Assets, Vulnerabilities, Threats and Attacks Flashcards

1
Q

What is an Asset?

A

In the context of cybersecurity, an asset refers to any resource that holds value to an organisation and therefore needs protection.

Assets are either tangible or intangible and can include anything that is critical to the organisation’s operations, reputation, or security. Protecting these assets is a primary goal of cybersecurity.

The aim is to protect assets from threats such as unauthorised access, theft, damage, or disruption. Effective asset management involves identifying and prioritising assets (you cannot protect what you do not know you have), assessing the risks they face, and implementing measures to mitigate those risks.

2
Q

What is a Critical Asset?

A

A critical asset in the context of cybersecurity is an asset that is essential to the functioning, security, and success of an organisation. The loss, compromise, or disruption of a critical asset would have a significant negative impact on the organisation’s operations, reputation, financial stability, or compliance with legal and regulatory requirements.

Critical assets are often prioritised for protection because of their importance to the overall mission and objectives of the organisation.

Identifying and protecting critical assets is a key component of a robust cybersecurity strategy. Organisations often conduct risk assessments to identify which assets are critical and then implement measures to ensure their security and availability. This might include enhanced monitoring, access controls, encryption, disaster recovery plans, and other protective measures.

3
Q

What is a Tangible Asset?

A

In the context of cybersecurity, a tangible asset refers to physical hardware or infrastructure that is critical to the security and operation of an organisation’s digital environment. These assets are the physical components that support the IT infrastructure, enabling the storage, processing, and transmission of data, and they require protection both from cyber threats and physical threats.

Examples of tangible assets in cybersecurity include:

  1. Servers: Physical machines that host critical applications, databases, and services. They are central to the organisation’s operations, and their security is crucial to prevent unauthorised access or data breaches.
  2. Networking Equipment: Routers, switches, firewalls, and other hardware that control and manage the flow of data within and between networks. Securing these devices is vital to protect against attacks such as man-in-the-middle (MITM) attacks or network intrusions.
  3. Data Storage Devices: Physical devices like hard drives, solid-state drives (SSDs), and storage arrays that hold sensitive data. Protecting these from theft, tampering, or destruction is essential to prevent data loss or breaches.
  4. Workstations and End-User Devices: Computers, laptops, smartphones, and other devices used by employees to access the network. These devices must be secured to prevent malware infections, unauthorised access, and data leaks.
  5. Security Appliances: Dedicated hardware devices such as intrusion detection systems (IDS), intrusion prevention systems (IPS), and hardware security modules (HSMs) that provide specialised security functions. These appliances must be protected from physical tampering or attacks.
  6. Backup and Recovery Systems: Physical systems used to back up data and ensure business continuity, such as tape drives or dedicated backup servers. Ensuring the physical security of these systems is key to maintaining reliable recovery options in the event of a cyber incident.
  7. Software required for the delivery of a service: although it cannot be physically touched, service-delivery software is counted as a tangible asset in the classification this deck follows. Note that other schemes treat software as an intangible asset (see the intellectual property entry under intangible assets), so check which convention an organisation’s asset register uses.

In cybersecurity, tangible assets must be protected not only through traditional physical security measures (like locks, surveillance, and access controls) but also through cybersecurity measures that prevent unauthorised access, tampering, or other forms of compromise that could impact the organisation’s digital infrastructure.

4
Q

What is an Intangible Asset?

A

An intangible asset in the context of cybersecurity refers to a non-physical asset that holds value to an organisation and is crucial to its operations, reputation, or competitive advantage. Unlike tangible assets, intangible assets cannot be touched or measured physically, but they play a vital role in the success and sustainability of a business.

Examples of intangible assets in cybersecurity include:

  1. Intellectual Property (IP): This includes patents, trademarks, copyrights, trade secrets, and proprietary software or algorithms. Protecting IP is critical to maintaining a competitive edge and ensuring that the organisation’s innovations are not stolen or copied.
  2. Data: While data can be stored on physical media, the information itself is intangible. This includes customer data, financial records, research data, and other critical information that is essential to the organisation’s operations. Ensuring the confidentiality, integrity, and availability of data is a core objective in cybersecurity.
  3. Brand Reputation: An organisation’s reputation and the trust it has built with customers, partners, and the public are intangible but extremely valuable. A security breach can severely damage an organisation’s reputation, making its protection a priority.
  4. Goodwill: The value of the organisation’s relationships with customers, employees, and suppliers. Goodwill represents the reputation and customer loyalty that have been built over time. It can be significantly impacted by a cybersecurity incident.
  5. Software Licences and Digital Rights: These include the rights to use specific software, databases, or digital content. Protecting these licences from theft or misuse is essential to maintaining legal and operational integrity.
  6. Business Processes: Proprietary business methods, models, and operational procedures that provide a competitive advantage. These processes may be documented digitally, making them susceptible to cyber threats.
  7. Customer Lists and Contracts: Confidential agreements, contracts, and client information that are critical for business operations. The loss or theft of such data could lead to competitive disadvantages or legal liabilities.

In cybersecurity, protecting intangible assets involves implementing measures to safeguard data integrity, prevent unauthorised access, and ensure compliance with legal and regulatory requirements. Intangible assets are often more challenging to protect than tangible ones because they can be easily transferred, copied, or altered, making robust cybersecurity practices essential.

5
Q

What is a Vulnerability?

A

A vulnerability in the context of cybersecurity is a weakness or flaw in a system, software, hardware, or process that can be exploited by a threat actor to gain unauthorised access, cause disruption, or damage the system. Vulnerabilities can arise from various sources, such as design flaws, implementation errors, misconfigurations, or a lack of proper security controls. A vulnerability on its own causes no harm; harm occurs when a threat exploits it (see the cards on threats and attacks).

Vulnerabilities are commonly divided into either technological vulnerabilities or organisational vulnerabilities.

6
Q

What is a Technological Vulnerability?

A

A technological vulnerability refers to weaknesses in the design, implementation, or configuration of technical components like hardware or software.

7
Q

What is an Organisational Vulnerability?

A

An organisational vulnerability involves weaknesses related to people, processes, and procedures.

8
Q

What is the Window of Vulnerability?

A

The window of vulnerability is the period during which a system, application, or network is exposed to attack because of a vulnerability it contains. The window opens when the vulnerability becomes exploitable (at the latest when it is publicly disclosed, but possibly earlier if an attacker discovers it first) and closes when it is effectively mitigated on the affected system, usually through a patch, update, configuration change or compensating control.

During the window of vulnerability the system is at increased risk because attackers may exploit the weakness before it is addressed. Note that a vendor publishing a fix does not close the window; it closes only once the fix (or another mitigation) is actually applied to the system in question.

9
Q

What are Common Vulnerabilities and Exposures (CVEs)?

A

CVE (Common Vulnerabilities and Exposures) is a publicly available list of disclosed cybersecurity vulnerabilities and exposures, maintained by the MITRE Corporation and sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA). The CVE system provides a common reference method for publicly known information-security vulnerabilities: each entry is assigned a unique identifier of the form CVE-YYYY-NNNN (a four-digit year followed by a sequence number of at least four digits, so both CVE-2024-1234 and longer identifiers such as CVE-2021-44228 are valid), together with a short description and references. The identifier lets security professionals, vendors and tools refer to exactly the same vulnerability when sharing information. A CVE entry itself carries no severity rating; scores such as CVSS are added by other sources, for example the US National Vulnerability Database (NVD).
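Because CVE identifiers are matched by tools, scanners and ticketing systems, it helps to be precise about what does and does not count as one. The following is an added example written for this deck (it is not MITRE’s code): a small parser and extractor that applies the format rule above (prefix, four-digit year, sequence of at least four digits), normalises case and zero-padding, rejects years before the list began in 1999, and pulls every distinct identifier out of a block of text. The advisory text it runs on is constructed for the demonstration and its identifiers are illustrative.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not MITRE's code: a parser/validator for CVE identifiers.
# Format rule: the literal prefix "CVE", a four-digit year, and a sequence
# number of at least four digits with no fixed upper bound on its length.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the CVE list started in 1999; earlier years are bogus


@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to 4 digits
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse exactly one well-formed CVE ID, raising ValueError otherwise."""
    m = CVE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year in {text!r}")
    return CveId(year, seq)


def extract_cve_ids(text: str) -> list[CveId]:
    """Return every distinct, plausible CVE ID mentioned in free text, sorted."""
    found = set()
    for match in CVE_RE.finditer(text):
        try:
            found.add(parse_cve_id(match.group(0)))
        except ValueError:
            continue  # e.g. a pre-1999 year: matched the shape, but not a real ID
    return sorted(found)


# Constructed sample text; the identifiers are illustrative, not real advisories.
SAMPLE_ADVISORY = """
acme-server 3.4.1 fixes cve-2024-1234 and CVE-2023-12345 (remote code execution).
The earlier note for CVE-2024-1234 is superseded. Also fixed: CVE-2024-0042.
Strings such as CVE-21-1, CVE-2024-123 and CVE-1998-0001 are not valid identifiers.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```

Normalising to the canonical upper-case, zero-padded form before comparing or storing identifiers avoids the common failure where `cve-2024-1234` and `CVE-2024-1234` are treated as two different vulnerabilities.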

10
Q

What is a Threat?

A

Anything that is capable of acting in a manner that results in harm to an asset and/or organisation; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures.
(The Open Group, 2009, p. 3)

Threats usually fall into one of two categories: human or non-human (such as geological events).

Human threats can be further subdivided into either unintentional/accidental or intentional/malicious.

11
Q

What is an Attack?

A

An attack is the realisation of a threat that takes advantage of one or more vulnerabilities in order to negatively impact an organisation’s assets.

Attacks can be categorised as passive or active, and as targeted or non-targeted.

12
Q

What is a Passive Attack?

A

An attempt to learn, understand or make use of information without directly impacting the state of a system resource (Stallings and Brown, 2012).

13
Q

What is an Active Attack?

A

An attempt to alter system resources or affect their operation; for example, by modifying or destroying data, or by disrupting service through a denial-of-service attack. Merely copying data without changing it is closer to a passive attack; an active attack changes the state of the target, which typically makes it easier to detect but harder to prevent outright.

14
Q

What is an Attack Vector?

A

An attack vector is the method or pathway that a threat actor uses to gain unauthorised access to a system, network, or application in order to carry out malicious activities. It represents the route or technique that an attacker exploits to deliver a threat and compromise the security of a target.

Attack vectors can take many forms, including:

  1. Phishing: Sending fraudulent emails or messages to trick individuals into revealing sensitive information, such as login credentials or financial details.
  2. Malware: Infecting systems with malicious software, such as viruses, worms, trojans, or ransomware, to steal data, disrupt operations, or gain control of systems.
  3. Exploiting Vulnerabilities: Taking advantage of weaknesses in software, hardware, or configurations to gain unauthorised access or escalate privileges within a system.
  4. Social Engineering: Manipulating people into divulging confidential information or performing actions that compromise security, often bypassing technological safeguards.
  5. Brute Force Attacks: Repeatedly trying different combinations of passwords or encryption keys to gain access to a system.
  6. Man-in-the-Middle (MITM) Attacks: Intercepting and potentially altering communications between two parties without their knowledge.
  7. SQL Injection: Supplying crafted input through an insecure input field so that it is interpreted as part of a database query rather than as data, allowing the attacker to read, modify or delete data or to bypass authentication.
  8. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks: Overwhelming a system or network with excessive traffic to render it unusable or disrupt its normal operations.

Understanding attack vectors is crucial for organisations as it helps in identifying potential entry points for attacks and implementing appropriate security measures to defend against them.
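The SQL-injection vector in the list above is easiest to understand by seeing the vulnerable code beside its fix. The following is an added example, not code from the original deck: a login check built by string formatting, which lets attacker input change the structure of the query, next to the same check written as a parameterised query. The in-memory SQLite database, its users and the two payloads are constructed for the demonstration.

```python
import sqlite3

# Added example, not part of the original deck: the SQL-injection vector from
# the list above, shown as a vulnerable login check next to its parameterised
# fix. The in-memory database, table and credentials are constructed here.
# (Passwords are stored in clear only to keep the injection visible; a real
# system stores salted hashes.)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String formatting splices user input into the SQL text, so quotes and
    # comment markers in the input change the structure of the query.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver binds the values as data, so the SQL
    # structure is fixed before any user input is seen.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Two classic payloads (constructed for the demonstration):
TAUTOLOGY = "' OR '1'='1"   # as password: makes the WHERE clause always true
COMMENT_OUT = "alice'--"     # as username: comments out the password check

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real password:   ", login_vulnerable(conn, "alice", "correct horse battery staple"))
    print("vulnerable, tautology payload:", login_vulnerable(conn, "alice", TAUTOLOGY))
    print("vulnerable, comment payload:  ", login_vulnerable(conn, COMMENT_OUT, "wrong"))
    print("hardened, tautology payload:  ", login_hardened(conn, "alice", TAUTOLOGY))
    print("hardened, comment payload:    ", login_hardened(conn, COMMENT_OUT, "wrong"))
```

With the tautology payload the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row; with the comment payload the query becomes `... WHERE username = 'alice'--' AND password = ...`, so the password check is never evaluated. The hardened version returns false for both because the payloads are compared as literal strings. Input validation is a useful second layer, but parameterised queries are the control that actually removes the vector.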

15
Q

What is the Attack Surface?

A

The attack surface is the sum of all the points (attack vectors) through which an unauthorised user or malicious actor could try to gain access to a system, network, or application. It encompasses every exposed area where an attacker could potentially exploit vulnerabilities, including hardware, software, networks, and human factors. Reducing the attack surface (disabling unused services, removing unneeded accounts, limiting exposed interfaces) shrinks the set of vectors a defender has to protect.

The attack surface is sometimes divided into three separate surfaces:

  • Digital attack surface: attacks made possible through technological vulnerabilities; for example, those in operating systems, applications and network connections
  • Physical attack surface: attacks made possible because attackers are in the same location as the target; for example, attacking through physical access to servers, laptops, mobile phones, printers and so on
  • Social engineering attack surface: attacks made possible by exploiting human behaviour; for example, phishing or other manipulation of people into revealing credentials or granting access

16
Q

What is an Advanced Persistent Threat (APT)?

A

An Advanced Persistent Threat (APT) is a sophisticated and sustained cyber attack in which an unauthorised actor, often a nation-state or a highly organised group, gains access to a network and remains undetected for an extended period. The goal of an APT is typically to steal sensitive data, disrupt operations, or conduct espionage rather than to cause immediate, visible damage.

Key characteristics of an APT include:

  1. Advanced: APTs use a range of sophisticated and often custom-built techniques and tools to exploit vulnerabilities, evade detection, and maintain access to the target system. These may include zero-day exploits, social engineering, and other complex attack methods.
  2. Persistent: The attackers focus on maintaining long-term access to the target network. They continuously monitor and extract data over a prolonged period, often months or even years, without alerting the victim to their presence.
  3. Targeted: APTs are usually directed at high-value targets such as government agencies, defence contractors, financial institutions, and large corporations. The attackers are typically motivated by specific goals, such as stealing intellectual property, conducting espionage, or disrupting critical infrastructure.
  4. Stealthy: APTs are designed to avoid detection by traditional security measures. Attackers often use techniques like encryption, tunneling, and obfuscation to hide their activities and communicate with compromised systems covertly.

The lifecycle of an APT typically involves several stages:

  • Initial Compromise: The attackers gain access to the target network, often through phishing, exploiting vulnerabilities, or using malware.
  • Establishing a Foothold: Once inside, the attackers deploy additional tools to create backdoors or install rootkits, allowing them to maintain access even if their initial entry point is discovered.
  • Lateral Movement: The attackers move laterally within the network, escalating their privileges and compromising additional systems to reach their ultimate targets.
  • Data Exfiltration or Disruption: The attackers begin extracting valuable data or carrying out their intended objectives, such as sabotage or espionage.
  • Maintaining Persistence: The attackers establish mechanisms to ensure they can return to the network even after being discovered and removed, often by using multiple redundant access methods.

APTs represent a significant threat because of their ability to evade detection, their focus on high-value targets, and their potential to cause long-term damage. Defending against APTs requires advanced security measures, continuous monitoring, and a proactive approach to threat detection and response.

17
Q

What are the seven stages in Lockheed Martin’s Cyber Kill Chain?

A

The Lockheed Martin Cyber Kill Chain is a framework that outlines the stages of a cyber attack, helping organisations understand and defend against advanced threats. It breaks down an attack into seven distinct stages:

  1. Reconnaissance: The attacker gathers information about the target, such as identifying potential vulnerabilities, understanding the network architecture, and gathering data on employees or systems that could be exploited. This stage involves activities like scanning networks, researching publicly available information, and profiling employees through social engineering.
  2. Weaponisation: The attacker creates a malicious payload tailored to exploit the vulnerabilities identified during reconnaissance. This stage often involves crafting malware, such as a virus, worm, or Trojan, and preparing it for delivery. The payload is typically designed to bypass security measures and establish a foothold in the target’s system.
  3. Delivery: The attacker transmits the weaponised payload to the target. This can occur through various methods, such as phishing emails, malicious attachments, drive-by downloads, or direct exploitation of vulnerabilities in public-facing systems. Delivery is the stage where the attack moves from the attacker’s system to the target’s environment.
  4. Exploitation: Once the payload is delivered, the attacker exploits a vulnerability to execute the malicious code on the target system. This could involve exploiting a software flaw, bypassing security controls, or using social engineering techniques to trick a user into executing the payload.
  5. Installation: The attacker installs malware or other malicious tools on the target system to maintain access. This could include backdoors, rootkits, or other persistence mechanisms that allow the attacker to regain access even after the initial compromise is discovered and addressed.
  6. Command and Control (C2): The attacker establishes a communication channel between the compromised system and a remote server they control. This allows them to issue commands, move laterally within the network, exfiltrate data, or deploy additional payloads. The C2 channel is often encrypted or obfuscated to avoid detection by security systems.
  7. Actions on Objectives: Finally, the attacker achieves their goals, which could include stealing data, disrupting operations, destroying systems, or conducting espionage. The specific actions depend on the attacker’s motives, whether they are financially motivated, seeking information, or aiming to cause damage.

Understanding these seven stages of the Cyber Kill Chain helps organisations detect, analyse, and respond to cyber attacks at different stages, ideally stopping the attack before it progresses to the later, more damaging stages.

18
Q

What is the MITRE ATT&CK framework?

A

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a comprehensive and widely adopted knowledge base that catalogues the tactics, techniques, and procedures (TTPs) used by cyber adversaries. Developed by the MITRE Corporation, the framework provides a detailed matrix of attack techniques mapped to different stages of the cyber attack lifecycle, helping organisations understand, detect, and defend against threats.

Key aspects of the MITRE ATT&CK framework include:

  1. Tactics: These are the adversaries’ high-level objectives during an attack, representing the “why” behind their actions. Examples of tactics include Initial Access, Persistence, Privilege Escalation, Defense Evasion, and Exfiltration.
  2. Techniques: Techniques describe “how” adversaries achieve their objectives, providing more specific details on the methods used to accomplish each tactic. For example, within the Persistence tactic, techniques include Create Account (T1136) and Scheduled Task/Job (T1053).
  3. Sub-techniques: Some techniques are further broken down into sub-techniques that provide even more granular details about the specific methods an adversary might use. For instance, the Phishing technique might include sub-techniques like Spearphishing Attachment or Spearphishing Link.
  4. Procedures: These describe the specific ways in which adversaries implement techniques and sub-techniques in real-world scenarios. Procedures provide context on how a particular attack was carried out by a known threat group.
  5. Groups and Software: The framework includes profiles of known threat groups, and of the malware and tools they use, with the techniques attributed to each. This helps organisations understand the specific TTPs likely to be used by adversaries they are concerned about.
  6. Use Cases: The MITRE ATT&CK framework can be used for various purposes, including threat hunting, red teaming, and improving security operations. It provides a common language and structure for organisations to discuss and address cybersecurity threats.
  7. Community Contributions: The framework is continuously updated with contributions from the global cybersecurity community, including new techniques, adversary profiles, and real-world attack examples.

The MITRE ATT&CK framework is used by cybersecurity professionals to improve their understanding of adversary behaviors, develop more effective defenses, and enhance their threat detection and response capabilities. By mapping real-world attack scenarios to the framework, organisations can identify gaps in their security posture and take targeted actions to mitigate risks.
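The Kill Chain stages (card 17) and the ATT&CK tactics and techniques (card 18) become concrete when applied to actual log data. The following is an added example written for this deck, not code from MITRE or Lockheed Martin: it tags a handful of constructed Windows Security event lines with the ATT&CK tactic and technique they most plausibly indicate and with the Kill Chain stage that activity belongs to, then collapses the results into a tactic progression. The technique IDs are real ATT&CK identifiers, but the rule that a given event ID implies a given technique, and the log line format, are this example’s own simplifications.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Added example, not MITRE's or Lockheed Martin's code: tag constructed
# Windows Security event lines with the ATT&CK tactic and technique they most
# plausibly indicate, and note where that activity sits in the Kill Chain.
# The technique IDs are real ATT&CK IDs; the decision that a given event ID
# implies a given technique, and the log format, are this example's own
# simplifications. A production rule set is far larger and needs tuning.


@dataclass(frozen=True)
class Event:
    event_id: int
    host: str
    user: str
    detail: str


@dataclass(frozen=True)
class Finding:
    tactic: str            # ATT&CK tactic ("why")
    technique_id: str      # ATT&CK technique / sub-technique ("how")
    technique: str
    kill_chain_stage: str  # Lockheed Martin Kill Chain stage


# Event-ID rules assumed for this example.
RULES: dict[int, Finding] = {
    4720: Finding("Persistence", "T1136.001", "Create Account: Local Account", "Installation"),
    4698: Finding("Persistence", "T1053.005", "Scheduled Task/Job: Scheduled Task", "Installation"),
    1102: Finding("Defense Evasion", "T1070.001", "Indicator Removal: Clear Windows Event Logs", "Actions on Objectives"),
}


def parse_line(line: str) -> Event:
    """Parse 'EVENTID key=value key=value ...' (constructed format for this example)."""
    event_id, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return Event(int(event_id), kv.get("host", "?"), kv.get("user", "?"), kv.get("detail", ""))


def classify(event: Event) -> Optional[Finding]:
    """Map one event to an ATT&CK finding, or None if it looks benign."""
    if event.event_id == 4624 and "LogonType=10" in event.detail:
        # Logon type 10 is RemoteInteractive (RDP); an RDP logon from another
        # host is the classic lateral-movement signal.
        return Finding("Lateral Movement", "T1021.001",
                       "Remote Services: Remote Desktop Protocol", "Actions on Objectives")
    return RULES.get(event.event_id)


def analyse(log_text: str) -> list[tuple[Event, Finding]]:
    results = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        finding = classify(event)
        if finding is not None:
            results.append((event, finding))
    return results


def tactic_sequence(results: list[tuple[Event, Finding]]) -> list[str]:
    """Collapse consecutive repeats so the progression across tactics is visible."""
    seq: list[str] = []
    for _, finding in results:
        if not seq or seq[-1] != finding.tactic:
            seq.append(finding.tactic)
    return seq


# Constructed sample log: an operator creates a local account, registers a
# scheduled task, logs on to a server via RDP and then clears its audit log.
SAMPLE_LOG = """
4624 host=WS01 user=jsmith detail=LogonType=2
4720 host=WS01 user=jsmith detail=NewAccount=helpdesk2
4698 host=WS01 user=helpdesk2 detail=TaskName=Updater
4624 host=SRV02 user=helpdesk2 detail=LogonType=10;Source=WS01
1102 host=SRV02 user=helpdesk2 detail=AuditLogCleared
4624 host=WS01 user=jsmith detail=LogonType=2
"""

if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for event, f in hits:
        print(f"{event.host:5} {event.event_id} -> {f.tactic} / {f.technique_id} "
              f"{f.technique} [Kill Chain: {f.kill_chain_stage}]")
    print("tactic progression:", " -> ".join(tactic_sequence(hits)))
```

None of these events is malicious on its own (administrators create accounts and scheduled tasks every day), which is why the value lies in the sequence: Persistence, then Lateral Movement, then Defense Evasion on the host just reached. Mapping individual events to ATT&CK techniques gives a shared vocabulary; correlating them across hosts and users is what turns the mapping into a detection.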