Lesson 2: Explaining Threat Actors and Threat Intelligence
vulnerabilities, threats, risks
security assessments include ___________________, _______________, and _______________
vulnerability + threat
= risk
threat
the potential for someone or something to exploit a vulnerability and breach security
automated indicator sharing
is a service offered by the Department of Homeland Security for companies to participate in threat intelligence sharing
RFCs
are published when a new technology is accepted as a web standard
motivation
is the attacker's reason for conducting the attack
artificial intelligence
is the science of creating machine systems that can simulate or demonstrate a similar general intelligence capability to humans
hacktivist
a _____________ group like Anonymous uses cyber weapons to promote a political agenda
code repository
a __________________ such as virustotal.com holds signatures of known malware code; these are derived from live customer systems and from files that have been uploaded by subscribers
threat research
is a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques and procedures of modern cyber adversaries
vendor websites
a model in which all types of security hardware and software vendors make huge amounts of threat research available via their websites as a benefit to customers
closed/proprietary
a model in which the threat research and CTI data is made available as part of a paid subscription to a commercial threat intelligence platform
information sharing and analysis centers
a model referring to centers set up to share threat intelligence and promote best practice; these are sector-specific resources for companies and agencies working in critical industries
open source intelligence
a model where some companies operate their threat intelligence services on an open source basis, earning income from consultancy rather than directly from the platform or research effort
dark net
a network established as an overlay to internet infrastructure by software such as Tor, Freenet, or I2P that acts to anonymize usage and prevent a third party from knowing about the existence of the network
vulnerability
a weakness that could be triggered accidentally or exploited intentionally to cause a security breach
academic journals
results from academic researchers and not-for-profit trade bodies and associations, such as IEEE, are published in journals
attack vector
an _____________ is the path that a threat actor uses to gain access to a secure system
IOC
an ______________ is evidence of a TTP
internal
an _________________ threat actor is one that has been granted permissions on the system
external
an _________________ threat actor is one that has no account or authorized access to the target system
attack surface
an __________________ is all the points at which a malicious threat actor could try to exploit a vulnerability
threat map
an animated graphic showing the source, target, and type of attacks that have been detected by the CTI platform
web/social media
an attack vector referring to malware that may be in a site or in social engineering campaigns
remote/wireless
an attack vector referring to when the attacker either obtains credentials for a remote access or wireless connection to the network or cracks the security protocols used for authentication
removable media
an attack vector referring to where an attacker conceals malware on a USB thumb drive or memory card
an attack vector that includes phishing
direct access
an attack vector that refers to a type of physical/local attack using things like an unlocked workstation, a boot disk, or theft
supply chain
an attack vector that refers to the attacker compromising a supplier to the company
cloud
an attack vector that refers to when the attacker targets the accounts used to develop services in the cloud or manage cloud systems
deep web
any part of the web not indexed by a search engine
insider threat
arises from an actor who has been identified by the organization and granted some sort of access
IOC
can be definite and objectively identifiable, but often they can only be described with confidence via the correlation of many data points
predictive analysis
can inform risk assessment by giving more accurate, quantified measurement of the likelihood and impact of breach type events
threat data
computer data that can correlate events observed on customers' own networks and logs with known TTPs and threat actor indicators
tactic, technique or procedure
is a generalized statement of adversary behavior; it categorizes behaviors in terms of campaign strategy and approach, generalized attack vectors, and specific intrusion tools and methods
indicator of compromise
is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked
hacker
describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means
intent
describes what an attacker hopes to achieve from the attack
location, intent, capability
dynamic analysis involves identifying the attributes of threat actors in terms of ________________, _______________, and _________________
knowledge base
early types of AI use if-then rules to draw inferences from a limited data set, called a ____________________
reputational threat intelligence
lists of IPs and domains associated with malicious behavior, plus signatures of known file-based malware
CVEs
lists of vulnerabilities are stored in databases such as _____________, operated by MITRE
threat
may be intentional or unintentional
behavioral threat research
narrative commentary describing examples of attacks and TTPs gathered through primary research sources
predictive analysis
one of the goals of AI-backed threat intelligence is to perform ____________________, which means that the system can anticipate a particular type of attack, and possibly the identity of the threat actor, before the attack is fully realized
structured threat information eXpression
part of the OASIS CTI framework that describes standard terminology for IOCs and ways of indicating relationships between them
threat actor
person or thing that poses a threat is called a:
capability
refers to a threat actor's ability to craft novel exploit techniques and tools
advanced persistent threats
refers to the ongoing ability of an adversary to compromise network security - to obtain and maintain access - using a variety of tools and techniques
dark web
sites, content, and services accessible only via a dark net
script kiddie
someone who uses hacker tools without understanding how they work or having the capability to craft new attacks
OASIS
the _____________ CTI framework is designed to provide a format for this type of automated feed so that organizations can share CTI
state actors
the goals of _________________ are usually espionage and strategic advantage
risk
the likelihood and impact of a threat actor exploiting a vulnerability
attack vector
the path or tool used by a malicious threat actor can be referred to as a:
artificial neural network
the structure that facilitates the machine learning process is referred to as ____________________
cyber threat intelligence
threat data can be packaged as feeds that integrate with a security information and event management (SIEM) platform; these feeds are called _______________________
artificial intelligence
to produce actionable intelligence, threat data must be correlated with observed data from customer networks; this analysis is often powered by _____________ features of the SIEM
machine learning
uses algorithms to parse input data and then develop strategies for using that data, such as identifying an object as a type or working out the best next move
channel
when transmitting CTI, the data is pushed to subscribers in a _________________
collection
when transmitting CTI, the data is requested by the client, called a ______________
threat data feed
when you use a cyber threat intelligence platform, you subscribe to a __________________
trusted automated eXchange of indicator information
where STIX provides the syntax for describing CTI in the OASIS framework, the _________________________ protocol provides a means for transmitting CTI data between servers and clients
shadow IT
where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through the procurement and security analysis process