Lesson 2 Threat Actors and Threat Intelligence
CERT's main motivators for malicious insider threats: ----, ----, and ----
sabotage, financial gain, and business advantage.
AI
science of creating machine systems that can simulate or demonstrate a similar general intelligence capability to humans.
Public/private information sharing centers
sector specific resources (information sharing and analysis centers - ISACs) for companies and agencies working in critical industries.
Attack Vector
the person or thing that poses the threat.
Three primary research forms undertaken by security solutions providers/academics:
Behavioral Threat Research, Reputational Threat Intelligence, Threat data
Threat
the potential for someone or something to exploit a vulnerability and breach security
Threat intelligence platforms and feeds are supplied under one of three different commercial models
Closed/Proprietary, Public/private information sharing centers, Open Source Intelligence
the attacker sends malicious file attachment via email/other communication that allows attachments.
Email attack vector
restricting access so that only a few known endpoints, protocols/ports, and services/methods are permitted.
Minimizing the attack surface
To assess ----, you identify ---- and then evaluate the likelihood of it being exploited by a ---- and the impact that a successful exploit would have.
Risk, vulnerability, threat
"----" known threats such as Trojans, botnets, etc. can be scanned via 'signature-based scanning.'
Static
TTPs acronym
Tactics, techniques, and procedures
Other sources of best practice advice and new research:
academic journals, conferences, requests for comments (published by the W3C), social media
State Actors
acting on behalf of a governmental body, their goals are primarily espionage and strategic advantage but occasionally economic gain and pride.
An Indicator of Compromise (IOC)
residual sign that an asset or network has been successfully attacked or is continuing to be attacked.
Malicious insider
a current or former employee, contractor, or business partner who has/had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the CIA triad of the organization's information/info systems
Dark Net
a network established as an overlay to the internet infrastructure by software such as Tor, Freenet, or I2P that acts to anonymise usage and prevent a 3rd party from knowing about the existence of the network or analyzing the activity taking place over the network.
Automated Indicator Sharing (AIS)
a service offered by DHS for companies to participate in threat intelligence sharing.
Zero day
a software vulnerability unknown to those who should be interested in its mitigation. Once the software vendor/organization becomes aware of the attack, the count moves to 1-day, 2-day, etc.
Capability
a threat actor's ability to craft novel exploit techniques and tools.
An unintentional/inadvertent insider threat
a vector for an external actor (or a separate, malicious internal actor) to exploit, rather than a threat actor in its own right.
Vulnerability
a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. (Improperly configured hardware/software, insecure password usage, inadequate physical security)
Attack Surface
all points at which a malicious threat actor could try to exploit a vulnerability
Threat Map
an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform
Hacker
an individual who has the skills to gain access to computer systems through unauthorized or unapproved means
threat forecasting
anticipate a particular attack and possibly identify the threat actor before the attack is fully realized
Deep Web
any part of the world wide web that is not indexed by a search engine (i.e., requires registration, blocks search indexing, or uses nonstandard DNS)
Remote and Wireless attack vector
attacker either obtains credentials for remote access or a wireless connection to the network, or cracks the security protocols used for authentication. An attacker can also spoof a trusted resource like an access point to perform credential harvesting.
Cloud attack vector
attacker finds an account, service, or host with weak credentials to gain access to a cloud network, or tries to attack the cloud service provider directly.
White Hat
authorized hacker who always seeks authorization to perform penetration testing of private servers
Tactic
campaign strategy and approach
Predictive Analysis
can inform risk assessment by giving more accurate, qualified measurements of the likelihood and impact of breach-type events
Cybercrime Syndicate
can operate across the internet from different jurisdictions than its victim, increasing difficulty of prosecution. Typical activities are financial fraud and extortion.
Open Source Intelligence (OSINT)
companies that operate threat intelligence services publicly, earning income from consultancy rather than from their platform/research effort.
Threat Data
computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.
Removable Media attack vector
conceals malware on a USB drive/memory card and tricks employees into connecting the media to a PC, laptop, etc.
Threat Research
counterintelligence gathering effort in which security companies and researchers attempt to discover TTPs
Attack Vector
the path that a threat actor uses to gain access to a secure system.
Structured Threat Information Expression (STIX)
describes standard terminology for IOCs and ways of indicating relationships between them.
Technique
generalized attack vectors
A Tactic, technique or procedure (TTP)
generalized statement of adversary behavior.
Hacktivist Group
hackers working together and using cyber weapons to promote a political agenda.
file/code repository
holds signatures of known malware code.
Primary sources of threat intelligence
honeynets, dark web
A threat may be ---- or ----
intentional or unintentional
Reputational Threat Intelligence
lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based indicators.
Common Vulnerabilities and Exposures
lists of vulnerabilities, operated by MITRE
Analyzing behaviors of threat actors involves identifying ---, ---, and ---.
location, intent and capability
Web and social media attack vector
malware can be concealed in files attached to posts/presented as downloads OR an attacker may compromise a site so that it infects vulnerable browsers.
Behavioral Threat Research
narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
Advanced Persistent Threat (APT)
ongoing ability of an adversary to compromise network security - to obtain and maintain access - using a variety of tools and techniques.
Direct access attack vector
physical or local attack.
One of the goals of using AI-backed threat intelligence is to perform ---- ----, or threat forecasting: anticipating a particular attack and possibly identifying the threat actor before the attack is fully realized
predictive analysis
Trusted Automated EXchange of Indicator Information (TAXII)
provides a means for transmitting CTI data between servers and clients
Supply Chain attack vector
rather than attack a target directly, the attack is aimed at a company in the target's supply chain
Threat data can be packaged as feeds that integrate with a ------- platform, typically described as ------- data
security information and event management (SIEM), cyber threat intelligence (CTI)
Gray Hat
semi-authorized hacker who might try to find vulnerabilities in a system without authorization. May seek voluntary compensation (bug bounties) but will not extort.
Dark Web
sites, content, and services accessible only over the darknet.
Script Kiddie
someone who uses hacker tools without understanding how they work or being able to craft new attacks. May have no specific target or reasonable goal other than gaining attention/proving technical abilities.
Procedures
specific intrusion tools and methods
Artificial Neural Network
structure that facilitates the machine learning process.
Threats can be characterized as ---- or ---- (i.e., targeted vs. opportunistic)
structured, unstructured
Motivation
the attacker's reason for perpetrating the attack.
Risk
the likelihood and impact/consequence of a threat actor exploiting a vulnerability
The person or thing that poses the threat is called a ---- or ----
threat actor, threat agent
Closed/Proprietary
threat research and CTI data available only as a paid subscription. They will make the most valuable research available early to platform subscribers in the form of blogs, white papers, webinars.
Internal Threat (aka Insider)
threat that has been granted permissions on the system (i.e., employees, contractors, business partners).
External Threat
threat that has no account or authorized access to the target system. Typically infiltrates using malware and/or social engineering.
Black Hat
unauthorized hacker usually associated with illegal or malicious system intrusions.
Name some common IoCs
unauthorized software/files, suspicious emails, suspicious registry and file system changes, excessive bandwidth usage, rogue hardware, service disruption/defacement, suspicious/unauthorized account usage
Shadow IT
users purchase or introduce computer hardware/software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process.
Machine Learning
uses algorithms to parse input data and then develop strategies for using that data. Can modify the algorithm it uses to parse data and develop strategies, gradually improving the decision-making process.
Security assessments must identify ways in which systems could be attacked; these assessments involve ----, ----, and ----.
vulnerabilities, threats and risk
Intent
what an attacker hopes to achieve from the attack.