J.Dion Sec. 3 Threat Actors

Question 1

An individual or entity responsible for incidents that impact security and data protection.

Answer 1

Threat actor

Question 2

Specific characteristics or properties that define and differentiate various threat actors from one another.

Answer 2

Threat actor attributes

Question 3

Individuals with limited technical expertise who use readily available tools like downloaded scripts or exploits to carry out attacks.

Answer 3

Unskilled attackers

Question 4

Cyber attackers who carry out their activities driven by political, social, or environmental ideologies who often want to draw attention to a specific cause or drive social change.

Answer 4

Hacktivists

Question 5

Well-structured groups that execute cyberattacks for financial gain, usually through methods like ransomware, identity theft, or credit card fraud.

Answer 5

Organized crime

Question 6

Highly skilled attackers that are sponsored by governments to carry out cyber espionage, sabotage, or cyber warfare against other nation states or specific targets in a variety of industries.

Answer 6

Nation-state actors

Question 7

Security threats that originate from within the organization.

Answer 7

Insider threats

Question 8

IT systems, devices, software, applications, and services that are managed and utilized without explicit organizational approval.

Answer 8

Shadow IT

Question 9

Name the 6 different types of threat vectors.

Answer 9

Message-based
Imaged-based
File-based
Voice calls
Removable devices
Use of unsecured networks

Question 10

Name the 4 deception and disruption technologies used to outsmart threat actors.

Answer 10

Honeypots
Honeynets
Honeyfiles
Honeytokens

Question 11

Decoy systems or servers designed to attract and deceive potential attackers, simulating real-world IT assets to study their techniques.

Answer 11

Honeypots

Question 12

Creates an entire network of decoy systems to observer complex, multi-stage attacks.

Answer 12

Honeynets

Question 13

Decoy files placed within systems to detect unauthorized access or data breaches.

Answer 13

Honeyfiles

Question 14

Fake pieces of data, like a fabricated user credential, inserted into databases or systems to alert administrators when they are accessed or used.

Answer 14

Honeytokens

Question 15

List the types of threat actor motivations.

Answer 15

Data exfiltration
Blackmail
Espionage
Service disruption
Financial gain
Philosophical or political beliefs
Ethical reasons
Revenge
Disruption or chaos
War

Question 16

The unauthorized transfer of data from a computer.

Answer 16

Data exfiltration

Question 17

One of the most common motivations for cybercriminals.

Answer 17

Financial gain

Question 18

What type of attacks do cybercriminals use to achieve financial gain?

Answer 18

Ransomware attacks
Banking trojans

Question 19

Type of motivation where the attacker obtains sensitive/compromising information about an individual or an organization and threatens to release this information to the public unless certain demands are met.

Answer 19

Blackmail

Question 20

This type of motivation is often achieved by Distributed Denial of Service (DDoS) attack to overwhelm a network, service, or server with excessive amounts of traffic so that it becomes unavailable to its normal users.

Answer 20

Service disruption

Question 21

This motivation type is used by individuals or groups use hacking to promote a political agenda, social change, or to protest against organizations they perceive as unethical.

Answer 21

Philosophical or Political beliefs

Question 22

Motivation type where ethical hackers, also known as, authorized hackers, are motivated by a desire to improve security.

Answer 22

Ethical reasons

Question 23

Motivation type where an employee who is disgruntled, or one who has recently been fired/laid off, might want to harm their current/former employer by causing a data breach, disrupting services, or leaking sensitive information.

Answer 23

Revenge

Question 24

Motivation type where threat actors, often referred to as unauthorized hackers, engage in malicious activities for the thrill of it, to challenge their skills, or simply to cause harm.

Answer 24

Disruption or chaos

Question 25

Motivation type that involves spying on individuals, organizations, or nations to gather sensitive or classified information.

Answer 25

Espionage

Question 26

Motivation type where cyberattacks have increasingly become a tool for nations to attack each other on/off the battlefield.

Answer 26

War

Question 27

What are the three attributes of an attacker?

Answer 27

Origin: Internal vs external
Resources and funding
Level of sophistication and capability

Question 28

Category that refers to individual/entities within an organization who pose a threat to its security.

Answer 28

Internal threat actors

Question 29

Category that refers to individuals/groups outside of an organization who attempt to breach its cybersecurity defense.

Answer 29

External threat actors

Question 30

Category that refers to the tools, skills, and personnel at the the disposal of a give threat actor.

Answer 30

Resources and Funding

Question 31

Category that refers to their technical skill, the complexity of the tools and techniques they use, and their ability to evade detection and countermeasures.

Answer 31

Level of sophistication and capability

Question 32

What level of sophistication and capability is a threat actor listed as who uses widely available tools and techniques such as the common malware or phishing attacks?

Answer 32

Low level

Question 33

An low level categorized individual with limited technical knowledge who uses pre-made software or scripts to exploit computer systems and networks without understanding the underlying principles.

Answer 33

Script Kiddie

Question 34

What type of attacks do hacktivists utilize?

Answer 34

Website defacement
DDoS attacks
Doxing
Leaking of sensitive data

Question 35

Website defacement is treated as?

Answer 35

Website vandalism

Question 36

Type of attack that releases an individuals or organizations private information such as name, home address, etc.

Answer 36

Doxxing

Question 37

What is the notable hacktivist event that occurred in 2010.

Answer 37

In 2010, the hacktivist group named Anonymous launched their Operation Payback Campaign via DDoS attacks against various organizations of digital anti-piracy efforts.

Question 38

What is the notable hacktivist event that occurred in 2011.

Answer 38

LulzSec launched a series of attacks known as “50 Days of Lulz” that targeted various organizations like Sony, CIA, FBI. The motivations were political and chaos driven.

Political motivation was against censorship and surveillance.

Question 39

Sophisticated and well-structured entities that leverage resources and technical skills for illicit gain.

Answer 39

Organized Cyber Crime Groups

Question 40

Sophisticated cybercrime group known for their advanced phishing campaigns and well crafted email and webpages to trick employees to login with their credentials or installing malware onto their systems as well as have been linked to numerous high-profile data breaches.

Answer 40

FIN7

Question 41

Sophisticated cybercrime group that has stolen over $1 billion from various banks around the world by using custom malware they created that allows the hackers to transfer money between accounts and even dispense money remotely at ATMs.

Answer 41

Carbanak group

Question 42

Groups that are sponsored by a government to conduct cyber operations against other nations, organizations, or individuals.

Answer 42

Nation-state actors

Question 43

Attack that is orchestrated in such a way that it appears to originate from a different source/group.

Answer 43

False flag attack

Question 44

Whenever we hear Advanced Persistent Threat, think

Answer 44

a prolonged and targeted cyberattack where an intruder gains unauthorized access to a network and remains undetected for an extended period of time monitoring and stealing data rather than causing immediate damage.

Question 45

Sophisticated piece of malware that was designed by the American and Israeli governments to sabotage the Iranian government’s nuclear program by causing physical damage to the centrifuges used in the uranium enrichment process.

Answer 45

Stuxnet worm

Question 46

How did the Stuxnet worm work?

Answer 46

By exploiting zero-day vulnerabilities in the Windows operating system that was used for the nuclear centrifuges enrichment process.

Question 47

Cybersecurity threats that originate from withing the organization.

Answer 47

Insider threats

Question 48

The use of information technology systems, devices, software, applications, and services without explicit organizational approval.

Answer 48

Shadow IT

Question 49

The means or pathway by which an attacker can gain unauthorized access to a computer or network to deliver a malicious payload or carry out an unwanted action.

Answer 49

Threat vector

Question 50

Encompasses all the various points where an unauthorized user can try to enter data to or extract data from an environment.

Answer 50

Attack surface

Question 51

When thinking of attack vector think

Answer 51

the how of an attack.

Question 52

When thinking of the attack surface think

Answer 52

the location of an attack.

Question 53

This threat vector type is delivered via email, simple message service, or forms of instant messaging.

Answer 53

Messages

Question 54

Threat vector that involves the embedding of malicious code inside an image file and when image is opened the malicious code is executed.

Answer 54

Images

Question 55

In 2017, cybersecurity researchers discovered this large scale image-based attack.

Answer 55

Stegano

Question 56

How did the Stegano attack work?

Answer 56

Cyber criminals embedded malicious codes within the pixels of banner ads on popular websites to exploit older Internet Explorer web browser.

Question 57

Threat vectors that involve the use of malicious files to deliver a cyber attack.

Answer 57

Files

Question 58

Threat vectors that involve the used of voice calls to trick victims into revealing their sensitive information.

Answer 58

Voice calls

Question 59

Threat vectors via removable devices such as USB.

Answer 59

Removable devices

Question 60

Threat vectors that refer to the lack of appropriate security measures to protect networks.

Answer 60

Unsecure networks

Question 61

Rogue access points of fake wifi networks that mimic an organization’s legitimate ones.

Answer 61

Evil twins

Question 62

What are 3 types of attacks for wired networks?

Answer 62

Tapping into network cables to intercept/manipulate data.
Connecting unauthorized devices by using MAC address cloning.
VLAN hopping.

Question 63

What are the exploits that have been used to attack Bluetooth technology?

Answer 63

BlueBorne
BlueSmack

Question 64

Exploit with a set of vulnerabilities in Bluetooth technology that can allow an attacker to take over devices or spread malware.

Answer 64

BlueBorne exploit

Question 65

Exploit that is a type of Denial of Service attack targeting Bluetooth-enabled devices by sending a specially crafted Logical Link Control and Adaptation Protocol packet to a target device.

Answer 65

BlueSmack exploit

Question 66

Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors.

Answer 66

Tactics, Techniques, and Procedures (TTPs)

Question 67

Technologies designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats.

Answer 67

Deceptive and Disruptive Technologies

Question 68

What are the 4 commonly used Deceptive and Disruptive Technologies used?

Answer 68

Honeypots
Honeynets
Honeyfiles
Honeytokens

Question 69

Decoy system or network set up to attract potential hackers by mimicking a real system with vulnerabilities that seem attractive to attackers.

Answer 69

Honeypot

Question 70

What is the primary purpose of a honeypot?

Answer 70

To gather information about the attacker’s methods, motives, and TTPs.
(Tactics, Techniques, and Procedures)

Question 71

Where are honeypots placed in an enterprise network?

Answer 71

Install a honeypot in an enterprise network, place it within a screened subnet or isolated segment that is easily accessed by potential hackers.

Question 72

Network of honeypots to create a more complex system that is designed to mimic an entire network of systems, including servers, routers, and switches.

Answer 72

Honeynet

Question 73

How do honeypots and honeynets work?

Answer 73

They log all activities to provide data about both successful and unsuccessful attacks against network.

Question 74

How can attackers use honeynets or honeypots against an organization’s security architecture?

Answer 74

The attacker can learn how the production systems are configured and use it to their advantage to attack the network.

Question 75

Decoy file placed within a system to lure in potential attackers.

Answer 75

Honeyfile

Question 76

What happens when an attacker accesses and opens a honeyfile?

Answer 76

An alert is triggered that notifies the security team. Some honeyfiles have embedded code that allows the security team to enumerate the attackers network.

Question 77

What are 6 types of honeyfiles?

Answer 77

Word-processing documents
Spreadsheets
Presentation files
Database files
Executables
Images

Question 78

Piece of data or a resource that has no legitimate value or use but is monitored for access or use.

Answer 78

Honeytoken

Question 79

What are 5 other strategies to help secure an enterprise network?

Answer 79

Using bogus DNS directories
Creating decoy directories
Generating dynamic pages to slow down web crawlers.
Using port triggering to hide services.
Spoofing fake telemetry data during a detected network scan.

Question 80

Fake DNS entries introduced into a system’s DNS server.

Answer 80

Bogus DNS

Question 81

Why is using Bogus DNS entries useful?

Answer 81

Administrators can mislead attackers into accessing non-existent domains or trap systems to waste the attacker’s time/resources while simultaneously alerting defenders.

Question 82

Fake folders and files placed within a system’s storage.

Answer 82

Decoy directories

Question 83

Why are Decoy directories useful?

Answer 83

When unauthorized user(s) attempt to access/modify these directories the system can raise an alert while the attacker is misled by false data.

Question 84

Used in websites to present every-changing content to web crawlers to confuse and slow down the threat actor.

Answer 84

Dynamic page generation

Question 85

Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected.

Answer 85

Port triggering

Question 86

System can respond to an attacker’s network scan attempt by sending out fake telemetry or network data.

Answer 86

Fake telemetry data

Question 87

Which of the following is a primary motivation for a hacktivist threat actor?

a. Financial gain
b. Ideological beliefs
c. Espionage
d. Service disruption

Answer 87

b. Ideological beliefs

Hacktivists are motivated by ideological, political, and philosophical beliefs and they use cybercrime as a means to promote a particular agenda/cause.

Question 88

Which attribute of a threat actor indicates the amount of financial, technological, and human resources they can use for their operations?

a. Their sophistication level
b. Their resource level
c. Their motivations
d. Their intent

Answer 88

b. Their resource level

Resource level is the attribute that reflects the depth and breadth of resources available to a threat actor.

Question 89

Which of the following threat actors primarily operates based primarily on financial motivations and is considered to be highly structured and sophisticated in their attacks?

a. Organized crime
b. Script Kiddies
c. Hacktivists
d. Nation-state actors

Answer 89

a. Organized crime

Organized cybercrime consists of groups that are primarily motivated by financial gain and typically involved in data breaches, ransomware attacks, and financial fraud.

Question 90

Which type of threat actor would BEST describe a disgruntled employee who may exploit their legitimate access for malicious purposes?

a. Unskilled attacker
b. Hacktivist
c. Insider threat
d. Nation-state actor

Answer 90

c. Insider threat

Question 91

Which deceptive technology is a piece of data or a system entity that exists solely to alert the organization when someone accesses it?

a. Honeypot
b. Honeynet
c. Honeyfile
d. Honeytoken

Answer 91

d. Honeytoken

Honeytokens are a piece of information or a system entity that is created to serve as a decoy or alert mechanism. Honeytokens sole purpose is to be accessed or used illicitly.