Ch.2 - Risk Management Flashcards
Threat Source
- Adversarial
- Accidental
- Structural
- Environmental
*These threats don’t exist in isolation – One can lead to another
Adversarial
Attacks from malicious users, inside or outside the organization.
Accidental
Errors made by users who did not intend to hurt organizational security.
Structural
Failures of hardware, software, or other equipment such as environmental controls which are directly controlled by the organization.
Environmental
Natural disasters, or structural failures to resources the organization depends on but does not control, such as power or network access.
About Hackers
People bypassing security measures
Unauthorized (Black Hat)
Criminal hackers
o Break computer security for personal gain or other malicious purposes
o Steal/destroy information, spread malware, or damage your computing assets
Authorized (White Hat)
Security experts
o Practice hacking for legal purposes (finding countermeasures against hackers)
o Ethical hackers
Semi-Authorized (Grey Hat)
Hackers who are neither fully unauthorized nor authorized
o Research security flaws as recreational exercise
o No intentional harm, but don’t care if they violate law
Attacker Qualities
- Intent/Motivation: Motivated by any number of reasons (personal/financial/political)
- Sophistication/Capability Level: Some are inexperienced, relying on automated tools or simple vulnerabilities. Others mount more subtle, personalized threats.
- Resource/Funding: Attackers can work in groups toward a common cause or alone to launch major and powerful attacks on security.
- Location: Some require physical proximity to your computing resources; others can be anywhere in the world. Can be outside/inside your org.
- Target Information: Some attack randomly until they find something vulnerable. Others know your assets/vulnerabilities. Others use open-source intelligence.
Common Attacker Types
- Script Kiddies: Unskilled hackers relying on available attack tools (malicious scripts)
o Deface websites, spread malware, or interrupt services
o Against poorly secured networks, they can do even more damage
- Hacktivists: Hackers who attack organizations to further a political or ideological message
- Criminal Syndicates: Criminal hackers seeking financial gain (work as part of a larger org)
o Target resources they can sell to others
- Insiders: Employees (or former ones) who have retained network access/knowledge
o Inside thieves/embezzlers target financial resources/valuable intellectual property
o Disgruntled employees motivated by revenge want to sabotage systems/data
o Employees misusing resources (hurt performance/security)
o Employees wanting to keep their job creating problems to fix
- Nation-states: Nations employing intelligence agencies to attack rivals (orgs/business/political)
o Have unparalleled attack resources
- APT (Advanced Persistent Threat): Ongoing series of sophisticated attacks against an org
o Target orgs with high-value data
o Used by nation-states or most capable criminal groups
- Shadow IT: Many orgs have IT resources that are not managed by the IT department
o Not an attack, but can compromise org’s security
Threat Vectors
Technical methods used to enter your org and target your resources.
- AKA “Tactics, Techniques, and Procedures” (TTPs)
▪ Direct Access: Comes from source that can directly contact your resources (insiders)
▪ Wired and wireless networks: No direct access, but still affect your local network
o Remote access, data breaches, network service outages
▪ Email/Personal Communications: Email, internet messaging, telephone, other comm tools
o Mainly emails – spread malware, credential theft, phishing
▪ Social Media: Has become part of how businesses communicate with their customers/public
o Scanning postings for sensitive info, spreading misinfo, perform social engineering
▪ Supply Chains: Org’s vendors, outside contractors, customers
o Malicious trusted partner gaining direct access, business partner leaking data
▪ Removable media and mobile devices: Any kind of electronic device which can be connected to your computing/network infrastructure
▪ Cloud Services: Service on someone else’s computer
o Attacks can come from the cloud service provider or from other tenants on the same cloud
Artificial Intelligence (AI) Risks
- Most AI uses ML (Machine Learning), which uses algorithms to analyze data and learn to recognize existing patterns and map relationships
1. If training data for AI is tainted or non-representative, the trained algorithm will not respond appropriately to real-world data.
2. If ML algorithms have unknown biases or oversights introduced during development, AI will not behave appropriately regardless of how well-designed the training data set was (undetected harms).
3. An attacker who knows enough about the AI’s “thinking” can game the system by meddling with real-world data to obscure their own activities or create false alarms that keep security analysts busy.
Third-Party Risks
Any business relationship with a third party introduces risks apart from anyone attacking you.
Incident Impact
Impact if a threat acted on a given vulnerability
- Availability Loss: Disabled/compromised resource can prevent your org from achieving goals like producing goods/providing services
- Recovery Costs: Equipment/labor cost required to repair/replace asset harmed by a threat
o System is down, reduced operating capacity
- Data Loss: Damage done to data itself
- Information Disclosure: Damage done when sensitive data is exposed to untrusted parties
o Data exposure: Human error causes sensitive data to be placed in untrusted environment
o Data breach: Situation where unauthorized party accesses sensitive data
o Data exfiltration: Breach where data is copied without affecting the source data
- Identity Theft: Use of private data (personal info) at victim’s expense (can impersonate)
- Other Financial Costs: Theft of financial resources, physical assets, valuable intellectual property
- Public/Professional Reputation: Loss of customers/business partners with loss of reputation
- Legal Consequences: Failure to comply with laws/regulations leads to fines/charges
Threat Awareness
Know who will attack, asset vulnerabilities and how to mitigate threats
- Known Threats: Long-established threats (or variants of them) can breach weak security
o Rely on heavy internal monitoring
- Current Vulnerabilities: Documented vulnerabilities in hardware, software, or procedures are continually changing (stay aware)
o Use cybersecurity resources, penetration tests, vulnerability scans
- Trending Attacks: New strategies (defenses and vulnerabilities change) – Spearphishing
o Recognize and prioritize those threats
- Emerging Threat Sources: Ongoing changes in technologies/business practices
o Adapt to them – Training, update security controls, complete rethinking
- Zero-Day Vulnerabilities: Newly discovered vulnerabilities (before we know they exist)
o Need software patch or alternative mitigation strategy
Intelligence Gathering
Intelligence cycle practiced by military and gov intelligence agencies
1) Define intelligence requirements – Goals/priorities
2) Collect and process info likely to meet your requirements (process raw data)
3) Analyze processed info to turn into actionable intelligence
4) Disseminate intelligence to decision makers who can act on it
5) Generate feedback to improve next cycle
Intelligence Source Types
- Open-Source Intelligence (OSINT): Free to use and available to anyone
o Ex: public threat feeds released by security orgs, news media, websites, forums
- Closed-Source/Proprietary Intelligence: Only available to paying/exclusive customers
o Ex: Commercial threat feeds from security vendors, advice from consultants, private orgs
Threat Intelligence Types
- Strategic Intelligence: Non-technical, high-level info – focuses on big picture – slow
- Operational Intelligence: Adversaries and their actions – changes rapidly
- Tactical Intelligence: Immediate, specific threats – Short-term, highly technical
- Counterintelligence: Active security strategy pursued offensively – expensive (illegal)
Cybersecurity Information Sources
- Social Media: Twitter – excellent source for instant alerts; FB/LinkedIn – in-depth discussions
- Vendor Websites: Strong interest to keep customers updated on threats and mitigating them
- Academic Journals: Detailed knowledge of some field (technical and theoretical)
- Conferences: Excellent place to meet security professionals, expert advice, demonstrations
- Threat Actor Activities: Studying (un)successful attacks or reviewing incidents on your own
- Request for Comments (RFC): Set of IETF publications – standards, practices, protocols
Threat Intelligence Organizations
A. Computer Emergency Response Teams (CERT)
a. Expert groups that respond to security incidents or coordinate responses to widespread threats (Computer Emergency Readiness Teams)
b. Publish general-purpose security docs, alerts, tips about current threats
B. Information Sharing and Analysis Center (ISAC)
a. Organizations/communities related to CERTs, aka Information Sharing and Analysis Organizations (ISAO)
b. Each is gov or private non-profit to gather/share info – cybersecurity and threats
C. MITRE
a. US-based non-profit corporation that manages federally funded research and development centers to support government agencies such as NIST and DHS
Threat Intelligence Sources
- Data Repositories: Databases of known vulnerabilities, threat, security controls
- Vulnerability Feeds: Regularly updated/distributed sources of info about new vulnerabilities
- Threat Intelligence Feeds: Similar to vulnerability feeds, but with info about known threats
- Threat Maps: Visual maps showing real-time/recently reported cyberattacks on world map
- Predictive Analytics: Application of ML that analyzes existing data to predict future trends
Threat Indicators
Info used to describe a security vulnerability, an attack, its impact, or some other aspect
Reputational Indicator
Indicator of attack (IoA) associated with known/likely threat source
o IP address/email associated with attackers, URLs to phishing, or files to malware
Behavioural Indicator
IoA associated with a known or suspected action performed by attackers
o Unauthorized network scans, failed login attempts, phishing attempts, human behaviors
Indicator of Compromise (IoC)
Forensic data associated with malicious activity on a system or network
o Unusual login behaviors, unexpected outbound network traffic, unauthorized config change
An IoA or IoC can indicate more than the presence of an attack; it can explicitly suggest a specific threat actor or threat actor category.
Vulnerability
Weakness in a system/network that can be exploited by a threat actor
o Its target, how to exploit it, and potential impact of exploitation
Attack Framework
Systematic threat modeling processes to map how threats, vulnerabilities, and security controls in a system are likely to interact
- Defensive modeling: Begins with threats and uses them to identify potential vulnerabilities
- Attack modeling: Begins with vulnerability and finds attack path that can compromise it
Cyber Kill Chain
Models real-world network intrusions conducted by APTs
- Consists of several phases linked in sequence to represent necessary steps of successful attack
- By blocking any of those steps, you can defend against the threat as a whole
- Interrupting any one of these steps will interrupt the entire attack.
- Useful to model many attacks and teach defenders how to think about them proactively