CompTIA Security+ (SY0-701) Section 3.pdf
CompTIA Security+ (SY0-701) (Study Notes)
https://www.DionTraining.com

Threat Actors

Objectives:
● 1.2 - Summarize fundamental security concepts
● 2.1 - Compare and contrast common threat actors and motivations
● 2.2 - Explain common threat vectors and attack surfaces

● Threat Actors
  ○ Threat Actor Motivations
    ■ Data Exfiltration
    ■ Blackmail
    ■ Espionage
    ■ Service Disruption
    ■ Financial Gain
    ■ Philosophical/Political Beliefs
    ■ Ethical Reasons
    ■ Revenge
    ■ Disruption/Chaos
    ■ War
  ○ Threat Actor Attributes
    ■ Internal vs. External Threat Actors
    ■ Differences in resources and funding
    ■ Level of sophistication
  ○ Types of Threat Actors
    ■ Unskilled Attackers
      ● Limited technical expertise, use readily available tools
    ■ Hacktivists
      ● Driven by political, social, or environmental ideologies
    ■ Organized Crime
      ● Execute cyberattacks for financial gain (e.g., ransomware, identity theft)
    ■ Nation-state Actor
      ● Highly skilled attackers sponsored by governments for cyber espionage or warfare
    ■ Insider Threats
      ● Security threats originating from within the organization
  ○ Shadow IT
    ■ IT systems, devices, software, or services managed without explicit organizational approval
  ○ Threat Vectors and Attack Surfaces
    ■ Message-based
    ■ Image-based
    ■ File-based
    ■ Voice Calls
    ■ Removable Devices
    ■ Unsecured Networks
  ○ Deception and Disruption Technologies
    ■ Honeypots
      ● Decoy systems to attract and deceive attackers
    ■ Honeynets
      ● Network of decoy systems for observing complex attacks
    ■ Honeyfiles
      ● Decoy files to detect unauthorized access or data breaches
    ■ Honeytokens
      ● Fake data to alert administrators when accessed or used

● Threat Actor Motivations
  ○ There is a difference between the intent of the attack and the motivation that fuels that attack
    ■ Threat Actor's Intent
      ● Specific objective or goal that a threat actor is aiming to achieve through their attack
    ■ Threat Actor's Motivation
      ● Underlying reasons or driving forces that push a threat actor to carry out their attack
  ○ Different motivations behind threat actors
    ■ Data Exfiltration
      ● Unauthorized transfer of data from a computer
    ■ Financial Gain
      ● Achieved through various means, such as ransomware attacks, or through banking trojans that let the attacker steal financial information in order to gain unauthorized access to the victims' bank accounts
    ■ Blackmail
      ● Attacker obtains sensitive or compromising information about an individual or an organization and threatens to release this information to the public unless certain demands are met
    ■ Service Disruption
      ● Some threat actors aim to disrupt the services of various organizations, either to cause chaos, make a political statement, or demand a ransom
    ■ Philosophical or Political Beliefs
      ● Attacks conducted because of the philosophical or political beliefs of the attackers are known as hacktivism
      ● Common motivation for a specific type of threat actor known as a hacktivist
    ■ Ethical Reasons
      ● Contrary to malicious threat actors, ethical hackers, also known as authorized hackers, are motivated by a desire to improve security
    ■ Revenge
      ● Can also be a motivation for a threat actor that wants to target an entity they believe has wronged them in some way
    ■ Disruption or Chaos
      ● Ranges from creating and spreading malware to launching sophisticated cyberattacks against the critical infrastructure of a populated city
    ■ Espionage
      ● Spying on individuals, organizations, or nations to gather sensitive or classified information
    ■ War
      ● Cyber warfare can be used to disrupt a country's infrastructure, compromise its national security, and cause economic damage

● Threat Actor Attributes
  ○ 2 most basic attributes of a threat actor
    ■ Internal Threat Actors
      ● Individuals or entities within an organization who pose a threat to its security
    ■ External Threat Actors
      ● Individuals or groups outside an organization who attempt to breach its cybersecurity defenses
  ○ Resources and funding available to the specific threat actor
    ■ Tools, skills, and personnel at the disposal of a given threat actor
  ○ Level of sophistication and capability of the specific threat actor
    ■ Refers to their technical skill, the complexity of the tools and techniques they use, and their ability to evade detection and countermeasures
    ■ In the world of cybersecurity, we usually classify the lowest-skilled threat actors as "script kiddies"
      ● Script Kiddie
        ○ Individual with limited technical knowledge
        ○ Uses pre-made software or scripts to exploit computer systems and networks
    ■ Nation-state actors, Advanced Persistent Threats, and others have high levels of sophistication and capability and possess advanced technical skills
      ● Use sophisticated tools and techniques

● Unskilled Attackers
  ○ Unskilled Attacker (Script Kiddie)
    ■ Individual who lacks the technical knowledge to develop their own hacking tools or exploits
    ■ These low-skilled threat actors need to rely on scripts and programs that have been developed by others
  ○ How do these unskilled attackers cause damage?
    ■ One way is to launch a DDoS attack
    ■ An unskilled attacker can simply enter the IP address of the system they want to target, and then click a button to launch an attack against that target

● Hacktivists
  ○ Hacktivists
    ■ Individuals or groups that use their technical skills to promote a cause or drive social change instead of for personal gain
  ○ Hacktivism
    ■ Activities in which hacking and other cyber techniques are used to promote or advance a political or social cause
  ○ To accomplish their objectives, hacktivists use a wide range of techniques
    ■ Website Defacement
      ● Form of electronic graffiti, usually treated as an act of vandalism
    ■ Distributed Denial of Service (DDoS) Attacks
      ● Attempting to overwhelm the victim's systems or networks so that they cannot be accessed by the organization's legitimate users
    ■ Doxing
      ● Involves the public release of private information about an individual or organization
    ■ Leaking of Sensitive Data
      ● Releasing sensitive data to the public at large over the internet
  ○ Hacktivists are primarily motivated by their ideological beliefs rather than by financial gain
  ○ One of the most well-known hacktivist groups is "Anonymous"
    ■ Anonymous
      ● Loosely affiliated collective that has been involved in numerous high-profile attacks over the years, targeting organizations that they perceive as acting unethically or against the public interest at large

● Organized Crime
  ○ Organized cybercrime groups are groups or syndicates that have banded together to conduct criminal activities in the digital world
    ■ Sophisticated and well structured
    ■ Use resources and technical skills for illicit gain
  ○ In terms of their technical capabilities, organized crime groups possess a very high level of technical capability, and they often employ advanced hacking techniques and tools
    ■ Custom Malware
    ■ Ransomware
    ■ Sophisticated Phishing Campaigns
  ○ These criminal groups engage in a variety of illicit activities to generate revenue for their members
    ■ Data Breaches
    ■ Identity Theft
    ■ Online Fraud
    ■ Ransomware Attacks
  ○ Unlike hacktivists or nation-state actors, organized cybercrime groups are not typically driven by ideological or political objectives
    ■ These groups may be hired by other entities, including governments, to conduct cyber operations and attacks on their behalf
    ■ Money, not other motivations, is the objective of their attacks, even if the attack takes place in the political sphere

● Nation-state Actor
  ○ Nation-state Actor
    ■ Groups or individuals that are sponsored by a government to conduct cyber operations against other nations, organizations, or individuals
  ○ Sometimes, these threat actors attempt what is known as a false flag attack
    ■ False Flag Attack
      ● Attack that is orchestrated in such a way that it appears to originate from a different source or group than the actual perpetrators, with the intent to mislead investigators and attribute the attack to someone else
  ○ Nation-state actors possess advanced technical skills and extensive resources, and they are capable of conducting complex, coordinated cyber operations that employ a variety of techniques, such as
    ■ Creating custom malware
    ■ Using zero-day exploits
    ■ Becoming an advanced persistent threat
  ○ Advanced Persistent Threat (APT)
    ■ Term that used to be used synonymously with a nation-state actor because of their long-term persistence and stealth
    ■ A prolonged and targeted cyberattack in which an intruder gains unauthorized access to a network and remains undetected for an extended period while trying to steal data or monitor network activities rather than cause immediate damage
    ■ These advanced persistent threats are often sponsored by a nation-state or its proxies, like organized cybercrime groups
  ○ What motivates a nation-state actor?
    ■ Nation-state actors are motivated to achieve their long-term strategic goals, and they are not seeking financial gain

● Insider Threats
  ○ Insider Threats
    ■ Cybersecurity threats that originate from within the organization
    ■ Will have varying levels of capabilities
  ○ Insider threats can take various forms
    ■ Data Theft
    ■ Sabotage
    ■ Misuse of access privileges
  ○ Each insider threat is driven by different motivations
    ■ Some are driven by financial gain and want to profit from the sale of sensitive organizational data to others
    ■ Some may be motivated by revenge and aim to harm the organization because of some perceived wrong done to the insider
    ■ Some may take actions as a result of carelessness or a lack of awareness of cybersecurity best practices
  ○ Remember
    ■ Insider threat refers to the potential risk posed by individuals within an organization who have access to sensitive information and systems, and who may misuse this access for malicious or unintended purposes
    ■ To mitigate the risk of an insider threat being successful, organizations should implement the following
      ● Zero-trust architecture
      ● Robust access controls
      ● Regular audits
      ● Effective employee security awareness programs

● Shadow IT
  ○ Shadow IT
    ■ Use of information technology systems, devices, software, applications, and services without explicit organizational approval
    ■ IT-related projects that are managed outside of, and without the knowledge of, the IT department
  ○ Why does Shadow IT exist?
    ■ An organization's security posture is set too high or is too complex for business operations to occur without being negatively affected
  ○ Bring Your Own Device (BYOD)
    ■ Involves the use of personal devices for work purposes

● Threat Vectors and Attack Surfaces
  ○ Threat Vector
    ■ Means or pathway by which an attacker can gain unauthorized access to a computer or network to deliver a malicious payload or carry out an unwanted action
  ○ Attack Surface
    ■ Encompasses all the various points where an unauthorized user can try to enter data into or extract data from an environment
    ■ Can be minimized by
      ● Restricting access
      ● Removing unnecessary software
      ● Disabling unused protocols
  ○ Think of the threat vector as the "how" of an attack, whereas the attack surface is the "where" of the attack
  ○ Several different threat vectors could be used to attack your enterprise networks
    ■ Messages
      ● Message-based threat vectors include threats delivered via email, Short Message Service (SMS text messaging), or other forms of instant messaging
      ● Phishing campaigns are commonly used as part of a message-based threat vector, where an attacker impersonates a trusted entity to trick victims into revealing their sensitive information to the attacker
    ■ Images
      ● Image-based threat vectors involve the embedding of malicious code inside an image file by the threat actor
    ■ Files
      ● The files, often disguised as legitimate documents or software, can be transferred as email attachments, through file-sharing services, or hosted on a malicious website
    ■ Voice Calls
      ● Vishing
        ○ Use of voice calls to trick victims into revealing their sensitive information to an attacker
    ■ Removable Devices
      ● One common technique used with removable devices is known as baiting
        ○ Baiting
          ■ Attacker might leave a malware-infected USB drive in a location where their target might find it, such as the parking lot or the lobby of the targeted organization
    ■ Unsecure Networks
      ● Unsecure networks include wireless, wired, and Bluetooth networks that lack the appropriate security measures to protect them
      ● If wireless networks are not properly secured, unauthorized individuals can intercept the wireless communications or gain access to the network
      ● Wired networks tend to be more secure than wireless networks, but they are still not immune to threats
        ○ Physical access to the network infrastructure can lead to various attacks
          ■ MAC Address Cloning
          ■ VLAN Hopping
      ● By exploiting vulnerabilities in the Bluetooth protocol, an attacker can carry out attacks using techniques like the BlueBorne or BlueSmack exploits
        ○ BlueBorne
          ■ Set of vulnerabilities in Bluetooth technology that can allow an attacker to take over devices, spread malware, or even establish an on-path attack to intercept communications without any user interaction
        ○ BlueSmack
          ■ Type of Denial of Service attack that targets Bluetooth-enabled devices by sending a specially crafted Logical Link Control and Adaptation Protocol packet to a target device

● Outsmarting Threat Actors
  ○ One of the most effective ways to learn from the different threat actors attacking your network is to set up and utilize deception and disruption technologies
  ○ Tactics, Techniques, and Procedures (TTPs)
    ■ Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors
  ○ Deception and Disruption Technologies
    ■ Technologies designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats
    ■ Honeypots
      ● Decoy system or network set up to attract potential hackers
    ■ Honeynets
      ● Network of honeypots that creates a more complex system designed to mimic an entire network of systems
        ○ Servers
        ○ Routers
        ○ Switches
    ■ Honeyfiles
      ● Decoy file placed within a system to lure in potential attackers
    ■ Honeytokens
      ● Piece of data or a resource that has no legitimate value or use but is monitored for access or use
  ○ Some disruption technologies and strategies to help secure our enterprise networks
    ■ Bogus DNS entries
      ● Fake Domain Name System entries introduced into your system's DNS server
    ■ Creating decoy directories
      ● Fake folders and files placed within a system's storage
    ■ Dynamic page generation
      ● Effective against automated scraping tools or bots trying to index or steal content from your organization's website
    ■ Use of port triggering to hide services
      ● Port Triggering
        ○ Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected
    ■ Spoofing fake telemetry data
      ● When a system detects that a network scan is being attempted by an attacker, it can be configured to respond by sending out fake telemetry or network data
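The honeytoken, honeyfile and bogus DNS entry decoys described above only pay off if something watches for them. The following detector is an added example (not code from the study notes): it scans log lines and raises an alert whenever a planted decoy is touched. The decoy values, the three log formats and the sample log lines are all constructed for the demo.

```python
# Added example (not from the study notes): flag hits on planted decoys
# (honeytokens, honeyfiles, bogus DNS names) in constructed sample log lines.
import re
from dataclasses import dataclass

# Decoys planted in the environment. None has a legitimate use, so any
# appearance in a log is a high-confidence sign of unauthorized activity.
HONEYTOKENS = {"hny_api_key_4f9e1c00decoy"}           # fake credential (constructed)
HONEYFILES = {"/srv/finance/decoy/payroll_2024.xlsx"}  # decoy file (constructed)
BOGUS_DNS = {"backup-db01.corp.example"}               # bogus DNS name (constructed)

# Regexes for the three constructed log formats this demo understands.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) key=(?P<key>\S+)")
FILE_RE = re.compile(r"^(?P<ts>\S+) fileaudit user=(?P<user>\S+) path=(?P<path>\S+)")
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<src>\S+) query=(?P<name>\S+)")

@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str   # "honeytoken", "honeyfile" or "bogus_dns"
    actor: str  # source address or user that touched the decoy
    decoy: str  # which decoy was hit

def check_line(line: str):
    """Return an Alert if the log line touches a planted decoy, else None."""
    if (m := AUTH_RE.match(line)) and m["key"] in HONEYTOKENS:
        return Alert(m["ts"], "honeytoken", m["src"], m["key"])
    if (m := FILE_RE.match(line)) and m["path"] in HONEYFILES:
        return Alert(m["ts"], "honeyfile", m["user"], m["path"])
    if (m := DNS_RE.match(line)) and m["name"] in BOGUS_DNS:
        return Alert(m["ts"], "bogus_dns", m["src"], m["name"])
    return None

def scan(lines):
    """Scan log lines and collect every decoy hit, ignoring normal traffic."""
    return [a for a in map(check_line, lines) if a is not None]

# Constructed sample log: normal events interleaved with three decoy hits.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth src=10.0.0.5 key=prod_key_1a2b3c
2024-05-01T09:02:17Z auth src=203.0.113.9 key=hny_api_key_4f9e1c00decoy
2024-05-01T09:03:44Z fileaudit user=alice path=/srv/finance/q1_report.xlsx
2024-05-01T09:05:10Z fileaudit user=bob path=/srv/finance/decoy/payroll_2024.xlsx
2024-05-01T09:06:02Z dns client=10.0.0.7 query=intranet.corp.example
2024-05-01T09:06:05Z dns client=10.0.0.31 query=backup-db01.corp.example
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.ts}] {a.kind} hit by {a.actor}: {a.decoy}")
```

Because a decoy has no legitimate use, each alert points directly at the actor (address or account) to investigate, with none of the false-positive tuning that ordinary signatures need.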