Exam (elaborations)
CTI100, CTI200.
- Course
- Institution
Exam of 41 pages for the course CTI - at CTI - (CTI100, CTI200.)
[Show more]
Seller
Follow
Content preview
CTI100, CTI200-analyze each to determine strengths and weaknesses
-evaluate how well each meets the COA criteria
-determine which COA has the greatest advantage with the lowest risk (this is usually the one
chosen)
-be aware they may choose 2nd or 3rd best because they know that we know their most likely
-examine recent activity - ANS-how to prioritize each COA
-attempts to anticipate future possibilities and probabilities
-most important
-most demanding - ANS-estimative intelligence
-be one of many sources of information, but one that is focused on the organization's mission
and operations
-understanding our operating environment
-have a more detailed knowledge of all threats that exist
-help decision makers make better decisions more efficiently (through reduction or the informed
acceptance of risk, appropriate allocation of resources, awareness of operations that exist
currently or may exist in the future, and selection of the most profitable or least costly of
available options) - ANS-what is the purpose of intelligence?
-characterize/categorize organized threats and threat actors
-consistently track them as they evolve
-creates analytical accuracy with use of hypothesis and testing along with documentation in the
process
-course of action development support directly moves to mitigation efficiency
-designed for 'real-time' event visualization and tracking - ANS-purpose of the diamond model
-composition (who are they, how are they organized/equipped, how is it controlled?)
-effectiveness
-doctrine and tactics
-support and relationships
-capabilities and limitations
-modus operandi (MO)
-misc data - ANS-adversary characteristics
-data source: source of the data that detected the event
-author: analyst or author of the event
-detection method: tool, technique, or capability that detected the malicious event
-detection signature: signature or heuristic that detected the event - ANS-additional meta
features
,-economic and budget influences
-social influences (attitudes, morals, ethics)
-demographic influences (users, recruits, population)
-political influences (internal/external leadership)
-legal and regulatory influences
-technological influences
-international influences - ANS-external environmental analysis (7 factors)
-educated assumptions
-identification of available/acceptable resources
-conclusions about the strategic and operational environment
-strategic and threat objectives
-supported business mission - ANS-primary end products of strategic guidance planning
-effects on friendly (our customers, vendors, contractors, etc)
-effects on adversary (what are the pros and cons of the adversary attacking this network) -
ANS-IPCE step 2: describe the effects
-ends, ways, means
-digital environment
-likely threats
-threat course of action
-red/blue threat modeling - ANS-IPCE contains:
-existing and previously existing conditions
-basic intel
-current intel - ANS-descriptive intelligence
-exists as a framework to answer analytical questions requiring a breadth of activity knowledge
-development of mitigation strategies with an intended effect broader than activity threads
(advanced level threat analysis) - ANS-purpose of activity groups
-expendable
-loss of attack will not justify expending additional adversary resources
-'fleeting'
-vulnerable and available at the right time (low hanging fruit) - ANS-victim of opportunity
-frame the operational environment (current state and desired state)
-frame the problem (determine obstacles impeding progression from current state to desired
state)
-develop an operational approach (what broad general changes will resolve the problem)
-develop plans (use existing planning methods to develop necessary detailed products) -
ANS-operational design steps
,-green (unrestricted): easy access without any work to enhance mobility
-yellow (restricted): hinder movement to some degree. slow progress
-red (severely restricted): slows or stops movement to a significant degree. mobility
enhancement required - ANS-combined cyber overlay: terrain restriction colors
-highlights the special relationship between capability and infrastructure
-by using structured analysis, technology and the potential anomalies/misuse, a threat analyst
may discover new malicious activity regardless of the underlying infrastructure and capability
already associated with the adversary
-understanding the technologies involved in adversary activity assist in the identification of the
most appropriate detection locations, data types, and capabilities - ANS-technology axis
-ID significant characteristics (network, data, access, cloud, VOIP, SFTPs, APIs, database,
systems, applications, etc)
-ID limits of areas of operation and areas of interest (for threat actors)
-ID amount and detail of information required and what is feasible based on time available
-evaluate existing data/information/intelligence and ID gaps
-collect required intelligence and materials - ANS-IPCE step 1: define the cyber environment
-identify adversary characteristics: threat profiling
-create adversary model: diamond model (and identify adversary capabilities)
-adversary template
-adversary capabilities statement - ANS-IPCE step 3: evaluate the threat
-identify likely objectives and end state
-identify full set of COAs available to the adversary
-evaluate and prioritize adversary COA
-develop each COA as much as time allows
-identify high value target (HVT) for each COA
-identify initial collection requirements - ANS-IPCE step 4: determine adversary COA
-information requirements are needed for business planning and operations.
-what sets the intelligence requirements apart is the focused context of the threat or
environment on a gap in the knowledge or understanding of the decision makers - ANS-what is
the difference between information requirement (IR) and the intelligence requirement (IR)?
-intent and desired end state
-2nd and 3rd order effects of operation
-threat vulnerabilities
-threat perception of friendly forces
-current political climate - ANS-threat COA factors to consider
, -makes hard choices
-can adjust to the reality of: resources, will, interests
-balances risk: not necessarily an even distribution, but balance may mean balanced to meet a
threat or cover a vulnerability
-the ability to prioritize areas when not everything can be balanced - ANS-qualities of a strategic
leader
-mission: what is the purpose/end state of the analysis?
-adversary: who is your adversary and what are their capabilities?
-terrain: what does the cyber terrain look like (key terrain and otherwise)
-time: how much time do you have
-assets: what assets (money, talent, equipment) do you have available?
-customers: who is your customer? what are their needs and idiosyncrasies? - ANS-MATTAC
-non-expendable commodity, targeted
-loss of access/attack would trigger expenditure of resources
-"enduring"
-dynamic relationship - ANS-victim of interest
-observation: what can the threat see and how would they see it? this is recon
-concealment & cover: where can the threat hide? where can we hide? what protects either of
you?
-obstacles: what is in the threat's way, what is in yours? (firewall, air gap, proxy, policies, etc)
-key terrain: cyber key terrain
-avenues of approach: how will the threat enter the environment? - ANS-aspects of cyber terrain
-political considerations
-threat pattern of life
-economics
-security
-auditing procedures
-backup systems - ANS-IPCE: other aspects of the environment
-readying the organization for the next decade, not the last
-nature of the future is so unclear that the vision of the strategic leader is crucial
-creating the organizational structure and capability for tomorrow
-turning political and conceptual programs into practical initiatives - ANS-strategic leadership
makeup
-relative strength
-risk perceived in continued efforts
-cost required to maintain effect
-uniqueness of the victim to satisfy the need
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller CHichii. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $7.99. You're not tied to anything after your purchase.
Can Stuvia be trusted?
4.6 stars on Google & Trustpilot (+1000 reviews)
82215 documents were sold in the last 30 days
Founded in 2010, the go-to place to buy study notes for 14 years now