Adventures In CyberSecurity: CYSA+ CS0-002 Study Area
Chapter 2
Attack Frameworks
MITRE ATT&CK
A knowledge base of adversary tactics and techniques based upon real-world observations.
Diamond Model of Intrusion Analysis
Emphasizes the relationships and characteristics of four basic components.
- Adversary
- Capabilities
- Infrastructure
- Victims
Adversary- The intent of the attack
Capabilities- Attacker intrusion tools and techniques
Infrastructure- Set of systems an attacker uses to launch attacks
Victim- A single target or multiple targets of an attack
Kill Chain
A cyber intrusion identification/prevention model that describes the stages of an intrusion.
Chapter 2 Key Terms
Heuristics- A method used in malware detection, behavioral analysis, incident detection, and other scenarios in which patterns must be detected in the midst of what may appear to be chaos.
Indicator of Compromise- Any activity, artifact, or log entry that is typically associated with an attack of some sort; examples include virus signatures, known malicious file types, and domain names of known botnet servers.
Common Vulnerability Scoring System (CVSS) is a system of ranking discovered vulnerabilities based on predetermined metrics.
- (AV)-Attack Vector describes how the attacker would exploit the vulnerability and has four possible values.
  - (L) Local- The attacker must have physical or logical access to the affected system
  - (A) Adjacent Network- The attacker must be on the local network
  - (N) Network- The attacker can use the vulnerability from any network
  - (P) Physical- The attacker must physically touch or manipulate the vulnerable component
- (AC)-Attack Complexity describes the difficulty of exploiting the vulnerability and has two values.
  - (H) High- The vulnerability requires special conditions that are hard to find
  - (L) Low- The vulnerability does not require any special conditions
- (PR)-Privileges Required describes the authentication an attacker would need to get through to exploit the vulnerability and has three possible values.
  - (H) High- The attacker requires privileges that provide significant (administrative) control over the vulnerable component, allowing access to component-wide settings and files.
  - (L) Low- The attacker requires privileges that provide basic user capabilities, which could normally affect only settings and files owned by a user.
  - (N) None- No authentication mechanism is in place to stop exploitation of the vulnerability
- (A)-Availability describes the disruption that might occur if the vulnerability is exploited. It has three values.
  - (N) None- There is no availability impact
  - (L) Low- System performance is degraded
  - (H) High- The system is inaccessible
- (C)-Confidentiality describes the information disclosure that may occur if the vulnerability is exploited. It has three values.
  - (N) None- There is no confidentiality impact
  - (L) Low- Some access to information would occur
  - (H) High- All information on the system could be compromised
- (I)-Integrity describes the type of data alteration that might occur if the vulnerability is exploited. It has three values.
  - (N) None- There is no integrity impact
  - (L) Low- Some information modification would occur
  - (H) High- All information on the system could be compromised
Risk Management is a formal process that rates identified vulnerabilities by the likelihood of their compromise and the impact of that compromise.
Threat modeling methodology is a process that allows organizations to identify threats and attacks.
Total Attack Surface comprises all the points at which vulnerabilities exist.
Incident Response is the application of knowledge of the very latest threats, and of how those threats are realized, to a security incident.
Threat Intelligence is information gathered that educates and warns you about potential dangers not yet seen in the environment. It can assist in identifying behavior that accompanies malicious activity and alerts you to ongoing malicious activity.
Vulnerability Management depends heavily upon shared intelligence; when sharing platforms and protocols are used to discover new threats, that intelligence must be properly disseminated in a timely manner to those managing vulnerabilities.
Security Engineering is the process of architecting security features into the design of a set of systems.
Chapter 2 Review
Describe the four components of the Diamond Attack Model.
- Adversary- The intent of the attack
- Victim- The intended target(s) of an attack
- Capabilities- The attacker intrusion tools and techniques
- Infrastructure- The set of systems an attacker uses to launch attacks
What does the Adversary corner of the Diamond Attack Model focus on? The intent of the attack.
What type of threat data describes a source that repeatedly sends large amounts of traffic to a single IP?
An Indicator of Compromise is? Any activity, artifact, or log entry that is typically associated with an attack of some sort.
Give 2 examples of an IoC. Virus signatures, domain names of botnet servers
Match each acronym to its description.
- TLP - Traffic Light Protocol: A set of designations used to ensure sensitive information is shared with the appropriate audience
- MITRE ATT&CK - Knowledge base of adversary tactics and techniques based on real-world observations
- CVSS - System of ranking vulnerabilities that are discovered based on predefined metrics
- IoC - Any activity, artifact, or log entry that is typically associated with an attack of some sort
What does PR:L designate? Low: the attacker requires privileges that provide basic user capabilities, which could usually affect only settings and files owned by a user.
The base CVSS metric group describes? Characteristics of a vulnerability that are constant over time
The Attack Vector (AV) CVSS base metric describes? How the attacker would exploit the vulnerability
Match the CVSS Attack Vector (AV) with its description
- P - The attack requires the attacker to physically touch or manipulate the vulnerable component
- L - The attacker must have physical or logical access to the affected system
- A - The attacker must be on the local network
- N - The attacker can use the vulnerability from any network