Classifying Threats Flashcards
A threat that can be identified using basic signature or pattern matching
Known Threats
Any software intentionally designed to cause damage to a computer, server,
client, or computer network
Malware
A piece of software, data or sequence of commands that takes advantage of
a vulnerability to cause unintended behavior or to gain unauthorized access
to sensitive data
Documented Exploits
A threat that cannot be identified using basic signature or pattern matching
Unknown Threats
An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong
Zero-day Exploit
Malicious code whose execution the malware author has attempted to hide
through various techniques such as compression, encryption, or encoding to
severely limit attempts to statically analyze the malware
Obfuscated Malware Code
A malware detection method that evaluates an object based on its intended
actions before it can actually execute that behavior
Behavior-based Detection
Refers to the process of combining and modifying parts of existing exploit code to
create new threats that are not as easily identified by automated scanning
Recycled Threats
A classification of malware that contains obfuscation techniques to circumvent
signature-matching and detection
Known Unknowns
A classification of malware that contains completely new attack vectors and
exploits
Unknown Unknowns
A type of threat actor that is supported by the resources of its host country’s
military and security services
Nation-state Actor
A type of threat actor that uses hacking and computer fraud for commercial gain
Organized Crime
A type of threat actor that is motivated by a social issue or political cause
Hacktivist
A type of threat actor who is assigned privileges on the system and causes an intentional or unintentional incident.
Insider threats can be either intentional or unintentional
Insider Threat
A threat actor who conducts an attack with a specific purpose
Intentional
A threat actor that causes a vulnerability or exposes an attack vector without malicious intent
Shadow IT is a form of unintentional insider threat
Unintentional
Malicious software applications that are widely available for sale or easily obtainable and usable
Commodity Malware
A vulnerability that is discovered or exploited before the vendor can issue a patch to fix it
Zero-day Vulnerability
An attacker’s ability to obtain, maintain, and diversify access to network systems
using exploits and malware
Advanced Persistent Threat (APT)
An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets
Command and Control (C2)
Blacklists of known threat sources, such as malware signatures, IP address ranges,
and DNS domains
Reputation Data
A residual sign that an asset or network has been successfully attacked or is continuing to be attacked
Indicator of Compromise (IoC)
A term used for evidence of an intrusion attempt that is in progress
Indicator of Attack (IoA)
A term that refers to the correlation of IoCs into attack patterns
Behavioral Threat Research
Behavior patterns that were used in historical cyber-attacks and adversary actions
▪ DDoS
▪ Viruses or Worms
▪ Network Reconnaissance
▪ APTs
▪ Data Exfiltration
Tactics, Techniques, and Procedures (TTP)
APT techniques to retain persistence
Port Hopping
Fast Flux DNS
An APT’s C2 application might use any port to communicate
and may jump between different ports
Port Hopping
A technique that rapidly changes the IP address associated with a
domain
Fast Flux DNS
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.
Kill chain analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage
Lockheed Martin Kill Chain
Lockheed Martin Kill Chain Stages
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control (C2)
Actions on Objectives
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)
The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization phases of the kill chain
MITRE ATT&CK Framework
A framework for analyzing cybersecurity incidents and intrusions by exploring the
relationships between four core features: adversary, capability, infrastructure,
and victim
Diamond Model of Intrusion Analysis
A standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework.
STIX is expressed in JavaScript Object Notation (JSON) format and consists of attribute: value pairs
Structured Threat Information eXpression (STIX)
A protocol for supplying codified information to automate incident detection and
analysis
Trusted Automated eXchange of Indicator Information (TAXII)
A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis
OpenIOC
MISP provides a server platform for cyber threat intelligence sharing with its own proprietary format,
supports OpenIOC definitions, and can import and export STIX over TAXII
Malware Information Sharing Project (MISP)
The process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system
Threat modeling may be used to analyze corporate networks in general or against specific targets like a website or application being deployed
Threat Modeling
A formal classification of the resources and expertise available to a threat actor
Adversary Capability
The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor
▪ The holistic network
▪ Websites or cloud-services
▪ Custom software applications
Attack Surface
A specific path by which a threat actor gains unauthorized access to a system
▪ Cyber
▪ Human
▪ Physical
Attack Vector
Likelihood - The chance of a threat being realized, usually expressed as a percentage
Impact - The cost of a security incident or disaster scenario, usually expressed as a monetary cost (dollars)
Risk
A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring
Threat Hunting
A hypothesis is derived from the threat modeling and is based on potential events with higher likelihood and higher impact
Establishing a Hypothesis
Involves the creation of scenarios that show how a prospective attacker might
attempt an intrusion and what their objectives might be
Profiling Threat Actors and Activities
Publicly available information plus the tools used to aggregate and search it
Open-Source Intelligence (OSINT)
An Open Source Intelligence (OSINT) technique used to gather email addresses for a domain
Email Harvesting
A public listing of all registered domains and their registered administrators
whois
A method of replicating DNS databases across a set of DNS servers that is often used during the reconnaissance phase of an attack
DNS Zone Transfer
Using Open Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on
DNS Harvesting
A technique used to copy the source code of website files to analyze for information and vulnerabilities
Website Harvesting