- Define Known Threats:, - This is a threat that can be identified using basic signature or pattern matching., - Define “ Malware “:, - This is any software intentionally designed to cause damage to a computer, server, client, or computer network., - Define “ Documented Exploits “:, - This is a piece of software, data or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data., - Define “ Unknown Threats “:, - This a threat that cannot be identified using basic signature or patter., - Define a “ matching Zero-day Exploit “:, - This is an unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong.

- Define “ Obfuscated Malware Code “:, - This is Malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware., - Define “ Behavior-based Detection “:, - This is a malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior., - Define “ Recycled Threats “:, - Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning., - Define “ Known Unknowns “:, - This is a classification of malware that contains obfuscation techniques to circumvent signature-matching and detection., - Define “ Unknown Unknowns “:, - This is a classification of malware that contains completely new attack vectors and exploits.

- Define “ Threat Actors “:, - This is those who wish to harm networks or steal secure data., - Define” Hacker vs. Cracker in the media “:, - Crackers were hackers with malicious intent., - Hackers was the term hacker for computer enthusiast, but now media portrays them as having malicious intent as well., - Define and Categorize “ Hat based categories “:, - Define “ Black Hat Hacker “:, - This is an an unauthorized hacker /criminals., - Define “ White Hat Hacker “:, - This an ethical or authorized hacker., - Define the “ Gray Hat Hacker “:, - This is a semi-authorized hacker where it sometimes acts as a good or bad folk.

- What are the Basic activities that hackers perform:, - Social Media Profiling., - Social Engineering., - Network Scanning., - Fingerprinting., - Service Discovery., - Packet Capture.

- What are the 8 main types of threat actors:, - Define a “ Script Kiddie “:, - This uses other people’s tools to conduct their attacks as they do not have the skills to make their own tools., - Script kiddies often don’t understand what they’re doing., - Define a “ Insider Threat “:, - These are people who have authorized access to an organization’s network, policies, procedures, and business practices., - To prevent an insider threat, organizations need to have policies and enforcement technologies such as:, - Data Loss Prevention, - Internal Defenses, - SIEM Search, - 2 different types of insider threats:, - Intentional:, - This is an actor who deliberately seeks to cause harm., - Unintentional:, - An actor who causes harm because of carelessness., - What are the solid cybersecurity strategy to counter Insider Threats:, - Employee Education and Training, - Access Controls, - Incident Response Plans, - Regular Monitoring

- Define a “ Competitor “:, - This is a rogue business attempting to conduct cyber espionage against an organization., - Define “ Organized Crime “:, - This is focused on hacking and computer fraud to achieve financial gains., - Define a “ Hacktivist “:, - This is a politically - motivated hacker who targets governments or individuals to advance their political ideologies., - What is a “ Nation-State “:, - This is a group of attackers with exceptional capability, funding, and organization with an intent to hack a network or system., - Conducts highly covert hacks over long periods of time., - Not all APT are nation-states, but almost all nation-states are going to be considered an APT., - They’re going to be inside of a victimized network for six to nine months., - Many nation-states tried to present themselves as a threat actor inside of the other groups, so they can maintain a plausible deniability., - A nation-state actor refers to a government or government affiliated group that conducts cyber attacks.

- Define a “ Advanced Persistent Threat (APT) “:, - This is an attacker that establishes a long-term presence on a network in order to gather sensitive information., - The main goal of an APT is to harvest sensitive data, intellectual property, and other sensitive information., - “ Supply Chain Threats “:, - What are the Key differences between Nation-state and APT threat actors:, - Nation-state is affiliated with the government., - APT is a generic type of cyber attack that establishes long-term presence.

- Define “ Commodity Malware “:, - This is malicious software applications that are widely available for sale or easily obtainable and usable., - Targeted or custom malware is developed and deployed with a target in mind., - Identifying if the malware is commodity or targeted can help determine the severity of an incident., - Define a “ Zero-day Vulnerability “:, - This is a vulnerability that is discovered or exploited before the vendor can issue a patch to fix it., - Zero-day is usually applied to the vulnerability itself but can also refer to an attack or malware that exploits it., - Most adversaries will only use a zero-day vulnerability for high value attacks., - Define “ Advanced Persistent Threat (APT) “:, - This is an attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware., - APTs are considered a known unknown threat., - Define “ Command and Control (C2) “:, - This is an infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets., - APTs often target financial institutions, healthcare companies, and governments to get large PII data sets., - Define “ Persistence “:, - The is the ability of a threat actor to maintain covert access to a target host or network.

- Define “ Reputation Data “:, - These are Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains., - Define a “ Indicator of Compromise (IoC) “:, - This is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked., - What are some other “ Indicators of Compromises “:, - Unauthorized software and files, - Suspicious emails, - Suspicious registry and file system changes, - Unknown port and protocol usage, - Excessive bandwidth usage, - Rogue hardware, - Service disruption and defacement, - Suspicious or unauthorized account usage, - An IoC is evidence that an attack was successful.

- Define a “ Indicator of Attack (IoA) “:, - This is a term used for evidence of an intrusion attempt that is in progress., Define “ Behavioral Threat Research “:, - This is a term that refers to the correlation of IoCs into attack patterns., -Define “ Tactics, Techniques, and Procedures (TTP) “:, - These are Behavior patterns that were used in historical cyberattacks and adversary actions:, - DDoS, - Viruses or Worms, - Network Reconnaissance, - APTs, - Data Exfiltration, - Define “ Port Hopping “:, - An APT’s C2 application might use any port to communicate and may jump between different ports., - Define the “ Fast Flux DNS “:, - This is a technique rapidly changes the IP address associated with a domain., - Define “ Data Exfiltration “:, - This is the unauthorized transfer of data from a computer or other device.

- What are the 3 different attack frameworks:, - Lockheed Martin Kill Chain, - MITRE ATT&CK Framework, - Diamond Model of Intrusion Analysis, - Define the “ Lockheed Martin Kill Chain “:, - This describes the stages by which a threat actor progresses a network intrusion., - What are the steps of the Lockheed Martin Killchain:, - Reconnaissance:, - The attacker determines what methods to use to complete the phases of the attack., - Weaponization:, - The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system., - Delivery:, - The attacker identifies a vector by which to transmit the weaponized code to the target environment., - Exploitation:, - The weaponized code is executed on the target system., - Installation:, - This mechanism enables the weaponized code to run a remote access tool and achieve , - Command & Control (C2):, - The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.

- Actions on Objectives:, - The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives., - Kill Chain Analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage., - Define the “ MITRE ATT&CK Framework “:, - This is a knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)., - Define the “ pre-ATT&CK tactics matrix “:, - This is an additional matrix aligns to the reconnaissance and weaponization phases of the kill chain., - Define the “ Diamond Model of Intrusion Analysis “:, - This is a framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: , - adversary, - capability, - infrastructure, -victim

- Define “ Structured Threat Information eXpression (STIX) “:, - This is a standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework., - STIX is expressed in JavaScript Object Notation (JSON) format that consists of attribute: , - value pairs, - STIX is built from high-level STIX domain objects (SDO) that contain multiple attributes and values:, - Observed Data, - Indicator, - Attack Pattern, - Campaign and Threat Actors, - Course of Action (COA)

- STIX v1 used an XML-based format, but the exam only covers STIX v2., - Define “ Trusted Automated eXchange of Indicator Information (TAXII) “:, - A protocol for supplying codified information to automate incident detection and analysis., - Subscribers obtain updates to the data for their analysis tools using TAXII., - Define “ OpenIOC “:, - This is a framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis., - Define the “ Malware Information Sharing Project (MISP) “:, - MISP provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII.

- Here are the key controls that cover classifying threats:, - Organizational Controls:, - A.5.7 Threat Intelligence:, - This new control in ISO 27001:2022 directly addresses the need to collect and analyze information about information security threats to produce threat intelligence. , - This process involves understanding the nature of different threats, their potential impact, and the threat actors involved, which is a form of classification. , - By analyzing threat information, organizations can categorize threats based on their relevance and potential impact on their specific context., - Example:, - An organization might classify threats into categories like "phishing attacks targeting employees," "malware targeting critical infrastructure," or "denial-of-service attacks against public-facing services.", - A.5.12 Classification of Information:, - While primarily focused on classifying information assets based on confidentiality, integrity, and availability requirements, this control indirectly supports threat classification. , - Understanding the value and sensitivity of information helps prioritize which assets are most likely to be targeted by specific threats and the potential impact of a successful attack. , - This understanding aids in classifying threats based on the assets they target., - Example:., - Knowing that "customer financial data" is classified as highly confidential helps prioritize and classify threats that aim to exfiltrate this type of data as high-risk.

- A.5.36 Compliance with legal and contractual requirements:, - This control requires organizations to identify legal, statutory, regulatory, and contractual requirements related to information security and their approach to meeting these requirements. , - Different types of threats might trigger different legal or contractual obligations (e.g., data breaches involving personal data). , - Understanding these obligations helps classify threats based on their legal and contractual implications., - Example:, - A threat resulting in a data breach of personally identifiable information would be classified as a high-priority incident due to GDPR or CCPA requirements., - Technological Controls:, - A.8.12 Data leakage prevention:, - This control focuses on implementing measures to detect, prevent, and investigate data leakage incidents. , - Understanding the various ways data can be leaked (e.g., through email, removable media, cloud services) and the types of threats that exploit these channels is a form of threat classification that informs the implementation of appropriate prevention and detection mechanisms., - Example:.., - Classifying threats related to unauthorized data exfiltration via email helps in configuring email filtering and DLP tools to look for specific patterns and keywords associated with such threats., - A.8.16 Monitoring activities:, - This control emphasizes the need to monitor networks, systems, and applications for suspicious behavior and potential security incidents. , - Effective monitoring requires understanding different types of attack patterns and classifying anomalies to identify genuine threats from false positives., - Example:..., - Classifying network traffic anomalies as potential reconnaissance attempts helps security teams prioritize and investigate these events.