Threat Actors

Question 1

Threat actor motivations:

Answer 1

 Data Exfiltration
 Blackmail
 Espionage
 Service Disruption
 Financial Gain,
 Philosophical/Political Beliefs
 Ethical Reasons
 Revenge
 Disruption/Chaos
 War

Question 2

Threat Actor Attributes

Answer 2

 Internal vs. External Threat Actors
 Differences in resources and funding
 Level of sophistication

Question 3

Types of Threat Actors

Answer 3

1: Unskilled Attackers
 Limited technical expertise, use readily available tools

2: Hacktivists
 Driven by political, social, or environmental ideologies

3: Organized Crime
 Execute cyberattacks for financial gain (e.g., ransomware, identity theft)

4: Nation-state Actor
 Highly skilled attackers sponsored by governments for cyber espionage or warfare

5: Insider Threats
 Security threats originating from within the organization

Question 4

Shadow IT

Answer 4

IT systems, devices, software, or services managed without explicit organizational approval

Question 5

Threat Vectors and Attack Surfaces

Answer 5

 Image-based
 File-based
 Voice Calls
 Removable Devices
 Unsecured Networks

Question 6

Deception and Disruption Technologies

Answer 6

1: Honeypots
 Decoy systems to attract and deceive attackers

2: Honeynets
 Network of decoy systems for observing complex attacks

3: Honeyfiles
 Decoy files to detect unauthorized access or data breaches

4: Honeytokens
o Fake data to alert administrators when accessed or used

Question 7

Threat Actors Intent

Answer 7

Specific objective or goal that a threat actor is aiming to achieve through their attack

Question 8

Threat Actor Motivation

Answer 8

Underlying reasons or driving forces that pushes a threat actor to carry out their attack

Question 9

Different motivations behind threat actors

Answer 9

1: Data Exfiltration
 Unauthorized transfer of data from a computer

2: Financial Gain
 Achieved through various means, such as ransomware attacks, or through banking trojans that allow them to steal financial information in order to gain unauthorized access into the victims’ bank accounts

3: Blackmail
 Attacker obtains sensitive or compromising information about an individual or an organization and threatens to release this information to the public unless certain demands are met

4: Service Disruption
 Some threat actors aim to disrupt the services of various organizations, either to cause chaos, make a political statement, or to demand a ransom

5: Philosophical or Political Beliefs
 Attacks that are conducted due to the philosophical or political beliefs of the attackers is known as hacktivism
 Common motivation for a specific type of threat actor known as a hacktivist

6: Ethical Reasons
 Contrary to malicious threat actors, ethical hackers, also known as Authorized hackers, are motivated by a desire to improve security

7: Revenge
 It can also be a motivation for a threat actor that wants to target an entity that they believe has wronged them in some way

8: Disruption or Chaos
 Creating and spreading malware to launching sophisticated cyberattacks against the critical infrastructure in a populated city

9: Espionage
 Spying on individuals, organizations, or nations to gather sensitive or classified information

10: War
 Cyber warfare can be used to disrupt a country’s infrastructure, compromise its national security, and to cause economic damage

Question 10

2 Most Basic Attributes of a Threat Actor

Answer 10

1: Internal Threat Actors
 Individuals or entities within an organization who pose a threat to its security

2: External Threat Actors
 Individuals or groups outside an organization who attempt to breach its cybersecurity defenses

Question 11

In the world of cybersecurity, we usually classify the lowest skilled threat actors as “script kiddies”. What is ‘script kiddie’:

Answer 11

 Individual with limited technical knowledge
 use pre-made software or scripts to exploit computer systems and networks

Question 12

How do these unskilled attackers cause damage?

Answer 12

 One way is to launch a DDoS attack
 An unskilled attacker can simply enter in the IP address of the system they want to target, and then click a button to launch an attacker against that target

Question 13

Hacktivist

Answer 13

Individuals or groups that use their technical skills to promote a cause or drive social change instead of for personal gain

Question 14

To accomplish their objectives, hacktivists use a wide range of techniques to achieve their goals

Answer 14

1: Website Defacement
 Form of electronic graffiti and is usually treated as an act of vandalism

2: Distributed Denial of Service (DDoS) Attacks
 Attempting to overwhelm the victim’s systems or networks so that they cannot be accessed by the organization’s legitimate users

3: Doxing
 Involves the public release of private information about an individual or organization

3: Leaking of Sensitive Data
o Releasing sensitive data to the public at large over the internet
o Hacktivists are primarily motivated by their ideological beliefs rather than trying to achieve financial gains

Question 15

Criminal groups will engage in a variety of illicit activities to generate revenue for their members

Answer 15

 Data Breaches
 Identity Theft
 Online Fraud
 Ransomware Attacks

Question 16

Nation-state Actor

Answer 16

o Groups or individuals that are sponsored by a government to conduct cyber operations against other nations, organizations, or individuals

o Sometimes, these threat actors attempt what is known as a false flag attack

Question 17

False Flag Attack

Answer 17

Attack that is orchestrated in such a way that it appears to originate from a different source or group than the actual perpetrators, with the intent to mislead investigators and attribute the attack to someone else

Question 18

Nation-state actors possess advanced technical skills and extensive resources, and they are capable of conducting complex, coordinated cyber operations that employ a variety of techniques such as:

Answer 18

 Creating custom malware
 Using zero-day exploits
 Becoming an advanced persistent threats

Question 19

What motivates a nation-state actor?

Answer 19

 Term that used to be used synonymously with a nation-state actor because of their long-term persistence and stealth

 A prolonged and targeted cyberattack in which an intruder gains unauthorized access to a network and remains undetected for an extended period while trying to steal data or monitor network activities rather than cause immediate damage

 These advanced persistent threats are often sponsored by a nation-state or its proxies, like organized cybercrime groups

Question 20

Insider Threats

Answer 20

o Cybersecurity threats that originate from within the organization
 Will have varying levels of capabilities

Question 21

Insider threats can take various forms

Answer 21

 Data Theft
 Sabotage
 Misuse of access privileges

Question 22

To mitigate the risk of an insider threat being successful, organizations should implement the following

Answer 22

 Zero-trust architecture
 Employ robust access controls
 Conduct regular audits
 Provide effective employee security awareness programs

Question 23

Shadow IT

Answer 23

Use of information technology systems, devices, software, applications, and services without explicit organizational approval

IT-related projects that are managed outside of, and without the knowledge of, the IT department

Question 24

Why does Shadow IT exist?

Answer 24

An organization’s security posture is actually set too high or is too complex for business operations to occur without be negatively affected

Question 25

Threat Vector / Attack Surface

Answer 25

Threat Vector o Means or pathway by which an attacker can gain unauthorized access to a computer or network to deliver a malicious payload or carry out an unwanted action Attack Surface  Encompasses all the various points where an unauthorized user can try to enter data to or extract data from an environment Think of threat vector as the "how" of an attack, whereas the attack surface is the "where" of the attack

Question 26

Threat vector / attack surface can be minimised by:

Answer 26

 Restricting Access * Removing unnecessary software o Disabling unused protocols

Question 27

Several different threat vectors that could be used to attack your enterprise networks

Answer 27

1: Messages  Message-based threat vectors include threats delivered via email, simple message service (SMS text messaging), or other forms of instant messaging  Phishing campaigns are commonly used as part of a message-based threat vector when an attacker impersonates a trusted entity to trick its victims into revealing their sensitive information to the attacker 2: Images  Image-based threat vectors involve the embedding of malicious code inside of an image file by the threat actor 3: Files  The files, often disguised as legitimate documents or software, can be transferred as email attachments, through file-sharing services, or hosted on a malicious website 4: Voice Calls  Vhishing  Use of voice calls to trick victims into revealing their sensitive information to an attacker 5: Removable Devices o One common technique used with removable devices is known as baiting Baiting  Attacker might leave a malware-infected USB drive in a location where their target might find it, such as in the parking lot or the lobby of the targeted organization 6: Unsecure Networks  Unsecure networks includes wireless, wired, and Bluetooth networks that lack the appropriate security measures to protect these networks  If wireless networks are not properly secured, unauthorized individuals can intercept the wireless communications or gain access to the network  Wired networks tend to be more secure than their wireless networks, but they are still not immune to threats  Physical access to the network infrastructure can lead to various attacks  MAC Address Cloning  VLAN Hopping  By exploiting vulnerabilities in the Bluetooth protocol, an attacker can carry out their attacks using techniques like the BlueBorne or BlueSmack exploits 6: BlueBorne  Set of vulnerabilities in Bluetooth technology that can allow an attacker to take over devices, spread malware, or even establish an on-path attack to intercept communications without any user interaction 7: BlueSmack o Type of Denial of Service attack that targets Bluetooth-enabled devices by sending a specially crafted Logical Link Control and Adaptation Protocol packet to a target device

Question 28

One of the most effective ways to learn from the different threat actors that are attacking your network is to set up and utilize deception and disruption technologies:

Answer 28

1: Tactics, Techniques, and Procedures (TTPs)  Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors 2: Deceptive and Disruption Technologies  Technologies designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats 3: Honeypots  Decoy system or network set up to attract potential hackers 4: Honeynets  Network of honeypots to create a more complex system that is designed to mimic an entire network of systems - Servers - Routers - Switches 5: Honeyfiles  Decoy file placed within a system to lure in potential attackers 6: Honeytokens o Piece of data or a resource that has no legitimate value or use but is monitored for access or use

Question 29

Some disruption technologies and strategies to help secure our enterprise networks are:

Answer 29

1: Bogus DNS entries Fake Domain Name System entries introduced into your system's DNS server 2: Creating decoy directories  Fake folders and files placed within a system's storage 3: Dynamic page generation  Effective against automated scraping tools or bots trying to index or steal content from your organization's website 4: Use of port triggering to hide services Port Triggering  Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected 5: Spoofing fake telemetry data  When a system detects a network scan is being attempted by an attacker, it can be configured to respond by sending out fake telemetry or network data