Explain different threat actors, vectors, and intelligence sources

Question 1

What is Actors and threats

Answer 1

Actor == The person or entity responsible for an event that has been identified as a security incident or as a risk.
Threat == The potential for an entity to exercise a vulnerability (that is, to breach security).

Question 2

What is Advanced persistent threat (APT)

Answer 2

An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.

Question 3

What is Insider threats

Answer 3

A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.

Question 4

What is State actors

Answer 4

A type of threat actor that is supported by the resources of its host country’s military and security services.

Question 5

What is Hacktivists

Answer 5

An threat actor that is motivated by a social issue or political cause.

Question 6

What is Script kiddies

Answer 6

An inexperienced, unskilled attacker that typically uses tools or scripts created by others.

Question 7

What is Criminal syndicates

Answer 7

A type of threat actor that uses hacking and computer fraud for commercial gain.

Question 8

What is Hackers

Answer 8

Often used to refer to someone who breaks into computer systems or spreads viruses, Ethical Hackers prefer to think of themselves as experts on and explorers of computer security systems.

Question 9

What is Authorized Hacker/White hat

Answer 9

A hacker engaged in authorized penetration testing or other security consultancy.

Question 10

What is Unauthorized Hacker/Black hat

Answer 10

An unauthorized hacker operating with malicious intent.

Question 11

What is Semi-authorized Hacker/Grey hat

Answer 11

An unauthorized hacker operating with malicious intent.

Question 12

What is Shadow IT

Answer 12

Computer hardware, software, or services used on a private network without authorization from the system owner.

Question 13

What is Competitors

Answer 13

A rival using hacks to gain advantage.

Question 14

What is Attributes of actors

Answer 14

Internal/External.
Intent/Motivation.
Level of Sophistication/Capability.
Resources/Funding.

Question 15

What is Internal/external

Answer 15

External == No account or authorized access to the target system.

Internal == One that has been granted permissions on the system.

Question 16

What isLevel of sophistication/capability

Answer 16

Level of sophistication == The ability to gather resources.

Capability == Refers to a threat actor’s ability to craft novel exploit techniques and tools.

Question 17

What is Resources/funding

Answer 17

Resources == Customized attack tools and skilled strategists, designers, coders, hackers, and social engineers.
Funding == Access to money.

Question 18

What is Intent/motivation

Answer 18

Intent == What an attacker hopes to achieve from the attack.

Motivation == Why the attacker is attacking.

Question 19

What is Attack Vectors

Answer 19

A specific path by which a threat actor gains unauthorized access to a system.

Question 20

What is Direct access

Answer 20

This is a type of physical or local attack. The threat actor could exploit an unlocked workstation, use a boot disk to try to install malicious tools, or steal a device, for example.

Question 21

What is Wireless

Answer 21

The attacker either obtains credentials for a remote access or wireless connection to the network or cracks the security protocols used for authentication. Alternatively, the attacker spoofs a trusted resource, such as an access point, and uses it to perform credential harvesting and then uses the stolen account details to access the network.

Question 22

What is Email

Answer 22

The attacker sends a malicious file attachment via email, or via any other communications system that allows attachments. The attacker needs to use social engineering techniques to persuade or trick the user into opening the attachment.

Question 23

What is Supply chain

Answer 23

Rather than attack the target directly, a threat actor may seek ways to infiltrate it via companies in its supply chain. One high-profile example of this is the Target data breach, which was made via the company’s HVAC supplier.

Question 24

What is Social media

Answer 24

Malware may be concealed in files attached to posts or presented as downloads. An attacker may also be able to compromise a site so that it automatically infects vulnerable browser software (a drive-by download). Social media may also be used more subtly, to reinforce a social engineering campaign and drive the adoption of Trojans.

Question 25

What is Removable media

Answer 25

The attacker conceals malware on a USB thumb drive or memory card and tries to trick employees into connecting the media to a PC, laptop, or smartphone. For some exploits, simply connecting the media may be sufficient to run the malware. In many cases, the attacker may need the employee to open a file in a vulnerable application or run a setup program.

Question 26

What is Cloud

Answer 26

Many companies now run part or all of their network services via Internet-accessible clouds. The attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider (CSP) as a way of accessing the victim system.

Question 27

What is Threat intelligence sources

Answer 27

``` Open source intelligence (OSINT) Closed/proprietary Vulnerability databases Public/private information-sharing centers Dark web Indicators of compromise Automated indicator sharing (AIS) ```

Question 28

What is Open source intelligence (OSINT)

Answer 28

Some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort.

Question 29

What is Closed/proprietary

Answer 29

The threat research and CTI data is made available as a paid subscription to a commercial threat intelligence platform. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars.

Question 30

What is Vulnerability databases

Answer 30

A platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities.

Question 31

What is Public/private information-sharing centers

Answer 31

In many critical industries, Information Sharing and Analysis Centers (ISACs) have been set up to share threat intelligence and promote best practice. These are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation. Where there is no coverage by an ISAC, local industry groups and associations may come together to provide mutual support.

Question 32

What is Dark web

Answer 32

Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.

Question 33

What is Indicators of compromise

Answer 33

A sign that an asset or network has been attacked or is currently under attack.

Question 34

What is Automated indicator sharing (AIS)

Answer 34

Is a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing (us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS is based on the STIX and TAXII standards and protocols. 

Question 35

What is Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Indicator Information (TAXII)

Answer 35

STIX an XML structured language for expressing and sharing threat intelligence. Like TAXII, STIX is a community-driven project currently led and sponsored by the office of Cybersecurity and Communications at the United States DHS. Trusted Automated eXchange of Indicator Information (TAXII™) is a free and open transport mechanism that standardizes the automated exchange of cyber threat information.

Question 36

What is Predictive analysis

Answer 36

Identifying the signs of a past attack or the presence of live attack tools on a network quickly is valuable. However, one of the goals of using AI-backed threat intelligence is to perform predictive analysis, or threat forecasting. This means that the system can anticipate a particular type of attack and possibly the identity of the threat actor before the attack is fully realized.

Question 37

What is Threat maps

Answer 37

Is an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform. The security solutions providers publish such maps showing global attacks on their customers' systems

Question 38

What is File/code repositories

Answer 38

A file/code repository such as virustotal.com holds signatures of known malware code. The code samples derive from live customer systems and (for public repositories) files that have been uploaded by subscribers.

Question 39

What is Research sources

Answer 39

``` Academic journals Conferences Request for Comments (RFC) Social media Vendor websites Vulnerability feeds Local industry groups Adversary tactics, techniques, and procedures Threat feeds ```

Question 40

What is Vendor websites

Answer 40

The website if the vendor.

Question 41

What is Vulnerability feeds

Answer 41

As well as analyzing adversary tools and behaviors, another source of threat intelligence is identifying vulnerabilities in OS, software application, and firmware code. Security researchers look for vulnerabilities, often for the reward of bug bounties offered by the vendor. Lists of vulnerabilities are stored in databases such as Common Vulnerabilities and Exposures (CVE), operated by Mitre (cve.mitre.org). Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software.

Question 42

What is Conferences

Answer 42

Security conferences are hosted and sponsored by various institutions and provide an opportunity for presentations on the latest threats and technologies.

Question 43

What is Academic journals

Answer 43

Results from academic researchers and not-for-profit trade bodies and associations, such as the IEEE, are published as papers in journals. Access to these papers is usually subscription-based. One free source is the arXiv preprint repository (arxiv.org/list/cs.CR/recent). Preprints are papers that have not been published or peer reviewed.

Question 44

What is Request for comments (RFC)

Answer 44

Request for Comments (RFC)—when a new technology is accepted as a web standard, it is published as an RFC by the W3C (rfc-editor.org). There are also informational RFCs covering many security considerations and best practices.

Question 45

What is Local industry groups

Answer 45

Local industry partnerships to share info and data.

Question 46

What is Social media

Answer 46

Companies and individual researchers and practitioners write informative blogs or social media feeds. There are too many useful blog and discussion sources to include here, but the list curated by Digital Guardian (digitalguardian.com/blog/top-50-infosec-blogs-you-should-be-reading) is a good starting point.

Question 47

What is Threat feeds

Answer 47

Signatures and pattern-matching rules supplied to analysis platforms as an automated feed.

Question 48

What is Adversary tactics, techniques, and procedures (TTP)

Answer 48

Is a generalized statement of adversary behavior. The term is derived from US military doctrine (mwi.usma.edu/what-is-army-doctrine). TTPs categorize behaviors in terms of campaign strategy and approach (tactics), generalized attack vectors (techniques), and specific intrusion tools and methods (procedures).