1.5 - Threat Actors and Vectors Flashcards

1
Q

Define a Threat Actor.

A

The person or group responsible for an event that has an impact on the security of another entity (a person, organization, or system).

2
Q

Define Advanced Persistent Threat (APT).

A

An attacker who has made their way onto a network and stays there without being detected; it can take several months to discover them. The term also refers to the well-resourced groups (often nation-state backed) that carry out such long-running intrusions.

3
Q

Define Insiders as a threat actor.

A

Individuals who already have legitimate access to the network, whether employees or contractors. Their attacks may not be as sophisticated, but they have insider knowledge, can bypass perimeter controls because they are already inside, and can focus on the systems they know to be vulnerable.

4
Q

Define Nation States as a threat actor.

A

Governments. They may try to damage other nations or organizations for their own gain. They have massive resources and can run sustained, long-term campaigns. They are often the source of an Advanced Persistent Threat (APT).

5
Q

Define a Hacktivist as a threat actor.

A

A hacker who has a social or political agenda. Funding is often limited.

6
Q

Define Script Kiddies as a threat actor.

A

Someone who runs pre-made scripts or tools without really understanding what they do. They can be internal or external. They usually have no funding.

7
Q

Define Organized Crime as a threat actor.

A

Professional criminals who are motivated by money. They can afford to hire the best people to do the hacking, and the operation is run like a business with specialized roles.

8
Q

Define a Hacker as a threat actor.

A

An individual who is an expert with technology. Authorized hackers work within a network, with permission, to improve its security. Unauthorized hackers are malicious and act for personal gain. Semi-authorized hackers sit in between: they might find vulnerabilities without permission but with no intention of using them.

9
Q

Define a Shadow IT as a threat actor.

A

Individuals or groups within an organization that start acting as their own IT unit in order to get around the controls that the real IT unit has put in place to prevent security issues. They can occasionally be a good thing, but most often they are not: they waste time and money, introduce security risks and compliance issues, and make the organization more dysfunctional.

10
Q

Define Competitors as a threat actor.

A

Other organizations competing with your organization. They could hack in an attempt to get an edge. They can steal customer lists, shut down competitors during an event, corrupt manufacturing databases, or take financial information.

11
Q

Define an Attack Vector.

A

A method used by an attacker to gain access or infect the target.

12
Q

Define Direct Access Attack Vectors.

A

An attacker with physical access to a system. They can plug in a hardware key logger or modify the OS, and they can cause a denial of service simply by unplugging the PC or server.

13
Q

List some ways that an attacker could attack a Wireless network.

A

1) Default login credentials on access points
2) Rogue access point (an unauthorized AP attached to the network)
3) Evil twin (an attacker-controlled AP that impersonates a legitimate one)
4) Wireless security protocol vulnerabilities

14
Q

List some ways that an attacker could attack Email.

A

1) Phishing attacks
2) Delivering malware to the user as an attachment or link in a message
3) Social engineering

15
Q

List some ways that an attacker could attack a Supply Chain.

A

1) Tamper with the underlying infrastructure
2) Gain access to a network through a vendor's connection or software
3) Malware that modifies the manufacturing process
4) Counterfeit networking equipment

16
Q

List some ways that an attacker could attack Social Media.

A

1) Personal information (where you are and when), including geolocation
2) User profiling to work out the answers to security questions
3) Other people may give away information about you

17
Q

List some ways that an attacker could attack using Removable media.

A

1) Bypass the firewall: a USB device plugged into a host is never inspected by the network perimeter
2) Malicious software on USB flash drives (a way into air-gapped and industrial networks)
3) USB devices can act as keyboards and inject keystrokes
4) Data exfiltration: walk out with terabytes of data without using any network bandwidth

18
Q

List some ways that an attacker could attack the Cloud.

A

1) Publicly-facing applications and services
2) Security misconfigurations (for example, storage or services left open to anyone)
3) Brute-force attacks against, or phishing of, users of the cloud service
4) Orchestration attacks: make the cloud build new application instances under the attacker's control
5) Denial of service: disable the cloud service for everyone
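
The "security misconfigurations" item above is easiest to see with a weak setting next to its corrected form. The following is an added example, not part of the original flashcards: it checks a constructed AWS-style resource policy for statements that grant access to anyone, and a constructed list of security-group-style ingress rules for administrative ports open to the whole internet. The bucket name, account ID, role names and CIDRs are made up.

```python
import json

# Constructed, AWS-style resource policy. The "PublicRead" statement is the
# misconfiguration: Principal "*" with no Condition means anyone on the
# internet can read every object. Bucket and account ID are made up.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AdminWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deployer"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Corrected form: the same read access, scoped to one of the organization's own roles.
FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OrgRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AdminWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deployer"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Constructed security-group style ingress rules (port, source CIDR).
WEAK_INGRESS = [{"port": 443, "cidr": "0.0.0.0/0"},
                {"port": 22, "cidr": "0.0.0.0/0"},      # SSH open to the world
                {"port": 3389, "cidr": "::/0"}]         # RDP open to all of IPv6
FIXED_INGRESS = [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "203.0.113.0/24"}]  # admin access from the office range only

# Ports that are meant to be reachable from the whole internet (assumption for this example).
PUBLIC_OK_PORTS = {80, 443}


def _principal_is_anyone(principal):
    """True for "*" or {"AWS": "*"} (also when "*" appears inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Sids of Allow statements that grant access to anyone with no Condition.
    A Condition (e.g. restricting the source VPC endpoint) can narrow an
    anonymous principal, so only unconditioned statements are reported."""
    return [s.get("Sid", "<no sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]


def open_admin_ports(rules, ok_ports=PUBLIC_OK_PORTS):
    """Rules that expose a non-web port to the entire IPv4 or IPv6 internet."""
    return [r for r in rules
            if r["cidr"] in ("0.0.0.0/0", "::/0") and r["port"] not in ok_ports]


if __name__ == "__main__":
    print("weak policy, public statements:", public_statements(WEAK_POLICY))
    print("fixed policy, public statements:", public_statements(FIXED_POLICY))
    print("weak ingress, open admin ports:", open_admin_ports(WEAK_INGRESS))
    print("fixed ingress, open admin ports:", open_admin_ports(FIXED_INGRESS))
```

The same two checks are what cloud posture tools run continuously; the point of the corrected versions is that the fix is scoping (a named principal, a known source range), not removing the functionality.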

19
Q

Define Threat Intelligence.

A

Researching threats using several sources, then basing security decisions on the intelligence gathered.

20
Q

Define Open-source intelligence (OSINT).

A

Information on threats that is publicly available. It can be found in social media and discussion groups, government data, and commercial data.

21
Q

Define Closed/proprietary intelligence.

A

Information on threats that is sold by a commercial provider. Providers may offer threat analytics, correlation across different data sources, or constant threat monitoring.

22
Q

Define Vulnerability databases.

A

Databases of vulnerability data compiled from researchers who look for and report vulnerabilities.

Ex.
1) Common Vulnerabilities and Exposures (CVE)
A community-maintained list of publicly known vulnerabilities, each with a unique CVE identifier
2) U.S. National Vulnerability Database (NVD)
A summary of the CVEs that adds details the CVE list itself does not carry, including patch availability and severity scoring (CVSS)

23
Q

Explain how different entities might share threat intelligence.

A

1) Public threat intelligence
The federal government might declassify information
2) Private threat intelligence
Private companies have extensive resources to share
3) Cyber Threat Alliance (CTA)
Members upload threat intelligence in a specific format; the CTA scores each submission and validates it against other submissions; other members can then extract the validated data

24
Q

Define Automated indicator sharing (AIS).

A

A way to share threat intelligence quickly and automatically, using standard formats so that important threat data can move between organizations at machine speed.

Structured Threat Information eXpression (STIX)
A data format that describes cyber threat information, including motivations, abilities, capabilities, and response information
Trusted Automated eXchange of Indicator Information (TAXII)
The transport protocol used to securely exchange STIX data over HTTPS
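
To make the STIX/TAXII pairing concrete, the following is an added example, not part of the original flashcards and not the reference implementation of either standard: it builds STIX 2.1 Indicator objects from the standard library, wraps them in a Bundle, checks the required properties, and assembles the URL and header a TAXII 2.1 client would use to pull objects from a collection. The TAXII server address, collection id, file hash and IP address are made up (the IP is from the TEST-NET-1 documentation range).

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Properties every STIX 2.1 Indicator must carry (STIX 2.1, Indicator SDO).
INDICATOR_REQUIRED = ("type", "spec_version", "id", "created", "modified",
                      "pattern", "pattern_type", "valid_from")
# STIX identifiers look like "<object-type>--<UUID>".
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]{0,248}[a-z0-9]--[0-9a-f-]{36}$")

EXAMPLE_VALID_FROM = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed


def stix_timestamp(dt):
    """STIX requires RFC 3339 timestamps in UTC with a trailing 'Z'."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(pattern, name, valid_from, labels=None, now=None):
    """Build a STIX 2.1 Indicator for a STIX pattern such as
    "[file:hashes.'SHA-256' = '...']"."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stix_timestamp(valid_from),
    }
    if labels:
        obj["labels"] = list(labels)
    return obj


def make_bundle(objects):
    """A Bundle is the container TAXII moves around."""
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "objects": list(objects)}


def validate_indicator(obj):
    """Return a list of problems; an empty list means the object passes."""
    problems = ["missing %s" % p for p in INDICATOR_REQUIRED if p not in obj]
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    if "id" in obj and not (STIX_ID_RE.match(obj["id"])
                            and obj["id"].startswith("indicator--")):
        problems.append("id must be 'indicator--<uuid>'")
    if obj.get("pattern_type") == "stix" and not (
            obj.get("pattern", "").startswith("[") and obj["pattern"].endswith("]")):
        problems.append("STIX patterns are enclosed in square brackets")
    return problems


def taxii_objects_request(api_root, collection_id, added_after=None):
    """URL and headers for a TAXII 2.1 'Get Objects' request. The server is
    hypothetical and no network call is made here."""
    url = "%s/collections/%s/objects/" % (api_root.rstrip("/"), collection_id)
    if added_after:
        url += "?added_after=" + added_after
    return url, {"Accept": "application/taxii+json;version=2.1"}


def build_example_bundle():
    """Two constructed indicators (not real IOCs) packed into one Bundle."""
    hash_ioc = make_indicator("[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
                              "Constructed example dropper hash", EXAMPLE_VALID_FROM,
                              labels=["malicious-activity"])
    ip_ioc = make_indicator("[ipv4-addr:value = '192.0.2.10']",
                            "Constructed example C2 address", EXAMPLE_VALID_FROM)
    return make_bundle([hash_ioc, ip_ioc])


if __name__ == "__main__":
    bundle = build_example_bundle()
    print(json.dumps(bundle, indent=2))
    for ind in bundle["objects"]:
        print(ind["id"], validate_indicator(ind) or "ok")
    print(taxii_objects_request("https://taxii.example.net/api1",
                                "collection-id", "2024-05-01T00:00:00Z"))
```

The `added_after` parameter is how a TAXII poll stays incremental: the client remembers the `X-TAXII-Date-Added-Last` value from its previous response and asks only for newer objects on the next run.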

25
Q

Define dark web intelligence.

A

Information about threats gathered over the dark web. You can find hacking groups and services including: activities, tools and techniques, credit card sales, and accounts and passwords.

You can monitor forums for company and executive names.

26
Q

Define Indicators of Compromise (IOC).

A

An event or artifact that indicates an intrusion has taken place. Indicators can include an unusual amount of network activity, changes to file hash values, irregular international traffic, changes to DNS data, uncommon login patterns, or spikes in read requests to certain files.
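
Two of the indicators listed above (changed file hashes and uncommon login patterns) are easy to turn into detection logic. The following is an added example, not part of the original flashcards: it compares current file contents against a baseline of known-good SHA-256 hashes and runs three login-pattern checks over a constructed authentication log. The file contents, paths, usernames, countries and log lines are all made up; a real deployment would take the baseline from a file-integrity tool or package manifest and the events from the authentication system.

```python
import hashlib
from collections import defaultdict

# Constructed known-good contents; the baseline is their SHA-256 at install time.
KNOWN_GOOD_CONTENT = {
    "/usr/sbin/sshd": b"sshd known-good build 9.6",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}
BASELINE_HASHES = {path: hashlib.sha256(data).hexdigest()
                   for path, data in KNOWN_GOOD_CONTENT.items()}

# Constructed "current" contents, with sshd tampered with.
CURRENT_CONTENT = {
    "/usr/sbin/sshd": b"sshd known-good build 9.6 + backdoor",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}

# Constructed authentication log: timestamp, user, source country, result.
AUTH_LOG = """\
2024-05-01T09:02:11Z alice US success
2024-05-01T09:15:40Z bob US success
2024-05-02T10:01:05Z alice US success
2024-05-03T03:12:59Z alice RU success
2024-05-03T03:13:30Z bob US failure
2024-05-03T03:13:32Z bob US failure
2024-05-03T03:13:34Z bob US failure
2024-05-03T03:13:36Z bob US failure
2024-05-03T03:13:38Z bob US failure
2024-05-03T03:13:40Z bob US success
"""


def hash_changes(baseline, current):
    """IOC: a monitored file's hash no longer matches the baseline (or the
    file is gone). 'current' maps path -> bytes."""
    findings = []
    for path, expected in baseline.items():
        actual = hashlib.sha256(current[path]).hexdigest() if path in current else None
        if actual != expected:
            findings.append({"ioc": "file_hash_changed", "path": path,
                             "expected": expected, "actual": actual})
    return findings


def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        ts, user, country, result = line.split()
        events.append({"ts": ts, "hour": int(ts[11:13]), "user": user,
                       "country": country, "result": result})
    return events


def login_anomalies(events, work_hours=range(7, 20), fail_threshold=5):
    """IOCs from login patterns: a success from a country never seen before
    for that user, a success outside working hours, and a run of failures
    followed by a success (password guessing that finally worked). The
    first country seen for a user is treated as baseline and not flagged."""
    findings = []
    seen_countries = defaultdict(set)
    consecutive_failures = defaultdict(int)
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            consecutive_failures[user] += 1
            continue
        if consecutive_failures[user] >= fail_threshold:
            findings.append({"ioc": "success_after_failures", "user": user,
                             "failures": consecutive_failures[user], "ts": e["ts"]})
        consecutive_failures[user] = 0
        if seen_countries[user] and e["country"] not in seen_countries[user]:
            findings.append({"ioc": "new_country", "user": user,
                             "country": e["country"], "ts": e["ts"]})
        if e["hour"] not in work_hours:
            findings.append({"ioc": "off_hours_login", "user": user, "ts": e["ts"]})
        seen_countries[user].add(e["country"])
    return findings


if __name__ == "__main__":
    for f in hash_changes(BASELINE_HASHES, CURRENT_CONTENT):
        print(f)
    for f in login_anomalies(parse_auth_log(AUTH_LOG)):
        print(f)
```

Each of these checks is noisy on its own (travel, shift work, a user who mistypes a password); the value of an IOC feed comes from correlating several of them on the same host or account within a short window.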

27
Q

Explain what predictive analysis includes.

A

1) Analyze large amounts of data very quickly
Find suspicious patterns
Big data used for cybersecurity
2) Identify behaviors
DNS queries, traffic patterns, and location data
3) Create a forecast of potential attacks
4) Often uses machine learning

28
Q

What do threat maps do?

A

They identify attacks and trends through a worldwide perspective.

29
Q

What are some ways to use file/code repositories to gain intelligence?

A

1) See what tools the attackers are building
2) See what code, and what secrets inside it, organizations are accidentally publishing

30
Q

List some places you can research threats.

A

1) Vendor or manufacturer sites
2) CVE data feeds
3) National Vulnerability Database
4) Conferences
5) RFCs
6) Local industry groups
7) Social media

31
Q

Define Tactics, techniques, and procedures (TTP).

A

A way of describing the methods attackers use to get onto a network and what they do once there. TTP information can include the victims being targeted, the infrastructure used by the attackers, or an outbreak of a particular malware variant against a certain type of service.
