Pass CompTIA CySA+ Certification Exams in First Attempt Easily
- Premium File 254 Questions & Answers
Last Update: Dec 4, 2022
- Training Course 272 Lectures
- Study Guide 1003 Pages
1. Threat Intelligence Sharing (Introduction)
In this section of the course, we're going to cover threat intelligence sharing. Now, our focus in this section is going to be on domain one, objectives 1.1 and 1.2. Objective 1.1 states that you have to be able to explain the importance of threat data and intelligence. Objective 1.2 states that, given a scenario, you must be able to utilise threat intelligence to support organisational security. Now, as we move through this section, we're going to start out with an overview of security intelligence and threat intelligence. Then we're going to move into the five steps of the intelligence cycle. After that, we're going to talk about sources of intelligence and the factors that identify the value of threat intelligence: things like timeliness, relevancy, accuracy, and confidence level. Then we're going to talk about the value of public and private partnerships that allow for the dissemination of sector-specific threat intelligence to our organizations, depending on where we work. Finally, we're going to describe the dissemination of threat information to support risk management and our security engineering, incident response, vulnerability management, and detection and monitoring functions within our organizations. So let's jump right in.
2. Security and Threat Intelligence (OBJ 1.1)
Security and threat intelligence. These days, we have to use intelligence-driven defence to create a solid defensive posture. We can't rely on the way we've done things historically. Now, historically, our focus was on configurations. We would set up the right firewalls, the right ACLs, and install the right antivirus, and then we would say, "Hey, we're protected." But these days, that simply isn't enough. While all these technologies are very important, they don't by themselves give you enough defence against a thinking adversary that uses modern cyber attacks. So instead, it's really important for us to think about the ideas of security intelligence and cyber threat intelligence. And that's what we're going to focus on in this lesson. Now, security intelligence is the process through which data is generated in the ongoing use of the information system. That data is going to be collected, processed, analyzed, and disseminated to provide us with insights into the security status of those systems. So if you think of a standard system administrator, they log things on their system and then review those logs. That is a form of security intelligence. It lets them understand what their system is doing as they go through their firewall logs, their intrusion detection alerts, and other things like that. You're gaining an understanding of your network's internal posture and the security posture of your organization. Now, on the other hand, we have to consider our cyber threat intelligence as well.
Now, cyber threat intelligence is the process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources to provide data about the external threat landscape. So when we're talking about security intelligence, we're thinking inward: how are our systems looking? But when we think about cyber threat intelligence, we're looking outward. We're thinking about the attacker groups; we're thinking about malware outbreaks; we're thinking about zero-day exploits and things like that, all those bad things that are out there that can attack us and hurt us. That is what we're focused on when we're doing cyber threat intelligence. And we need both of these. We need to know our posture with security intelligence, but we also have to know what can attack us using cyber threat intelligence. Now, when we look at cyber threat intelligence, it really does come to us in two forms. It can come in the form of a narrative report or a data feed. Now, when we're dealing with a narrative report, this is going to give us the analysis of a certain adversary group or a certain type of malware, and we're going to get a written report based on that. There are a lot of places you can buy these from, and these come in a format that was manually created by a threat analyst. And so if you get a job as an intelligence analyst or a threat analyst, you may spend all day going through different packet captures and going through honeypots, learning about some kind of adversary or malware, and then writing a report on it. And these reports are then sold to all the different SOCs around the world, who use them in the defence of their networks. Now, this is very useful at a strategic level.
This gives you intelligence about what the bad guys are doing, and that can help us decide where we want to put money and which security controls we want to have to be able to defend ourselves from these bad guys and their types of attacks. Now, on the other hand, we also have data feeds. A data feed can be a list of known bad indicators: indicators of compromise such as domain names, IP addresses, or hashes of exploit and malware code. All of these types of things are tactical-level information. This gives us something that is very operational, something we can act on. If you tell me that this IP address is a known bad IP, I can block it in my firewall so no connections can go to it, right? That's the idea with a data feed. Now, which one is better? Do we want data feeds or narrative reports? Well, we want both. We don't want to use just one or the other. We have to use both to get the best security for our networks. We're going to use those narrative reports to get the big picture of what the landscape looks like, and then we're going to use the data feeds to get those specific tactical things that we can programme our sensors and our defences against to be able to protect ourselves.
Now, the combination of both of these is very useful to us, and it allows us to have a better security posture for our organization. Now, if you want to be able to sign up for some of these data feeds or these narrative reports, your organisation can do that. And most of this is done as a monthly subscription or a yearly subscription. There are a lot of companies out there that do this, like McAfee, FireEye, Red Canary, and many, many other ones. For example, if you want to learn more about a specific adversary or a certain tactic, you could search for that on Google or use your subscription to one of these services. In one of my previous organizations, we had a subscription to the FireEye service. And so if I wanted to learn more about APT28, which happens to be a group of Russian hackers, I could learn more about them and the techniques they use. And in that report, it tells me what type of targets they're going after. Are they going after military or commercial targets? Are they going after the banking sector or the film industry? And then we can see how that affects me and my industry and how we can better defend against it. If you want to see an example of one of these reports, you can go to Google and type in "APT28 FireEye PDF". This report will come up, and you can see what these look like. They're generally around 20 to 30 pages, and they give you a lot of great information about a particular adversary group or a specific malware type.
3. Intelligence Cycle (OBJ 1.1)
The security intelligence cycle. Now, intelligence is a process. It's not just about collecting data: you have to plan what to collect, actually collect it, and then process it. So when you look at the process, it's going to start out with requirements, planning, and direction.
This is where we're going to be focused on what we want to collect and figuring out how we can best do that. Then we move into our second phase, which is collection and processing. Now that we know what we want to collect, we have to go about actually collecting it. Third, we need to move into analysis, where we start taking all that data we have and start looking through it to try to make some decisions based on it. And then we move into our fourth phase, which is dissemination. This is how we take that information that we've analysed and present it to other people. And then we move into our fifth phase, which is feedback. This is how we look back through the cycle, see what went right, what went wrong, and what we could do better. And then we start it all over again. Let's take a more in-depth look at each of these five phases as we move through the security intelligence cycle. First, we want to talk about the requirements phase. Now, requirements also include planning and direction. The requirements phase is going to set up the goals for the intelligence gathering effort. At this point, we need to figure out what it is that we want to collect. That way, we can figure out what we care about and where we want to spend our time, money, and resources.
This is really important, because if you don't understand what your goals are and what your use cases are for this data, you're going to be spending a lot of time and a lot of money collecting a lot of data for no reason at all. For example, if I worked for an auto manufacturer like Tesla, Honda, or Ford, I would probably want to make sure that we're gathering intelligence on any threats to automobile systems, especially if you're somebody like Tesla that's trying to work towards self-driving cars. There's a big cyber-threat component to that. And so we'd want to be looking out there at the entire landscape to figure out what adversaries are out there, what APTs are out there, and what type of malware and vulnerabilities are out there for our type of systems that could affect the safety of our systems. Similarly, we might also look at any kind of thing that would affect our supply chain. We have to buy those computers somewhere, right? And so we need to make sure we understand what threats exist there and how we can mitigate those risks. There's a lot of information out there. And what is the idea here about gathering requirements? The planning and direction part is figuring out what we want to measure. That's what we have to deal with here. Now, another thing we have to think about here is any kind of special factors or constraints we might have. For example, depending on the type of government you work for, there are certain things you can and cannot collect on your citizens. For example, I'm in the United States. The US has a policy that they cannot collect information on US citizens. So if you work for the NSA or the CIA, they are not allowed to collect information on me as a US citizen, no matter if I'm sitting in the United States or if I'm sitting abroad. If I'm a US citizen, they can't collect on me. That's part of the rules. And so there are legal restrictions on what they can and cannot do.
For instance, if they want to collect information on me, they would have to go and get a warrant to do that because, as a US citizen, I am protected by the Fourth Amendment against unlawful search and seizure. Every country has different rules. Every location has different rules.
So your organisation is going to have to consider that as you're planning what your collection process is going to be. So now that we've considered all of that and figured out what we want to plan to do, we now need to actually move into collection. The second phase is collection and processing. The collection process is implemented by software tools such as SIEMs, and then the data is processed for later analysis. Now, when we collect things, this is where we're gathering all the data. So if I put a network sensor out there that's collecting PCAP data, packet capture data, it can collect all the information and send it back to a centralised server. I may collect logs from a router, from an intrusion detection system, from a firewall, from servers, or from endpoints. All that data has to be collected and then sent someplace. Generally, we'll put this into a SIEM, which is a security information and event management system, and then we can use that as our central point for all the collection. Now, the one challenge we have, though, is that all this data is coming from different systems, right? Well, when all this stuff is coming from different systems, it might come in a different format. So we need to normalise that data, and that is the processing part. This is where we'll convert all the data into a standard format that a single solution, like a single SIEM, can actually use. This means all the source IP addresses will be in a certain column, all the destinations will be in another column, and all the timestamps will be in a third column. And in this way, we can search and index all of this information and use it later in our analysis cycle when we are looking for those things. Now, another consideration you have to think about is: how are you going to keep all this data secure? So we just took all of this data from our network and sensors and put it in the SIEM. Well, we need to make sure we protect that SIEM too.
And so we might be using things like encryption on the SIEM. We might be using things like access control on the SIEM.
We could be using things like hashing on the SIEM for integrity. All that data needs to be protected as well because if it's useful to us, it could also be useful to an attacker. The third step we're going to have is going into the analysis process. Now, the analysis phase is performed against the given use cases that we had from our planning phase. And we can utilise things like automated analysis, artificial intelligence, and machine learning. Now, this is really important because there is so much data that we are collecting at this point that a single person cannot read it and analyse it fast enough. So we have to use some sort of way to automate this. So these days, one of the most common ways of attacking this problem is by separating our data first into three buckets. First, what do we know is good? Second, what do we know is bad? And third, what we're really concerned with is what we're not sure of. Because, once again, if it's known to be good, we'll allow it. If it's bad, we're going to block it. If we're not sure, that's where further analysis needs to be done. Now, because there's so much data at this point, we have to use things like machine learning and artificial intelligence to help our humans go through this data because there is just so much stuff going over our networks. Our processing step has already normalised the data, and now, in our analysis, we can filter it, we can organise it into a useful form, and we can start doing our analysis on it. Now, all the analysis we do should be done in the context of a use case. And these use cases were developed all the way back in our planning phase. This says I'm interested in this type of information for this reason. There might be some interesting information out there, but if it doesn't impact business decisions for you and your organization, why do you even care? And that's the idea here.
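An added example (not from the course) of the processing and analysis steps just described: two constructed log formats, a hypothetical firewall syslog line and a hypothetical IDS CSV line, are normalised into the same columns (timestamp, src_ip, dst_ip), then each record is sorted into the known-good, known-bad, or unsure bucket using an internal-range allowlist and a constructed known-bad feed. The formats, address ranges and feed contents are all assumptions for illustration.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample logs in two different formats, as a SIEM would receive them.
# These are hypothetical formats, not any vendor's real syntax.
FIREWALL_LOGS = [
    "Dec 04 10:15:01 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "Dec 04 10:15:09 fw1 ALLOW src=10.0.0.21 dst=10.0.0.5 dport=443",
]
IDS_LOGS = [
    "2022-12-04T10:15:02Z,ids1,alert,198.51.100.9,10.0.0.5,ET SCAN",
    "2022-12-04T10:15:30Z,ids1,alert,192.0.2.44,10.0.0.8,ET POLICY",
]

FW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def normalize_firewall(line, year=2022):
    """Parse a syslog-style firewall line into the common record layout.
    Syslog timestamps carry no year, so the year is supplied by the caller."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts.replace(tzinfo=timezone.utc), "source": m["host"],
            "src_ip": m["src"], "dst_ip": m["dst"], "detail": m["action"]}


def normalize_ids(line):
    """Parse a CSV-style IDS alert line into the same common record layout."""
    parts = line.split(",")
    if len(parts) != 6:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return {"timestamp": ts.replace(tzinfo=timezone.utc), "source": parts[1],
            "src_ip": parts[3], "dst_ip": parts[4], "detail": parts[5]}


def normalize_all(firewall_lines, ids_lines):
    """Normalise both feeds and order them on the shared timestamp column,
    so events from different sensors can be searched and correlated together."""
    records = [r for r in map(normalize_firewall, firewall_lines) if r]
    records += [r for r in map(normalize_ids, ids_lines) if r]
    return sorted(records, key=lambda r: r["timestamp"])


# Constructed allowlist (internal range) and known-bad feed (TEST-NET addresses).
KNOWN_GOOD = [ip_network("10.0.0.0/8")]
KNOWN_BAD = {"203.0.113.7", "198.51.100.9"}


def triage(record):
    """Three-bucket analysis: known bad is checked first so that a bad indicator
    can never be hidden by an allowlist match."""
    src = ip_address(record["src_ip"])
    if record["src_ip"] in KNOWN_BAD:
        return "bad"
    if any(src in net for net in KNOWN_GOOD):
        return "good"
    return "unsure"   # neither list knows it: this bucket goes to the analyst


def bucket_records(records):
    buckets = {"good": [], "bad": [], "unsure": []}
    for r in records:
        buckets[triage(r)].append(r)
    return buckets


if __name__ == "__main__":
    for name, recs in bucket_records(normalize_all(FIREWALL_LOGS, IDS_LOGS)).items():
        print(name, [r["src_ip"] for r in recs])
```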
Our job here is to go through these large data sets, and we want to start figuring out what doesn't look right, what looks funky, and what is not going to be good for our organization.
And we want to start building our models against that. For example, if I start looking through the domain authentications that are occurring in your organisation and I know what good looks like and I know what bad looks like, there may be some things there that are suspect, and they may be the indication of an insider threat. And so if I'm looking at that through the lens of an insider threat use case, that will help me do my analysis better and use the right filters and query strings to extract the relevant data that I need. Now, the fourth phase is dissemination, and the dissemination phase refers to publishing the information produced by an analyst to a consumer who needs to act on the insights developed. Now, this can take a lot of different forms, and it depends on your organisation and what the intended audience is. You may have oral reports, you may have written reports, you may have a PowerPoint presentation, or you may have an email. It really does depend on your organization. Now, three of the most common ways we like to break up this dissemination are by level of intelligence. It can be strategic, operational, or tactical. When it's strategic intelligence, this is going to address broad themes and objectives, and these usually affect projects and business priorities over weeks, months, and years. Most often, I see this done as a report to an executive or a PowerPoint presentation to a large group. The second one we have is operational intelligence. Now, operational intelligence is going to address the day-to-day priorities of managers and specialists. Oftentimes I'll see this put out as a checklist of "these are the things you should be worried about today" and "these are the things we need to focus on today." The third type we have is tactical intelligence, and tactical intelligence informs real-time decisions made by staff as they encounter different alerts and system indications.
So, if you're sitting on the SOC watch floor and an alert appears on your screen, that's tactical intelligence. It needs to be dealt with right now, and it is real time.
Our fifth and final phase of the cycle is feedback and review. Now, this phase aims to clarify the requirements and improve the collection, analysis, and dissemination of information by reviewing the current inputs and outputs. Basically, how can we do things better? That's our goal. We always want to improve the implementation of our requirements, our collection, our analysis, and our dissemination, and to get better at what we do over time. For example, you might be applying lessons learned by figuring out what incidents occurred during the intelligence gathering this cycle so we can avoid those problems next cycle. We might want to figure out how we're going to measure success: what metrics are going to show the success or failure of the intelligence gathering? We also want to think about evolving threat issues. Maybe we've been looking a lot at phishing, but now we're seeing that phishing isn't popular. Instead, people are going after "bring your own device" (BYOD). And so we want to start shifting our intelligence collection towards that threat vector. These are the kind of things you want to think about as you move through the intelligence lifecycle. So one more time, as a quick review, the five phases of the intelligence lifecycle are: one, requirements (planning and direction); two, collection and processing; three, analysis; four, dissemination; and five, feedback.
4. Intelligence Sources (OBJ 1.1)
Intelligence sources. Now, in addition to having our five phases of the lifecycle, we have to dive a little bit deeper into one particular phase, the collection and processing phase. This is important because we have to consider the sources of our intelligence. Now, there are lots of different sources of intelligence that we can get out there, but not all are created equal, and so we have to be able to identify some factors to weigh the value of the intelligence that we're getting. Now, there are several factors that we can use: timeliness, relevancy, accuracy, and confidence level. When we talk about timeliness, this is the property of an intelligence source that ensures that it is up-to-date because, over time, the information is not nearly as valuable. If I know that somebody has been attacking your network today and I don't tell you about it for three years, it's not going to be very useful to you. It would be a lot more useful if I told you today. And so that's the idea with timeliness: once an adversary understands they've been identified, they're going to change tactics and they're going to change the way they do things, and that means the report that you wrote today may not be valid in a week, three weeks, three months, or three years from now because things change, and so timeliness is important. Our second factor is relevancy.
Now, this is the property of an intelligence source that ensures it matches the use case it was intended for. Let's go back to my example of working for a large auto manufacturer. If I start seeing that there are a lot of attacks going against the Mac OS X operating system, does that really apply to me as somebody who is running a car company and is using Windows machines or is using Linux in my embedded systems? Probably not. As a result, it's not at all relevant to my use case. And so you need to consider that as you're looking at all the different information out there because it can be overwhelming, and you have to think about what affects my organisation so I can defend against it. The third area is accuracy. Now, accuracy is the property of an intelligence source that ensures that it produces effective results. This means that the information needs to be valid and true. If you tell me that I've been attacked and I look and I can't find anything, well, was I really attacked, or was your information bad? We really don't know, and so it's really important to make sure the information we're getting is accurate. This means we want to try to eliminate as many false positives as possible, especially when using automated software and machine learning and artificial intelligence, and make sure that we're getting the right information so that we can do our analysis properly on good information and make good decisions.
The fourth and final factor we have to consider is confidence levels. Now, this is the property of an intelligence source that ensures it produces qualified statements about reliability. When an analyst publishes a report, they don't have 100% of the facts. It's just the way this works. We are trying to work our way through this, and we're getting lots of different pieces of information and lots of different indicators, and we try to put together the best report we can. Well, when we deal with this and we start taking all these sources, we have to look at these sources and figure out: are they reliable? Are they accurate? Are they relevant, and are they timely? And when we start talking about confidence level, we are going to actually put a grade on it for how good we think that information is. For example, the MISP project codifies the use of the Admiralty scale for grading data and estimative language. Now, you can choose any scale you want, but the Admiralty scale is one of the more common ones. The way this works is that it breaks the grade down into two areas. It evaluates the information based on source reliability and information content. If I look at the source's reliability, this is going to get a letter grade from A through F. It tells you if it's reliable all the way down to "I can't judge the reliability." For example, if I got this piece of data from my own sensors and I trusted them, then there's no doubt this is reliable. Give it a grade of A. Next, we have the information content, and when we grade this, we do it on a scale of one to six. Now, when we grade this from one to six, we're going to say that this could be confirmed or that it cannot be judged. When I confirm it, this means that I had multiple independent sources that told me this information. It's not just hearsay from one person.
Now, as I go down the scale, I get less and less stringent on how well I can confirm that information all the way down to "cannot be judged," which means it's basically just a best guess. Now, this is useful, especially when reporting up to higher authorities or up to your bosses, because you can say, "Hey, I have this information. I heard there's this threat, but I'm not really confident about it. It only has a grade letter of C," and you may take fewer actions against it than against something that has a grade letter of A, because A is much more certain. And this is the idea when you deal with the Admiralty scale. For the exam, you do not need to know the Admiralty scale in depth, but it is something I want to make you aware of because you may see it out in the workplace. Now, the next thing we need to talk about are the three places you can get information from. You can find information that's proprietary, closed-source, or open-source. The first source we have is what's known as proprietary. Proprietary intelligence is threat intelligence that comes as a commercial service offering where you're going to pay for access to these updates and research based on a subscription fee. Some of these commercial services are simply repackaging information available in free public registries without including any of their own data. And these aren't nearly as useful. This brings us to the second type, which is closed-source data. Now, closed-source data is data that's derived from the provider's own research and analysis efforts, such as data from honeypots as they operate, plus information that's mined from their other customer systems and suitably anonymized.
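An added example (not from the course or from MISP) of the Admiralty-scale grading and timeliness factors described above: each constructed indicator carries a source-reliability letter (A to F) and an information-credibility digit (1 to 6); indicators reported by more than one independent source are upgraded to "confirmed" (1), and a stale indicator is sent back for review rather than acted on. The feed contents, the 30-day freshness window and the block/monitor/review thresholds are assumptions, not part of the scale itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Admiralty scale as presented in the lesson: a letter for the source, a digit
# for the information. Descriptions follow the common wording of the scale.
SOURCE_RELIABILITY = {
    "A": "Completely reliable", "B": "Usually reliable", "C": "Fairly reliable",
    "D": "Not usually reliable", "E": "Unreliable", "F": "Reliability cannot be judged",
}
INFO_CREDIBILITY = {
    1: "Confirmed by other sources", 2: "Probably true", 3: "Possibly true",
    4: "Doubtful", 5: "Improbable", 6: "Truth cannot be judged",
}


@dataclass
class Indicator:
    value: str            # e.g. an IP address from a data feed
    source: str           # who reported it
    reliability: str      # A-F
    credibility: int      # 1-6
    first_seen: datetime  # when the report was made (for timeliness)


def grade(ind):
    """Return the combined Admiralty grade, e.g. 'A1' or 'C3'."""
    if ind.reliability not in SOURCE_RELIABILITY or ind.credibility not in INFO_CREDIBILITY:
        raise ValueError(f"invalid grade {ind.reliability}{ind.credibility}")
    return f"{ind.reliability}{ind.credibility}"


def corroborate(indicators):
    """Merge reports of the same value. A value reported by two or more distinct
    sources is treated as confirmed (credibility 1); otherwise the best single
    grade is kept. The earliest report date is kept for the timeliness check."""
    by_value = {}
    for ind in indicators:
        by_value.setdefault(ind.value, []).append(ind)
    merged = []
    for value, group in by_value.items():
        sources = {g.source for g in group}
        best = min(group, key=lambda g: (g.reliability, g.credibility))  # 'A1' sorts first
        credibility = 1 if len(sources) > 1 else best.credibility
        merged.append(Indicator(value, ",".join(sorted(sources)), best.reliability,
                                credibility, min(g.first_seen for g in group)))
    return merged


def recommend_action(ind, now, max_age=timedelta(days=30)):
    """Assumed handling policy (an illustration, not from the lesson): act
    automatically only on fresh, well-graded indicators; anything stale goes
    back to an analyst because the adversary may have changed tactics."""
    grade(ind)  # validate the grade before reasoning about it
    if now - ind.first_seen > max_age:
        return "review"
    if ind.reliability in {"A", "B"} and ind.credibility <= 2:
        return "block"
    if ind.reliability in {"A", "B", "C"} and ind.credibility <= 3:
        return "monitor"
    return "review"


# Constructed feed: TEST-NET addresses and made-up source names.
NOW = datetime(2022, 12, 4, tzinfo=timezone.utc)
FEED = [
    Indicator("203.0.113.7", "own-sensors", "A", 2, NOW - timedelta(days=1)),
    Indicator("203.0.113.7", "vendor-feed", "B", 3, NOW - timedelta(days=2)),
    Indicator("198.51.100.9", "vendor-feed", "C", 3, NOW - timedelta(days=5)),
    Indicator("192.0.2.44", "forum-rumour", "E", 5, NOW - timedelta(days=1)),
    Indicator("203.0.113.99", "vendor-feed", "A", 1, NOW - timedelta(days=90)),
]


def triage_feed(feed, now=NOW):
    """Map each distinct indicator value to (grade, recommended action)."""
    return {ind.value: (grade(ind), recommend_action(ind, now)) for ind in corroborate(feed)}


if __name__ == "__main__":
    for value, (g, action) in triage_feed(FEED).items():
        print(f"{value:14} {g}  {action}")
```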
So for example, if you and 1000 other people all subscribe to a certain service, and they're monitoring your networks, they can collect all that data from the 1000 users and then be able to produce analysis and reports based off of that in an anonymized fashion and send them back to those 1000 users so you all can share the information. Now, a good example of this is FireEye. FireEye is a proprietary information source that is closed source. They provide their own data, and you can subscribe using their threat intelligence subscription service to get data and updates from them. Now, the third type we have is what's known as open source. Open source is data that's available for use without a subscription, and this may include threat feeds similar to those from commercial providers. It can also contain reputation lists and malware signature databases too. There are a lot of great sources of open-source intelligence out there. And so if your organisation is a little wary about spending a lot of money on commercial source information, they can start out with open source information and then upgrade from there later on.
Now, when you talk about open source intelligence, there are lots of different sources. First we have US-CERT, which is the United States Computer Emergency Readiness Team. This provides you with feeds of current activity and alert news, plus regular bulletins and analysis reports. They also have a bidirectional threat feed called Automated Indicator Sharing (AIS) that you can use. The next one we have is the UK's National Cyber Security Centre, which provides similar services to US-CERT. There are some other ones out there as well, though. We have AT&T Security, which was previously AlienVault Open Threat Exchange (OTX) before AlienVault was bought out by AT&T. We have MISP, which we talked about before. This is the Malware Information Sharing Project, and again, it's an open source intelligence feed that you can use. We also have VirusTotal, which is a great place to upload any file you're not sure of. If you upload this file, it will check across 40 to 50 different antivirus products to see if any of them know whether it's a virus or not, and it's a public repository for malware. Another one we have is Spamhaus, which is very focused on spam and email. And finally, we have the SANS ISC suspicious domains list, which, as the name implies, is focused on providing a feed of suspicious domains that they think might be malicious. Now, all of these feeds are really great and they provide you with what's known as explicit knowledge, which is knowledge you can write down, see, feel, and touch. But there's another great source of knowledge out there too, and it's known as implicit knowledge.
Implicit knowledge is really useful, but you can only get it from experienced practitioners in the field. This is kind of that sense that they have, that they just go, "I know something is wrong here because of my 20 years of experience." Now, they may not always have the latest trends in cybersecurity, although most of the time they do, but they also have the ability to give you that attitude and instinct because of their career as a cybersecurity professional. Over time, you're going to develop this as you become a senior cybersecurity analyst, where you just know this is wrong because you've seen it 100 times before, and you start getting this feeling of what's going to come next based on your experience. And that is something that we call implicit knowledge because you can't write it down or codify it in a procedure. It's just something you know based on your years of experience. Now, the last thing I want to mention here is what's known as OSINT. Now, open source intelligence, or OSINT, is a very popular thing these days. This is a method of obtaining information about a person or organisation through public records, websites, and social media. We're going to talk about this later on as we talk about pen testing and other parts of the course. However, when you look at your organisation from the outside, anything that people can find out about you on Google, Facebook, or by performing enumeration scans is considered public. There are ways for you to get information from public records, websites, and social media. So we'll talk more about that later on. But I just want to introduce that concept now because it is a form of open source intelligence that a lot of people consider.
5. Information Sharing and Analysis Centers (ISACs) (OBJ 1.1)
Information Sharing and Analysis Centers began back in the 1990s as a form of a public-private partnership here in the United States. For each critical industry, an ISAC was set up. An ISAC is a not-for-profit group set up to share sector-specific threats, intelligence, and security best practises among its members. Now, these were set up here in the United States, but over in the UK they have a similar thing known as CiSP, which is the Cyber Security Information Sharing Partnership. And this serves a similar purpose over there. Now, as I said, there is an ISAC for many different industries. For instance, there's one for critical infrastructure, one for government, one for health care, one for finance, and one for aviation. These are the ones we're going to cover in this lesson, but there are many other ones out there. For the exam, you don't have to delve too deeply into an ISAC to understand what it is and how it works. So let's talk about critical infrastructure first. What is critical infrastructure? Well, critical infrastructure is defined by the Department of Homeland Security here in the United States. They define it as any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these.
Basically, these are really important things. These include the chemical sector, the commercial facilities sector, the communications sector, the critical manufacturing sector, the dams sector, the defence industrial base sector, the emergency services sector, the energy sector, the financial services sector, the food and agriculture sector, the government facilities sector, the healthcare and public health sector, the information technology sector, the nuclear reactors, materials, and waste sector, the transportation systems sector, and the water and wastewater systems sector. These are the 16 critical infrastructure sectors that are listed by the Department of Homeland Security. Again, for the exam, you do not need to memorise all 16 of these, but you should understand that these are really important things and we want to make sure they're secure. And so, as a cybersecurity analyst, there are a lot of people working in these 16 sectors around the country. Now, if you happen to be working for one of these 16 sectors, you're probably going to be dealing with a lot of ICS, SCADA, and embedded systems, because these are a main focus within critical infrastructure and therefore the threats against them are a big concern for you as a cybersecurity analyst. The next ISAC we want to talk about is the government. Now, the government has their own, and we're not talking about the federal government here. Instead, this government ISAC is focused on serving non-federal governments in the United States, such as the state, local, tribal, and territorial governments. For example, my company is based out of Puerto Rico, which is a territory of the United States. So our government is a territorial government, and they work as part of this ISAC with the federal government in this public-private partnership to make sure they're being served and they understand what threats are against their government. The next ISAC we're going to talk about is health care.
This ISAC serves healthcare providers, which are often targets of criminals who are seeking to blackmail them or looking for ransom opportunities by compromising patient data records or interfering with medical devices. As you saw earlier, healthcare is considered one of the critical infrastructures in this country, but then we have this separate ISAC to help support healthcare providers directly. Next we have the financial ISAC, which benefits the financial sector by preventing consumer and financial institution fraud and extortion. For example, we want to make sure we're getting information about anyone who's trying to affect a major trading platform like the Nasdaq or the stock market, or someone who might be able to go after ATMs to have them give out money for free. All of these could pose a national security risk or an economic risk to our country. And finally, we have aviation. The aviation ISAC is focused on serving the aviation industry to prevent fraud, terrorism, service disruptions, and unsafe operations of air traffic control systems. Again, this is an area we don't want to have problems in, because if somebody could take over the air traffic control system, they could start crashing planes into each other, and that would be a really bad day for us. So obviously, these are things that we have to worry about. And so there's an ISAC set up to help support the aviation industry in the fight against this.
6. Threat Intelligence Sharing (OBJ 1.2)
Now, in addition to being part of an ISAC, if that applies to your industry, you also need to think about threat intelligence sharing within your organization. As we start identifying this timely, relevant, and accurate source of threat intelligence, we need to think about how we make that data actionable. And one of the ways we do that is by disseminating this information to different people within our organisation or even outside our organization. That's the idea that we're going to talk about in this lesson. We're going to talk about how we can use this in risk management and security engineering, incident response, vulnerability management, and detection and monitoring. First, risk management.
What is risk management? Well, risk management is the process of identifying, evaluating, and prioritising different threats and vulnerabilities in order for us to reduce their negative impact. Now, the reason that threat intelligence is important to risk management is that it tells us how risky a certain thing is based on outside threats. We know our own vulnerabilities through our vulnerability management and our scanning, but if we don't know what attackers are coming after us, we can't really think about the threat. So putting those two together is really important. Now, the reason why we put risk management and security engineering together is that, by combining them, we can start designing the architecture of the hardware, the software, and the network platforms to respond to these different threats and reduce our attack surface. This way, we can start figuring out what attacks we're vulnerable to and what controls we can put in place. For instance, if we're looking at strategic threat intelligence and we start seeing that people are going after Linux systems more than Mac or Windows systems, that may mean that if we're running a lot of Linux servers, we need to make sure we're prepared for those additional attacks. This is the idea of thinking strategically about what changes we can make inside our organisation for the long term to try to outsmart or outmanoeuvre the different bad actors that are out there.
Now, the second area we have to use threat intelligence for is incident response. Incident response is an organised approach to addressing and managing the aftermath of a cybersecurity breach or attack. So if somebody has been successful in penetrating our network, we need intelligence to help keep them out. Now, the best type of intelligence here is going to be tactical-level intelligence, because we need to know where they are in our networks and what IP address they are coming from. What are they doing once they're in our network? All those tactical pieces of threat intelligence will help us identify where they are and how we can get them out of our network and prevent them from coming back. Then we can start using those strategic insights to prevent them from coming back over and over again in the future. But right now we're really focused on the tactical threat intelligence to get this incident response resolved. The third one we have is vulnerability management. Now, when we deal with vulnerability management, this is the practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Now, as we start thinking about vulnerability management at a strategic level, we're going to use our threat intelligence to identify unrecognised sources of vulnerabilities that we may not have thought of. For instance, do we have a WiFi-enabled thermostat? That's an IoT device, part of the Internet of Things, and that's something we have to consider, and many people don't think about that inside their organizations. What about the concept of deep fakes? That is a big issue these days. What about AI-facilitated fuzzing to discover zero-day vulnerabilities? There are lots of different things out there, and if we think about them from a strategic level, we can make sure that we're running a good vulnerability management programme that addresses those concerns. Also, we can be thinking about things at a more tactical level.
We know that a certain piece of malware is now on the market. Are we vulnerable to it? So we can run a scan looking specifically for that one thing. This is very common once there's a big, well-known malware attack out there. For example, when WannaCry was released, you'd want to perform vulnerability management on your own network to see if you were vulnerable to it and what mitigations you could put in place before being attacked. And using threat intelligence allows you to do that. Finally, we have detection and monitoring. This is the practice of observing activity to identify anomalous patterns for further analysis. Now, as we think about detection and monitoring, we also need to use threat intelligence here, because as we learn what threats are out there, we can tune our sensors better. This will allow us to add more rules and definitions based on different observed incidents that have happened either to our organisation, to partner organisations, or to one of those commercial data feeds that we are subscribed to. By getting that information, we can tune our sensors better and have a lot more true positives and a lot fewer false positives. So this is why it's a good idea to make sure you're on the dissemination chain for threat intelligence if you work in detection and monitoring. Overall, our goal here is to share our threat intelligence within our organisation so we can improve our organisational capabilities and protect ourselves from additional threats.
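As an added example of the dissemination chain described above (this is illustrative code written for this page, not code from the course), here is how indicators received from an ISAC, a partner, or a commercial feed turn into sensor rules for the detection and monitoring team: the feed is filtered by the timeliness and confidence factors discussed earlier, the surviving indicators become matching rules, and those rules run over a handful of firewall, DNS, and EDR log lines. The indicator feed, the addresses and domains, the file hash, and the log line formats are all constructed assumptions for illustration, not real IoCs.

```python
"""Added example (not from the course): turning a disseminated threat
intelligence feed into detection rules and running them over sample logs.
Every indicator, host, address and log line below is constructed."""
import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Constructed file hash standing in for a "known malware" indicator.
SAMPLE_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()

# Constructed indicator feed. Each entry carries the confidence level and the
# validity window that decide how much we should trust it before acting.
INDICATOR_FEED = [
    {"type": "ipv4", "value": "203.0.113.77", "confidence": 90,
     "source": "sector ISAC", "valid_until": "2023-03-31"},
    {"type": "domain", "value": "update-check.example.net", "confidence": 60,
     "source": "commercial feed", "valid_until": "2023-03-31"},
    {"type": "sha256", "value": SAMPLE_HASH, "confidence": 95,
     "source": "partner organisation", "valid_until": "2023-03-31"},
    # Stale indicator: expired months ago, so it must not fire (false positives).
    {"type": "ipv4", "value": "198.51.100.9", "confidence": 80,
     "source": "old blog post", "valid_until": "2022-06-30"},
]

# Constructed log lines from a firewall, a DNS resolver and an EDR agent.
SAMPLE_LOGS = [
    "2022-12-01T10:00:01Z fw ALLOW src=10.0.0.5 dst=203.0.113.77 dport=443",
    "2022-12-01T10:00:02Z dns query=update-check.example.net client=10.0.0.5",
    f"2022-12-01T10:00:03Z edr file_written sha256={SAMPLE_HASH} host=ws01",
    "2022-12-01T10:00:04Z fw ALLOW src=10.0.0.6 dst=198.51.100.9 dport=80",
    "2022-12-01T10:00:05Z dns query=intranet.example.com client=10.0.0.7",
]

# How each indicator type is pulled out of a log line (assumed log formats).
EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"query=([A-Za-z0-9.-]+)"),
    "sha256": re.compile(r"sha256=([0-9a-f]{64})"),
}


@dataclass(frozen=True)
class Alert:
    line: str
    ioc_type: str
    value: str
    confidence: int
    source: str


def build_rules(feed, as_of: str, min_confidence: int):
    """Keep only indicators that are still current (timeliness) and confident
    enough to act on. Returns {ioc_type: {value: indicator}}."""
    cutoff = date.fromisoformat(as_of)
    rules = {}
    for ioc in feed:
        if date.fromisoformat(ioc["valid_until"]) < cutoff:
            continue  # expired indicator: dropping it avoids stale alerts
        if ioc["confidence"] < min_confidence:
            continue  # below the threshold the detection team chose
        rules.setdefault(ioc["type"], {})[ioc["value"]] = ioc
    return rules


def scan_logs(logs, rules):
    """Run every rule type over every line; return one Alert per match."""
    alerts = []
    for line in logs:
        for ioc_type, table in rules.items():
            for m in EXTRACTORS[ioc_type].finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                ioc = table.get(value)
                if ioc:
                    alerts.append(Alert(line, ioc_type, value,
                                        ioc["confidence"], ioc["source"]))
    return alerts


if __name__ == "__main__":
    rules = build_rules(INDICATOR_FEED, as_of="2022-12-01", min_confidence=70)
    for a in scan_logs(SAMPLE_LOGS, rules):
        print(f"[{a.confidence}] {a.ioc_type}={a.value} via {a.source}: {a.line}")
```

Lowering `min_confidence` to 50 makes the commercial-feed domain fire as well; the expired blog-post indicator never fires with a current `as_of` date, which is the timeliness check doing its job against false positives.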
1. Classifying Threats (Introduction)
In this section of the course, we're going to cover classifying threats. Now, our focus in this section is going to continue to be on domain one, in this case objectives 1.1 and 1.2. According to objective 1.1, you must be able to explain the significance of threat data and intelligence. And objective 1.2 states that given a scenario, you must utilise threat intelligence to support organisational security. As we move through this section, we're going to start out by describing how we can classify our threats as either known or unknown using the Johari window. Then we're going to dive into the concept of threat actors such as script kiddies, hacktivists, and APTs. After that, we're going to take a look at the commoditization of malware and zero-day threats, uncovering where there are some really large amounts of money being spent and earned in this sector. Then we're going to talk about the different types of threat research that are being conducted to classify different threats. And then we'll jump into several different attack frameworks to help us identify these threats and attacks. This includes the Lockheed Martin Cyber Kill Chain, the MITRE ATT&CK framework, and the Diamond Model of Intrusion Analysis. Finally, we'll spend some time discussing various indicator management frameworks such as Structured Threat Information Expression, or STIX, Trusted Automated Exchange of Indicator Information, or TAXII, OpenIOC, and MISP. So let's go ahead and get started.
2. Threat Classification (OBJ 1.1)
Back in your Security+ studies, you learned a lot about the different types of threats to the safety and security of our networks and our systems. In this lesson, we're going to talk about the two highest-level threat classification categories that we have. They are known as known threats and unknown threats. Now, "known threats" are any threats that can be identified using basic signature or pattern matching. These are things like malware and documented exploits. When I talk about malware, I'm talking about any software that is intentionally designed to cause damage to a computer, a server, a client, or a computer network. These are things like viruses, rootkits, Trojans, and botnets, all the things you talked about back in Security+. Now, these are very straightforward to identify and scan for because we have a matching signature in our database that can help us detect them. This brings us to the idea of a documented exploit. Now, a documented exploit is a piece of software, data, or a sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data. If we're using a vulnerability scanner, we can look for certain things in our environment that we know have documented exploits against them, and therefore we can detect those things, making them a known threat. These are very static, and that's how we deal with known threats.
These are things that are easily detected using signatures, hash values, or other things like that. Now, the next thing we want to talk about is the other category, which is unknown threats. And this is a more dangerous area for us as cybersecurity analysts. An unknown threat is any threat that cannot be identified using basic signature or pattern matching. Now, when we talk about unknown threats, there are lots of these things out there. We have zero-day exploits, we have obfuscated malware code, we have behavior-based detection, we have recycled threats, we have known unknowns, and we have unknown unknowns. We're going to talk about each of those through the rest of this lesson. A zero-day exploit is any unknown exploit in the wild that exposes a vulnerability in the software or hardware, and it can create complicated problems for us well before anyone realises that something is wrong. When we are dealing with a zero-day vulnerability, this is something that somebody found out in the wild and they said, "Hey, I found a new way to break into something, and we don't have a way to detect that or stop it yet." And so it is a zero day because the attack happens on day zero, the first day it was discovered. And this becomes a big problem and is one of the most dangerous areas for us as cybersecurity analysts. The next area we want to talk about is obfuscated malware code. This is malicious code whose execution the malware author has attempted to hide through various techniques, such as compression, encryption, or encoding, to severely limit our attempts to statically analyse that malware. Now, when you do this, you're essentially scrambling the code or changing it slightly. And if you keep doing this randomly at different intervals, you're going to be able to take a known threat and essentially make it unknown, because you continually scramble that code, making those signatures inaccurate, and they won't detect it anymore.
The next thing we want to talk about is behavior-based detection. Now, behavior-based detection is really important when we're trying to identify and discover unknown threats. The reason is that we can't use a signature because they're unknown. But using behavior-based detection, this is a malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior. For example, if you send me a piece of email with an attachment in it, that attachment may be opened in a sandbox and first evaluated based on its behavior to see if it's malicious or not. And if it isn't malicious, then it's sent into my inbox. And if it is malicious, it can be pulled out and destroyed. That's the idea of behavior-based detection. When we're looking at behavior-based detection, we're going to be doing things heuristically. We're looking at all the different things that are going on around this, like what ports are being opened and what calls are being made in the software. And based on that, we can determine if it's good or bad and whether we should allow it or not. Now, the next one we're going to talk about is what's known as a recycled threat. Now, a "recycled threat" refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning. Again, by combining different pieces and parts of different malware code, an attacker can now avoid signature-based detection of a known threat because it is now something new.
We've recycled it, we've changed it, and now we might be able to get it through that system and past the antimalware scans. The next two we're going to talk about are known unknowns and unknown unknowns. Now, "known unknowns" is a classification of malware that contains obfuscation techniques to circumvent signature matching and detection. And then we have the unknown unknowns. This is a classification of malware that contains completely new attack vectors and exploits. Now, these both come from this chart, and you'll see that I have four quadrants on the screen: the unknown knowns, the known knowns, the unknown unknowns, and the known unknowns. Now, when I deal with all of these and we start looking at them, each one is going to tell us something different. And when we take the malware that we're looking at, we can put it in one of these four categories. For instance, if we start in the upper right corner, we have the known knowns. These are things that we are certain of. We have a piece of malware, we have a good signature for it, and therefore it is a known threat. We know what it is, and when it comes into our system, we can immediately stop it, block it, alert on it, or do whatever we need to do, because we are certain, clear, and transparent that this is a bad thing. Now the next one we have is what's known as an unknown known. This is on the top left. Now, an unknown known is something that is known to other people, but it may not be known to you. For example, there might be a signature out there inside the McAfee firewall, but there's not one inside your firewall. And so McAfee knows about it and they can stop it. It's a known thing, but to you, it's unknown. And that's what an unknown known is: that top-left corner. Now the two we really have to be concerned with are at the bottom of this chart. And these are our known unknowns as well as our unknown unknowns.
When we deal with a known unknown, this is something that is unknown to us. We don't have a signature for it. All the things here at the bottom where they are marked "unknown" mean we don't have a signature. Now, if it's a known unknown, these are things that we can't predict. So we need to start doing research to start reducing the uncertainty we have around this thing. This unknown has to become known at some point. And so what we do is we know that it's bad; that's the known part of it, but we don't know any signatures that are related to it, so we don't have an easy way to block it. And this is generally where you're going to see a lot of your behavior-based analysis being done. And then we have our unknown unknowns. Now, when you deal with unknown unknowns, these are things that we don't know, and we just don't have any way to know about them yet. And so we have to experiment more and more, and we have to do a lot more research and try to figure these things out. For example, if there is a zero day, we've never seen it before, and it's doing something that we never thought was malicious behavior. This is an unknown unknown. And eventually we might find out, "Oh, that thing they're doing with these 20 steps, when you put all those together, that is a bad thing." And then it becomes a known unknown. And eventually, if we can create a signature, we can make it a known known. That's the idea here. As we prepare for the exam, this is how we categorise threats. No one is going to ask you to put a threat into one of these categories, but in the real world, this is a good way to think about things as you start bucketing pieces of malware and different behaviours you're seeing within your network. And all of this is based on a concept known as the Johari window. In the Johari window, you have four quadrants. Again, we have open, blind, hidden, and unknown. And our whole goal is to try to make things more known to us.
So, for example, if it's something open to both ourselves and others, we all know that two plus two equals four. That is an open piece of knowledge that everybody knows. Now, there are some things that are known to yourself, but they're not known to others. And we call them hidden. For instance, I know a lot about cyber security, and you may not know as much as I do, but if there are things that are known to me but not to you, well, if I tell you about them, it's going to move them from this hidden area up into the open area where you start learning about them too. And now it's known to me and you. When we start dealing with other things, there might be things that you know but I don't know. And so I am blind to those things. For me to know about those things that I'm blind to, you have to tell me. And so if you tell me about it, it's going to take me from blind to open. And if we have an unknown, that means you don't know it, and I don't know it. So it's not known to others, and it's not known to me. And so in that area, one of us has to eventually discover it. And once we do, we can then tell the other and we can get ourselves back up to open. The goal here is that we always want to try to get things into the open if we can. And that's the idea here with the malware. If we have something that is unknown but a security researcher learns about it, they can tell others about it. And when they do, it moves the threat into the hidden or the blind quadrant. And then, from hidden or blind, once we all know about it, it becomes open. It becomes very easy to treat this as a known threat, and it's something that we can build a signature for or automate to block that attack.
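As an added example tying together the known-threat signature matching, the obfuscated and recycled threats, behavior-based detection, and the four quadrants from this lesson (illustrative code written for this page, not the course's own material), the block below buckets four constructed samples by whether we hold a hash signature for them, whether someone else does, and whether a simple behaviour rule flags the actions the sample requests. The samples, their byte contents, their action lists, and both signature databases are constructed stand-ins; the actions are the kind of thing a sandbox would report, not real malware behaviour, and the base64 re-encoding simply stands in for whatever packing or encoding an author might use to change a file's hash.

```python
"""Added example (not from the course): bucketing constructed samples into the
known/unknown quadrants. A hash signature catches a sample we have already
analysed; a re-encoded copy escapes our hash check; a behaviour rule on the
actions the sample requests still flags it. Everything here is constructed."""
import base64
import hashlib


def make_sample(payload: bytes, actions):
    """A constructed sample: the bytes a scanner would hash, plus the actions
    a sandbox would observe when it evaluates the object before it runs."""
    return {"bytes": payload, "actions": frozenset(actions)}


# Constructed sandbox observations: persistence plus an outbound connection.
DROPPER_ACTIONS = {"write:%TEMP%\\svc.exe", "reg:run-key",
                   "net:connect:203.0.113.77:4444"}

ORIGINAL = make_sample(b"constructed dropper v1", DROPPER_ACTIONS)
# Same behaviour, bytes re-encoded (stand-in for packing/encoding): new hash.
OBFUSCATED = make_sample(base64.b64encode(ORIGINAL["bytes"]), DROPPER_ACTIONS)
# Recycled variant: new bytes, same actions plus one more; nobody has a hash yet.
RECYCLED = make_sample(b"constructed dropper v2",
                       DROPPER_ACTIONS | {"proc:spawn:cmd.exe"})
# Novel sample whose actions trip none of our rules (looks like ordinary software).
NOVEL = make_sample(b"constructed unknown tool",
                    {"read:%USERPROFILE%\\docs", "net:connect:198.51.100.20:443"})

# Signature database we hold, and the larger one a vendor or partner holds.
OUR_SIGNATURES = {hashlib.sha256(ORIGINAL["bytes"]).hexdigest()}
OTHERS_SIGNATURES = OUR_SIGNATURES | {hashlib.sha256(OBFUSCATED["bytes"]).hexdigest()}


def signature_match(sample, signatures) -> bool:
    """Known-threat detection: exact hash match against a signature database."""
    return hashlib.sha256(sample["bytes"]).hexdigest() in signatures


def looks_malicious(actions) -> bool:
    """Behaviour-based rule: persistence plus an outbound connection to a
    non-web port is treated as malicious even when no signature exists."""
    persists = "reg:run-key" in actions
    beacons = any(a.startswith("net:connect:") and a.rsplit(":", 1)[1] not in {"80", "443"}
                  for a in actions)
    return persists and beacons


def classify(sample, ours, others) -> str:
    """Place a sample in one of the four quadrants from the lesson."""
    if signature_match(sample, ours):
        return "known known"      # we have a signature: block and alert
    if signature_match(sample, others):
        return "unknown known"    # known to someone else: get on their sharing chain
    if looks_malicious(sample["actions"]):
        return "known unknown"    # we know it is bad but have no signature yet
    return "unknown unknown"      # nothing we have flags it; needs research


def receive_shared_signatures(ours, shared):
    """Dissemination: importing a partner's signatures turns their 'unknown
    knowns' into our 'known knowns' (the Johari move from blind to open)."""
    return set(ours) | set(shared)


if __name__ == "__main__":
    for name, s in [("original", ORIGINAL), ("obfuscated", OBFUSCATED),
                    ("recycled", RECYCLED), ("novel", NOVEL)]:
        print(f"{name:10s} -> {classify(s, OUR_SIGNATURES, OTHERS_SIGNATURES)}")
    updated = receive_shared_signatures(OUR_SIGNATURES, OTHERS_SIGNATURES)
    print("after sharing, obfuscated ->", classify(OBFUSCATED, updated, OTHERS_SIGNATURES))
```

Note that the novel sample lands in the same bucket a benign program would: until someone does the research and learns which of its actions are malicious, an unknown unknown is indistinguishable from ordinary software, which is exactly why that quadrant is the dangerous one.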