2.1.2 Threat Agents Overview
Breach the system
A breach is the penetration of system defenses. It is often achieved by using information gathered through reconnaissance.
Competitor
A competitor threat actor carries out attacks on behalf of an organization and targets competing companies. For example, a payment processing company could hire someone to carry out a DDoS attack on a competing payment processing company to force users to choose the attacker's product. Motives behind such attacks include financial gain, competitor defamation, or stealing industry secrets.
Which of the following is the BEST definition of the term hacker?
A general term used to describe any individual who uses their technical knowledge to gain unauthorized access to an organization.
Hacktivist
A hacktivist is any individual whose attacks are politically motivated. Instead of seeking financial gain, hacktivists are looking to defame, shed light on, or cripple an organization or government. Oftentimes, hacktivists work alone. Occasionally, they create unified groups of like-minded hackers. For example, the website wikileaks.org is a repository of leaked government secrets, some of which have been obtained by hacktivists.
Nation state
A nation state is the most organized, well-funded, and dangerous type of threat actor. There are two primary motives for nation state attacks (also called state-sponsored attacks):
Obtaining information - Some attacks seek to obtain sensitive information, such as government secrets. These attacks usually target organizations that have government contracts or the government systems themselves. Attacks motivated by information gathering are considered a type of APT, because the goal is to remain in the system undetected.
Crippling systems - Some attacks seek to cripple the target's network or infrastructure. For example, an attack could target a city's power grid or water system. In 2010, a malicious computer worm called Stuxnet was discovered. The worm was designed to target industrial centrifuges used by the Iranian nuclear program. Stuxnet is thought to be a state-sponsored attack because its code was so large and complex that it would have required huge amounts of funding and resources to create.
Nation states use many attack vectors and unknown exploits. Defending against them involves building a comprehensive security approach that uses all aspects of threat prevention and protection.
Script kiddie
A script kiddie is an individual who carries out an attack by using scripts or programs written by more advanced hackers. Script kiddies typically lack the skills and sophistication of legitimate hackers. Script kiddies are usually motivated by the chance to impress their friends or garner attention in the hacking community. Because script kiddies lack knowledge and sophistication, their attacks often seek to exploit well-known vulnerabilities in systems. As such, defending against script kiddies involves keeping systems up-to-date and using standard security practices.
White hat
A skilled hacker who uses knowledge and skills only for defensive purposes. A white hat hacker obtains explicit permission to interact with a system or systems. These are the ethical hackers.
Use technical approaches
A technical approach to obtaining information includes using software or utilities to find vulnerabilities in a system. Methods often used by hackers are:
Port scan
Ping sweep
Exploit vulnerabilities
Exploitation takes advantage of known vulnerabilities in software and systems. Once a vulnerability has been exploited, an attacker can often:
Steal information
Deny services
Crash systems
Modify/alter information
Insider
An insider is any individual who has authorized access to an organization and either intentionally or unintentionally carries out an attack. The most common type of insider is a full-time employee; however, other inside actors include customers, janitors, security guards, and even former employees. Possible motives for an insider threat actor can include:
Disgruntlement with an employer
Bribery by a competitor
Personal financial gain
Because insiders are one of the most dangerous and overlooked threats to an organization, you need to take the appropriate steps to protect against them:
Require mandatory vacations.
Create and follow onboarding and off-boarding procedures.
Employ the principle of least privilege.
Have appropriate physical security controls in place.
Require security awareness training that is tailored to the role of the employee (role-based awareness training). Typical roles include:
Data owner
System administrator
System owner
User
Privileged user
Executive user
Sometimes an employee can become an insider threat actor without knowing it. This is known as an unintentional insider threat actor. Proper security training can help protect against unintentional insider threat actors.
Organized Crime
An organized crime threat actor consists of a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last several months, are well-funded, and are extremely sophisticated. A common tactic used by organized crime is a targeted phishing campaign. Once access is gained, the group will either steal data and threaten to release it, or use ransomware to hold data hostage. Due to the level of sophistication and amount of funding, attacks from organized crime groups are extremely hard to protect against. In many cases, it's simply a matter of time until a data breach occurs or ransomware takes hold. Because of this, many companies that need immediate access to their data (such as hospitals and financial institutions) stockpile digital currency in case of an attack. Specific protections against organized crime threat actors include:
Proper user security training
Implementing email filtering systems
Properly secured and stored data backups
In July 2017, an organized crime group hacked HBO's network and stole a purported 1.5 terabytes of data. The group then demanded HBO pay it a hefty ransom in bitcoins, or it would release the data to the public.
Open-source intelligence (OSINT)
Before carrying out an attack, a threat actor typically gathers open-source intelligence (OSINT) about the target. OSINT is information that is readily available to the public and doesn't require any type of malicious activity to obtain. Sources of OSINT include the following:
Media (newspapers, magazines, advertisements)
Internet (websites, blogs, social media)
Public government data (public reports, hearings, press conferences, speeches)
Professional and academic publications (journals, academic papers, dissertations)
Create a backdoor
A backdoor is an alternative method of accessing an application or operating system, originally intended for troubleshooting. Hackers often create backdoors to exploit a system without being detected.
Variety
Defensive layers should incorporate a variety of methods. Implementing multiple layers of the same defense does not provide adequate protection against attacks.
Escalate privileges
Escalating privileges is a primary objective of an attacker. Once an attacker has breached the system, obtaining higher privileges allows the attacker to access more information and gain greater control within the system.
Which of the following threat actors seeks to defame, shed light on, or cripple an organization or government?
Hacktivist
The IT manager in your organization proposes taking steps to deflect a potential threat actor. The proposal includes the following:
Create and follow onboarding and off-boarding procedures.
Employ the principle of least privilege.
Have appropriate physical security controls in place.
Which type of threat actor do these steps guard against?
Insider
An employee stealing company data could be an example of which kind of threat actor?
Internal threat
Internal vs. external
Internal threat agents are authorized individuals who carry out an attack by exploiting their inherent privileges. This category includes employees (both current and former), janitors, security guards, and even customers. External threat agents are individuals or groups that attack a network from the outside and seek to gain unauthorized access to data.
A script kiddie is a threat actor who lacks knowledge and sophistication. Script kiddie attacks often seek to exploit well-known vulnerabilities in systems. What is the BEST defense against script kiddie attacks?
Keep systems up to date and use standard security practices.
Layering
Layering involves implementing multiple security strategies to protect the same asset. Defense in depth or security in depth is based on the premise that no single layer is completely effective in securing assets. The most secure system/network has many layers of security and eliminates single points of failure.
A hacker scans hundreds of IP addresses randomly on the internet until they find an exploitable target. What kind of attack is this?
Opportunistic Attack
Randomness
Randomness in security is the constant change in personal habits and passwords to prevent predictable behavior.
In which phase of an attack does the attacker gather information about the target?
Reconnaissance
Perform reconnaissance
Reconnaissance is the process of gathering information about an organization, including:
System hardware information
Network configuration
Individual user information
Simplicity
Security measures should provide protection, but should not be so complex that they are difficult to understand and use.
Use social engineering
Social engineering is the process of manipulating others into providing sensitive information. Social engineering tactics include:
Intimidation
Sympathy
Stage computers
Staging a computer involves preparing it to perform additional tasks in the attack, such as installing software designed to attack other systems. This is an optional step.
Match the general attack strategy on the left with the appropriate description on the right. (Each attack strategy may be used once, more than once, or not at all.)
Attack strategies: Reconnaissance, Breaching, Escalating privileges, Staging, Exploitation
Descriptions:
Stealing information
Preparing a computer to perform additional tasks in the attack.
Crashing systems.
Gathering system hardware information.
Penetrating system defenses to gain unauthorized access.
Configuring additional rights to do more than breach the system.
Stealing information - Exploitation
Preparing a computer to perform additional tasks in the attack. - Staging
Crashing systems. - Exploitation
Gathering system hardware information. - Reconnaissance
Penetrating system defenses to gain unauthorized access. - Breaching
Configuring additional rights to do more than breach the system. - Escalating privileges
Match the general defense methodology on the left with the appropriate description on the right. (Each methodology may be used once, more than once, or not at all.)
Defense methodologies: Layering, Principle of least privilege, Variety, Randomness, Simplicity
Descriptions:
The constant change in personal habits and passwords to prevent anticipated events and exploitation.
Diversifying layers of defense.
Giving users only the access they need to do their job and nothing more.
Implementing multiple security measures to protect the same asset.
Eliminating single points of failure.
Giving groups only the access they need to do their job and nothing more.
The constant change in personal habits and passwords to prevent anticipated events and exploitation. - Randomness
Diversifying layers of defense. - Variety
Giving users only the access they need to do their job and nothing more. - Principle of least privilege
Implementing multiple security measures to protect the same asset. - Layering
Eliminating single points of failure. - Layering
Giving groups only the access they need to do their job and nothing more. - Principle of least privilege
Persistent vs. non-persistent
The goal of persistent threats is to gain access to a network and retain that access undetected. With this type of threat, attackers go to great lengths to hide their tracks and presence in the network. The goal of non-persistent threats is to get into a system and steal information. The attack is usually a one-time event. The attacker typically doesn't care if the attack is noticed. An advanced persistent threat (APT) is a type of persistent threat carried out by a nation state. An APT has the goal of continually stealing information without being detected. The tactics used are much more advanced than those of a traditional persistent threat.
Gray hat
The gray hat hacker falls between the white hat and black hat hackers. The gray hat may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.
Principle of least privilege
The principle of least privilege states that users or groups are given only the access they need to do their jobs and nothing more. When assigning privileges, be aware that it is often easier to give a user more access when it is needed than to take away privileges that have already been granted.
Hacker
The term hacker is a catch-all term used to describe any individual who uses technical knowledge to gain unauthorized access to an organization.
Black hat
This hacker is also very skilled, but uses knowledge and skills for illegal or malicious purposes. A black hat is also known as a cracker. They are highly unethical.
Which of the following is the BEST example of the principle of least privilege?
Wanda has been given access to the files that she needs for her job.