Cyber Kill Chain
Diamond Model
Incident Response
Acronyms
Misc
100

The moment after an unwary user clicks a link and executes the malware

Installation

100

The threat actor who initiated the attack

Adversary

100

The step that includes disabling ports and quarantining systems

Containment

100

FIM

File Integrity Monitoring

100

Which of the following are threats discovered in live environments that have no current fix or patch?

Zero day

200

The point that a threat actor decides on the tool to exploit the chosen vulnerability

Weaponization

200

An attacker first compromises a device, then an account, then another account, then a server followed by the target server. How many analyses are needed?

5 (Five)

200

The step where you perform OSINT research and Vulnerability Assessments

Preparation

200

EDR

Endpoint Detection & Response

200

Knowledge of threat actor tactics & techniques relies on Timeliness, Relevance, and _____________

Accuracy

300

Harvesting information concerning the target

Reconnaissance

300

The target of the attack by the threat actor

Victim

300

An IDS, Firewall, Proxy Server, End User, or Log Audit would be found involved in which step?

Detection

300

SWG

Secure Web Gateway

300

Linux command used to interact with a web server via the CLI.

Wget or cURL

400

What happens after the payload (malware) is triggered upon an action by the careless end-user

Installation

400

The source-to-destination path used to accomplish the exploit

Infrastructure

400

The step that includes changing passwords, performing updates, and reinstating data

Recovery

400

RCE

Remote Command Execution

400

Linux command used to extract human-readable text from a binary or data file

Hint: NOT grep

Strings

500

The effort by a threat actor after they have gained access to a device or network

Action on Objectives

500

When a threat actor uses their knowledge, research, and tools to exploit a vulnerability

Capability

500

The NIST Standard that outlines Incident Handling and Response

800-61

500

OSSTMM

Open Source Security Testing Methodology Manual

500

Protocol that provides sender and domain authentication, receipt verification, and destination feedback for email traffic

DMARC (Domain-based Message Authentication, Reporting, and Conformance)
