Security + Study Guide Lesson 2
You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in order to connect to AIS servers?
Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for participating in threat intelligence sharing. AIS uses the Trusted Automated eXchange of Indicator Information (TAXII) protocol as a means of transmitting CTI data between servers and clients
You are consulting on threat intelligence solutions for a supplier of electronic voting machines. What type of threat intelligence source would produce the most relevant information at the lowest cost?
For critical infrastructure providers, threat data sharing via an information sharing and analysis center (ISAC) is likely to be the best option
Which type of threat actor is primarily motivated by the desire for social change?
Hacktivist
Your CEO wants to know if the company's threat intelligence platform makes effective use of OSINT. What is OSINT?
Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available
You are assisting with writing an attack surface assessment report for a small company. Following the CompTIA syllabus, which two potential attack vectors have been omitted from the following headings in the report? Direct access, Email, Remote and wireless, Web and social media, Cloud
Removable media and supply chain
Which of the following would be assessed by likelihood and impact: Vulnerability, Threat, or Risk?
Risk: To assess likelihood and impact you must identify both the vulnerability and the threat posed by a potential exploit
Open Source Intelligence (OSINT)
Some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort
Direct access
This is a type of physical or local attack. The threat actor could, for example, exploit an unlocked workstation, use a boot disk to try to install malicious tools, or steal a device
Sophisticated threat actors
Will make use of multiple vectors. They are likely to plan a multi-stage campaign, rather than a single "smash and grab" type of raid
malicious insider
a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems
Tactic, technique, procedure (TTP)
a generalized statement of adversary behavior. TTPs categorize behaviors in terms of campaign strategy and approach (tactics), generalized attack vectors (techniques), and specific intrusion tools and methods (procedures)
unintentional or inadvertent insider threat
a vector for an external actor, or a separate malicious internal actor to exploit, rather than a threat actor in its own right
Vulnerability
a weakness that could be triggered accidentally or exploited intentionally to cause a security breach
Attack surface
all the points at which a malicious threat actor could try to exploit a vulnerability
White hat hacker
always seeks authorization to perform penetration testing of private and proprietary systems
Threat Map
an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform
Insider Threat
arises from an actor who has been identified by the organization and granted some sort of access
white hat hacker
authorized
criminal syndicate
can operate across the internet from different jurisdictions than its victim, increasing the complexity of prosecution
Advanced Persistent Threat (APT)
coined to understand the behavior underpinning modern types of cyber adversaries
Threat data
computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators
Example of vulnerability
delays in applying and testing software and firmware patches
indicators
describe how to recognize what those actions might look like
TTPs
describe what and how an adversary acts
Hacker
describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means
Structured Threat Information eXpression (STIX)
describes standard terminology for IoCs and ways of indicating relationships between them
intent
describes what an attacker hopes to achieve from the attack
Example of vulnerability
design flaws in software or operating systems, such as unchecked user input
The goals of state actors are primarily
espionage and strategic advantage, but it is not unknown for countries
Cyber Threat Intelligence (CTI) data
feeds that integrate with a security information and event management platform (SIEM)
state actors
have been implicated in many attacks, particularly on energy and health network systems
File code repository
holds signatures of known malware code
Example of vulnerability
improperly configured or installed hardware or software
Public/Private Information Sharing Centers
in many critical industries, information sharing and analysis centers (ISACs) have been set up to share threat intelligence and promote best practice. These are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation. Where there is no coverage by an ISAC, local industry groups and associations may come together to provide mutual support
Example of vulnerability
inadequate physical security
Example of vulnerability
insecure password usage
Reputational threat intelligence
lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware
Web and social media
malware may be concealed in files attached to posts or presented as downloads. An attacker may also be able to compromise a site so that it automatically infects vulnerable browser software (a drive-by download). Social media may also be used more subtly, to reinforce a social engineering campaign and drive the adoption of trojans
Cloud
many companies now run part or all of their network services via internet-accessible clouds. The attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider (CSP) as a way of accessing the victim system
hacktivists
might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites
script kiddie attacks
might have no specific target or any reasonable goal other than gaining attention or proving technical abilities
gray hat hacker
might seek voluntary compensation of some sort (a bug bounty), but will not use an exploit as extortion
Example of vulnerability
misuse of software or communication protocols
malicious external threat
must infiltrate the security system using malware and/or social engineering
Behavioral threat research
narrative commentary describing examples of attacks and TTPs gathered through primary research sources
internal/insider threat actor
one that has been granted permissions on the system
external threat actor or agent
one that has no account or authorized access to the target system
Common Vulnerabilities and Exposures (CVE)
operated by MITRE. Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software
Example of vulnerability
poorly designed network architecture
Vendor websites
proprietary threat intelligence is not always provided at cost. All types of security, hardware, and software vendors make huge amounts of threat research available via their websites as a general benefit to their customers. One example is Microsoft's security intelligence blog
Trusted Automated eXchange of Indicator Information (TAXII)
provides a means for transmitting CTI data between servers and clients
supply chain
rather than attack the target directly, a threat actor may seek ways to infiltrate it via companies in its supply chain. One high-profile example of this is the Target data breach, which was made via the company's HVAC supplier
capability
refers to a threat actor's ability to craft novel exploit techniques and tools
APT
refers to the ongoing ability of an adversary to compromise network security to obtain and maintain access using a variety of tools and techniques
Dark web
sites, content, and services accessible only over a dark net. While there are dark web search engines, many sites are hidden from them. Access to a dark web site via its URL is often only available via "word of mouth" bulletin boards
script kiddie
someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks
Which three types of threat actors are most likely to have high levels of funding?
state actors, criminal syndicates, and competitors
Removable media
the attacker conceals malware on a USB thumb drive or memory card and tries to trick employees into connecting the media to a PC, laptop, or smartphone. For some exploits, simply connecting the media may be sufficient to run the malware. In many cases, the attacker may need the employee to open a file in a vulnerable application or run a setup program
Remote and Wireless
the attacker either obtains credentials for remote access or wireless connection to the network or cracks the security protocols used for authentication. Alternatively, the attacker spoofs a trusted resource, such as an access point, and uses it to perform credential harvesting and then uses the stolen account details to access the network
Email
the attacker sends a malicious file attachment via email, or via any other communications system that allows attachments. The attacker needs to use social engineering techniques to persuade or trick the user into opening the attachment
motivation
the attacker's reason for perpetrating the attack
Risk
the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability. To assess risk, you identify a vulnerability and then evaluate the likelihood of it being exploited by a threat and the impact that a successful exploit would have
attack vector
the path or tool used by a malicious threat actor
Attack vector
the path that a threat actor uses to gain access to a secure system
threat actor or threat agent
the person or thing that poses the threat
Threat
the potential for someone or something to exploit a vulnerability and breach security. It may be intentional or unintentional
AI
the science of creating machine systems that can simulate or demonstrate a similar general intelligence capability to humans
Closed/Proprietary
the threat research and CTI data is made available as a paid subscription to a commercial threat intelligence platform. The security solution provider will also make the most valuable research available early to platform
Shadow IT
users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process. Shadow IT creates a new unmonitored attack surface for malicious adversaries to exploit
hacktivist group
uses cyber weapons to promote a political agenda
True or False? Nation state actors primarily only pose a risk to other states
False: nation-state actors have targeted commercial interests for theft, espionage, and extortion
You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day's consultancy to patch the vulnerability. How should you categorize this threat?
This is either gray hat (semi-authorized) hacking or black hat (non-authorized) hacking. If the request for compensation via consultancy is an extortion threat (if refused, the hacker sells the exploit on the dark web), then the motivation is purely financial gain and can be categorized as black hat. If the consultancy is refused and the hacker takes no further action, it can be classed as gray hat
Dark net
a network established as an overlay to internet infrastructure by software, such as The Onion Router (Tor), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity
Indicator of compromise (IOC)
a residual sign that an asset or network has been successfully attacked or is continuing to be attacked. An IOC is evidence of a TTP
Automated Indicator Sharing (AIS)
a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing
gray hat hacker
semi-authorized; might try to find vulnerabilities in a product or network without seeking the approval of the owner, but might not try to exploit any vulnerabilities they find
black hat hacker
unauthorized
Example of vulnerability
untested software and firmware patches
Machine learning (ML)
uses algorithms to parse input data and then develop strategies for using that data, such as identifying an object as a type, working out the best next move in a game, and so on
