1.5 Explain different threat actors, vectors, and intelligence sources Flashcards

1
Q

What is an internal/external threat actor?

A

An external threat actor or agent is one that has no account or authorized access to the target system. A malicious external threat must infiltrate the security system using malware and/or social engineering. Note that an external actor may perpetrate an attack remotely or on-premises (by breaking into the company’s headquarters, for instance). It is the threat actor that is defined as external, rather than the attack method.

Conversely, an internal (or insider) threat actor is one that has been granted permissions on the system. This typically means an employee, but insider threat can also arise from contractors and business partners.

2
Q

What is the intent/motivation of a threat actor?

A

Intent describes what an attacker hopes to achieve from the attack, while motivation is the attacker’s reason for perpetrating the attack. A malicious threat actor could be motivated by greed, curiosity, or some sort of grievance, for instance. The intent could be to vandalize and disrupt a system or to steal something. Threats can be characterized as structured or unstructured (or targeted versus opportunistic) depending on the degree to which your own organization is targeted specifically. For example, a criminal gang attempting to steal customers’ financial data is a structured, targeted threat; a script kiddie launching some variant on the “I Love You” email worm is an unstructured, opportunistic threat.

Malicious intents and motivations can be contrasted with accidental or unintentional threat actors and agents. Unintentional threat actors represent accidents, oversights, and other mistakes.

3
Q

What are the attributes for funding/sophistication of threat actors?

A

You must also consider the sophistication and level of resources/funding that different adversaries might possess. Capability refers to a threat actor’s ability to craft novel exploit techniques and tools. The least capable threat actor relies on commodity attack tools that are widely available on the web or dark web. More capable actors can fashion zero-day exploits in operating systems, applications software, and embedded control systems. At the highest level, a threat actor might make use of non-cyber tools, such as political or military assets. Capability is only funded through a substantial budget. Sophisticated threat actor groups need to be able to acquire resources, such as customized attack tools and skilled strategists, designers, coders, hackers, and social engineers. The most capable threat actor groups receive funding from nation states and criminal syndicates.

4
Q

What is an authorized hacker?

A

A hacker engaged in authorized penetration testing or other security consultancy.

5
Q

What is a semi-authorized hacker?

A

A gray hat hacker (semi-authorized) might try to find vulnerabilities in a product or network without seeking the approval of the owner; but they might not try to exploit any vulnerabilities they find. A gray hat might seek voluntary compensation of some sort (a bug bounty), but will not use an exploit as extortion. A white hat hacker always seeks authorization to perform penetration testing of private and proprietary systems.

6
Q

What is a black hat hacker?

A

An unauthorized hacker operating with malicious intent.

7
Q

What is a script kiddie?

A

A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.

8
Q

What is a hacktivist?

A

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. Political, media, and financial groups and companies are probably most at risk, but environmental and animal advocacy groups may target companies in a wide range of industries.

9
Q

What is an APT?

A

Advanced persistent threat: An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware. Rather than think in terms of systems being infected with a virus or Trojan, an APT refers to the ongoing ability of an adversary to compromise network security—to obtain and maintain access—using a variety of tools and techniques.

10
Q

What is a state actor?

A

A type of threat actor that is supported by the resources of its host country’s military and security services.

State actors have been implicated in many attacks, particularly on energy and health network systems. The goals of state actors are primarily espionage and strategic advantage, but it has been known for countries—North Korea being a good example—to target companies purely for commercial gain.

11
Q

What is a criminal syndicate?

A

A type of threat actor that uses hacking and computer fraud for commercial gain.

A criminal syndicate can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution. Syndicates will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and extortion.

12
Q

What is an insider threat?

A

A type of threat actor who has been assigned privileges on the system and causes an intentional or unintentional incident.

13
Q

What is an attack surface?

A

The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.

14
Q

What is an attack vector?

A

A specific path by which a threat actor gains unauthorized access to a system.

15
Q

What are the seven types of threat vectors?

A

Direct access, removable media, email, remote and wireless, supply chain, web and social media, and cloud.

1. Direct access—this is a type of physical or local attack. The threat actor could exploit an unlocked workstation, use a boot disk to try to install malicious tools, or steal a device, for example.
2. Removable media—the attacker conceals malware on a USB thumb drive or memory card and tries to trick employees into connecting the media to a PC, laptop, or smartphone. For some exploits, simply connecting the media may be sufficient to run the malware. In many cases, the attacker may need the employee to open a file in a vulnerable application or run a setup program.
3. Email—the attacker sends a malicious file attachment via email, or via any other communications system that allows attachments. The attacker needs to use social engineering techniques to persuade or trick the user into opening the attachment.
4. Remote and wireless—the attacker either obtains credentials for a remote access or wireless connection to the network or cracks the security protocols used for authentication. Alternatively, the attacker spoofs a trusted resource, such as an access point, and uses it to perform credential harvesting and then uses the stolen account details to access the network.
5. Supply chain—rather than attack the target directly, a threat actor may seek ways to infiltrate it via companies in its supply chain. One high-profile example of this is the Target data breach, which was made via the company’s HVAC supplier (krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company).
6. Web and social media—malware may be concealed in files attached to posts or presented as downloads. An attacker may also be able to compromise a site so that it automatically infects vulnerable browser software (a drive-by download). Social media may also be used more subtly, to reinforce a social engineering campaign and drive the adoption of Trojans.
7. Cloud—many companies now run part or all of their network services via Internet-accessible clouds. The attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider (CSP) as a way of accessing the victim system.
16
Q

What is STIX?

A

Structured Threat Information eXpression (STIX)
The OASIS cyber threat intelligence (CTI) framework (oasis-open.github.io/cti-documentation) is designed to provide a format for automated threat data feeds so that organizations can share CTI. The Structured Threat Information eXpression (STIX) part of the framework describes standard terminology for IoCs and ways of indicating relationships between them.

17
Q

What is a threat data feed?

A

When you use a cyber threat intelligence (CTI) platform, you subscribe to a threat data feed. The information in the threat data can be combined with event data from your own network and system logs. An analysis platform performs correlation to detect whether any IoCs are present. There are various ways that a threat data feed can be implemented.

18
Q

What is TAXII?

A

Where STIX provides the syntax for describing CTI, the Trusted Automated eXchange of Indicator Information (TAXII) protocol provides a means for transmitting CTI data between servers and clients. For example, a CTI service provider would maintain a repository of CTI data. Subscribers to the service obtain updates to the data to load into analysis tools over TAXII. This data can be requested by the client (referred to as a collection), or the data can be pushed to subscribers (referred to as a channel).

19
Q

What is AIS?

A

Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing (us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS is based on the STIX and TAXII standards and protocols.

20
Q

What are threat maps?

A

A threat map is an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform. The security solutions providers publish such maps showing global attacks on their customers’ systems (fortinet.com/fortiguard/threat-intelligence/threat-map).

21
Q

Who stores vulnerability information, and how is it fed to customers/administrators?

A

Security researchers look for vulnerabilities, often for the reward of bug bounties offered by the vendor. Lists of vulnerabilities are stored in databases such as Common Vulnerabilities and Exposures (CVE), operated by Mitre (cve.mitre.org). Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software.

22
Q

What is predictive analysis?

A

One of the goals of using AI-backed threat intelligence is to perform predictive analysis, or threat forecasting. This means that the system can anticipate a particular type of attack and possibly the identity of the threat actor before the attack is fully realized. For example, the system tags references to a company, related IP addresses, and account names across a range of ingested data from dark web sources, web searches, social media posts, phishing email attempts, and so on. The analysis engine associates this “chatter” with IP addresses that it can correlate with a known adversary group. This gives the target advance warning that an attack is in the planning stages and more time to prepare an effective defense.

23
Q

What are TTPs?

A

A tactic, technique, or procedure (TTP) is a generalized statement of adversary behavior. The term is derived from US military doctrine (mwi.usma.edu/what-is-army-doctrine). TTPs categorize behaviors in terms of campaign strategy and approach (tactics), generalized attack vectors (techniques), and specific intrusion tools and methods (procedures).

24
Q

What is an IOC?

A

An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Put another way, an IoC is evidence of a TTP.

25
Q

What are some IOCs?

A

- Unauthorized software and files
- Suspicious emails
- Suspicious registry and file system changes
- Unknown port and protocol usage
- Excessive bandwidth usage
- Rogue hardware
- Service disruption and defacement
- Suspicious or unauthorized account usage

26
Q

How are closed/proprietary sources of threat intelligence used?

A

Closed/proprietary—the threat research and CTI data is made available as a paid subscription to a commercial threat intelligence platform. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars. Some examples of such platforms include:
IBM X-Force Exchange (exchange.xforce.ibmcloud.com)
Mandiant (mandiant.com/advantage/threat-intelligence/subscribe)
Recorded Future (https://www.recordedfuture.com/platform/threat-intelligence)

27
Q

How are public/private information sharing centers used for sources of threat intelligence?

A

Public/private information sharing centers—in many critical industries, Information Sharing and Analysis Centers (ISACs) have been set up to share threat intelligence and promote best practice (nationalisacs.org/member-isacs). These are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation. Where there is no coverage by an ISAC, local industry groups and associations may come together to provide mutual support.

28
Q

How is OSINT used for threat intelligence?

A

Open source intelligence (OSINT)—some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort. Some examples include:
AT&T Cybersecurity, previously AlienVault Open Threat Exchange (OTX) (otx.alienvault.com)
Malware Information Sharing Project (MISP) (misp-project.org/feeds)
Spamhaus (spamhaus.org/organization)
VirusTotal (virustotal.com)

29
Q

What is the difference between dark net and dark web?

A

Dark net—a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity.

Dark web—sites, content, and services accessible only over a dark net. While there are dark web search engines, many sites are hidden from them. Access to a dark web site via its URL is often only available via “word of mouth” bulletin boards.

30
Q

What are some other forms of threat intelligence platforms?

A

Academic journals—results from academic researchers and not-for-profit trade bodies and associations, such as the IEEE, are published as papers in journals. Access to these papers is usually subscription-based. One free source is the arXiv preprint repository (arxiv.org/list/cs.CR/recent). Preprints are papers that have not been published or peer reviewed.
Conferences—security conferences are hosted and sponsored by various institutions and provide an opportunity for presentations on the latest threats and technologies.
Request for Comments (RFC)—when a new technology is accepted as a web standard, it is published as an RFC by the W3C (rfc-editor.org). There are also informational RFCs covering many security considerations and best practices.
Social media—companies and individual researchers and practitioners write informative blogs or social media feeds. There are too many useful blog and discussion sources to include here, but the list curated by Digital Guardian (digitalguardian.com/blog/top-50-infosec-blogs-you-should-be-reading) is a good starting point.

31
Q

How is a file/code repository used for threat intelligence?

A

A file/code repository such as virustotal.com holds signatures of known malware code. The code samples derive from live customer systems and (for public repositories) files that have been uploaded by subscribers.

32
Q

What is shadow IT?

A

Unintentional threats usually arise from lack of awareness or from carelessness, such as users demonstrating poor password management. Another example of unintentional insider threat is the concept of shadow IT, where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process.