02- Explaining Threat Actors and Threat Intelligence

1
Outlines

2.1- Explain Threat Actor Types and Attack Vectors

2.2- Explain Threat Intelligence Sources

Security+ (SY0-601) © netriders.academy 2

.1- Explain Threat Actor Types and Attack Vectors
2- Explain Threat Intelligence Sources

Security+ (SY0-601) © netriders.academy 3

VULNERABILITY, THREAT, AND RISK
• As part of security assessment and monitoring, security teams must identify
ways in which their systems could be attacked.
• These assessments involve vulnerabilities, threats, and risk.

Security+ (SY0-601) © netriders.academy 4

VULNERABILITY, THREAT, AND RISK (cont.)
• Vulnerability
✓is a weakness that could be triggered accidentally or exploited intentionally to cause
a security breach.
✓Examples of vulnerabilities include:
➢ Improperly configured or installed hardware or software
➢ Delays in applying and testing software and firmware patches
➢ Untested software and firmware patches
➢ The misuse of software or communication protocols
➢ Poorly designed network architecture
➢ Insecure password usage

Security+ (SY0-601) © netriders.academy 5

VULNERABILITY, THREAT, AND RISK (cont.)
• Threat
✓is the potential for someone or something to exploit a vulnerability and breach
security.
✓A threat may be intentional or unintentional.
✓The person or thing that poses the threat is called a threat actor or threat agent.
✓The path or tool used by a malicious threat actor can be referred to as the attack
vector.

• Risk
✓is the likelihood and impact (or consequence) of a threat actor exploiting a
vulnerability.
✓To assess risk, you identify a vulnerability and then evaluate the likelihood of it being
exploited by a threat and the impact that a successful exploit would have.
Security+ (SY0-601) © netriders.academy 6
ATTRIBUTES OF THREAT ACTORS
• Internal/External
✓An external threat actor or agent is one that has no account or authorized access to
the target system.
✓A malicious external threat must infiltrate the security system using malware and/or
social engineering.
✓Note that an external actor may perpetrate an attack remotely or on-premises (by
breaking into the company's headquarters, for instance).
✓It is the threat actor that is defined as external, rather than the attack method.
✓Conversely, an internal (or insider) threat actor is one that has been granted
permissions on the system.
✓This typically means an employee, but insider threat can also arise from contractors
and business partners.

Security+ (SY0-601) © netriders.academy 7

ATTRIBUTES OF THREAT ACTORS (cont.)

• Intent/Motivation
✓Intent describes what an attacker hopes to achieve from the attack, while
motivation is the attacker's reason for perpetrating the attack.
✓A malicious threat actor could be motivated by greed, curiosity, or some sort of
grievance, for instance.
✓The intent could be to vandalize and disrupt a system or to steal something.
✓Malicious intents and motivations can be contrasted with accidental or unintentional
threat actors and agents.
✓Unintentional threat actors represents accidents, oversights, and other mistakes.

Security+ (SY0-601) © netriders.academy 8

CATEGORIES OF THREAT ACTORS
• To fully assess intent and capability, it is helpful to identify different categories of
threat actors.
• Hackers
✓Hacker describes an individual who has the skills to gain access to computer systems
through unauthorized or unapproved means.
✓Originally, hacker was a neutral term for a user who excelled at computer
programming and computer system administration.
✓Hacking into a system was a sign of technical skill and creativity.
✓The terms black hat (unauthorized) and white hat (authorized) are used to
distinguish these motivations.

Security+ (SY0-601) © netriders.academy 9

CATEGORIES OF THREAT ACTORS (cont.)
• Hackers (cont.)
✓Of course, between black and white lie some shades of gray.
✓A Gray hat hacker (semi-authorized) might try to find vulnerabilities in a product or
network without seeking the approval of the owner; but they might not try to exploit
any vulnerabilities they find.
✓A gray hat might seek voluntary compensation of some sort (a bug bounty), but will
not use an exploit as extortion.
✓A white hat hacker always seeks authorization to perform penetration testing of
private and proprietary systems.

Security+ (SY0-601) © netriders.academy 10

CATEGORIES OF THREAT ACTORS (cont.)
• Script Kiddies
✓A script kiddie is someone who uses hacker tools without necessarily understanding
how they work or having the ability to craft new attacks.
✓Script kiddie attacks might have no specific target or any reasonable goal other than
gaining attention or proving technical abilities.

Security+ (SY0-601) © netriders.academy 11

CATEGORIES OF THREAT ACTORS (cont.)
• Hacker Teams and Hacktivists
✓The historical image of a hacker is that of a loner, acting as an individual with few
resources or funding.
✓While any such "lone hacker" remains a threat that must be accounted for, threat
actors are now likely to work as part of some sort of team or group.
✓The collaborative team effort means that these types of threat actors are able to
develop sophisticated tools and novel strategies.
✓A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons
to promote a political agenda.
✓Hacktivists might attempt to obtain and release confidential information to the
public domain, perform denial of service (DoS) attacks, or deface websites.

Security+ (SY0-601) © netriders.academy 12

ATE ACTORS AND ADVANCED PERSISTENT THREATS
• Most nation states have developed cybersecurity expertise and will use cyber
weapons to achieve both military and commercial goals.
• The term Advanced Persistent Threat (APT) was coined to understand the
behavior underpinning modern types of cyber adversaries.
• Rather than think in terms of systems being infected with a virus or Trojan, an
APT refers to the ongoing ability of an adversary to compromise network
security—to obtain and maintain access—using a variety of tools and techniques.
• State actors have been implicated in many attacks, particularly on energy and
health network systems.
• The goals of state actors are primarily espionage and strategic advantage, but it is
not unknown for countries—North Korea being a good example—to target
companies purely for commercial gain.

Security+ (SY0-601) © netriders.academy 13

ATTACK VECTORS
• An Attack Vector is the path that a threat actor uses to gain access to a secure
system.
• In the majority of cases, gaining access means being able to run malicious code
on the target.
✓Direct access—this is a type of physical or local attack, The threat actor could
exploit an unlocked workstation, use a boot disk to try to install malicious tools,
or steal a device, for example.
✓Removable media—the attacker conceals malware on a USB thumb drive or
memory card and tries to trick employees into connecting the media to a PC,
laptop, or smartphone, For some exploits, simply connecting the media may be
sufficient to run the malware, In many cases, the attacker may need the
employee to open a file in a vulnerable application or run a setup program.

Security+ (SY0-601) © netriders.academy 14

ATTACK VECTORS (cont.)
✓Email—the attacker sends a malicious file attachment via email, or via any other
communications system that allows attachments, The attacker needs to use social
engineering techniques to persuade or trick the user into opening the
attachment.
✓Remote and wireless—the attacker either obtains credentials for a remote access
or wireless connection to the network or cracks the security protocols used for
authentication, Alternatively, the attacker spoofs a trusted resource, such as an
access point, and uses it to perform credential harvesting and then uses the
stolen account details to access the network.

Security+ (SY0-601) © netriders.academy 15

ATTACK VECTORS (cont.)
✓Web and social media—malware may be concealed in files attached to posts or
presented as downloads, An attacker may also be able to compromise a site so
that it automatically infects vulnerable browser software (a drive-by download).
✓ Cloud—many companies now run part or all of their network services via
Internet-accessible clouds, The attacker only needs to find one account, service,
or host with weak credentials to gain access, The attacker is likely to target the
accounts used to develop services in the cloud or manage cloud systems,They
may also try to attack the cloud service provider (CSP) as a way of accessing the
victim system.

Security+ (SY0-601) © netriders.academy 16

2.1- Explain Threat Actor Types and Attack Vectors
2.2- Explain Threat Intelligence Sources

Security+ (SY0-601) © netriders.academy 17

THREAT RESEARCH SOURCES
• Threat research is a counterintelligence gathering effort in which security
companies and researchers attempt to discover the tactics, techniques, and
procedures (TTPs) of modern cyber adversaries.
• There are many companies and academic institutions engaged in primary
cybersecurity research.
• Security solution providers with firewall and anti-malware platforms derive a lot
of data from their own customers' networks.
• As they assist customers with cybersecurity operations, they are able to analyze
and publicize TTPs and their indicators.
• These organizations also operate honeynets to try to observe how hackers
interact with vulnerable systems.

Security+ (SY0-601) © netriders.academy 18

THREAT RESEARCH SOURCES (cont.)
• Another primary source of threat intelligence is the dark web.
• The deep web is any part of the World Wide Web that is not indexed by a search
engine.
• This includes pages that require registration, pages that block search indexing,
unlinked pages, pages using nonstandard DNS, and content encoded in a
nonstandard manner.
• Within the deep web, are areas that are deliberately concealed from "regular"
browser access.

Security+ (SY0-601) © netriders.academy 19

THREAT RESEARCH SOURCES (cont.)

Security+ (SY0-601) © netriders.academy 20

THREAT RESEARCH SOURCES (cont.)
• Dark net—a network established as an overlay to Internet infrastructure by
software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize
usage and prevent a third party from knowing about the existence of the network
or analyzing any activity taking place over the network, Onion routing, for
instance, uses multiple layers of encryption and relays between nodes to achieve
this anonymity.
• Dark web—sites, content, and services accessible only over a dark net, While
there are dark web search engines, many sites are hidden from them, Access to a
dark web site via its URL is often only available via "word of mouth" bulletin
boards.

Security+ (SY0-601) © netriders.academy 21

THREAT INTELLIGENCE PROVIDERS
• Threat intelligence platforms and feeds are supplied as one of three different
commercial models:
✓Closed/proprietary—the threat research is made available as a paid subscription
to a commercial threat intelligence platform.
• The security solution provider will also make the most valuable research available
early to platform subscribers in the form of blogs, white papers, and webinars.
Some examples of such platforms include:
➢ IBM X-Force Exchange (exchange.xforce.ibmcloud.com)
➢ FireEye (fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-
subscriptions.html)
➢ Recorded Future (recordedfuture.com/solutions/threat-intelligence-feeds)

Security+ (SY0-601) © netriders.academy 22

THREAT INTELLIGENCE PROVIDERS (cont.)

Security+ (SY0-601) © netriders.academy 23

THREAT INTELLIGENCE PROVIDERS (cont.)
✓Vendor websites—proprietary threat intelligence is not always provided at cost.
• All types of security, hardware, and software vendors make huge amounts of
threat research available via their websites as a general benefit to their
customers.
• One example is Microsoft's Security Intelligence blog
(microsoft.com/security/blog/microsoft-security-intelligence).

Security+ (SY0-601) © netriders.academy 24

THREAT INTELLIGENCE PROVIDERS (cont.)
✓Public/private information sharing centers—in many critical industries, have been
set up to share threat intelligence and promote best practice
(nationalisacs.org/member-isacs).
• These are sector-specific resources for companies and agencies working in critical
industries, such as power supply, financial markets, or aviation. Where there is no
coverage by an ISAC, local industry groups and associations may come together to
provide mutual support.

Security+ (SY0-601) © netriders.academy 25

THREAT INTELLIGENCE PROVIDERS (cont.)
✓Open source intelligence (OSINT)—some companies operate threat intelligence
services on an open-source basis, earning income from consultancy rather than
directly from the platform or research effort.
• Some examples include:
➢ AT&T Security, previously Alien Vault Open Threat Exchange (OTX) (otx.alienvault.com)
➢ Malware Information Sharing Project (MISP) (misp-project.org/feeds)
➢ Spamhaus (spamhaus.org/organization)
➢ VirusTotal (virustotal.com)

Security+ (SY0-601) © netriders.academy

26