1.5 - 1.5 Explain different threat actors, vectors, and intelligence sources. Flashcards
Explain different threat actors, vectors, and intelligence sources.
Advanced persistent threat (APT)
-often associated wth Nation State Threat Actors
-well resourced/sophisticated perps engaged in targeted/prolonged net. + sys. intrusion
-infiltrate net. + remain inside undetected to get info over long period of time
-establish persistent access by;
->planting backdoors, creating privileged accts
Prevention
-regular patching
-employee training
-access ctrls
-threat intelligence sharing
Insider threats
-ppl wth legit access who intentionally/unintentionally harm orgs sec. (more than pswd on sticky notes)
-current/former employees, contractors, partners
-financial gain, revenge, ideology, negligence, competitive advantage
-unauthorized data access, data exfiltration, sabotage, sharing sensitive info, introducing malware
-could be malicious insiders or negligent insiders
Prevention
-behavioral assessments
-identify insiders exhibiting unusual behavior
-proper education/training
-policies to identify risky personnel
-proactive monitoring of net. and sys. activity
-usr access ctrls
-data encryption
-implement least privilege
-incidence response plans
(Nation) State actors
-most sophisticated threat actor/wth most resources (labor force, time, $ to finance ongoing attcks)
-govt. sponsored/affiliated groups (govt. ties not always acknowledged)
-to achieve strategic objectives
-> military ctrl, utilities, financial ctrl, national sec., cyber espionage, cyber warfare, economic/political influence
-establish long term presence in compromised nets.
-> ongoing surveillance, gather intel, precursor/complement to conventional military actions
-custom malware/exploits tailored to targets
-can lead to; diplomatic tensions, sanctions, inter nation agreements related to cyber norms/rules of engagement
Prevention
-hard b/c use of false flags, proxies
-advanced threat protection
-attribution efforts
-international cooperation
Hacktivists
-ppl/groups engage in hacking 4 political, social, ideological reasons
-social change, political agenda
-can be sophisticated (DoS, website defacing, release of priv. docs., data leaks)
-limited funding BUT some have fundraising option
-operate anonymously/pseudonyms to conceal identity + avoid legal repercussions
-legal gray area b/c can be ethical protest and illegal hacking so subject to debate
-can lead to data breaches, services disruptions, reputational damage, financial losses
-usually gets media attn + public awareness
Detection
-intrustion detection
-proactive defense
-DDoS mitigation
-incident response plans
-robust sec. measures
Script kiddies
-ppl that use hacking techniques but have limited skills
-rely on preexisting hacking tools/scripts to conduct attcks
-unsophisticated BUT dangerous b/c unaware of consequences of their actions
-can’t cover tracks well, lack financial means
-target low hanging fruit (websites, online forums, poorly secured sys.)
-could be internal/external
-could plant trojans/remote access tools within org.
-often associated wth website defacement attcks
-motivations: curiosity, ego, attention seeking, vandalism, educational opportunity
Criminal syndicates
-prof. criminals motivated by $
-highly sophisticated, profit driven, diversified, widespread activity
-operate internationally
-has financial means
-illegal use of force, fraud, corruption, malware, social engineering, identity theft, CC fraud, sale of stolen data
-funding comes from other illegal acts (gambling, property theft, loan sharking, etc)
-contribute to underground cybercrime economy (sale of hacking tools, services, stolen data)
-money laundering makes them hard to trace
Prevention
-threat intel.
-international cooperation among law enforcement agencies
Hackers
-ppl/groups who use tech skills to gain authorized/unauthorized access to comp. sys., nets, data
-financial gain, curiosity, activism, mal intent, ego, ethical/sec. training (don’t always have mal. intent)
-targets = ppl, govts, critical infra
-three types = authorized, unauthorized, semi authorized
-methods = software vulns, social engineering, phishing, malware, pswd cracking
-impact = data breaches, financial losses, service disruptions, reputational damage 4 vics
Prevention
-regular patching
-usr training
-robust access ctrls
Authorized
-white hat
-ethical hackers/sec. researchers
-good intentions
-work wth consent of sys. owner to improve cybersec.
-pen testers wth permission to attack/test sys.
Unauthorized
-black hat
-mal. activities/intent
-cybercriminals
-4 personal gain, financial profit, steal data, distribute malware
Semi-authorized
-grey hat
-generally don’t have mal. intent
-operates in morally ambiguous area btwn black + white hat hackers
-may hack wthout permission
->expose vulns, may notify affected parties
-doesn’t use vuln./exploit it > stops when they discover vuln.
Shadow IT
-use of unauthorized/unmanaged IT sys., apps, services within org.
->often wthout knowledge/approval from IT
-going rogue/working around internal IT
-employees might do this 4 convenience/more usr friendly to them
-unapproved sys. may lack proper sec. ctrls, updates, compliance wth org policies
-sensitive data could be exposed, mishandled, insecurely stored
-can lead to non compliance wth regulatory reqs/industry standards
->legal + financial penalties
-hard to monitor, secure, manage which makes it difficult to respond to sec. incidents
Prevention
-usr education
-policy enforcement
-provided approved alts
-collaboration btwn IT + end usrs
-usr friendly IT solutions
Competitors
-anticompetitive practices
-industrial espionage
-harm reputation
-gain economic benefits/steal financial info
-steal customer lists, product designs, pricing strats
-trade secrets, intellectual property, etc
-high level of sophistication + significant funding
-tactics = phishing, malware, social engineering, insider threats
Prevention
-data encryption
-access ctrls
-employee training
-threat intel.
Attributes of actors
-helps build better threat profiles + classification sys. to deploy relevant and proactive defenses
-helps asses their intent
Internal/external
Internal
-work on inside (sysadmins, end usrs)
-may not have motive/intent to cause harm
-have legit access = easier to carry out attcks wthout raising suspicion
-motives = financial gain, grievances, idealogical beliefs, etc.
-actions often accidental
Mitigation
-advanced monitoring
-behavior analysis
-employee awareness programs
External
-operate from outside org.
-lack legit access to internal sys. (script kiddies, hacktivists, nation state actors, organized crime)
-resources @ disposal varies
-tech expertise varies
-motives = financial gain, political/ideological agendas, espionage targeting orgs IP/sensitive data
Mitigation
-consider ext. attck surface (net. perimeter safety)
-firewalls
-intrusion detection sys.
-threat intel.
Level of sophistication/capability
-technical ability
-access
-political/social support
-persistence
-financial means
-sophisticated TAs develop custom malware, tactics/techniques, advanced evasion techniques, patient/persistent
-for financial gain, political goal, espionage, ideological goals
Prevention
-requires advanced cybersec. measures
-threat intel.
-continuous monitoring
Resources/funding
-financial backing…helps with…
->access to tech > enhances effectiveness
->establish/maintain sophisticated infra (cmd + control servers, botnets, etc)
->custom development > malware, tools, techniques
->recruitment + retention of skilled hackers, researchers, etc. = expands TAs capabilities
-advanced hacking tools
-zero day exploits
-global reach
Prevention
-invent in cybersec. measures + threat intel.
Intent/motivation
-helps orgs assess risks, tailor defenses, respond effectively
-some accidental, others driven by financial gain/ideological reasons
-could be mal. (sabotage) wth aim to destroy data, steal info…
-insights into why they engage + what they aim to achieve
->financial profit, grievances, curiosity, power/influence
-intent influences tactics, techniques, targets
-competitive advantage
Prevention
-tailor defenses/responses according to intent + motivation
Vectors
-means that threat actors use to obtain access (path they take to execute attcks)
-a lot of work goes into finding vulns.
-delivery mechanisms
-evolve as tech. advances
-encompass range of techniques/strats
-important 4 proper risk analysis + understanding countermeasures
Direct access
-gain access to comp. sys, net., device, etc by physically entering orgs facilities (data center)
-bypassing traditional digital defenses = makes this highly effective
-could modify OS (reset admin pswd quickly)
-attach keylogger, transfer files, DoS, compromise sys., install malware, extract data, compromise sys., modify configs
-easily accessible location
->sitting + working on laptop which is connected to unsecured net. jacks on the wall
-may find unsecured computer terminal, net. device, sys.
-EX: lobby, public areas, customer store
Prevention
-physical sec. measures (access ctrl)
-surveillance
-tamper evident seals
-secure facility design
-restrict unauthorized physical access to critical sys.
-assume perp who is able to physically touch a component will be able to compromise that device
-physical sec. = v important
Wireless
-exploiting vulns. in wireless nets. + comm. tech.
-targets = wifi nets, bluetooth connections, cellular nets., etc.
-gain unauthorized access to wireless nets, intercept data, launch man in the middle, compromise connected devices
-default login creds > modify AP config
-evil twin > perp collects auth. details (on path attck)
-perps don’t need to gain physical access if they’re able to sit in parking lot + access ur orgs. wireless net.
-unsecured/poorly secured wireless nets. = big sec. risk
Mitigation
-strong encryption (WPA3 for wifi)
-disable unncessary wireless services
-use secure pairing methods 4 bluetooth
-conduct reg. net. sec. assessments
-maintain up to date firmware + sec. patches
-monitor net. traffic
-use strong pswds 4 wireless access
-methods used to compromise email accts 4 unauthorized access/conduct mal. activity
-biggest/most successful attck vector
-common exploited vector (phishing, spam, cred stuffing, brute force, pswd resets, email fwding rules, man in the middle, 2fa bypass, actt takeover, etc)
-deliver malware to usr (attch to msg)
-social engineering tactics
-can send mal. emails, steal sensitive data, conduct further attcks
-easy to execute
-can be launched on many usrs simultaneously
-only need to succeed one time
-perp needs login creds of one usr to begin attck
Prevention
-strong email sec. measures
-robust spam filters
-usr training on email sec. best practices
-enable mfa
-use strong/unique pswds
Supply chain
-exploitinig vuln. with org supply chain/3rd party partners to gain unauthorized access + compromise sys. and data
-tamper wth underlying infra (EX: gain access to net. using a vendor)
-malware can modify manufacturing process
-counterfeit net. equipment > install backdoors, malware, vulns. into products b4 they reach end usr
-impersonate trusted suppliers/employees in supply chain
-social engineering, phishing, compromise updates/patch distribution process
-steal sensitive data, IP, trade secrets
-disrupt production/delivery of goods/services
->cause financial losses + reputational damage
Prevention
-rigorous vetting of 3rd party vendors
-implement sec. standards
-conduct reg. audits
-verify software/hardware integrity
-robust incident response plan
Social media
-exploits vuln. in ppl/orgs use of social media platforms
->where u are/when, vacay pics, usr profiling, where u were born, name of school mascot
-compromise sec/social media accts, conduct mal. activity, spread malware + spyware + trojans, identity theft, reputational damage, brand impersonation, data leakage
perps might directly target usrs
-might use in effort to harvest info about usrs
Prevention
-ppl/orgs use strong + unique pswds
-enable 2fa
-educate usrs about social engineering risks
-regularly review priv sttgs on accts
-usr education
Removable media
-using USB/etc. to spread malware
-might distribute in parking lots, airports, public areas in the hope that someone finds it + plugs into comp.
-device triggers malware infection that silently compromises vics comp. + places it under ctrl of the perp
Cloud
-perps scan pop. cloud services 4 files with improper access ctrls, sys. that have sec. flaws, accidently published API keys + pswds
Threat intelligence sources
-activities + resources available to prof. seeked to learn about changes in threat environ.
-many sources (open, commercial, closed source)
Prevention
-building threat intel. program = crucial part of orgs. approach to cybersec.
-b/c if ur not familiar wth current threats, u will be unable to build the right defenses to protect ur org.
Open-source intelligence (OSINT)
-gather from publicly available sources (broadly available)
-challenge = deciding what threat intel. sources to use, ensuring they’re reliable + up to date
-EX: Senki, Open threat exchange, mISP threat sharing project, threatfeeds)
Closed/proprietary
-commercial sec. vendors, govt orgs, other sec. orgs also create proprietary + close source intel
-do their own info gathering + research
-may use custom tools, analysis models, etc.
->to gather, curate, maintain their threat feeds
-used b/c orgs might want to keep their threat data secret + sell/license it
-may not want to take the chance of threat actors knowing about data they’re gathering
Vulnerability databases
-insight into types of exploits being discovered by researchers
-help direct orgs. defensive efforts
Public/private information
sharing centers
-platforms/orgs that facilitate exchange of cybersec. threat intel, best practices, incident info among stakeholders
-need to share critical sec. details
->realtime, high quality cybersec. info sharing
->both types encourage sharing cybersec. data
->IOCs, malware samples, incident reports, analysis of emerging threats
-foster collab/coordination, enables them to collectively defend against threats more effectively
-help increase awareness of evolving threat landscape + actionable insights
-CTA (cyber threat alliance)
->members upload specifically formatted threat intel.
->CTA score each submission + validates across other submissions
->other members can extract validated data
Public
-govt run/industry specific orgs provides platform 4 sharing cybersec. threat info among orgs in particular sector
->financial services, healthcare, critical infra
-often classified info
Private
-usually run by priv. orgs (cybersec vendors, industry consortia, commercial threat intel. providers)
-offers platforms 4 sharing threat intel. + best practices among customers/partners
-have extensive resources
Dark web
-net. run over standard internet connection BUT using multiple layers of encryption
-to provide anon. comm.
-often used by hackers to share info, sell creds + other stolen data
Indicators of compromise
-telltale signs attck has taken place
-may include;
->file signatures, log patterns, unusual net. activity, file hash values change, irregular international traffic, changes to DNS data, uncommon login patterns, other evidence left behind by perp
-may also be found in File and code repositories
-sources = net. monitoring, endpoint detection tools, threat intel feeds, sec. log analysis
Automated Indicator Sharing (AIS)
-standard to share important data/enables exchange of cybersec threat indicators + freely share info
-streamlines exchange of TI among trusted partners
-automates sharing of TI btwn orgs in near realtime = reduces manual effort required 4 info sharing
-data standardization (formats, protocols) 4 sharing data (STIX and TAXII)
-prioritize privacy + compliance wth legal and regulatory requirements
Automated Indicator Sharing (AIS) -> Structured Threat Information
eXpression (STIX)/Trusted Automated eXchange of Intelligence Information (TAXII)
STIX
-XML language
-standardized + structures language representing threat info in a;
->flexible, automobile, easy to user manner
-includes: motivations, abilities, capabilities, response info
-STIX 2.0 defines 12 STIX domain objects
->attck patterns, identities, malware, threat actors, tools
-objects then related to each other by one of two STIX relationship object models
->relationship OR sighting
TAXII
-STIX companion
-securely shares STIX data
-specification 4 machine to machine comms.
-enables org to share sec. info wth others
-intended to allow cyber threat info. to be communicated at app layer via HTTPS
-designed to support STIX data exchange
Predictive analysis
-threat intel. can be used for this to identify likely risks to the org.
Threat maps
-provide geographic view of threat intel.
-gain insight into sources of attcks aimed directly at their net.
-perps often relay attcks through cloud services + other compromised nets.
->hides their true geographic location from threat analysis tools
Important
-threat map info should ALWAYS be taken with grain of salt b/c geographic attribution is notoriously unreliable
File/code repositories
-used for code mgmt + collab
- many repos = publicly available
-centralized storage sys. where orgs. store files, source code, digital assets
-repos implement access ctrls
->incorporate version ctrl sys. to track changes/revisions
-securing repos = essential to prevent unauthorized access, data breaches, code vulns
->do this through: encryption, authentication, authorization
-some repos incorporate malware scanning
-see what hackers r building (github, public code repos)
-see what ppl r accidentally releasing (private code can often be published publicly)
-perps always looking (potential exploits exist, content 4 phishing attcks)
-report provide opportunities to obtain
->open source code, code specific to threat research + info gathering
-essential tools 4 efficient data + code mgmt, collab, version ctrl
Research sources
Vendor websites
-obtain info about products + services + sec. related udpates
-know when probs r announces b/c most vendors r involved in disclosure process
-usrs can access product docs, usr guides, manuals, knowledge bases, forums, etc
-some share threat intel. reports, research, analysis to help ppl understand threat landscape
Vulnerability feeds
-continous stream of info about known vuln. + best practices 4 addressing them
-sources of info that provides realtime/regular updates on known software vulns. + sec. weaknesses
-automated vuln. notifs (National vuln. database, CVE data feeds)
-could include recommendatoins + mitigations strats
-data from sources such as;
->sec. researchers, vendors, orgs, govt agencies
-orgs can integrate vuln. feeds into their sec. tools + processes 4 additional vuln. scanning, patch mgmt, risk assessment
Conferences
-provide platform 4 learning + knowledge sharing + collab
->watch learn, early warning of things to come, new DDos methods to protect ur data, build relationships, forge alliances
-share info about new attck techniques, malware, trends
Academic journals
-provide in depth, peer reviewed studies, analysis, insights, sec. analysis
-evaluations of existing sec. tech. (keep up with latest methods)
-detailed pat mortem? tear apart latest malware
-threat detection techniques
-sec. policy insights
Request for comments (RFC)
-providing standards, protocols, sec. considerations, historical context related to internet sec + tech
- NOT ALL are standards docs
->experimental, best current practice, etc
-defining how data should be secured during transmission, authentication methods, encryption algs, sec. considerations
-published by ISOC (internet sec) > often written by IETF (internet engineering task force)
-many analyze threats
-often provide guidance on how to mitigate cybersec. threats
-freely accessible online > widely available resource
Local industry groups
-gathering of local peers > shared industry + tech, geographical presence
-formed within specific geographical region/industry sector to collab, share knowledge, address cybersec challenges collectively
-networking opportunity
Threat feeds
-provide up to date detail about threats in a way ur org. can leverage
-includes technical details about threats
->IP, hostnames, domains, emails, URLs, file hashes, file paths, CVE #s, etc
-details about what may make ur org. a target/vuln. to threat, descriptions of threat actors, details about their motivation + methodologies
-threat feed combination can be challenging b/c might not use same format, classification model, etc.
->workaround by finding sources that already combine multiple feeds/finding feeds that use same description framework (STIX)
Prevention
-have reliable, up to date feeds
-may want to have multiple feeds u can check against each other b/c one feed may be faster/release info sooner
Adversary tactics, techniques,
and procedures (TTP)
-what r adversaries doing + how r they doing it
-search thru data + nets.
->proactively look 4 threats, signatures/firewall rules (can’t catch everything)
-methods/strats employed b4 perps
-insights into how threat actors operate
-diff types;
->info on targeted vics (finance 4 energy companies), infra used by perps (DNS + IPs), outbreak of a particular malware variant on a service type
