1.5 Explain different threat actors, vectors, and intelligence sources. Flashcards
Advanced persistent threat (APT)
-often associated with nation-state threat actors
-well-resourced, sophisticated perps engaged in targeted, prolonged net. + sys. intrusion
-infiltrate net. + remain inside undetected to collect info over a long period of time
-establish persistent access by:
->planting backdoors, creating privileged accts
Prevention
-regular patching
-employee training
-access ctrls
-threat intelligence sharing
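Added example (not part of the original flashcards): the "planting backdoors, creating privileged accts" card above is something you can check for directly by diffing account snapshots. The script below compares a baseline and a current copy of /etc/passwd and /etc/group and flags new accounts, a second UID-0 account, service accounts that gained a login shell, and new members of privileged groups. The snapshots are constructed for this example and the set of groups treated as privileged is an assumption for a Debian-style host.

```python
"""Detect signs of persistent access: new or newly privileged local accounts.

Diffs two snapshots of /etc/passwd and /etc/group (baseline vs. current).
The snapshots below are constructed for this example; the group names
treated as privileged are an assumption for a Debian-style host.
"""

# Assumption: membership in any of these groups grants root-equivalent access.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm"}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash"}

# Constructed baseline snapshot (what the host looked like before).
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
GROUP_BEFORE = """\
root:x:0:
sudo:x:27:alice
www-data:x:33:
"""

# Constructed current snapshot: a service account got a shell and sudo,
# and a UID-0 account with an innocuous-looking name appeared.
PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupdate:x:0:0:System Update:/var/tmp/.u:/bin/bash
"""
GROUP_AFTER = """\
root:x:0:
sudo:x:27:alice,www-data
www-data:x:33:
"""


def parse_passwd(text):
    """Map username -> (uid, login shell); skip blank, comment and malformed lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = (int(uid), shell)
    return users


def parse_group(text):
    """Map group name -> set of supplementary members."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_persistence_indicators(passwd_before, group_before, passwd_after, group_after):
    """Return (indicator, detail) pairs for account changes that suggest a planted foothold."""
    old_users, new_users = parse_passwd(passwd_before), parse_passwd(passwd_after)
    old_groups, new_groups = parse_group(group_before), parse_group(group_after)
    findings = []

    for name, (uid, shell) in new_users.items():
        if name not in old_users:
            findings.append(("new_account", f"{name} uid={uid} shell={shell}"))
        else:
            old_uid, old_shell = old_users[name]
            if old_shell not in INTERACTIVE_SHELLS and shell in INTERACTIVE_SHELLS:
                findings.append(("shell_enabled", f"{name}: {old_shell} -> {shell}"))
            if old_uid != uid:
                findings.append(("uid_changed", f"{name}: {old_uid} -> {uid}"))
        # Any second UID-0 account is a classic backdoor regardless of how it got there.
        if uid == 0 and name != "root":
            findings.append(("uid0_account", name))

    for grp in sorted(PRIVILEGED_GROUPS):
        added = new_groups.get(grp, set()) - old_groups.get(grp, set())
        for member in sorted(added):
            findings.append(("privileged_group_member", f"{member} added to {grp}"))
    return findings


def run_example():
    """Diff the constructed snapshots above."""
    return find_persistence_indicators(PASSWD_BEFORE, GROUP_BEFORE, PASSWD_AFTER, GROUP_AFTER)


if __name__ == "__main__":
    for indicator, detail in run_example():
        print(f"{indicator:25} {detail}")
```

In practice the baseline snapshot would be taken at build time and stored off-host, since an attacker with root can rewrite a baseline kept on the same machine.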
Insider threats
-ppl with legit access who intentionally/unintentionally harm the org's sec. (more than pswd on sticky notes)
-current/former employees, contractors, partners
-financial gain, revenge, ideology, negligence, competitive advantage
-unauthorized data access, data exfiltration, sabotage, sharing sensitive info, introducing malware
-could be malicious insiders or negligent insiders
Prevention
-behavioral assessments
-identify insiders exhibiting unusual behavior
-proper education/training
-policies to identify risky personnel
-proactive monitoring of net. and sys. activity
-usr access ctrls
-data encryption
-implement least privilege
-incident response plans
(Nation) State actors
-most sophisticated threat actor, with the most resources (labor force, time, $ to finance ongoing attcks)
-govt. sponsored/affiliated groups (govt. ties not always acknowledged)
-to achieve strategic objectives
-> military ctrl, utilities, financial ctrl, national sec., cyber espionage, cyber warfare, economic/political influence
-establish long term presence in compromised nets.
-> ongoing surveillance, gather intel, precursor/complement to conventional military actions
-custom malware/exploits tailored to targets
-can lead to: diplomatic tensions, sanctions, inter-nation agreements on cyber norms/rules of engagement
Prevention
-hard b/c use of false flags, proxies
-advanced threat protection
-attribution efforts
-international cooperation
Hacktivists
-ppl/groups who engage in hacking for political, social, or ideological reasons
-social change, political agenda
-can be sophisticated (DoS, website defacing, release of priv. docs., data leaks)
-limited funding BUT some have fundraising options
-operate anonymously/under pseudonyms to conceal identity + avoid legal repercussions
-legal gray area: framed as ethical protest by supporters but still illegal hacking, so subject to debate
-can lead to data breaches, services disruptions, reputational damage, financial losses
-usually gets media attn + public awareness
Detection
-intrusion detection
-proactive defense
-DDoS mitigation
-incident response plans
-robust sec. measures
Script kiddies
-ppl that use hacking techniques but have limited skills
-rely on preexisting hacking tools/scripts to conduct attcks
-unsophisticated BUT dangerous b/c unaware of consequences of their actions
-can’t cover tracks well, lack financial means
-target low hanging fruit (websites, online forums, poorly secured sys.)
-could be internal/external
-could plant trojans/remote access tools within org.
-often associated wth website defacement attcks
-motivations: curiosity, ego, attention seeking, vandalism, educational opportunity
Criminal syndicates
-prof. criminals motivated by $
-highly sophisticated, profit driven, diversified, widespread activity
-operate internationally
-has financial means
-illegal use of force, fraud, corruption, malware, social engineering, identity theft, CC fraud, sale of stolen data
-funding comes from other illegal acts (gambling, property theft, loan sharking, etc)
-contribute to underground cybercrime economy (sale of hacking tools, services, stolen data)
-money laundering makes them hard to trace
Prevention
-threat intel.
-international cooperation among law enforcement agencies
Hackers
-ppl/groups who use tech skills to gain authorized/unauthorized access to comp. sys., nets, data
-financial gain, curiosity, activism, mal intent, ego, ethical/sec. training (don’t always have mal. intent)
-targets = ppl, govts, critical infra
-three types = authorized, unauthorized, semi-authorized
-methods = software vulns, social engineering, phishing, malware, pswd cracking
-impact = data breaches, financial losses, service disruptions, reputational damage for victims
Prevention
-regular patching
-usr training
-robust access ctrls
Authorized
-white hat
-ethical hackers/sec. researchers
-good intentions
-work with consent of sys. owner to improve cybersec.
-pen testers with permission to attack/test sys.
Unauthorized
-black hat
-mal. activities/intent
-cybercriminals
-4 personal gain, financial profit, steal data, distribute malware
Semi-authorized
-grey hat
-generally don’t have mal. intent
-operate in a morally ambiguous area between black + white hat hackers
-may hack without permission
->expose vulns, may notify affected parties
-don't exploit the vuln. > stop once they've discovered it
Shadow IT
-use of unauthorized/unmanaged IT sys., apps, services within org.
->often wthout knowledge/approval from IT
-going rogue/working around internal IT
-employees might do this 4 convenience/more usr friendly to them
-unapproved sys. may lack proper sec. ctrls, updates, compliance wth org policies
-sensitive data could be exposed, mishandled, insecurely stored
-can lead to non compliance wth regulatory reqs/industry standards
->legal + financial penalties
-hard to monitor, secure, manage which makes it difficult to respond to sec. incidents
Prevention
-usr education
-policy enforcement
-provide approved alts
-collaboration btwn IT + end usrs
-usr friendly IT solutions
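Added example (not part of the original flashcards): the "hard to monitor" card above is where most orgs start, and the cheapest signal for unapproved services is the internal resolver's query log. The script below reads constructed DNS log lines, drops internal names and services on an approval list, and reports the remaining domains used by several people. The log format, the approval list and the internal zone are assumptions for the example; every external domain in the sample uses the reserved .example TLD so none of them is a real service.

```python
"""Find unapproved external services in use from DNS query logs.

Reads constructed resolver log lines of the form
'<timestamp> <client-ip> <user> <queried-name>' (an assumed format), drops
queries for internal names and for services on an assumed approval list, and
reports remaining domains used by several people, since a service that has
spread to multiple users is the one most likely to hold company data.
"""
import re
from collections import defaultdict

# Assumptions for the example: the org's sanctioned SaaS and its internal DNS zone.
APPROVED_SERVICES = {"office365.com", "sharepoint.com", "slack.com"}
INTERNAL_ZONES = {"corp.example"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<qname>\S+)$")

# Constructed sample log (.example is a reserved TLD, so nothing here is a real service).
SAMPLE_LOG = [
    "2024-03-06T09:01:00Z 10.0.0.12 alice teams.office365.com",
    "2024-03-06T09:02:00Z 10.0.0.12 alice files.corp.example",
    "2024-03-06T09:05:00Z 10.0.0.12 alice share.filedrop.example",
    "2024-03-06T09:40:00Z 10.0.0.27 bob api.filedrop.example",
    "2024-03-06T10:12:00Z 10.0.0.27 bob app.slack.com",
    "2024-03-06T11:00:00Z 10.0.0.31 carol share.filedrop.example",
    "2024-03-06T11:02:00Z 10.0.0.31 carol share.filedrop.example",
    "2024-03-06T13:30:00Z 10.0.0.44 dave notes.pad.example",
    "malformed line",
]


def registrable_domain(qname):
    """Collapse a query name to its last two labels.

    Naive on purpose: a real deployment should use the Public Suffix List so that
    'x.co.uk' is not collapsed to 'co.uk'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def classify(qname):
    """Return 'internal', 'approved' or 'unapproved' for a queried name."""
    base = registrable_domain(qname)
    if base in INTERNAL_ZONES:
        return "internal"
    if base in APPROVED_SERVICES:
        return "approved"
    return "unapproved"


def shadow_it_report(lines, min_users=2):
    """Aggregate unapproved domains by distinct users and query count."""
    stats = defaultdict(lambda: {"users": set(), "queries": 0, "first_seen": None})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip, do not abort the whole run
        if classify(m["qname"]) != "unapproved":
            continue
        entry = stats[registrable_domain(m["qname"])]
        entry["users"].add(m["user"])
        entry["queries"] += 1
        if entry["first_seen"] is None or m["ts"] < entry["first_seen"]:
            entry["first_seen"] = m["ts"]  # ISO-8601 UTC strings sort chronologically
    report = [
        {"domain": d, "users": sorted(s["users"]), "queries": s["queries"], "first_seen": s["first_seen"]}
        for d, s in stats.items() if len(s["users"]) >= min_users
    ]
    # Most widely used first; domain name as a stable tiebreaker.
    report.sort(key=lambda r: (-len(r["users"]), r["domain"]))
    return report


def run_example():
    return shadow_it_report(SAMPLE_LOG)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['domain']:25} users={len(r['users'])} queries={r['queries']} first_seen={r['first_seen']}")
```

The min_users threshold is what keeps the report short: one person trying a tool is a conversation, three people sharing files through it is data already outside the org's controls.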
Competitors
-anticompetitive practices
-industrial espionage
-harm reputation
-gain economic benefits/steal financial info
-steal customer lists, product designs, pricing strats
-trade secrets, intellectual property, etc
-high level of sophistication + significant funding
-tactics = phishing, malware, social engineering, insider threats
Prevention
-data encryption
-access ctrls
-employee training
-threat intel.
Attributes of actors
-helps build better threat profiles + classification sys. to deploy relevant and proactive defenses
-helps assess their intent
Internal/external
Internal
-work on inside (sysadmins, end usrs)
-may not have motive/intent to cause harm
-have legit access = easier to carry out attcks wthout raising suspicion
-motives = financial gain, grievances, ideological beliefs, etc.
-actions often accidental
Mitigation
-advanced monitoring
-behavior analysis
-employee awareness programs
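Added example (not part of the original flashcards) that serves both the "behavioral assessments / identify insiders exhibiting unusual behavior / proactive monitoring" cards in the Insider threats section and the "advanced monitoring / behavior analysis" mitigation here: the point of behavior analysis is to compare a user with their own history, not with a global rule. The script below builds a per-user daily download baseline from constructed file-server log lines and flags the evaluation day for volume far above that baseline and for off-hours activity. The log format, the 08:00-17:59 UTC working hours and the sample users are assumptions for the example.

```python
"""Flag insiders whose file-download behaviour departs from their own baseline.

Reads constructed file-server access log lines of the form
'<ISO-8601 UTC timestamp> <user> <action> <path>' (an assumed format),
builds a per-user daily download baseline from the previous days, and flags
the evaluation day for (a) volume well above that baseline and
(b) downloads outside assumed working hours.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone
from statistics import mean, pstdev

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<path>\S+)$")
WORK_HOURS = range(8, 18)   # assumption: 08:00-17:59 UTC is normal for this org
EVAL_DATE = date(2024, 3, 6)

# Constructed sample log: five quiet baseline days, then a 02:00 burst by alice.
SAMPLE_LOG = []
for day in range(1, 6):
    for i in range(3):
        SAMPLE_LOG.append(f"2024-03-0{day}T1{i}:05:00Z alice download /eng/spec{i}.docx")
    SAMPLE_LOG.append(f"2024-03-0{day}T11:30:00Z bob download /eng/report.pdf")
for i in range(20):
    SAMPLE_LOG.append(f"2024-03-06T02:{i:02d}:00Z alice download /eng/design{i}.pdf")
SAMPLE_LOG.append("2024-03-06T10:15:00Z bob download /eng/report.pdf")
SAMPLE_LOG.append("2024-03-06T10:20:00Z bob download /eng/notes.txt")
SAMPLE_LOG.append("2024-03-06T10:21:00Z bob view /eng/notes.txt")   # not a download, ignored
SAMPLE_LOG.append("not a log line")                                   # malformed, skipped


def parse_events(lines):
    """Return (timestamp, user, action, path) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        events.append((ts, m["user"], m["action"], m["path"]))
    return events


def detect_anomalies(lines, eval_date, baseline_days=5):
    """Compare each user's downloads on eval_date with their own prior days."""
    per_day = defaultdict(lambda: defaultdict(int))   # user -> date -> downloads
    off_hours = defaultdict(int)                       # user -> off-hours downloads on eval_date
    for ts, user, action, _path in parse_events(lines):
        if action != "download":
            continue
        d = ts.date()
        per_day[user][d] += 1
        if d == eval_date and ts.hour not in WORK_HOURS:
            off_hours[user] += 1

    findings = []
    for user, days in sorted(per_day.items()):
        # Days with no activity count as zero so the baseline reflects the user's
        # normal rate rather than only their busy days.
        baseline = [days.get(eval_date - timedelta(days=n), 0) for n in range(1, baseline_days + 1)]
        mu, sigma = mean(baseline), pstdev(baseline)
        today = days.get(eval_date, 0)
        # Two guards: beyond 3 sigma AND at least double the mean, so a flat baseline
        # (sigma == 0) does not trip on one extra download. A user with no history has
        # threshold 0 and is flagged on any activity, which is the conservative choice.
        threshold = max(mu + 3 * sigma, 2 * mu)
        if today > threshold:
            findings.append({"user": user, "type": "volume",
                             "detail": f"{today} downloads vs baseline mean {mu:.1f}"})
        if off_hours[user]:
            findings.append({"user": user, "type": "off_hours",
                             "detail": f"{off_hours[user]} downloads outside "
                                       f"{WORK_HOURS.start:02d}:00-{WORK_HOURS.stop:02d}:00 UTC"})
    return findings


def run_example():
    return detect_anomalies(SAMPLE_LOG, EVAL_DATE)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['user']:8} {f['type']:10} {f['detail']}")
```

A finding here is a reason for an analyst to look, not proof of intent: the same pattern fits a negligent insider, a compromised account, and someone finishing a deadline at 2 a.m., which is why the Insider threats card pairs monitoring with behavioral assessment rather than replacing it.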
External
-operate from outside org.
-lack legit access to internal sys. (script kiddies, hacktivists, nation-state actors, organized crime)
-resources @ disposal varies
-tech expertise varies
-motives = financial gain, political/ideological agendas, espionage targeting orgs IP/sensitive data
Mitigation
-consider ext. attck surface (net. perimeter safety)
-firewalls
-intrusion detection sys.
-threat intel.
Level of sophistication/capability
-technical ability
-access
-political/social support
-persistence
-financial means
-sophisticated TAs develop custom malware, tactics/techniques, advanced evasion techniques, patient/persistent
-for financial gain, political goal, espionage, ideological goals
Prevention
-requires advanced cybersec. measures
-threat intel.
-continuous monitoring
Resources/funding
-financial backing…helps with…
->access to tech > enhances effectiveness
->establish/maintain sophisticated infra (cmd + control servers, botnets, etc)
->custom development > malware, tools, techniques
->recruitment + retention of skilled hackers, researchers, etc. = expands TAs capabilities
-advanced hacking tools
-zero day exploits
-global reach
Prevention
-invest in cybersec. measures + threat intel.
Intent/motivation
-helps orgs assess risks, tailor defenses, respond effectively
-some accidental, others driven by financial gain/ideological reasons
-could be mal. (sabotage) with the aim to destroy data, steal info...
-insights into why they engage + what they aim to achieve
->financial profit, grievances, curiosity, power/influence, competitive advantage
-intent influences tactics, techniques, targets
Prevention
-tailor defenses/responses according to intent + motivation
Vectors
-means that threat actors use to obtain access (path they take to execute attcks)
-a lot of work goes into finding vulns.
-delivery mechanisms
-evolve as tech. advances
-encompass range of techniques/strats
-important 4 proper risk analysis + understanding countermeasures