QUESTIONS AND ANSWERS WITH VERIFIED SOLUTIONS GRADED A+ CORRECTLY
How can you provide true attribution of a group responsible for an intrusion? - CORRECT ANSWERS -- Generally 2 attribution types such as:
A leak + supporting intrusion analysis
What does the term RTU refer to in the indicator lifecycle? - CORRECT ANSWERS -- Reported To Us - An indicator from a threat feed
What is an ISAO? - CORRECT ANSWERS -- Sharing of intelligence data between PRIVATE parties
What service does a third-party DNS registrant provide to adversaries looking for a domain to host their malware? - CORRECT ANSWERS -- Anonymity
Keep-alive beacons are relevant to which KC phase? - CORRECT ANSWERS -- Phase 6 - C2
An analyst is tasked with querying internet space that does not get indexed by Google; what OSINT tool can he use for the job? - CORRECT ANSWERS -- Recorded Future
What is the main benefit of sharing CTI among peer groups? - CORRECT ANSWERS -- To reduce the effectiveness of adversary operations
Give 3 open source TIPs - CORRECT ANSWERS -- MISP
CRITs
Threat Note (threat_note)
What is a characteristic of passive DNS? - CORRECT ANSWERS -- Provides ability to run queries at past points in time
What can show there is insufficient evidence to form a nation-state attribution hypothesis? - CORRECT ANSWERS -- Categorizing evidence by intent, capability, and opportunity
A team wants to analyze their incidents to find areas where they are having difficulty uncovering intelligence; what would provide the best answer? - CORRECT ANSWERS -- Count of diamond vertices with incident information collected mapped against kill chain phases
What method can be used to discover what occurred in KC phases 3 and 4? - CORRECT ANSWERS -- Timeline analysis
Satellite photography relates to what type of intelligence? - CORRECT ANSWERS -- GEOINT
Network traffic intercepts relate to what type of intelligence? - CORRECT ANSWERS -- SIGINT
A whistleblower leaking documents relates to what type of intelligence? - CORRECT ANSWERS -- HUMINT
Import hashing is a method used to identify what? - CORRECT ANSWERS -- Code Reuse
What format is used for comments in YARA? - CORRECT ANSWERS -- /* */ for multiline
// for single line
What 3 types of strings are there in YARA? - CORRECT ANSWERS -- Text - "example"
Hex - {AA FF DD}
Regular expression
Which TAXII implementation allows subscribers to push and pull data but requires validation first? - CORRECT ANSWERS -- Hub and Spoke
Give 5 intelligence sharing best practices - CORRECT ANSWERS -- Ensure authentication and logging
Include references and appendices
Strip all unneeded data (e.g. PII)
Use recognized standards that make sense for your organization
Interface to share in common standards
What is a mitigation scorecard? - CORRECT ANSWERS -- One way to measure utility of passive and mitigating courses of action.
It maps specific incidents to the capabilities of network defenders, organised by kill chain phase
Which phases of the diamond model are facts? - CORRECT ANSWERS -- Infrastructure
Capability
Victim
A SOC intends to ingest a large number of IOCs through threat feeds; what should they be aware of? - CORRECT ANSWERS -- IOCs require tailoring to avoid false positives
Which word represents a probability of roughly 25%? - CORRECT ANSWERS -- Unlikely
What do metrics provide? - CORRECT ANSWERS -- Opportunity for clear, concise communication of messages
How should analysts structure their analysis to avoid ambiguous writing/thinking? - CORRECT ANSWERS -- Clearly separate facts, observables, and evidence from interpretations and conclusions
Why is strategic threat intel important to executives? - CORRECT ANSWERS -- The reports reveal global threat analyses, trends, and implications for international organizations such as foreign policy or economic considerations
Why might leaks not be trustworthy? - CORRECT ANSWERS -- They may contain false information
When attempting state campaign attribution, what step should be conducted in addition to completing an analysis of competing hypotheses? - CORRECT ANSWERS -- Classify evidence based on the definition of a threat (intent, capability, opportunity)
What is a rule of thumb for a high confidence assessment? - CORRECT ANSWERS -- Intrusions whose distinct indicators align to other intrusions in a campaign in two or more phases of the kill chain are HIGH CONFIDENCE intrusions
What is included in the assessment equation? - CORRECT ANSWERS -- Confidence + assessment + evidence + sources
What should analysts keep in mind when analyzing intent behind intrusions? - CORRECT ANSWERS -- Intent DOES NOT EQUAL impact
When considering operational threat intelligence, national-level government information can be derived from which of the following? - CORRECT ANSWERS -- Criminal Investigations
Public/Private Partnerships
Foreign Intelligence
InfraGard provides what type of intel? - CORRECT ANSWERS -- Operational