Lesson 2 Threat Actors and Threat Intel Flashcards
Vulnerability
A weakness in a system that can be exploited
Threat
actors willing to exploit a vulnerability
risk
impact and likelihood of vulnerability being exploited by a threat
attributes of threat actors
known threat vs adversary behaviors
can be internal, not just external to the local network
intentions can be malicious, opportunistic, accidental, or unintentional
level of sophistication depends on resources, funding, and capability
Types of hackers
Lone hacker - white hat vs black hat vs grey hat
Script kiddies - unprofessional, just running pre-made scripts and tools, not sophisticated
Hacktivists - usually politically or socially motivated to make a statement
State Actors
State backed, military/secret, and highly sophisticated
Advanced Persistent Threat (APT) - ability to access and stay connected to a network without authorization
Done for espionage and strategic advantage
deniability - able to cover tracks during attack
False flag operations - diversions, such as other minor attacks or overwhelming a system, to cover the real operation
Criminal Syndicates
Operate across legal jurisdictions
Threat Actors out to make money/profit
Well funded and resourced
Competitors
Cyber espionage to gain advantage over
Gain financial info on competitors
Can combine with insider threat
Insider Threat
Malicious
- has or had authorized access
- employees, contractors, partners
- motivated by sabotage, financial gain, business advantage
Unintentional
- weak policies and procedures
- weak adherence to policies and procedures
- lack of training/security awareness
- shadow IT
attack surface
points where an attacker can discover/exploit vulnerabilities to access a network or application
attack vectors
parts of a system which can be exploited to gain access to a network
- direct access
- removable media
- email
- remote and wireless
- supply chain
- web and social media
- cloud
Threat research sources
Counter intelligence
Tactics, Techniques, and Procedures (TTP)
Threat Research Sources
Threat Intelligence Providers
narrative analysis and commentary
Reputation/threat data feeds - cyber threat intelligence (CTI)
Platforms and feeds
- closed/proprietary
- vendor websites
- public/private information sharing centers
- open source intelligence (OSINT) threat data sources
OSINT as reconnaissance and monitoring
TTP
Tactics, Techniques and Procedures are a generalized statement of adversary behavior (of known attacks)
tactics - campaign strategy and approach
techniques - generalized attack vectors
procedures - specific intrusion tools and methods
Threat Data feeds
- STIX - structured threat info exchange - uses XML to describe attacks
- TAXII - transport method for exchanging STIX data
- AIS - Automated Indicator Sharing
- Threat maps
- File/code repos
- Vulnerability DBs and feeds