Threat actors, threat vectors, and social engineering
Types of threat actors
Nation-state / Advanced Persistent Threats, unskilled attackers / script kiddies, hacktivists, organized crime, insider threats, and shadow IT.
What defines a Nation-state / Advanced Persistent Threat (APT)?
Carry out sophisticated attacks against foreign countries or organizations for national interests.
Nation-state / APT: Skill level/sophistication; funding/resources; access; motivation
High; high; external; national interests, espionage, disruption, war
What defines a hacktivist?
A person who hacks to further a social or political cause, often conducting actions like website defacement, information leaks, or DoS attacks.
Hacktivist: Skill level/sophistication; funding/resources; access; motivation
Moderate; moderate; external; disruption, ethics/philosophy, politics
What defines unskilled attackers / script kiddies?
Low-skilled individuals who use existing tools created by others to exploit vulnerabilities, but who lack a deeper understanding of how those tools and vulnerabilities work.
Unskilled Attacker / Script Kiddie: Skill level/sophistication; funding/resources; access; motivation
Low; low; external; disruption, prestige
What defines organized cybercrime groups?
They engage in hacking to support their criminal enterprises and use sophisticated methods, such as ransomware-as-a-service, to exploit victims for financial gain.
Why is cybercrime gaining popularity?
Ability to operate from different countries, making prosecution more complex
What is Ransomware as a Service?
A form of attack perpetrated by organized crime groups who will carry out a ransomware attack on a target organization on someone's behalf and split the proceeds
Organized Cybercriminals: Skill level/sophistication; funding/resources; access; motivation
High; high; external; money
What defines an insider threat?
Originates from within an organization, due to either malicious intent or incompetence.
Insider Threat: Skill level/sophistication; funding/resources; access; motivation
Moderate; low; internal; disruption, revenge, blackmail
What defines Shadow IT?
The installation and use of IT systems or software without the IT department's permission, which can undermine security policies and practices.
Shadow IT: Skill level/sophistication; funding/resources; access; motivation
Low/moderate; low; internal; prestige
What are social engineering techniques?
Methods used to manipulate individuals into divulging confidential information, often through message-based attacks or voice phishing.
What are file-based attacks?
Attacks that involve malware introduced through a file or email attachment, including fileless malware which does not remain on the system after execution.
What is steganography?
Data hidden within images. Can be malicious code or sensitive info for exfiltration.
What risks are associated with removable media?
Removable media can be used to exfiltrate data or introduce malware into systems, including air-gapped systems that have no network connection.
How can vulnerable software compromise security?
Software may have security flaws that need monitoring and patching; unpatched vulnerabilities or backdoor inclusions can expose the organization to attacks.
What is agentless scanning?
A method of scanning for unsupported systems or applications on a network using a network service to scan for hosts and query software installed on those hosts
What is client-based/agent-based scanning?
A method of scanning for unsupported systems or applications on a network using a software agent on endpoint systems to scan software and report back to a central server
What are the risks of unsupported systems and applications?
They are not identified, verified as safe, or monitored for updates and patches
What is a risk in a wired network?
Active network ports within the facility, especially those in public or obscure areas
What is a risk in a wireless network?
Lack of wireless security, use of insecure protocols, or transmitting beyond the confines of the facility
What are risks when using Bluetooth?
Enabled when not needed, unmonitored connections
How should ports be secured?
All unnecessary ports on a host or firewall should be closed and all services that use those ports should be disabled. Data passing through any open ports should be monitored for malicious activity.
What are supply chain attacks?
Cyberattacks targeting less secure systems within a supply chain instead of directly attacking the main target organization.
What does the supply chain consist of?
Managed Service Providers (MSPs), vendors, suppliers
What is the risk of not changing default credentials?
They can be easily exploited by attackers to gain unauthorized access.
What is phishing?
A digital communication tactic designed to trick individuals into providing personal information by posing as a legitimate source.
What is spear phishing?
Targeting specific users because of their level of authorization
What is whaling?
Phishing that targets the "big fish" (such as a CEO or other senior executive)
What is vishing?
Using phishing techniques over voice calls
What is smishing?
Using phishing techniques over SMS/text message
What is impersonation in the context of cyber threats?
An attacker pretends to be someone trustworthy to solicit sensitive information from the target.
What is brand impersonation?
An attacker pretends to represent a company or sends out messages claiming to work with a company
What is pretexting?
An attacker creates a fake backstory to manipulate a user into compromising their or their organization's interests.
What is misinformation/disinformation in the context of cyber attacks?
Providing false or misleading info to a potential victim to sway their line of thinking or trick them into doing something
What is a watering hole attack?
A strategy where an attacker infects a legitimate website that is frequently visited by the target group with malicious code.
What is typosquatting?
Buying a domain similar to a popular, trusted site to catch victims who mistype a URL or click on it because the link appears similar