This is a write-up for the TryHackMe MITRE room created by heavenraiza.


Tasks 1 & 2 are simple click-and-complete tasks.



Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)


Question 2: we need to head over to

Keep in mind that the room tells you to start your research on the Phishing page.


Question 3: is found under the Mitigations section on the Phishing page


Question 4: can be found under the Detection section of this same page


Question 5: Is located on the same page near the top


Question 6: click on the Groups link to learn more about them; the information is located under Associated Group Descriptions.


Question 7: is located under the Software Section


Question 8: when we click the hyperlink for PsExec we are led to a page about the tool and the groups that have been known to use it, which is what we need to answer this question.


Question 9: Click on the FIN5 Group hyperlink to be taken to their page to find the next answers


Question 10: This is located under the Software section, where we learn that Windows Credential Editor is used by FIN5.
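The group > software > technique relationships that Task 3 and Task 7 have you click through are published by MITRE as a STIX 2 bundle, and the same questions (who uses PsExec, what does FIN5 use, which techniques fall under a tactic) can be answered offline by walking that bundle. The following is an added example, not part of the room or of MITRE's own tooling; the bundle it walks is a constructed, trimmed stand-in for the real enterprise-attack.json (object ids are made up, and only the names and T1078.004 come from the room), but the object and relationship shapes match the live data, including the revoked relationships the live bundle carries and that a naive walk would wrongly count:

```python
"""Walk a MITRE ATT&CK STIX bundle offline to answer the kinds of questions the room asks.

SAMPLE_BUNDLE is a constructed, heavily trimmed stand-in for the real
enterprise-attack.json (https://github.com/mitre-attack/attack-stix-data).
Object ids are invented; only the group/software names and T1078.004 come from
the room. The live bundle uses the same object and relationship shapes.
"""
from collections import defaultdict
from typing import Dict, List

SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--fin5", "name": "FIN5"},
        {"type": "intrusion-set", "id": "intrusion-set--apt33", "name": "APT33"},
        {"type": "tool", "id": "tool--psexec", "name": "PsExec"},
        {"type": "tool", "id": "tool--wce", "name": "Windows Credential Editor"},
        {"type": "attack-pattern", "id": "attack-pattern--t1078-004",
         "name": "Valid Accounts: Cloud Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078.004"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
        {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
         "source_ref": "intrusion-set--fin5", "target_ref": "tool--psexec"},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
         "source_ref": "intrusion-set--fin5", "target_ref": "tool--wce"},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
         "source_ref": "intrusion-set--apt33", "target_ref": "attack-pattern--t1078-004"},
        # Constructed revoked relationship: the live bundle keeps revoked objects
        # alongside current ones, so a walk that ignores the flag over-reports.
        {"type": "relationship", "id": "relationship--4", "relationship_type": "uses",
         "source_ref": "intrusion-set--apt33", "target_ref": "tool--psexec", "revoked": True},
    ],
}


def live_objects(bundle: dict) -> Dict[str, dict]:
    """Index objects by STIX id, dropping revoked or deprecated ones."""
    return {o["id"]: o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")}


def attack_id(obj: dict) -> str:
    """Return the ATT&CK external id (e.g. T1078.004) of an object, or '' if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


def groups_using(bundle: dict, name: str) -> List[str]:
    """Names of groups with a live 'uses' relationship to the software or technique called `name`."""
    objs = live_objects(bundle)
    targets = {oid for oid, o in objs.items()
               if o["type"] in ("tool", "malware", "attack-pattern") and o["name"] == name}
    groups = set()
    for o in objs.values():
        if (o["type"] == "relationship" and o["relationship_type"] == "uses"
                and o["target_ref"] in targets):
            src = objs.get(o["source_ref"])
            if src and src["type"] == "intrusion-set":
                groups.add(src["name"])
    return sorted(groups)


def used_by_group(bundle: dict, group: str) -> Dict[str, List[str]]:
    """Software and technique names a group uses, keyed by STIX object type."""
    objs = live_objects(bundle)
    gids = {oid for oid, o in objs.items() if o["type"] == "intrusion-set" and o["name"] == group}
    out: Dict[str, List[str]] = defaultdict(list)
    for o in objs.values():
        if o["type"] == "relationship" and o["relationship_type"] == "uses" and o["source_ref"] in gids:
            tgt = objs.get(o["target_ref"])
            if tgt:
                ext = attack_id(tgt)
                out[tgt["type"]].append(tgt["name"] + (f" ({ext})" if ext else ""))
    return {k: sorted(v) for k, v in out.items()}


def techniques_in_tactic(bundle: dict, tactic: str) -> List[str]:
    """ATT&CK ids of techniques whose kill-chain phases include `tactic` (e.g. 'persistence')."""
    return sorted(attack_id(o) for o in live_objects(bundle).values()
                  if o["type"] == "attack-pattern"
                  and any(p["phase_name"] == tactic for p in o.get("kill_chain_phases", [])))


if __name__ == "__main__":
    print(groups_using(SAMPLE_BUNDLE, "PsExec"))               # ['FIN5']
    print(used_by_group(SAMPLE_BUNDLE, "FIN5"))
    print(techniques_in_tactic(SAMPLE_BUNDLE, "persistence"))  # ['T1078.004']
```

To run it against the real data, load enterprise-attack.json with json.load and pass the resulting dict in place of SAMPLE_BUNDLE; the revoked/deprecated filter matters there because old group-to-software links are retained with revoked set to true.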


And here is our TASK 3 Recap


Task 4

Question 1: the pseudocode shown for the analytic is a representation of a Splunk search.


Question 2: Head to the site linked in the room, click on the search icon in the top right and enter TA0003; clicking the first result takes us to the tactic page, which tells us what type of tactic this is.


Question 3: Head to and I searched for Zeek


Question 4: Head to and I searched for hash (only 3 results)


Question 5: There is a section for Test Cases located on the same page

TASK 4 Recap



Question 1 & 2: we need to go to > Matrix, which lists all the techniques; counting them shows that Detect has the most.


Question 3: a quick search from the search bar shows that DTE0011 is Decoy Content.


Question 4: involves continuing your search from the DTE0011


Question 5: get here by using the navigation bar and clicking ATT&CK Mapping > Overview; a few lines down there is a hyperlink for the complete mapping.


Task 5 Recap



Question 1: Click the APT3 hyperlink they provided in the room to find this answer


Question 2: This can be located via > Phase 2 > Persistence; use the table of contents to find it easily!


Question 3: This can be found by reading the First Scenario section via 


Question 4: This can be found by reading the Second Scenario section via 

Task 6 Recap



Question 1 & 2: We need to head back to MITRE and use the navigation bar to search Groups (or use the link provided). A search on the page for Aviation reveals that APT33 is the group that may target us in this scenario.

Question 3: Go to the APT33 Group page > scroll to software


Question 4: If we take a look at what techniques they use, under T1078.004 we find the information we need to answer this question.


Question 5: Further on this page we have a Detection writeup that we can use.


Question 6: On the top right of the page we will find the ID information to finish up this room!

Task 7 Recap


Thanks for stopping by and I hope this is able to help you complete any tasks/questions that were proving difficult to find!



CISSP Domain 1 Study notes and Resources

Security Governance


(insert photo)               


Parkerian Hexad

(insert photo)







Possession or Control


Confidentiality Terms

Sensitivity – The level of damage or harm that could occur if the asset is revealed or disclosed.

Discretion – The ability of a person to control the level of access to, or disclosure of, an asset.

Criticality – The level of importance of an asset to the mission or objective.

Concealment – The act of hiding or preventing disclosure of an asset.

Secrecy – The practice of preventing or limiting information disclosure.

Privacy – The protection of confidential or personal information.

Seclusion – The act of storing something in a location that is out of the way and thus not easily observed or found.

Isolation – The act of keeping something separate from other things that are similar in nature.


Integrity Terms

Accuracy – The degree to which the data is correct and precise.

Truthfulness – The quality of a source of information being factual and realistic.

Validity – The quality of an asset being genuine.

Accountability – The condition of a person or entity being held responsible for their actions.

Responsibility – The obligation of a person or entity to take ownership of their actions.

Completeness – The quality of an asset that has all its necessary parts or components.

Comprehensiveness – The quality of an asset being complete in scope and fully inclusive of all relevant elements.


Availability Terms

Usability – The state of being easy to learn, understand, utilize, or control by a subject.

Accessibility – Under a wide range of circumstances an asset can be used by a subject regardless of capabilities or limitations.

Timeliness – Asset ( for example information ) needs to be prompt and available within a reasonable frame of time with low latency.


Auditing and Accounting

  • Auditing – internal process of providing a manual or systematic, measurable technical assessment of a system or application
  • Accounting – logging of access and use of information resources.
  • Accountability – tracing actions to the source
  • Non-Repudiation – the assurance that an action taken cannot be denied
  • Identification – Claiming an identity – ie username
  • Authentication – Proving your identity – i.e. password, fingerprint, PIN
  • Authorization – What are you allowed to do / have access to after you are Authenticated


Security Terms – P4 and P5

Asset – Anything of Value

Threat – event or action that could potentially cause damage to an asset or an interruption of service.

Threat Actor – Person, group, or other entity that could potentially damage, attack, or compromise a system resource.

  • ||| Finish this section |||


IT Governance


Security Control Frameworks


ISO/IEC 27000 Series

  • Security program development standard: guidance on developing and maintaining an Information Security Management System (ISMS)
  • 27000:2018 – Overview of ISMSs and vocabulary
  • 27001:2013 – ISMS Requirements
  • 27002:2013 – Code of Practice for IS controls
  • 27003:2017 – Guidance on the requirements for an ISMS
  • 27004:2016 – ISMS monitoring, measurement, analysis, and evaluation guidelines


Zachman Framework

  • Six communication questions (interrogatives)
    • What
    • Where
    • When
    • Why
    • Who
    • How
  • Perspectives
    • Executive
    • Business Management
    • Architect
    • Engineer
    • Technician
    • Enterprise


TOGAF – The Open Group Architecture Framework

  • Technology
  • Applications
  • Data
  • Business


DoDAF – Department of Defense Architecture Framework

  • AV – All Viewpoint
  • CV – Capability Viewpoint
  • DIV – Data and Information Viewpoint
  • OV – Operational Viewpoint
  • PV – Project Viewpoint
  • SvcV – Services Viewpoint
  • StdV – Standards Viewpoint
  • SV – Systems Viewpoint



MODAF – Ministry of Defence Architecture Framework (UK)

  • StV – Strategic Viewpoint
  • OV – Operational Viewpoint
  • SOV – Service-Oriented Viewpoint
  • SV – Systems Viewpoint
  • AcV – Acquisition Viewpoint
  • TV – Technical Viewpoint
  • AV – All Viewpoint



SABSA – Sherwood Applied Business Security Architecture

(insert photo)


COBIT – Control Objectives for Information and Related Technology

  • Five Principles

o             Meeting Stakeholder Needs

o             Covering the Enterprise end-to-end

o             Applying a single integrated framework

o             Enabling a holistic approach

o             Separating governance from management

  • Seven Enablers

o             Principles, Policies, and frameworks

o             Processes

o             Organization Structures

o             Culture, Ethics, and behavior

o             Information

o             Services, infrastructure, and applications

o             People, skills, and competencies





NIST – National Institute of Standards and Technology – Special Publication (SP) 800 series


HITRUST CSF (Common Security Framework)

  • 14 control categories

o             0.0: Information Security Management Program

o             1.0: Access Control

o             2.0: Human Resources Security

o             3.0: Risk Management

o             4.0: Security Policy

o             5.0: Organization of Information Security

o             6.0: Compliance

o             7.0: Asset Management

o             8.0: Physical and Environmental Security

o             9.0: Communications and Operations Management

o             10.0: Information Systems Acquisition, Development, and Maintenance

o             11.0: Information Security Incident Management

o             12.0: Business Continuity Management

o             13.0: Privacy Practices



Center for Internet Security – CIS – Critical Security Controls (version 7 list of 20; v8 consolidated these into 18)

  1. Inventory and control of hardware assets
  2. Inventory and control of software assets
  3. Continuous vulnerability management
  4. Controlled use of administrative privileges
  5. Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
  6. Maintenance, monitoring, and analysis of audit logs
  7. Email and web browser protections
  8. Malware defenses
  9. Limitation and control of network ports, protocols, and services
  10. Data recovery capabilities
  11. Secure configurations for network devices, such as firewalls, routers, and switches
  12. Boundary defense
  13. Data protection
  14. Controlled access based on the need to know
  15. Wireless access control
  16. Account monitoring and control
  17. Implement a security awareness training program
  18. Application software security
  19. Incident response and management
  20. Penetration tests and red team exercises



COSO – Committee of Sponsoring Organizations of the Treadway Commission Framework

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and communication
  • Monitoring Activities


OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation

(insert photo)


ITIL – Information Technology Infrastructure Library

  • These certifications are GREAT add-ons for CISSP
  • Currently at v4


Six Sigma

(insert photo) and example


CMMI – Capability Maturity Model Integration


CRAMM – CCTA Risk Analysis and Management Method

  • Qualitative risk analysis and management tool
  • Three steps
    • Identify and value assets
    • Identify threats and vulnerabilities and calculate risks
    • Identify and prioritize countermeasures



Due Care vs Due Diligence

Due care – doing what a reasonable, prudent person would do in the same situation: acting on known risks (for example actually implementing policies, patching, and controls).

Due diligence – the ongoing research, investigation, and verification that informs and sustains due care (for example assessing risks, reviewing vendors, and confirming that controls keep working).

In short: due diligence is knowing and investigating; due care is acting on what you know. Failing either can support a finding of negligence.


Major Legal Systems

  • Civil Code Law
    • Napoleonic
  • Common Law
    • Criminal Law
    • Civil Tort Law
    • Administrative Law
  • Customary Law
  • Religious
  • Mixed


US Information Privacy Law – page 19  

  • ECPA
  • GLBA
  • USA Freedom Act
  • SOX
  • FCRA


Licensing and Intellectual Property




Trade Secrets

Two issues

  • Piracy / Licensing
  • DRM – Digital Rights Management



CCCA – Comprehensive Crime Control Act of 1984


CFAA – Computer Fraud and Abuse Act – 1986 (an amendment to the CCCA)

Raised the threshold of damage from $1,000 to $5,000 and covers:

  • Any computer used exclusively by the US government
  • Any computer used exclusively by a financial institution
  • Any computer .., when the offense impedes the ability of the government or institution to use that system
  • Any combination of computers used to commit an offense when they are not all located in the same state
  • Amended in 1994 (Computer Abuse Amendments Act), 1996 (NIIPA), 2001, 2002, 2008


Federal Sentencing Guidelines

  • Formalized the Prudent Man Rule
  • Minimize punishment by demonstrating due diligence
  • Three burdens of proof for negligence
    • Legally recognized obligation
    • Failed to comply with recognized standards
    • Causal relationship between the negligent act and damages


National Information Infrastructure Protection Act of 1996 – NIIPA

                Set of amendments to the CFAA



FISMA – Federal Information Security Management Act – 2002

Replaced and Repealed

  • Computer Security Act of 1987 (CSA)
  • GISRA – General Information Security Reform Act of 2000


FISMA – Federal Information Security Modernization Act – 2014


Cybersecurity Enhancement Act – 2014

                NIST SP 800-53

                NIST SP 800-171

                NIST CSF

National Cybersecurity Protection Act – 2014


Risk Terminology

  • Asset
  • Asset Valuation
  • Threats
    • Threat Agent – the entity that exploits a vulnerability; usually people, but can also be programs, hardware, or systems
    • Threat Event – the exploitation itself; can be accidental or intentional
  • Vulnerability
  • Exposure
  • Risk
    • Risk = threat * vulnerability
  • Safeguard
  • Attack
  • Breach


Quantitative Risk Analysis


AV – Asset Value

EF – Exposure Factor

SLE – Single Loss Expectancy

ARO- Annualized Rate of Occurrence

ALE – Annualized Loss Expectancy


Single Loss Expectancy

SLE = AV x EF (EF expressed as a fraction or percentage of the asset value lost in one incident)

Example: AV = $20,000, EF = 25%

SLE = $20,000 x 25%

SLE = 20000 x .25 = 5000

SLE = $5,000


Annualized Loss Expectancy

ALE = SLE x ARO (ARO may be fractional: 0.5 means once every two years)

Example: SLE = $5,000, ARO = 0.5

ALE = 5000 x .5 = 2500

ALE = $2,500


Value of the Safeguard

(ALE before Safeguard) – (ALE After Safeguard) – (Annual Cost of the Safeguard) = Value of Safeguard


(ALE1 – ALE2) – ACS = Cost Benefit / Value

(2500 – 500) – 1000 = 1000


Residual Risk = Inherent (Total) Risk – the risk removed by countermeasures

Total Risk = Threats x Vulnerabilities x Asset Value

Residual Risk = Total Risk – Controls Gap, where the controls gap is the amount of risk the implemented security controls actually remove (it is subtracted, not multiplied)
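The SLE, ALE, safeguard cost/benefit and residual-risk formulas above, carried through in code as an added example (not from the study guide or the page). The asset value, exposure factor, ARO and the $1,000 safeguard are the page's own worked numbers; the list of competing safeguards is constructed to show the decision the cost/benefit formula is actually for, including the case where no candidate is worth buying:

```python
"""Quantitative risk analysis helpers: SLE, ALE, safeguard cost/benefit, residual risk.

The figures in __main__ are the page's worked numbers (AV $20,000, EF 25%, ARO 0.5,
a safeguard that cuts ALE to $500 for $1,000 a year). The other candidate safeguards
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction (0.25 for 25%), not a percentage."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional (0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE1 - ALE2) - ACS: positive means the safeguard pays for itself."""
    return (ale_before - ale_after) - annual_cost


@dataclass(frozen=True)
class Safeguard:
    name: str
    ale_after: float    # ALE that remains once this safeguard is in place
    annual_cost: float  # ACS: purchase plus upkeep, amortised per year


def best_safeguard(ale_before: float, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive cost/benefit value.

    Returns None when no candidate is worth its cost (value <= 0): that is the
    'accept the risk' outcome, rather than buying a control that costs more
    than the loss it prevents.
    """
    best: Optional[Safeguard] = None
    best_value = 0.0
    for candidate in candidates:
        value = safeguard_value(ale_before, candidate.ale_after, candidate.annual_cost)
        if value > best_value:
            best, best_value = candidate, value
    return best


def residual_risk(total_risk: float, controls_gap: float) -> float:
    """Residual risk = total risk - controls gap (the risk the controls remove)."""
    if controls_gap < 0 or controls_gap > total_risk:
        raise ValueError("controls gap must be between 0 and the total risk")
    return total_risk - controls_gap


if __name__ == "__main__":
    sle = single_loss_expectancy(20_000, 0.25)   # 5000.0
    ale = annualized_loss_expectancy(sle, 0.5)   # 2500.0
    candidates = [
        Safeguard("page's safeguard", ale_after=500, annual_cost=1_000),     # value 1000
        Safeguard("gold-plated appliance", ale_after=0, annual_cost=3_000),  # value -500
        Safeguard("cheap filter", ale_after=1_500, annual_cost=200),         # value 800
    ]
    print(sle, ale, best_safeguard(ale, candidates))
    print(residual_risk(ale, ale - 500))         # 500.0 left after the page's safeguard
```

Note that the "gold-plated appliance" removes all of the loss yet loses to the page's $1,000 safeguard: the formula rewards net value, not risk eliminated, which is the point of the cost/benefit step.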


A Great Resource for Risk Analysis by Thor –