J.Dion Sec. 3 Threat Actors Flashcards
An individual or entity responsible for incidents that impact security and data protection.
Threat actor
Specific characteristics or properties that define and differentiate various threat actors from one another.
Threat actor attributes
Individuals with limited technical expertise who use readily available tools like downloaded scripts or exploits to carry out attacks.
Unskilled attackers
Cyber attackers whose activities are driven by political, social, or environmental ideologies and who often want to draw attention to a specific cause or drive social change.
Hacktivists
Well-structured groups that execute cyberattacks for financial gain, usually through methods like ransomware, identity theft, or credit card fraud.
Organized crime
Highly skilled attackers that are sponsored by governments to carry out cyber espionage, sabotage, or cyber warfare against other nation states or specific targets in a variety of industries.
Nation-state actors
Security threats that originate from within the organization.
Insider threats
IT systems, devices, software, applications, and services that are managed and utilized without explicit organizational approval.
Shadow IT
Name the 6 different types of threat vectors.
Message-based
Image-based
File-based
Voice calls
Removable devices
Use of unsecured networks
Name the 4 deception and disruption technologies used to outsmart threat actors.
Honeypots
Honeynets
Honeyfiles
Honeytokens
Decoy systems or servers designed to attract and deceive potential attackers, simulating real-world IT assets to study their techniques.
Honeypots
Creates an entire network of decoy systems to observe complex, multi-stage attacks.
Honeynets
Decoy files placed within systems to detect unauthorized access or data breaches.
Honeyfiles
Fake pieces of data, like a fabricated user credential, inserted into databases or systems to alert administrators when they are accessed or used.
Honeytokens
List the types of threat actor motivations.
Data exfiltration
Blackmail
Espionage
Service disruption
Financial gain
Philosophical or political beliefs
Ethical reasons
Revenge
Disruption or chaos
War
The unauthorized transfer of data from a computer.
Data exfiltration
One of the most common motivations for cybercriminals.
Financial gain
What type of attacks do cybercriminals use to achieve financial gain?
Ransomware attacks
Banking trojans
Type of motivation where the attacker obtains sensitive/compromising information about an individual or an organization and threatens to release this information to the public unless certain demands are met.
Blackmail
This type of motivation is often achieved by a Distributed Denial of Service (DDoS) attack that overwhelms a network, service, or server with excessive amounts of traffic so that it becomes unavailable to its normal users.
Service disruption
This motivation type is used by individuals or groups who use hacking to promote a political agenda, social change, or to protest against organizations they perceive as unethical.
Philosophical or Political beliefs
Motivation type where ethical hackers, also known as authorized hackers, are motivated by a desire to improve security.
Ethical reasons
Motivation type where an employee who is disgruntled, or one who has recently been fired/laid off, might want to harm their current/former employer by causing a data breach, disrupting services, or leaking sensitive information.
Revenge
Motivation type where threat actors, often referred to as unauthorized hackers, engage in malicious activities for the thrill of it, to challenge their skills, or simply to cause harm.
Disruption or chaos
Motivation type that involves spying on individuals, organizations, or nations to gather sensitive or classified information.
Espionage
Motivation type where cyberattacks have increasingly become a tool for nations to attack each other on/off the battlefield.
War
What are the three attributes of an attacker?
Origin: Internal vs external
Resources and funding
Level of sophistication and capability
Category that refers to individuals/entities within an organization who pose a threat to its security.
Internal threat actors
Category that refers to individuals/groups outside of an organization who attempt to breach its cybersecurity defense.
External threat actors
Category that refers to the tools, skills, and personnel at the disposal of a given threat actor.
Resources and Funding
Category that refers to their technical skill, the complexity of the tools and techniques they use, and their ability to evade detection and countermeasures.
Level of sophistication and capability
At what level of sophistication and capability is a threat actor listed who uses widely available tools and techniques, such as common malware or phishing attacks?
Low level
A low-level categorized individual with limited technical knowledge who uses pre-made software or scripts to exploit computer systems and networks without understanding the underlying principles.
Script Kiddie
What type of attacks do hacktivists utilize?
Website defacement
DDoS attacks
Doxing
Leaking of sensitive data
Website defacement is treated as?
Website vandalism
Type of attack that releases an individual's or organization's private information, such as name, home address, etc.
Doxxing
What is the notable hacktivist event that occurred in 2010?
In 2010, the hacktivist group named Anonymous launched their Operation Payback campaign via DDoS attacks against various organizations involved in digital anti-piracy efforts.
What is the notable hacktivist event that occurred in 2011?
LulzSec launched a series of attacks known as “50 Days of Lulz” that targeted various organizations such as Sony, the CIA, and the FBI. The motivations were political and chaos-driven.
Political motivation was against censorship and surveillance.
Sophisticated and well-structured entities that leverage resources and technical skills for illicit gain.
Organized Cyber Crime Groups
Sophisticated cybercrime group known for their advanced phishing campaigns and well-crafted emails and webpages that trick employees into logging in with their credentials or installing malware onto their systems; the group has also been linked to numerous high-profile data breaches.
FIN7
Sophisticated cybercrime group that has stolen over $1 billion from various banks around the world by using custom malware they created that allows the hackers to transfer money between accounts and even dispense money remotely at ATMs.
Carbanak group
Groups that are sponsored by a government to conduct cyber operations against other nations, organizations, or individuals.
Nation-state actors
Attack that is orchestrated in such a way that it appears to originate from a different source/group.
False flag attack
Whenever we hear Advanced Persistent Threat, think
a prolonged and targeted cyberattack where an intruder gains unauthorized access to a network and remains undetected for an extended period of time monitoring and stealing data rather than causing immediate damage.
Sophisticated piece of malware that was designed by the American and Israeli governments to sabotage the Iranian government’s nuclear program by causing physical damage to the centrifuges used in the uranium enrichment process.
Stuxnet worm
How did the Stuxnet worm work?
By exploiting zero-day vulnerabilities in the Windows operating system that was used in the centrifuge-based uranium enrichment process.
Cybersecurity threats that originate from within the organization.
Insider threats
The use of information technology systems, devices, software, applications, and services without explicit organizational approval.
Shadow IT
The means or pathway by which an attacker can gain unauthorized access to a computer or network to deliver a malicious payload or carry out an unwanted action.
Threat vector
Encompasses all the various points where an unauthorized user can try to enter data into or extract data from an environment.
Attack surface
When thinking of attack vector think
the how of an attack.
When thinking of the attack surface think
the location of an attack.
This threat vector type is delivered via email, Short Message Service (SMS), or forms of instant messaging.
Messages
Threat vector that involves embedding malicious code inside an image file; when the image is opened, the malicious code is executed.
Images
In 2017, cybersecurity researchers discovered this large scale image-based attack.
Stegano
How did the Stegano attack work?
Cyber criminals embedded malicious code within the pixels of banner ads on popular websites to exploit older versions of the Internet Explorer web browser.
Threat vectors that involve the use of malicious files to deliver a cyber attack.
Files
Threat vectors that involve the use of voice calls to trick victims into revealing their sensitive information.
Voice calls
Threat vectors via removable devices such as USB drives.
Removable devices
Threat vectors that refer to the lack of appropriate security measures to protect networks.
Unsecured networks
Rogue access points or fake Wi-Fi networks that mimic an organization’s legitimate ones.
Evil twins
What are 3 types of attacks for wired networks?
Tapping into network cables to intercept/manipulate data.
Connecting unauthorized devices by using MAC address cloning.
VLAN hopping.
What are the exploits that have been used to attack Bluetooth technology?
BlueBorne
BlueSmack
Exploit with a set of vulnerabilities in Bluetooth technology that can allow an attacker to take over devices or spread malware.
BlueBorne exploit
Exploit that is a type of Denial of Service attack targeting Bluetooth-enabled devices by sending a specially crafted Logical Link Control and Adaptation Protocol packet to a target device.
BlueSmack exploit
Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors.
Tactics, Techniques, and Procedures (TTPs)
Technologies designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats.
Deceptive and Disruptive Technologies
What are the 4 commonly used Deceptive and Disruptive Technologies?
Honeypots
Honeynets
Honeyfiles
Honeytokens
Decoy system or network set up to attract potential hackers by mimicking a real system with vulnerabilities that seem attractive to attackers.
Honeypot
What is the primary purpose of a honeypot?
To gather information about the attacker’s methods, motives, and TTPs.
(Tactics, Techniques, and Procedures)
Where are honeypots placed in an enterprise network?
To install a honeypot in an enterprise network, place it within a screened subnet or isolated segment that is easily accessed by potential hackers.
Network of honeypots to create a more complex system that is designed to mimic an entire network of systems, including servers, routers, and switches.
Honeynet
How do honeypots and honeynets work?
They log all activities to provide data about both successful and unsuccessful attacks against the network.
How can attackers use honeynets or honeypots against an organization’s security architecture?
The attacker can learn how the production systems are configured and use it to their advantage to attack the network.
Decoy file placed within a system to lure in potential attackers.
Honeyfile
What happens when an attacker accesses and opens a honeyfile?
An alert is triggered that notifies the security team. Some honeyfiles have embedded code that allows the security team to enumerate the attacker's network.
What are 6 types of honeyfiles?
Word-processing documents
Spreadsheets
Presentation files
Database files
Executables
Images
Piece of data or a resource that has no legitimate value or use but is monitored for access or use.
Honeytoken
What are 5 other strategies to help secure an enterprise network?
Using bogus DNS directories
Creating decoy directories
Generating dynamic pages to slow down web crawlers.
Using port triggering to hide services.
Spoofing fake telemetry data during a detected network scan.
Fake DNS entries introduced into a system’s DNS server.
Bogus DNS
Why is using Bogus DNS entries useful?
Administrators can mislead attackers into accessing non-existent domains or trap systems to waste the attacker’s time/resources while simultaneously alerting defenders.
Fake folders and files placed within a system’s storage.
Decoy directories
Why are Decoy directories useful?
When unauthorized user(s) attempt to access/modify these directories, the system can raise an alert while the attacker is misled by false data.
Used in websites to present ever-changing content to web crawlers to confuse and slow down the threat actor.
Dynamic page generation
Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected.
Port triggering
A system can respond to an attacker’s network scan attempt by sending out fake telemetry or network data.
Fake telemetry data
Which of the following is a primary motivation for a hacktivist threat actor?
a. Financial gain
b. Ideological beliefs
c. Espionage
d. Service disruption
b. Ideological beliefs
Hacktivists are motivated by ideological, political, and philosophical beliefs and they use cybercrime as a means to promote a particular agenda/cause.
Which attribute of a threat actor indicates the amount of financial, technological, and human resources they can use for their operations?
a. Their sophistication level
b. Their resource level
c. Their motivations
d. Their intent
b. Their resource level
Resource level is the attribute that reflects the depth and breadth of resources available to a threat actor.
Which of the following threat actors operates primarily on financial motivations and is considered to be highly structured and sophisticated in their attacks?
a. Organized crime
b. Script Kiddies
c. Hacktivists
d. Nation-state actors
a. Organized crime
Organized cybercrime consists of groups that are primarily motivated by financial gain and typically involved in data breaches, ransomware attacks, and financial fraud.
Which type of threat actor would BEST describe a disgruntled employee who may exploit their legitimate access for malicious purposes?
a. Unskilled attacker
b. Hacktivist
c. Insider threat
d. Nation-state actor
c. Insider threat
Which deceptive technology is a piece of data or a system entity that exists solely to alert the organization when someone accesses it?
a. Honeypot
b. Honeynet
c. Honeyfile
d. Honeytoken
d. Honeytoken
Honeytokens are pieces of information or system entities created to serve as decoys or alert mechanisms. A honeytoken's sole purpose is to be accessed or used illicitly.