CySA+ 180.L2 - Exploring Threat Intelligence and Threat Hunting Concepts Flashcards
What is Threat intelligence and threat hunting?
strategies used to detect and protect against active threats.
Threat intelligence
describes gathering and analyzing data to help identify potential threats and determine the most effective way to mitigate them.
Threat intelligence enables the proactive identification of malicious activity and the capabilities and objectives of different threat actor groups.
Threat hunting
describes actively searching for signs of malicious activity on an organization’s network.
Threat hunting involves using various tools and techniques to search for potential threats, such as analyzing log files, monitoring suspicious traffic, and performing manual searches.
Threat actors
a person, group, or organization responsible for malicious activities.
They are often motivated by financial gain, political gain, or simply a desire to cause harm.
Threat Actor Types
- Nation-State
- Organized Crime
- Hacktivist
- Insider Threat
- Script Kiddie
- Supply Chain Access
Attacks can be characterized as either
opportunistic or targeted.
Opportunistic attacks
can be launched without much sophistication or funding, simply by using tools widely available on the Internet.
Targeted attack
uses highly sophisticated tools and might be backed by a budget that can allocate resources and skilled professionals to achieving its aims.
Nation-State
Developed cybersecurity expertise for military and commercial goals.
The goals of nation-state actors are primarily espionage and strategic advantage.
Mandiant’s APT1 report influenced understanding of modern cyberattack life cycles.
Nation-state actors have been implicated in many attacks, particularly on energy and electoral systems.
Organized Crime
Organized crime groups leverage the global nature of the Internet to conduct their illicit activities from various locations around the world, often spanning multiple jurisdictions.
Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.
Blackmail
a form of extortion where someone threatens to reveal embarrassing, damaging, or incriminating information about another person unless they are given money or some other form of benefit.
Hacktivist
A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda.
Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.
Political, media, and financial groups and companies are probably most at risk, but environmental and animal advocacy groups may target companies in a wide range of industries.
Insider Threat
an actor who has been identified by the organization and granted some sort of access.
Within this group of internal threats, you can subdivide the threat into 1) insiders with permanent privileges, such as employees, and 2) insiders with temporary privileges, such as contractors and guests.
Intentional insider - Threat Actors
An intentional insider is very much aware of their actions and has a clear intent and goal.
Unintentional insiders
An unintentional insider may cause a vulnerability to be realized by misconfiguring a system or service in IT, clicking links and opening attachments in phishing emails, or by acquiring and using unauthorized software and/or cloud services, also referred to as Shadow IT.
Script Kiddie
someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks.
Script kiddie attacks might have no specific target or reasonable goal other than gaining attention or proving technical abilities.
Supply Chain Access
A common trend observed in attacks involves identifying the vendors and/or products an organization uses on an ongoing basis.
For example, a vendor may supply software products so an attacker can work to gain access to the software supplier, whose security practices may be lackluster, to insert malicious code into the vendor software prior to delivery to the target organization.
Advanced Persistent Threat (APT)
An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time.
One of the defining characteristics of an APT is anti-forensics, where the adversary removes evidence of the attack.
Forensics
in the context of cybersecurity, refers to the process of collecting, analyzing, and interpreting digital evidence to investigate and respond to security incidents or cybercrimes.
Command and Control (C&C or C2)
the centralized system used by attackers to manage and control compromised devices or networks.
It allows attackers to issue commands, receive data, and coordinate malicious activities remotely.
Rootkit
malware that can give a threat actor the highest privileges to control your computer without your consent or knowledge.
Advanced Persistent Threat (APT) typically targets
Large organizations, such as financial institutions, companies in healthcare, and other organizations that store large volumes of personally identifiable information (PII), especially when the PII describes important government and political figures.
Historically, APTs have been observed targeting governments to carry out political objectives, interfere in elections, or spy on another country.
As APT groups are identified and profiled, they are assigned unique number identifiers and code names.
Advanced Persistent Threat (APT) - Advance Nature
They are rarely executed by lone attackers using publicly available exploits.
Advanced Persistent Threats (APTs) are typically carried out by well-resourced and organized threat actors.
APT threat groups can access considerable financial and personnel resources, including teams specializing in custom exploit development and execution.
APTs spend considerable time gathering intelligence on their targets to develop highly specific exploits.
APT groups often combine many different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer.
Most APTs are interested in maintaining access—or persistence—to networks and systems. Because of this, APTs are some of the most notorious and harmful threats to organizations and governments.
Orchestrated Attacks
APT groups often combine many different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer, for example through the use of spear-phishing emails followed by malware deployment and lateral movement within the target network.
Tactics, techniques, and procedures (TTPs)
A core concept in computer security that describes the methods threat actors or groups use when they want to compromise a target.
Cybersecurity teams leverage the documented TTPs attributed to various threat actor groups to fingerprint how adversaries conduct cyberattacks to compromise organizations.
profile, or fingerprint
Cybersecurity analysts carefully deconstruct and document methods used by well-known threat actor groups to create a profile, or fingerprint, that identifies them.
These profiles can also help improve an organization’s defensive capabilities by understanding the methods attackers will use to gain access to their environment.
TTPs - Improving Defensive Capabilities:
Understanding attacker methods enhances an organization’s defensive capabilities.
Enables organizations to anticipate and counter potential attacks more effectively.
Behavioral analysis
identifies abnormal behaviors.
Threat information feeds
provide insight into popular attack patterns and active threat actors.
This information helps defensive teams identify if any associated TTPs appear in their environments.
User and Entity Behavior Analytics (UEBA)
UEBA is a critical risk management solution that leverages ML algorithms and behavior analytics to provide comprehensive user and entity insights.
A system that can provide automated identification of suspicious activity by user accounts and computer hosts.
By delving into these insights, security teams can identify anomalies and take measures to mitigate potential impacts.
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
ATT&CK - A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.
Open-Source Intelligence (OSINT)
The collection and analysis of data gathered from open sources (overt sources and publicly available information) to produce actionable intelligence.
OSINT sources are diverse and include social media, blog posts, news articles, chat forums, and many other sources.
Once potential threats are identified, threat-intelligence sharing platforms can help identify specific details about them, such as origin, methods, and potential targets, and track how they evolve.
OSINT can allow an attacker to develop any number of strategies for compromising a target.