A threat hunting team receives a report about possible APT activity in the network. Which of the following threat management frameworks should the team implement?
B can be used to identify TTPs and map them to a specific APT to identify their motives and plan ahead. Techniques used in their past attacks can be used as IOCs to identify further compromised machines.
Detailed TTPs: It provides a comprehensive and detailed list of tactics and techniques used by adversaries, which is crucial for threat hunting.
Mapping Capabilities: Allows security teams to map observed adversary behavior to known techniques, aiding in detection and analysis.
Proactive Hunting: Facilitates proactive threat hunting by providing a structured approach to look for specific behaviors and indicators of compromise.
"Threat Hunting Team" is the key phrase here.
Ops teams will use NIST standards to harden systems against attacks.
Ops will work with Cyber to implement MITRE ATT&CK to prevent exploitation of attack vectors.
Threat Hunting Teams use the Cyber Kill Chain to identify and neutralize active APTs on the network.
The Diamond model is some stupid diagram I've never heard of before.
Answer is C.
Answer: C
When dealing with a report of possible Advanced Persistent Threat (APT) activity in a network, one of the threat management frameworks that the threat hunting team could consider implementing is the "Cyber Kill Chain." The Cyber Kill Chain is a framework developed by Lockheed Martin that describes the stages of a targeted cyberattack, allowing organizations to understand and defend against the various phases of an APT.
The question is asking what framework to implement to respond to an APT.
NIST SP 800-53 - Set of standards and guidelines to meet FISMA requirements; not an APT response framework.
MITRE ATT&CK - knowledge base of adversary tactics and techniques. Used as a foundation for the development of threat models.
The Cyber Kill Chain - Provides visibility into steps APTs must complete to achieve objectives.
The Diamond Model of Intrusion Analysis - this is more of a lessons learned / incident review model or a preparation tool than a threat management framework.
I think the answer boils down to MITRE or Kill Chain. MITRE provides the tactics used as well as the same structure as the Kill Chain, so going with MITRE.
I want to go with A but can't, because threat hunters use the MITRE ATT&CK Framework. CSIRT uses NIST 800-53, so therefore I'm 100% sure on B, MITRE ATT&CK.
Source:
Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)
B. MITRE ATT&CK is a threat management framework that can be used to identify, categorize, and prioritize potential threats, including APT activity. It provides a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs) that can be used to conduct threat hunting and improve defenses. NIST SP 800-53, the Cyber Kill Chain, and the Diamond Model of Intrusion Analysis are other frameworks that can be used for threat management but do not specifically focus on APT activity.
MITRE ATT&CK is all about APTs like RevZig97 mentioned.
A great example is APT28; that's already been mapped out for you by the MITRE team.
APT28 is an advanced persistent threat that's been identified as being a Russian cyber espionage group that's likely associated with the Russian military intelligence agency known as GRU.
Reading through the NIST publication, it is mostly about developing secure networks. Stuff related to APTs is mostly education and security controls already in place.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
MITRE ATT&CK is proactively testing your network (Red Team). It is about emulating your adversaries not necessarily stopping current attacks. https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf
Cyber Kill Chain framework is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. Seems the best answer.
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
NIST is the National Institute of Standards and Technology; 800-53 is specific to software development life cycles
MITRE ATT&CK: The MITRE ATT&CK framework is a matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risk. The aim of the framework is to improve post-compromise detection of adversaries in enterprises by illustrating the actions an attacker may have taken.
CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations.
https://www.cisa.gov/uscert/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf
B - MITRE ATT&CK is the right answer. The Cyber Kill Chain doesn't handle persistence as a specific case, since in the chain of events persistence is part of it. Review the link below for a side-by-side comparison; it also talks about how MITRE handles persistence attacks (search for the word).
https://verveindustrial.com/resources/blog/what-is-mitre-attack-framework/
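The mapping workflow the thread keeps returning to (observed behaviour -> ATT&CK technique IDs -> overlap with a known group's TTP set -> pivot on shared artifacts to find further compromised hosts, as in the first comment and the CISA table mentioned above) is easier to see in code. The following is an added example, not code from ExamTopics, MITRE or CISA. The telemetry is constructed, the detection predicates are deliberately simplified, and APT_PROFILE is a hypothetical technique set invented for the example (it is not the real APT28 mapping); only the technique IDs themselves are real ATT&CK identifiers.

```python
"""Map constructed endpoint telemetry to ATT&CK technique IDs, score hosts against
a hypothetical adversary technique profile, and pivot on shared artifacts.
Added example; the events, rules and profile are constructed for illustration."""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample process-creation events (not real logs).
EVENTS = [
    {"host": "ws-01", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\winword.exe" /n invoice.docm'},
    {"host": "ws-01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "ws-01", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\up.exe"},
    {"host": "ws-01", "parent": "powershell.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 624 C:\\Users\\Public\\l.dmp full"},
    {"host": "srv-db", "parent": "services.exe", "image": "net.exe",
     "cmdline": r"net use \\fs-02\ADMIN$ /user:corp\svc-backup P@ss"},
    {"host": "srv-db", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v up /d C:\Users\Public\up.exe"},
    {"host": "ws-07", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Temp"},
]

# Detection rules: (ATT&CK technique ID, technique name, predicate over one event).
# The IDs are real; the predicates are simplified illustrations, not production logic.
RULES = [
    ("T1566.001", "Spearphishing Attachment",
     lambda e: e["parent"] == "outlook.exe" and e["image"] in OFFICE_APPS),
    ("T1059.001", "PowerShell",
     lambda e: e["image"] == "powershell.exe"),
    ("T1027", "Obfuscated Files or Information",
     lambda e: e["image"] == "powershell.exe"
     and re.search(r"\s-(e|enc|encodedcommand)\s", e["cmdline"], re.I) is not None),
    ("T1053.005", "Scheduled Task",
     lambda e: e["image"] == "schtasks.exe" and "/create" in e["cmdline"].lower()),
    ("T1547.001", "Registry Run Keys / Startup Folder",
     lambda e: e["image"] == "reg.exe"
     and re.search(r"currentversion\\run", e["cmdline"], re.I) is not None),
    ("T1003.001", "LSASS Memory",
     lambda e: e["image"] == "rundll32.exe" and "comsvcs.dll" in e["cmdline"].lower()
     and "minidump" in e["cmdline"].lower()),
    ("T1021.002", "SMB/Windows Admin Shares",
     lambda e: e["image"] == "net.exe"
     and re.search(r"\\\\[^\\]+\\(admin|c)\$", e["cmdline"], re.I) is not None),
]

# Hypothetical technique profile for the group under investigation. Constructed for
# this example; a real hunt takes the set from the group's ATT&CK page or an advisory.
APT_PROFILE = {"T1566.001", "T1059.001", "T1027", "T1053.005",
               "T1547.001", "T1003.001", "T1021.002", "T1071.001"}


def map_events(events):
    """Return {host: {technique_id: [evidence command lines]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for e in events:
        for tid, _name, pred in RULES:
            if pred(e):
                hits[e["host"]][tid].append(e["cmdline"])
    return {host: dict(techs) for host, techs in hits.items()}


def score_hosts(host_techniques, profile, min_matches=2):
    """Rank hosts by overlap with the adversary profile; a single generic technique
    (e.g. an admin running PowerShell) is not enough to flag a host."""
    scored = []
    for host, techs in host_techniques.items():
        matched = sorted(set(techs) & profile)
        scored.append({"host": host, "matched": matched,
                       "coverage": len(matched) / len(profile),
                       "flagged": len(matched) >= min_matches})
    return sorted(scored, key=lambda s: len(s["matched"]), reverse=True)


def shared_artifacts(events):
    """Paths under C:\\Users\\Public seen on more than one host: these become the
    IOCs used to pivot from the first compromised machine to further ones."""
    seen = defaultdict(set)
    for e in events:
        for path in re.findall(r"C:\\Users\\Public\\[\w.]+", e["cmdline"], re.I):
            seen[path.lower()].add(e["host"])
    return {p: sorted(hosts) for p, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    hits = map_events(EVENTS)
    for s in score_hosts(hits, APT_PROFILE):
        print(s["host"], "flagged" if s["flagged"] else "ok",
              f"{s['coverage']:.0%}", s["matched"])
    print("pivot IOCs:", shared_artifacts(EVENTS))
```

The point of the score is the one made in the thread about post-compromise detection: ws-01 matches most of the profile and is the initial victim, srv-db never saw the phishing stage but shares the persistence technique and the same dropped binary path, so it is flagged too, while ws-07's lone PowerShell hit stays below the threshold.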
Community vote distribution: A (35%), C (25%), B (20%), Other