Eccouncil 312-85 Exam Practice Test Instant Access

Question 1

John, a professional hacker, is trying to perform APT attack on the target organization network. He gains access to a single system of a target organization and tries to obtain administrative login credentials to gain further access to the systems in the network using various techniques.

What phase of the advanced persistent threat lifecycle is John currently in?

AInitial intrusion

BSearch and exfiltration

CExpansion

DPersistence

Answer : C

The phase described where John, after gaining initial access, is attempting to obtain administrative credentials to further access systems within the network, is known as the 'Expansion' phase of an Advanced Persistent Threat (APT) lifecycle. This phase involves the attacker expanding their foothold within the target's environment, often by escalating privileges, compromising additional systems, and moving laterally through the network. The goal is to increase control over the network and maintain persistence for ongoing access. This phase follows the initial intrusion and sets the stage for establishing long-term presence and eventual data exfiltration or other malicious objectives. Reference:

MITRE ATT&CK Framework, specifically the tactics related to Credential Access and Lateral Movement

'APT Lifecycle: Detecting the Undetected,' a whitepaper by CyberArk

Question 2

In which of the following attacks does the attacker exploit vulnerabilities in a computer application before the software developer can release a patch for them?

AActive online attack

BZero-day attack

CDistributed network attack

DAdvanced persistent attack

Answer : B

A zero-day attack exploits vulnerabilities in software or hardware that are unknown to the vendor or for which a patch has not yet been released. These attacks are particularly dangerous because they take advantage of the window of time between the vulnerability's discovery and the availability of a fix, leaving systems exposed to potential exploitation. Zero-day attacks require a proactive and comprehensive approach to security, including the use of advanced threat detection systems and threat intelligence to identify and mitigate potential threats before they can be exploited. Reference:

'Understanding Zero-Day Exploits,' by MITRE

'Zero-Day Threats: What They Are and How to Protect Against Them,' by Symantec

Question 3

A threat analyst obtains an intelligence related to a threat, where the data is sent in the form of a connection request from a remote host to the server. From this data, he obtains only the IP address of the source and destination but no contextual information. While processing this data, he obtains contextual information stating that multiple connection requests from different geo-locations are received by the server within a short time span, and as a result, the server is stressed and gradually its performance has reduced. He further performed analysis on the information based on the past and present experience and concludes the attack experienced by the client organization.

Which of the following attacks is performed on the client organization?

ADHCP attacks

BMAC spoofing attack

CDistributed Denial-of-Service (DDoS) attack

DBandwidth attack

Answer : C

The attack described, where multiple connection requests from different geo-locations are received by a server within a short time span leading to stress and reduced performance, is indicative of a Distributed Denial-of-Service (DDoS) attack. In a DDoS attack, the attacker floods the target's resources (such as a server) with excessive requests from multiple sources, making it difficult for the server to handle legitimate traffic, leading to degradation or outright unavailability of service. The use of multiple geo-locations for the attack sources is a common characteristic of DDoS attacks, making them harder to mitigate. Reference:

'Understanding Denial-of-Service Attacks,' US-CERT

'DDoS Quick Guide,' DHS/NCCIC

Question 4

A network administrator working in an ABC organization collected log files generated by a traffic monitoring system, which may not seem to have useful information, but after performing proper analysis by him, the same information can be used to detect an attack in the network.

Which of the following categories of threat information has he collected?

AAdvisories

BStrategic reports

CDetection indicators

DLow-level data

Answer : D

The network administrator collected log files generated by a traffic monitoring system, which falls under the category of low-level data. This type of data might not appear useful at first glance but can reveal significant insights about network activity and potential threats upon thorough analysis. Low-level data includes raw logs, packet captures, and other granular details that, when analyzed properly, can help detect anomalous behaviors or indicators of compromise within the network. This type of information is essential for detection and response efforts, allowing security teams to identify and mitigate threats in real-time. Reference:

'Network Forensics: Tracking Hackers through Cyberspace,' by Sherri Davidoff and Jonathan Ham, Prentice Hall

'Real-Time Detection of Anomalous Activity in Dynamic, Heterogeneous Information Systems,' IEEE Transactions on Information Forensics and Security

Question 5

An analyst is conducting threat intelligence analysis in a client organization, and during the information gathering process, he gathered information from the publicly available sources and analyzed to obtain a rich useful form of intelligence. The information source that he used is primarily used for national security, law enforcement, and for collecting intelligence required for business or strategic decision making.

Which of the following sources of intelligence did the analyst use to collect information?

AOPSEC

BISAC

COSINT

DSIGINT

Answer : C

The analyst used Open Source Intelligence (OSINT) to gather information from publicly available sources. OSINT involves collecting and analyzing information from publicly accessible sources to produce actionable intelligence. This can include media reports, public government data, professional and academic publications, and information available on the internet. OSINT is widely used for national security, law enforcement, and business intelligence purposes, providing a rich source of information for making informed decisions and understanding the threat landscape. Reference:

'Open Source Intelligence (OSINT) Tools and Techniques,' by SANS Institute

'The Role of OSINT in Cybersecurity and Threat Intelligence,' by Recorded Future

Question 6

Which of the following characteristics of APT refers to numerous attempts done by the attacker to gain entry to the target's network?

ARisk tolerance

BTimeliness

CAttack origination points

DMultiphased

Answer : D

Advanced Persistent Threats (APTs) are characterized by their 'Multiphased' nature, referring to the various stages or phases the attacker undertakes to breach a network, remain undetected, and achieve their objectives. This characteristic includes numerous attempts to gain entry to the target's network, often starting with reconnaissance, followed by initial compromise, and progressing through stages such as establishment of a backdoor, expansion, data exfiltration, and maintaining persistence. This multiphased approach allows attackers to adapt and pursue their objectives despite potential disruptions or initial failures in their campaign. Reference:

'Understanding Advanced Persistent Threats and Complex Malware,' by FireEye

MITRE ATT&CK Framework, detailing the multiphased nature of adversary tactics and techniques

Question 7

A team of threat intelligence analysts is performing threat analysis on malware, and each of them has come up with their own theory and evidence to support their theory on a given malware.

Now, to identify the most consistent theory out of all the theories, which of the following analytic processes must threat intelligence manager use?

AThreat modelling

BApplication decomposition and analysis (ADA)

CAnalysis of competing hypotheses (ACH)

DAutomated technical analysis

Answer : C

Analysis of Competing Hypotheses (ACH) is an analytic process designed to help an analyst or a team of analysts evaluate multiple competing hypotheses on an issue fairly and objectively. ACH assists in identifying and analyzing the evidence for and against each hypothesis, ultimately aiding in determining the most likely explanation. In the scenario where a team of threat intelligence analysts has various theories on a particular malware, ACH would be the most appropriate method to assess these competing theories systematically. ACH involves listing all possible hypotheses, collecting data and evidence, and assessing the evidence's consistency with each hypothesis. This process helps in minimizing cognitive biases and making a more informed decision on the most consistent theory. Reference:

Richards J. Heuer Jr., 'Psychology of Intelligence Analysis,' Central Intelligence Agency

'A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis,' Central Intelligence Agency

Eccouncil Certified Threat Intelligence Analyst 312-85 Exam Practice Test