1.5 Threat Actors, Vectors, Intelligence Sources

Question 1

Actor:

• Inside the organization
• Low sophistication but high institutional knowledge
• Extensive resources

Answer 1

Insiders

Question 2

Actor

• Governmental
• High sophistication
• Militaristic
• APT

Answer 2

Nation States

Question 3

Actor:

• Has a strong purpose for social change or agenda
• Can be sophisticated
• Limited funding

Answer 3

Hacktivists

Question 4

Actor:

• Uses pre-made scripts without any technical knowledge
• No sophistication or funding
• Often do it for the fun of it

Answer 4

Script Kiddies

Question 5

Actor:

• High sophistication
• Money motivated
• Highly illegal activities
• Highly organized

Answer 5

Organized Crime

Question 6

Actor:

• experts with technology
• Can be authorized or unauthorized to perform activities

Answer 6

Hacker

Question 7

Actor:

• Rogue team that circumvents IT department
• Unencumbered and can make quick progress
• Often leads to wasted time and money, security risks, and compliance issues

Answer 7

Shadow IT

Question 8

This is used to describe the general pathways that an attacker can access a system or send an attack.

Answer 8

Attack vector

Question 9

Vector:

• When an attacker is able to access a system directly via hardware

Answer 9

Direct access

Question 10

Vector:

• Often easily accessed by poor configuration such as default admin credentials or rogue access points

Answer 10

Wireless

Question 11

Vector:

• Most commonly exploited as it is the most successful
• Usually involves phishing attacks

Answer 11

Email

Question 12

Vector:

• Compromise of vendor’s system which in turn creates a vulnerability for your organization

Answer 12

Supply Chain

Question 13

Vector:

• Vector commonly used to gather personal data to be used in other attacks
• Uses web applications such as Facebook and Twitter

Answer 13

Social Media

Question 14

Vector:

• Physical level attack vector that involves USB drives, external hard drives, and CDs

Answer 14

Removable media

Question 15

The process of researching threats and threat actors

Answer 15

threat intelligence

Question 16

This type of information is publicly available and provides a good foundational start. Includes intelligence from the internet, Gov’t agencies, and commercial data.

Answer 16

Open Source Intelligence (OSINT)

Question 17

• This type of intelligence is generally compiled and owned by a private party
• Can often be purchased
• Can provide Constant threat monitoring

Answer 17

Closed/Proprietary Intel

Question 18

• Community managed list of vulnerabilities
• Sponsored by the US Dept. Homeland Security and Cybersecurity and Infrastructure Security Agency (CISA)

Answer 18

Common Vulnerabilities and Exposures (CVE)

Question 19

What is the US National Vulnerability Database and what does it provide over the CVE listings?

Answer 19

Summary of CVEs

Additional details such as patch availablity and severity scoring

Question 20

Information sharing centers provide a source of real-time, high quality cyber threat information. What is one example of an information sharing center?

Answer 20

Cyber Threat Alliance (CTA)

Question 21

This is the method used by the security community to standardize and share important threat data.

Answer 21

Automated indicator sharing (AIS)

Question 22

The “language” and syntax of AIS data that describes the cyber threat info and includes motivations, abilities, capabilities, and response info.

Answer 22

Structured Threat Information eXpression (STIX)

Question 23

The method used for securely sharing STIX data.

Answer 23

Trusted Automated eXchange of Indicator Information (TAXII)

Question 24

This source of intelligence is an overlay network that uses the internet but is not indexable by search engines. Houses a number of hacking groups and services.

Answer 24

Dark Web

Question 25

Events that indicate an intrution. These come with high confidence.

Answer 25

Indicator of Compromise (IOC)

Question 26

Name a few indicators of compromise on a network or system

Answer 26

• Unusually high network traffic
• Changes to file hash values
• Irregular internation traffic
• Changes to DNS traffic
• Uncommon login patterns
• Spikes in read requests of certain files

Question 27

This is a method for using big data in cybersecurity with the goal of identifying suspicious patterns and behaviours. Often combined with machine learning

Answer 27

Predictive analysis

Question 28

Used to identify attacks and trends from a worldwide perspective

Created from real attack data

Answer 28

Threat maps

Question 29

This resource allows you to see what hackers are building as well as developers who may accidentally release private code to early revealing vulnerabilities and flaws. Can includes sites such as Github.

Answer 29

File/code repositories

Question 30

This is the process of getting to know your enemy when it comes to cybersecurity

Answer 30

Threat research

Question 31

Where might you be able to find problems and vulnerabilities regarding a specific piece of software?

Answer 31

Vendor websites

Question 32

This threat resource is a form of automated vulnerability notification that may include the National Vulnerability Database (NVD), CVE datafeeds, or a number of third-party feeds.

Answer 32

Vulnerability feeds

Question 33

What are the benefits of attending conferences in terms of threat intelligence?

Answer 33

• Meet researchers and learn new methods of intelligence gathering and new technologies
• Get stories from the trenches
• Forge alliances

Question 34

This intelligence resource provides cutting edge security anaylysis from academic professionals which often involves extremely detailed breakdowns of the information.

Answer 34

Academic journals

Question 35

This threat resource is generally a way to track and formalize a set of standards to be published on the internet for anyone to use.

Answer 35

Request for commends (RFC)

Question 36

This type of threat resource involves the gathering of local peers, particularly in the same industry as your own, who share a geographical presence

Answer 36

Local industry groups

Question 37

What you are looking for when performing threat research. Involves determing how the attackers are gaining access and what they are doing once they are in.

Answer 37

TTP (Tactics, Techniques, and procedures)