1.5 Threat Actors, Vectors, and Intelligence Sources

Threat Actors

Threat actors are individuals, groups, or entities that engage in cyber activities, whether malicious or not. They are categorized by attributes such as motivation and intent, skill level, resources and funding, and whether they are internal or external to the organization.

Insiders are individuals within an organization who already have legitimate (often privileged) access to systems and data: current or former employees, contractors, or business partners. Because they start inside the perimeter and know where sensitive data lives, insider activity, whether malicious or accidental, is hard to distinguish from normal use.

Nation-state actors are government-sponsored groups that conduct cyber espionage, cyberwarfare, or cyberterrorism on behalf of a nation or state. They are typically well funded, highly sophisticated, and persistent, which is why they are commonly described as advanced persistent threats (APTs).

Hacktivists are individuals or groups who use hacking skills to promote social or political causes, often by defacing websites, disrupting online services (for example with DDoS), or leaking sensitive information.

Hackers are individuals with advanced technical skills who may hack for various purposes: security research and authorized testing (white hat), malicious activity (black hat), or probing systems without permission but also without malicious intent (gray hat). What separates the categories is authorization and intent, not skill.

Script kiddies are individuals with limited technical skill who launch attacks using pre-written scripts and tools. They lack an in-depth understanding of the underlying technology or the logic of the systems they target, but the tools they run can still cause real damage.

Organized crime groups are financially motivated and engage in cybercriminal activities such as financial fraud, ransomware attacks, identity theft, and the sale of stolen data.

Shadow IT refers to employees or departments that use unauthorized software, devices, or cloud services for work-related tasks, bypassing official IT policies and controls. The intent is usually not malicious, but the result is unmanaged systems and data that the security team has no visibility into or control over.

Competitors of a business or organization may engage in cyber activities such as corporate espionage, theft of intellectual property, or disruption of services to gain a competitive advantage.


Attack Vectors

Attack vectors are the paths or methods that cyber attackers use to gain unauthorized access to computer systems, networks, or data with the intention of exploiting vulnerabilities and carrying out malicious activities.

Wireless attack vectors allow adversaries to compromise wireless networks and gain unauthorized access to network resources.
- default login credentials on the access point let an attacker log in and modify the access point configuration
- rogue access point: an unauthorized AP connected to the network, which provides a less secure entry point
- evil twin: an attacker-controlled AP that imitates a legitimate network name; users connect to it and the attacker collects their authentication details (an on-path attack)
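The evil-twin and reconfigured-AP cases above can be checked from a wireless scan against a site-survey baseline. The following is an added example, not code from the original notes: the baseline, the scan results, and all network names and MAC addresses are constructed placeholders.

```python
# Added example (not from the original notes): flag evil-twin, reconfigured and
# unknown access points in a constructed Wi-Fi scan, against a constructed
# baseline of authorised APs. Network names and MAC addresses are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    ssid: str
    bssid: str      # AP radio MAC address
    security: str   # "WPA3", "WPA2" or "OPEN"
    channel: int


# Constructed site-survey baseline: BSSID -> (SSID, expected security mode)
AUTHORISED = {
    "aa:bb:cc:00:00:01": ("corp-wifi", "WPA2"),
    "aa:bb:cc:00:00:02": ("corp-wifi", "WPA2"),
    "aa:bb:cc:00:00:03": ("corp-guest", "WPA2"),
}


def classify_scan(scan, authorised=AUTHORISED):
    """Return {bssid: finding} for every AP that deviates from the baseline.

    evil-twin     unknown radio broadcasting one of our SSIDs: an attacker
                  impersonating the corporate network to capture credentials
                  and sit on-path
    reconfigured  a known radio whose SSID or security mode no longer matches
                  the baseline, e.g. someone used the default admin login and
                  opened the network up
    unknown       unknown radio with an SSID we do not own: a neighbour or an
                  employee-installed rogue AP; needs physical triage
    """
    our_ssids = {ssid for ssid, _ in authorised.values()}
    findings = {}
    for ap in scan:
        if ap.bssid in authorised:
            if (ap.ssid, ap.security) != authorised[ap.bssid]:
                findings[ap.bssid] = "reconfigured"
        elif ap.ssid in our_ssids:
            findings[ap.bssid] = "evil-twin"
        else:
            findings[ap.bssid] = "unknown"
    return findings


# Constructed scan output, as a wireless survey tool might export it
SCAN = [
    ApObservation("corp-wifi", "aa:bb:cc:00:00:01", "WPA2", 6),
    ApObservation("corp-wifi", "de:ad:be:ef:00:01", "OPEN", 6),       # evil twin
    ApObservation("corp-guest", "aa:bb:cc:00:00:03", "OPEN", 11),     # reconfigured
    ApObservation("free-airport-wifi", "de:ad:be:ef:00:02", "OPEN", 1),
]

if __name__ == "__main__":
    for bssid, finding in classify_scan(SCAN).items():
        print(f"{bssid}  {finding}")
```

The check keys on the BSSID because an evil twin usually has to use its own radio's MAC; an attacker who also clones the BSSID is only caught by signal strength, channel or beacon-timing differences, which are beyond this example.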

Removable media attack vectors: hardware keyloggers, or malicious software on a USB flash drive that runs when the drive is plugged into a workstation.

Other attack vectors:
- email: phishing messages, malicious attachments and links; a very common initial-access path
- supply chain: compromising a vendor, a software update, or a hardware component in order to reach its customers
- social media: fake profiles, impersonation, and personal details harvested for targeted phishing
- removable media: as above
- cloud: misconfigured storage or services, leaked API keys, and credentials reused across SaaS accounts

Threat Intelligence

Threat intelligence is information that helps organizations understand and mitigate cybersecurity threats effectively. It involves collecting, analyzing, and disseminating data about current and emerging cyber threats, vulnerabilities, and attack techniques.

Open Source Intelligence (OSINT) is publicly available information from sources like blogs, forums, social media, and news articles that may contain details about threats and vulnerabilities.

Vulnerability databases are repositories of information about known vulnerabilities. Security professionals, researchers, and organizations use them to stay informed about threats and vulnerabilities.
- Common Vulnerabilities and Exposures (CVE): one identifier per publicly disclosed vulnerability
- U.S. National Vulnerability Database (NVD): adds CVSS severity scores and affected-product (CPE) data to each CVE

Public/private information-sharing centers provide threat intelligence data to their members; some of the information exchanged may be classified.
- Cyber Threat Alliance (CTA): members upload threat intelligence data, CTA scores each submission and validates it against other members' submissions, and the result is shared across the membership
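What the NVD's CPE and CVSS data is for becomes clear when you match it against your own software inventory. This is an added example, not code from the original notes or from NVD: the feed excerpt follows the NVD 2.0 JSON layout, but the CVE IDs, vendor and product names are constructed placeholders rather than real vulnerabilities.

```python
# Added example (not from the original notes): match a software inventory
# against NVD 2.0-style JSON. The CVE IDs, vendor and product names below are
# constructed placeholders, not real vulnerabilities.
import json

NVD_SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {
        "id": "CVE-0000-0001",
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [{
            "vulnerable": True,
            "criteria": "cpe:2.3:a:examplevendor:webapp:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "2.0.0",
            "versionEndExcluding": "2.4.1"}]}]}]}},
    {"cve": {
        "id": "CVE-0000-0002",
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
        "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [{
            "vulnerable": True,
            "criteria": "cpe:2.3:a:examplevendor:webapp:1.9.0:*:*:*:*:*:*:*"}]}]}]}},
]})

# Constructed inventory: (vendor, product, version) as CPE would name them
INVENTORY = [
    ("examplevendor", "webapp", "2.3.0"),
    ("examplevendor", "webapp", "1.9.0"),
    ("othervendor", "db", "10.1"),
]


def parse_version(v):
    """'2.4.1' -> (2, 4, 1); non-numeric parts compare as 0. Tuple comparison
    then orders (2, 4) < (2, 4, 1) < (2, 10), which string comparison would not."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def cpe_matches(match, vendor, product, version):
    """Does one NVD cpeMatch entry cover this (vendor, product, version)?"""
    if not match.get("vulnerable", False):
        return False
    parts = match["criteria"].split(":")  # cpe:2.3:<part>:<vendor>:<product>:<version>:...
    if parts[3] != vendor or parts[4] != product:
        return False
    ver = parse_version(version)
    if parts[5] != "*":                   # explicit version inside the CPE string
        return ver == parse_version(parts[5])
    # Wildcard version: NVD attaches the affected range as separate fields
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and ver < parse_version(lo_inc):
        return False
    if lo_exc and ver <= parse_version(lo_exc):
        return False
    if hi_inc and ver > parse_version(hi_inc):
        return False
    if hi_exc and ver >= parse_version(hi_exc):
        return False
    return True


def affected_cves(nvd_json, inventory):
    """Return [(cve_id, severity, score, 'vendor:product:version')] for each
    inventory item covered by a vulnerable CPE match. Only OR nodes are
    handled; an AND node (vulnerable only in combination with another product)
    is treated like OR here, which over-reports rather than under-reports."""
    hits = []
    for entry in json.loads(nvd_json)["vulnerabilities"]:
        cve = entry["cve"]
        cvss = cve.get("metrics", {}).get("cvssMetricV31", [{}])[0].get("cvssData", {})
        matches = [m for cfg in cve.get("configurations", [])
                   for node in cfg["nodes"] for m in node["cpeMatch"]]
        for vendor, product, version in inventory:
            if any(cpe_matches(m, vendor, product, version) for m in matches):
                hits.append((cve["id"], cvss.get("baseSeverity"), cvss.get("baseScore"),
                             f"{vendor}:{product}:{version}"))
    return hits


if __name__ == "__main__":
    for hit in affected_cves(NVD_SAMPLE, INVENTORY):
        print(hit)
```

Version ranges are the part people get wrong: a feed that only lists explicit versions misses `2.3.0` inside a `versionStartIncluding`/`versionEndExcluding` range, and comparing version strings lexically would put `2.10` before `2.4`.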

Automated Indicator Sharing (AIS), a U.S. DHS/CISA program, aims to enhance cybersecurity collaboration and situational awareness by automating the exchange of threat indicators between organizations. Standardized formats and protocols exist for this: STIX (Structured Threat Information eXpression) describes the indicators and their context, and TAXII (Trusted Automated eXchange of Intelligence Information) is the transport used to exchange them.

Other threat intelligence sources:
- dark web intelligence: monitoring forums and markets where stolen data, credentials, and attack tools are traded
- Indicators of Compromise (IoC): artifacts such as IP addresses, domain names, file hashes, or registry keys whose presence signals an intrusion
- predictive analysis: correlating large volumes of threat data to forecast attacks before they happen
- threat maps: visualizations of attacks observed around the world in (near) real time
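The following added example, not code from the original notes, shows what the receiving side of automated indicator sharing does with a STIX 2.1 bundle: parse each indicator's pattern and match it against local events. The bundle, the events, and every ID, address and domain in them are constructed placeholders; in practice the bundle would be pulled from a TAXII collection, a transport not shown here. Only the subset of STIX patterning used by the sample indicators (equality comparisons joined by AND/OR) is implemented.

```python
# Added example (not from the original notes): match STIX 2.1 indicators from a
# constructed bundle against constructed proxy/EDR events. IDs, addresses and
# domains are placeholders; the hash is SHA-256 of empty input, used as a stand-in.
import json
import re

STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--2f0b9c2e-1f2a-4c3d-8e5f-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--2f0b9c2e-1f2a-4c3d-8e5f-000000000002",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "valid_from": "2024-01-01T00:00:00Z", "name": "C2 beacon address",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--2f0b9c2e-1f2a-4c3d-8e5f-000000000003",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "valid_from": "2024-01-01T00:00:00Z", "name": "Phishing kit domains",
         "pattern": "[domain-name:value = 'update.example.net' OR domain-name:value = 'cdn.example.org']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--2f0b9c2e-1f2a-4c3d-8e5f-000000000004",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "valid_from": "2024-01-01T00:00:00Z", "name": "Dropper",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' AND file:name = 'dropper.exe']"},
    ]})

# Constructed local events: two proxy records and two EDR file records plus one benign proxy record
EVENTS = [
    {"src": "10.0.0.5", "dst_ip": "198.51.100.7"},
    {"src": "10.0.0.6", "dst_ip": "203.0.113.9", "host": "cdn.example.org"},
    {"src": "10.0.0.7", "file": "dropper.exe",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"src": "10.0.0.7", "file": "notes.txt",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"src": "10.0.0.8", "dst_ip": "203.0.113.10", "host": "www.example.com"},
]

# Which event field carries which STIX object path (mapping chosen for this example)
FIELD_TO_PATH = {"dst_ip": "ipv4-addr:value", "host": "domain-name:value",
                 "file": "file:name", "sha256": "file:hashes.SHA-256"}

# object path (quoted segments allowed, e.g. hashes.'SHA-256'), '=', quoted value
COMPARISON = re.compile(
    r"([\w-]+:(?:[\w-]+|'[^']*')(?:\.(?:[\w-]+|'[^']*'))*)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Parse one observation expression '[ ... ]' of equality comparisons joined
    by AND / OR into disjunctive normal form: [[(object_path, value), ...], ...].
    AND is taken to bind tighter than OR; parentheses, other operators and the
    temporal qualifiers (FOLLOWEDBY, WITHIN, ...) are rejected, not ignored."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("unsupported pattern: " + pattern)
    dnf = []
    for clause in re.split(r"\s+OR\s+", body[1:-1]):
        terms = []
        for term in re.split(r"\s+AND\s+", clause):
            m = COMPARISON.fullmatch(term.strip())
            if not m:
                raise ValueError("unsupported comparison: " + term)
            terms.append((m.group(1).replace("'", ""), m.group(2).lower()))
        dnf.append(terms)
    return dnf


def observables(event):
    """Map event fields onto STIX object paths, lower-cased for case-insensitive
    matching of hashes, domain names and Windows file names."""
    return {path: event[field].lower() for field, path in FIELD_TO_PATH.items() if event.get(field)}


def match_indicators(bundle_json, events):
    """Return (event_index, indicator_id, indicator_name) for each event that
    satisfies at least one clause of an indicator's pattern."""
    indicators = [o for o in json.loads(bundle_json)["objects"]
                  if o["type"] == "indicator" and o.get("pattern_type", "stix") == "stix"]
    compiled = [(ind, parse_pattern(ind["pattern"])) for ind in indicators]
    hits = []
    for i, event in enumerate(events):
        obs = observables(event)
        for ind, dnf in compiled:
            if any(all(obs.get(path) == value for path, value in clause) for clause in dnf):
                hits.append((i, ind["id"], ind["name"]))
    return hits


if __name__ == "__main__":
    for hit in match_indicators(STIX_BUNDLE, EVENTS):
        print(hit)
```

The fourth event carries the same hash as the "Dropper" indicator but a different file name, so the AND clause correctly does not fire; the last event matches nothing. Splitting on the literal words OR and AND would misparse a pattern whose quoted value contains those words, which is one reason real deployments use a full STIX pattern parser.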


Threat Research

The primary goal of threat research is to enhance an organization's cybersecurity posture by providing actionable insights and intelligence to detect, mitigate, and prevent cyber threats effectively.

Sources a security team uses to research threats:
- vendor websites and security advisories
- conferences
- vulnerability feeds
- academic journals
- social media
- local industry groups
- Requests for Comments (RFCs), which document how protocols are meant to work and often discuss their security considerations

TTP (tactics, techniques, and procedures) describes the behavior of a threat actor: a structured way of recording how an attack is carried out so that defenders can recognize and detect it. Tactics are the "why" of an action, the adversary's goal at that stage of the attack (for example credential access or execution). Techniques are the "how", the method used to achieve that tactical goal. Procedures are the specific implementation of a technique observed for a particular actor or campaign. MITRE ATT&CK is the most widely used catalog of tactics and techniques and is the usual vocabulary for TTP-based detection.
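Detection logic is normally written against techniques and labelled with the tactic they serve, so an alert carries both the "how" and the "why". The following is an added example, not code from the original notes: two simple detections run over constructed Windows-style log lines, each alert tagged with the ATT&CK technique and tactic it evidences. The log format, host names, users and addresses are made up; the ATT&CK identifiers are the real ones for Brute Force and for PowerShell execution.

```python
# Added example (not from the original notes): two TTP-based detections over
# constructed log lines, each alert tagged with the ATT&CK technique ("how")
# and tactic ("why"). Log format, hosts, users and addresses are made up.
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

ATTACK = {  # technique id -> (technique name, tactic id, tactic name)
    "T1110": ("Brute Force", "TA0006", "Credential Access"),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", "TA0002", "Execution"),
}

# Constructed log lines: timestamp followed by key=value pairs (4625 = failed
# logon, 4624 = successful logon, 4688 = process creation). "SQBFAFgA" is
# base64 of the UTF-16LE string "IEX", a harmless stand-in for an encoded command.
LOGS = [
    "2024-05-01T08:00:01 host=WS01 event=4625 user=jsmith src=10.0.0.23 status=failed",
    "2024-05-01T08:00:02 host=WS01 event=4625 user=jsmith src=10.0.0.23 status=failed",
    "2024-05-01T08:00:03 host=WS01 event=4625 user=jsmith src=10.0.0.23 status=failed",
    "2024-05-01T08:00:04 host=WS01 event=4625 user=jsmith src=10.0.0.23 status=failed",
    "2024-05-01T08:00:05 host=WS01 event=4625 user=jsmith src=10.0.0.23 status=failed",
    "2024-05-01T08:00:09 host=WS01 event=4624 user=jsmith src=10.0.0.23 status=success",
    "2024-05-01T08:00:30 host=WS01 event=4625 user=admin src=10.0.0.77 status=failed",
    r'2024-05-01T08:01:10 host=WS01 event=4688 user=jsmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    r'2024-05-01T08:01:20 host=WS01 event=4688 user=jsmith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def parse_line(line):
    ts, rest = line.split(" ", 1)
    event = {k: v.strip('"') for k, v in KV.findall(rest)}
    event["ts"] = datetime.fromisoformat(ts)
    return event


def alert(technique, evidence):
    name, tactic_id, tactic = ATTACK[technique]
    return {"technique": technique, "name": name, "tactic": tactic_id,
            "tactic_name": tactic, "evidence": evidence}


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """T1110: repeated failed logons for one (source, user) inside the window;
    a later success for the same pair is raised separately as the worse case."""
    alerts, failures = [], defaultdict(list)
    for ev in events:
        key = (ev.get("src"), ev.get("user"))
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev.get("event") == "4625":
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) == threshold:
                alerts.append(alert("T1110", f"{threshold} failed logons for {key[1]} from {key[0]} within {window}"))
        elif ev.get("event") == "4624" and len(recent) >= threshold:
            alerts.append(alert("T1110", f"logon for {key[1]} from {key[0]} succeeded after {len(recent)} failures"))
            failures[key] = []
    return alerts


def detect_encoded_powershell(events):
    """T1059.001: PowerShell started with an encoded command; the payload is
    decoded (UTF-16LE, as PowerShell expects) so the analyst sees what ran."""
    alerts = []
    for ev in events:
        if ev.get("event") != "4688":
            continue
        if not ev.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        m = ENCODED.search(ev.get("cmdline", ""))
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
        except ValueError:
            decoded = "<undecodable>"
        alerts.append(alert("T1059.001", f"encoded PowerShell on {ev.get('host')} by {ev.get('user')}: {decoded!r}"))
    return alerts


def run_detections(lines):
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    return detect_brute_force(events) + detect_encoded_powershell(events)


if __name__ == "__main__":
    for a in run_detections(LOGS):
        print(f"{a['technique']} ({a['tactic']} {a['tactic_name']}): {a['evidence']}")
```

The single failure for `admin` stays below the threshold and the notepad process creation is ignored, so the constructed logs produce two Credential Access alerts and one Execution alert. The procedure level of TTP is what the evidence string captures: this particular actor used `-enc` with a hidden window, which is the detail a threat report would record.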

Threat feeds:
- U.S. Department of Homeland Security
- U.S. Federal Bureau of Investigation
- SANS Internet Storm Center
- VirusTotal Intelligence
- Google and Facebook correlation
