Questions and CORRECT Answers
Kill chain (CTI) - CORRECT ANSWER - - established in 2011
- deterministic process
- seven stages to defend
Kill chain 7 steps - CORRECT ANSWER - 1. Reconnaissance and precursors
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. C2
7. Action on objectives
Stage 1 - recon / precursors - CORRECT ANSWER - - tasking - receipt or generation of objectives
- acquisition of various tools
- acquisition of infrastructure
- identification of targets
- organizational research
Stage 2 - weaponization - CORRECT ANSWER - - configuring {backdoors, droppers}
- packaging {container, exploit, first-stage binary, decoy}
Stage 3 - delivery - CORRECT ANSWER - - mechanism by which the payload gets to the target
- common vectors {protocol = SMTP, HTTP} or {media = USB, CD, DVD}
Stage 4 - exploitation - CORRECT ANSWER - - disposition of the exploit {human or technical}
- affected application
- exploitation method
- characteristics of exploit shellcode
Stage 5 - installation - CORRECT ANSWER - - associated with persistence
- properties of installation {filenames, directories, reg keys, reg values, communication}
- droppers
Stage 6 - C2 command and control - CORRECT ANSWER - - establishing communication
- properties of C2 {Trojan family, MD5, carrier protocol, embedded protocol, infrastructure, operating mode characteristics}
Stage 7 - action on objectives - CORRECT ANSWER - - commands executed
- additional tools transferred to the victim machine
- files extracted
- files modified
Diamond Model - CORRECT ANSWER - - made of 4 parts
- {adversary, capability, infrastructure, victim}
- has 7 AXIOMS
AXIOM 1 - Diamond model - CORRECT ANSWER - In every intrusion event an adversary takes a step towards an intended goal by using a capability over infrastructure against a victim to produce a result
AXIOM 2 - Diamond model - CORRECT ANSWER - There exists a set of adversaries that seek to compromise computer systems or networks to further their intent and satisfy their needs