Nation-state
These threat actors often have the support of governments. Their activities, including cyber espionage, are typically motivated by strategic or political reasons. They have the advanced capabilities, significant resources, and strategic motivations to carry out the sophisticated, long-term attack the financial institution discovered.
Hacker
Not necessarily a threat actor but they have the skills to gain access to computer systems through unauthorized or unapproved means. The term is sometimes associated with illegal or malicious system intrusion.
Unskilled Attacker
Definition: A hacker with little technical knowledge who relies on pre-made tools or scripts to launch attacks.
Example: A beginner hacker uses a phishing kit downloaded online to steal login credentials.
Hacktivist
A threat actor that uses cyber weapons to promote a political agenda. They can attempt to obtain and release confidential information to the public domain, perform denial-of-service (DoS) attacks, or deface websites.
Insider threat
Threat actors that are employees who harbor grievances or perpetrate fraud; they pose a potential risk because they have inside information about the company's security practices, data, and computer systems. For example, an insider threat might plan and execute a campaign to modify invoices and divert funds.
Organized Crime
Definition: Cybercriminal groups that operate like businesses, often engaging in ransomware attacks, fraud, and identity theft for financial gain.
Example: A cyber gang deploys ransomware on hospital networks and demands payment to unlock patient records.
Shadow IT
refers to hardware, software, and services used within an organization without explicit approval from the IT department.
Internal Threats
A security risk that comes from within an organization, such as employees or contractors.
Example: A disgruntled employee leaks confidential files to a competitor.
External Threat
A security risk from outside the organization, such as hackers or nation-states.
Example: A hacker group launches a DDoS attack against a company’s website.
Resources/funding
Definition: The money, tools, and infrastructure available to a threat actor to conduct attacks.
Example: A nation-state attacker has government funding to develop advanced malware for espionage.
Level of sophistication/capability
consider an adversary's sophistication and level of resources and funding. A targeted attack might use highly sophisticated tools backed by a budget that can allocate physical and human resources.
Opportunistic
attack might launch without much sophistication or funding, simply by using tools widely available on the Internet.
Data exfiltration
Definition: The unauthorized transfer of sensitive data from a system.
Example: A hacker steals customer credit card information from an online store and sells it on the dark web.
Espionage
characterized by stealthy, long-term breaches, aims at acquiring secret information, often for strategic advantage. The intruders' focus on the proprietary designs and their ability to remain undetected aligns with this motivation.
Service disruption
Definition: Any event that prevents a system, application, or network from functioning properly.
Example: A DDoS attack floods a company’s website with traffic, making it unreachable for customers.
Blackmail
Definition: Threatening to release sensitive data or take harmful action unless demands are met.
Example: A hacker steals private emails from a CEO and demands money to keep them secret.
Financial gain
involves monetary gain through methods such as blackmail, extortion, or fraud; the primary goal in this scenario is acquiring proprietary information, not explicit financial gain.
Philosophical/political beliefs
typically involve strategic objectives to bring about change or achieve specific goals, often at a societal, governance, or moral level.
Ethical
Definition: Security professionals who use hacking techniques legally to find and fix vulnerabilities.
Example: A company hires an ethical hacker to test its security before a cybercriminal can exploit weaknesses.
Revenge
typically involve a disgruntled individual seeking retaliation. This scenario does not provide evidence of a personal grievance or individual retaliation.
Disruption/chaos
disrupt for its own sake, often as an act of vandalism or to sow chaos.
War
Definition: Cyberattacks launched by one country against another to cause disruption or gain intelligence.
Example: A nation-state hacks into a rival country’s power grid, causing blackouts.
Email-Based Attacks (Phishing)
Definition: Cyberattacks that use fraudulent emails to trick users into revealing sensitive information or downloading malware.
Example: A hacker sends an email pretending to be a bank, asking the recipient to click a fake login link to steal their credentials.
Short Message Service (SMS)
Definition: Social engineering attacks that use fake text messages to deceive users into taking harmful actions.
Example: A scammer sends a text message claiming to be from a delivery company, with a fake tracking link that installs malware.
Instant messaging (IM)
Definition: Cyber threats targeting messaging apps like WhatsApp, Telegram, or Slack to spread malware or steal data.
Example: A hacker sends a malicious link through WhatsApp, tricking users into downloading spyware onto their phones.
Image-based
Definition: Attacks that hide malicious code within images.
Example: A phishing email contains an infected image, and when clicked, it installs malware.
File-based
Definition: Cyberattacks that exploit vulnerabilities in files like PDFs, Word documents, or spreadsheets.
Example: A victim opens an infected PDF, allowing a hacker to install spyware on their computer.
Voice Call Attacks (Vishing)
Definition: Social engineering attacks conducted over the phone to trick people into giving up sensitive information.
Example: A scammer calls a bank employee, pretending to be the IT department and asking for login credentials.
Removable Device Threats
Definition: Cyber risks associated with USB drives, external hard drives, and other portable storage devices.
Example: A hacker leaves infected USB drives in a company parking lot, hoping employees plug them into work computers.
Client-Based Security (Agent-Based)
Definition: Requires installing a software agent on a device to provide security features such as monitoring, threat detection, and enforcement.
Example: A company installs endpoint protection software on employee laptops to detect malware in real-time.
Agentless Security
Definition: Provides security without requiring software installation on the end device, often working through network-based scanning or cloud integration.
Example: A cloud security service monitors all devices accessing a network without installing software on each one.
Wireless/Cloud Network Vector Attack
attack targets cloud-based services by exploiting vulnerabilities or misconfigurations to gain unauthorized access but does not include transmitting malicious files to a user's device.
Wired Network Vector Attack
a threat actor gains access to the site. He attaches an unauthorized device to a physical network port, permitting the device to communicate with other hosts.
Bluetooth Network Attack
the threat actor exploits vulnerabilities or misconfigurations in the Bluetooth protocol to transmit a malicious file to a user's device.
Open service ports
Definition: Network ports that are left open and accessible, potentially exposing a system to unauthorized access or attacks.
Example: A company leaves port 3389 (Remote Desktop Protocol) open, allowing hackers to attempt brute-force attacks on remote connections.
Default credentials
Definition: Pre-set usernames and passwords that come with devices or software, which attackers can easily guess or find online.
Example: A router still uses the factory-set "admin/admin" login, making it vulnerable to unauthorized access.
Managed service providers (MSPs)
Definition: Third-party companies that remotely manage IT services, such as security, networking, and cloud computing, for businesses.
Example: A small business hires an MSP to handle its cybersecurity, ensuring firewalls and antivirus software stay updated.
Vendors
Definition: Companies or individuals that sell products or services to an organization, often including software, hardware, or cloud solutions.
Example: A company purchases antivirus software from a security vendor to protect employee computers.
Suppliers
Definition: Businesses that provide raw materials, hardware, or components needed for a company's operations.
Example: A computer manufacturer relies on a supplier for processors used in its laptops.
Supply Chain Attack
involves a threat actor seeking methods to infiltrate a company in its supply chain.
Phishing
Definition: A cyberattack where attackers send fake emails or messages pretending to be from a trusted source to steal sensitive information.
Example: A hacker sends an email pretending to be from a bank, asking the recipient to enter their password on a fake website.
Spear Phishing
a phishing scam where the attacker has some information about the individual target that makes the attack more likely to fool them.
Whaling (Targeted Phishing)
a type of spear phishing attack explicitly directed against the upper levels of management in an organization.
Vishing
a phishing attack conducted through a voice channel, such as a phone call or VoIP.
Smishing
a phishing technique that uses Short Message Service (SMS) text communications as the attack vector. The text message may include a link to a fake website asking a user to log in.
SPIM
spam (or mass unsolicited messages) over instant messaging or Internet messaging services.
Misinformation/disinformation
Misinformation: False or misleading information shared unintentionally.
Disinformation: False information deliberately spread to deceive people.
Example: A hacker spreads fake news about a company's data breach to damage its reputation.
Impersonation
Definition: When an attacker pretends to be someone else to gain trust and trick victims into revealing information or taking action.
Example: A scammer calls an employee, pretending to be IT support and asking for login credentials.
Business email compromise
Definition: A targeted phishing attack where cybercriminals impersonate company executives or vendors to trick employees into transferring money or sensitive data.
Example: A hacker spoofs the CEO’s email and requests the finance department to wire money to a fraudulent account.
Pretexting
a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext.
Watering hole
a social engineering technique where the attacker identifies a popular and frequently visited website used by the target group and compromises that website with exploit code. Their computers become infected when target group members visit the website, and the attacker can then use this foothold to penetrate the organization's systems.
Brand impersonation
committing resources to accurately duplicate a company's logos and formatting to make a phishing message or pharming website a visually compelling fake; often associated with pharming.
Pharming
Redirecting users from legitimate websites to malicious ones by corrupting the victim's computer's name resolution process. It is not specific to targeting a group of individuals.
Typosquatting
registering domains that resemble legitimate ones, making users believe they're accessing a trusted site. The attacker creates a hijacked subdomain using the primary domain of a trusted cloud provider. Employees may fall victim to this attack if they overlook minor differences.
Memory injection
refers to a security flaw where an attacker can introduce or inject malicious code into a running application's process memory.
Buffer overflow
occurs when an application receives more data than it can process, which can cause the application to crash or allow an attacker to execute arbitrary code; the attacker passes data that deliberately floods a temporary memory space.
Race conditions
Application race condition vulnerabilities refer to software flaws associated with the timing or order of events within a software program.
Time-of-check (TOC) (RACE CONDITION)
Refers to the moment when a system checks a condition or a state (e.g., verifying user permissions or file access).
Example: A program checks if a user has permission to access a file.
Time-of-use (TOU) (RACE CONDITION)
Refers to the moment when the system acts based on the result of the check (e.g., granting or denying access).
Example: The program opens the file after confirming the user's permission.
TOC/TOU Vulnerability
A TOC/TOU vulnerability occurs when there's a time gap between the "check" and the "use," during which an attacker can manipulate the system or change the state.
Example Attack Scenario:
A program checks if a file is safe to open (TOC).
Before the file is used (TOU), an attacker swaps the file with a malicious one.
Malicious update
an update that appears legitimate but contains harmful code, often used by cyber criminals to distribute malware or execute a cyber attack.
Structured Query Language injection (SQLi)
Definition: A type of attack where an attacker injects malicious SQL code into a web application’s database query to manipulate or steal data.
Example: A hacker enters '; DROP TABLE users; -- into a website’s login form, which deletes the user database if the input is not properly secured.
Cross-site scripting (XSS)
Definition: An attack where an attacker injects malicious scripts into a trusted website, which then executes in a victim’s browser, allowing data theft or unauthorized actions.
Example: A hacker posts a malicious JavaScript snippet in a website's comment section, which steals login cookies when other users view the page.
Firmware
vulnerabilities include instances where processors inside the computer allow malicious programs to steal data during processing.
End-of-life
(EOL) system vulnerability includes instances where the manufacturer or vendor publicly declares a specific product or version of a product as no longer supported.
Legacy
typically describes outdated software methods, technology, computer systems, or application programs that remain in use despite known shortcomings.
Virtual machine (VM) escape
when an attacker with access to a VM breaks out of this isolated environment and gains access to the host system or other VMs running on the same host.
Resource reuse
Definition: Resource reuse occurs when system components, such as memory, storage, or hardware, are not properly cleared or reset before being reassigned. This can lead to security risks, such as data leaks or unauthorized access.
Example: A cloud provider fails to wipe virtual machine storage before reassigning it to a new customer, potentially exposing the previous user's sensitive data.
Secure deallocation
takes any residual data in a resource (memory, disk space, etc.) and cleans or overwrites it before reuse, preventing potential data leakage.
Service Provider
Definition: A company that offers IT, cloud, or network services to businesses and consumers.
Example: AWS (Amazon Web Services) provides cloud computing services to companies for hosting websites and applications.
Hardware provider
Definition: A company that supplies physical devices such as servers, computers, or networking equipment.
Example: Dell manufactures and sells laptops, desktops, and enterprise servers.
Software provider
Definition: A company that develops and distributes software applications for businesses or consumers.
Example: Microsoft provides the Windows operating system and Office productivity tools.
Side Loading
Definition: Installing applications from unofficial sources instead of the official app store.
Example: A user downloads an app from an unverified website, which secretly installs malware.
Zero-Day
Definition: A newly discovered software vulnerability that has no fix yet, making it a prime target for cyberattacks.
Example: A hacker exploits a zero-day vulnerability in a web browser before the software vendor releases a patch.
Jailbreaking
Definition: Removing software restrictions on a device to install unauthorized apps and modifications.
Example: A user jailbreaks their iPhone to install apps not available in the App Store, increasing security risks.
Ransomware
a type of malware that tries to extort money from the victim by making the victim’s computer or data files unavailable, demanding payment before making them available again.
Trojan
malware concealed within an installer package for software that appears legitimate. Trojans misrepresent themselves to appear useful, routine, or interesting to persuade a victim to install them. This type of malware does not seek consent for installation and actively operates secretly.
Worm
one of the first types of malware; it spreads without any authorization from the user. A worm may be concealed within the executable code of another process.
Spyware
malware that can perform adware-like tracking, but it also monitors local application activity, takes screenshots, and activates recording devices, such as a microphone or webcam.
Bloatware
refers to unwanted software that comes preinstalled on a system or bundled with other software, occupying memory and processing resources and potentially leading to system slowdowns.
Virus
malware that reproduces itself but needs to be executed; viruses typically exhibit more destructive behaviors, such as file corruption or data theft.
Logic bomb
a string of code embedded in a software system or computer program that remains dormant until triggered by a specific logical event.
Keylogger
Definition: A keylogger is a type of malware or hardware device that records every keystroke a user types on a keyboard, often used to steal login credentials, credit card numbers, or other sensitive information.
Example: A hacker installs a software keylogger on a victim’s computer, capturing their bank login credentials and using them to access the account.
Rootkit
Definition: A type of stealthy malware that hides deep in a system to give attackers remote access while avoiding detection.
Example: A hacker installs a rootkit on a victim’s computer, allowing them to steal files and monitor activities without being noticed.
Radio frequency identification (RFID) cloning
Definition: Copying data from an RFID-based access card or key fob to create a duplicate for unauthorized entry.
Example: An attacker uses an RFID scanner near an employee’s badge to clone it and gain access to a restricted area.
Environmental
Definition: Physical threats caused by environmental factors like heat, fire, flooding, or power failures.
Example: A server room without proper cooling overheats, causing a system crash and data loss.
Amplified DDoS Attack
Definition: A DDoS attack where attackers use small requests to trigger massive responses from a network, overwhelming the target.
Example: A hacker sends small DNS queries that result in large responses, overwhelming a victim’s server.
Reflected DDoS Attack
Definition: A DDoS attack that tricks legitimate servers into sending large amounts of traffic to a victim’s IP address.
Example: A hacker spoofs a victim’s IP and sends multiple requests to unsecured servers, causing them to flood the victim’s network with replies.
Domain Name System (DNS) Attacks
Definition: Exploiting weaknesses in DNS to redirect users to malicious sites or disrupt services.
Example: An attacker poisons a DNS server, causing users who try to visit a bank's website to be redirected to a phishing site instead.
Wireless Attacks
Definition: Attacks targeting Wi-Fi networks to intercept or manipulate data.
Example: A hacker sets up a fake Wi-Fi hotspot at a coffee shop to steal user credentials.
On-Path Attacks (Man-in-the-Middle, MITM)
Definition: An attacker intercepts communication between two parties to steal or alter data.
Example: A hacker eavesdrops on a public Wi-Fi network, capturing login credentials sent over an unencrypted connection.
Credential Replay Attack
Definition: An attacker intercepts and reuses login credentials to gain unauthorized access.
Example: A hacker steals a session token from a user’s browser and reuses it to log into their bank account.
Malicious code
Definition: Any form of malware designed to harm, exploit, or disrupt systems.
Example: A phishing email tricks users into downloading a trojan virus that steals their passwords.
Injection
an application attack that involves sending untrusted data to an interpreter as part of a command or query. This data tricks the interpreter into executing unintended commands, potentially allowing unauthorized access or data retrieval.
Buffer overflow
occurs when a program writes more data into a memory buffer than it can hold, causing the excess data to overwrite adjacent memory. Attackers exploit this vulnerability to execute malicious code or crash a system.
Example: A hacker inputs a long string of characters into a website's login form, exceeding the expected limit and overwriting memory to gain unauthorized system access.
Replay
an application attack that involves the malicious repetition or delayed transmission of valid data.
Privilege escalation
Definition: When an attacker gains higher access rights than they are supposed to have.
Example: A hacker exploits a system vulnerability to elevate their account from a regular user to an administrator.
Forgery (Session or Identity Forgery)
Definition: Creating fake data, credentials, or requests to impersonate a legitimate user or system.
Example: An attacker spoofs an employee’s email to request a fraudulent wire transfer.
Directory Traversal
Definition: A web attack where an attacker accesses restricted files by navigating outside the intended directory.
Example: A hacker inputs “../../etc/passwd” into a website URL to access system files.
Downgrade
a cryptographic attack that involves forcing a system to abandon its high-security mode and revert to a less secure state.