1.5 Threat Actors, Vectors & Intelligence Sources

Question 1

Define Advanced Persistent Threat (APT)

Answer 1

An advanced threat designed to infiltrate a network, stay there without detection, and perform a specific malicious action

Question 2

Example of an APT

Answer 2

A worm

Question 3

Define Insider Threat Actors

Answer 3

1. Threat agent has direct and potentially authorized access
2. May intentionally or unintentionally facilitate an attack or breach
3. Can be an internal employee or an external person who gains internal physical access

Question 4

Define State Threat Actors

Answer 4

1. Nation state or government based
2. External
3. Have significant resources to wage an all-out-war attack
4. Can be an act or war or done to influence policy of another nation

Question 5

Define Hacktivist threat actors

Answer 5

1. A hacker/activist with a specific agenda
2. External
3. Can be very sophisticated, but often lack funding
4. Intent/Motivation is to send a political or social message

Question 6

Define Script Kiddies threat actors

Answer 6

1. An unsophisticated attacker who downloads attacks from the Internet
2. External
3. Unsophisticated, lacks funding
4. Motivation is notoriety or self-satisfaction of breaching an organization

Question 7

Define Criminal Syndicates threat actors

Answer 7

1. Organized crime hires hackers for financial gain
2. External
3. Sophisticated, well-funded
4. Motivation is financial gain

Question 8

Define Authorized Hackers

Answer 8

AKA Ethical hackers, given permission to analyze and penetrate a network to identify and strengthen any weak points

Question 9

Define Un-Authorized Hackers

Answer 9

Malicious hackers who breach networks without permission seeking to cause damage or steal information

Question 10

Define Semi-Authorized Hackers (2)

Answer 10

1. Hackers who breach networks without permission, or malicious intent
2. Often done as a type of personal research, but doesn’t take advantage of the targets

Question 11

Define Shadow IT

Answer 11

When employees bypass the IT Dept to implement their own technology solutions without approval or authorization

Question 12

Examples of Shadow IT (2)

Answer 12

1. Using a web-application not approved for company use by IT
2. Bringing personal equipment to use on the job without IT approval

Question 13

Define Competitors threat actors

Answer 13

1. A competitor organization
2. External
3. Sophisticated, well-funded
4. Motivation is damage the business or its reputation to gain a competitive edge

Question 14

Define Attack Vector

Answer 14

Method or vulnerability used by an attacker to breach a network or computer

Question 15

7 most common Attack Vectors

Answer 15

1. Direct access
2. Wireless
3. Email
4. Supply chain
5. Social Media
6. Removable media
7. Cloud

Question 16

Define Open-source Intelligence

Answer 16

Researching new threats through open sources, such as the Internet and discussion groups, social media sites, or government sites

Question 17

Define Closed/Proprietary intelligence

Answer 17

Companies that research and provide compiled security threat information for a cost

Question 18

Define Vulnerability Databases as source of threat intelligence

Answer 18

Publicly available databases of vulnerabilities and threats

Question 19

Define CVE, who sponsors it, and where it is found

Answer 19

1. Common Vulnerabilities and Exposures database
2. Sponsored by Dept of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA)
3. Published as the Us National Vulnerability Database (NVC) on the NIST website

Question 20

Define public/private information sharing centers

Answer 20

Can be public government sites, private sites, or a membership-based organization that researches and shares data about threats and vulnerabilities

Question 21

What is the Cyber Threat Intelligence (CTA)?

Answer 21

Membership-based organization that provides the sharing and evaluation of network traffic to determine if there is an active threat or attack

Question 22

Define Automated Indicator Sharing (AIS)

Answer 22

the process to process and transfer threat information securely between organizations over the Internet

Question 23

Define Structured Threat Information eXpression (STIX)

Answer 23

a standardized format to transfer threat information details

Question 24

Define TAXII

Answer 24

A secure, trusted transport to exchange STIX over public networks

Question 25

Define Darkweb

Answer 25

1. Private websites hosted on the Internet that require specialized software to access
2. A source used by hackers for illegal activity, such as hacking techniques and selling of information gathered illegally

Question 26

Define Indicator of Compromise (IOC)

Answer 26

Abnormal activity outside of “normal” that may indicate a breach or attack

Question 27

4 examples of Indicators of Compromise (IOC)

Answer 27

1. Increase in specific network traffic
2. Changes to static files
3. User logins at odd times of day
4. DNS record changes

Question 28

Define Predictive analysis

Answer 28

Using machine learning or AI to apply statistical algorithms to historical network data to detect and prevent cyber attacks in real-time

Question 29

Define Threat Maps

Answer 29

A visual perspective of the sources and destinations of real-time attacks available online

Question 30

2 ways that file/code repositories are a source of information

Answer 30

1. Sometimes the source code of the tools hackers might use for an attack are available publicly and provide insight into vulnerabilities hackers might use
2. Threat agents monitor code/file repositories for source code that might be accidentally made public, instead of private, to gain insight into system vulnerabilities

Question 31

How are vendor-sites a good source of threat research?

Answer 31

The vendors of software/hardware are often the first to know of vulnerabilities in their products and often publish these on their websites with patches

Question 32

How are vulnerability feeds useful to stay updated on new threats?

Answer 32

Many organizations publish vulnerability feeds, such as the CVE by the NIST, that can be monitored and filtered for new threats relevant to software/hardware used by an organization

Question 33

What is the benefit of conferences on staying up to date with security threats and vulnerabilities?

Answer 33

Researchers present new threat/vulnerability information, can network and learn from peoples’ experience in the field of security

Question 34

How can academic journals provide valuable threat/vulnerability information?

Answer 34

Academic journals offer deep dives into various security technologies and how previous threats worked in detail

Question 35

How are RFCs (request for comment) relevant to threat/vulnerability information?

Answer 35

RFCs provide a deep understanding of how a technology works as well as vulnerabilities that exist within those standards

Question 36

How are local industry groups (such as a Microsoft or Cisco user group) a valuable source of information?

Answer 36

They provide valuable technical information on how various vendor products work to help better understand how to apply security policies and secure configurations

Question 37

How can social media be a source of information on threats/vulnerabilities?

Answer 37

Vendors and hacker groups might post information on newly discovered threats or active attacks on social media

Question 38

Describe what a threat feed is

Answer 38

Many organizations, such as the US DHS and FBI, post feeds with current information about newly emerging threats that is important to monitor

Question 39

Define adversarial Tactic, Technique and Procedure (TTP)

Answer 39

provides an understanding of how attackers are penetrating networks in order to recognize active attacks on your network