1.5 Threat Actors & 1.6 Types of Vulnerabilities Flashcards

1
Q

What is a Threat Actor?

A

A threat actor, also called a malicious actor, is an entity that is partially or wholly responsible for an incident that impacts, or has the potential to impact, an organization’s security.

2
Q

What is an Advanced Persistent Threat (APT)?

A

Groups of attackers who are highly motivated, funded, skilled, and patient. APTs are funded by nation-states (i.e., governments) and organized crime. An APT often takes advantage of unknown flaws and zero-day exploits and tries to remain stealthy throughout the attack.

3
Q

What are Insider Threats?

A

An insider threat is a disgruntled employee who might have been overlooked for promotion and whose relationship with the company has gone sour, e.g. Edward Snowden.

4
Q

What are Nation-State Actors?

A

It is another country that poses a threat; their motivation is that they want to undermine another nation.

5
Q

What is a Hacktivist?

A

It is an external threat that defaces your website or breaks into your computer or network. They are politically motivated, e.g. Anonymous.

6
Q

What is a Script Kiddie?

A

It is an individual who uses scripts or software written by someone else to exploit or break into a computer system.

7
Q

What are Criminal Syndicates?

A

A loose affiliation of gangsters in charge of organized criminal activities.

8
Q

Hacker Types: What is a White Hat Hacker?

A

(Authorized) A hacker who discovers and exposes security flaws in applications and operating systems with an organization’s consent so that they can be fixed before they become widespread problems.

9
Q

Hacker Types: What is a Black Hat Hacker?

A

(Unauthorized) A hacker who discovers and exposes security vulnerabilities without organizational consent, for financial gain or for some other malicious purpose.

10
Q

Hacker Types: What is a Grey Hat Hacker?

A

(Semi-Authorized) A hacker who exposes security flaws in applications and operating systems without consent, but not ostensibly for malicious purposes.

11
Q

What is Shadow IT?

A

It refers to information technology systems developed by departments other than the central IT department, to work around the shortcomings of the central information systems.

12
Q

What are Competitors?

A

A competitor is another company in the same industry as your company that tries to gain information from you on new products in the hope that it can build them faster and get them to market before you.

13
Q

Attributes of Actors: Level of Sophistication

A

Several components must be considered here, including technical ability, financial means, access, political and social support, and persistence.

14
Q

Attributes of Actors: Internal/External

A

Threats can be internal or external to the organization, or might even come from a partner.

15
Q

Attributes of Actors: Resources/Funding

A

Although not all attacks are financially motivated, money can play a role in an attack.

16
Q

Attributes of Actors: Intent/Motivation

A

The threat could be malicious, with the aim to destroy data or steal information or tangible property.

17
Q

What are Attack Vectors?

A

Attack vectors are the methods that adversaries use to breach or infiltrate your network.

18
Q

Attack Vector: Direct Access

A

Physically connecting to the target or target network via Cat-5 cable, a machine left unlocked, or a line tap.

19
Q

Attack Vector: Wireless

A

Exploiting insecure Wi-Fi, radio signals, Bluetooth, NFC, or other means without having to be physically connected.

20
Q

Attack Vector: Email

A

Exploitation or misuse of electronic mail. This method usually takes the form of phishing.

21
Q

Attack Vector: Supply Chain

A

An organization’s vendors, outside contractors, and customers can be exploited.

22
Q

Attack Vector: Removable Media

A

Any kind of electronic device which can be connected to your computing and network infrastructure can be used to attack it.

23
Q

Attack Vector: Social Media

A

Attackers will target personal information, create false identities, or take over trusted accounts to gain valuable information.

24
Q

Attack Vector: Cloud

A

Attackers will target poorly configured cloud services to access private environments. Many times, poor configurations come from a lack of understanding between vendor and user.

25
Q

What is a Threat Intelligence Source?

A

Dedicated centers, databases, and technical specifications cataloging information about attacks (and attackers) to help understand past events and promote proactive defense.

26
Q

What is Open-Source Intelligence (OSINT)?

A

The gathering of information from any publicly available resource. The process, techniques, and methodologies used to collect open-source intelligence can be called reconnaissance, information gathering, footprinting, fingerprinting, or target research in hacking methodologies.

27
Q

What are Closed/proprietary threat intelligence sources?

A

Require membership in a certain group such as a specific industry, government, or military. Also referred to as vertical community threat intelligence. Many also require a paid membership or subscription; this latter type can be known as a commercial threat intelligence source.

28
Q

What are Vulnerability Databases?

A

Indexes and repositories of information about threats, exploits, and attacks. The two dominant examples are Common Vulnerabilities and Exposures (CVE), hosted at cve.mitre.org, and the National Vulnerability Database (NVD), hosted at nvd.nist.gov.

29
Q

What is CVE?

A

Common Vulnerabilities and Exposures

30
Q

What is NVD?

A

National Vulnerability Database

31
Q

What are Public/Private Information Sharing Centers?

A

Locations where you can post information about your own security compromise events as well as access information posted by others. A private information sharing center requires membership. Examples of public centers include Exploit Database at exploit-db.com and US-CERT at us-cert.gov. These centers are also known as Information Sharing and Analysis Centers (ISACs).

32
Q

What is the Dark Web?

A

The part of the Internet that is only accessible by means of special software such as TOR, which redirects a web browser to content hosted on hidden servers.

33
Q

What is the Deep Web?

A

The part of the “regular” Internet that is not searchable using a standard public search engine. Instead, this is the collection of data, information, and resources that is contained in a walled garden. Estimates are that 95% of the content available online is in the deep web and therefore not indexed by the major search engines.

34
Q

What is a Walled Garden?

A

Networks that are separate from the Internet itself. Many walled gardens grant easy access to their content, but you have to go through their own portal. One example is the US government databases that you can access through searchsystems.net. Some require that you have a valid account with them, such as Facebook and Twitter, while still others may require that you pay for a subscription or membership to access them, such as LexisNexis or Morningstar.

35
Q

What are Indicators of Compromise (IoC)?

A

Evidence that an intrusion or security breach has taken place. Some IoCs are entries in log files, others are the appearance of new files, others are changes to configurations, while others may be activity on a network.

36
Q

What is Automated Indicator Sharing (AIS)?

A

An initiative by the Department of Homeland Security (DHS) to facilitate the open and free exchange of IoCs and other cyberthreat information between the US federal government and the private sector in an automated and timely manner. AIS makes full use of STIX and TAXII. It is managed by the National Cybersecurity and Communications Integration Center (NCCIC).

37
Q

What is Structured Threat Information Expression (STIX)?

A

A common language or format for describing cyber threat information so it can be shared, stored, and otherwise used in a consistent manner that facilitates automation. STIX is for anyone involved in defending networks or systems against cyber threats, including cyber defenders, cyber threat analysts, malware analysts, security tool vendors, security researchers, threat sharing communities, and more.

38
Q

What is Trusted Automated Exchange of Intelligence Information (TAXII)?

A

The main transport mechanism for cyber threat information represented in STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner. As a standardized set of communication services, protocols, and message exchanges, TAXII helps organizations exchange STIX information related to IoCs.

39
Q

What is Predictive Analysis?

A

Employs IoCs, observables, and other cyber threat intelligence to determine when an attack is imminent. The earlier in the cyber kill chain that we can detect an attack, exploit, breach, or intrusion event, the more likely the malicious event will be deflected and stopped. Bots/agents are used to respond in near real time to mitigate the impending threat.

40
Q

What are Threat Maps?

A

A “real-time” map of cyber attacks that are taking place. These are also called cyber threat maps, cyber-attack maps, and DoS maps. Most threat maps are animated and can provide a wealth of detail in their presentation. You should explore a few threat maps to see what they have to offer.

41
Q

What are File/Code Repositories?

A

Storage locations used by programmers to organize and structure their development efforts, such as GitHub. However, these same services can support the crafting of malicious tools, exploits, and malware.

42
Q

What are Research Sources?

A

A security manager, chief information security officer (CISO), chief security officer (CSO), or just a security administrator needs to be knowledgeable about the current state of security.

43
Q

Research Sources: Vendor Websites

A

A useful source of security information related to updates, patches, and fixes for their products. However, it is rare for a vendor to publish information about vulnerabilities and security issues in their products for which there is no current patch.

44
Q

Research Sources: Vulnerability Feeds

A

Lists of weaknesses, attack points, and compromise issues.

45
Q

Research Sources: Conferences

A

Collaborative meetings, held both in person and virtually.

46
Q

Research Sources: Request for Comments (RFC)

A

Documents drafted by the technical community that define, describe, and prescribe technology specifications.

47
Q

Research Sources: Threat Feeds

A

Another term for a vulnerability feed.

48
Q

Research Sources: Tactics, techniques, and procedures (TTP)

A

The collection of information about the means, motivations, and opportunities related to APTs. TTPs are often used in establishing attribution (i.e., assigning responsibility) of an attack to a specific hacker, group, or APT.

49
Q

What is a Vulnerability?

A

A vulnerability is a cybersecurity term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.

50
Q

What is a Cloud-Based Vulnerability?

A

A deployment concept where an organization contracts with a third-party cloud provider. The cloud provider owns, operates, and maintains the hardware and software. The organization pays a monthly fee to use the cloud solution.

51
Q

What is an On-Premises Vulnerability?

A

The traditional deployment concept, in which an organization owns the hardware, licenses the software, and operates and maintains the systems on its own, usually within its own building.

52
Q

What is a Zero Day?

A

Newly discovered attacks for which there is no specific defense available from the vendor of the vulnerable product. A zero-day exploit aims to exploit flaws or vulnerabilities in targeted systems that are unknown or undisclosed to the world in general.

53
Q

What are Weak Configurations?

A

Weak configurations can be devastating to institutions holding large amounts of (sensitive) data such as financial service firms.

54
Q

Examples of Weak Configurations

A
  • Open Permissions: These are vendor defaults that have not been changed to restrict or deny access.
  • Unsecure root accounts: A root account should be limited to local keyboard logon only.
  • Errors: Refers to the anticipation, detection, and resolution of programming, application, and communication errors.
  • Weak Encryption: An encryption/decryption algorithm that uses a key of insufficient length.
  • Unsecure Protocols: Any protocol that does not provide authenticity, integrity, and confidentiality.
  • Default settings: An option offered to you which is either recommended or safe to choose if you’re not sure. Defaults are intended for ease of installation and initial configuration, to minimize support calls from new customers.
  • Open ports and services: Open ports can be dangerous when the service listening on the port is misconfigured, unpatched, or has poor rules.

55
Q

What is Third-Party Risk?

A

It is the potential threat presented to an organization’s employee and customer data, financial information, and operations by the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems.

56
Q

Examples of Third-Party Risk

A
  • Vendor Management: The process of fully identifying all of the significant companies that aid in the delivery of a product or service to your organization, or to your customers on behalf of the organization.
  • System Integration: The process of connecting different sub-systems (components) into a single larger system that functions as one.
  • Lack of vendor support: Occurs when the vendor does not provide any improvements, support, or patching/upgrading of the product after the initial sale.
  • Supply chain: The activities required by the organization to deliver goods or services to the consumer.
  • Outsourced code development: Takes place when companies choose to have custom code solutions developed by a third party.
  • Data storage: The collective methods and technologies that capture and retain digital information on electromagnetic, optical, or silicon-based storage media.

57
Q

What is Improper or Weak Patch Management?

A
  • Patch management is applying new code, or changing existing code, in a software program. Patches range from enhancements to bug fixes, and in today’s world they are more commonly associated with security fixes.
  • Effective patch management has become more complex with time as the threat landscape has grown more sophisticated. Thus, investment firms are encouraged to regularly monitor their infrastructure and implement prompt fixes as necessary.

58
Q

Examples of Improper or Weak Patch Management

A
  • Firmware: A specific class of computer software that provides low-level control for a device’s specific hardware.
  • Operating System (OS): System software that manages computer hardware and software resources and provides common services for computer programs.
  • Application: Computing software designed to carry out a specific task other than one relating to the operation of the computer itself, typically used by end users.

59
Q

What is a Legacy Platform?

A

A legacy platform, also called a legacy operating system, is an operating system (OS) no longer in widespread use, or one that has been supplanted by an updated version of earlier technology.

  • Many enterprises that use computers have legacy platforms, as well as legacy applications, that serve critical business needs.

60
Q

What is an Impact Vulnerability?

A

An impact is best described as the type of harm an attack could cause if the vulnerability were exploited. For example, if an intrusion takes place, then there are consequences and impacts that must be survived, handled, and managed.

61
Q

Examples of Impacts

A
  • Data Loss: Occurs when sensitive, confidential, proprietary, or personal data is stolen by an attacker.
  • Data breaches: The intentional or unintentional release of secure or private/confidential information to an untrusted environment.
  • Data exfiltration: Occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer.
  • Identity theft: The crime of obtaining the personal or financial information of another person in order to use their identity to commit fraud.
  • Financial: Any security breach that will cause an increase in financial expenses as the issue is resolved.
  • Reputation: The potential loss of financial capital, social capital, and/or market share resulting from damage to a firm’s reputation.
  • Availability loss: The final component of the CIA Triad; refers to the actual availability of your data.