
1.5 Explain different threat actors, vectors, and intelligence sources

Cybersecurity professionals seeking to safeguard the confidentiality, integrity, and availability of their organization's assets must have a strong understanding of the threat environment to develop appropriate defensive mechanisms.
Last edited 877 days ago by Makiel [Muh-Keel].

Actors and Threats

Hacker Hats

White-hat hackers

White-hat hackers, also known as authorized attackers, act with the system owner's authorization and seek to discover security vulnerabilities with the intent of correcting them. They may be employees of the organization or contractors hired to perform penetration testing.

Black-hat Hackers

Black-hat hackers, also known as unauthorized attackers, act with malicious intent. They seek to defeat security controls and compromise the confidentiality, integrity, or availability of information and systems for their own unauthorized purposes.

Gray-hat hackers

Gray-hat hackers, also known as semi-authorized attackers, fall somewhere between white- and black-hat hackers. They act without proper authorization, but with the intent of informing their targets of any security vulnerabilities they find. Good intent is not a legal defense: testing a system without authorization is still unauthorized access.

Script Kiddies

Script kiddie is a derogatory term for someone who uses hacking techniques but has limited skills.
Such attackers often rely almost entirely on automated tools downloaded from the Internet, have little understanding of how those tools actually work, and simply seek out convenient targets of opportunity.
Script kiddies are still a threat, however rudimentary their skills, because simple attack tools are freely available and it is easy to automate DoS attacks, build viruses and trojan horses from kits, or distribute ransomware.
They don't discriminate: they scan for and find vulnerable victims without even knowing who their target is.
They may attack your network simply because it is there, with no motive beyond target practice.

Hacktivists

Hacktivists use hacking techniques to accomplish an activist goal. They might deface the website of a company whose policies they disagree with, or attack a network over a political issue.
They believe they are acting for the greater good, even when their activity violates the law.
Because they see themselves as engaged in a just cause, they will, at least in some instances, risk getting caught to accomplish their goals.
They may even view being caught as a badge of honor and a sacrifice for their cause.
Large groups typically have more time and other resources than a lone attacker.
Because of their distributed and anonymous nature, it is difficult to identify, investigate, and prosecute participants in their activities.
The capture of one member is unlikely to compromise the identities of the others.

Whistleblowers

Insiders, often government employees or contractors, who release confidential information they believe exposes wrongdoing.
Edward Snowden, a former contractor with the U.S. National Security Agency, shared a large cache of sensitive government documents with journalists.
Snowden's disclosures provided unprecedented insight into the digital intelligence-gathering capabilities of the United States and its allies.

Criminal Syndicates

Organized crime syndicates don't act for political causes and don't care about showing the world how skilled they are; they care about one thing only: money.
There are a variety of cybercrime categories, including the following:
Cyber-dependent crime: including ransomware, data compromise, distributed denial-of-service (DDoS) attacks, website defacement, and attacks against critical infrastructure
Child sexual exploitation: including child pornography, abuse, and solicitation
Payment fraud: including credit card fraud and business email compromise
Dark web activity: including the sale of illegal goods and services
Terrorism support: including facilitating the actions of terrorist groups online
Cross-cutting crime factors: including social engineering, money mules, and the criminal abuse of cryptocurrencies
Organized crime groups employ attackers ranging from moderately skilled to highly skilled.
They understand it takes money to make money, so they are willing to spend on tools, infrastructure, and talent if the return on investment is high enough.

Advanced Persistent Threats (APTs)

APTs are well-resourced, highly capable threat groups, usually sponsored by or operating on behalf of a nation-state. Governments seldom acknowledge these ties openly, but the groups are funded, directed, and shielded by them.
"Advanced" refers to their sophisticated tooling and tradecraft; "persistent" means they establish a long-term foothold in the target and keep working toward their objective, often staying undetected for months, rather than carrying out a one-off attack.
A nation has the labor force, time, and money to finance ongoing, sophisticated operations.

Insider Threats

Insider threats occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to attack the organization.
These attacks are often aimed at disclosing confidential information, but insiders may also seek to alter information or disrupt business processes.
They already have some level of access to your network and some knowledge of it. Depending on the insider's job role, that access and knowledge may be significant.
They know what to hit, how to hit it, and which internal protective security measures you have in place.
An insider could be any of the following:
An employee who was passed over for a promotion
A vendor who disagrees with the direction of the company
A VP motivated by financial gain
Preventative Measures
Behavioral assessments are a powerful tool for identifying insider attacks.
Cybersecurity teams should work with human resources partners to identify insiders exhibiting unusual behavior and intervene before the situation escalates.
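As an added example (not part of the original notes), the Python below shows the kind of behavioral check a security team can run over file-server access logs to surface an insider worth a closer look: it flags access outside business hours, and days on which a user's data volume is far above that user's own baseline rather than some global threshold. The log format, the business-hours window, the spike factor and the sample log lines are all constructed assumptions.

```python
# Added example (not from the original notes): surface insiders whose activity
# departs from their own baseline. The log format, BUSINESS_HOURS, SPIKE_FACTOR,
# MIN_HISTORY_DAYS and SAMPLE_LOG are constructed assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 local time is normal working time
SPIKE_FACTOR = 10              # assumed: a day over 10x the user's median daily bytes is a spike
MIN_HISTORY_DAYS = 3           # assumed: fewer days than this and there is no baseline yet

# Constructed file-server access log: <ISO timestamp> <user> <action> <bytes>
# alice reads a few hundred KB per day, then pulls 5.4 GB at 02:15 one morning.
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice READ 120000
2024-03-01T10:05:00 alice READ 98000
2024-03-02T09:40:00 alice READ 110000
2024-03-03T09:20:00 alice READ 105000
2024-03-04T02:15:00 alice READ 5400000000
2024-03-01T08:50:00 bob READ 50000
2024-03-02T08:55:00 bob READ 52000
2024-03-03T09:00:00 bob READ 49000
2024-03-04T09:05:00 bob READ 51000
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, action, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events


def daily_totals(events):
    """Bytes moved per user per calendar day: {user: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, nbytes in events:
        totals[user][ts.date()] += nbytes
    return totals


def find_anomalies(events):
    """Return (user, reason, when) findings for off-hours access and volume spikes."""
    findings = []
    # 1. Any event outside the business-hours window.
    for ts, user, _action, _nbytes in events:
        if ts.hour not in BUSINESS_HOURS:
            findings.append((user, "off_hours", ts.isoformat()))
    # 2. Any day far above the user's own median day.
    for user, per_day in daily_totals(events).items():
        if len(per_day) < MIN_HISTORY_DAYS:
            continue
        # Baseline excludes the user's single busiest day so one spike cannot mask itself.
        baseline = median(sorted(per_day.values())[:-1])
        for day, total in per_day.items():
            if baseline > 0 and total > SPIKE_FACTOR * baseline:
                findings.append((user, "volume_spike", day.isoformat()))
    return findings


if __name__ == "__main__":
    for user, reason, when in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user:8} {reason:13} {when}")
```

The point of baselining per user rather than per organization is that a VP who legitimately handles large files every day should not trip the same threshold as a clerk who suddenly does; the findings are leads for the HR conversation the notes describe, not proof of intent.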

Shadow IT

Shadow IT occurs when employees adopt technology services that are not approved by the organization in order to become more productive: individuals and groups seek out their own technology solutions instead of going through IT.
This is a problem because it puts sensitive company information in the hands of unknown and unapproved third-party software and service providers, outside the organization's security controls and monitoring.

Competitors

Competitors may engage in corporate espionage designed to steal sensitive information from your organization and use it to their own business advantage.
This may include theft of customer information, stealing proprietary software, identifying confidential product development plans, or gaining access to any other information that would benefit the competitor.
Competitors will sometimes use a disgruntled insider to get information from your company.
They may also seek out insider information for sale on the dark web, an anonymous overlay network where much of the activity is illicit.
Some dark web markets openly advertise that they want to buy confidential data from corporate insiders.
This gives competitors a ready source from which to purchase your company's information.

Attributes of Threat Actors

Cybersecurity threat actors differ significantly in their skills, capabilities, resources, and motivation.
Protecting your organization's information and systems requires a solid understanding of the nature of these different threats so that you can develop a set of security controls that comprehensively protects against them.
Internal vs. External: We most often think about the threat actors who exist outside our organizations: competitors, criminals, and the curious. However, some of the most dangerous threats come from within our own environments.
Level of Sophistication/Capability: Threat actors vary greatly in their level of cybersecurity sophistication and capability.
Resources/Funding: They also vary in the resources available to them. Highly organized attackers sponsored by criminal syndicates or national governments often have virtually limitless resources, whereas less organized attackers may simply be hobbyists working in their spare time.
Intent/Motivation: Attackers also vary in their motivation and intent. The script kiddie may be out simply for the thrill of the attack, whereas competitors may be engaged in highly targeted corporate espionage. Nation-states seek to achieve political objectives; criminal syndicates focus on direct financial gain.

Threat Vectors

Threat vectors are the paths attackers use to gain access to an organization's network and the sensitive information on it.

Email

Email is one of the most commonly exploited threat vectors. Phishing messages, spam messages, and other email-borne attacks are a simple way to gain a foothold on an organization's network.
It is a very easy medium to scale and distribute: "throw your net as wide as possible."
The attacker generally needs to succeed only once to launch a broader attack.
Even if 99.9% of users ignore a phishing message, the attacker needs the login credentials of only a single user to begin.

Social Media

Attackers might directly target users on social media, or they might use social media to harvest information about users (job role, colleagues, travel, interests) for use in another attack such as spear phishing.
It is an increasingly important vector because of how broad, personal, and comprehensive the information people share there is.

Direct Access

Bold attackers may seek direct access to an organization's network by physically entering its facilities.
One of the most common ways they do this is by entering a public area of a facility, such as a lobby, customer store, or other easily accessible location, sitting down with a laptop, and surreptitiously connecting it to an unsecured network jack on the wall.
Attackers who gain physical access to a facility may also find an unsecured computer terminal, network device, or other system.
If an attacker can touch it, they can compromise it!