4 Supporting Organizational Security

The CompTIA Cybersecurity Analyst (CySA+) module focuses on supporting organizational security through practical exercises on attack frameworks, threat research, and threat modeling methodologies. Participants will learn to utilize the Common Vulnerability Scoring System (CVSS) and understand various concepts such as the MITRE ATT&CK framework, the Diamond Model of Intrusion Analysis, and the Cyber Kill Chain. The module emphasizes hands-on skills to enhance threat intelligence and improve incident response capabilities.


CompTIA Cybersecurity Analyst (CySA+)

Supporting Organizational Security


Introduction
Organizational Security

Attack Frameworks

Threat Research

CVSS

Vulnerability Management

Threat Intelligence

Indicator of Compromise

Welcome to the Supporting Organizational Security Practice Lab. In this module, you will be provided with the instructions and devices needed to develop your hands-on skills.
Learning Outcomes
In this module, you will complete the following exercises:
 Exercise 1 - Attack Frameworks
 Exercise 2 - Threat Research
 Exercise 3 - Threat Modeling Methodologies
 Exercise 4 - Threat Intelligence Sharing with Supported Functions
After completing this module, you will be able to:
 Use the Common Vulnerability Scoring System (CVSS)
After completing this module, you have further knowledge of:
 MITRE ATT&CK
 The Diamond Model of Intrusion Analysis
 Kill Chain
 Indicator of Compromise (IOC)
 Adversary Capability
 Total Attack Surface
 Attack Vector
 Impact
 Likelihood
 Incident Response
 Vulnerability Management
 Detection and Monitoring
 Risk Management
 Security Engineering
Exam Objectives
The following exam objectives are covered in this lab:
 1.2 Given a Scenario, Utilize Threat Intelligence to Support
Organizational Security

Note: Our main focus is to cover the practical, hands-on aspects of the exam objectives. We recommend referring to course material or a search engine to research theoretical topics in more detail.

Exercise 1 - Attack Frameworks
Various attack frameworks are available to help organizations classify attacks and identify weaknesses in their systems. You can use these frameworks to identify such weaknesses and prioritize them based on the risk they pose.
In this exercise, you will learn about various types of attack frameworks.
Learning Outcomes
After completing this exercise, you will have further knowledge of:
 MITRE ATT&CK
 The Diamond Model of Intrusion Analysis
 Kill Chain

Your Devices
This exercise contains supporting materials for CySA+.
MITRE ATT&CK
MITRE ATT&CK is a knowledge base of adversary tactics and techniques compiled from real-world incidents. It is openly available and can be used by any individual or organization free of charge.
Anyone can use the information it contains to develop their threat models. The MITRE ATT&CK knowledge base is widely used across different sectors, such as:
 Public
 Private
 Government
Organizations that develop security software also integrate this knowledge into their products. You can view the knowledge base using the following URL:

https://attack.mitre.org/

Figure 1.1 Diagram showing the MITRE ATT&CK database: Showing various threats
in the MITRE ATT&CK database

ATT&CK provides detailed information about the different tactics and techniques used by attackers.
Figure 1.2 Diagram showing the MITRE ATT&CK page: Showing various tools and

It also provides mitigations, both for enterprise environments and for mobile devices. The following exhibit shows the mitigations for mobile security.
Figure 1.3 Diagram showing the MITRE ATT&CK page: Showing various mobile
mitigations on MITRE ATT&CK Website.

You can also find information on the software used in attacks. An example, AndroRAT, is given below.
Each piece of software has a dedicated Web page where MITRE describes the tool and the techniques it uses.
Figure 1.4 Diagram showing the MITRE ATT&CK page: Showing the details of the
AndroRAT malware on the MITRE ATT&CK Website.

The Diamond Model of Intrusion Analysis


The Diamond Model helps security professionals understand how adversaries operate and how they select their targets. It also helps them understand an adversary's capabilities and motives. It is an approach that can be used to conduct intelligence analysis on the intrusion events that occur on a network.
Figure 1.5 Diagram showing the Diamond model: Showing the four key
characteristics of an event in the Diamond Model - Adversary > Capabilities >
Victim > Infrastructure.

The diamond represents an intrusion event. Each event has four characteristics, or vertices:
 Adversary: The threat actor using capabilities against the victim. The adversary is often known only through identifiers such as e-mail addresses or online handles.
 Capabilities: The malware, exploit kits, and custom tools the adversary uses.
 Victim: The target of the adversary, such as individuals and organizations.
 Infrastructure: The physical or logical network resources used by the adversary to conduct the attack, such as network assets, IP addresses, and domain names.
A few key examples:
 Adversary: GreenSky27
 Capabilities: Malware, Post-infection tools, and utilities exploit kits
 Victim: International, public and private organizations in the Energy sector
 Infrastructure: Attacker’s registered domains, Global Command & Control
Infrastructure, and Chinese Dynamic DNS Infrastructure Providers
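Pivoting is what makes the model useful in practice: start from the one vertex you can actually observe (an IP address in a firewall log, a malware sample) and move across the diamond to link events into an activity thread, then infer the adversary and the victim set from the thread. The Python script below is an added example, not part of the lab or of the Diamond Model paper; the events, the handle, the host names, the domain and the IP addresses in it are constructed for illustration and are not real indicators.

```python
# Added example (not part of the lab): pivoting across Diamond Model vertices.
# Every event, handle, address and domain below is constructed for illustration;
# the IPs are RFC 5737 documentation addresses and are not real indicators.

VERTICES = ("adversary", "capability", "infrastructure", "victim")

EVENTS = [
    {"adversary": "GreenSky27", "capability": "custom-rat",
     "infrastructure": "198.51.100.7", "victim": "energy-co-a"},
    {"adversary": "GreenSky27", "capability": "custom-rat",
     "infrastructure": "c2.example.net", "victim": "energy-co-b"},
    # Adversary unknown: only the capability and infrastructure were observed.
    {"adversary": None, "capability": "exploit-kit-x",
     "infrastructure": "198.51.100.7", "victim": "energy-co-c"},
    {"adversary": None, "capability": "custom-rat",
     "infrastructure": "203.0.113.9", "victim": "utility-d"},
    # Unrelated activity that shares no capability or infrastructure.
    {"adversary": "OtherActor", "capability": "commodity-stealer",
     "infrastructure": "203.0.113.55", "victim": "retail-e"},
]


def pivot(events, vertex, value, to_vertex):
    """One pivot: values of to_vertex seen in events whose vertex equals value."""
    if vertex not in VERTICES or to_vertex not in VERTICES:
        raise ValueError("unknown vertex")
    return {e[to_vertex] for e in events
            if e[vertex] == value and e[to_vertex] is not None}


def activity_thread(events, vertex, value):
    """Indexes of all events reachable from the starting vertex value by
    repeatedly pivoting on shared capability or infrastructure. Those two
    vertices are the ones an analyst observes directly; adversary and victim
    are inferred from the thread rather than used as links."""
    seen = {i for i, e in enumerate(events) if e[vertex] == value}
    frontier = list(seen)
    while frontier:
        i = frontier.pop()
        for j, other in enumerate(events):
            if j in seen:
                continue
            if (other["capability"] == events[i]["capability"]
                    or other["infrastructure"] == events[i]["infrastructure"]):
                seen.add(j)
                frontier.append(j)
    return sorted(seen)


def attribute(events, vertex, value):
    """Summarize the thread: which adversary names were ever attached to it,
    which victims it touched and which infrastructure it used.
    A None adversary means 'not yet known'."""
    thread = activity_thread(events, vertex, value)
    return {
        "events": thread,
        "adversaries": {events[i]["adversary"] for i in thread} - {None},
        "victims": {events[i]["victim"] for i in thread},
        "infrastructure": {events[i]["infrastructure"] for i in thread},
    }


if __name__ == "__main__":
    # Start from an IP address seen in firewall logs and pivot outward.
    result = attribute(EVENTS, "infrastructure", "198.51.100.7")
    print("linked events:", result["events"])
    print("likely adversary:", result["adversaries"])
    print("victims in thread:", sorted(result["victims"]))
```

Starting from the single address 198.51.100.7, the thread picks up the two events that share that infrastructure, then the custom-rat events on other infrastructure, and attributes the whole thread to the one named adversary in it; the unrelated commodity-stealer activity stays outside the thread because it shares neither vertex.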
Kill Chain
As part of intelligence-driven defense, the Cyber Kill Chain (or Kill Chain) helps you identify the steps that attackers must complete to conduct a successful attack. It lists these steps as a series of phases. Because every phase must succeed for the attack to succeed, detecting and disrupting any one phase breaks the chain. Using the Cyber Kill Chain, you can gain insight into the methods and procedures attackers use and plan where to detect and prevent attacks on your infrastructure.
There are seven phases in the Cyber Kill Chain, as shown in the exhibit:

Figure 1.6 Diagram showing the Cyber Kill Chain: Showing the phases of the Cyber Kill Chain - Reconnaissance > Weaponization > Delivery > Exploitation > Installation > Command & Control > Actions on Objectives.

The breakdown of each stage is as follows:
 Reconnaissance: Identifying and selecting the target
 Weaponization: Packaging the malware with a deliverable payload, such as a document file
 Delivery: Sending the malicious package to the target system via e-mail, a Web site, USB media, or another method
 Exploitation: Triggering the malicious package on the target's system after delivery
 Installation: Installing a backdoor for persistent access to the target's system
 Command & Control: Establishing a channel from the target's system to an external system so that the attacker can manage it remotely
 Actions on Objectives: Achieving the goal of the intrusion, such as exfiltrating data or spreading to other systems
Detection methods for each stage:
 Reconnaissance: Web analytics
 Weaponization: Network Intrusion Detection System (NIDS)
 Delivery: Vigilant (alert) user
 Exploitation: Host Intrusion Detection System (HIDS)
 Installation: Host Intrusion Detection System (HIDS)
 Command & Control: Network Intrusion Detection System (NIDS)
 Actions on Objectives: Audit log
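The detection table above only pays off when it is applied to real events. The Python script below is an added example, not part of the lab: it tags constructed log lines with the Kill Chain phase they evidence, using the detection source the table assigns to each phase, and then reports the earliest phase at which a given set of sensors would have caught the intrusion, which is the link you could have broken. The log formats, regular expressions, IP addresses and domain names are invented for the example; the host names PLABWIN10 and PLABDC01 are reused from the lab only as labels.

```python
import re

# Added example (not lab code): tagging constructed log lines with Kill Chain
# phases and finding the earliest phase a given set of sensors would catch.
# Log formats below are invented for this example.

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
PHASE_ORDER = {name: i for i, name in enumerate(PHASES)}

# (phase, detection source from the table above, pattern). Weaponization has
# no rule: it happens off our network, before delivery.
RULES = [
    ("Reconnaissance", "web analytics",
     re.compile(r"^\S+ web: \S+ GET /(?:robots\.txt|wp-login\.php|\.git/)")),
    ("Delivery", "vigilant user",
     re.compile(r"^\S+ mail: .*attachment=\S+\.(?:docm|xlsm|hta|js)$")),
    ("Exploitation", "HIDS",
     re.compile(r"^\S+ host: \S+ parent=(?:WINWORD|EXCEL|OUTLOOK)\.EXE "
                r"child=(?:powershell|cmd|mshta|wscript)\.exe")),
    ("Installation", "HIDS",
     re.compile(r"^\S+ host: \S+ registry set .*\\CurrentVersion\\Run\\")),
    ("Command & Control", "NIDS",
     re.compile(r"^\S+ proxy: \S+ -> \S+ beacon")),
    ("Actions on Objectives", "audit log",
     re.compile(r"^\S+ audit: \S+ (?:read|copied) \d{3,} files")),
]

SAMPLE_LOGS = [  # constructed for this example
    "2024-03-04T08:01:10 web: 203.0.113.7 GET /robots.txt 200",
    "2024-03-04T08:03:41 web: 203.0.113.7 GET /wp-login.php 404",
    "2024-03-04T09:12:00 mail: from=hr@example.invalid to=alice@corp.example attachment=invoice.docm",
    "2024-03-04T09:14:22 host: PLABWIN10 parent=WINWORD.EXE child=powershell.exe",
    "2024-03-04T09:14:30 host: PLABWIN10 registry set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "2024-03-04T09:15:05 proxy: PLABWIN10 -> 198.51.100.7:443 beacon interval=60s",
    "2024-03-04T10:40:00 audit: alice read 1200 files on \\\\PLABDC01\\finance",
    "2024-03-04T10:41:00 web: 192.0.2.10 GET /index.html 200",  # benign, no rule matches
]


def classify(line):
    """Return (phase, source) for the first matching rule, or None."""
    for phase, source, pattern in RULES:
        if pattern.search(line):
            return phase, source
    return None


def reconstruct(lines):
    """Ordered list of (timestamp, phase, source) for every line that matched."""
    chain = []
    for line in lines:
        hit = classify(line)
        if hit is not None:
            chain.append((line.split(" ", 1)[0],) + hit)
    return chain


def earliest_break(lines, enabled_sources):
    """Earliest phase at which the enabled sensors would have seen this
    intrusion, i.e. the first link you could have broken. None means the
    attacker reaches the objective without any enabled sensor firing."""
    phases = [p for _, p, s in reconstruct(lines) if s in enabled_sources]
    if not phases:
        return None
    return min(phases, key=PHASE_ORDER.__getitem__)


if __name__ == "__main__":
    for ts, phase, source in reconstruct(SAMPLE_LOGS):
        print(f"{ts}  {phase:<22} seen by {source}")
    print("all sensors     ->", earliest_break(SAMPLE_LOGS, {s for _, s, _ in RULES}))
    print("HIDS+audit only ->", earliest_break(SAMPLE_LOGS, {"HIDS", "audit log"}))
```

With every source enabled the intrusion is visible at Reconnaissance; with only host sensors and audit logs it is first seen at Exploitation, after the payload has already been delivered, which is the practical argument for instrumenting the earlier phases.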

There are no screenshot items for this exercise.

Exercise 2 - Threat Research
Assume a scenario in which a malware attack has taken place on a file server. After the attack has been identified, you find traces of the malware in the log files, which contain events related to the malware. It is then your responsibility to research those threats for possible remediation.
In this exercise, we will discuss threat research action points in more detail.
Learning Outcomes
After completing this exercise, you will be able to:
 Use the Common Vulnerability Scoring System (CVSS)
After completing this exercise, you will have further knowledge of:
 Indicators of Compromise (IOC)

Your Devices
You will be using the following devices in this lab. Please power on these
devices.
 PLABDC01 - (Windows Server 2019 - Domain Server)
 PLABKALI01 - (Kali Linux 2019 - Linux Kali)
 PLABWIN10 - (Windows 10 - Domain Member)
Indicator of Compromise (IoC)
Assume a scenario in which a malware attack has taken place on a file server. After the attack has been identified, you find traces of the malware in the log files, which contain events related to the malware.
These events are considered Indicators of Compromise (IoC). They are also used for forensic purposes, where investigators can determine the activities performed by the malware (or by any other type of attack).
Several recent antimalware products can consume IoCs directly. IoCs can also be used to detect breaches or other security threats within a system.
With the help of IoCs, threat researchers can determine the behavior of specific malware and its method of operation.
Such information can then be shared with other organizations in the form of threat intelligence, which helps improve threat response and remediation methods.
IoCs can be of various types. Some of these are:
1. Unusual network traffic, either inbound or outbound
2. Unusual activities performed by an administrative or privileged user account
3. Unusual changes in the operating system or registry
4. Unusual connections established from
5. Unusual DNS modifications and requests
6. Untimely system patching
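Indicators received as threat intelligence are only worth as much as the sweep you run with them. The Python script below is an added example, not part of the lab: it matches a small constructed indicator set (domain, IP address, CIDR range and file hash) against constructed log events of several types, and also flags the behavioral IoC of a privileged logon outside business hours (type 2 in the list above). Two details that matter in practice are handled: domain matching is done on label boundaries, so notevil.example does not match evil.example, and DNS names are normalized for case and trailing dot. All hosts, addresses, domains, the user name and the hash are placeholders.

```python
import ipaddress
from datetime import datetime

# Added example (not lab code): sweeping log events against an indicator set.
# The indicators and events are constructed: RFC 5737 documentation IPs, the
# reserved .example TLD and a dummy hash, not real IoCs.

INDICATORS = {
    "domain": {"evil.example"},
    "ip": {"198.51.100.7"},
    "cidr": {"203.0.113.0/24"},
    "sha256": {"0" * 63 + "1"},
}

SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:15:01", "type": "dns", "host": "PLABWIN10",
     "query": "CDN.Evil.Example."},                       # mixed case, trailing dot
    {"ts": "2024-03-04T09:15:02", "type": "conn", "host": "PLABWIN10",
     "dst": "203.0.113.77", "dport": 443},                 # inside the listed CIDR
    {"ts": "2024-03-04T09:16:10", "type": "proc", "host": "PLABWIN10",
     "image": "C:\\Users\\alice\\updater.exe", "sha256": "0" * 63 + "1"},
    {"ts": "2024-03-04T02:10:00", "type": "logon", "host": "PLABDC01",
     "user": "CORP\\Administrator", "privileged": True},  # 02:10, off hours
    {"ts": "2024-03-04T10:00:00", "type": "dns", "host": "PLABWIN10",
     "query": "notevil.example"},                          # must NOT match evil.example
    {"ts": "2024-03-04T11:00:00", "type": "conn", "host": "PLABWIN10",
     "dst": "192.0.2.10", "dport": 443},                   # not listed
    {"ts": "2024-03-04T11:05:00", "type": "logon", "host": "PLABDC01",
     "user": "CORP\\Administrator", "privileged": True},  # business hours, no hit
]


def domain_matches(query, indicator):
    """True if query is the indicator domain or a subdomain of it.
    Comparison is on label boundaries, so notevil.example != evil.example."""
    q = query.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def ip_indicator(addr, indicators):
    """Return the matching 'ip:' or 'cidr:' indicator for addr, else None."""
    if addr in indicators["ip"]:
        return "ip:" + addr
    ip = ipaddress.ip_address(addr)
    for net in indicators["cidr"]:
        if ip in ipaddress.ip_network(net, strict=False):
            return "cidr:" + net
    return None


def sweep(events, indicators, business_hours=(7, 19)):
    """Return (timestamp, host, indicator) for every event that hits an atomic
    indicator, plus the behavioral IoC 'privileged logon outside business
    hours'. business_hours is a half-open [start, end) range of local hours."""
    hits = []
    for e in events:
        if e["type"] == "dns":
            for d in indicators["domain"]:
                if domain_matches(e["query"], d):
                    hits.append((e["ts"], e["host"], "domain:" + d))
        elif e["type"] == "conn":
            m = ip_indicator(e["dst"], indicators)
            if m:
                hits.append((e["ts"], e["host"], m))
        elif e["type"] == "proc":
            digest = e["sha256"].lower()
            if digest in indicators["sha256"]:
                hits.append((e["ts"], e["host"], "sha256:" + digest))
        elif e["type"] == "logon" and e.get("privileged"):
            hour = datetime.fromisoformat(e["ts"]).hour
            if not business_hours[0] <= hour < business_hours[1]:
                hits.append((e["ts"], e["host"], "behavior:privileged-logon-off-hours"))
    return hits


if __name__ == "__main__":
    for ts, host, ioc in sweep(SAMPLE_EVENTS, INDICATORS):
        print(ts, host, ioc)
```

The sweep yields four hits out of seven events: the subdomain lookup, the connection into the listed range, the process with the listed hash and the 02:10 administrator logon; the look-alike domain, the unlisted destination and the daytime logon are left alone.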
Task 1 - Common Vulnerability Scoring System (CVSS)
When you find several vulnerabilities within an infrastructure, you need a consistent way to rank them. CVSS lets you assign a numeric score to each vulnerability.
For example, a vulnerability may put the confidentiality, integrity, and availability of your data at risk. Using CVSS, you can express how severe that vulnerability is.
Scores are calculated from several metrics. Once you have assigned a value to each metric, the CVSS base score follows from them. Scores range from 0.0 to 10.0; a score of 10.0 is the most severe. You can also use a CVSS calculator to compute the score for you.
In this task, you will be shown how to determine a CVSS score.
Step 1
Ensure that the required devices are powered on. Connect to PLABWIN10.
Click the Microsoft Edge icon.
Figure 2.1 Screenshot of PLABWIN10: Clicking the Microsoft Edge icon in the left
pane.

Step 2
In the address bar of Microsoft Edge, type the following URL:

https://www.first.org/cvss/calculator/3.0

Press Enter.
Figure 2.2 Screenshot of PLABWIN10: Entering the URL in the address bar of the
Microsoft Edge Web browser.

Step 3
The Common Vulnerability Scoring System Version 3.0 Calculator page is displayed.
In the Base Score section, select the following metrics:
 Attack Vector (AV): Network (N)
 Attack Complexity (AC): High (H)
 Privileges Required (PR): Low (L)
 User Interaction (UI): None (N)
 Scope (S): Unchanged (U)
 Confidentiality (C): High (H)
 Integrity (I): High (H)
 Availability (A): High (H)
This corresponds to the vector string AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Notice that the score is automatically calculated as 7.5, which is considered to be High.
Figure 2.3 Screenshot of PLABWIN10: Showing the rating in the CVSS calculator.

Note: Why not spend some time on this page and try different combinations of metric values.

Let's change the following values:
 Confidentiality (C): Low (L)
 Integrity (I): Low (L)
 Availability (A): Low (L)
The vector string is now AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L.
Notice that the score is automatically recalculated as 5.0, which is considered to be Medium.
Figure 2.4 Screenshot of PLABWIN10: Showing the rating in the CVSS calculator.

Exercise 3 - Threat Modeling Methodologies
A threat modeling methodology is a structured way for an organization to identify potential threats and gain the insight needed to implement appropriate security controls against them.
These methodologies help a great deal in identifying where appropriate security controls are missing, since it is those gaps that allow threats to emerge within an organization.
In this exercise, you will learn about various terms that relate to threats.
Learning Outcomes
After completing this exercise, you will have further knowledge of:
 Adversary Capability
 Total Attack Surface
 Attack Vector
 Impact
 Likelihood

Your Devices
This exercise contains supporting materials for CySA+.
Adversary Capability
A capability is someone’s ability to perform a particular task. For example, an
electrician can install electrical systems and fix them as and when required.
Similarly, an adversary can also have different levels of capabilities. Each
adversary may differ in terms of capability.
For example, an adversary may have the capability to break into a system
but may not have the capability to exploit the vulnerabilities in a Web
application.
As and when an adversary gains the capability, he or she may change the
methods of conducting an attack. Organizations may define some generic
definitions of adversary capabilities. A generic set of capabilities is as
follows:
 Unsophisticated: script kiddies
 Limited: Spammers, politically motivated groups, insiders
 Moderate: Patriotic hackers, organized gangs
 Significant: Intelligence service, military intelligence groups
 Advanced: Nation-state, groups with sophisticated knowledge
Total Attack Surface
An attack surface is like an entry point that can be used by an attacker to get
into the network of an organization. It is a vulnerable point that can be
exploited by a threat actor. An attack surface can also be a vulnerability that
can be exploited.
An organization can implement security controls to reduce an attack surface.
Often, organizations make mistakes by implementing several security
controls that are not required. This causes the infrastructure or the network
to become complex, which leads to administrative issues and can also
increase vulnerabilities.
The attack surface can be logical or physical. For an organization to reduce
the attack surface, it should limit its physical and logical infrastructure.
To be able to do this, the organization must first identify the assets within
the infrastructure and then conduct a threat analysis of these assets. After
this, an organization should ensure that the risks and threats are eliminated
by implementing security controls or even by removing the unwanted assets.
An organization must also focus its attention on the most vulnerable assets.
Once those are identified, then there should be vulnerability management to
eliminate the vulnerabilities.
Attack Vector
A Threat Agent is someone who conducts an attack. Threat agents can use
various methods in an attack. For example, a threat actor can exploit a
vulnerability in an attack. The methods or techniques used by the threat
actor are known as a threat or attack vector.
Different types of attack vectors can be used by a threat actor. For example,
a threat actor can simply exploit the vulnerabilities. Another threat actor
may use social engineering methods to get into an organization.
Some of the key examples of threat vector are:
 Unpatched vulnerabilities
 Brute force/cracking
 Distributed denial-of-service (DDoS)
 Domain Shadowing or hijacking
 Credential reuse
Impact
The impact of a threat varies from case to case. Depending on the type of vulnerability and the criticality of the affected asset, the impact will differ. A vulnerability in a critical asset can have a severe impact, while a vulnerability in a non-critical asset may not.
Likelihood
Threat likelihood is the probability that a threat will occur; some threats are more likely to occur than others. You can estimate the likelihood of a threat using methods such as:
 Reviewing historical statistics
 Reviewing asset criticality
 Reviewing vulnerabilities within an asset
The likelihood of a threat can be rated as:
 Very high
 High
 Moderate
 Low
The definition of each likelihood level may differ from one organization to another.

Exercise 4 - Threat Intelligence Sharing with Supported Functions
Threat intelligence is the process an organization uses to gather and analyze information about the threats it has faced in the past or is likely to face in the future. Threat intelligence helps an organization gain insight into different types of threats and their impact.
Based on the intelligence gathered, an organization can prepare its defenses accordingly.
In this exercise, you will learn how threat intelligence is shared with the functions it supports.
Learning Outcomes
After completing this exercise, you will have further knowledge of:
 Incident Response
 Vulnerability Management
 Risk Management
 Security Engineering
 Detection and Monitoring

Your Devices
This exercise contains supporting materials for CySA+.
Incident Response
In an organization, you can face several types of incidents which are likely to
be unwanted and unauthorized. For example, a user is attempting to access
a restricted folder, or a user is copying confidential files on a USB drive. Both
of these incidents can be considered as unwanted and unauthorized.
An incident can also be a technical problem, such as a hard drive failure or
an application failure. Different organizations may have different definitions
of an incident. With whichever definition an organization goes by, a response
to both the incidents is required. When you encounter an incident, you have
to respond to it.
Incident response is part of the incident management process, which focuses
on managing and preventing incidents from reoccurring. It is a framework
that performs the following functions:
 Detect
 Report
 Assess
 Respond
 Deal
Incident Management focuses on restoring operations after an incident
occurs. The key focus of Incident Management is to minimize the impact of
incidents on users, systems, and overall business operations.
Incident handling is about coordination between different functions within an
organization to resolve an incident and reduce it’s impact. While Incident
Management is the umbrella term, Incident Handling is part of Incident
Management. Incident Response is of the functions that are performed under
Incident Handling, which has four key functions:

Figure 3.1 Diagram of Incident Response: Showing various stages of the Incident Response - Detection >
Triage > Analysis > Incident

Incident response requires that the necessary actions be taken to resolve incidents. It involves five steps that play a key role in resolving incidents, and these five steps can be applied in any incident response situation:
 Initial reporting and diagnosis: A user reports an incident to a first-line entity such as technical support, which attempts to resolve it.
 Incident escalation: If the initial response (or troubleshooting) does not resolve the incident, it is escalated to the next level or to another team. This happens in some cases, but most issues should be resolved by the first-line support to whom the user reported the incident.
 An escalation can be either functional or hierarchical. Functional escalation is to a team with more specialized knowledge, usually second-line support. Hierarchical escalation is to senior IT staff with more authority and knowledge; they are usually a separate team within the organization, trained to handle critical incidents that cannot be handled by the first-line or second-line support teams.
 Investigation and diagnosis: The team handling the incident takes a deep dive into it and works out what needs to be done to resolve it. After the incident has been investigated and diagnosed, a solution is applied. The nature of the solution depends on the type of incident; for example, replacing hardware can be the solution if the incident involves a hardware failure.
 Resolution and recovery: Testing is performed to ensure that the applied resolution works. If testing is successful, the affected services are returned to normal operation.
 Incident closure: The team handling the incident marks it as closed.
Vulnerability Management
A vulnerability is a weakness that may exist within an operating system or
applications. A threat actor exploits the vulnerability to cause damage to the
system or gain access and control the system. The Vulnerability
Management process is about finding vulnerabilities within a system and
then remediating them to prevent the threat actor from exploiting them.
There are three parts of to a vulnerability:
 The weakness that causes the vulnerability
 Threat actor’s access to the vulnerability
 Threat actor’s ability to exploit the vulnerability using a tool
In between finding and closing vulnerabilities, several steps should be
followed. Vulnerabilities are discovered using an automated tool, which runs
the defined baseline on the assets to discover the vulnerabilities.
The steps in the vulnerability management life cycle are described below.
 Discover: First identify the hosts and devices on the network. Then create baselines for these devices and systems, and run the baselines against them to discover security vulnerabilities.
 Prioritize assets: An organization may contain hundreds to thousands of assets. Categorize the assets based on their criticality.
 Assess: Create a baseline risk profile for the assets so that risks can be measured and reduced.
 Report: Based on the baseline risk profile, measure the risk for each asset. Create a security plan to mitigate the risks and vulnerabilities that have been found.
 Remediate: Prioritize the vulnerabilities and fix them accordingly. Low-priority vulnerabilities can be handled later, but high-priority vulnerabilities need immediate attention.
 Verify: After remediation, ensure that the vulnerabilities have been eliminated. This can be verified by re-running the assessment and confirming that all vulnerabilities have been closed.
Risk Management
Over the last decade, there has been wide adoption of technology in day to
day work, be it personal or official. With the wide use of technology, the risks
relating to technology have also emerged.
There have been risks that have caused businesses to fail because of
different types of attacks. It is inevitable that any organization will be risk-
free or will not face risks. However, an organization is well prepared to
handle risks if they have adopted the principles of risk management.
In the old days, if any organization had adopted risk management principles,
it was only the IT team that was dealing with them. However, with the
technological developments and adoption, risk management cannot only be
left to the IT teams within an organization.
Several entities, including the senior management, should be involved in the
risk management, which can help an organization to understand the risks
and weaknesses within the processes and systems. It can also help to
identify the risks that an organization is exposed to.
Risk Management is an iterative process, which requires the organization to
keep reviewing the Risk Management plans and update them from time to
time. The organization must:
 Understand and know the assets that need to be protected
 Know how to protect the assets
 Know if an adopted approach is sufficient or adequate
 Monitor and improve controls based on the risk evaluation
Risk Management cannot be static. This is because the risks will evolve from
time to time within an organization. The organization must continue to
evaluate risks and accordingly perform Risk Management, which needs to be
an iterative process.
With the help of Risk Management, the organization can plan to minimize
risks or the losses that may occur due to the risks. With Risk Management,
an organization can gain the ability to make better decisions.
There are four key recurring phases in Risk Management cycle:
Figure 3.1 Diagram of Risk Management: Showing various stages of Risk Management. Risk Identification
> Risk Assessment > Risk Control > Risk Monitoring.

In the risk management process, you have to perform six key steps. These six steps follow the NIST Risk Management Framework (SP 800-37):
 Categorize information systems: The organization categorizes each system based on its usage and business objectives, and on the impact that a loss of confidentiality, integrity, or availability would have.
 Select security controls: The organization then identifies the security controls to be implemented to safeguard the identified systems.
 Implement security controls: The selected security controls are implemented to safeguard the systems and networks.
 Assess security controls: The security controls are assessed for weaknesses. A detailed report is generated based on the assessment.
 Authorize information systems: Based on the assessment report and a plan of action for handling the weaknesses found, a senior official decides whether the remaining risk is acceptable and authorizes the system to operate.
 Monitor security controls: As the systems and their controls change, the organization determines the security impact of those changes. This is the step where continuous monitoring takes place.
Security Engineering
Security engineering is a focus field that intends to build robust systems that
can handle any type of unwanted incident, such as a natural disaster or a
malicious act.
Security engineering works in the same manner as any other engineering
stream, but it has an added responsibility of building robust systems that can
handle the misuse of incidents.
Security Engineering, a person is required to be equipped with cross-
disciplinary expertise. Some of the cross-disciplinary expertise are:
 Cryptography
 Software Development
 Security software tools
 Security hardware
When you refer to security engineering, it is about integrating security into
the engineering processes. Security, in this regard, is not an isolated domain
but rather an integrated domain within the engineering domain.
When an organization is engineering a product, the security must be
integrated at the time of development. When security is integrated at the
time of development, several vulnerabilities can be prevented and avoided
being built into the product. If security engineering is not into the product
building, then it may include several vulnerabilities, which if discovered later,
can lead to a huge cost in fixing the vulnerabilities.
The key intent of security engineering is to integrate security controls into
every part of the development as well as the part of the information
systems. This way, security is deep-rooted into the products and the
information systems. An organization does not need to re-create the concept
of security engineering. It can simply adopt the concepts from the following
standards:
 NIST Special Publication 800-27 Revision A
 DHS Software Assurance Workgroup, Software Assurance
 DoD Information Assurance Technology Analysis Center, Software Security
Assurance
 ISO/IEC 15026, Systems and Software Engineering: Systems and Software
Assurance
Detection and Monitoring
Threat detection is the method using which an organization can scan an
entire information system to detect any threats. If a threat is detected, then
the organization needs to put in efforts to mitigate it. It could be as simple as
ignoring the threat and as complex as the organization putting in security
controls to tackle it.
It becomes difficult for an organization to cope up with a breach. The
organization loses not only the reputation but also the data and can also be
liable to a legal lawsuit. Therefore, most organizations put in efforts to
perform threat detection, which can help in reducing the chances of a
breach.
The organizations tend to put in several complicated security controls to
raise the security level. However, this creates more complexity in the
infrastructure for several reasons. One of the key reasons is that
infrastructure becomes difficult to manage.
Second, with more controls, there are chances that more vulnerabilities may
also get introduced into the infrastructure, which are difficult to detect due to
the complexity. Therefore, the organizations must keep the infrastructure
and security controls as simple as possible and pay more attention to
detecting the threats, which requires continuous monitoring.
If a threat is detected, then mitigation efforts must be enacted to properly
neutralize the threat before it can exploit any present vulnerabilities.
The security teams within the organization must not wait for a threat to
materialize. Rather, they should spend time and effort in detecting the
threats. This would require continuous monitoring and would require
evaluating each aspect of an infrastructure, including the endpoints.
To be able to detect threats, the organization should implement solutions
that will:
 Aggregate events from various network services and devices
 Aggregate logs from various network services and devices
 Implement threat detection technology
 Monitor and analyze the traffic continuously
 Implement threat detection technology and monitoring the endpoints, which
are user systems

There are no screenshot items for this exercise.

Review
Well done, you have completed the Supporting Organizational
Security Practice Lab.
Lab Assessment
Test your knowledge on the topics covered in this lab by completing the review
questions below.

Question 2
True or false: the Diamond Model helps understand an adversary's capabilities and motives.
True
False
Answer: True. The Diamond Model helps security professionals understand how their adversaries work and how they select targets. It also helps them understand the adversary's capabilities and motives. It is an approach that can be used to conduct intelligence on the intrusion events that occur on a network.

Question 3
Which of the following are characteristics of the Diamond Model? (Choose all that apply)
Victim
Capacity
Adversary
Capabilities
Answer: Victim, Adversary, and Capabilities; Capacity is not one of them. The diamond represents the events that occur. Each event has four characteristics:
 Adversary: The threat actor using capabilities against the target, often identified by details such as e-mail addresses
 Capabilities: The malware, exploit kits, and custom tools of the adversary
 Victim: The target of the adversary, such as individuals and organizations
 Infrastructure: The physical or logical network used by the adversary to conduct the attack, including network assets, IP addresses, and domain names

Question 4
True or false: with indicators of compromise (IoC), traces of malware can be found in log files.
True
False
Answer: True. After an attack has been identified, you will find traces of malware in the log files. These events are considered indicators of compromise (IoC). They are also used for forensic purposes, where investigators can determine the activities performed by malware or any other type of attack.

Question 5
True or false: an attack surface is like an entry point that can be used by an attacker to get into the network of an organization.
True
False
Answer: True. An attack surface is an entry point that can be used by an attacker to get into the network of an organization.

Summary
You completed the following exercises:
 Exercise 1 - Attack Frameworks
 Exercise 2 - Threat Research
 Exercise 3 - Threat Modeling Methodologies
 Exercise 4 - Threat Intelligence Sharing with Supported Functions
You should now be able to:
 Use the Common Vulnerability Scoring System (CVSS)
You should now have further knowledge of:
 MITRE ATT&CK
 The Diamond Model of Intrusion Analysis
 Kill Chain
 Indicator of Compromise (IOC)
 Adversary Capability
 Total Attack Surface
 Attack Vector
 Impact
 Likelihood
 Incident Response
 Vulnerability Management
 Detection and Monitoring
 Risk Management
 Security Engineering
