J.Dion Sec. 3 Threat Actors Flashcards

1
Q

An individual or entity responsible for incidents that impact security and data protection.

A

Threat actor

2
Q

Specific characteristics or properties that define and differentiate various threat actors from one another.

A

Threat actor attributes

3
Q

Individuals with limited technical expertise who use readily available tools like downloaded scripts or exploits to carry out attacks.

A

Unskilled attackers

4
Q

Cyber attackers who carry out their activities driven by political, social, or environmental ideologies, and who often want to draw attention to a specific cause or drive social change.

A

Hacktivists

5
Q

Well-structured groups that execute cyberattacks for financial gain, usually through methods like ransomware, identity theft, or credit card fraud.

A

Organized crime

6
Q

Highly skilled attackers that are sponsored by governments to carry out cyber espionage, sabotage, or cyber warfare against other nation states or specific targets in a variety of industries.

A

Nation-state actors

7
Q

Security threats that originate from within the organization.

A

Insider threats

8
Q

IT systems, devices, software, applications, and services that are managed and utilized without explicit organizational approval.

A

Shadow IT

9
Q

Name the 6 different types of threat vectors.

A

Message-based
Image-based
File-based
Voice calls
Removable devices
Use of unsecured networks

10
Q

Name the 4 deception and disruption technologies used to outsmart threat actors.

A

Honeypots
Honeynets
Honeyfiles
Honeytokens

11
Q

Decoy systems or servers designed to attract and deceive potential attackers, simulating real-world IT assets to study their techniques.

A

Honeypots

12
Q

Creates an entire network of decoy systems to observe complex, multi-stage attacks.

A

Honeynets

13
Q

Decoy files placed within systems to detect unauthorized access or data breaches.

A

Honeyfiles

14
Q

Fake pieces of data, like a fabricated user credential, inserted into databases or systems to alert administrators when they are accessed or used.

A

Honeytokens

15
Q

List the types of threat actor motivations.

A

Data exfiltration
Blackmail
Espionage
Service disruption
Financial gain
Philosophical or political beliefs
Ethical reasons
Revenge
Disruption or chaos
War

16
Q

The unauthorized transfer of data from a computer.

A

Data exfiltration

17
Q

One of the most common motivations for cybercriminals.

A

Financial gain

18
Q

What type of attacks do cybercriminals use to achieve financial gain?

A

Ransomware attacks
Banking trojans

19
Q

Type of motivation where the attacker obtains sensitive/compromising information about an individual or an organization and threatens to release this information to the public unless certain demands are met.

A

Blackmail

20
Q

This type of motivation is often achieved by a Distributed Denial of Service (DDoS) attack that overwhelms a network, service, or server with excessive amounts of traffic so that it becomes unavailable to its normal users.

A

Service disruption

21
Q

This motivation type applies to individuals or groups who use hacking to promote a political agenda, bring about social change, or protest against organizations they perceive as unethical.

A

Philosophical or Political beliefs

22
Q

Motivation type where ethical hackers, also known as authorized hackers, are motivated by a desire to improve security.

A

Ethical reasons

23
Q

Motivation type where an employee who is disgruntled, or one who has recently been fired/laid off, might want to harm their current/former employer by causing a data breach, disrupting services, or leaking sensitive information.

A

Revenge

24
Q

Motivation type where threat actors, often referred to as unauthorized hackers, engage in malicious activities for the thrill of it, to challenge their skills, or simply to cause harm.

A

Disruption or chaos

25
Q

Motivation type that involves spying on individuals, organizations, or nations to gather sensitive or classified information.

A

Espionage

26
Q

Motivation type where cyberattacks have increasingly become a tool for nations to attack each other on and off the battlefield.

A

War

27
Q

What are the three attributes of an attacker?

A

Origin: internal vs. external
Resources and funding
Level of sophistication and capability

28
Q

Category that refers to individuals/entities within an organization who pose a threat to its security.

A

Internal threat actors

29
Q

Category that refers to individuals/groups outside of an organization who attempt to breach its cybersecurity defenses.

A

External threat actors

30
Q

Category that refers to the tools, skills, and personnel at the disposal of a given threat actor.

A

Resources and funding

31
Q

Category that refers to a threat actor's technical skill, the complexity of the tools and techniques they use, and their ability to evade detection and countermeasures.

A

Level of sophistication and capability

32
Q

What level of sophistication and capability is a threat actor listed as when they use widely available tools and techniques, such as common malware or phishing attacks?

A

Low level

33
Q

A low-level individual with limited technical knowledge who uses pre-made software or scripts to exploit computer systems and networks without understanding the underlying principles.

A

Script kiddie

34
Q

What types of attacks do hacktivists utilize?

A

Website defacement
DDoS attacks
Doxing
Leaking of sensitive data

35
Q

Website defacement is treated as what?

A

Website vandalism

36
Q

Type of attack that releases an individual's or organization's private information, such as name, home address, etc.

A

Doxxing

37
Q

What notable hacktivist event occurred in 2010?

A

In 2010, the hacktivist group Anonymous launched its Operation Payback campaign, a series of DDoS attacks against various organizations involved in digital anti-piracy efforts.

38
Q

What notable hacktivist event occurred in 2011?

A

LulzSec launched a series of attacks known as "50 Days of Lulz" that targeted various organizations such as Sony, the CIA, and the FBI. The motivations were political and chaos driven; the political motivation was opposition to censorship and surveillance.
39
Q

Sophisticated and well-structured entities that leverage resources and technical skills for illicit gain.

A

Organized cybercrime groups

40
Q

Sophisticated cybercrime group known for advanced phishing campaigns and well-crafted emails and webpages that trick employees into logging in with their credentials or installing malware onto their systems; the group has been linked to numerous high-profile data breaches.

A

FIN7

41
Q

Sophisticated cybercrime group that has stolen over $1 billion from various banks around the world using custom malware they created, which allows the hackers to transfer money between accounts and even dispense money remotely at ATMs.

A

Carbanak group

42
Q

Groups that are sponsored by a government to conduct cyber operations against other nations, organizations, or individuals.

A

Nation-state actors

43
Q

Attack that is orchestrated in such a way that it appears to originate from a different source or group.

A

False flag attack

44
Q

Whenever we hear Advanced Persistent Threat, think:

A

A prolonged and targeted cyberattack in which an intruder gains unauthorized access to a network and remains undetected for an extended period of time, monitoring and stealing data rather than causing immediate damage.

45
Q

Sophisticated piece of malware that was designed by the American and Israeli governments to sabotage the Iranian government's nuclear program by causing physical damage to the centrifuges used in the uranium enrichment process.

A

Stuxnet worm

46
Q

How did the Stuxnet worm work?

A

By exploiting zero-day vulnerabilities in the Windows operating system that was used for the nuclear centrifuge enrichment process.

47
Q

Cybersecurity threats that originate from within the organization.

A

Insider threats

48
Q

The use of information technology systems, devices, software, applications, and services without explicit organizational approval.

A

Shadow IT

49
Q

The means or pathway by which an attacker can gain unauthorized access to a computer or network to deliver a malicious payload or carry out an unwanted action.

A

Threat vector

50
Q

Encompasses all the various points where an unauthorized user can try to enter data into or extract data from an environment.

A

Attack surface

51
Q

When thinking of an attack vector, think:

A

The "how" of an attack.

52
Q

When thinking of the attack surface, think:

A

The location of an attack.
53
Q

This threat vector type is delivered via email, simple message service, or forms of instant messaging.

A

Messages

54
Q

Threat vector that involves embedding malicious code inside an image file; when the image is opened, the malicious code is executed.

A

Images

55
Q

In 2017, cybersecurity researchers discovered this large-scale image-based attack.

A

Stegano

56
Q

How did the Stegano attack work?

A

Cybercriminals embedded malicious code within the pixels of banner ads on popular websites to exploit older versions of the Internet Explorer web browser.

57
Q

Threat vectors that involve the use of malicious files to deliver a cyber attack.

A

Files

58
Q

Threat vectors that involve the use of voice calls to trick victims into revealing their sensitive information.

A

Voice calls

59
Q

Threat vectors via removable devices such as USB drives.

A

Removable devices

60
Q

Threat vectors that refer to the lack of appropriate security measures to protect networks.

A

Unsecure networks

61
Q

Rogue access points or fake Wi-Fi networks that mimic an organization's legitimate ones.

A

Evil twins

62
Q

What are 3 types of attacks on wired networks?

A

Tapping into network cables to intercept/manipulate data
Connecting unauthorized devices by using MAC address cloning
VLAN hopping

63
Q

What exploits have been used to attack Bluetooth technology?

A

BlueBorne
BlueSmack

64
Q

Exploit consisting of a set of vulnerabilities in Bluetooth technology that can allow an attacker to take over devices or spread malware.

A

BlueBorne exploit

65
Q

Exploit that is a type of Denial of Service attack targeting Bluetooth-enabled devices by sending a specially crafted Logical Link Control and Adaptation Protocol packet to a target device.

A

BlueSmack exploit

66
Q

Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors.

A

Tactics, Techniques, and Procedures (TTPs)

67
Q

Technologies designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats.

A

Deceptive and disruptive technologies

68
Q

What are the 4 commonly used deceptive and disruptive technologies?

A

Honeypots
Honeynets
Honeyfiles
Honeytokens
69
Q

Decoy system or network set up to attract potential hackers by mimicking a real system with vulnerabilities that seem attractive to attackers.

A

Honeypot

70
Q

What is the primary purpose of a honeypot?

A

To gather information about the attacker's methods, motives, and TTPs (Tactics, Techniques, and Procedures).

71
Q

Where are honeypots placed in an enterprise network?

A

When installing a honeypot in an enterprise network, place it within a screened subnet or isolated segment that is easily accessed by potential hackers.

72
Q

Network of honeypots combined to create a more complex system that is designed to mimic an entire network of systems, including servers, routers, and switches.

A

Honeynet

73
Q

How do honeypots and honeynets work?

A

They log all activity to provide data about both successful and unsuccessful attacks against the network.

74
Q

How can attackers use honeynets or honeypots against an organization's security architecture?

A

The attacker can learn how the production systems are configured and use that knowledge to their advantage when attacking the network.

75
Q

Decoy file placed within a system to lure in potential attackers.

A

Honeyfile

76
Q

What happens when an attacker accesses and opens a honeyfile?

A

An alert is triggered that notifies the security team. Some honeyfiles have embedded code that allows the security team to enumerate the attacker's network.

77
Q

What are 6 types of honeyfiles?

A

Word-processing documents
Spreadsheets
Presentation files
Database files
Executables
Images

78
Q

Piece of data or a resource that has no legitimate value or use but is monitored for access or use.

A

Honeytoken

79
Q

What are 5 other strategies to help secure an enterprise network?

A

Using bogus DNS directories
Creating decoy directories
Generating dynamic pages to slow down web crawlers
Using port triggering to hide services
Spoofing fake telemetry data during a detected network scan

80
Q

Fake DNS entries introduced into a system's DNS server.

A

Bogus DNS

81
Q

Why is using bogus DNS entries useful?

A

Administrators can mislead attackers into accessing non-existent domains or trap systems, wasting the attacker's time and resources while simultaneously alerting defenders.

82
Q

Fake folders and files placed within a system's storage.

A

Decoy directories

83
Q

Why are decoy directories useful?

A

When unauthorized users attempt to access or modify these directories, the system can raise an alert while the attacker is misled by false data.

84
Q

Used in websites to present ever-changing content to web crawlers to confuse and slow down the threat actor.

A

Dynamic page generation

85
Q

Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected.

A

Port triggering

86
Q

A system can respond to an attacker's network scan attempt by sending out fake telemetry or network data.

A

Fake telemetry data
87
Q

Which of the following is a primary motivation for a hacktivist threat actor?
a. Financial gain
b. Ideological beliefs
c. Espionage
d. Service disruption

A

b. Ideological beliefs
Hacktivists are motivated by ideological, political, and philosophical beliefs, and they use cybercrime as a means to promote a particular agenda or cause.

88
Q

Which attribute of a threat actor indicates the amount of financial, technological, and human resources they can use for their operations?
a. Their sophistication level
b. Their resource level
c. Their motivations
d. Their intent

A

b. Their resource level
Resource level is the attribute that reflects the depth and breadth of resources available to a threat actor.

89
Q

Which of the following threat actors operates based primarily on financial motivations and is considered to be highly structured and sophisticated in their attacks?
a. Organized crime
b. Script kiddies
c. Hacktivists
d. Nation-state actors

A

a. Organized crime
Organized cybercrime consists of groups that are primarily motivated by financial gain and are typically involved in data breaches, ransomware attacks, and financial fraud.

90
Q

Which type of threat actor would BEST describe a disgruntled employee who may exploit their legitimate access for malicious purposes?
a. Unskilled attacker
b. Hacktivist
c. Insider threat
d. Nation-state actor

A

c. Insider threat

91
Q

Which deceptive technology is a piece of data or a system entity that exists solely to alert the organization when someone accesses it?
a. Honeypot
b. Honeynet
c. Honeyfile
d. Honeytoken

A

d. Honeytoken
Honeytokens are pieces of information or system entities created to serve as a decoy or alert mechanism. A honeytoken's sole purpose is to be accessed or used illicitly.