2 Cybersecurity Threat Landscape Flashcards
What are the attributes of threat actors? (IE SC RF MI)
Threat actors differ in several key attributes. We can classify threat actors using four major criteria. First, threat actors may be internal to the organization, or they may come from external sources. Second, threat actors differ in their level of sophistication and capability. Third, they differ in their available resources and funding. Finally, different threat actors have different motivations and levels of intent.
What sources can threat actors come from? (6)
1) Unskilled attackers using exploit code written by others
2) Highly sophisticated actors, such as the advanced persistent threat posed by nation-state actors and organized crime
3) Hacktivists, who may seek to carry out political agendas
4) Competitors, who may seek financial gain
5) Employees and other users may pose an insider threat by working from within to attack your organization.
6) The use of unapproved shadow IT systems may also expose your data to risk.
What are motivations for Attackers? (9)
1) data exfiltration
2) espionage
3) service disruption
4) blackmail
5) financial gain
6) philosophical or political beliefs
7) revenge
8) disruption, chaos, or war
9) Some attackers may believe they are behaving ethically and acting in the best interests of society.
What vectors might Attackers exploit to gain initial access to an organization? (6) W P S M C S
1) Remotely over the Internet or through a wireless connection
2) Direct physical access
3) Approaching employees over email or social media
4) Removable media used to trick employees into unintentionally compromising their networks
5) Cloud services used to spread exploits
6) Interference with an organization’s supply chain (typically by sophisticated attackers)
Threat intelligence provides organizations with valuable insight into the threat landscape. Where can security teams obtain threat intelligence? (3) P&P I A
1) public and private sources, to learn about current threats and vulnerabilities
2) indicators of compromise
3) predictive analytics on their own data
Threat intelligence teams often supplement open source and closed source intelligence that they obtain externally with their own research.
Security teams must monitor for supply chain risks. What should they pay particular attention to?
Security teams must monitor for supply chain risks. Modern enterprises depend on hardware, software, and cloud service vendors to deliver IT services to their internal and external customers. Vendor management techniques protect the supply chain against attackers seeking to compromise these external links into an organization’s network.
Security professionals should pay particular attention to risks posed by
1) outsourced code development,
2) cloud data storage, and
3) integration between external and internal systems.
What techniques are used for social engineering?
1) Phishing
2) Smishing (SMS phishing)
3) Vishing (voice phishing); all three seek to gain information using social engineering techniques.
4) Misinformation and disinformation campaigns are used to change opinions and to shift narratives.
5) Malicious actors will **impersonate** whomever they need to acquire information, to gain access or credentials, or to persuade individuals to take action.
6) Pretexting is often used with impersonation to provide a believable reason for the action or request.
7) Business email compromise and brand impersonation are both used to make malicious emails and other communications appear legitimate and thus more likely to fool targets into taking desired action.
8) Watering hole attacks focus on sites that targets frequently visit.
9) Typosquatters rely on users who make typos while entering URLs.
What are ways to acquire and crack passwords? (O, O, B)
1) Online attacks against live systems
2) Offline attacks using captured password stores
3) Brute-force attacks like spraying and dictionary attacks as well as password cracking can recover passwords in many circumstances.
4) Unencrypted or plain-text passwords and **improper or insecure storage methods** like the use of MD5 hashes make attacks even easier for attackers who can access them.
What are the main categories of cybersecurity threat actors?
Internal and External
Internal threats come from within the organization, while external threats originate from outside.
What does the term APT stand for?
Advanced Persistent Threat
APTs are often linked to nation-state attackers and involve sophisticated, ongoing attacks.
Who are white-hat hackers?
Authorized attackers who seek to discover and correct security vulnerabilities
They may be employees or contractors engaged in penetration testing.
What is a script kiddie?
A derogatory term for unskilled attackers who use automated tools for hacking
They often lack deep knowledge of hacking techniques.
What motivates organized crime in cyber activities?
Illegal financial gain
Organized crime groups typically do not embrace political causes.
What is shadow IT?
The use of technology services not approved by the organization
This often happens when employees seek to meet business needs independently.
What distinguishes hacktivists from other types of attackers?
They use hacking for activist goals and believe they are motivated by the greater good
Their activities may violate laws but are seen as justifiable.
Fill in the blank: APT attackers often conduct their own security vulnerability research in an attempt to discover _______.
[zero-day vulnerabilities]
What are insider threats?
Attacks by individuals with authorized access to information and systems
Insiders may have varying skill levels and motivations.
What is the primary focus of unskilled attackers?
Proving their skill by attacking convenient targets
They often target environments like schools.
What are the characteristics of organized crime in cyber activities?
- Motive: illegal financial gain
- Skill level: moderately to highly skilled
- Resources: more time and money than unskilled attackers
Organized crime groups are often involved in various cybercrime categories.
Which hacking group is most well-known for hacktivism?
Anonymous
They are known for collective decision-making regarding their agenda and targets.
True or False: All gray-hat hacking is legal.
False
Gray-hat hacking can still lead to criminal charges despite good intent.
What can behavioral assessments help identify?
Insider attacks
Cybersecurity teams should collaborate with HR to detect unusual behaviors.
What is a common tactic used by competitors for corporate espionage?
Using disgruntled insiders to steal sensitive information
Competitors may also purchase insider information on the dark web.
Fill in the blank: APT attacks are characterized by _______ and _______ techniques.
[advanced] and [persistent]
What is a zero-day attack?
An attack that exploits vulnerabilities unknown to product vendors
These vulnerabilities lack available patches for correction.
What is the primary goal of threat actors targeting an organization?
To gain access to the organization’s information or systems.
Define ‘attack surface.’
A system, application, or service that contains a vulnerability that threat actors might exploit.
What are ‘threat vectors’?
The means that threat actors use to obtain access.
What is the aim of security professionals regarding attack surfaces?
To reduce the size and complexity of the attack surface through effective security measures.
True or False: Phishing messages are a common example of a message-based threat vector.
True.
Name three types of message-based attacks.
- Phishing messages
- Spam messages
- Vishing attacks
What is ‘vishing’?
Voice phishing attacks conducted via phone calls.
How might attackers gain access to a wired network?
By physically entering the organization’s facilities and connecting to unsecured network jacks.
What does physical access to a component imply for security professionals?
An attacker who can physically touch a component will likely be able to compromise that device.
What is a significant risk associated with wireless networks?
Attackers can access the network from outside the organization’s facilities.
Fill in the blank: Individual systems may serve as threat vectors depending on their _______.
configuration and software installed.
What type of files may serve as threat vectors?
Files that contain embedded malicious code.
How do attackers commonly use removable media as a threat vector?
By distributing USB drives hoping someone will plug them into their computer.
What can attackers exploit in cloud services?
Files with improper access controls, security flaws, or accidentally published API keys.
What is a common tactic used by sophisticated attackers in the supply chain?
Interfering with hardware or software providers to indirectly attack an organization.
What is the challenge with supply chain attacks?
They involve risks that are difficult to anticipate and address.
True or False: Ethical attacks are motivated by a desire to expose vulnerabilities and improve security.
True.
List four motivations behind cyberattacks.
- Data exfiltration
- Espionage
- Service disruption
- Financial gain
What is the motivation behind hacktivist attacks?
Philosophical or political beliefs.
Define ‘revenge attacks.’
Attacks motivated by a desire to get even with an individual or organization.
What should organizations conduct periodically to assess threats?
Organizational threat assessments.
What do attackers seek to do in service disruption attacks?
Take down or interrupt critical systems or networks.
What are the implications of using legacy applications?
They may contain known vulnerabilities and are no longer supported by their vendor.
What is threat intelligence?
The set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.
Why is building a threat intelligence program crucial for organizations?
It helps organizations understand current threats and build appropriate defenses.
What can threat intelligence information be used for?
Predictive analysis to identify likely risks to the organization.
What are some sources of threat intelligence?
Open source intelligence (OSINT), commercial services, proprietary intelligence.
What do threat feeds provide?
Up-to-date details about threats, including technical details like IP addresses, hostnames, and CVE record numbers.
What is the purpose of vulnerability databases in threat intelligence?
They help direct an organization’s defensive efforts and provide insight into discovered exploits.
What are indicators of compromise (IoCs)?
Telltale signs that an attack has taken place, such as file signatures and log patterns.
What is open source threat intelligence?
Threat intelligence acquired from publicly available sources.
Name three sources of open source threat intelligence.
- Senki.org
- Open Threat Exchange
- MISP Threat Sharing project
True or False: The dark web uses standard Internet connections without encryption.
False
What is the Tor browser used for?
Accessing the dark web.
What is proprietary threat intelligence?
Threat intelligence created by commercial vendors or organizations that is not publicly available.
Why might an organization use proprietary intelligence?
To keep threat data secret, sell or license it, or to protect methods and sources.
What can happen if a threat feed fails?
Organizations may be exposed to threats due to outdated or unreliable information.
What is a threat map?
A geographic view of threat intelligence providing real-time insights into the cybersecurity threat landscape.
What factors should be assessed when evaluating threat intelligence?
- Timeliness
- Accuracy
- Relevance
What is a confidence score?
A summary metric that allows organizations to filter threat intelligence based on trust.
Fill in the blank: The Structured Threat Information eXpression (STIX) is an _______.
[XML language]
What does TAXII stand for?
Trusted Automated eXchange of Intelligence Information.
What are Information Sharing and Analysis Centers (ISACs)?
Organizations that help infrastructure owners share threat information.
When were ISACs introduced?
In 1998 as part of Presidential Decision Directive-63.
What should security professionals do regarding emerging cybersecurity threats?
Conduct their own research using various sources.
Name two sources for building a threat research toolkit.
- Vendor security information websites
- Academic journals and technical publications
What are adversary tactics, techniques, and procedures (TTPs)?
Information on the methods and practices used by adversaries in cyber threats.
What are some sources to consult for building a threat research toolkit?
- Vendor security information websites
- Vulnerability and threat feeds
- Academic journals
- Professional conferences
- Social media accounts of security professionals
These sources provide valuable insights into current cybersecurity threats and best practices.
What type of documents are RFC documents?
Technical specifications for Internet protocols
RFC stands for Request for Comments and these documents are crucial for understanding internet standards.
What should you focus on when researching cybersecurity threats?
Adversary tactics, techniques, and procedures (TTPs)
Understanding TTPs helps improve threat intelligence programs.
Fill in the blank: Learning more about the ways that attackers function allows you to improve your own _______.
threat intelligence program
True or False: Academic journals and technical publications are irrelevant to cybersecurity threat research.
False
Academic journals and publications provide detailed insights and research findings.
What must cybersecurity professionals understand to assess risks?
The threat landscape
Understanding the threat landscape is crucial for evaluating risks and necessary controls.
How can cybersecurity threats be classified?
Based on:
* Internal or external status
* Level of sophistication and capability
* Resources and funding
* Intent and motivation
These classifications help in understanding the nature of the threats.
What are the different forms of threat actors?
They include:
* Unsophisticated attackers
* Advanced nation-state actors
* Hacktivists
* Organized crime
* Competitors
Each type of actor has different motivations and methods.
What is a common motivation for unsophisticated attackers?
The thrill of a successful hack
Unsophisticated attackers often act for personal satisfaction rather than financial gain.
What are common threat vectors for cyberattacks?
Common vectors include:
* Email
* Social media
* Direct physical access
* Supply chain exploits
* Network-based attacks
* Other vectors
Understanding these vectors is essential for implementing effective security measures.
What should organizations build to stay updated on threats?
Robust threat intelligence programs
These programs help organizations adapt their controls against emerging threats.
True or False: Cybersecurity threats only come from external sources.
False
Threats can be internal or external, highlighting the need for comprehensive security measures.