Adventures In CyberSecurity: CYSA+ CS0-002 Study Area

Chapter 2


Attack Frameworks

MITRE ATT&CK

A knowledge base of adversary tactics and techniques based upon real-world observations.

Diamond Model of Intrusion Analysis

Emphasizes the relationships and characteristics of four basic components.

Adversary- The intent of the attack

Capabilities- Attacker intrusion tools and techniques

Infrastructure- Set of systems an attacker uses to launch attacks

Victim- One or more targets of an attack

Kill Chain

A cyber intrusion identification/prevention model that describes the stages of an intrusion.


Chapter 2 Key Terms


Heuristics- A method used in malware detection, behavioral analysis, incident detection, and other scenarios in which patterns must be detected in the midst of what may appear to be chaos.

Indicator of Compromise- Any activity, artifact, or log entry that is typically associated with an attack of some sort; examples include virus signatures, known malicious file types, and domain names of known botnet servers.

Common Vulnerability Scoring System (CVSS) is a system for ranking discovered vulnerabilities based on predetermined metrics.


Risk Management is a formal process that rates identified vulnerabilities by the likelihood of their compromise and the impact of that compromise.

Threat modeling methodology is a process that allows organizations to identify threats and attacks.

Total Attack Surface comprises all the points at which vulnerabilities exist.

Incident Response is the application of knowledge of the very latest threats, and of how those threats are realized, to a security incident.

Threat Intelligence is information gathered that educates and warns you about potential dangers not yet seen in the environment. It can assist in identifying behavior that accompanies malicious activity and alerts you to ongoing malicious activity.

Vulnerability Management depends heavily upon shared intelligence; when sharing platforms and protocols are used to discover new threats, that intelligence must be properly disseminated in a timely manner to those managing vulnerabilities.

Security Engineering is the process of architecting security features into the design of a set of systems.


Chapter 2 Review


Describe the four components of the Diamond Attack Model.

What does the Adversary corner of the Diamond Attack Model focus on? The intent of the attack.

What type of threat data describes a source that repeatedly sends large amounts of traffic to a single IP?

An Indicator of Compromise is? Any activity, artifact, or log entry that is typically associated with an attack of some sort.

Give 2 examples of an IoC. Virus signatures, domain names of botnet servers

Match each acronym to its description.

What does PR:L designate? Privileges Required: Low. The attacker requires privileges that provide basic user capabilities, which could usually affect only settings and files owned by a user.

The base CVSS metric group describes? Characteristics of a vulnerability that are constant over time.

The Attack Vector (AV) CVSS base metric describes? How the attacker would exploit the vulnerability.

Match the CVSS Attack Vector (AV) with its description
