Network
Threat Hunt
Domain Analyzer
CTI
100

On which device did I set an access control list rule for the malicious website?

Router

100

How many queries were built out during my threat hunt for KongTuke?

16

100

How many components does the DA currently have?

3

100

Who is the director of CTI at United?

Tony Mellow

200

What is the role of the DNS server in this scenario?

Map the human readable domains to their ip addresses as listed in the DNS service records - request is routed to correct web server 

200

Which tool did I use to run my queries?

Splunk

200

What is the known upper limit of DA?

614 domains processed in seconds!

200

What is the main goal of CTI?

Translate raw data into actionable insights for our stakeholders

300

Why are PC and web servers not on the same subnet? 

The server is the dividing point because it’s connected to two different switches that are not connected (by vlan or cable)

300

How many domains were originally returned after running the first query?

200+

300

What was the inspiration for the DA?

Bottleneck in the threat hunt workflow 

300

What are 2 other workflows beside threat hunting in CTI?

Fraud and vulnerability management 

400

From the PC, what are two ways I can use the browser to search for either the harmless or malicious domain?

By domain name or ip address/path_to_file

400

What was the hypothesis for the threat hunt?

WinPython launcher and ModeloRAT components will be found after comms with an external user in United’s environment.

400

Which technologies were used to create the DA?

Python 3 (back), pyside6 (front), and GPT model 5

400

What are the 6 steps in the CTI workflow?

Requirements
Collection
Processing
Analysis
Dissemination
Feedback

500

If from the PC I attempt to ping the ip of the malicious site (with ACL still in place), what would happen and why?

The server would respond to the ping as usual because I did not explicitly block ICMP. I only blocked the tcp protocol. 

500

What is the purpose of a threat hunt?

To search for TA IOCs within United’s technology environment?

500

Give 3 planned features for the Domain Analyzer?

Visual of traffic over time, multiple API calls, and export functionality

500

Which one of CTI's stakeholders would we share information with if United's environment needed a defense mechanism built out?

Cyber Operations and Engineering - TDE