing the data—converting it from various unstructured formats into a structured,
more accessible format. This makes the data easier to analyze, store, and share. Normalization is
crucial in cybersecurity and threat intelligence to manage the vast amounts of data collected and
ensure that only relevant data is retained and analyzed. This technique contrasts with sandboxing,
which is used for isolating and analyzing suspicious code; data visualization, which involves
representing data graphically; and convenience sampling, which is a method of sampling where
samples are taken from a group that is conveniently accessible.
Reference:
"The Application of Data Normalization to Database Security," International Journal of Computer
Science Issues
SANS Institute Reading Room, "Data Normalization Considerations in Cyber Threat Intelligence"

Question 7

Bob, a threat analyst, works in an organization named TechTop. He was asked to collect intelligence
to fulfil the needs and requirements of the Red Team present within the organization.
Which of the following are the needs of a Red Team?

  • A. Intelligence related to increased attacks targeting a particular software or operating system vulnerability
  • B. Intelligence on the latest vulnerabilities, threat actors, and their tactics, techniques, and procedures (TTPs)
  • C. Intelligence extracted from analysis of the latest attacks on similar organizations, including details about the latest threats and TTPs
  • D. Intelligence that reveals risks related to various strategic business decisions
Answer: B

Explanation:
Red Teams are tasked with emulating potential adversaries to test and improve the security posture
of an organization. They require intelligence on the latest vulnerabilities, threat actors, and their
TTPs to simulate realistic attack scenarios and identify potential weaknesses in the organization's
defenses. This information helps Red Teams in crafting their attack strategies to be as realistic and
relevant as possible, thereby providing valuable insights into how actual attackers might exploit the
organization's systems. This need contrasts with the requirements of other teams or roles within an
organization, such as strategic decision-makers, who might be more interested in intelligence related
to strategic risks, or Blue Teams, which focus on defending against and responding to attacks.
Reference:
Red Team Field Manual (RTFM)
MITRE ATT&CK Framework for understanding threat actor TTPs

Question 8

Michael, a threat analyst who works in an organization named TechTop, was asked to conduct a cyber-
threat intelligence analysis. After obtaining information regarding threats, he has started analyzing
the information and understanding the nature of the threats.
What stage of cyber-threat intelligence is Michael currently in?

  • A. Unknown unknowns
  • B. Unknowns unknown
  • C. Known unknowns
  • D. Known knowns
Answer: C

Explanation:
The "known unknowns" stage in cyber-threat intelligence refers to the phase where an analyst has
identified threats but the specific details, implications, or full nature of these threats are not yet fully
understood. Michael, in this scenario, has obtained information on threats and is in the process of
analyzing this information to understand the nature of the threats better. This stage involves
analyzing the known data to uncover additional insights and fill in the gaps in understanding, thereby
transitioning the "unknowns" into "knowns." This phase is critical in threat intelligence as it helps in
developing actionable intelligence by deepening the understanding of the threats faced.
Reference:
"Intelligence Analysis: A Target-Centric Approach," by Robert M. Clark
"Structured Analytic Techniques for Intelligence Analysis," by Richards J. Heuer Jr. and Randolph H.
Pherson

Question 9

Enrage Tech Company hired Enrique, a security analyst, to perform threat intelligence analysis.
During the data collection process, he used a counterintelligence mechanism in which a recursive
DNS server is employed for inter-server DNS communication: when a request is generated from any
name server to the recursive DNS server, the recursive DNS server logs the responses it receives.
The logged data is then replicated and stored in a central database. Using these logs, he analyzed
the malicious attempts that took place over the DNS infrastructure.
Which of the following cyber counterintelligence (CCI) gathering techniques has Enrique used for data
collection?

  • A. Data collection through passive DNS monitoring
  • B. Data collection through DNS interrogation
  • C. Data collection through DNS zone transfer
  • D. Data collection through dynamic DNS (DDNS)
Answer: A

Explanation:
Passive DNS monitoring involves collecting data about DNS queries and responses without actively
querying DNS servers, thereby not altering or interfering with DNS traffic. This technique allows
analysts to track changes in DNS records and observe patterns that may indicate malicious activity. In
the scenario described, Enrique is employing passive DNS monitoring by using a recursive DNS server
to log the responses received from name servers, storing these logs in a central database for analysis.
This approach is effective for identifying malicious domains, mapping malware campaigns, and
understanding threat actors' infrastructure without alerting them to the fact that they are being
monitored. This method is distinct from active techniques such as DNS interrogation or zone
transfers, which involve sending queries to DNS servers, and dynamic DNS, which refers to the
automatic updating of DNS records.
Reference:
SANS Institute InfoSec Reading Room, "Using Passive DNS to Enhance Cyber Threat Intelligence"
"Passive DNS Replication," by Florian Weimer, FIRST Conference Presentation

Question 10

John, a professional hacker, is trying to perform an APT attack on the target organization's network. He
gains access to a single system in the target organization and, using various techniques, tries to obtain
administrative login credentials to gain further access to the systems in the network.
What phase of the advanced persistent threat lifecycle is John currently in?

  • A. Initial intrusion
  • B. Search and exfiltration
  • C. Expansion
  • D. Persistence
Answer: C

Explanation:
The phase described where John, after gaining initial access, is attempting to obtain administrative
credentials to further access systems within the network, is known as the 'Expansion' phase of an
Advanced Persistent Threat (APT) lifecycle. This phase involves the attacker expanding their foothold
within the target's environment, often by escalating privileges, compromising additional systems,
and moving laterally through the network. The goal is to increase control over the network and
maintain persistence for ongoing access. This phase follows the initial intrusion and sets the stage for
establishing long-term presence and eventual data exfiltration or other malicious objectives.
Reference:
MITRE ATT&CK Framework, specifically the tactics related to Credential Access and Lateral
Movement
"APT Lifecycle: Detecting the Undetected," a whitepaper by CyberArk

Question 11

Jim works as a security analyst in a large multinational company. Recently, a group of hackers
penetrated the organizational network and used a data staging technique to collect sensitive
data. They collected all sorts of sensitive data about the employees and customers, business tactics of
the organization, financial information, network infrastructure information, and so on.
What should Jim do to detect the data staging before the hackers exfiltrate the data from the network?

  • A. Jim should identify the attack at an initial stage by checking the content of the user agent field.
  • B. Jim should analyze malicious DNS requests, DNS payload, unspecified domains, and destination of DNS requests.
  • C. Jim should monitor network traffic for malicious file transfers, file integrity monitoring, and event logs.
  • D. Jim should identify the web shell running in the network by analyzing server access, error logs, suspicious strings indicating encoding, user agent strings, and so on.
Answer: C

Explanation:
In the scenario described, where attackers have penetrated the network and are staging data for
exfiltration, Jim should focus on monitoring network traffic for signs of malicious file transfers,
implement file integrity monitoring, and scrutinize event logs. This approach is crucial for detecting
unusual activity that could indicate data staging, such as large volumes of data being moved to
uncommon locations, sudden changes in file integrity, or suspicious entries in event logs. Early
detection of these indicators can help in identifying the staging activity before the data is exfiltrated
from the network.
Reference:
NIST Special Publication 800-61 Rev. 2, "Computer Security Incident Handling Guide"
SANS Institute Reading Room, "Detecting Malicious Activity with DNS and NetFlow"

Question 12

Andrews and Sons Corp. has decided to share threat information among sharing partners. Garry, a
threat analyst working in Andrews and Sons Corp., has been asked to follow a trust model necessary to
establish trust between sharing partners. In the trust model used by him, the first organization makes
use of a body of evidence in a second organization, and the level of trust between the two organizations
depends on the degree and quality of evidence provided by the first organization.
Which of the following types of trust model is used by Garry to establish the trust?

  • A. Mediated trust
  • B. Mandated trust
  • C. Direct historical trust
  • D. Validated trust
Answer: D

Explanation:
In the trust model described, where trust between two organizations depends on the degree and
quality of evidence provided by the first organization, the model in use is 'Validated Trust.' This
model relies on the validation of evidence or credentials presented by one party to another to
establish trust. The validation process assesses the credibility, reliability, and relevance of the
information shared, forming the basis of the trust relationship between the sharing partners. This
approach is common in threat intelligence sharing where the accuracy and reliability of shared
information are critical.
Reference:
"Building a Cybersecurity Culture," ISACA
"Trust Models in Information Security," Journal of Internet Services and Applications

Question 13

A threat analyst obtains intelligence related to a threat, where the data is sent in the form of a
connection request from a remote host to the server. From this data, he obtains only the IP addresses
of the source and destination but no contextual information. While processing this data, he obtains
contextual information stating that multiple connection requests from different geo-locations are
received by the server within a short time span and, as a result, the server is stressed and its
performance has gradually degraded. He further analyzed the information based on past and present
experience and identified the attack experienced by the client organization.
Which of the following attacks was performed on the client organization?

  • A. DHCP attacks
  • B. MAC spoofing attack
  • C. Distributed Denial-of-Service (DDoS) attack
  • D. Bandwidth attack
Answer: C

Explanation:
The attack described, where multiple connection requests from different geo-locations are received
by a server within a short time span leading to stress and reduced performance, is indicative of a
Distributed Denial-of-Service (DDoS) attack. In a DDoS attack, the attacker floods the target's
resources (such as a server) with excessive requests from multiple sources, making it difficult for the
server to handle legitimate traffic, leading to degradation or outright unavailability of service. The
use of multiple geo-locations for the attack sources is a common characteristic of DDoS attacks,
making them harder to mitigate.
Reference:
"Understanding Denial-of-Service Attacks," US-CERT
"DDoS Quick Guide," DHS/NCCIC

Question 14

Jame, a professional hacker, is trying to hack into a target organization to obtain its confidential
information. He identified the vulnerabilities in the target system and created a tailored, deliverable
malicious payload from an exploit and a backdoor to send to the victim.
Which of the following phases of the cyber kill chain methodology is Jame executing?

  • A. Reconnaissance
  • B. Installation
  • C. Weaponization
  • D. Exploitation
Answer: C

Explanation:
In the cyber kill chain methodology, the phase where Jame is creating a tailored malicious
deliverable that includes an exploit and a backdoor is known as 'Weaponization'. During this phase,
the attacker prepares by coupling a payload, such as a virus or worm, with an exploit into a
deliverable format, intending to compromise the target's system. This step follows the initial
'Reconnaissance' phase, where the attacker gathers information on the target, and precedes the
'Delivery' phase, where the weaponized bundle is transmitted to the target. Weaponization involves
the preparation of the malware to exploit the identified vulnerabilities in the target system.
Reference:
Lockheed Martin's Cyber Kill Chain framework
"Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and
Intrusion Kill Chains," leading to the development of the Cyber Kill Chain framework

Question 15

Steve works as an analyst in a UK-based firm. He was asked to perform network monitoring to find
any evidence of compromise. During the network monitoring, he came to know that there were
multiple logins from different locations in a short time span. Moreover, he also observed irregular
login patterns from locations where the organization does not have business relations. This
suggests that somebody is trying to steal confidential information.
Which of the following key indicators of compromise does this scenario present?

  • A. Unusual outbound network traffic
  • B. Unexpected patching of systems
  • C. Unusual activity through privileged user account
  • D. Geographical anomalies
Answer: D

Explanation:
The scenario described by Steve's observations, where multiple logins are occurring from different
locations in a short time span, especially from locations where the organization has no business
relations, points to 'Geographical anomalies' as a key indicator of compromise (IoC). Geographical
anomalies in logins suggest unauthorized access attempts potentially made by attackers using
compromised credentials. This is particularly suspicious when the locations of these logins do not
align with the normal geographical footprint of the organization's operations or employee locations.
Monitoring for such anomalies can help in the early detection of unauthorized access and potential
data breaches.
Reference:
SANS Institute Reading Room, "Indicators of Compromise: Reality's Version of the Minority Report"
"Identifying Indicators of Compromise" by CERT-UK