Characteristics of cyber security threat actor types
- Internal / External
- Level of sophistication / Capability
- Resources / Funding
- Intent / Motivation
The motivations of attackers
- Black-hat
- White-hat
- Gray-hat
Different types of threat actors
Script kiddies - hack for reputation, proving their skill
- Many of them
- Unfocused
- Lack of skill
- Lack of resources (both time and money) - many work alone
- External
Hacktivists
- The measures that deter others might not deter them
- Hack for a higher purpose
- The skills vary
- The resources vary - many work alone
- External, sometimes internal
Criminal syndicates
- Financial gain - solely!
- Tend to stay in shadows
- The skills are moderate to highly skilled
- Tend to have more resources
Advanced persistent threats
- Espionage, intellectual property, economic assets
- High skill - advanced techniques, not just tools, attacks are persistent, zero-days
- Significant resources
Insiders
- Employees wage an attack against an organization, leaks
- Activist goals, financial gain
- Any skill level
- Usually work alone
- Varying resources
Competitors
- Corporate espionage
- Will often use disgruntled employee
Zero-day attacks
Zero-days are security issues that have zero days passed since the threat has been known. APT-s often conduct their own research and get zero-days.
Shadow IT
The situation is when people search and get the tools unapproved from the organization for the purpose of being more productive. This means the business means are not being met by the enterprise IT team.
Threat vectors
Email and social media
- Most commonly exploited
- Easy to exploit
- Phishing, spam
- Can be executed towards many targets
Direct access
- Go to publicly accessible places (lobby, toilettes) and execute the attack
- Find unsecured network device, terminal, or server
Wireless networks
* Can be accessed from the parking lot
Removable media
* Drop cheap devices and wait for them to be plugged in
Cloud
* Attackers scan for publicly accessible cloud resources
Third-party risks
* Supply chain
About Threat data and intelligence
- Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment
- Open source threat intelligence is threat intelligence that is acquired from publicly available sources
- Proprietary and Closed-Source Intelligence
- Threat maps provide a geographic view of threat intelligence - not reliable
Assessing Threat Intelligence
- Is it timely? A feed that is operating on delay can cause you to miss a threat, or to react after the threat is no longer relevant.
- Is the information accurate? Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct?
- Is the information relevant? If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.
STIX
- Structured Threat Information eXpression (STIX) is an XML language
- STIX 2.0 defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools
TAXII
- Trusted Automated eXchange of Indicator Information (TAXII)
- intended to allow cyber threat information to be communicated at the application layer via HTTPS
TTPs
- Adversary tactics, techniques, and procedures (TTPs)
OpenIOC
- Open Indicators of Compromise (OpenIOC) format
* Similar to STIX
