CySA+ Lesson 2C: Threat Modeling & Hunting
Uploaded by NiftyConcreteArt6078
Summary
This document provides an overview of threat modeling and threat hunting methodologies. It describes adversary capabilities, attack vectors, and how to quantify and assess risks. The document also explains the use of Open Source Intelligence (OSINT) in proactive threat hunting.
Full Transcript
CySA+ 2C: Utilize threat modeling and hunting methodologies

Threat Modeling: Adversary Capability and Attack Surface

Multiple frameworks have been established to assist in the analysis of information systems. When trying to quantify a risk you may want to ask:
- How can an attack be performed?
- What could the potential impact be on the CIA triad?
- How likely is the risk to be realised?
- What mitigation strategies are already in place?

Threat Modeling

Threat modeling is designed to help identify the main risks and the Tactics, Techniques, and Procedures (TTPs) that a system may be subjected to, by evaluating the system from the perspective of the attacker and from the perspective of the defenders. This helps to assess risks against corporate networks and business systems, or against specific targets. The results of threat modeling assessments can be used to identify which security monitoring and detection systems should be used.

Adversary Capability

One of the primary stages of threat modeling is identifying where threats are coming from. Determining the type or classification of threats and their ability to effectively target your systems is called "adversary capability". MITRE identifies the following levels of capability:
- Acquired and augmented: uses commodity malware and existing tools and techniques only.
- Developed: these threats can identify and exploit a zero-day.
- Advanced: can exploit supply chains to introduce vulnerabilities into proprietary and open source products, and can plan campaigns that exploit suppliers and service providers.
- Integrated: can additionally use non-cyber tools, such as political or military assets.

Total Attack Surface

This represents all of the points within your network that an attacker could interact with in order to potentially compromise it.
Determining the attack surface of your network is extremely important and can be done by taking inventory of the assets deployed in the network, as well as identifying all the processes that those assets support.

Attack Vector

This is the specific means by which the attacker exploits a vulnerability on the attack surface. MITRE identifies three principal categories of attack vector:
- Cyber: use of a hardware or software IT system. Examples of cyber attack vectors include email or social media messaging, USB storage, a compromised user account, an open network application port, a rogue device, and so on.
- Human: use of social engineering to perpetrate an attack through coercion, impersonation, or force. Note that attackers may use cyber interfaces for human attack vectors, such as email or social media.
- Physical: gaining local access to premises in order to effect an intrusion or denial of service attack.

Threat Likelihood

Threat likelihood is the probability that an attack will be realised. You can determine the likelihood of a threat by using the following methods:
- Discovering the threat's motivation. What does an attacker stand to gain from conducting an attack?
- Conducting a trend analysis to identify emerging adversary capabilities and attack vectors. How effective are these attacks, and how have they been exploited before?
- Determining the threat's annual rate of occurrence (ARO). How often does the threat successfully affect other enterprises?

Determining impact means calculating the dollar cost of the threat in terms of disrupted business workflows, data breach, fines and contract penalties, and loss of reputation and customer confidence.

Proactive Threat Hunting

Unlike reactive threat hunting, which begins as a result of an attack that has already occurred, proactive threat hunting uses threat research done beforehand to discover whether there is evidence of TTPs present within a system or network.
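The attack surface inventory and the likelihood/impact calculation above are easier to see with data in hand. The following is an added example, not part of the lesson or of any MITRE material: it builds a small inventory of assets, the processes they support and the interfaces an attacker could interact with, groups those interfaces by MITRE vector category, and then ranks constructed threats by annualized loss expectancy (ALE = single-occurrence impact x ARO). Every asset, threat and dollar figure is made up for illustration.

```python
# Added example (not part of the lesson): an attack-surface inventory and a
# quantitative risk ranking. All assets, threats and dollar figures below are
# constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    processes: tuple      # business processes this asset supports
    interfaces: tuple     # (vector, description) pairs an attacker could touch


@dataclass
class Threat:
    name: str
    vector: str           # MITRE vector category: "cyber", "human" or "physical"
    impact_usd: float     # dollar cost of one successful occurrence (SLE)
    aro: float            # annual rate of occurrence


# Constructed inventory: what is deployed and what each asset supports
INVENTORY = (
    Asset("mail-gw01", ("email",),
          (("cyber", "SMTP 25/tcp reachable from the internet"),
           ("cyber", "webmail on 443/tcp"))),
    Asset("hr-portal", ("payroll", "onboarding"),
          (("cyber", "HTTPS 443/tcp"),
           ("human", "help-desk password reset by phone"))),
    Asset("server-room", ("payroll", "email"),
          (("physical", "badge-controlled door"),)),
)

# Constructed threats with assumed impact and ARO values
THREATS = (
    Threat("phishing credential theft", "human", 50_000, 2.0),
    Threat("exploit of exposed web application", "cyber", 400_000, 0.1),
    Threat("tailgating into server room", "physical", 250_000, 0.05),
)


def attack_surface(assets):
    """Total attack surface: every interface an attacker could interact with,
    grouped by vector category, with the processes exposed through it."""
    surface = defaultdict(list)
    for asset in assets:
        for vector, description in asset.interfaces:
            surface[vector].append((asset.name, description, asset.processes))
    return dict(surface)


def processes_exposed_via(surface, vector):
    """Business processes reachable through a given vector category."""
    return {p for _, _, procs in surface.get(vector, ()) for p in procs}


def annualized_loss_expectancy(threat):
    # ALE = SLE x ARO: the expected yearly cost, used to prioritise mitigation
    return threat.impact_usd * threat.aro


def rank_threats(threats):
    """Highest expected annual loss first."""
    return sorted(threats, key=annualized_loss_expectancy, reverse=True)


if __name__ == "__main__":
    surface = attack_surface(INVENTORY)
    for vector, entries in surface.items():
        exposed = sorted(processes_exposed_via(surface, vector))
        print(f"{vector}: {len(entries)} interface(s), exposes {exposed}")
    for t in rank_threats(THREATS):
        print(f"{t.name:40s} ALE = ${annualized_loss_expectancy(t):,.0f}")
```

With these constructed numbers the human vector comes out on top (a cheap but frequent threat outranks a costly but rare one), which is the point of weighting impact by ARO rather than ranking on impact alone; the inventory side shows which business processes each vector category exposes, so a mitigation can be chosen by the processes it protects.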
Proactive threat hunting can be done using open source intelligence found through trusted sources online or through exchanging information with other organizations. This helps to improve detection capabilities, since analysts can practise their vulnerability management skills before an attack occurs. The threats discovered via proactive threat hunting can also give signature-based detection service providers new sources to incorporate into their systems. If threat hunting identifies attack vectors that were previously unknown, this can help analysts reduce the attack surface area and block those attack vectors.

Proactive Threat Hunting (cont.)

Proactive threat hunting is done with an "assume breach" mindset. This means that the analyst approaches the hunt acknowledging that a breach could already have occurred within their network and that they must discover it, or discover how it could have occurred. Assume breach helps focus on addressing gaps in:
- Detection of attack and penetration
- Response to attack and penetration
- Recovery from data leakage, tampering or compromise
- Prevention of future attacks and penetration

OSINT

Open Source Intelligence (OSINT) is publicly available information, together with the tools for aggregating and searching that information. Some sources of OSINT include:
- Publicly available information such as the IP addresses of an organization's DNS servers, names, email addresses, phone numbers and physical addresses. Some of this easily accessible data can then be used to discover additional information about an individual or organization.
- Social media sites such as Facebook and LinkedIn can be mined for an organization's information. Depending on how much an employee shares about the company they work for, you can discover a lot.
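A concrete form of the proactive, assume-breach hunt described above is to take indicators published in an OSINT feed and sweep existing telemetry for them before any alert has fired. The following is an added example, not code from the lesson: it matches constructed DNS, proxy and endpoint log lines against a constructed indicator set (RFC 5737 test addresses, .example domains and a placeholder hash stand in for a real feed), handles subdomains and trailing dots in DNS names, and reports which internal hosts the hunt should pivot to next. Indicator matching is the simplest kind of hunt; a TTP-based hunt would look for behaviours rather than values, but the loop is the same.

```python
# Added example (not part of the lesson): a proactive hunt that checks
# constructed log lines against indicators taken from an OSINT feed. The
# indicators, hosts and log lines are all made up (RFC 5737 test addresses,
# .example domains, a placeholder hash) and stand in for a real feed.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no kind indicator source")

# Constructed indicators, in the shape a real OSINT feed would provide them
OSINT_IOCS = {
    "domain": {"updates-cdn.example"},
    "ipv4": {"203.0.113.45"},
    "sha256": {"a" * 64},          # placeholder, not a real file hash
}

# Constructed log lines from DNS, proxy and endpoint telemetry
LOGS = [
    "2024-05-01T08:12:03Z dns client=10.0.0.21 query=login.corp.example type=A",
    "2024-05-01T08:12:09Z dns client=10.0.0.21 query=telemetry.updates-cdn.example. type=A",
    "2024-05-01T08:12:10Z proxy client=10.0.0.21 dst=203.0.113.45:443 action=allow",
    "2024-05-01T08:13:44Z endpoint host=ws21 image=C:\\Users\\a\\svc.exe sha256=" + "A" * 64,
    "2024-05-01T08:15:00Z proxy client=10.0.0.22 dst=198.51.100.7:443 action=allow",
]

DOMAIN_RE = re.compile(r"query=([A-Za-z0-9.-]+)")
IPV4_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")
SHA256_RE = re.compile(r"sha256=([0-9A-Fa-f]{64})")


def domain_matches(observed, known_domains):
    """True if the observed name is a known domain or a subdomain of one."""
    observed = observed.lower().rstrip(".")
    return any(observed == d or observed.endswith("." + d) for d in known_domains)


def hunt(log_lines, iocs):
    """Return every indicator hit, with the line number it was found on."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        for m in DOMAIN_RE.finditer(line):
            if domain_matches(m.group(1), iocs["domain"]):
                findings.append(Finding(line_no, "domain",
                                        m.group(1).lower().rstrip("."), line))
        for m in IPV4_RE.finditer(line):
            if m.group(1) in iocs["ipv4"]:
                findings.append(Finding(line_no, "ipv4", m.group(1), line))
        for m in SHA256_RE.finditer(line):
            # hashes are compared case-insensitively; feeds and sensors differ
            if m.group(1).lower() in iocs["sha256"]:
                findings.append(Finding(line_no, "sha256", m.group(1).lower(), line))
    return findings


def affected_clients(findings):
    """Internal hosts involved in the hits, so the hunt can pivot to them."""
    clients = set()
    for f in findings:
        m = re.search(r"(?:client|host)=(\S+)", f.source)
        if m:
            clients.add(m.group(1))
    return clients


if __name__ == "__main__":
    hits = hunt(LOGS, OSINT_IOCS)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} {f.indicator}")
    print("pivot to:", sorted(affected_clients(hits)))
```

Three of the five constructed lines hit (a subdomain lookup, a proxied connection and a process hash on the same workstation), and the pivot set gives the responder the hosts to examine for the detection, response and recovery gaps listed under assume breach.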
- HTML code: the HTML code of an organization's web page can provide information such as IP addresses, names of web servers, operating system versions, file paths and even the names of developers.
- Metadata: attackers can use metadata to identify information that a person doesn't think could be used to discover further information about them.
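The HTML leakage point above is something a defender can check for on their own pages before publication. The following is an added example, not code from the lesson: it parses a constructed page with the standard-library HTMLParser and collects the kinds of information the lesson names (generator and author meta tags, HTML comments that mention server names or product versions, and absolute filesystem paths in src/href attributes). The sample page, hostnames and version strings are placeholders.

```python
# Added example (not part of the lesson): audit a page's HTML for the kinds
# of information the lesson lists (server names, versions, file paths,
# developer names) so they can be removed before publication. The sample page
# is constructed; hostnames and versions in it are placeholders.
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="ExampleCMS 4.2.1">
<meta name="author" content="j.doe">
<!-- TODO(jdoe): remove debug include before go-live -->
<script src="/var/www/html/assets/app.js"></script>
</head><body>
<p>Welcome</p>
<!-- served by web01.corp.example (Apache/2.4.57 on Ubuntu 22.04) -->
</body></html>"""

# Absolute filesystem paths (Windows drive letters or common Unix roots)
PATH_RE = re.compile(r"(?:[A-Za-z]:\\[^\s\"'<>]+|/(?:var|home|usr|opt|etc)/[^\s\"'<>]+)")
# product/version strings such as Apache/2.4.57
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+\b")


class LeakAuditor(HTMLParser):
    """Collect (kind, value) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        # Comments are invisible in the browser but not to anyone reading source
        text = data.strip()
        self.findings.append(("comment", text))
        for version in VERSION_RE.findall(text):
            self.findings.append(("software_version", version))
        for path in PATH_RE.findall(text):
            self.findings.append(("filesystem_path", path))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta":
            name = (attrs.get("name") or "").lower()
            if name in ("generator", "author"):
                self.findings.append(("meta_" + name, attrs.get("content") or ""))
        # a server-side path copied into a URL attribute reveals the layout
        for key in ("src", "href", "action"):
            value = attrs.get(key)
            if value and PATH_RE.search(value):
                self.findings.append(("filesystem_path", value))


def audit_html(html):
    """Return the list of (kind, value) findings for one page."""
    parser = LeakAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, value in audit_html(SAMPLE_HTML):
        print(f"{kind:18s} {value}")
```

On the constructed page the audit surfaces the CMS version, an author handle, a developer's name inside a comment, a server-side path to the document root and a web server version string; each is a reason to edit the template, and the same walk can be run over a whole site's static output in a build step.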