Practical Cyber Security for Cyber Security
Practitioners
Prof. Sandeep Kumar Shukla
Department of Computer Science and Engineering
Indian Institute of Technology, Kanpur
Assignment 3 Answers
1. What is the primary purpose of an attack bridge simulation?
a) To simulate the creation of network topologies
b) To simulate the analysis of financial risks
c) To simulate new encryption methods
d) To simulate real-world cyber attacks for training and testing purposes
e) To simulate the design of physical security systems
Ans. d
Explanation: Attack bridge simulations are used in cybersecurity to mimic real-world
cyber threats in a controlled environment. This allows security teams to practice their
defensive responses and improve their skills in identifying, responding to, and mitigating
attacks, thereby enhancing their preparedness for actual incidents.
2. Which of the following is not a usage of the MITRE ATT&CK framework?
a) Threat Hunting
b) Authentication
c) Comparing two threat groups
d) Adversary Emulation
e) Attack Detection
Ans. b
Explanation: The MITRE ATT&CK framework is designed for categorizing and
describing adversarial behaviors in the context of cybersecurity, such as attack
detection, adversary emulation, and threat hunting. However, it does not cover
authentication processes, which are outside the scope of this framework and are more
related to verifying the identity of users or systems.
3. What does "Resource Development" refer to in the context of MITRE ATT&CK?
a) The phase where an attacker establishes persistence on a target system
b) The process of gathering public information about a target organization
c) The tactic where adversaries develop, purchase, or acquire resources needed for
future operations
d) The stage of exploiting known vulnerabilities in target systems
e) The phase involving cleanup and anti-forensic actions after an attack
Ans. c
Explanation: In the MITRE ATT&CK framework, "Resource Development" refers to the
activities adversaries undertake to acquire, establish, or build resources necessary to
support operations. This could include setting up infrastructure, acquiring credentials, or
developing capabilities for future attacks.
4. Which of the following is associated with "Easy" difficulty in the Pyramid of Pain?
a) TTPs (Tactics, Techniques, and Procedures)
b) IP Addresses
c) Domain Names
d) Hash Values
e) Network/Host Artifacts
Ans. b
Explanation: According to the Pyramid of Pain, IP addresses are classified under the
"Easy" difficulty category. This is because, while they are useful indicators for tracking
and blocking malicious activities, attackers can easily change or spoof IP addresses,
making them less impactful for disrupting attacker operations.
5. How can we check if Command and Control (C&C) connections are happening?
a) Application log analysis
b) Host Intrusion Detection
c) Web server log monitoring
d) Network Intrusion Detection
e) Firewall configuration review
Ans. d
Explanation: Network Intrusion Detection Systems (NIDS) are used to monitor network
traffic for suspicious activities, such as Command and Control (C&C) connections that
attackers use to communicate with compromised systems. By analyzing network traffic
patterns and identifying anomalies, NIDS can detect and alert security teams to potential
C&C activities, allowing them to respond promptly.
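As an added illustration of the network-level detection the answer describes (this is example code written for this answer key, not material from the course), the script below applies one heuristic a NIDS or a tool built on its connection logs commonly uses to surface C&C traffic: infected hosts tend to "beacon" to their controller at a fixed interval with small jitter, so the gaps between successive connections to the same destination are unusually regular. The log format, the hosts and the RFC 5737 documentation addresses are all constructed for the example; the thresholds (`min_connections`, `max_cv`) are assumed tuning values, not standard settings.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed connection-log format (one flow per line, whitespace separated):
#   <UTC timestamp> <src ip> <dst ip> <dst port> <bytes sent>
# Addresses are from the RFC 5737 documentation ranges; nothing here is real traffic.


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, dport, bytes)."""
    ts, src, dst, dport, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(dport), int(nbytes)


def group_flows(lines):
    """Collect connection timestamps per (src, dst, dport) tuple."""
    flows = defaultdict(list)
    for line in lines:
        when, src, dst, dport, _ = parse_line(line)
        flows[(src, dst, dport)].append(when)
    return flows


def interval_regularity(timestamps):
    """Return (number_of_gaps, coefficient_of_variation) for a list of timestamps.

    A low coefficient of variation means the gaps between connections are nearly
    constant, which is what a fixed-interval beacon with small jitter looks like.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(gaps), None
    mean = statistics.mean(gaps)
    if mean == 0:
        return len(gaps), None
    return len(gaps), statistics.pstdev(gaps) / mean


def find_beacons(lines, min_connections=8, max_cv=0.15):
    """Flag flows with at least min_connections whose inter-connection gaps have a
    coefficient of variation at or below max_cv. Returns (flow_key, count, cv) tuples."""
    hits = []
    for key, times in group_flows(lines).items():
        gaps, cv = interval_regularity(times)
        if gaps + 1 >= min_connections and cv is not None and cv <= max_cv:
            hits.append((key, gaps + 1, round(cv, 3)))
    return sorted(hits)


def constructed_log():
    """Build a small synthetic log: one beaconing host, one browsing host, one short flow."""
    base = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(offset, src, dst, dport, nbytes):
        when = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{when} {src} {dst} {dport} {nbytes}"

    lines = []
    # Beacon: roughly every 60 seconds with a couple of seconds of jitter, same small payload.
    for off in (0, 61, 119, 181, 240, 302, 359, 421, 480, 541, 600, 662):
        lines.append(line(off, "10.0.0.5", "203.0.113.7", 443, 512))
    # Ordinary browsing: bursts and long idle periods, varying sizes.
    for off, size in ((0, 1400), (5, 9800), (7, 300), (90, 22000), (95, 1200),
                      (400, 640), (402, 51000), (405, 700), (900, 1800), (1500, 90)):
        lines.append(line(off, "10.0.0.8", "198.51.100.20", 443, size))
    # Regular, but too few connections to be worth an alert on its own.
    for off in (0, 60, 120):
        lines.append(line(off, "10.0.0.9", "203.0.113.9", 8080, 256))
    return lines


if __name__ == "__main__":
    for key, count, cv in find_beacons(constructed_log()):
        print(f"possible beacon: {key[0]} -> {key[1]}:{key[2]} ({count} connections, cv={cv})")
```

Only the 10.0.0.5 flow is reported: the browsing host makes as many connections but at irregular gaps, and the 10.0.0.9 flow is perfectly regular but has too few connections to clear the count threshold. In practice this heuristic is combined with destination reputation, TLS certificate anomalies and payload-size regularity, since a single regular flow (software updates, NTP) is a common false positive.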
6. The STIX format is used to communicate:
a) Software Licensing Information
b) Malware
c) Cyber Threat Intelligence
d) Networking protocol
e) Network Configurations
Ans. c
Explanation: STIX (Structured Threat Information eXpression) is a standardized
language designed for representing and sharing cyber threat intelligence (CTI). It
facilitates the communication of threat information across different systems and
organizations, enabling them to collaborate more effectively in identifying and mitigating
cyber threats.
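To make the STIX format concrete, the following is an added example (written for this answer key, not taken from the course or from the STIX specification text) that builds a minimal STIX 2.1 bundle with the standard library only: an Indicator carrying a STIX pattern for a C&C domain, a Malware object, and a Relationship saying the indicator "indicates" the malware. It also includes a small validator for the required properties of those three object types. The domain name, malware name and timestamp are constructed values; the validator checks only a subset of what the full specification requires.

```python
import json
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"

# Required properties per STIX 2.1 object type, beyond the common ones every object carries.
COMMON = {"type", "spec_version", "id", "created", "modified"}
REQUIRED = {
    "indicator": {"pattern", "pattern_type", "valid_from"},
    "malware": {"is_family"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
}


def stix_timestamp(dt):
    """STIX 2.1 timestamps are RFC 3339 in UTC with a trailing 'Z'; millisecond precision here."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def stix_id(obj_type):
    """STIX identifiers are '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def make_indicator(pattern, name, created):
    return {
        "type": "indicator", "spec_version": SPEC_VERSION, "id": stix_id("indicator"),
        "created": created, "modified": created,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": created,
    }


def make_malware(name, created):
    return {
        "type": "malware", "spec_version": SPEC_VERSION, "id": stix_id("malware"),
        "created": created, "modified": created,
        "name": name, "malware_types": ["remote-access-trojan"], "is_family": False,
    }


def make_relationship(source, target, rel_type, created):
    return {
        "type": "relationship", "spec_version": SPEC_VERSION, "id": stix_id("relationship"),
        "created": created, "modified": created,
        "relationship_type": rel_type,
        "source_ref": source["id"], "target_ref": target["id"],
    }


def build_bundle(c2_domain, malware_name):
    """Assemble indicator + malware + relationship into a STIX bundle (constructed content)."""
    created = stix_timestamp(datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc))
    pattern = f"[domain-name:value = '{c2_domain}']"
    indicator = make_indicator(pattern, f"C2 domain for {malware_name}", created)
    malware = make_malware(malware_name, created)
    relationship = make_relationship(indicator, malware, "indicates", created)
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [indicator, malware, relationship]}


def validate_bundle(bundle):
    """Return a list of problems found; an empty list means these checks all passed."""
    errors = []
    if bundle.get("type") != "bundle":
        errors.append("top-level object is not a bundle")
    objects = bundle.get("objects", [])
    ids = {obj.get("id") for obj in objects}
    for obj in objects:
        obj_type = obj.get("type")
        for prop in COMMON | REQUIRED.get(obj_type, set()):
            if prop not in obj:
                errors.append(f"{obj.get('id', '?')}: missing required property '{prop}'")
        if obj.get("id", "").split("--")[0] != obj_type:
            errors.append(f"{obj.get('id')}: id prefix does not match type '{obj_type}'")
        if obj_type == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    errors.append(f"{obj.get('id')}: {ref} points outside the bundle")
    return errors


if __name__ == "__main__":
    bundle = build_bundle("c2.malicious.example", "ConstructedRAT")
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle) or "none")
```

The value of the format is the machine-readable pattern: a receiving organisation can load the bundle, translate `[domain-name:value = '...']` into a DNS block or an IDS rule automatically, and keep the relationship to the malware object for context, without any human re-typing of indicators.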
7. Which of the following is not a technique for Initial Access in MITRE ATT&CK?
a) Drive-by Compromise
b) Exploit Public-Facing Application
c) Content Injection
d) Phishing
e) Active Scanning
Ans. e
Explanation: The MITRE ATT&CK framework categorizes tactics and techniques used
by adversaries to accomplish their objectives. "Active Scanning" refers to the process of
probing a network or system for vulnerabilities and is typically associated with the
"Reconnaissance" phase, rather than "Initial Access". Initial Access techniques involve
methods to gain an initial foothold in a system, such as "Content Injection", "Drive-by
Compromise", "Exploit Public-Facing Application", and "Phishing".
8. Which of the following is not a step in the process of mapping to ATT&CK?
a) Compare your results to other analysts
b) Develop new cybersecurity tools
c) Research the behavior
d) Understand ATT&CK
e) Find the behavior
Ans. b
Explanation: Mapping to the MITRE ATT&CK framework involves understanding the
framework, identifying and researching behaviors associated with adversaries, and
comparing findings to those of other analysts. While developing new cybersecurity tools
is essential for enhancing defenses, it is not part of the specific process of mapping
behaviors to the ATT&CK framework. Mapping focuses on understanding and
categorizing existing adversary tactics and techniques, not on creating new tools.
9. An attacker uses command injection to run a command on a web server host. Which
MITRE ATT&CK tactic does this fall under?
a) Privilege Escalation
b) Initial Access
c) Persistence
d) Execution
e) Reconnaissance
Ans. d
Explanation: Command injection is a form of code injection where an attacker provides
malicious input that is executed as a command on the host system. This clearly falls
under the "Execution" tactic, as the main objective of command injection is to execute
commands on the target system.
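The following added example (written for this answer key, not from the course) shows the defect behind the question and its fix side by side in Python. `echo` stands in for whatever network utility the web application wraps, so the example runs anywhere; the tainted input value is constructed. The vulnerable function interpolates the value into a shell command line, the second passes it as a single argv element so the shell never parses it, and the hardened function adds an allowlist check in front of that.

```python
import re
import subprocess

# Allowlist for a hostname or IPv4 literal. The leading (?!-) also rejects values that
# would be parsed as command-line options by the child program.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(host):
    """Interpolates untrusted input into a shell command line. Metacharacters in
    `host` are interpreted by /bin/sh, so the caller controls what gets executed."""
    result = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv_only(host):
    """No shell: the value is one argv element, so ';', '|' and '$(...)' are plain
    characters to the child process. This alone removes shell command injection."""
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def run_hardened(host):
    """Defence in depth: strict allowlist validation plus the argv form. Anything that
    is not a plausible hostname or IPv4 literal is rejected before a process starts."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected input: {host!r}")
    return run_argv_only(host)


if __name__ == "__main__":
    tainted = "10.0.0.1; echo INJECTED"  # constructed attacker-controlled value
    print("vulnerable :", repr(run_vulnerable(tainted)))
    print("argv only  :", repr(run_argv_only(tainted)))
    try:
        run_hardened(tainted)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened ok:", repr(run_hardened("10.0.0.1")))
```

On the detection side, the same event maps cleanly onto ATT&CK: a web server process (for example, the worker of an application server) spawning a shell child is the host-level artifact that an EDR or auditd rule would look for to catch the Execution tactic in this scenario.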
10. What is the difference in responsibilities between the red team and blue team in
cybersecurity?
a) The red team finds vulnerabilities by simulating attacks, while the blue team responds
to incidents and defends against attacks.
b) The red team emulates attacks to find vulnerabilities, while the blue team creates
security policies.
c) The red team defends against cyber threats, while the blue team finds vulnerabilities
by breaking through defenses.
d) The red team monitors network traffic for threats, while the blue team responds to
incidents and creates defenses.
e) The red team defends against attacks and responds to incidents, while the blue team
simulates attacks to test defenses.
Ans. a
Explanation: In cybersecurity, red teams and blue teams have distinct but
complementary roles. The red team acts as an adversary, simulating attacks to identify
and exploit vulnerabilities within an organization’s defenses. The blue team, on the other
hand, is responsible for defending against attacks, monitoring the system, and
responding to security incidents. This division of labor helps organizations identify
weaknesses in their security posture and strengthen their defenses.