Explain different threat actors, vectors, and intelligence sources Flashcards
What is Actors and threats
Actor == The person or entity responsible for an event that has been identified as a security incident or as a risk.
Threat == The potential for an entity to exercise a vulnerability (that is, to breach security).
What is Advanced persistent threat (APT)
An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.
What is Insider threats
A type of threat actor who has been assigned privileges on the system and who causes an intentional or unintentional incident.
What is State actors
A type of threat actor that is supported by the resources of its host country’s military and security services.
What is Hacktivists
A threat actor that is motivated by a social issue or political cause.
What is Script kiddies
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.
What is Criminal syndicates
A type of threat actor that uses hacking and computer fraud for commercial gain.
What is Hackers
Often used to refer to someone who breaks into computer systems or spreads viruses; ethical hackers prefer to think of themselves as experts on and explorers of computer security systems.
What is Authorized Hacker/White hat
A hacker engaged in authorized penetration testing or other security consultancy.
What is Unauthorized Hacker/Black hat
An unauthorized hacker operating with malicious intent.
What is Semi-authorized Hacker/Grey hat
An unauthorized hacker operating with malicious intent.
What is Shadow IT
Computer hardware, software, or services used on a private network without authorization from the system owner.
What is Competitors
A rival using hacks to gain advantage.
What is Attributes of actors
Internal/External.
Intent/Motivation.
Level of Sophistication/Capability.
Resources/Funding.
What is Internal/external
External == No account or authorized access to the target system.
Internal == One that has been granted permissions on the system.
What is Level of sophistication/capability
Level of sophistication == The ability to gather resources.
Capability == Refers to a threat actor’s ability to craft novel exploit techniques and tools.
What is Resources/funding
Resources == Customized attack tools and skilled strategists, designers, coders, hackers, and social engineers.
Funding == Access to money.
What is Intent/motivation
Intent == What an attacker hopes to achieve from the attack.
Motivation == Why the attacker is attacking.
What is Attack Vectors
A specific path by which a threat actor gains unauthorized access to a system.
What is Direct access
This is a type of physical or local attack. The threat actor could exploit an unlocked workstation, use a boot disk to try to install malicious tools, or steal a device, for example.
What is Wireless
The attacker either obtains credentials for a remote access or wireless connection to the network or cracks the security protocols used for authentication. Alternatively, the attacker spoofs a trusted resource, such as an access point, and uses it to perform credential harvesting and then uses the stolen account details to access the network.
What is Email
The attacker sends a malicious file attachment via email, or via any other communications system that allows attachments. The attacker needs to use social engineering techniques to persuade or trick the user into opening the attachment.
What is Supply chain
Rather than attack the target directly, a threat actor may seek ways to infiltrate it via companies in its supply chain. One high-profile example of this is the Target data breach, which was made via the company’s HVAC supplier.
What is Social media
Malware may be concealed in files attached to posts or presented as downloads. An attacker may also be able to compromise a site so that it automatically infects vulnerable browser software (a drive-by download). Social media may also be used more subtly, to reinforce a social engineering campaign and drive the adoption of Trojans.
What is Removable media
The attacker conceals malware on a USB thumb drive or memory card and tries to trick employees into connecting the media to a PC, laptop, or smartphone. For some exploits, simply connecting the media may be sufficient to run the malware. In many cases, the attacker may need the employee to open a file in a vulnerable application or run a setup program.
What is Cloud
Many companies now run part or all of their network services via Internet-accessible clouds. The attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider (CSP) as a way of accessing the victim system.
What is Threat intelligence sources
Open source intelligence (OSINT).
Closed/proprietary.
Vulnerability databases.
Public/private information-sharing centers.
Dark web.
Indicators of compromise.
Automated indicator sharing (AIS).
What is Open source intelligence (OSINT)
Some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort.
What is Closed/proprietary
The threat research and CTI data is made available as a paid subscription to a commercial threat intelligence platform. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars.
What is Vulnerability databases
A platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities.
What is Public/private information-sharing centers
In many critical industries, Information Sharing and Analysis Centers (ISACs) have been set up to share threat intelligence and promote best practice. These are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation. Where there is no coverage by an ISAC, local industry groups and associations may come together to provide mutual support.
What is Dark web
Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.
What is Indicators of compromise
A sign that an asset or network has been attacked or is currently under attack.
What is Automated indicator sharing (AIS)
Is a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing (us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS is based on the STIX and TAXII standards and protocols.
What is Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Indicator Information (TAXII)
STIX is an XML-structured language for expressing and sharing threat intelligence. Like TAXII, STIX is a community-driven project currently led and sponsored by the office of Cybersecurity and Communications at the United States DHS.
Trusted Automated eXchange of Indicator Information (TAXII™) is a free and open transport mechanism that standardizes the automated exchange of cyber threat information.
What is Predictive analysis
Identifying the signs of a past attack or the presence of live attack tools on a network quickly is valuable. However, one of the goals of using AI-backed threat intelligence is to perform predictive analysis, or threat forecasting. This means that the system can anticipate a particular type of attack and possibly the identity of the threat actor before the attack is fully realized.
What is Threat maps
Is an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform. Security solution providers publish such maps showing global attacks on their customers’ systems.
What is File/code repositories
A file/code repository such as virustotal.com holds signatures of known malware code. The code samples derive from live customer systems and (for public repositories) files that have been uploaded by subscribers.
What is Research sources
Academic journals.
Conferences.
Request for Comments (RFC).
Social media.
Vendor websites.
Vulnerability feeds.
Local industry groups.
Adversary tactics, techniques, and procedures.
Threat feeds.
What is Vendor websites
The website of the vendor.
What is Vulnerability feeds
As well as analyzing adversary tools and behaviors, another source of threat intelligence is identifying vulnerabilities in OS, software application, and firmware code. Security researchers look for vulnerabilities, often for the reward of bug bounties offered by the vendor. Lists of vulnerabilities are stored in databases such as Common Vulnerabilities and Exposures (CVE), operated by Mitre (cve.mitre.org). Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software.
What is Conferences
Security conferences are hosted and sponsored by various institutions and provide an opportunity for presentations on the latest threats and technologies.
What is Academic journals
Results from academic researchers and not-for-profit trade bodies and associations, such as the IEEE, are published as papers in journals. Access to these papers is usually subscription-based. One free source is the arXiv preprint repository (arxiv.org/list/cs.CR/recent). Preprints are papers that have not been published or peer reviewed.
What is Request for comments (RFC)
Request for Comments (RFC)—when a new technology is accepted as a web standard, it is published as an RFC by the W3C (rfc-editor.org). There are also informational RFCs covering many security considerations and best practices.
What is Local industry groups
Local industry partnerships to share info and data.
What is Social media
Companies and individual researchers and practitioners write informative blogs or social media feeds. There are too many useful blog and discussion sources to include here, but the list curated by Digital Guardian (digitalguardian.com/blog/top-50-infosec-blogs-you-should-be-reading) is a good starting point.
What is Threat feeds
Signatures and pattern-matching rules supplied to analysis platforms as an automated feed.
What is Adversary tactics, techniques, and procedures (TTP)
Is a generalized statement of adversary behavior. The term is derived from US military doctrine (mwi.usma.edu/what-is-army-doctrine). TTPs categorize behaviors in terms of campaign strategy and approach (tactics), generalized attack vectors (techniques), and specific intrusion tools and methods (procedures).