2C. Utilising Threat Modelling and Hunting methodologies obj 1.2, 3.3 Flashcards
3 ways an organisation can identify threats
1) Asset Focus
2) Threat Focus
3) Service Focus
When Threat Modelling, what key elements should we consider?
1) Adversary capabilities
2) Total Attack surface
3) possible Attack vectors
4) Impact of successful attack
5) Likelihood of attack/threat succeeding
What do we mean by Adversary Capabilities?
A classification of the resources and expertise available to the threat. MITRE have outlined some classifications:
- Acquired and Augmented
- Developed
- Advanced
- Integrated
What do we mean by Attack Surface?
This refers to the systems, devices, networks, staff, or other assets that a threat may target
What do we mean by Attack Vector?
This refers to the means an attacker uses to gain access to their target. For example, MITRE identify 3 main vectors:
1) Cyber - use of hardware/software (e.g., email phishing)
2) Human - use of social engineering to initiate an attack through coercion or impersonation, for example
3) Physical - gaining local access to premises
How is Likelihood measured?
As a probability or percentage
How is Impact measured?
As a cost value
What is Threat Reputation?
The identification and classification of threat actors based on IP addresses, domains, and file hashes associated with known malicious activity
What is Threat Hunting?
Threat Hunting is based on Assumption of Compromise. It is the search for threats that have not been identified by normal security monitoring systems.
What is the importance of establishing a Hypothesis in proactive threat hunting?
This gives analysts direction and indicates what types of TTPs they should be looking out for so that actionable results can be obtained
What is the importance of Profiling Threat Actors and Activities in proactive threat hunting?
Helps to ensure you have considered who may be a threat (e.g., hacktivist, APT, nation-state) and what their TTPs are, so you can be one step ahead with security defences and prioritisation of certain assets
What is the importance of Threat Hunting Tactics in proactive threat hunting?
The use of threat hunting tactics allows security teams to identify potential threats that might not be detected by traditional security tools, such as signature-based antivirus software or intrusion detection systems
What are some benefits to Proactive Threat Hunting?
Improves detection capabilities
- allows analysts to improve technical skills in less-pressured environment
- results from TH can be used to improve sig-based detection and identify new sources for logging
Integrated Intelligence
- TH can be used for correlating external threat intelligence with internal security intelligence (e.g., logs) to produce actionable intelligence
Reducing attack surface and blocking attack vectors
- TH may identify previously unsuspected attack vectors, or failed security controls, providing an opportunity to redesign systems
Bundling critical assets
- assets that have been identified as a likely target can be grouped together, helping reduce the attack surface as each asset does not need to be individually managed
What are some Google Hacking and Search tools to be aware of?
Google Hacking (Dorking)
- quotes
- NOT and AND/OR
- scope
- URL modifiers
Google Hacking Database
- Database of search strings optimized for locating vulnerable websites and services
Shodan
- allows users to find Internet-connected devices, scans the Internet for open ports, and monitors and tracks devices connected to the Internet to identify systems that are misconfigured and might be vulnerable to attacks
Why might Whois be of use to a threat actor?
Crafting Attacks - Whois identifies the registrant of a domain, meaning that a threat actor can use this information to craft a spear-phishing attack or aid with a social engineering attack
Recon - reveals employee info, names, emails, phone numbers, physical addresses
Identify potential business partners and suppliers
Identify expired domains