Lesson 2: Explaining Threat Actors and Threat Intelligence


Criminal Syndicate

A criminal syndicate can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution. Syndicates will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and extortion.

Tactic, Technique, or Procedure (TTP)

A tactic, technique, or procedure (TTP) is a generalized statement of adversary behavior. A tactic is the high-level goal an adversary pursues during a phase of an attack, a technique is the general method used to achieve it, and a procedure is the specific implementation of that technique observed in a given campaign.

A company technician goes on vacation. While the technician is away, a critical patch released for Windows servers is not applied. According to the National Institute of Standards and Technology (NIST), what does the delay in applying the patch create on the server? A. Control B. Risk C. Threat D. Vulnerability

D. Vulnerability NIST defines vulnerability as a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. In addition to delays in applying patches, other examples of vulnerabilities include improperly installed hardware, untested software, and inadequate physical security.

Hackers

Hacker describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means.
- Black hat hacker: unauthorized.
- White hat hacker: authorized.
- Gray hat hacker (semi-authorized): might try to find vulnerabilities in a product or network without seeking the approval of the owner, but might not try to exploit any vulnerabilities they find.

File/Code Repositories

A file/code repository holds signatures of known malware code. The code samples derive from live customer systems and (for public repositories) files that have been uploaded by subscribers.

Risk

Risk is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability. To assess risk, you identify a vulnerability and then evaluate the likelihood of it being exploited by a threat and the impact that a successful exploit would have.

Script Kiddies

Someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.

Structured Threat Information eXpression (STIX)

Structured Threat Information eXpression (STIX) is the part of the OASIS Cyber Threat Intelligence (CTI) framework that describes standard terminology for IoCs and ways of indicating relationships between them. It is designed to provide a format for automated threat data feeds so that organizations can share CTI.

Hacker Teams and Hacktivists

Today, threat actors are likely to work as part of some sort of team or group. The collaborative team effort means that these types of threat actors are able to develop sophisticated tools and novel strategies. A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

Vulnerability

Vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Examples of vulnerabilities include improperly configured or installed hardware or software, delays in applying and testing software and firmware patches, untested software and firmware patches, the misuse of software or communication protocols, poorly designed network architecture, inadequate physical security, insecure password usage, and design flaws in software or operating systems, such as unchecked user input.

Trusted Automated eXchange of Indicator Information (TAXII)

Where STIX provides the syntax for describing CTI, the Trusted Automated eXchange of Indicator Information (TAXII) protocol provides a means for transmitting CTI data between servers and clients.
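The exchange described above, as an added example that is not part of the original study set: a minimal in-process TAXII 2.1 server and the client walk a subscriber performs against it (discovery endpoint, API root, collection list, then the objects in a collection). The server, its collection id, the single STIX indicator it serves, and the "/taxii2/" and "/api1/" paths are all constructed for this example; the media type and the endpoint chain follow the TAXII 2.1 specification.

```python
"""Minimal TAXII 2.1 exchange over loopback: server side and client side."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
API_ROOT_PATH = "/api1/"                                  # hypothetical API root
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"   # hypothetical collection id

# Constructed sample CTI: one STIX 2.1 indicator the server hands out.
SAMPLE_OBJECTS = [{
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
    "name": "Constructed C2 address", "pattern_type": "stix",
    "pattern": "[ipv4-addr:value = '203.0.113.10']",
    "valid_from": "2024-01-01T00:00:00Z",
}]


class TaxiiHandler(BaseHTTPRequestHandler):
    """Serves the three read-only resources a TAXII client walks through."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", TAXII_MEDIA_TYPE)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        # TAXII 2.1 clients must ask for the TAXII media type; refuse otherwise.
        if TAXII_MEDIA_TYPE not in self.headers.get("Accept", ""):
            self._send(406, {"title": "Not Acceptable",
                             "description": f"Accept must include {TAXII_MEDIA_TYPE}"})
            return
        path = urlsplit(self.path).path
        host = self.headers["Host"]
        if path == "/taxii2/":                       # discovery resource
            self._send(200, {"title": "Example CTI server",
                             "api_roots": [f"http://{host}{API_ROOT_PATH}"]})
        elif path == f"{API_ROOT_PATH}collections/":   # collections resource
            self._send(200, {"collections": [{"id": COLLECTION_ID, "title": "Indicators",
                                              "can_read": True, "can_write": False}]})
        elif path == f"{API_ROOT_PATH}collections/{COLLECTION_ID}/objects/":
            self._send(200, {"objects": SAMPLE_OBJECTS})   # STIX objects envelope
        else:
            self._send(404, {"title": "Not Found"})


def start_server():
    """Start the server on a random loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), TaxiiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def taxii_get(url):
    """One TAXII request: a plain HTTPS/HTTP GET with the TAXII Accept header."""
    req = urllib.request.Request(url, headers={"Accept": TAXII_MEDIA_TYPE})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def fetch_indicator_patterns(discovery_url):
    """Client walk: discovery -> API root -> readable collections -> indicator patterns."""
    api_root = taxii_get(discovery_url)["api_roots"][0]
    patterns = []
    for coll in taxii_get(api_root + "collections/")["collections"]:
        if not coll.get("can_read"):
            continue
        objects = taxii_get(f"{api_root}collections/{coll['id']}/objects/")["objects"]
        patterns.extend(o["pattern"] for o in objects if o["type"] == "indicator")
    return patterns


def status_without_taxii_accept(url):
    """Show that a GET without the TAXII media type in Accept is refused (406)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5):
            return 200
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    base = start_server()
    print(fetch_indicator_patterns(base + "/taxii2/"))
```

The point to notice is that TAXII adds nothing to the content: the objects endpoint returns STIX as-is, and the protocol's job is the discovery chain, the media-type negotiation, and (in a real deployment, over HTTPS with authentication) controlling who may read or write each collection.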

A security engineer investigates a recent system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector? A. Threat B. Vulnerability C. Risk D. Exploit

A. Threat A threat is the potential for something to exploit a vulnerability. The thing that poses the threat is called an actor, while the path used can be referred to as the vector.

An unknowing user with authorized access to systems in a software development firm installs a seemingly harmless, yet unauthorized program on a workstation without the IT department's sanction. Identify the type of threat that is a result of this user's action. A. Unintentional insider threat B. Malicious insider threat C. Intentional attack vector D. External threat with insider knowledge

A. Unintentional insider threat Anyone who has or had authorized access to an organization's network, system, or data is considered an insider threat. Installing unauthorized software is negligent, but the user is an unintentional attack vector.

AI and Machine Learning

AI is the science of creating machine systems that can simulate or demonstrate a general intelligence capability similar to that of humans. Machine learning (ML) uses algorithms to parse input data and then develop strategies for using that data, such as identifying an object as a type, working out the best next move in a game, and so on. Machine learning can modify the algorithms it uses to parse data and develop strategies, making gradual improvements in its decision-making processes. The structure that facilitates this learning process is referred to as an artificial neural network (ANN). Applied to threat intelligence, AI/ML saves time and money by automating analysis that would otherwise require human analysts.

Attack Vector

An attack vector is the path that a threat actor uses to gain access to a secure system. In the majority of cases, gaining access means being able to run malicious code on the target.
- Direct access
- Removable media (USB thumb drive)
- Email
- Remote and wireless
- Supply chain
- Web and social media
- Cloud

Internal/External Threat Actor

An external threat actor or agent is one that has no account or authorized access to the target system. It is the threat actor that is defined as external, rather than the attack method. An internal (or insider) threat actor is one that has been granted permissions on the system. This typically means an employee, but insider threat can also arise from contractors and business partners.

An IT manager in the aviation sector checks the industry's threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing? A. Open Source Intelligence (OSINT) B. An Information Sharing and Analysis Center (ISAC) C. A vendor website, such as Microsoft's Security Intelligence blog D. A closed or proprietary threat intelligence platform

B. ISAC ISACs are set up to share industry-specific threat intelligence and best practices in critical sectors, such as the aviation industry.

When exploring the deep web, a user will need which of the following to find a specific and hidden dark web site? A. The Onion Router (TOR) B. Dark web search engine C. A specific URL or ip D. Open Source Intelligence (OSINT)

C. A specific URL or IP. Deep web sites, especially those hidden from search engines, are accessed directly via the site's URL or IP address. These addresses are often only available by word of mouth on bulletin boards. (A dark web site additionally requires the Tor client to reach it, but the address is still what locates the specific site.)

A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and take steps to remedy the breach and harden their systems. When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using standardized language for other government agencies to use. The team will transmit threat data feed via which protocol? A. Structured Threat Information eXpression (STIX) B. Automated Indicator Sharing (AIS) C. Trusted Automated eXchange of Indicator Information (TAXII) D. A code repository protocol

C. TAXII. The TAXII protocol provides a means for transmitting CTI data between servers and clients. Subscribers to the CTI service obtain updates to the data over TAXII and load them into analysis tools.

Advanced Persistent Threat (APT)

The term Advanced Persistent Threat (APT) was coined to understand the behavior underpinning modern types of cyber adversaries. Rather than think in terms of systems being infected with a virus or Trojan, an APT refers to the ongoing ability of an adversary to compromise network security—to obtain and maintain access—using a variety of tools and techniques.

Threat Intelligence Platforms

- Closed/proprietary: the threat research and CTI data is made available as a paid subscription to a commercial threat intelligence platform.
- Vendor websites: proprietary threat intelligence is not always provided at cost. All types of security, hardware, and software vendors make huge amounts of threat research available via their websites as a general benefit to their customers.
- Public/private information sharing centers: in many critical industries, Information Sharing and Analysis Centers (ISACs) have been set up to share threat intelligence and promote best practice (nationalisacs.org/member-isacs). These are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation.
- Open source intelligence (OSINT): some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort.
- Academic journals
- Conferences
- Request for Comments (RFC)
- Social media

Which of the following are generally considered insider threats? (Select all that apply.) A. Former employee B. Contractor C. Customer D. White hat hacker

A and B. Former employee and contractor. Anyone who has or had authorized access to an organization's network, system, or data is considered an insider threat. In this example, a former employee and a contractor fit the criteria.

A contractor has been hired to conduct security reconnaissance on a company. The contractor browses the company's website to identify employees and then finds their Facebook pages. Posts found on Facebook indicate a favorite bar that employees frequent. The contractor visits the bar and learns details of the company's security infrastructure through small talk. What reconnaissance phase techniques does the contractor practice? (Select all that apply.) A. Open Source Intelligence (OSINT) B. Scanning C. Social engineering D. Persistence

A and C. OSINT and social engineering. OSINT refers to using web search tools and social media to obtain information about the target; the contractor used this technique by identifying employees from the company website and, from their Facebook posts, the bar they frequent. Social engineering was used at the bar, where the contractor learned details of the company's security infrastructure through small talk with those employees.

Insider Threat

An actor who has been identified by the organization and granted some sort of access. Insider threats can be categorized as unintentional. An unintentional or inadvertent insider threat is a vector for an external actor, or a separate (malicious) internal actor, to exploit, rather than a threat actor in its own right. Unintentional threats usually arise from lack of awareness or from carelessness, such as users demonstrating poor password management.
- Shadow IT: purchasing or introducing computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process. The problem of shadow IT is exacerbated by the proliferation of cloud services and mobile devices, which are easy for users to obtain. Shadow IT creates a new unmonitored attack surface for malicious adversaries to exploit.

Indicator of Compromise (IoC)

An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Put another way, an IoC is evidence of a TTP.
- Unauthorized software and files
- Suspicious emails
- Suspicious registry and file system changes
- Unknown port and protocol usage
- Excessive bandwidth usage
- Rogue hardware
- Service disruption and defacement
- Suspicious or unauthorized account usage
An IoC can be definite and objectively identifiable, like a malware signature, but often IoCs can only be described with confidence via the correlation of many data points. Because these IoCs are often identified through patterns of anomalous activity rather than single events, they can be open to interpretation and therefore slow to diagnose.
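The two ideas above, that STIX expresses IoCs and the relationships between them and that an IoC becomes confident through correlation of several data points, as one added example that is not part of the original study set. It builds a small STIX 2.1 bundle (two indicators that both "indicate" one malware object), parses the single-comparison indicator patterns, matches them against constructed proxy and DNS log lines, and then triages hosts by how many independent indicators each one hit. The malware name, the indicator values (documentation/reserved addresses only), the log format and the host names are all constructed for the example; the STIX object shapes follow the 2.1 specification.

```python
"""STIX 2.1 indicators matched against log lines, with per-host correlation."""
import json
import re
import uuid
from collections import defaultdict

NOW = "2024-01-05T00:00:00.000Z"  # constructed timestamp for the sample objects


def stix_object(obj_type, **props):
    """Build a STIX 2.1 object carrying the common required properties."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}


def indicator(name, pattern):
    return stix_object("indicator", name=name, pattern=pattern,
                       pattern_type="stix", valid_from=NOW)


def build_bundle():
    """Constructed CTI: two indicators, each related to one (hypothetical) malware family."""
    mal = stix_object("malware", name="HypotheticalRAT", is_family=True)
    c2 = indicator("RAT C2 address", "[ipv4-addr:value = '203.0.113.10']")
    dom = indicator("RAT staging domain", "[domain-name:value = 'update-cdn.invalid']")
    # Relationship objects are how STIX says "this indicator indicates that malware".
    rels = [stix_object("relationship", relationship_type="indicates",
                        source_ref=i["id"], target_ref=mal["id"]) for i in (c2, dom)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [mal, c2, dom, *rels]}


# Only single-comparison patterns, e.g. [ipv4-addr:value = '203.0.113.10'].
PATTERN_RE = re.compile(r"\[([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\]")


def parse_pattern(pattern):
    """Return (STIX cyber-observable type, property, value) for a simple pattern."""
    m = PATTERN_RE.fullmatch(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m.group(1), m.group(2), m.group(3)


# Constructed proxy and DNS log lines from three hypothetical workstations.
SAMPLE_LOGS = """\
2024-01-05T10:00:01Z proxy host=ws12 dst=203.0.113.10 dport=443 bytes=812
2024-01-05T10:00:03Z dns host=ws12 query=update-cdn.invalid
2024-01-05T10:01:10Z dns host=ws07 query=update-cdn.invalid
2024-01-05T10:02:00Z proxy host=ws07 dst=198.51.100.5 dport=443 bytes=120
2024-01-05T10:03:00Z proxy host=ws20 dst=203.0.113.11 dport=443 bytes=44
""".splitlines()

LOG_RE = re.compile(r"host=(?P<host>\S+).*?(?:dst=(?P<ip>[\d.]+)|query=(?P<domain>\S+))")
FIELD_FOR_TYPE = {"ipv4-addr": "ip", "domain-name": "domain"}  # observable type -> log field


def correlate(bundle, log_lines):
    """Map each host to the set of indicator names its log events matched exactly."""
    wanted = {}  # (log field, value) -> indicator name
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        obj_type, _prop, value = parse_pattern(obj["pattern"])
        field = FIELD_FOR_TYPE.get(obj_type)
        if field:
            wanted[(field, value)] = obj["name"]
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("ip", "domain"):
            name = wanted.get((field, m.group(field)))
            if name:
                hits[m.group("host")].add(name)
    return dict(hits)


def triage(hits, min_indicators=2):
    """One match is a lead; independent indicators on the same host are a stronger IoC."""
    return sorted(h for h, names in hits.items() if len(names) >= min_indicators)


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2)[:400], "...")
    found = correlate(bundle, SAMPLE_LOGS)
    print(found, "-> high confidence:", triage(found))
```

With the sample logs, ws12 matches both the C2 address and the staging domain and is the only host the triage step reports; ws07 resolved the domain once, which is a lead worth a look but not, on its own, evidence of compromise, and ws20's near-miss address (203.0.113.11) is correctly ignored because indicator matching is exact.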

Threat Map

Animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform.

Vulnerability Databases and Feeds

Another source of threat intelligence is identifying vulnerabilities in OS, software application, and firmware code. Security researchers look for vulnerabilities, often for the reward of bug bounties offered by the vendor. Lists of vulnerabilities are stored in databases such as Common Vulnerabilities and Exposures (CVE), operated by MITRE (cve.mitre.org). Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software.

Automated Indicator Sharing (AIS)

Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing (us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS is based on the STIX and TAXII standards and protocols.

One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the critical factors to profile? (Select all that apply.) A. Education B. Socioeconomic status C. Intent D. Motivation

C and D, Intent and Motivation From the choices provided, the two most critical factors to profile for a threat actor are intent and motivation. Greed, curiosity, or grievance may motivate an attacker.

What is Open Source Intelligence (OSINT)? A. Obtaining information, physical access to premises, or even access to a user account through the art of persuasion B. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources C. Using web search tools and social media to obtain information about the target D. Using software tools to obtain information about a host or network topology

C. Using web search tools and social media to obtain information about the target OSINT is using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not.

Predictive Analysis

Identifying the signs of a past attack or the presence of live attack tools on a network quickly is valuable. However, one of the goals of using AI-backed threat intelligence is to perform predictive analysis, or threat forecasting. This means that the system can anticipate a particular type of attack and possibly the identity of the threat actor before the attack is fully realized. Concrete threat forecasting is not a proven capability of any commercial threat intelligence platform at the time of writing. However, predictive analysis can inform risk assessment by giving more accurate, quantified measurements of the likelihood and impact (cost) of breach-type events.

Intent and Motivation

Intent describes what an attacker hopes to achieve from the attack. Motivation is the attacker's reason for perpetrating the attack.

Attack Surface

The attack surface is all the points at which a malicious threat actor could try to exploit a vulnerability. To evaluate the attack surface, you need to consider the type of threat actor. The attack surface for an external actor is (or should be) far smaller than that for an insider threat.

State Actors

The goals of state actors are primarily espionage and strategic advantage, but it is not unknown for countries—North Korea being a good example—to target companies purely for commercial gain. State actors have been implicated in many attacks, particularly on energy and health network systems.

Threat Intelligence Providers

The outputs from the primary research undertaken by security solutions providers and academics can take three main forms:
- Behavioral threat research: narrative commentary describing examples of attacks and TTPs.
- Reputational threat intelligence: lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.
- Threat (CTI) data: computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.

Threat

Threat is the potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector. Threats can be characterized as structured or unstructured (or targeted versus opportunistic) depending on the degree to which your own organization is targeted specifically.

Level of Sophistication, Capability, Resources, and Funding

You must also consider the sophistication and level of resources/funding that different adversaries might possess. Capability refers to a threat actor's ability to craft novel exploit techniques and tools. Capability is only funded through a substantial budget. Sophisticated threat actor groups need to be able to acquire resources, such as customized attack tools and skilled strategists, designers, coders, hackers, and social engineers. The most capable threat actor groups receive funding from nation states and criminal syndicates.

