Section 3: Threat Actors Flashcards

OBJ (1.2, 2.1, & 2.2)

1
Q

Threat Actor

A

An individual or entity responsible for incidents that impact security and data protection.

2
Q

Threat Actor Attributes

A

Specific characteristics or properties that define and differentiate various threat actors from one another.

Unskilled Attackers, Hacktivists, Organized Crime, Nation-state Actors, Insider Threats.

3
Q

Unskilled Attackers

A

Individuals with limited technical expertise who use readily available tools like downloaded scripts or exploits to carry out attacks.

4
Q

Hacktivists

A

Cyber attackers who carry out their activities driven by political, social, or environmental ideologies who often want to draw attention to a specific cause.

5
Q

Organized Crime

A

Well-structured groups that execute cyberattacks for financial gain, usually through methods like ransomware, identity theft, or credit card fraud.

6
Q

Nation-state Actors

A

Highly skilled attackers that are sponsored by governments to carry out cyber espionage, sabotage, or cyber warfare against other nation states or specific targets in a variety of industries.

7
Q

Insider Threats

Data Theft, Sabotage, Misuse of Access Privileges.

A

Security threats that originate from within the organization.

1) Driven by financial gain (profit from the sale of sensitive organization data).
2) Motivated by revenge and a desire to harm the organization.
3) The result of carelessness or a lack of awareness of cybersecurity best practices by one of the organization’s users.

8
Q

Shadow IT

The use of information technology.

Use of Personal Devices for Work Purposes, Installation of Unapproved Software, Use of Cloud Services that Have not Been Approved by the Organization.

A

IT systems, devices, software, applications, and services that are managed and utilized without explicit organizational approval.

USB Drive, External Hard Drive, Keyboard, Wired Mouse, Network Adapter.

Message-based, Image-based, File-based, Voice Calls, Removable Devices, Use of Unsecured Networks. HoneyPots, HoneyNets, HoneyFiles, HoneyTokens.

9
Q

Honeypots

Gathering information about the attacker’s methods, motives, and TTPs.

Honeypots can be used against insider threats to detect internal fraud, snooping, and malpractice.

A

Decoy systems or servers designed to attract and deceive potential attackers, simulating real-world IT assets to study their techniques.

To install a honeypot in an enterprise network, place it within a screened subnet or isolated segment that is easily accessed by potential attackers.

10
Q

Honeynets

Controlled Environment. Logs all activities.

Risk: the attacker could use it to learn how production systems are configured.

A

Creates an entire network of decoy systems to observe complex, multi-stage attacks.

11
Q

Honeyfiles

Enumerating the attacker’s network.

Word-processing documents, Spreadsheets, Presentation files, Images, Database files, Executables. Embedded with unique identifiers or watermarks to help track the file if it is stolen or copied; usually placed under looser or less strict defenses than the files that contain actual sensitive data.

A

Decoy files placed within systems to detect unauthorized access or data breaches.

12
Q

Honeytokens

Fake user account, a bogus URL, or a dummy database record.

Useful for detecting insider threats. Using bogus DNS entries, Creating decoy directories, Generating dynamic pages, Using port triggering, Spoofing fake telemetry data.

A

Fake pieces of data, like a fabricated user credential inserted into databases or systems to alert administrators when they are accessed or used.

13
Q

Bogus DNS

A

Fake DNS entries introduced into a system’s DNS server.

14
Q

Decoy Directories

A

Fake folders and files placed within a system’s storage.

15
Q

Dynamic Page Generation

A

Used in websites to present ever-changing content to web crawlers to confuse and slow down the threat actor.

16
Q

Port Triggering

A

Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected.

18
Q

Threat Actor Motivations

Data Exfiltration, Blackmail, Espionage, Service Disruption, Financial Gain, Philosophical or Political Beliefs, Ethical Reasons, Revenge, Disruption or Chaos, War.

A

Intent behind an attack and the motivation that fuels that attack.

19
Q

Data Exfiltration

A

The unauthorized transfer of data from a computer.

Selling it on the dark web, Using it for identity theft, Leveraging it for a competitive advantage.

20
Q

Financial Gain

A

One of the most common motivations for cybercriminals.

Ransomware Attacks, Banking Trojans.

21
Q

Blackmail

A

The attacker obtains sensitive or compromising information about an individual or an organization and threatens to release this information to the public unless certain demands are met.

22
Q

Service Disruption

A

Often achieved by conducting a Distributed Denial of Service (DDoS) attack to overwhelm a network, service, or server with excessive amounts of traffic so that it becomes unavailable to its normal users.

23
Q

Philosophical or Political Beliefs

A

Individuals or groups use hacking to promote a political agenda, social change, or to protest against organizations they perceive as unethical.

24
Q

Ethical Reasons

A

Ethical hackers, also known as Authorized hackers, are motivated by a desire to improve security.

25
Q

Revenge

A

An employee who is disgruntled, or one who has recently been fired or laid off, might want to harm their current or former employer by causing a data breach, disrupting services, or leaking sensitive information.

26
Q

Disruption or Chaos

A

These actors, often referred to as Unauthorized hackers, engage in malicious activities for the thrill of it, to challenge their skills or simply to cause harm.

27
Q

Espionage

A

Involves spying on individuals, organizations, or nations to gather sensitive or classified information.

28
Q

War

A

Cyberattacks have increasingly become a tool for nations to attack each other both on and off the battlefield.

29
Q

Threat Actor Attributes

A

Internal vs. External, Resources and Funding, Level of sophistication and capability.

30
Q

Internal Threat Actors

A

Individuals or entities within an organization who pose a threat to its security.

31
Q

External Threat Actors

A

Individuals or groups outside an organization who attempt to breach its cybersecurity defenses.

32
Q

Resources and Funding

A

Refers to the tools, skills and personnel at the disposal of a given threat actor.

33
Q

Level of sophistication and capability

A

Refers to their technical skill, the complexity of the tools and techniques they use, and their ability to evade detection and countermeasures.

34
Q

Unskilled Attacker

Script Kiddie

A

An individual who lacks the technical knowledge to develop their own hacking tools or exploits.

35
Q

Website Defacement

electronic graffiti

A

Electronic graffiti, usually treated as an act of vandalism.

36
Q

Distributed Denial of Service Attack (DDoS)

A

Attempting to overwhelm the victim’s systems or networks so they cannot be accessed by the organization’s legitimate users.

37
Q

Doxxing

A

Public release of private information about an individual or organization such as their name, home address, phone number, or email in hopes that someone will take real-world actions against the victim.

Stealing and releasing sensitive data.

38
Q

Organized Cyber Crime Groups

Data Breaches, Identity Theft, Online Fraud, Ransomware Attacks.

A

Sophisticated and well-structured entities that leverage resources and technical skills for illicit gain.

Cryptocurrencies, Dark Web, Cellular Collection Devices.

FIN7: Sophisticated cybercrime syndicate that has been linked to numerous high-profile data breaches. Carbanak: Sophisticated cybercrime syndicate that has stolen over $1 billion from various banks around the world.

39
Q

Nation-State Actors

A

Groups that are sponsored by a government to conduct cyber operations against other nations, organizations, or individuals.

40
Q

False Flag Attack

A

Attack that is orchestrated in such a way that it appears to originate from a different source or group.

Creating Custom Malware, Using Zero-day Exploits, Becoming an Advanced Persistent Threat.

41
Q

Advanced Persistent Threat (APT)

Prolonged and targeted cyberattack in which an intruder gains unauthorized access to a network and remains undetected for an extended period of time while trying to steal data or monitor network activities.

A

Term that used to be used synonymously with a nation-state actor because of their long-term persistence and stealth.

Gathering Intelligence, Disrupting Critical Infrastructure, Influencing Political Processes.

42
Q

Stuxnet Worm

A

Sophisticated piece of malware that was designed to sabotage the Iranian government’s nuclear program.

43
Q

Threat Vector

A

The means or pathway by which an attacker can gain unauthorized access to a computer or network to deliver a malicious payload or carry out an unwanted action.

44
Q

Attack Surface

This represents the sum of all potential vulnerabilities and entry points that an attacker could exploit. Messages, Images, Files, Voice Calls, Removable Devices, Unsecure Networks.

A

Encompasses all the various points where an unauthorized user can try to enter data into, or extract data from, an environment.

Restricting Access, Removing Unnecessary Software, Disabling Unused Protocols.

45
Q

BlueBorne

A

Set of vulnerabilities in Bluetooth technology that can allow an attacker to take over devices or spread malware.

46
Q

BlueSmack

A

Type of Denial of Service attack that targets Bluetooth-enabled devices by sending a specially crafted Logical Link Control and Adaptation Protocol packet to a target device.

47
Q

Tactics, Techniques, and Procedures (TTPs)

A

Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors.

48
Q

Deceptive and Disruption Technologies

A

Designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats.