1.5 Explain different threat actors, vectors, and intelligence sources Flashcards
Advanced Persistent Threat or APT
(Actors and threats)
As defined in NIST (National Institute of Standards and Technology) SP 800-39, an APT is “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (cyber, physical, and deception).”
The APT: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
- Level of sophistication/capability: Highly skilled, using advanced tools that are not simply available on the internet.
- Resources/funding: Significant resources.
- Intent/motive: The motive could be political or economic. In some cases the attack is carried out for traditional espionage goals: gathering information about the target’s defense capabilities.
Insider threats (Actors and threats)
Insider attacks occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization. These attacks are often aimed at disclosing confidential information, but insiders may also seek to alter information or disrupt business processes.
- Level of sophistication/capability: An insider can be of any skill level, from a script kiddie to very technically skilled.
- Resources/funding: Limited funding and time, but being an insider gives them an advantage: authorized access to the organization’s network and some level of knowledge of it.
- Intent/motive: Motives range from activist goals to financial gain to simply being upset about not getting a promotion, or anything of that nature.
State actors (Actors and threats)
State actors are generally the top-tier cyber threat actors, and they bring a level of sophistication that, when executed well, allows them to be an APT.
Nation-state actors are highly skilled, well-funded, and motivated to use cyber tools, techniques, and procedures to gain a certain end state, whether it be the exfiltration of another country’s sensitive data, the disruption of an adversary’s electrical grid, intellectual property theft, election interference, or even a denial-of-service (DoS) attack targeting multinational banking systems.
- Level of sophistication/capability: Highly skilled, which allows them to operate as an APT.
- Resources/funding: Well-funded.
- Intent/motive: Motivated to use cyber tools, techniques, and procedures to gain a certain end state, whether it be the exfiltration of another country’s sensitive data, the disruption of an adversary’s electrical grid, intellectual property theft, election interference, or even a denial-of-service (DoS) attack targeting multinational banking systems.
Hacktivists (Actors and threats)
Hacktivists use hacking techniques to accomplish some activist goal.
- Level of sophistication/capability: Ranges from script kiddies to quite skilled to highly skilled.
- Resources/funding: The resources of hacktivists also vary somewhat. Many work alone and have very limited resources; large groups will always have more time and other resources than a lone attacker.
- Intent/motive: They are motivated by the greater good, even if their activity violates the law.
Script Kiddies (Actors and threats)
Script kiddie is a derogatory term for people who use hacking techniques but have limited skills.
- Level of sophistication/capability: These attackers often have little knowledge of how their attacks actually work; they are simply seeking out convenient targets of opportunity.
- Resources/funding: These individuals tend to be rather young, work alone, and have very few resources.
- Intent/motive: The motivations of script kiddies revolve around trying to prove their skill.
Criminal Syndicates (Actors and threats)
Otherwise known as organized crime, criminal syndicates are exactly what they sound like: the extension of classic crime techniques into cyberspace to extort, harass, or otherwise pursue illegal ends.
- Level of sophistication/capability: Organized crime tends to have attackers who range from moderately skilled to highly skilled.
- Resources/funding: Organized crime groups tend to have more resources.
- Intent/motive: The motive is simply illegal financial gain.
Hackers (Actors and threats)
Hackers often are depicted as wearing different colors of “hats” depending on their intent and motivation.
Authorized or white-hat hackers are those who act with authorization and seek to discover security vulnerabilities with the intent of correcting them. White-hat attackers may be either employees of the organization or contractors hired to perform penetration testing.
Unauthorized or black-hat hackers are those with malicious intent. They seek to defeat security controls and compromise the confidentiality, integrity, or availability of information and systems for their own unauthorized purposes.
Semi-authorized or gray-hat attackers are those who fall somewhere between white- and black-hat hackers. They act without proper authorization, but they do so with the intent of informing their targets of any security vulnerabilities.
Shadow IT (Actors and threats)
Shadow IT refers to networks and systems that are managed outside of the IT organization, often without the IT organization’s permission or even awareness. Shadow IT often does not meet security requirements, which is often why it is stood up “in the shadows” to begin with and can pose a serious vulnerability to the larger architecture, especially if it’s connected to the managed environment.
Competitors (Actors and threats)
Competitors may engage in corporate espionage designed to steal sensitive information from your organization and use it to their own business advantage.
This may include theft of customer information, stealing proprietary software, identifying confidential product development plans, or gaining access to any other information that would benefit the competitor.
Internal/External (Attributes of actors)
Very simply, actors can be internal, such as a disgruntled employee, or external, such as a competing company.
Level of sophistication/capability (Attributes of actors)
On a spectrum from the most unskilled individual to a highly technical team able to exploit niche systems and applications, often through zero-day attacks.
Resources/funding (Attributes of actors)
On a spectrum of no funding to a full nation-state level budget similar to other weapons program development.
Intent/motivation (Attributes of actors)
Varies widely, from poor behavior, curiosity, and fame to organizational disgruntlement, political causes, national-level intelligence gathering, etc.
Vector
A threat vector describes the actual means by which a threat is realized.
- Direct access: Ex. dumpster diving
- Wireless: Ex. wardriving
- E-mail: Ex. phishing
- Supply chain: Ex. compromised supplier or contractor
- Social media: Ex. eliciting information
- Removable media: Ex. malicious USB drive
- Cloud: Ex. denial-of-service against a cloud provider
Open-source intelligence or OSINT (Threat intelligence sources)
Open-source intelligence or OSINT is threat intelligence that is acquired from publicly available sources.
Many organizations have recognized how useful open sharing of threat information can be, and open-source threat intelligence has become broadly available. In fact, the challenge now is often deciding which threat intelligence sources to use, ensuring that they are reliable and up to date, and leveraging them well.