1.5 Threat Actors, Vectors, Intelligence Sources Flashcards
Actor:
- Inside the organization
- Low sophistication but high institutional knowledge
- Extensive resources
Insiders
Actor:
- Governmental
- High sophistication
- Militaristic
- APT
Nation States
Actor:
- Has a strong purpose for social change or agenda
- Can be sophisticated
- Limited funding
Hacktivists
Actor:
- Uses pre-made scripts without any technical knowledge
- No sophistication or funding
- Often do it for the fun of it
Script Kiddies
Actor:
- High sophistication
- Money motivated
- Highly illegal activities
- Highly organized
Organized Crime
Actor:
- Experts with technology
- Can be authorized or unauthorized to perform activities
Hacker
Actor:
- Rogue team that circumvents IT department
- Unencumbered and can make quick progress
- Often leads to wasted time and money, security risks, and compliance issues
Shadow IT
This term describes the general pathways by which an attacker can access a system or deliver an attack.
Attack vector
Vector:
- When an attacker is able to access a system directly via hardware
Direct access
Vector:
- Often easily accessed by poor configuration such as default admin credentials or rogue access points
Wireless
Vector:
- Most commonly exploited as it is the most successful
- Usually involves phishing attacks
Vector:
- Compromise of vendor’s system which in turn creates a vulnerability for your organization
Supply Chain
Vector:
- Vector commonly used to gather personal data to be used in other attacks
- Uses web applications such as Facebook and Twitter
Social Media
Vector:
- Physical level attack vector that involves USB drives, external hard drives, and CDs
Removable media
The process of researching threats and threat actors
Threat intelligence
This type of information is publicly available and provides a good foundational start. Includes intelligence from the internet, Gov’t agencies, and commercial data.
Open Source Intelligence (OSINT)
- This type of intelligence is generally compiled and owned by a private party
- Can often be purchased
- Can provide constant threat monitoring
Closed/Proprietary Intel
- Community managed list of vulnerabilities
- Sponsored by the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA)
Common Vulnerabilities and Exposures (CVE)
What is the US National Vulnerability Database and what does it provide over the CVE listings?
Summary of CVEs
Additional details such as patch availability and severity scoring
Information sharing centers provide a source of real-time, high quality cyber threat information. What is one example of an information sharing center?
Cyber Threat Alliance (CTA)
This is the method used by the security community to standardize and share important threat data.
Automated indicator sharing (AIS)
The “language” and syntax of AIS data that describes the cyber threat info and includes motivations, abilities, capabilities, and response info.
Structured Threat Information eXpression (STIX)
The method used for securely sharing STIX data.
Trusted Automated eXchange of Indicator Information (TAXII)
This source of intelligence is an overlay network that uses the internet but is not indexable by search engines. Houses a number of hacking groups and services.
Dark Web