Lesson 2: Explaining Threat Actors and Threat Intelligence


1. What is Open Source Intelligence (OSINT)?
A. Obtaining information, physical access to premises, or even access to a user
account through the art of persuasion
B. The means the organization will take to protect the confidentiality, availability,
and integrity of sensitive data and resources
C. Using web search tools and social media to obtain information about the target
D. Using software tools to obtain information about a host or network topology
2. A Department of Defense (DoD) security team identifies a data breach in
progress, based on some anomalous log entries, and takes steps to remedy
the breach and harden their systems. When they resolve the breach, they want
to publish the cyber threat intelligence (CTI) securely, using standardized
language for other government agencies to use. The team will transmit the
threat data feed via which protocol?
A. Structured Threat Information eXpression (STIX)
B. Automated Indicator Sharing (AIS)
C. Trusted Automated eXchange of Indicator Information (TAXII)
D. A code repository protocol
3. An unknowing user with authorized access to systems in a software development
firm installs a seemingly harmless, yet unauthorized program on a workstation
without the IT department's sanction. Identify the type of threat that is a result of
this user's action.
A. Unintentional insider threat
B. Malicious insider threat
C. Intentional attack vector
D. External threat with insider knowledge
4. A system analyst is tasked with searching the dark web for harvested customer
data. Because these sites cannot be readily found in standard website searches,
what would the system analyst often find in "word of mouth" bulletin boards?
A. The Onion Router (TOR)
B. Dark web search engine
C. Dark Website URL
D. Open Source Intelligence (OSINT)
5. Which of the following are the best examples of an insider threat? (Select
all that apply.)
A. Former employee
B. Contractor
C. Hacktivist
D. White hat hacker
6. A contractor has been hired to conduct security reconnaissance on a company. The
contractor browses the company's website to identify employees and then finds
their Facebook pages. Posts found on Facebook indicate a favorite bar that
employees frequently visit. The contractor visits the bar and learns details of the
company's security infrastructure through small talk. What reconnaissance phase
techniques does the contractor practice? (Select all that apply.)
A. Open Source Intelligence (OSINT)
B. Scanning
C. Social engineering
D. Persistence
7. An IT manager in the aviation sector checks the industry's threat intelligence feed
to keep up on the latest threats and ensure the work center implements the best
practices in the field. What type of threat intelligence source is the IT manager
most likely accessing?
A. Open Source Intelligence (OSINT)
B. An Information Sharing and Analysis Center (ISAC)
C. A vendor website, such as Microsoft's Security Intelligence blog
D. A closed or proprietary threat intelligence platform
8. A security engineer is investigating a potential system breach. When
compiling a report of the incident, how does the engineer classify the actor
and the vector?
A. Threat
B. Vulnerability
C. Risk
D. Exploit
9. A company technician goes on vacation. While the technician is away, a
critical patch released for Windows servers is not applied. According to the
National Institute of Standards and Technology (NIST), what does the
delay in applying the patch create on the server?
A. Control
B. Risk
C. Threat
D. Vulnerability
10. One aspect of threat modeling is to identify potential threat actors and the
risks associated with each one. When assessing the risk that any one type
of threat actor poses to an organization, what are the most critical factors
to profile? (Select all that apply.)
A. Education
B. Socioeconomic status
C. Intent
D. Motivation

1.C

OSINT is using web search tools and social media to obtain information about
the target. It requires almost no privileged access as it relies on finding
information that the company makes publicly available, whether intentionally
or not.

Obtaining information, physical access to premises, or access to a user
account through the art of persuasion is social engineering.

The means the organization will take to protect the confidentiality, availability,
and integrity of sensitive data and resources is considered a security policy.

Using software tools to obtain information about a host or network topology is
considered scanning.

2.C
The TAXII protocol provides a means for transmitting CTI data between
servers and clients. Subscribers to the CTI service obtain updates to the data
to load into analysis tools over TAXII.

While STIX provides the syntax for describing CTI, the TAXII protocol
transmits CTI data between servers and clients.

The Department of Homeland Security's (DHS) Automated Indicator Sharing
(AIS) is especially aimed at Information Sharing and Analysis Centers
(ISACs), but private companies can join too. AIS is based on the STIX and
TAXII standards and protocols.

A file/code repository holds signatures of known malware code.

3.A

Anyone who has or had authorized access to an organization's network,
system, or data is considered an insider threat. Installing unauthorized
software is negligent, but the user is an unintentional attack vector.

A malicious insider intentionally exceeds or misuses his or her access for
purposes of sabotage, financial gain, or business advancement.

An attack vector is the path through which a threat actor gains access to a
secure system; in this case, the path is through an employee's negligent
software installation, which in all likelihood is not intentional.

An external threat with insider knowledge usually refers to former insiders,
such as ex-employees now working at another company or who have been
dismissed and now harbor a grievance. This is not the case with this situation.

4.C

Deep web sites, especially those hidden from search engines, are accessed
via the website's URL. These URLs are often only available via "word of
mouth" bulletin boards.

The Onion Router (TOR) is software used to establish a network overlay to
the Internet infrastructure to create the dark net. TOR, along with other
software like Freenet or I2P, anonymizes the usage of the dark net.

A dark web search engine can be used to find dark web website collections,
which constitute roughly 1% of the deep web. Some dark web websites have
hidden IP addresses and cannot be found by search engines or require
additional software to gain access to the site.

Open-source intelligence (OSINT) is cybersecurity-relevant information
harvested from public websites and data records.

5.AB

Anyone who has or had authorized access to an organization's network,
system, or data is considered an insider threat. In this example, a former
employee and a contractor fit the criteria.

Current employees, business partners, and contractors also qualify as insider
threats.

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber
weapons to promote a political agenda.

A white hat hacker is given complete access to information about the network,
which is useful for simulating the behavior of a privileged insider threat, but
they are not an insider threat.

6.AC

OSINT refers to using web search tools and social media to obtain information
about the target. The contractor used this technique by identifying employees
and the local restaurant they go to after work.

Social engineering was used at the restaurant by learning about the vacant
positions and the shortfall in information security. This could succeed
because the attacker is charismatic and because social norms make people
want to be friendly. The scenario also mentioned it was the popular location
for after-work drinks, meaning that alcohol was also likely involved.

Scanning would be conducted if the contractor used software tools to obtain
the information.

Persistence refers to the tester's ability to reconnect to a compromised host.

7.B

ISACs are set up to share industry-specific threat intelligence and best
practices in critical sectors, such as the aviation industry.

OSINT includes any publicly available intelligence, in addition to threat
intelligence services that companies operate on an open-source basis.

Vendors often post proprietary intelligence on their websites and blogs, free of
cost, as a general benefit to their consumers.

Proprietary or closed threat intelligence platforms operate on a paid
subscription basis. The security solution provider will also make the most
valuable research available early to platform subscribers in the form of blogs,
white papers, and webinars.

8.A

A threat is the potential for something to exploit a vulnerability. The thing that
poses the threat is called an actor, while the path used can be referred to as
the vector.

A vulnerability is a weakness that could be triggered accidentally or exploited
intentionally to cause a security breach.

Risk is the likelihood and impact (or consequence) of a threat actor exploiting
a vulnerability.

An exploit is a method that is used to expose and compromise a vulnerability.

9.D

NIST defines vulnerability as a weakness that could be triggered accidentally
or exploited intentionally to cause a security breach. In addition to delays in
applying patches, other examples of vulnerabilities include improperly
installed hardware, untested software, and inadequate physical security.

A control is a system or procedure put in place to mitigate a risk. Examples of
controls are policies or network monitoring to identify unauthorized software.

Risk is the likelihood and impact of a threat actor exercising a vulnerability.

Threat is the potential for a threat agent to exercise a vulnerability.

10.CD

From the choices provided, the two most critical factors to profile for a threat
actor are intent and motivation. Greed, curiosity, or grievance may motivate
an attacker.

The intent could be to vandalize and disrupt a system or to steal
something.

While education and socioeconomic traits could potentially be considered in a
threat actor profile, they are inferior to intent and motivation.

Malicious intents and motivations can be contrasted with accidental or
unintentional threat actors and agents. Unintentional threat actors represent
accidents, oversights, and other mistakes. In this sense, training is crucial to
ensuring employees are educated about security measures.
