The Lockheed Martin Cyber Kill Chain® breaks an attack lifecycle into several stages. A threat actor modified the registry on a compromised Windows system to ensure that their malware would automatically run at boot time. Into which phase of the Kill Chain would this fall?
A. Act on Objectives
B. Exploitation
C. Delivery
D. Installation
Explanation: The Lockheed Martin Cyber Kill Chain® breaks a cyber attack into seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. Modifying the registry of a compromised Windows host so that malware runs at boot is the Installation phase: the attacker has already gained code execution (Exploitation) and is now placing a persistent backdoor that survives a reboot. In MITRE ATT&CK terms this is Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001). It is not Actions on Objectives, which covers the attacker's end goal (exfiltration, destruction, lateral movement), and not Delivery, which is getting the weaponized payload to the victim in the first place.
A Risk Notable Event has been triggered in Splunk Enterprise Security, an analyst investigates the alert, and determines it is a false positive. What metric would be used to define the time between alert creation and close of the event?
A. MTTR (Mean Time to Respond)
B. MTBF (Mean Time Between Failures)
C. MTTA (Mean Time to Acknowledge)
D. MTTD (Mean Time to Detect)
Explanation: Of the four metrics, Mean Time to Respond (MTTR) is the one measured from creation of an alert to its resolution or closure, so the interval in the scenario is MTTR regardless of the final disposition; a false positive still consumes response time, which is why these closures matter when tuning correlation searches. The other options measure something else: MTTA (Mean Time to Acknowledge) stops when an analyst first picks up the alert, MTTD (Mean Time to Detect) runs from when the activity occurred to when it was detected, and MTBF (Mean Time Between Failures) is a reliability metric for equipment, not an incident-response metric.
An analyst is attempting to investigate a Notable Event within Enterprise Security. Through the course of their investigation they determined that the logs and artifacts needed to investigate the alert are not available. What event disposition should the analyst assign to the Notable Event?
A. Benign Positive, since there was no evidence that the event actually occurred.
B. False Negative, since there are no logs to prove the activity actually occurred.
C. True Positive, since there are no logs to prove that the event did not occur.
D. Other, since a security engineer needs to ingest the required logs.
Explanation: In this scenario the analyst cannot conclude whether the Notable Event is a true positive or a false positive, because the logs and artifacts needed to decide are not available. The appropriate event disposition is "Other," which records that the event could not be adjudicated and that further action is required, here having a security engineer ingest the missing logs so the alert can be re-investigated. Benign Positive, True Positive and False Negative all assert a conclusion about the activity that the missing evidence cannot support.
Upon investigating a report of a web server becoming unavailable, the security analyst finds that the web server's access log has the same log entry millions of times:
147.186.119.200 - - [28/Jul/2023:12:04:13 -0300] "GET /login/ HTTP/1.0" 200 3733
What kind of attack is occurring?
A. Denial of Service Attack
B. Distributed Denial of Service Attack
C. Cross-Site Scripting Attack
D. Database Injection Attack
Explanation: The entry is in the common log format (client address, identity, user, timestamp, request line, status, bytes). The same request for /login/ repeated millions of times from one client address, 147.186.119.200, indicates a Denial of Service (DoS) attack: a flood of requests to a single resource exhausts the server's capacity and makes it unavailable to legitimate users. Because the traffic comes from a single source rather than many, it is not a Distributed Denial of Service (DDoS) attack. Nothing in the request line (no script payload, no injected query syntax) points to cross-site scripting or database injection; the 200 status shows the server answering each request normally, just far too many of them.
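Added example, not code from the original page or from Splunk: a small Python checker that parses common-log-format lines like the one above, counts requests per path and distinct sources per path, and separates a single-source flood (DoS) from a multi-source one (DDoS). The sample log, the thresholds and the function names are constructed for this example.

```python
"""Classify a request flood in a common-log-format access log as DoS or DDoS.

Added example; the log lines in sample_log() are constructed to resemble the
question's entry, and the thresholds in analyse() are assumptions to tune.
"""
import re
from collections import Counter, defaultdict

# Common log format: host ident authuser [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line: str):
    """Parse one access-log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, flood_threshold=1000, distributed_sources=10):
    """Count requests per path and per (path, source) and classify the busiest path.

    Thresholds are assumptions for the example:
      flood_threshold      requests to one path before we call it a flood
      distributed_sources  distinct sources on that path before we call it distributed
    """
    hits = Counter()                   # path -> request count
    sources = defaultdict(Counter)     # path -> Counter(source ip -> count)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        hits[rec["path"]] += 1
        sources[rec["path"]][rec["ip"]] += 1

    if not hits:
        return {"verdict": "no data", "unparsed": unparsed}

    path, count = hits.most_common(1)[0]
    src = sources[path]
    if count < flood_threshold:
        verdict = "normal"
    elif len(src) >= distributed_sources:
        verdict = "distributed denial of service"
    else:
        verdict = "denial of service"
    top_ip, top_ip_count = src.most_common(1)[0]
    return {
        "verdict": verdict,
        "path": path,
        "requests": count,
        "distinct_sources": len(src),
        "top_source": top_ip,
        "top_source_share": round(top_ip_count / count, 3),
        "unparsed": unparsed,
    }


def sample_log(flood=5000):
    """Constructed log: the question's entry repeated `flood` times plus a little normal traffic."""
    flood_line = '147.186.119.200 - - [28/Jul/2023:12:04:13 -0300] "GET /login/ HTTP/1.0" 200 3733'
    normal = [
        '203.0.113.5 - - [28/Jul/2023:12:04:14 -0300] "GET / HTTP/1.1" 200 1024',
        '198.51.100.7 - alice [28/Jul/2023:12:04:15 -0300] "POST /login/ HTTP/1.1" 302 0',
        '203.0.113.9 - - [28/Jul/2023:12:04:16 -0300] "GET /static/app.js HTTP/1.1" 304 -',
    ]
    return [flood_line] * flood + normal


if __name__ == "__main__":
    print(analyse(sample_log()))
```

The distinct-source count is what separates the two answers: one address carrying almost all of the requests to /login/ is a DoS, while the same volume spread across many addresses would cross the distributed threshold. In production the same logic is an SPL `stats count dc(src) by uri_path` over the web data model rather than a Python loop.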
The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?
A. IAM Activity
B. Malware Center
C. Access Anomalies
D. New Domain Analysis
Explanation: For a custom typosquatting dashboard, the New Domain Analysis dashboard in Splunk Enterprise Security (ES) is the natural starting point. Typosquatting relies on registering domains that look like a legitimate domain (transposed letters, look-alike characters, an extra word, a different TLD) to deceive users, and this dashboard already surfaces newly registered and newly observed domains with the panels needed to review them, so its searches can be narrowed to domains that sit within a small edit distance of the organization's own names. The other options cover identity, malware and access behaviour rather than domain names.
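Added example, not Splunk ES code: the scoring a typosquatting panel would need, written as a stand-alone Python module. It folds common look-alike characters, compares the registrable label of each new domain with a protected brand list using optimal string alignment distance (insert, delete, substitute, adjacent swap), and also flags labels that embed a brand name. Brand list, owned domains and candidate domains are constructed; the registrable label is taken naively as the label left of the TLD, which is an assumption a real tool replaces with the public suffix list.

```python
"""Triage newly observed domains for look-alikes of protected brands.

Added example, not Splunk ES code. BRANDS, OWNED and SAMPLE_DOMAINS are
constructed; registrable_label() is a naive stand-in for public-suffix parsing.
"""

# Crude fold of common look-alike substitutions (assumed list; extend as needed).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

BRANDS = ["example", "acmebank"]            # constructed protected labels
OWNED = {"example.com", "acmebank.com"}     # domains the organisation really owns (constructed)


def normalise(label: str) -> str:
    """Lowercase and fold look-alikes: 'exarnple' and 'examp1e' both become 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable_label(domain: str) -> str:
    """'login.acmebank-secure.com' -> 'acmebank-secure' (naive: second-to-last label)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or adjacent swap, cost 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def score(domain, brands=BRANDS, owned=OWNED, max_distance=2):
    """Closest protected brand as (brand, distance, reason), or None if the domain looks unrelated."""
    if domain.lower().rstrip(".") in owned:
        return None                                   # our own domain is never a squat
    folded = normalise(registrable_label(domain))
    best = None
    for brand in brands:
        b = normalise(brand)
        dist = osa_distance(folded, b)
        embedded = b in folded and folded != b
        if dist == 0:
            reason = "homoglyph or different TLD"
        elif embedded:
            reason = "brand embedded in label"
        elif dist <= max_distance:
            reason = "edit distance"
        else:
            continue
        if best is None or dist < best[1]:
            best = (brand, dist, reason)
    return best


def triage(domains, brands=BRANDS, owned=OWNED):
    """Map each flagged domain to its finding; unflagged domains are omitted."""
    findings = {}
    for d in domains:
        f = score(d, brands, owned)
        if f:
            findings[d] = f
    return findings


SAMPLE_DOMAINS = [   # constructed, as they might appear in a new-domain feed
    "exarnple.com", "examp1e.net", "acmebnak.com", "acmebank-login.com",
    "weather.org", "example.com", "example.co",
]

if __name__ == "__main__":
    for domain, (brand, dist, reason) in triage(SAMPLE_DOMAINS).items():
        print(f"{domain:22} -> {brand:10} d={dist} ({reason})")
```

The homoglyph fold is deliberately crude (it will also fold legitimate words such as "click"), so it belongs in a dashboard that an analyst reviews rather than in an automatic block; the distance threshold of 2 is the usual trade-off between catching single-swap squats and drowning in noise for short brand names.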
During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?
A. Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.
B. Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory
C. Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs
D. Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
Explanation: An executable running from the C:\Windows\Temp directory is a significant red flag because temporary directories are world writable: any user or process can create files there, whereas dropping a binary into C:\Windows\System32 or C:\Program Files would require administrative rights. This makes temp directories an attractive place for attackers to drop, stage, and execute malware without worrying about restrictive file permissions. Option B is wrong because Windows does not mark temp directories non-executable by default (only an application-control policy such as AppLocker or WDAC would block execution there), and Option C is wrong because the page file lives in the root of the system drive, not in a temp directory.
Temp Directories Characteristics:
Security Risks:
Investigation Importance: The fact that an executable is running from C:\Windows\Temp warrants further investigation to determine whether it is malicious. Analysts should check:
Windows Security Best Practices: Documentation on how to secure temp directories and monitor for suspicious activity is available from both Microsoft and various security communities.
Incident Response Playbooks: Many playbooks include steps for investigating suspicious activity in temp directories as part of broader malware detection and response strategies.
MITRE ATT&CK Framework: Techniques involving the use of temporary directories are well-documented in the framework, offering insights into how adversaries leverage these locations during an attack.
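Added example, not code from the page, Splunk or Microsoft: a Python triage routine that takes process-creation events, decides whether the image path sits in a user-writable staging directory (C:\Windows\Temp and similar), and raises the score when the binary is unsigned or was spawned by an Office application or script host. The events are constructed in the style of Sysmon Event ID 1 fields with an assumed Signed flag; the directory patterns and parent list are assumptions to tune for your estate.

```python
"""Triage process-creation events whose image sits in a user-writable directory.

Added example, not Splunk ES or Microsoft code. SAMPLE_EVENTS are constructed
telemetry; WRITABLE_PATTERNS and SUSPICIOUS_PARENTS are assumed starting lists.
"""
import fnmatch

# Directories a standard user can write to on a default install (assumed starting list).
WRITABLE_PATTERNS = [
    r"c:\windows\temp\*",
    r"c:\users\*\appdata\local\temp\*",
    r"c:\users\public\*",
    r"c:\programdata\*",
    r"c:\users\*\downloads\*",
]

# Parents that seldom launch fresh executables legitimately (assumed list).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}


def normalise_path(path: str) -> str:
    """Case-fold and unify separators so matching behaves like NTFS (case-insensitive)."""
    p = path.strip().replace("/", "\\").lower()
    if p.startswith("\\\\?\\"):          # strip the extended-length prefix \\?\
        p = p[4:]
    return p


def basename(path: str) -> str:
    return normalise_path(path).rsplit("\\", 1)[-1]


def writable_location(image: str):
    """Return the matching writable-directory pattern, or None if the image is elsewhere."""
    p = normalise_path(image)
    for pat in WRITABLE_PATTERNS:
        if fnmatch.fnmatchcase(p, pat):
            return pat
    return None


def triage_event(ev: dict):
    """Score one event: None if the image is not in a writable directory, else a finding."""
    loc = writable_location(ev["Image"])
    if loc is None:
        return None
    score, reasons = 1, [f"image under writable location {loc}"]
    if ev.get("Signed") is not True:               # unsigned, or signature state unknown
        score += 1
        reasons.append("unsigned or signature not verified")
    parent = basename(ev.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"spawned by {parent}")
    return {"image": ev["Image"], "user": ev.get("User"), "score": score, "reasons": reasons}


def triage(events):
    """Findings for all events, highest score first."""
    findings = [f for f in (triage_event(e) for e in events) if f]
    return sorted(findings, key=lambda f: -f["score"])


SAMPLE_EVENTS = [   # constructed telemetry, Sysmon Event ID 1 style
    {"Image": r"C:\Windows\Temp\svch0st.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\jdoe", "Signed": False},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "Signed": True},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe", "Signed": True},
    {"Image": "c:/programdata/update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe", "Signed": None},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["score"], f["image"], "|", "; ".join(f["reasons"]))
```

A signed installer run from a user's Temp folder by Explorer scores low and is the common benign case; an unsigned binary in C:\Windows\Temp launched by Word, or one in ProgramData launched by PowerShell, is what the alert in the question is meant to surface, and the finding carries the user and parent an analyst needs to start pulling the file hash and command line.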