Cybersecurity Lesson 2: Threat Types

Questions and Answers

Which of the following is NOT a common motivation for threat actors?

  • Chaotic motivations
  • Environmental motivations (correct)
  • Political motivations
  • Financial motivations

What is a common tactic used by nation-state actors to gain an advantage?

  • Using open-source intelligence to gather information
  • Launching phishing attacks to steal financial data
  • Deploying ransomware to disrupt critical infrastructure
  • Exploiting vulnerabilities in software to gain remote access and exfiltrate data (correct)

What is the main characteristic that differentiates a 'lone hacker' from a 'script kiddie'?

  • Access to resources
  • Level of technical expertise (correct)
  • Experience
  • Motivation

Which of the following is a unique characteristic of an Advanced Persistent Threat (APT)?

Answer: The ability to remain undetected for extended periods (D)

What is the difference between an internal and external threat?

Answer: Internal threats originate from within an organization, while external threats originate from outside the organization. (B)

How do 'hacktivists' differ from 'lone hackers'?

Answer: Hacktivists are motivated by political or social causes, while 'lone hackers' are motivated by personal gain. (A)

Which of the following is NOT a common strategy employed by threat actors?

Answer: Physical destruction (A)

What is the primary goal of a 'whistleblower' as a threat actor?

Answer: To expose illegal or unethical activities within an organization. (D)

What is one primary motivation for organized crime to engage in cyber activities?

Answer: To generate financial profits (D)

What is considered a 'shadow IT' threat within an organization?

Answer: The use of personal devices for work purposes without proper security oversight (C)

What is the primary difference between a malicious internal threat and an unintentional insider threat?

Answer: The intent and knowledge of the threat actor regarding their actions (B)

Which of the following is NOT a potential motivation for a threat actor?

Answer: Service disruption (A)

Which type of actor would be most likely to use a combination of cyber espionage and disinformation tactics?

Answer: Competitors (C)

What is the main characteristic that defines the attack surface of an organization?

Answer: The points where an attacker can discover or exploit vulnerabilities within the organization (C)

Which of these is NOT a category of threat vector?

Answer: User interface (C)

What is the primary reason why organizations face challenges in patching vulnerable software?

Answer: The complexity and time-consuming nature of patching processes (B)

What social engineering technique involves impersonating someone else to gain access to information or systems?

Answer: Impersonation (C)

What social engineering technique involves exploiting situations where identity proofing is difficult?

Answer: Pretexting (A)

What type of social engineering attack primarily targets individuals within specific organizations?

Answer: Business email compromise (A)

Which of the following is NOT a passive social engineering technique?

Answer: Vishing (C)

What type of attack involves compromising a third-party site that the target frequently visits?

Answer: Watering hole attack (C)

Which of the following social engineering tactics involves using text messages to deceive users?

Answer: SMiShing (B)

Which social engineering technique involves creating convincing fake messages and websites to impersonate a brand or organization?

Answer: Brand impersonation and disinformation (C)

Which of the following is NOT a common social engineering tactic used in a business email compromise attack?

Answer: Creating fake websites that look like legitimate ones (C)

What is the primary characteristic of a 'Lure-based Vector' attack?

Answer: Offering enticing content to trick the victim into action (C)

Which of the following is NOT a common network vector for attackers?

Answer: Sending a malicious email with a phishing link (D)

Which of the following is a key aspect of a supply chain attack surface?

Answer: Exploiting vulnerabilities in the design, manufacturing, or distribution process (C)

What is the difference between 'remote' and 'local' exploit techniques in the context of network vectors?

Answer: Remote techniques exploit vulnerabilities from a distance, while local techniques require direct physical access to the target system. (A)

What is the key difference between a 'Trojan Horse' malware and a document file with a malicious macro?

Answer: A Trojan Horse masks as a legitimate program, while a malicious macro is hidden within a document. (A)

Which of the following BEST describes the role of 'default credentials' in network security?

Answer: They are often used by attackers to gain unauthorized access to devices. (D)

What is the main function of a 'vulnerability scanner' in a network security context?

Answer: To proactively identify security vulnerabilities in software and systems. (A)

Which of these is NOT a common method for malicious actors to deliver malware through 'message-based vectors'?

Answer: Exploiting vulnerabilities in the network infrastructure to spread malware. (A)

Flashcards

Organized Crime

Criminal groups operating across legal jurisdictions motivated by profit.

Competitors in Cybersecurity

Actors engaging in cyber espionage, disinformation, and insider threats.

Malicious Internal Threat

Authorized individuals who exploit access for sabotage or gain.

Unintentional Insider Threat

Individuals who pose risk due to ignorance or poor practices.

Threat Actor Attributes

Characteristics defining threat actors, including sophistication and motivation.

Attack Surface

All points in an organization where vulnerabilities can be exploited.

Threat Vectors

Methods used by attackers to exploit vulnerabilities in systems.

Vulnerable Software

Software that contains faults and is difficult to patch or support.

Threat Actor

An individual or group that poses a potential threat by exploiting vulnerabilities.

Internal Threat

Threats originating from individuals within an organization who have authorized access.

High Capability Actors

Threat actors who possess advanced skills to develop new attacks, often with significant resources.

Opportunistic Attack

An attack that targets vulnerabilities as they arise, often without a specific agenda.

Script Kiddies

Unskilled hackers who use existing tools to launch attacks without understanding the underlying technology.

Advanced Persistent Threat (APT)

A prolonged and targeted cyberattack where an attacker gains access to a network and remains undetected.

Financial Motivation

A reason for cybercrime that involves monetary gain, such as through blackmail or fraud.

Hacktivist

An individual or group that uses hacking to promote political agendas or social change.

Agentless

Characteristic of automated vulnerability scanners that do not require an agent to be installed on the scanned host.

Network Vectors

Techniques for exploiting vulnerabilities through network access, including local and remote methods.

Lure-based Vectors

Techniques that entice targets into exposing themselves, like using bait or malicious files.

Supply Chain Attack Surface

The entire process from design to distribution that can be exploited by attackers.

Default Credentials

Factory-set usernames and passwords that are easily exploitable if not changed.

Trojan Horse Malware

Malicious software disguised as legitimate software, tricking users into execution.

Message-based Vectors

Methods of exploitation using communication channels like email or social media.

Open Service Port

Network ports that are accessible and can be exploited if not properly secured.

Social Engineering

Manipulating people to divulge confidential information or perform actions that compromise security.

Impersonation

Pretending to be someone else to gain information or access.

Pretexting

Creating a scenario to obtain information by exploiting trust in identity.

Phishing

Tricking a target into using a malicious resource by masquerading as a legitimate source.

Vishing

Phishing conducted over voice communication, often via phone calls.

SMiShing

Phishing attacks executed through SMS text messaging.

Typosquatting

Creating similar domain names to mislead users to a malicious site.

Business Email Compromise

Targeted attack that phishes specific individuals by impersonating trusted contacts such as colleagues, partners, or vendors.

Study Notes

Lesson 2: Comparing Threat Types

  • This lesson covers different threat actors, their attributes, motivations, and associated attack vectors and surfaces.
  • Objectives include comparing and contrasting threat actor attributes and motivations, as well as explaining common threat vectors and attack surfaces.
  • A vulnerability, threat, and risk model explains how these factors relate to risk calculation.

Topic 2A: Threat Actors

  • Threat actors can be categorized in many ways: by whether the threat and its adversary behaviors are known or unknown, and by whether the actor is internal or external.
  • Internal threats already hold authorized access. What matters is this attribute of the actor, not the location the attack is launched from.
  • Sophistication level determines the tools used. Low-capability actors rely on readily available tools, while high-capability actors can develop new attacks, often against political or military assets.

Motivations of Threat Actors

  • Threat actors can be motivated by malicious intent (targeted attacks) or opportunism (opportunistic attacks). Accidental/unintentional actions are also possibilities.
  • Strategies include service disruption, data exfiltration, and disinformation.
  • Motivations include chaotic actions (e.g., vandalism), financial gain (e.g., blackmail, extortion, and fraud), and political motivations (e.g., whistleblowers, campaigns, nation-state actors).

Hackers and Hacktivists

  • "Lone Hacker" types include white hats (ethical hackers) and black hats (malicious hackers).
  • Categories exist for authorized vs. non-authorized attackers.
  • Unskilled attackers may use "script kiddie" tactics.

Nation-State Actors and Advanced Persistent Threats (APTs)

  • Nation-state actors, attached to military/secret services, have a high capability level.
  • APTs are known for espionage and strategic advantage, with deniability and false flag operations as common methods.

Organized Crime and Competitors

  • Organized crime often operates across legal jurisdictions and is motivated by criminal profit.
  • They can be well-resourced and funded.
  • Cyber espionage and disinformation are common activities; competitors can combine with insider threats.

Internal Threat Actors

  • Malicious insiders have authorized access and can cause sabotage, financial loss, or business advantage.
  • Unintentional insider threats stem from weak policies/procedures, lack of training, or shadow IT.

Topic 2B: Attack Surface

  • Attack surfaces are areas where attackers can discover and exploit vulnerabilities in physical, network, application, and human systems.
  • Attack surfaces can span broad organization scopes or be narrowed to a single system.
  • High-capability actors can expand attack surfaces by developing novel attack vectors.

Vulnerable Software Vectors

  • Vulnerabilities in software (faulty code/design issues or delayed patching) are common attack entry points.
  • Unsupported systems and applications often lack updates/security patches.
  • Vulnerability scanners differ in how they operate, for example agent-based scanners versus agentless (client-based) scanners.

Network Vectors

  • Exploits can target remote or local network systems.
  • Weaknesses in confidentiality, integrity, or availability controls create exploitable gaps.
  • Physical (wired) and wireless network access, cloud services, Bluetooth, default credentials, and open ports are common vulnerabilities in networks.

Lure-based Vectors

  • Lure-based vectors entice victims into opening malicious files (executables, Trojan horses), into opening documents that carry macros or scripts, or into opening crafted image files.

Message-based Vectors

  • Attack vectors such as email, SMS, IM, web/social media, and voice calls can all be used to spread malicious content.

Supply Chain Attack Surface

  • Supply chain attack surfaces encompass the entire process of designing, manufacturing, and distributing goods and services.
  • Procurement management, suppliers, vendors, and business partners impact the overall complexity of supply chains.
  • Effective defense strategies must account for the potential for threat actors to leverage supply chain access points.

Review Activity: Attack Surface (Summary)

  • Attack vectors and attack surfaces must be considered for all of these topics.

Review Activity: Threat Actors (Summary)

  • Identifying different threat actors, their attributes, and motivations is essential to develop an effective security strategy.

Topic 2C: Social Engineering

  • "Hacking the human" is a core social engineering principle.
  • Purposes of social engineering include reconnaissance, eliciting information, and gaining unauthorized access.

Human Vectors

  • Social engineering techniques can be used to persuade targets to take actions, such as opening malicious files.
  • Tactics include contacting help desks, gaining physical access to premises, and installing monitoring devices.

Impersonation and Pretexting

  • Impersonation means pretending to be someone else, backed by persuasion techniques.
  • Pretexting exploits situations where identity verification is not robust, or is used to elicit additional information.

Phishing and Pharming

  • Phishing techniques trick users into entering credentials on fraudulent websites.
  • Phishing takes advantage of trusted communications and websites.
  • Vishing and SMiShing use voice calls and text messages to conduct phishing schemes respectively.
  • Pharming redirects users to fake websites via DNS spoofing.

Typosquatting

  • Typosquatting makes phishing messages more convincing by registering look-alike domain names that resemble trusted websites.
  • It is frequently combined with email spoofing, including tactics that confuse the From field.

Business Email Compromise

  • Targets are often specific individuals within a company.
  • Posing as colleagues, business partners, or vendors creates trust and enables the threat actor to gain entry.
  • Brand impersonation, disinformation, and watering hole attacks leverage fake websites and correspondence.

Review Activity: Social Engineering (Summary)

  • Social engineering techniques are used to exploit human vulnerabilities, focusing on impersonation, pretexting, phishing, and pharming to manipulate users into divulging information or executing malicious tasks.
  • These techniques may include typosquatting and business email compromise.

Lab Activity (Multiple)

  • Lab activities are designed for practical application, such as finding open service ports and using tools to demonstrate social engineering techniques.
