Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
Insider threats
Legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident, such as giving up or losing passwords, or leaving them on the computer, which leaves the door open for hackers.
State actors
Term used to describe Nation-States when they interact on the world stage implementing their foreign policies.
Hacktivists
Hackers who are driven by a cause like social change, political agendas, or terrorism
Script Kiddies
Inexperienced, usually young hackers who use programs that others have developed to attack computer and network systems and deface Web sites.
Criminal Syndicates
Threat actors who have moved from traditional criminal activities to more rewarding and less risky online attacks.
Hackers
Experts in technology who use their knowledge to break into computers and computer networks, either for profit or just motivated by the challenge
Authorized Hackers
An ethical hacker who has good intentions and often finds problems in order to help resolve them.
Unauthorized Hackers
Malicious, violates security for personal gain (Black Hat)
Semi-authorized hackers
a hacker who finds a vulnerability and doesn't use it against the victim
Shadow IT
The information systems and solutions built and deployed by departments other than the information systems department. In many cases, the information systems department may not even be aware of these efforts.
Resources/funding (attributes of actors)
APTs and nation states have a penchant for long-term attacks, which require resources and funding that only major organizations or governments can sustain over time.
Intent/motivation (attributes of actors)
This can be simple or multifold in nature. A script kiddie is just trying to make a technique work. A more skilled threat actor is usually pursuing a specific objective, such as trying to make a point as a hacktivist. At the top of the intent pyramid is the APT threat actor, whose intent or motivation is at least threefold.
Wireless Attack Vectors
An attack vector that is based on wireless networks and has many different openings, including:
Default login credentials
Rogue access point
Evil twin
Protocol vulnerabilities
Email attack vectors
One of the biggest and most successful known attack vectors because everyone has one. A form of communication that is commonly attacked and contains things such as:
Phishing attacks
Delivering malware to the user
Social engineering attacks
Supply Chain Attack Vector
Tampers with underlying infrastructure (gaining access to a network using a vendor, using malware to modify a process, using counterfeit equipment to install backdoors and implement substandard performance/availability)
Social Media Attack Vectors
An attack vector based on popular social platforms that allow attackers to utilize personal information you publish and make available, such as where you are or vacation pictures.
Removable Media Attack Vector
The attacker conceals malware on a USB thumb drive or memory card and tries to trick employees into connecting the media to a PC, laptop, or smartphone.
Cloud attack vectors
Publicly facing applications and services are commonly misconfigured and mistakes are made all the time which can be abused. This attack vector allows attackers to do things such as phish users of the cloud service, brute force attack the service, or make the cloud build new application instances to cause a DoS and waste money.
Open-Source Intelligence (OSINT)
Information that is readily available to the public and doesn't require any type of malicious activity to obtain.
Closed/proprietary threat intelligence source
Software code or security research that remains in the ownership of the developer and may only be used under permitted license conditions.
Vulnerability databases
A common source of threat intelligence: researchers find vulnerabilities and upload them here because everyone needs to know about them.
Examples of this are:
CVE (Common vulnerabilities and exposures)
U.S. National Vulnerability Database (NVD)
Public/Private information sharing centers
A public/private threat intelligence arrangement in which you can share high-detail vulnerability information; organizations like the Cyber Threat Alliance let members upload details about particular threats.
Dark web intelligence
Involves the monitoring of forums, hacking groups and services on overlay networks that use the internet (specific software and configurations are required to access these sites)
Indicators of compromise
evidence that a cyberattack is happening or has happened
Automated Indicator Sharing (AIS)
System that enables the sharing of attack indicators between the US government and the private sector as soon as the threat is verified.
Structured Threat Information eXchange (STIX)
A standard intended to help prevent cyber-attacks. Developed by MITRE as a format for distributing cyber threat intelligence. Defines methods of attack and is divided into 18 domain objects, such as attack patterns, campaigns, and courses of action.
Trusted Automated eXchange of Indicator Information (TAXII)
an open standard that defines a set of services and message exchanges used to share information
Predictive Analysis
attempt to predict what attackers will do next and how to thwart their attacks
Threat Maps
(Threat Intelligence Sources)
provide a visual representation of active threats
File/code repositories
Lets you see what hackers are using to build their attacks (for example, GitHub); private code is often released publicly and is then used by hackers.
Vendor Websites
(Research Sources)
good source for reliable information on a vendor's products. This is especially true related to any vulnerabilities and patches used to fix them.
Vulnerability feeds
Cybersecurity data feeds that provide information on the latest vulnerabilities.
Request for Comments (RFC)
How standards and protocols are defined and published for all to see on the IETF website.