Lesson 2: Compare Threat Types Flashcards
Define ‘Risk’
Likelihood/consequence of a threat actor exercising a vulnerability.
What is the reason for calculating risk?
To determine the likelihood/impact that a successful exploit would have.
Define a ‘Vulnerability’
A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
List examples of a vulnerability
Misconfiguration of hardware/software or network device; out-of-date software/firmware; poor network architecture; inadequate policies.
What determines how vulnerable an asset is?
The value of the asset and ease of exploiting the fault.
Define a ‘Threat’
Attack vector; The potential for someone/something to exploit a vulnerability and breach security intentionally or unintentionally.
Define an external threat actor
Has no authorized access to the target system; Infiltrates the security system using unauthorized access.
Define an internal threat actor
Was granted permissions on the system; Typically an employee, contractor, or business partner.
What are general motivations for perpetrating a cyber attack?
Greed/Financial, Curiosity/Chaos, Grievance/Revenge, Political
List 3 general strategies/methods threat actors use to perpetrate a cyber attack
- Service Disruption
- Data exfiltration
- Disinformation
Define ‘Service Disruption’
Type of attack that compromises the availability of an asset or business process.
Define ‘Data Exfiltration’
Process by which an attacker takes data stored in a private network and moves it to an external network without authorization.
Define ‘Disinformation’
Type of attack that falsifies an information resource that is normally trusted by others.
List examples of a disinformation attack
Changing the content of a website; Manipulating search engines to inject fake sites; Using bots to post false information to social media sites.
Define a ‘Hacktivist’
Threat actor motivated by a social issue or political cause.
Define an advanced persistent threat (APT)
Ability of an adversary to achieve ongoing compromise of network security (obtaining and maintaining access).
Define a ‘Nation-state actor’
Threat actor that is supported by the resources of its host country’s military and security services.
What are the typical targets of nation-state actors?
Energy, health, and electoral systems/organizations.
What are the typical goals of nation-state actors?
Primarily disinformation and espionage for strategic advantage - typically not for financial reasons.
What is ‘Shadow IT’?
Computer hardware, software, or services used on a private network without authorization from the system owner.
What are the typical motivations/goals of an internal/insider threat actor?
Revenge and Financial gain.
Which three types of threat actor are most likely to have high levels of funding?
State actors, organized crime, and competitors.
Define an ‘Attack Surface’
All the points at which a malicious threat actor could try to exploit a vulnerability.
What are examples of what could be a part of an attack surface?
Any location or method where a threat actor can interact with a network port, application, computer, or user.
Define the process of minimizing attack surface
Restricting access so that only trusted endpoints, protocols/ports, and services are permitted.
Define a ‘Threat Vector’
A specific path a threat actor uses to gain unauthorized access to a system.
Define ‘Vulnerable software’
Contains a flaw in its code or design that can be exploited to circumvent access control or to crash the process.
Define an ‘Unsupported System/Application’
System/Application whose vendor no longer develops updates and patches for the product.
What are the two vectors through which a software vulnerability is exploited?
- Remote
- Local
Define a ‘Remote’ exploit
An exploit performed by sending code to the target over a network that does not depend on an authenticated session with the target to execute.
Define a ‘Local’ exploit
The exploit code must be executed from an authenticated session on the computer; Threat actor needs to use some valid credentials or hijack an existing session to execute it.
Define an ‘Unsecure Network’
One that lacks the attributes of confidentiality, integrity, and availability.
What constitutes an unsecure network?
Unnecessary open ports, weak/no authentication, use of default credentials, or lack of secure communications/encryption.
What is the outcome from a ‘Lack of Confidentiality’
Allows threat actors to snoop on network traffic and recover passwords or other sensitive information.
What is the outcome from a ‘Lack of Integrity’
Allows threat actors to use unauthorized devices to manipulate traffic/data, run exploit code, or spoof a service.
Define a ‘Lack of Availability’
Threat actors are able to perform service disruption attacks; aka denial of service (DoS) attacks.
What are qualities of a secure network?
Uses an access control framework and cryptography to identify, authenticate, authorize, and audit network users, hosts, and traffic.
Define a ‘Direct Access’ threat vector
Threat actor uses physical access to the site to perpetrate an attack; Unlocked workstation, boot disk to install malicious tool, stealing a PC/disk drive.
Define a ‘Wired Network’ threat vector
Threat actor accesses a site to attach an unauthorized device to a physical network port.
Define a ‘Remote and Wireless Network’ threat vector
Attacker obtains credentials for remote access or a wireless connection to the network, or cracks the security protocols used for authentication; Rogue/spoofed APs/Evil Twin APs
Define a ‘Cloud Access’ threat vector
Gaining access to a cloud system through an account/service/host with weak configuration; Potentially attacking a cloud service provider.
Define a ‘Bluetooth Network’ threat vector
Threat actor exploits a vulnerability or misconfiguration to transmit a malicious file to a user’s device over Bluetooth.
Define a ‘Default Credentials’ threat vector
Attacker gains control of a network device or app because it has been left configured with a default password.
Define an ‘Open Service Port’ threat vector
Threat actor is able to establish an unauthenticated connection to a logical TCP or UDP network port.
Define a ‘Lure’ threat vector
Entices a victim into interacting with a removable device, file, image, or program that conceals malware.
What is the purpose of a lure attack?
If the threat actor cannot gain access to run a remote or local exploit directly, a lure might trick a user into facilitating the attack.
How are lure attacks prevented?
Vulnerability management, antivirus, program execution control, and intrusion detection.
What is the typical attack vector used to deliver a lure attack?
Any form of direct messaging; Email, SMS, Instant Messaging (iMessage), Websites/Social Media
Define a ‘Supply chain’
End-to-end process of supplying, manufacturing, distributing/providing goods and services to a customer.
Define ‘procurement management’
Process of ensuring reliable sources of equipment and software.
Define a ‘Supplier’ in a supply chain
Obtains products directly from a manufacturer to sell in bulk to other businesses; Referred to as business to business (B2B).
Define a ‘Vendor’
Obtains products from suppliers to sell to retail businesses (B2B) or directly to customers (B2C); Might add some level of customization and direct support for the product(s).
Define a ‘Business Partner’
Implies a closer relationship where two companies share quite closely aligned goals and marketing opportunities.
Define a ‘managed service provider’ (MSP)
Provisions and supports IT resources such as networks, security, or web infrastructure.
What is the downside of using a managed service provider (MSP)?
Difficult to monitor the MSP; The MSP’s employees are all potential sources of insider threat.
What nmap option performs a scan that displays service identification?
-sV
What are two primary response options to the discovery of an open port hosting an insecure service?
Close the exposed port, or configure service encryption if it is a necessary service.
Define ‘Social engineering’
Hacking the human; Goal is to deceive unsuspecting users into providing sensitive data or violating security guidelines in preparation for an intrusion or to effect an actual intrusion.
Define ‘Impersonation’
Social engineering attack where an attacker pretends to be someone they are not.
What are the two types of impersonation attacks?
- Persuasion/liking
- Coercion/threat/urgency
Define ‘Pretexting’
Social engineering tactic of communicating a lie or half-truth in order to trick a victim; Combination of persuasion and coercion.
Define ‘Phishing’
Email/SMS-based attack in which the attacker, disguised as a trusted source, persuades the target into interacting with a malicious resource or providing sensitive data.
What two attack methods combine to create phishing?
A combination of social engineering and spoofing.
Define ‘Vishing’
A human-based attack where the attacker extracts information over the phone or VoIP.
Define ‘Pharming’
Impersonation attack that corrupts the name resolution process and redirects users from a legitimate website to a malicious one.
What do phishing and pharming both depend on?
Impersonation and spoofing.
Define ‘Typosquatting’
Attacker registers a domain name with a common misspelling of an existing domain, so a user who mistypes a URL in a browser is taken to the attacker’s website.
Define ‘Business email compromise’
Impersonation attack where the attacker gains control of an employee’s account and uses it to convince other employees to perform fraudulent actions.
Define ‘Brand impersonation’
Threat actor accurately duplicates a company’s logos and formatting to make a phishing message or pharming website a compelling fake.
Define ‘Disinformation’
Refers to a purposeful motivation to deceive.
Define ‘Misinformation’
Refers to repeating false claims or rumors without the intention to deceive.
Define a ‘watering hole attack’
Attacker targets specific groups or organizations, discovers which websites they frequent, and injects malicious code into those sites to infect the targets once they interact with the resource.
Define a ‘Whaling’ attack
Spear-phishing attack directed at high-level executives where attackers masquerade as legitimate, known, and trusted entities and encourage a victim to share highly sensitive information or to send a wire transfer to a fraudulent account.