On which device did I set an access control list rule for the malicious website?
Router
How many queries were built out during my threat hunt for KongTuke?
16
How many components does the DA currently have?
3
Who is the director of CTI at United?
Tony Mellow
What is the role of the DNS server in this scenario?
Map the human readable domains to their ip addresses as listed in the DNS service records - request is routed to correct web server
Which tool did I use to run my queries?
Splunk
What is the known upper limit of DA?
614 domains processed in seconds!
What is the main goal of CTI?
Translate raw data into actionable insights for our stakeholders
Why are PC and web servers not on the same subnet?
The server is the dividing point because it’s connected to two different switches that are not connected (by vlan or cable)
How many domains were originally returned after running the first query?
200+
What was the inspiration for the DA?
Bottleneck in the threat hunt workflow
What are 2 other workflows beside threat hunting in CTI?
Fraud and vulnerability management
From the PC, what are two ways I can use the browser to search for either the harmless or malicious domain?
By domain name or ip address/path_to_file
What was the hypothesis for the threat hunt?
WinPython launcher and ModeloRAT components will be found after comms with an external user in United’s environment.
Which technologies were used to create the DA?
Python 3 (back), pyside6 (front), and GPT model 5
What are the 6 steps in the CTI workflow?
Requirements
Collection
Processing
Analysis
Dissemination
Feedback
If from the PC I attempt to ping the ip of the malicious site (with ACL still in place), what would happen and why?
The server would respond to the ping as usual because I did not explicitly block ICMP. I only blocked the tcp protocol.
What is the purpose of a threat hunt?
To search for TA IOCs within United’s technology environment?
Give 3 planned features for the Domain Analyzer?
Visual of traffic over time, multiple API calls, and export functionality
Which one of CTI's stakeholders would we share information with if United's environment needed a defense mechanism built out?
Cyber Operations and Engineering - TDE