Lesson 2: Explaining Threat Actors and Threat Intelligence

vulnerabilities, threats, risks

security assessments include ___________________, _______________, and _______________

vulnerability + threat

= risk

threat

the potential for someone or something to exploit a vulnerability and breach security

automated indicator sharing

is a service offerred by the department of homeland security for companies to participate in threat intelligence sharing

RFCs

is published when a new technology is accepted as a web standard

motivation

is the attackers reason for conducting the attack

artificial intelligence

is the science of creating machine systems that can simulate or demonstrate a similar general intelligence capability to humans

hacktivist

a _____________ group like anonymous uses cyber weapons to promote a political agenda

code repository

a __________________ such as virustotal.com holds signatures of known malware code, are derived from live customer systems and files that have been uploaded by subscribers

threat research

is a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques and procedures of modern cyber adversaries

vendor websites

a model in which all types of security hardware and software vendors make huge amounts of threat research available via their websites as a benefit to customers

closed/proprietary

a model in which the threat research and CTI data is made available as part of a paid subscription to a commercial threat intelligence platform

information sharing and analysis centers

a model referring to centers set up to share threat intelligence and promote best practice, these are sector specific resources for companies and agencies working in critical industries

open source intelligence

a model where some companies operate their threat intelligence services on an open source basis, earning income from consultancy rather than directly from the platform or research effort

dark net

a network established as an overlay to internet infrastructure by software such as TOR, freenet, or I2P that acts to anonymize usage and prevent a third party from knowing about the existence of the network

vulnerability

a weakness that could be triggered accidentally or exploited intentionally to cause a security breach

academic journals

results from academic researchers and not for profit trade bodies and associations, such as IEEE, are published in journals

attack vector

an _____________ is the path that a threat actor uses to gain access to a secure system

IOC

an ______________ is evidence of a TTP

internal

an _________________ threat actor is one that has been granted permissions on the system

external

an _________________ threat actor is one that has no account or authorized access to the target system

attack surface

an __________________ is all the points at which a malicious threat actor could try to exploit a vulnerability

threat map

an animated graphic showing the source, target, and type of attacks that have been detected by the CTI platform

web/social media

an attack vector referring to malware that may be in a site or in social engineering campaigns

remote/wireless

an attack vector referring to when the attacker either obtains credentials for a remote access or wireless connection to the network or cracks the security protocols used for authentication

removable media

an attack vector referring to where an attacker conceals malware on a USB thumb drive or memory card

email

an attack vector that includes phishing

direct access

an attack vector that refers to a type of physical/local attack using things like an unlocked work station, a boot disk, or theft

supply chain

an attack vector that refers to the attacker compromising a supplier to the company

cloud

an attack vector that refers to when the attacker targets the accounts used to develop services in the cloud or manage cloud systems

deep web

any part of the web not indexed by a search engine

insider threat

arises from an actor who has been identified by the organization and granted some sort of access

IOC

can be definite and objectively identifiable, but often they can only be described with confidence via the correlation of many data points

predictive analysis

can inform risk assessment by giving more accurate, quantified measurement of the likelihood and impact of breach type events

threat data

computer data that can correlate events observed on customers own networks and logs with known TTP and threat actor indicators

tactic, technique or procedure

is a generalized statement of adversary behavior, categorizes behaviors in terms of campaign strategy and approach, generalized attack vectors, and specific intrusion tools and methods

indicator of compromise

is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked

hacker

describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means

intent

describes what an attacker hopes to achieve from the attack

location, intent, capability

dynamic analysis involves identifying the attributes of threat actors in terms of ________________, _______________, and _________________

knowledge base

early types of AI use if-then rules to draw inferences from a limited data set, called a ____________________

reputational threat intelligence

lists of IPs and domains associated with malicious behavior, plus signatures of known file based malware

CVEs

lists of vulnerabilities are stored in databases such as _____________, operated by MITRE

threat

may be intentional or unintentional

behavioral threat research

narrative commentary describing examples of attacks and TTPs gathered through primary research sources

predictive analysis

one of the goals of AI backed threat intelligence is to perform ____________________ which means that the system can anticipate a particular type of attack and possibly the identity of the threat actor before the attack is fully realized

structured threat information eXpression

part of the OASIS CTI framework that describes standard terminology for IOCs and ways of indicating relationships between them

threat actor

person or thing that poses a threat is called a:

capability

refers to a threat actors ability to craft novel exploit techniques and tools

advanced persistent threats

refers to the ongoing ability of an adversary to compromise network security - to obtain and maintain access - using a variety of tools and techniques

dark web

sites, content and services accessible only a dark net

script kiddie

someone who uses hacker tools without understanding how they work or having the capability to craft new attacks

OASIS

the _____________ CTI framework is designed to provide a format for this type of automated feed so that orgs can share CTI

state actors

the goals of _________________ are usually espionage and strategic advantage

risk

the likelihood and impact of a threat actor exploiting a vulnerability

attack vector

the path or tool used by a malicious threat actor can be referred to as a:

artificial neural network

the structure that facilitates the machine learning process is referred to as ____________________

cyber threat intelligence

threat data can be packaged as feeds that integrate with a security information and event management system (SIEM) platform, these feeds are called _______________________

artificial intelligence

to produce actionable intelligence, threat data must be correlated with observed data from customer networks, this analysis is often powered by _____________ features of the SIEM

machine learning

uses algorithms to parse input data and then develop strategies for using that data, such as identifying an object as a type, working out the best next move

channel

when transmitting CTI, the data is pushed to subscribers in a _________________

collection

when transmitting CTI, the data is requested by the client, called a ______________

threat data feed

when you use a cyber threat intelligence platform, you subscribe to a __________________

trusted automated eXchange of indicator information

where STIX provides the syntax of describing the OASIS CTI framework, _________________________ protocol provides a means for transmitting CTI data between servers and clients

shadow IT

where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through the procurement and security analysis process