1.5 - Threat Actors, Vectors, and Intelligence Sources Flashcards

1
Q

Threat Actor

A
  • The entity responsible for an event that has an impact on the safety of another entity
  • aka malicious actor
  • broad scope of actors and motivations vary greatly
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

APT

A
  • Advance Persistent Threat
  • Goal of most threat actors
  • Attackers are in the network and undetected
  • Can take along time to identify that an APT exists
  • Average in:
  • N. America (71 days)
  • Europe, Middle East, Africa (177 days)
  • Asia Pacific (204 days)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Insiders

A
  • Very dangerous threat actors
  • Have a lot of control
  • Sophistication may not be advanced, but it has institutional knowledge
  • Ex: where data center is, network design
  • They can direct their attacks, big advantage
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Nation State

A
  • Usually a government
  • In charge of national security (usually external gov’t)
  • Have a lot of resources, high sophistication
  • Constant attacks, commonly a APT (advance persistent threat)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Hacktivist

A
  • Hacker with a purpose
  • often social / political
  • Usually sophisticated with a specific target
  • not usually a financial gain
  • usually has to go outside for funding
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Script Kiddies

A
  • Runs pre-made scripts without any knowledge of what’s happening
  • Not necessarily a young person
  • simple scripts
  • Usually an external actor, but not overly sophisticated
  • throwing a lot of different scripts at a system and hoping one sticks
  • doesn’t often have a financial gain, looking for low hanging fruit
  • often looking for bragging writes
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Organized Crime

A
  • Professional criminals
  • motivated by money
  • almost always external entity
  • very sophisticated
  • can be highly organized (ex: one person sells data, one exploits, another handles customer support)
  • lots of capital to fund hacking efforts
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Hacker

A
  • Very broad definition
  • An expert with technology
  • Could be good or bad
  • Often driven by money, power, ego
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Ethical Hacker

A
  • Authorized
  • Has permissions to hack
  • help resolve weak points to help make the system stronger
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Semi-authorized Hacker

A
  • In the middle of an authorized and unauthorized hacker
  • may be looking for vulnerability but doesn’t use it
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Shadow IT

A
  • Going rogue
  • working around the internal IT organization
  • Create your own IT entity
  • Sometimes ppl who doesn’t understand IT policies will see them as road blocks
  • Ex: Purchasing own cloud resources or own equipment
  • may be short term benefits, there are often significant disadvantages (waste time and money, IT dept can usually do things faster, security risks, compliance issues)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Competitor motivation

A
  • Could be DoS, espionage, tarnish reputation
  • Usually significant resources b/c can be private entities
  • Can gain competitive advantage (very unethical)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Attack Vector

A
  • Method attacker will use to get access to target
  • Attackers spend a lot of time to find these vectors
  • IT professionals will spend a lot of time watching attack vectors
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Direct Access Attack Vectors

A
  • If attacker has physical access they have a lot of access
  • Reason why data centers are highly secure
  • Ex: can reset administrator password
  • Key logger to keyboard (can collect user names and passwords)
  • Connect a flash drive / portable media and copy files
  • DoS, pull power cord, pour water on system
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Wireless attack vectors

A
  • Usually have user name / passwords, don’t use default credential
  • Ex: Rogue access point, unauthorized access point, then they could turn on wide open access point
  • Ex: Evil twin (more malicious version of a rogue access point) for man in the middle attack. Then can use an on path attack
  • Want to ensure clients are using the latest protocols, older encryption protocols (like WEP and WPA) you want to run WPA2 or later on wireless attack points
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Email attack vectors

A
  • Biggest/ most successful attack vectors
  • Everyone has email
  • Phishing attacks, people want to click links, can deliver malware, social engineering attacks (invoice scam)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Supply chain attack vectors

A
  • Each step along the supply chain is an attack vector
  • Can tamper with underlying infrastructure
  • Many third parties involved
  • Ex: fake cisco switches
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Social Media attack vectors

A
  • See your personal timeline
  • Can be used to attack MFA (ex: know where you were born or name of school mascot) can be exploited during a password reset
  • fake friends be wary
19
Q

Removable Media Attack Vectors

A
  • Get around the firewall
  • USB drive to gather info and circumvent existing security
  • This might be the only way to do it in an airgapped system
  • USB drive can act as a keyboard, hacker inside a USB
  • Data exfiltration as USB drive storage grows, zero bandwidth used
20
Q

Cloud based attack vectors

A
  • Publicly - facing applications and services
  • Ensure that data in cloud is protected, but misconfigurations can be made
  • Attackers often use brute force to access public facing clouds
  • Or phishing
  • Or using more and more cloud resources
  • Must plan for a possible DoS attack
21
Q

Threat Intelligence

A
  • Research threats
  • Can come from public / private threat databases
  • May come directly from hackers
  • Important to know that the threat exists
22
Q

OSINT

A
  • Open- Source intelligence
  • Publicly available sources are a good place to start
  • Ex: internet, discussion groups, social media
  • Ex: government data, public hearings
  • Commercial data (ex: maps, data)
23
Q

Closed/proprietary Intelligence

A
  • Someone has compiled information and provide solutions for a price
  • You can see what threats may be for your organization
24
Q

Vulnerability DB

A
  • Researchers find vulnerabilities and publish
25
Q

CVE

A
  • Common Vulnerabilities and Exposures
  • Sponsored by DoD and DHS
  • Community managed list of vulnerabilities
  • Resource to prevent attacks an example of OSINT (open source intelligence)
26
Q

NVD

A
  • U.S. National Vulnerability Database
  • A summary of CVEs (Common Vulnerabilities and Exposures)
  • Provides severity scoring for vulnerabilities
  • Provides patching ideas
27
Q

Public / Private Information - sharing

A
  • Public threat intelligence (often classified info that has been provided by the government)
  • Private threat intelligence ( have extensive resources)
  • Challenges, need to get cyber threat data quickly and need to make sure it’s high quality. CTA developed as a solution
28
Q

CTA

A
  • Cyber Threat Alliance
  • Members upload specifically formatted threat intelligence
  • CTA scores each submission and validates across other submissions
  • Other members can extract validated data
29
Q

AIS

A
  • Automated Indicator Sharing
  • Intelligence industry needs a standard way to share important threat data
30
Q

STIX

A
  • Structured Threat Information eXpression
  • Describes cyber threat information
  • Includes motivations, abilities, capabilities and response information
31
Q

TAXII

A
  • Trusted Automated eXchange of Indicator Information
  • a trusted transport, securely shares STIX data
32
Q

Dark web intelligence

A
  • Dark web is an overlay to existing internet
  • Requires specific software and configurations to access
  • Extensive information to gather from the dark web (find people wanting to sell information they’ve stolen, can lists tools and techniques for hacking)
  • Forums to monitor for activity
33
Q

IOC

A
  • Indicators of Compromise
  • Event that indicates an intrusion
  • Confidence is high
  • Indicators - unusual amount of network activity or files that normally don’t change now have hash values, changes in DNS, or unusual login times
34
Q

Predictive Analysis

A
  • Sometimes can predict an attack
  • Analyze a large amount of data quickly and see where hackers are focusing
  • Ex: evaluate the type of DNS queries you’re getting to your server, can see if it’s domestic or internationals
  • If you combine with known vulnerabilities you might be able to predict an attack
  • Not looking for a specific signature but looking for patterns, often combined with machine learning
35
Q

Threat Maps

A
  • Identify attacks and trends, a worldwide view
  • real-time
36
Q

File/Code repositories

A
  • See what hackers are building
  • Ex: GitHub
  • Sometimes ppl accidently misconfigure their repositories, attackers will look through to see if they can find vulnerable configurations to gain access to source code
37
Q

Threat Research

A
  • Know your enemy and their tools
  • A never ending process, constantly moving and changing
  • Information comes from many different place (can’t rely on a single source) Need to synthesize the information
  • Conferences
  • Academic journals
  • Local industry groups
    -Social media (ex: Honeypot monitoring on Twitter)
  • Ex: keyword monitoring (ex: bugbounty, 0-day)
38
Q

Vendor websites

A
  • Vendor websites often first to know about vulnerabilities
  • Usually a notification process when a new vulnerability is discovered
39
Q

RFC

A
  • Request for Comment
  • A way to track and formalize a set of standards that anyone on internet can use
  • Published by the ISOC (Internet Society)
  • Often written by the IETF (Internet Engineering Task Force)
  • Not all RFCs are standards documents (ex: experimental, historic)
40
Q

ISOC

A
  • Internet Society
  • Publishes RFCs (Request for Comment)
41
Q

IETF

A
  • Internet Engineering Task Force
  • Often authors RFCs (Request for Comment)
42
Q

RFC 3822

A
  • Threat Analysis of the DNS (Domain Name System)
  • By reading through these RFCs can not only understand the standards and how things are supposed to operate, but can also understand vulnerabilities
43
Q

RFC 7624

A
  • Confidentiality in the Face of Pervasive Surveillance
44
Q

TTP

A
  • Tactic, Technique and Procedure
  • Understanding how / what attackers are doing
  • Challenges: TTP will change depending on the situation