1.5 Threat Actors, Vectors & Intelligence Sources Flashcards
Define Advanced Persistent Threat (APT)
An advanced threat designed to infiltrate a network, stay there without detection, and perform a specific malicious action
Example of an APT
A state-sponsored group that quietly keeps access to a victim network for months to exfiltrate data; an APT is a sustained campaign or actor, not a single piece of malware such as a worm
Define Insider Threat Actors
- Threat agent has direct and potentially authorized access
- May intentionally or unintentionally facilitate an attack or breach
- Can be an internal employee or an external person who gains internal physical access
Define State Threat Actors
- Nation state or government based
- External
- Have significant resources to wage a sustained, large-scale attack
- Can be an act of war or done to influence the policy of another nation
Define Hacktivist threat actors
- A hacker/activist with a specific agenda
- External
- Can be very sophisticated, but often lack funding
- Intent/Motivation is to send a political or social message
Define Script Kiddies threat actors
- An unsophisticated attacker who downloads attacks from the Internet
- External
- Unsophisticated, lacks funding
- Motivation is notoriety or self-satisfaction of breaching an organization
Define Criminal Syndicates threat actors
- Organized crime hires hackers for financial gain
- External
- Sophisticated, well-funded
- Motivation is financial gain
Define Authorized Hackers
AKA Ethical hackers, given permission to analyze and penetrate a network to identify and strengthen any weak points
Define Un-Authorized Hackers
Malicious hackers who breach networks without permission seeking to cause damage or steal information
Define Semi-Authorized Hackers (2)
- Hackers who breach networks without permission but without malicious intent
- Often done as a type of personal research; they do not take advantage of the targets
Define Shadow IT
When employees bypass the IT Dept to implement their own technology solutions without approval or authorization
Examples of Shadow IT (2)
- Using a web-application not approved for company use by IT
- Bringing personal equipment to use on the job without IT approval
Define Competitors threat actors
- A competitor organization
- External
- Sophisticated, well-funded
- Motivation is to damage the business or its reputation to gain a competitive edge
Define Attack Vector
Method or vulnerability used by an attacker to breach a network or computer
7 most common Attack Vectors
- Direct access
- Wireless
- Email
- Supply chain
- Social Media
- Removable media
- Cloud
Define Open-source Intelligence
Researching new threats through open sources, such as the Internet and discussion groups, social media sites, or government sites
Define Closed/Proprietary intelligence
Companies that research and provide compiled security threat information for a cost
Define Vulnerability Databases as source of threat intelligence
Publicly available databases of vulnerabilities and threats
Define CVE, who sponsors it, and where it is found
- Common Vulnerabilities and Exposures: a public catalog that assigns one identifier (CVE-YYYY-NNNN) to each publicly known vulnerability
- Maintained by MITRE and sponsored by the US Department of Homeland Security (DHS) through the Cybersecurity and Infrastructure Security Agency (CISA)
- CVE entries are enriched (CVSS scores, CPE product names) and published in the US National Vulnerability Database (NVD) on the NIST website
Define public/private information sharing centers
Can be public government sites, private sites, or a membership-based organization that researches and shares data about threats and vulnerabilities
What is the Cyber Threat Alliance (CTA)?
Membership-based nonprofit in which security vendors share and evaluate threat intelligence with each other so that every member can protect its customers faster
Define Automated Indicator Sharing (AIS)
A CISA program (and the process behind it) for exchanging machine-readable cyber threat indicators securely between organizations over the Internet, using STIX for the content and TAXII for the transport
Define Structured Threat Information eXpression (STIX)
A standardized language (JSON-based in STIX 2.x) for describing threat information such as indicators, malware, attack patterns and the relationships between them
Define Trusted Automated eXchange of Intelligence Information (TAXII)
An application-layer protocol, carried over HTTPS, for exchanging STIX content between producers and consumers over public networks
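The producer/consumer exchange that AIS, STIX and TAXII describe, as an added example that is not part of the original flashcards and not code from any TAXII server or client: it builds a STIX 2.1 indicator, validates indicators pulled from an envelope shaped like a TAXII 2.1 "Get Objects" response (constructed here, with placeholder ids and addresses), and matches their IPv4 values against observed addresses. Only the standard library is used and no TAXII server is contacted; the envelope layout and object fields follow the public STIX 2.1 and TAXII 2.1 specifications as I understand them.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifiers are "<object-type>--<UUID>".
STIX_ID_RE = re.compile(
    r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# IPv4 literals inside a STIX comparison pattern, e.g. [ipv4-addr:value = '198.51.100.7']
IPV4_IN_PATTERN_RE = re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'")
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")

# Constructed sample shaped like a TAXII 2.1 envelope ("more" + "objects").
# Ids and addresses are placeholders, not real intelligence.
SAMPLE_ENVELOPE = json.dumps({
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8e2e2c4e-6a0d-4b6c-9f3f-1c2d3e4f5a6b",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "placeholder C2 addresses",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.9']",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--not-a-uuid",           # malformed id: must be rejected
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "pattern": "[domain-name:value = 'placeholder.invalid']",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",  # other object types are skipped here
         "id": "malware--3f1a9a2b-1c2d-4e5f-8a9b-0c1d2e3f4a5b",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "placeholder", "is_family": False},
    ],
})


def stix_timestamp(dt=None):
    """STIX timestamp: UTC, RFC 3339, millisecond precision, trailing Z."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(name, pattern):
    """Producer side: build a minimal STIX 2.1 Indicator with a fresh id."""
    now = stix_timestamp()
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
            "name": name, "pattern": pattern, "pattern_type": "stix", "valid_from": now}


def validate_indicator(obj):
    """Return a list of problems; an empty list means the object is usable."""
    problems = [f"missing {f}" for f in REQUIRED if f not in obj]
    if obj.get("type") != "indicator":
        problems.append("type is not indicator")
    if "id" in obj and not STIX_ID_RE.match(obj["id"]):
        problems.append("id is not <type>--<uuid>")
    if obj.get("pattern_type", "stix") != "stix":      # snort/yara patterns are not parsed here
        problems.append("only 'stix' patterns are handled")
    return problems


def extract_ipv4(pattern):
    """Pull IPv4 literals out of a STIX comparison pattern."""
    return set(IPV4_IN_PATTERN_RE.findall(pattern))


def load_envelope(text):
    """Consumer side: parse a TAXII envelope, keep valid indicators, report the rest."""
    accepted, rejected = [], []
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        problems = validate_indicator(obj)
        (rejected if problems else accepted).append((obj, problems))
    return [o for o, _ in accepted], rejected


def match_observed(indicators, observed_ips):
    """Map each observed IP found in an indicator pattern to that indicator's id."""
    hits = {}
    for ind in indicators:
        for ip in extract_ipv4(ind["pattern"]):
            if ip in observed_ips:
                hits[ip] = ind["id"]
    return hits


if __name__ == "__main__":
    good, bad = load_envelope(SAMPLE_ENVELOPE)
    for obj, problems in bad:
        print("rejected", obj.get("id"), problems)
    print("hits:", match_observed(good, {"203.0.113.9", "192.0.2.1"}))
    print(json.dumps(make_indicator("new sighting", "[ipv4-addr:value = '192.0.2.5']"), indent=1))
```

Validating before matching matters in practice: a feed is untrusted input, and an object with a malformed id or an unsupported pattern type should be logged and dropped rather than silently turned into a detection rule.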
Define Darkweb
- Websites hosted on overlay networks (such as Tor) that require specialized software to access and are not indexed by normal search engines
- A source used by hackers for illegal activity, such as hacking techniques and selling of information gathered illegally
Define Indicator of Compromise (IOC)
Abnormal activity outside of “normal” that may indicate a breach or attack
4 examples of Indicators of Compromise (IOC)
- Increase in specific network traffic
- Changes to static files
- User logins at odd times of day
- DNS record changes
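The four IOC examples above turned into detection logic, as an added example that is not part of the original flashcards: each check compares constructed sample events (placeholder logins, flows, DNS changes and file contents, not real logs) against a constructed baseline and returns what deviates from "normal". Field names, the business-hours window and the baselines are assumptions chosen for the example.

```python
import hashlib
from collections import Counter
from datetime import datetime

# Constructed sample events (placeholders, not real logs), already parsed into
# dicts the way a SIEM would present them. Timestamps are UTC, ISO 8601.
EVENTS = [
    {"type": "login", "ts": "2024-03-04T09:12:00", "user": "alice", "src": "10.0.0.5"},
    {"type": "login", "ts": "2024-03-04T03:41:00", "user": "bob", "src": "10.0.0.9"},
    {"type": "login", "ts": "2024-03-04T22:05:00", "user": "svc-backup", "src": "10.0.0.2"},
    {"type": "dns_change", "ts": "2024-03-04T03:45:00", "name": "mail.corp.example",
     "rtype": "MX", "value": "mx.placeholder.invalid"},
    {"type": "dns_change", "ts": "2024-03-04T10:00:00", "name": "www.corp.example",
     "rtype": "A", "value": "203.0.113.20"},
]
# 40 SMB flows from bob's host at 04:00 and 30 HTTPS flows during the day.
EVENTS += [{"type": "flow", "ts": "2024-03-04T04:00:00", "src": "10.0.0.9", "dport": 445}] * 40
EVENTS += [{"type": "flow", "ts": "2024-03-04T11:00:00", "src": "10.0.0.5", "dport": 443}] * 30

# Baselines the checks compare against (also constructed).
BUSINESS_HOURS = range(7, 20)                       # 07:00-19:59 UTC
FLOW_BASELINE = {445: 5, 443: 40}                   # usual daily event count per port
EXPECTED_DNS = {("www.corp.example", "A"): "203.0.113.20",
                ("mail.corp.example", "MX"): "mx.corp.example"}
STATIC_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
                "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}
KNOWN_GOOD_HASHES = {p: hashlib.sha256(d).hexdigest() for p, d in STATIC_FILES.items()}
# Contents "read from disk" now: sshd_config has been altered since the baseline.
CURRENT_FILES = {**STATIC_FILES, "/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """IOC 3: logins whose hour falls outside the business-hours window."""
    return [e for e in events if e["type"] == "login"
            and datetime.fromisoformat(e["ts"]).hour not in hours]


def traffic_spikes(events, baseline, factor=3):
    """IOC 1: destination ports whose flow count exceeds factor x baseline."""
    counts = Counter(e["dport"] for e in events if e["type"] == "flow")
    return {port: n for port, n in counts.items() if n > factor * baseline.get(port, 0)}


def changed_static_files(current, known_hashes):
    """IOC 2: files whose SHA-256 no longer matches the known-good hash."""
    return [p for p, data in current.items()
            if hashlib.sha256(data).hexdigest() != known_hashes.get(p)]


def unexpected_dns_changes(events, expected):
    """IOC 4: DNS record changes that set a value other than the expected one."""
    return [e for e in events if e["type"] == "dns_change"
            and expected.get((e["name"], e["rtype"])) != e["value"]]


def run_checks(events=EVENTS):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "off_hours_logins": off_hours_logins(events),
        "traffic_spikes": traffic_spikes(events, FLOW_BASELINE),
        "changed_static_files": changed_static_files(CURRENT_FILES, KNOWN_GOOD_HASHES),
        "dns_changes": unexpected_dns_changes(events, EXPECTED_DNS),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

Each finding alone is weak evidence (the 22:05 login by svc-backup is probably a scheduled job), which is why IOCs are correlated: here the same host, 10.0.0.9, shows an off-hours login, an SMB burst and a DNS change within minutes of each other, and that combination is what deserves an incident ticket.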
Define Predictive analysis
Using machine learning or AI to apply statistical algorithms to historical network data to detect and prevent cyber attacks in real-time
Define Threat Maps
A visual perspective of the sources and destinations of real-time attacks available online
2 ways that file/code repositories are a source of information
- Sometimes the source code of the tools hackers might use for an attack is available publicly and provides insight into the vulnerabilities hackers might exploit
- Threat agents monitor code/file repositories for source code that might be accidentally made public, instead of private, to gain insight into system vulnerabilities
How are vendor-sites a good source of threat research?
The vendors of software/hardware are often the first to know of vulnerabilities in their products and often publish these on their websites with patches
How are vulnerability feeds useful to stay updated on new threats?
Many organizations publish vulnerability feeds, such as the NVD published by NIST, that can be monitored and filtered for new vulnerabilities relevant to the software/hardware used by an organization
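Filtering a vulnerability feed against an asset inventory, as an added example that is not part of the original flashcards and not NIST's own tooling: the records are constructed to resemble the NVD JSON 2.0 API response (an assumed shape; only the fields used are filled in), the CVE ids are placeholders of the form CVE-0000-000N that describe no real vulnerability, and the inventory is invented. The code parses CPE 2.3 strings, keeps entries whose vulnerable CPE matches a deployed product and version, and applies a CVSS threshold while keeping unscored entries for manual review.

```python
import json


def _rec(cve_id, score, criteria, vulnerable=True):
    """Build one constructed NVD-2.0-style record (helper for the sample feed)."""
    metrics = {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]} if score is not None else {}
    return {"cve": {"id": cve_id, "metrics": metrics,
                    "configurations": [{"nodes": [{"cpeMatch": [
                        {"vulnerable": vulnerable, "criteria": criteria}]}]}]}}


# Constructed feed; placeholder ids, placeholder vendors and products.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    _rec("CVE-0000-0001", 9.8, "cpe:2.3:a:examplevendor:webgw:2.4.1:*:*:*:*:*:*:*"),
    _rec("CVE-0000-0002", 8.1, "cpe:2.3:a:examplevendor:webgw:3.0.0:*:*:*:*:*:*:*"),  # other version
    _rec("CVE-0000-0003", 7.5, "cpe:2.3:o:othervendor:routeros:*:*:*:*:*:*:*:*"),      # not deployed
    _rec("CVE-0000-0004", 4.3, "cpe:2.3:a:examplevendor:agent:*:*:*:*:*:*:*:*"),        # any version, low
    _rec("CVE-0000-0005", None, "cpe:2.3:a:examplevendor:agent:1.2.0:*:*:*:*:*:*:*"),  # not yet scored
]})

# Constructed asset inventory: (vendor, product) -> deployed version.
INVENTORY = {("examplevendor", "webgw"): "2.4.1", ("examplevendor", "agent"): "1.2.0"}


def parse_cpe(criteria):
    """Split a CPE 2.3 formatted string into (part, vendor, product, version)."""
    fields = criteria.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria}")
    return fields[2], fields[3], fields[4], fields[5]


def base_score(cve):
    """CVSS v3.1 base score, or None when the entry has not been scored yet."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    return metrics[0]["cvssData"]["baseScore"] if metrics else None


def affected(cve):
    """Yield (vendor, product, version) for every CPE the entry marks vulnerable."""
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    _, vendor, product, version = parse_cpe(match["criteria"])
                    yield vendor, product, version


def relevant_cves(feed_text, inventory, min_score=7.0):
    """Return [(cve_id, score, 'vendor:product')] for entries that hit the inventory.

    Entries below min_score are dropped; unscored entries are kept because an
    unscored CVE may still turn out to be critical once NVD analyzes it.
    """
    hits = []
    for entry in json.loads(feed_text)["vulnerabilities"]:
        cve = entry["cve"]
        score = base_score(cve)
        if score is not None and score < min_score:
            continue
        for vendor, product, version in affected(cve):
            deployed = inventory.get((vendor, product))
            if deployed is None or version not in ("*", deployed):
                continue                      # product not deployed, or other version
            hits.append((cve["id"], score, f"{vendor}:{product}"))
            break
    # highest score first, unscored entries at the end
    return sorted(hits, key=lambda h: (h[1] is None, -(h[1] or 0)))


if __name__ == "__main__":
    for cve_id, score, product in relevant_cves(SAMPLE_FEED, INVENTORY):
        print(f"{cve_id}\t{score}\t{product}")
```

Against a live NVD feed the same logic applies, with two caveats this sample does not show: real cpeMatch entries often use versionStartIncluding/versionEndExcluding ranges rather than a fixed version, so a production filter needs range comparison, and an inventory that lists products without exact versions will over- or under-match.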
What is the benefit of conferences on staying up to date with security threats and vulnerabilities?
Researchers present new threat/vulnerability information, and attendees can network and learn from the experience of other people in the security field
How can academic journals provide valuable threat/vulnerability information?
Academic journals offer deep dives into various security technologies and how previous threats worked in detail
How are RFCs (request for comment) relevant to threat/vulnerability information?
RFCs provide a deep understanding of how a technology works as well as vulnerabilities that exist within those standards
How are local industry groups (such as a Microsoft or Cisco user group) a valuable source of information?
They provide valuable technical information on how various vendor products work to help better understand how to apply security policies and secure configurations
How can social media be a source of information on threats/vulnerabilities?
Vendors and hacker groups might post information on newly discovered threats or active attacks on social media
Describe what a threat feed is
Many organizations, such as the US DHS and FBI, post feeds with current information about newly emerging threats that is important to monitor
Define adversarial Tactic, Technique and Procedure (TTP)
Describes adversary behavior at three levels: tactics (the attacker's goal, such as gaining initial access), techniques (how that goal is achieved) and procedures (the specific steps a given actor uses); knowing attackers' TTPs lets defenders recognize active attacks on their own network