Actors and Threats
Hacker Hats
White-hat hackers
Also known as authorized attackers, white-hat hackers are those who act with authorization and seek to discover security vulnerabilities with the intent of correcting them. White-hat attackers may either be employees of the organization or contractors hired to engage in penetration testing.
Black-hat hackers
Also known as unauthorized attackers, black-hat hackers are those with malicious intent. They seek to defeat security controls and compromise the confidentiality, integrity, or availability of information and systems for their own unauthorized purposes.
Gray-hat hackers
Also known as semi-authorized attackers, gray-hat hackers fall somewhere between white- and black-hat hackers. They act without proper authorization, but they do so with the intent of informing their targets of any security vulnerabilities.
Script Kiddies
Script Kiddie is a derogatory term for people who use hacking techniques but have limited skills.
Often such attackers rely almost entirely on automated tools they download from the Internet. These attackers often have little knowledge of how their attacks actually work, and they are simply seeking out convenient targets of opportunity. Script kiddies are still a threat regardless of how rudimentary their hacking skills are, because simplistic hacking tools are so easily available and it is so simple to automate DoS attacks, create viruses and trojan horses, or even distribute ransomware. They don’t discriminate. They often just search for and discover vulnerable victims without even knowing the identity of their target. They may attack your network simply because it is there, with no real ulterior motive besides using it for target practice.
Hacktivists
Hacktivists use hacking techniques to accomplish some activist goal. They might deface the website of a company whose policies they disagree with, or attack a network over some political issue.
They believe they are motivated by the greater good, even if their activity violates the law. Because they believe that they are engaged in a just crusade, they will, at least in some instances, risk getting caught to accomplish their goals. They may even view being caught as a badge of honor and a sacrifice for their cause. Large groups will always have more time and other resources than a lone attacker. Due to their distributed and anonymous nature, it is difficult to identify, investigate, and prosecute participants in their hacking activities. The capture of one member is unlikely to compromise the identities of other members.
Whistleblowers
Whistleblowers are internal government employees who release confidential information. Edward Snowden is a former contractor with the U.S. National Security Agency who shared a large cache of sensitive government documents with journalists. Snowden's actions provided unprecedented insight into the digital intelligence gathering capabilities of the United States and its allies.
Criminal Syndicates
Organized crime syndicates don’t care about acting for political causes and they don’t care about showing the world how great their skills are; they care about one thing and one thing only: the Almighty Dollar $.
There are a variety of cybercrime categories, including the following:
Cyber-dependent crime: including ransomware, data compromise, distributed denial-of-service (DDoS) attacks, website defacement, and attacks against critical infrastructure
Child sexual exploitation: including child pornography, abuse, and solicitation
Payment fraud: including credit card fraud and business email compromises
Dark web activity: including the sale of illegal goods and services
Terrorism support: including facilitating the actions of terrorist groups online
Cross-cutting crime factors: including social engineering, money mules, and the criminal abuse of cryptocurrencies
Organized crime tends to have attackers who range from moderately skilled to highly skilled. They understand it takes money to make money, so they’re willing to spend cash if the ROI is great enough.
Advanced Persistent Threats (APTs)
APTs are security organizations that are backed or created by a nation to carry out cyber attacks. Although their patriotic ties are never explicitly stated or claimed by their home country, they are certainly being significantly funded by it.
Their attacks and tools are highly advanced and persistent, meaning they deploy constant advanced cyber attacks on a target until the goal is achieved. A nation has the labor force, time, and money to finance ongoing, sophisticated attacks.
Insider Threats
Insider Threats occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization.
These attacks are often aimed at disclosing confidential information, but insiders may also seek to alter information or disrupt business processes. Insiders already have some access to your network and some level of knowledge; depending on the insider's job role, they might have significant access and knowledge. They know what to hit, how to hit it, and what internal protective security measures you may have. An insider threat could be any of the following:
An employee who was passed over for a promotion
A vendor who doesn’t agree with the direction of the company
A VP motivated by financial gain
Behavioral assessments are a powerful tool in identifying insider attacks. Cybersecurity teams should work with human resources partners to identify insiders exhibiting unusual behavior and intervene before the situation escalates.
Shadow IT
Shadow IT occurs when employees purchase technology services that aren't approved by the organization in order to become more productive.
It happens when individuals and groups seek out their own technology solutions. It is an issue because it puts sensitive company information in the hands of unknown and unapproved third-party software and technology.
Competitors
Competitors may engage in corporate espionage designed to steal sensitive information from your organization and use it to their own business advantage.
This may include theft of customer information, stealing proprietary software, identifying confidential product development plans, or gaining access to any other information that would benefit the competitor. Competitors will sometimes use a disgruntled insider to get information from your company. They may also seek out insider information available for purchase on the dark web, a shadowy anonymous network often engaging in illicit activity. Some dark web markets advertise that they wish to buy confidential data from corporate insiders. This provides a ready resource for competitors to purchase your company's information on the dark web.
Attributes of Threat Actors
Cybersecurity threat actors differ significantly in their skills, capabilities, resources, and motivation.
Protecting your organization's information and systems requires a solid understanding of the nature of these different threats so that you may develop a set of security controls that comprehensively protects your organization against their occurrence.
Internal vs. External
We most often think about the threat actors who exist outside our organizations: competitors, criminals, and the curious. However, some of the most dangerous threats come from within our own environments.
Level of Sophistication/Capability
Threat actors vary greatly in their level of cybersecurity sophistication and capability.
Resources/Funding
Threat actors vary in the resources available to them. Highly organized attackers sponsored by criminal syndicates or national governments often have virtually limitless resources, whereas less organized attackers may simply be hobbyists working in their spare time.
Intent/Motivation
Attackers also vary in their motivation and intent. The script kiddie may be simply out for the thrill of the attack, whereas competitors may be engaged in highly targeted corporate espionage. Nation-states seek to achieve political objectives; criminal syndicates often focus on direct financial gain.
Threat Vectors
Threat Vectors are the ways attackers gain access to sensitive information from an organization’s network.
Email
Email is one of the most commonly exploited threat vectors. Phishing messages, spam messages, and other email-borne attacks are a simple way to gain access to an organization's network. It is a very easy medium to amplify and distribute: “Throw your net as wide as possible.” Attackers generally only need to succeed one time to launch a broader attack. Even if 99.9% of users ignore a phishing message, the attacker needs the login credentials of a single user to begin their attack.
Social Media
Attackers might directly target users on social media, or they might use social media in an effort to harvest information about users that may be used in another type of attack. Social media is becoming the new ‘main’ vector of cyber threats due to how broad, personal, and comprehensive it is.
Direct Access
Bold attackers may seek to gain direct access to an organization's network by physically entering the organization's facilities. One of the most common ways they do this is by entering public areas of a facility, such as a lobby, customer store, or other easily accessible location, and sitting and working on their laptops, which are surreptitiously connected to unsecured network jacks on the wall. Attackers who gain physical access to a facility may be able to find an unsecured computer terminal, network device, or other system. If an attacker can touch it, they can compromise it!
Wireless Networks
Wireless Networks offer an even easier path onto an organization's network. Attackers don't need to gain physical access to the network or your facilities if they are able to sit in the parking lot and access your organization's wireless network. Unsecured or poorly secured wireless networks pose a significant security risk.
Supply Chain
Sophisticated attackers may attempt to interfere with an organization's IT Supply Chain, gaining access to devices at the manufacturer or while the devices are in transit from the manufacturer to the end user.
Tampering with a device before the end user receives it allows attackers to insert backdoors that grant them control of the device once the customer installs it on their network. This type of third-party risk is difficult to anticipate and address.
Cloud
Cloud services can also be used as an attack vector. Attackers routinely scan popular cloud services for files with improper access controls, systems that have security flaws, or accidentally published API keys and passwords.
Organizations must include the cloud services that they use as an important component of their security program.
Removable Media
Attackers also commonly use Removable Media, such as USB drives, to spread malware and launch their attacks.
An attacker might distribute inexpensive USB sticks in parking lots, airports, or other public areas, hoping that someone will find the device and plug it into their computer, curious to see what it contains. As soon as that happens, the device triggers a malware infection that silently compromises the finder's computer and places it under the control of the attacker.
Threat Intelligence Sources
Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.
Building a threat intelligence program is a crucial part of any organization's approach to cybersecurity. If you're not familiar with current threats, you won't be able to build appropriate defenses to protect your organization against those threats. Vulnerability Databases are also an essential part of an organization's threat intelligence program. Reports of vulnerabilities certainly help direct an organization's defensive efforts, but they also provide valuable insight into the types of exploits being discovered by researchers.
Open source threat intelligence
Open Source Threat Intelligence is threat intelligence that is acquired from publicly available sources.
Many organizations have recognized how useful open sharing of threat information can be, and open source threat intelligence has become broadly available. Now the challenge is often around deciding what threat intelligence sources to use, ensuring that they are reliable and up-to-date, and leveraging them well. A number of sites maintain extensive lists of open source threat information sources:
Senki.org provides a list:
The Open Threat Exchange operated by AT&T is part of a global community of security professionals and threat researchers:
The MISP Threat Sharing project, www.misp-project.org/feeds, provides standardized threat feeds from many sources, with community-driven collections.
Threatfeeds.io hosts a list of open source threat intelligence feeds, with details of when they were added and modified, who maintains them, and other useful information:
The SANS Internet Storm Center: isc.sans.org
VirusShare contains details about malware uploaded to VirusTotal:
Using the Dark Web
The Dark Web is a network run over standard Internet connections but using multiple layers of encryption to provide anonymous communication. Hackers often use sites on the dark web to share information and sell credentials and other data stolen during their attacks.
Threat intelligence teams should familiarize themselves with the dark web and include searches of dark web marketplaces for credentials belonging to their organizations or its clients. The sudden appearance of credentials on dark web marketplaces likely indicates that a successful attack took place and requires further investigation.
Predictive Analysis
Predictive analysis is a branch of advanced analytics that makes predictions about future outcomes using historical data combined with statistical modeling, data mining techniques, and machine learning.
It analyzes large amounts of data very quickly in order to find suspicious malware patterns or behavior. It is used to see the storm before it comes: it creates a forecast before an attack and acts as a warning system. It identifies behaviors such as DNS queries, traffic patterns, packets, location data, etc. It is often combined with machine learning and AI to make increasingly accurate predictions.
Proprietary and Closed-Source Intelligence
Commercial security vendors, government organizations, and other security-centric organizations also create and make use of Proprietary, or Closed-Source Intelligence.
They do their own information gathering and research, and they may use custom tools, analysis models, or other proprietary methods to gather, curate, and maintain their own threat feeds. An organization may want to keep its threat data secret for several reasons: it may want to sell or license the data, its methods and sources may be trade secrets, or it may not want to take the chance of threat actors learning what data it is gathering. You may want to have multiple feeds that you can check against each other; one feed may be faster or release information sooner, so multiple good-quality, reliable feeds can be a big help! Threat maps provide a geographic view of threat intelligence. Many security vendors offer high-level maps that provide real-time insight into the cybersecurity threat landscape.
Public/Private Information Sharing Centers
Threat intelligence communities have been created to share threat information.
In the United States, organizations known as Information Sharing and Analysis Centers (ISACs) help infrastructure owners and operators share threat information and provide tools and assistance to their members. ISACs operate on a trust model, allowing in-depth sharing of threat information for both physical and cyber threats. Most ISACs operate 24/7, providing ISAC members in their sector with incident response and threat analysis. The National Council of ISACs lists the sector-based ISACs at Specific U.S. agencies or department partners for each critical infrastructure area can be found below. The UK Centre for the Protection of National Infrastructure is
Indicators Of Compromise
Indicators Of Compromise are the telltale signs that an attack has taken place and may include file signatures, log patterns, and other evidence left behind by attackers.
IoCs may also be found in file and code repositories that offer threat intelligence information.
Threat Indicator Management and Exchange
Managing threat information at any scale requires standardization and tooling to allow the threat information to be processed and used in automated ways.
The Threat Industry needs a faster, automated way to share information.
Processing, filtering, and managing the threat indicators can be a smooth process if a predefined set of terms is created.
Structured Threat Information eXpression (STIX) is an XML language originally sponsored by the U.S. Department of Homeland Security. In its current version, STIX 2.0 defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools. These objects are then related to each other by one of two STIX relationship object models: either as a relationship or as a sighting. A companion to STIX is the Trusted Automated eXchange of Indicator Information (TAXII) protocol. TAXII is intended to allow cyber threat information to be communicated at the application layer via HTTPS, and it is specifically designed to support STIX data exchange.
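As an added example (not from the original notes, nor code from the STIX or TAXII projects), the following Python ties the Indicators of Compromise section to the STIX object model above: it builds a minimal STIX 2.0 bundle with a malware domain object, an indicator domain object carrying a file hash and a domain IoC, and a "relationship" object, then scans constructed log lines for the indicator's values and records the hits as a "sighting", the second relationship object type. STIX 2.x objects are serialized as JSON, so these dicts map directly onto the wire format; the hash, domain, malware name and log lines are constructed placeholders.

```python
import re
import uuid

# Constructed placeholder IoCs, not indicators from any real campaign.
SAMPLE_SHA256 = "a" * 64
SAMPLE_DOMAIN = "c2.example.invalid"
TS = "2024-01-01T09:00:00.000Z"  # fixed creation timestamp for the sample


def stix_id(obj_type):
    """STIX 2.x identifiers take the form '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def build_bundle():
    """Minimal STIX 2.0 bundle: a malware SDO, an indicator SDO whose pattern
    carries the IoCs, and an SRO saying the indicator 'indicates' the malware."""
    malware = {"type": "malware", "id": stix_id("malware"), "created": TS,
               "modified": TS, "name": "ExampleLoader (constructed)",
               "labels": ["trojan"]}
    indicator = {"type": "indicator", "id": stix_id("indicator"), "created": TS,
                 "modified": TS, "labels": ["malicious-activity"], "valid_from": TS,
                 "pattern": (f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}' OR "
                             f"domain-name:value = '{SAMPLE_DOMAIN}']")}
    rel = {"type": "relationship", "id": stix_id("relationship"), "created": TS,
           "modified": TS, "relationship_type": "indicates",
           "source_ref": indicator["id"], "target_ref": malware["id"]}
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
            "objects": [malware, indicator, rel]}


# One comparison expression inside a STIX pattern: <object-path> = '<value>'.
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def pattern_values(pattern):
    """Map object paths to literal values in a simple equality-only pattern."""
    return dict(_COMPARISON.findall(pattern))


def find_sightings(bundle, log_lines, observer_id):
    """Scan log lines for each indicator's values; emit one STIX 'sighting'
    SRO per indicator that matched, with count = number of matching lines."""
    sightings = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        values = pattern_values(obj["pattern"]).values()
        hits = [ln for ln in log_lines if any(v in ln for v in values)]
        if hits:
            sightings.append({"type": "sighting", "id": stix_id("sighting"),
                              "created": TS, "modified": TS,
                              "sighting_of_ref": obj["id"],
                              "where_sighted_refs": [observer_id],
                              "count": len(hits)})
    return sightings


# Constructed log lines: a DNS query to the C2 domain, an AV hash hit, one benign.
SAMPLE_LOGS = [
    f"2024-01-01T10:00:00Z dns host=wks-12 qname={SAMPLE_DOMAIN}",
    f"2024-01-01T10:00:05Z av host=wks-12 sha256={SAMPLE_SHA256} action=quarantine",
    "2024-01-01T10:00:09Z dns host=wks-13 qname=updates.example.com",
]
```

Calling find_sightings(build_bundle(), SAMPLE_LOGS, "identity--...") yields one sighting with count 2; the resulting objects could be appended to the bundle and pushed to a TAXII collection.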
File/Code Repositories
File Repositories are a great way to stay on the front line for what’s being built in the industry.
Code repositories are centralized locations for the storage and management of application source code.
The main purpose of a code repository is to store the source files used in software development in a centralized location that allows for secure storage and the coordination of changes among multiple developers. Repositories are dangerous in the sense that someone’s private code can be accidentally posted publicly, or even worse, their login information hacked. See GitHub below.
Threat Research Sources
Threat Research is a perpetual, never-ending process. You’ll need to constantly sift through information from different resources to stay on top of things.
As a security professional, you should continue to conduct your own research into emerging cybersecurity threats. Here are some sources you can use:
Vendors and Websites
Vendor sites are a great place to learn about vulnerabilities in hardware, operating systems, and applications. Vendors are normally the first to know about any vulnerability within their ecosystem, and they normally let their customers or users know ASAP.
Vulnerability Feeds
Vulnerability Feeds send notifications (email, text, or website) when relevant critical vulnerabilities are found. Using other companies’ vulnerability feeds in conjunction with yours always helps. Using a vulnerability management system allows you to keep track of the latest vulnerabilities, identify vulnerabilities specific to your environment, and create an immediate notification system when one is found.
Conferences
Conferences can be an early warning for things to come: learn the latest vulnerabilities that are in the wild. They are a great way to gather up-to-date intelligence and trends that are occurring in the industry. You can get a first-hand account from people who have gone through these attacks and what blue team methods they used to mitigate the damage. Also a great place to meet interesting people and form professional connections.
Academic Journals
Academic journals give very detailed information about attack types, written by industry experts, and about which types of security technologies are better than others. They tear apart the latest malware in detail and explain what makes it tick. A great place to learn more about the gears and grinds of what happens behind the scenes in security technologies.
RFC (Request For Comments)
An RFC refers to a standard or a method of doing a particular task. RFCs are a formal way to track and list a number of standards in security. They provide detailed analysis of different types of threats and include experimental documents for security threats.
Local Industry Groups
See your local meetings with your security peers.
Social Media
Hackers are very open about vulnerabilities on social media. Use keyword searches for vulnerabilities as well: search ‘CVE’ or ‘Bug Bounty’ on Reddit or Twitter. People will openly discuss and have conversations about these threats as well.
Threat Feeds
Automated threat feeds with notifications about relevant critical vulnerabilities are a must.
Adversary Tactics, Techniques, and Procedures
TTPs are the techniques, tactics, and methods attackers are using to infiltrate your network. What are the attackers doing and how are they doing it? Know thy enemy and you will know thyself. You need to proactively look for threats because firewalls and threat signatures can’t catch everything. Attack methods vary based on what industry is being targeted, so focus your defense on the TTPs most relevant to you.