GRID - GIAC Response and Industrial Defense Threat Hunting in ICS Questions and Answers

Question 1

An ICS threat hunter is following a structured, hypothesis-driven methodology. After reviewing recent threat intelligence about adversaries targeting their industry, what is the most logical first step for the hunter to take?

Accepted Answer

Formulate a specific, testable question about potential adversary activity in their environment.

Answer

Hypothesis-driven threat hunting begins with creating a specific, testable hypothesis. This educated guess, often informed by threat intelligence, guides the subsequent search for evidence. Directly deploying rules or scanning for IOCs are reactive measures, and starting a new data collection without a clear goal is inefficient. The core of this proactive methodology is to first form a hypothesis to focus the investigation.

Question 2

A threat hunting team at a large electric utility needs to prioritize its efforts to protect the most critical operational processes. Which of the following methodologies provides a structured approach for identifying the systems whose compromise would cause the most significant operational impact?

Accepted Answer

Crown Jewel Analysis

Answer

Crown Jewel Analysis (CJA) is a methodology specifically designed to identify the most critical assets in an environment, where their failure or compromise would lead to mission or operational failure. By focusing on the potential impact and consequence, CJA helps prioritize security efforts, including threat hunting, on the assets that matter most. While the other options are valuable security activities, they do not specifically focus on prioritizing assets based on operational criticality in the same structured way as CJA.

Question 3

While hunting in a well-established and baselined process control network, a security analyst observes an engineering workstation (EWS) initiating an RDP session to another EWS within the same Purdue Level 2 segment. This activity is not associated with any scheduled maintenance or known operator task. This is an example of which potential adversary tactic?

Accepted Answer

Lateral Movement

Answer

Lateral movement describes the techniques attackers use to move from one system to another within a compromised network. Using legitimate tools like Remote Desktop Protocol (RDP) to move between workstations is a common lateral movement technique. Since the activity is from one trusted system to another within the same security level, it is not Initial Access. While it could be a precursor to other goals, the act itself is best described as lateral movement.

Question 4

To effectively hunt for anomalies in an ICS network, it is crucial to first understand what constitutes normal operations. Which of the following is the MOST fundamental prerequisite for successful anomaly-based threat hunting?

Accepted Answer

A well-defined and established baseline of network traffic and device behavior.

Answer

Anomaly-based detection works by identifying deviations from normal, expected behavior. Therefore, having a well-defined and established baseline of what is 'normal' for network traffic, protocols, and device interactions is the most critical prerequisite. Without a baseline, it is impossible to accurately identify anomalous activity and distinguish it from legitimate operational fluctuations. The other options are helpful but not as foundational for this specific hunting methodology.

Question 5

A threat hunter hypothesizes that an attacker is attempting to discover active devices and open ports on the process control network. Which of the following data sources would provide the MOST direct evidence to prove or disprove this hypothesis?

Accepted Answer

Network traffic captures from a SPAN port or network tap inside the OT network

Answer

Network scanning and device discovery activities are most directly observed in the network traffic itself. Data from a SPAN port or network tap provides full packet-level visibility into all communications, including scans (like ARP, ICMP, or TCP port scans) between devices within the OT network. Firewall logs would only show traffic crossing a boundary, historian data relates to the process, and HMI authentication logs show logins, not network-level discovery attempts.

(GRID) GIAC Response and Industrial Defense Practice Test

(GRID) GIAC Response and Industrial Defense Practice Test

GRID - GIAC Response and Industrial Defense Threat Hunting in ICS Questions and Answers