Internal vs. External, Level of Sophistication/Capability, Resources/Funding, Intent/Motivation
Categories to consider when classifying cybersecurity threats.
White-Hat Hacker
Authorized attacker who seeks to discover security vulnerabilities with the intent of correcting them.
Black-Hat Hacker
Unauthorized attacker who seeks to defeat security controls and compromise the confidentiality, integrity, or availability of information systems for their own purposes.
Grey-Hat Hacker
Semi-authorized attacker who acts without proper authorization, but does so with the intent of informing their targets of any security vulnerabilities.
Unskilled, Hacktivist, Organized Crime, Nation-State, Insider Threat
Types of threat actors.
Script Kiddie
Unskilled attacker who relies almost entirely on automated tools.
Hacktivist
Attacker who uses hacking techniques to accomplish some activist goal.
Organized Criminal
Attacker who uses hacking techniques for illegal financial gain.
Acronym: APT
Advanced Persistent Threat
APT
Nation-state attacker who uses advanced techniques to repeatedly attempt to compromise a system.
Insider Threat
Employee, contractor, vendor, or other individual with authorized access to information systems who uses that access to wage an attack against their organization.
Shadow IT
Phenomenon where individuals and groups within an organization seek out their own technology solutions.
Data Exfiltration, Espionage, Service Disruption, Blackmail, Financial Gain, Personal Beliefs, Ethical, Revenge, Chaos, Geopolitical Conflict
Attacker motivations.
Data Exfiltration
Attack motivated by the desire to obtain sensitive or proprietary information.
Espionage
Attack motivated by organizations seeking to steal secret information from other organizations.
Service Disruption
Attack seeking to take down or interrupt critical systems or networks.
Blackmail
Attack seeking to extort money or other concessions from victims by threatening to release sensitive information or launch further attacks.
Financial Gain
Attack motivated by the desire to make money through theft or fraud.
Personal Beliefs
Attack motivated by ideological or political reasons, promoting a particular cause or ideology.
Ethical
Attack motivated by the desire to expose vulnerabilities and improve security.
Revenge
Attack motivated by the desire to get even with an individual or organization by embarrassing them or exacting some other form of retribution against them.
Chaos
Attack motivated by the desire to cause chaos and disrupt normal operations.
Geopolitical Conflict
Attack that attempts to disrupt military operations and change the outcome of an armed conflict.
Attack Surface
A system, application, or service that contains an exploitable vulnerability.
Threat Vector
The means that threat actors use to obtain access.
One of the most commonly exploited threat vectors.
Email, SMS, Instant Messaging, Phone/Voice
Attack surfaces exploited by threat actors to carry out phishing attacks.
Acronym: MSP
Managed Service Provider
Supply Chain
Sophisticated attack that involves targeting an organization’s hardware providers, software providers, or service providers.
Threat Intelligence
Set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.
Predictive Analysis
The application of threat intelligence to identify likely risks to the organization.
Acronym: OSINT
Open Source Intelligence
OSINT
Open source intelligence that can be gathered from publicly available sources.
Threat Feed
Source of intelligence that is intended to provide up-to-date details about threats in a way that an organization can leverage.
Acronym: CVE
Common Vulnerabilities and Exposures
IP Addresses, Hostnames, Domains, Email Addresses, URLs, File Hashes, File Paths, CVE Record Numbers
Information commonly found in a threat feed.
Vulnerability Database
A collection of CVEs intended to help direct an organization's defensive efforts, and provide valuable insight into the types of exploits being discovered by researchers.
Acronym: IoC
Indicators of Compromise
IoC
Telltale signs that an attack has taken place, such as file signature, log patterns, or other evidence left behind.
File/Code Repositories
Common residence for lists of IoCs.
Senki.org, Open Threat Exchange, MISP Threat Sharing Project, Threatfeeds.io
Examples of open source threat intelligence.
The Dark Web
A network run over standard internet connections, but using multiple layers of encryption to provide anonymous communication.
Closed-Source Intelligence
A proprietary collection of threat information and/or research.
Timeliness, Accuracy, Relevance
Common factors to consider when assessing threat intelligence.
Confidence Score
A tool used to summarize threat intelligence based on how trustworthy it is.
Acronym: STIX
Structured Threat Information eXpression
STIX
An XML language that defines domain objects such as attack patterns, malware, threat actors, and tools; and relates them to each other as either a “relationship” or “sighting” object.
Acronym: OASIS
Organization for the Advancement of Structured Information Standards
OASIS
The international nonprofit consortium that maintains STIX, along with many other projects related to information formatting.
Acronym: TAXII
Trusted Automated eXchange of Intelligence Information
TAXII
A companion to STIX, intended to allow cyber-threat information to be communicated at the application layer via HTTPS.
Acronym: ISAC
Information Sharing and Analysis Center
ISAC
A threat intelligence community aimed at helping infrastructure owners and operators share threat information, and at providing tools and assistance to their members.
Acronym: TTP
Tactics, Techniques, and Procedures