and CORRECT Answers
Supply Chain BackDoor - CORRECT ANSWER - Combines 1st Stage Delivery and
Exploitation phases
Stuxnet: Host Observables - CORRECT ANSWER - DLL Injection: Lsass.exe,
winlogon.exe, svchost.exe
Registry Key Modification: new registry: mrxnet, 19790509
Multiple Files Dropped: oem7a.pnf, mdmeric3.pnf, mrxnet.sys, mrxcls.sy
Infected Project File: S7tgtopx.exe
USB Jumping: USB Loader: ~WTR4141.tmp, Delete after 3 jumps
Sliding Scale of Cyber Security - CORRECT ANSWER - Architecture, Passive Defense,
Active Defense, Intelligence, Offense
Active Defense Influences - CORRECT ANSWER - Mao Zedong: On Guerrilla Warfare
General DePuy: The Army's FM 100-5
Guiding Principles of Mao
1. No provocation of the enemy
2. No military bases on foreign soil
3. No seizure of enemy land
Active Cyber Defense Cycle - CORRECT ANSWER - Threat Intelligence Consumption ->
Visibility -> Threat Detection -> Incident Response -> Threat & Environment Manipulation
WinCC - CORRECT ANSWER - Siemens WinCC SCADA Monitoring was used to sync -
easily detectable on the network
What is intelligence? - CORRECT ANSWER - Both a Product and a Process: Analyzed
information about a competitive entity that fulfills a requirement
Intelligence Life Cycle - CORRECT ANSWER - 1. Planning and Direction
2. Collection
3. Process and Exploitation
4. Analysis and Production
5. Dissemination and Integration
6. Evaluation and Feedback
Field of View Bias - CORRECT ANSWER - Operational Environment (location of
collection) and Intelligence Requirements yield a "field of view".
What is a threat? - CORRECT ANSWER - Threat can be established by evaluating
Capability + Intent + Opportunity.
1. Hostile Intent + Capability = impending
2. Capability + Opportunity = potential
3. Hostile Intent + Opportunity = insubstantial
Intended Audience - CORRECT ANSWER - The intended audience and their goals
determine the type of threat intelligence
1. Strategic
2. Operational
3. Tactical
The ACH Process - CORRECT ANSWER - 1. Hypothesis: Identify all potential
hypotheses
2. Evidence: List all evidence and arguments
3. Diagnostics: Use a matrix to apply evidence to the hypotheses