1.5 Threat Actors, Vectors, Intelligence Sources Flashcards
Actor:
- Inside the organization
- Low sophistication but high institutional knowledge
- Extensive resources
Insiders
Actor:
- Governmental
- High sophistication
- Militaristic
- APT
Nation States
Actor:
- Has a strong purpose for social change or agenda
- Can be sophisticated
- Limited funding
Hacktivists
Actor:
- Uses pre-made scripts without any technical knowledge
- No sophistication or funding
- Often do it for the fun of it
Script Kiddies
Actor:
- High sophistication
- Money motivated
- Highly illegal activities
- Highly organized
Organized Crime
Actor:
- Experts with technology
- Can be authorized or unauthorized to perform activities
Hacker
Actor:
- Rogue team that circumvents IT department
- Unencumbered and can make quick progress
- Often leads to wasted time and money, security risks, and compliance issues
Shadow IT
This is used to describe the general pathways that an attacker can access a system or send an attack.
Attack vector
Vector:
- When an attacker is able to access a system directly via hardware
Direct access
Vector:
- Often easily accessed by poor configuration such as default admin credentials or rogue access points
Wireless
Vector:
- Most commonly exploited as it is the most successful
- Usually involves phishing attacks
Vector:
- Compromise of vendor’s system which in turn creates a vulnerability for your organization
Supply Chain
Vector:
- Vector commonly used to gather personal data to be used in other attacks
- Uses web applications such as Facebook and Twitter
Social Media
Vector:
- Physical level attack vector that involves USB drives, external hard drives, and CDs
Removable media
The process of researching threats and threat actors
threat intelligence
This type of information is publicly available and provides a good foundational start. Includes intelligence from the internet, Gov’t agencies, and commercial data.
Open Source Intelligence (OSINT)
- This type of intelligence is generally compiled and owned by a private party
- Can often be purchased
- Can provide constant threat monitoring
Closed/Proprietary Intel
- Community managed list of vulnerabilities
- Sponsored by the US Dept. of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA)
Common Vulnerabilities and Exposures (CVE)
What is the US National Vulnerability Database and what does it provide over the CVE listings?
Summary of CVEs
Additional details such as patch availability and severity scoring
Information sharing centers provide a source of real-time, high quality cyber threat information. What is one example of an information sharing center?
Cyber Threat Alliance (CTA)
This is the method used by the security community to standardize and share important threat data.
Automated indicator sharing (AIS)
The “language” and syntax of AIS data that describes the cyber threat info and includes motivations, abilities, capabilities, and response info.
Structured Threat Information eXpression (STIX)
The method used for securely sharing STIX data.
Trusted Automated eXchange of Indicator Information (TAXII)
This source of intelligence is an overlay network that uses the internet but is not indexable by search engines. Houses a number of hacking groups and services.
Dark Web
Events that indicate an intrusion. These come with high confidence.
Indicator of Compromise (IOC)
Name a few indicators of compromise on a network or system
- Unusually high network traffic
- Changes to file hash values
- Irregular international traffic
- Changes to DNS traffic
- Uncommon login patterns
- Spikes in read requests of certain files
This is a method for using big data in cybersecurity with the goal of identifying suspicious patterns and behaviours. Often combined with machine learning.
Predictive analysis
Used to identify attacks and trends from a worldwide perspective
Created from real attack data
Threat maps
This resource allows you to see what hackers are building, as well as developers who may accidentally release private code too early, revealing vulnerabilities and flaws. Can include sites such as GitHub.
File/code repositories
This is the process of getting to know your enemy when it comes to cybersecurity
Threat research
Where might you be able to find problems and vulnerabilities regarding a specific piece of software?
Vendor websites
This threat resource is a form of automated vulnerability notification that may include the National Vulnerability Database (NVD), CVE datafeeds, or a number of third-party feeds.
Vulnerability feeds
What are the benefits of attending conferences in terms of threat intelligence?
- Meet researchers and learn new methods of intelligence gathering and new technologies
- Get stories from the trenches
- Forge alliances
This intelligence resource provides cutting-edge security analysis from academic professionals, which often involves extremely detailed breakdowns of the information.
Academic journals
This threat resource is generally a way to track and formalize a set of standards to be published on the internet for anyone to use.
Request for Comments (RFC)
This type of threat resource involves the gathering of local peers, particularly in the same industry as your own, who share a geographical presence.
Local industry groups
What you are looking for when performing threat research. Involves determining how the attackers are gaining access and what they are doing once they are in.
TTP (Tactics, Techniques, and Procedures)