Question 1

Daniel is a professional hacker whose aim is to attack a system to steal data and money for profit. He
performs hacking to obtain confidential data such as social security numbers, personally identifiable
information (PII) of an employee, and credit card information. After obtaining confidential data, he
further sells the information on the black market to make money.
Daniel comes under which of the following types of threat actor.

Accepted Answer

D

Explanation: Daniel's activities align with those typically associated with organized hackers. Organized hackers or cybercriminals work in groups with the primary goal of financial gain through illegal activities such as stealing and selling data. These groups often target large amounts of data, including personal and financial information, which they can monetize by selling on the black market or dark web. Unlike industrial spies who focus on corporate espionage or state-sponsored hackers who are backed by nation-states for political or military objectives, organized hackers are motivated by profit. Insider threats, on the other hand, come from within the organization and might not always be motivated by financial gain. The actions described in the scenario—targeting personal and financial information for sale—best fit the modus operandi of organized cybercriminal groups. Reference: ENISA (European Union Agency for Cybersecurity) Threat Landscape Report Verizon Data Breach Investigations Report

Question 2

John, a professional hacker, is trying to perform APT attack on the target organization network. He
gains access to a single system of a target organization and tries to obtain administrative login
credentials to gain further access to the systems in the network using various techniques.
What phase of the advanced persistent threat lifecycle is John currently in?

Accepted Answer

C

Explanation: The phase described where John, after gaining initial access, is attempting to obtain administrative credentials to further access systems within the network, is known as the 'Expansion' phase of an Advanced Persistent Threat (APT) lifecycle. This phase involves the attacker expanding their foothold within the target's environment, often by escalating privileges, compromising additional systems, and moving laterally through the network. The goal is to increase control over the network and maintain persistence for ongoing access. This phase follows the initial intrusion and sets the stage for establishing long-term presence and eventual data exfiltration or other malicious objectives. Reference: MITRE ATT&CK Framework, specifically the tactics related to Credential Access and Lateral Movement "APT Lifecycle: Detecting the Undetected," a whitepaper by CyberArk

Question 3

Tracy works as a CISO in a large multinational company. She consumes threat intelligence to
understand the changing trends of cyber security. She requires intelligence to understand the current
business trends and make appropriate decisions regarding new technologies, security budget,
improvement of processes, and staff. The intelligence helps her in minimizing business risks and
protecting the new technology and business initiatives.
Identify the type of threat intelligence consumer is Tracy.

Accepted Answer

B

Explanation: Tracy, as a Chief Information Security Officer (CISO), requires intelligence that aids in understanding broader business and cybersecurity trends, making informed decisions regarding new technologies, security budgets, process improvements, and staffing. This need aligns with the role of a strategic user of threat intelligence. Strategic users leverage intelligence to guide long-term planning and decision-making, focusing on minimizing business risks and safeguarding against emerging threats to new technology and business initiatives. This type of intelligence is less about the technical specifics of individual threats and more about understanding the overall threat landscape, regulatory environment, and industry trends to inform high-level strategy and policy. Reference: "The Role of Strategic Intelligence in Cybersecurity," Journal of Cybersecurity Education, Research and Practice "Cyber Threat Intelligence and the Lessons from Law Enforcement," by Robert M. Lee and David Bianco, SANS Institute Reading Room

Question 4

Alison, an analyst in an XYZ organization, wants to retrieve information about a company’s website
from the time of its inception as well as the removed information from the target website.
What should Alison do to get the information he needs.

Accepted Answer

B

Explanation: To retrieve historical information about a company's website, including content that may have been removed or altered, Alison should use the Internet Archive's Wayback Machine, accessible at https://archive.org. The Wayback Machine is a digital archive of the World Wide Web and other information on the Internet, providing free access to snapshots of websites at various points in time. This tool is invaluable for researchers and analysts looking to understand the evolution of a website or recover lost information. Reference: "Using the Wayback Machine for Cybersecurity Research," Internet Archive Blogs "Digital Forensics with the Archive's Wayback Machine," by Jeff Kaplan, Internet Archive

Question 5

Jame, a professional hacker, is trying to hack the confidential information of a target organization. He
identified the vulnerabilities in the target system and created a tailored deliverable malicious
payload using an exploit and a backdoor to send it to the victim.
Which of the following phases of cyber kill chain methodology is Jame executing?

Accepted Answer

C

Explanation: In the cyber kill chain methodology, the phase where Jame is creating a tailored malicious deliverable that includes an exploit and a backdoor is known as 'Weaponization'. During this phase, the attacker prepares by coupling a payload, such as a virus or worm, with an exploit into a deliverable format, intending to compromise the target's system. This step follows the initial 'Reconnaissance' phase, where the attacker gathers information on the target, and precedes the 'Delivery' phase, where the weaponized bundle is transmitted to the target. Weaponization involves the preparation of the malware to exploit the identified vulnerabilities in the target system. Reference: Lockheed Martin's Cyber Kill Chain framework "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," leading to the development of the Cyber Kill Chain framework

Question 6

A threat analyst wants to incorporate a requirement in the threat knowledge repository that provides
an ability to modify or delete past or irrelevant threat data.
Which of the following requirement must he include in the threat knowledge repository to fulfil his
needs?

Accepted Answer

C

Explanation: Incorporating a data management requirement in the threat knowledge repository is essential to provide the ability to modify or delete past or irrelevant threat data. Effective data management practices ensure that the repository remains accurate, relevant, and up-to-date by allowing for the adjustment and curation of stored information. This includes removing outdated intelligence, correcting inaccuracies, and updating information as new insights become available. A well-managed repository supports the ongoing relevance and utility of the threat intelligence, aiding in informed decision-making and threat mitigation strategies. Reference: "Building and Maintaining a Threat Intelligence Library," by Recorded Future "Best Practices for Creating a Threat Intelligence Policy, and How to Use It," by SANS Institute Thank you for your visit.

Question 7

Alice, a threat intelligence analyst at HiTech Cyber Solutions, wants to gather information for
identifying emerging threats to the organization and implement essential techniques to prevent their
systems and networks from such attacks. Alice is searching for online sources to obtain information
such as the method used to launch an attack, and techniques and tools used to perform an attack
and the procedures followed for covering the tracks after an attack.
Which of the following online sources should Alice use to gather such information?

Accepted Answer

C

Explanation: Alice, looking to gather information on emerging threats including attack methods, tools, and post- attack techniques, should turn to hacking forums. These online platforms are frequented by cybercriminals and security researchers alike, where information on the latest exploits, malware, and hacking techniques is shared and discussed. Hacking forums can provide real-time insights into the tactics, techniques, and procedures (TTPs) used by threat actors, offering a valuable resource for threat intelligence analysts aiming to enhance their organization's defenses. Reference: "Hacking Forums: A Ground for Cyber Threat Intelligence," by Digital Shadows "The Value of Hacking Forums for Threat Intelligence," by Flashpoint

Question 8

An attacker instructs bots to use camouflage mechanism to hide his phishing and malware delivery
locations in the rapidly changing network of compromised bots. In this particular technique, a single
domain name consists of multiple IP addresses.
Which of the following technique is used by the attacker?

Accepted Answer

D

Explanation: Fast-Flux DNS is a technique used by attackers to hide phishing and malware distribution sites behind an ever-changing network of compromised hosts acting as proxies. It involves rapidly changing the association of domain names with multiple IP addresses, making the detection and shutdown of malicious sites more difficult. This technique contrasts with DNS zone transfers, which involve the replication of DNS data across DNS servers, or Dynamic DNS, which typically involves the automatic updating of DNS records for dynamic IP addresses, but not necessarily for malicious purposes. DNS interrogation involves querying DNS servers to retrieve information about domain names, but it does not involve hiding malicious content. Fast-Flux DNS specifically refers to the rapid changes in DNS records to obfuscate the source of the malicious activity, aligning with the scenario described. Reference: SANS Institute InfoSec Reading Room ICANN (Internet Corporation for Assigned Names and Numbers) Security and Stability Advisory Committee

Question 9

Kathy wants to ensure that she shares threat intelligence containing sensitive information with the
appropriate audience. Hence, she used traffic light protocol (TLP).
Which TLP color would you signify that information should be shared only within a particular
community?

Accepted Answer

D

Explanation: In the Traffic Light Protocol (TLP), the color amber signifies that the information should be limited to those who have a need-to-know within the specified community or organization, and not further disseminated without permission. TLP Red indicates information that should not be disclosed outside of the originating organization. TLP Green indicates information that is limited to the community but can be disseminated within the community without restriction. TLP White, or TLP Clear, indicates information that can be shared freely with no restrictions. Therefore, for information meant to be shared within a particular community with some restrictions on further dissemination, TLP Amber is the appropriate designation. Reference: FIRST (Forum of Incident Response and Security Teams) Traffic Light Protocol (TLP) Guidelines CISA (Cybersecurity and Infrastructure Security Agency) TLP Guidelines

Question 10

Kim, an analyst, is looking for an intelligence-sharing platform to gather and share threat information
from a variety of sources. He wants to use this information to develop security policies to enhance
the overall security posture of his organization.
Which of the following sharing platforms should be used by Kim?

Accepted Answer

D

Explanation: The Blueliv Threat Exchange Network is a collaborative platform designed for sharing and receiving threat intelligence among security professionals and organizations. It provides real-time information on global threats, helping participants to enhance their security posture by leveraging shared intelligence. The platform facilitates the exchange of information related to cybersecurity threats, including indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs) of threat actors, and other relevant data. This makes it an ideal choice for Kim, who is looking to gather and share threat information to develop security policies for his organization. In contrast, Cuckoo Sandbox is a malware analysis system, OmniPeek is a network analyzer, and PortDroid is a network analysis application, none of which are primarily designed for intelligence sharing. Reference: Blueliv's official documentation and resources "Building an Intelligence-Led Security Program," by Allan Liska

Free ECcouncil 312-85 Actual Exam Questions