1.5 - Threat Actors, Vectors, and Intelligence Sources Flashcards
1
Q
Threat Actor
A
- The entity responsible for an event that has an impact on the safety of another entity
- aka malicious actor
- broad scope of actors and motivations vary greatly
2
Q
APT
A
- Advanced Persistent Threat
- Goal of most threat actors
- Attackers are in the network and undetected
- Can take a long time to identify that an APT exists
- Average time to detect, by region:
- N. America (71 days)
- Europe, Middle East, Africa (177 days)
- Asia Pacific (204 days)
3
Q
Insiders
A
- Very dangerous threat actors
- Have a lot of control
- Sophistication may not be advanced, but they have institutional knowledge
- Ex: where the data center is, network design
- They can direct their attacks precisely, a big advantage
4
Q
Nation State
A
- Usually a government
- In charge of national security (usually external gov’t)
- Have a lot of resources, high sophistication
- Constant attacks, commonly an APT (advanced persistent threat)
5
Q
Hacktivist
A
- Hacker with a purpose
- often social / political
- Usually sophisticated with a specific target
- not usually a financial gain
- usually has to go outside for funding
6
Q
Script Kiddies
A
- Runs pre-made scripts without any knowledge of what’s happening
- Not necessarily a young person
- simple scripts
- Usually an external actor, but not overly sophisticated
- throwing a lot of different scripts at a system and hoping one sticks
- doesn’t often have a financial gain, looking for low hanging fruit
- Often looking for bragging rights
7
Q
Organized Crime
A
- Professional criminals
- motivated by money
- almost always external entity
- very sophisticated
- can be highly organized (ex: one person sells data, one exploits, another handles customer support)
- lots of capital to fund hacking efforts
8
Q
Hacker
A
- Very broad definition
- An expert with technology
- Could be good or bad
- Often driven by money, power, ego
9
Q
Ethical Hacker
A
- Authorized
- Has permissions to hack
- Helps resolve weak points to make the system stronger
10
Q
Semi-authorized Hacker
A
- Between an authorized and an unauthorized hacker
- May find a vulnerability but doesn’t exploit it
11
Q
Shadow IT
A
- Going rogue
- working around the internal IT organization
- Create your own IT entity
- Sometimes people who don’t understand IT policies see them as roadblocks
- Ex: Purchasing your own cloud resources or your own equipment
- There may be short-term benefits, but there are often significant disadvantages (wasted time and money, the IT dept can usually do things faster, security risks, compliance issues)
12
Q
Competitor motivation
A
- Could be DoS, espionage, tarnish reputation
- Usually significant resources because they can be private entities
- Can gain competitive advantage (very unethical)
13
Q
Attack Vector
A
- The method an attacker uses to gain access to the target
- Attackers spend a lot of time to find these vectors
- IT professionals will spend a lot of time watching attack vectors
14
Q
Direct Access Attack Vectors
A
- If an attacker has physical access, they have a lot of access
- Reason why data centers are highly secure
- Ex: can reset administrator password
- Key logger to keyboard (can collect user names and passwords)
- Connect a flash drive / portable media and copy files
- DoS: pull the power cord, pour water on the system
15
Q
Wireless attack vectors
A
- Access points usually have a username / password; don’t use default credentials
- Ex: Rogue access point (an unauthorized access point), which could be configured as a wide-open access point
- Ex: Evil twin (a more malicious version of a rogue access point) used for a man-in-the-middle attack, which enables an on-path attack
- Ensure clients are using the latest protocols; avoid older encryption protocols (like WEP and WPA) and run WPA2 or later on wireless access points
16
Q
Email attack vectors
A
- One of the biggest / most successful attack vectors
- Everyone has email
- Phishing attacks (people want to click links), malware delivery, social engineering attacks (invoice scams)
17
Q
Supply chain attack vectors
A
- Each step along the supply chain is an attack vector
- Can tamper with underlying infrastructure
- Many third parties involved
- Ex: fake Cisco switches
18
Q
Social Media attack vectors
A
- Attackers can see your personal timeline
- Can be used to attack MFA (ex: knowing where you were born or the name of your school mascot), which can be exploited during a password reset
- Be wary of fake friends
19
Q
Removable Media Attack Vectors
A
- Gets around the firewall
- USB drive used to gather info and circumvent existing security
- This might be the only way in on an air-gapped system
- A USB drive can act as a keyboard (a hacker inside a USB device)
- Data exfiltration gets easier as USB drive storage grows; zero network bandwidth used
20
Q
Cloud based attack vectors
A
- Publicly-facing applications and services
- Ensure that data in the cloud is protected; misconfigurations can still be made
- Attackers often use brute force to access public-facing cloud services
- Or phishing
- Or consuming more and more cloud resources
- Must plan for a possible DoS attack
21
Q
Threat Intelligence
A
- Research threats
- Can come from public / private threat databases
- May come directly from hackers
- Important to know that the threat exists
22
Q
OSINT
A
- Open-Source Intelligence
- Publicly available sources are a good place to start
- Ex: internet, discussion groups, social media
- Ex: government data, public hearings
- Ex: commercial data (maps, datasets)
23
Q
Closed/proprietary Intelligence
A
- Someone has compiled information and provides solutions for a price
- You can see what threats may exist for your organization
24
Q
Vulnerability DB
A
- Researchers find vulnerabilities and publish them
25
Q
CVE
A
- Common Vulnerabilities and Exposures
- Sponsored by DoD and DHS
- Community managed list of vulnerabilities
- A resource to help prevent attacks; an example of OSINT (open source intelligence)
26
Q
NVD
A
- U.S. National Vulnerability Database
- A summary of CVEs (Common Vulnerabilities and Exposures)
- Provides severity scoring for vulnerabilities
- Provides patching ideas
27
Q
Public / Private Information Sharing
A
- Public threat intelligence (often classified info that has been provided by the government)
- Private threat intelligence (private providers have extensive resources)
- Challenges: need to get cyber threat data quickly and make sure it’s high quality; the CTA was developed as a solution
28
Q
CTA
A
- Cyber Threat Alliance
- Members upload specifically formatted threat intelligence
- CTA scores each submission and validates across other submissions
- Other members can extract validated data
29
Q
AIS
A
- Automated Indicator Sharing
- Intelligence industry needs a standard way to share important threat data
30
Q
STIX
A
- Structured Threat Information eXpression
- Describes cyber threat information
- Includes motivations, abilities, capabilities and response information
31
Q
TAXII
A
- Trusted Automated eXchange of Indicator Information
- A trusted transport that securely shares STIX data
32
Q
Dark web intelligence
A
- The dark web is an overlay on the existing internet
- Requires specific software and configurations to access
- Extensive information can be gathered from the dark web (people wanting to sell information they’ve stolen, lists of hacking tools and techniques)
- Forums to monitor for activity
33
Q
IOC
A
- Indicators of Compromise
- Event that indicates an intrusion
- Confidence is high
- Indicators: an unusual amount of network activity, files that normally don’t change now having different hash values, changes in DNS, or unusual login times
34
Q
Predictive Analysis
A
- Sometimes can predict an attack
- Analyze a large amount of data quickly and see where hackers are focusing
- Ex: evaluate the types of DNS queries your server receives; you can see whether they are domestic or international
- Combined with known vulnerabilities, you might be able to predict an attack
- Not looking for a specific signature but looking for patterns, often combined with machine learning
35
Q
Threat Maps
A
- Identify attacks and trends with a worldwide view
- Real-time
36
Q
File/Code repositories
A
- See what hackers are building
- Ex: GitHub
- Sometimes people accidentally misconfigure their repositories; attackers look through them for vulnerable configurations to gain access to source code
37
Q
Threat Research
A
- Know your enemy and their tools
- A never-ending process, constantly moving and changing
- Information comes from many different places (can’t rely on a single source); you need to synthesize the information
- Conferences
- Academic journals
- Local industry groups
- Social media (ex: honeypot monitoring on Twitter, keyword monitoring for terms like bugbounty and 0-day)
38
Q
Vendor websites
A
- Vendors are often the first to know about vulnerabilities
- Usually a notification process when a new vulnerability is discovered
39
Q
RFC
A
- Request for Comment
- A way to track and formalize a set of standards that anyone on the internet can use
- Published by the ISOC (Internet Society)
- Often written by the IETF (Internet Engineering Task Force)
- Not all RFCs are standards documents (ex: experimental, historic)
40
Q
ISOC
A
- Internet Society
- Publishes RFCs (Request for Comment)
41
Q
IETF
A
- Internet Engineering Task Force
- Often authors RFCs (Request for Comment)
42
Q
RFC 3822
A
- Threat Analysis of the DNS (Domain Name System)
- By reading through these RFCs you can not only understand the standards and how things are supposed to operate, but also understand the vulnerabilities
43
Q
RFC 7624
A
- Confidentiality in the Face of Pervasive Surveillance
44
Q
TTP
A
- Tactics, Techniques and Procedures
- Understanding how / what attackers are doing
- Challenge: TTPs change depending on the situation