GRID - GIAC Response and Industrial Defense ICS Threat Intelligence Questions and Answers

Question 1

An OT security analyst at a chemical plant needs to gather threat intelligence specifically related to adversaries targeting their sector. Which of the following sources would provide the MOST relevant and contextualized information?

Accepted Answer

The Chemical Sector Information Sharing and Analysis Center (ISAC).

Answer

The Chemical Sector ISAC is specifically designed to facilitate the sharing of cybersecurity threat information, vulnerabilities, and best practices among members of the chemical industry. This source provides the most targeted and relevant intelligence, as it is contextualized for the unique systems, processes, and threats faced by chemical manufacturing.

Question 2

Which of the following is the BEST example of strategic threat intelligence for an ICS environment?

Accepted Answer

A detailed report on the geopolitical motivations and long-term objectives of nation-state actors targeting the global energy sector.

Answer

Strategic threat intelligence focuses on the high-level, long-term view of the threat landscape. [7, 29] A report on the motivations, intent, and objectives of threat actors targeting a sector provides decision-makers (like CISOs and executives) with the context needed for long-term planning, risk management, and resource allocation. The other options are examples of tactical (IP addresses, Snort signature) or operational (TTP analysis) intelligence. [5, 7]

Question 3

A threat intelligence analyst receives a bulletin from CISA detailing a new malware variant that targets a specific PLC model used in their facility. The malware uses a non-standard UDP port for command and control (C2). What is the most effective IMMEDIATE action to take based on this tactical intelligence?

Accepted Answer

Create a firewall rule to block the specific C2 port and a detection rule in the network security monitor to alert on traffic using that port.

Answer

This CISA bulletin provides tactical intelligence—specific, technical indicators of compromise (IOCs) that are immediately actionable. [27] Creating a firewall rule to block the known C2 port and an NSM rule to detect attempts to use it directly mitigates the described threat and provides visibility into potential infections. The other actions are either too slow (replacing PLCs), not the most immediate priority (budget request), or less targeted and potentially disruptive (full network scan).

Question 4

When analyzing an adversary's behavior within an OT network, a security analyst uses a framework that maps observed actions like "Modify Control Logic" and "Inhibit Response Function" to a common knowledge base of adversary techniques. Which framework is being used?

Accepted Answer

MITRE ATT&CK® for ICS

Answer

The MITRE ATT&CK® for ICS framework is specifically designed to categorize adversary behaviors in industrial control systems. [9, 11] It includes ICS-specific tactics and techniques such as "Modify Control Logic" and "Inhibit Response Function," providing a common language for defenders to describe and analyze attacker TTPs. [25] The other frameworks serve different purposes: the Cyber Kill Chain is more generic, the Diamond Model focuses on event meta-features, and the NIST CSF is a high-level risk management framework.

Question 5

A threat actor is observed using techniques specifically designed to manipulate a Safety Instrumented System (SIS) with the apparent goal of causing a physical consequence. This profile is MOST closely associated with which adversary group?

Accepted Answer

XENOTIME

Answer

XENOTIME is the threat actor group uniquely identified with the TRISIS/TRITON malware, which was specifically designed to target and manipulate Schneider Electric's Triconex Safety Instrumented Systems (SIS). [1, 8] Their focus on compromising safety systems makes them the most dangerous known ICS threat actor, as the goal is to prevent the system from failing safely, potentially leading to loss of life or catastrophic damage. [1, 19]

(GRID) GIAC Response and Industrial Defense Practice Test

(GRID) GIAC Response and Industrial Defense Practice Test

GRID - GIAC Response and Industrial Defense ICS Threat Intelligence Questions and Answers