Chapter 02 - Cybersecurity Threat Landscape PDF
Summary
This chapter provides an overview of cybersecurity threats and vulnerabilities. It covers common threat actors and their motivations, explains different threat vectors and attack surfaces, and details various types of vulnerabilities. It also touches on zero-day attacks and insider threats.
Chapter 2 Cybersecurity Threat Landscape

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:

Domain 2.0: Threats, Vulnerabilities, and Mitigations

2.1. Compare and contrast common threat actors and motivations.
- Threat actors (Nation-state, Unskilled attacker, Hacktivist, Insider threat, Organized crime, Shadow IT)
- Attributes of actors (Internal/external, Resources/funding, Level of sophistication/capability)
- Motivations (Data exfiltration, Espionage, Service disruption, Blackmail, Financial gain, Philosophical/political beliefs, Ethical, Revenge, Disruption/chaos, War)

2.2. Explain common threat vectors and attack surfaces.
- Message-based (Email, Short Message Service (SMS), Instant messaging (IM))
- Image-based
- File-based
- Voice call
- Removable device
- Vulnerable software (Client-based vs. agentless)
- Unsupported systems and applications
- Unsecure networks (Wireless, Wired, Bluetooth)
- Open service ports
- Default credentials
- Supply chain (Managed service providers (MSPs), Vendors, Suppliers)

2.3. Explain various types of vulnerabilities.
- Supply chain (Service provider, Hardware provider, Software provider)
- Zero-day

Domain 4.0: Security Operations

4.3. Explain various activities associated with vulnerability management.
- Identification methods (Threat feed, Open-source intelligence (OSINT), Proprietary/third-party, Information-sharing organization, Dark web)

Cybersecurity threats have become increasingly sophisticated and diverse over the past few decades. An environment that was once populated by lone hobbyists is now shared by skilled technologists, organized criminal syndicates, and even government-sponsored attackers, all seeking to exploit the digital domain to achieve their own objectives. Cybersecurity professionals seeking to safeguard the confidentiality, integrity, and availability of their organization's assets must have a strong understanding of the threat environment to develop appropriate defensive mechanisms.
In the first part of this chapter, you will learn about the modern cybersecurity threat environment, including the major types of threat and the characteristics that differentiate them. In the sections that follow, you will learn how to build your own organization's threat intelligence capability to stay current as the threat environment evolves.

Exploring Cybersecurity Threats

Cybersecurity threat actors differ significantly in their skills, capabilities, resources, and motivation. Protecting your organization's information and systems requires a solid understanding of the nature of these different threats so that you may develop a set of security controls that comprehensively protects your organization against their occurrence.

Classifying Cybersecurity Threats

Before we explore specific types of threat actors, let's examine the characteristics that differentiate the types of cybersecurity threat actors. Understanding our adversary is crucial to defending against them.

Exam Note

The threat characteristics in the section below are the characteristics specifically mentioned in the CompTIA SY0-701 Security+ exam objectives. If you face questions about threat actor attributes on the exam, remember that every exam question ties back to a specific exam objective and the answer is most likely either found on this list or directly related to one of these attributes.

Internal vs. External

We most often think about the threat actors who exist outside our organizations: competitors, criminals, and the curious. However, some of the most dangerous threats come from within our own environments. We'll discuss the insider threat later in this chapter.

Level of Sophistication/Capability

Threat actors vary greatly in their level of cybersecurity sophistication and capability. As we explore different types of threat actors in this chapter, we'll discuss how they range from the unsophisticated/unskilled attacker simply running code borrowed from others to the advanced persistent threat (APT) actor exploiting vulnerabilities discovered in their own research labs and unknown to the security community.

Resources/Funding

Just as threat actors vary in their sophistication, they also vary in the resources available to them. Highly organized attackers sponsored by organized crime or national governments often have virtually limitless resources, whereas less organized attackers may simply be hobbyists working in their spare time.

Intent/Motivation

Attackers also vary in their motivation and intent. The unskilled attacker may be simply out for the thrill of the attack, whereas competitors may be engaged in highly targeted corporate espionage. Nation-states seek to achieve political objectives; organized crime often focuses on direct financial gain.

As we work through this chapter, we'll explore different types of threat actors. As we do so, take some time to reflect back on these characteristics. In addition, you may wish to reference them when you hear news of current cybersecurity attacks in the media and other sources. Dissect those stories and analyze the threat actors involved. If the attack came from an unknown source, think about the characteristics that are most likely associated with the attacker. These can be important clues during a cybersecurity investigation. For example, a ransomware attack seeking payment from the victim is more likely associated with an organized crime group seeking financial gain than with a competitor engaged in corporate espionage.

The Hats Hackers Wear

The cybersecurity community uses a shorthand lingo to refer to the motivations of attackers, describing them as having different-colored hats. The origins of this approach date back to old Western films, where the “good guys” wore white hats and the “bad guys” wore black hats to help distinguish them in the film. Cybersecurity professionals have adopted this approach to describe different types of cybersecurity adversaries:

- Authorized attackers, also known as white-hat hackers, are those who act with authorization and seek to discover security vulnerabilities with the intent of correcting them. White-hat hackers may either be employees of the organization or contractors hired to engage in penetration testing.
- Unauthorized attackers, also known as black-hat hackers, are those with malicious intent. They seek to defeat security controls and compromise the confidentiality, integrity, or availability of information and systems for their own, unauthorized purposes.
- Semi-authorized attackers, also known as gray-hat hackers, are those who fall somewhere between white- and black-hat hackers. They act without proper authorization, but they do so with the intent of informing their targets of any security vulnerabilities.

It's important to understand that simply having good intent does not make gray-hat hacking legal or ethical. The techniques used by gray-hat attackers can still be punished as criminal offenses.

Threat Actors

Now that we have a set of attributes that we can use to discuss the different types of threat actors, let's explore the most common types that security professionals encounter in their work.

Exam Note

In addition to being the types of threat actors most commonly found in cybersecurity work, the attackers discussed in this section are also those found in the CompTIA SY0-701 exam objectives. Be certain that you understand the differences between unskilled attackers; hacktivists; organized crime; advanced persistent threats (APTs), including nation-state actors; and shadow IT.
Unskilled Attackers

The term script kiddie is a derogatory term for unskilled attackers who use hacking techniques but have limited skills. Often such attackers may rely almost entirely on automated tools they download from the Internet. These attackers often have little knowledge of how their attacks actually work, and they are simply seeking out convenient targets of opportunity.

You might think that with their relatively low skill level, unskilled attackers are not a real security threat. However, that isn't the case for two important reasons. First, simplistic hacking tools are freely available on the Internet. If you're vulnerable to them, anyone can easily find tools to automate denial-of-service (DoS) attacks, create viruses, make a Trojan horse, or even distribute ransomware as a service. Personal technical skills are no longer a barrier to attacking a network.

Second, unskilled attackers are plentiful and unfocused in their work. Although the nature of your business might not find you in the crosshairs of a sophisticated military-sponsored attack, unskilled attackers are much less discriminating in their target selection. They often just search for and discover vulnerable victims without even knowing the identity of their target. They might root around in files and systems and only discover who they've penetrated after their attack succeeds.

In general, the motivations of unskilled attackers revolve around trying to prove their skill. In other words, they may attack your network simply because it is there. Secondary school and university networks are common targets of unskilled attackers' attacks because many of these attackers are school-aged individuals.

Fortunately, the number of unskilled attackers is often offset by their lack of skill and lack of resources. These individuals tend to be rather young, they work alone, and they have very few resources. And by resources, we mean time as well as money. An unskilled attacker normally can't attack your network 24 hours a day. They usually have to work a job, go to school, and attend to other life functions.

Hacktivists

Hacktivists use hacking techniques to accomplish some activist goal. They might deface the website of a company whose policies they disagree with. Or a hacktivist might attack a network due to some political issue. The defining characteristic of hacktivists is that they believe they are motivated by the greater good, even if their activity violates the law.

Their activist motivation means that measures that might deter other attackers will be less likely to deter a hacktivist. Because they believe that they are engaged in a just crusade, they will, at least in some instances, risk getting caught to accomplish their goals. They may even view being caught as a badge of honor and a sacrifice for their cause.

The skill levels of hacktivists vary widely. Some are only unskilled attackers, whereas others are quite skilled, having honed their craft over the years. In fact, some cybersecurity researchers believe that some hacktivists are actually employed as cybersecurity professionals as their “day job” and perform hacktivist attacks in their spare time. Highly skilled hacktivists pose a significant danger to their targets.

The resources of hacktivists also vary somewhat. Many are working alone and have very limited resources. However, some are part of organized efforts. The hacking group Anonymous, which uses the logo seen in Figure 2.1, is the most well-known hacktivist group. They collectively decide their agenda and their targets. Over the years, Anonymous has waged cyberattacks against targets as diverse as the Church of Scientology, PayPal, Visa and Mastercard, Westboro Baptist Church, and even government agencies. This type of anonymous collective of attackers can prove quite powerful. Large groups will always have more time and other resources than a lone attacker. Due to their distributed and anonymous nature, it is difficult to identify, investigate, and prosecute participants in their hacking activities. The group lacks a hierarchical structure, and the capture of one member is unlikely to compromise the identities of other members.

FIGURE 2.1 Logo of the hacktivist group Anonymous

Hacktivists tend to be external attackers, but in some cases, internal employees who disagree strongly with their company's policies engage in hacktivism. In those instances, it is more likely that the hacktivist will attack the company by releasing confidential information. Government employees and self-styled whistleblowers fit this pattern of activity, seeking to bring what they consider unethical government actions to the attention of the public. For example, many people consider Edward Snowden a hacktivist. In 2013, Snowden, a former contractor with the U.S. National Security Agency, shared a large cache of sensitive government documents with journalists. Snowden's actions provided unprecedented insight into the digital intelligence gathering capabilities of the United States and its allies.

Organized Crime

Organized crime appears in any case where there is money to be made, and cybercrime is no exception. The ranks of cybercriminals include links to traditional organized crime families in the United States, outlaw gangs, the Russian mafia, and even criminal groups organized specifically for the purpose of engaging in cybercrime.

The common thread among these groups is motive and intent. The motive is simply illegal financial gain. Organized criminal syndicates do not normally embrace political issues or causes, and they are not trying to demonstrate their skills. In fact, they would often prefer to remain in the shadows, drawing as little attention to themselves as possible. They simply want to generate as much illegal profit as they possibly can.
In their 2021 Internet Organized Crime Threat Assessment (IOCTA), the European Union Agency for Law Enforcement Cooperation (EUROPOL) found that organized crime groups were active in a variety of cybercrime categories, including the following:

- Cyber-dependent crime, including ransomware, data compromise, distributed denial-of-service (DDoS) attacks, website defacement, and attacks against critical infrastructure
- Child sexual abuse material, including child pornography, abuse, and solicitation
- Online fraud, including credit card fraud and business email compromises
- Dark web activity, including the sale of illegal goods and services
- Cross-cutting crime factors, including social engineering, money mules, and the criminal abuse of cryptocurrencies

Organized crime tends to have attackers who range from moderately skilled to highly skilled. It is rare for unskilled attackers to be involved in these crimes, and if they are, they tend to be caught rather quickly. The other defining factor is that organized crime groups tend to have more resources, both in terms of time and money, than do hacktivists or unskilled attackers. They often embrace the idea that “it takes money to make money” and are willing to invest in their criminal enterprises in the hopes of yielding a significant return on their investments.

Nation-State Attackers

In recent years, a great deal of attention has been given to nation-state attackers hacking into either foreign governments or corporations. The term advanced persistent threats (APTs) describes a series of attacks that the security firm Mandiant first traced to sources connected to the Chinese military. In subsequent years, the security community discovered similar organizations linked to the government of virtually every technologically advanced country.

The term APT tells you a great deal about the attacks themselves. First, they use advanced techniques, not simply tools downloaded from the Internet. Second, the attacks are persistent, occurring over a significant period of time. In some cases, the attacks continue for years as attackers patiently stalk their targets, awaiting the right opportunity to strike.

The APT attacks that Mandiant reported are emblematic of nation-state attacks. They tend to be characterized by highly skilled attackers with significant resources. A nation has the labor force, time, and money to finance ongoing, sophisticated attacks. The motive can be political or economic. In some cases, the attack is done for traditional espionage goals: to gather information about the target's defense capabilities. In other cases, the attack might be targeting intellectual property or other economic assets.

Zero-Day Attacks

APT attackers often conduct their own security vulnerability research in an attempt to discover vulnerabilities that are not known to other attackers or cybersecurity teams. After they uncover a vulnerability, they do not disclose it but rather store it in a vulnerability repository for later use. Attacks that exploit these vulnerabilities are known as zero-day attacks. Zero-day attacks are particularly dangerous because they are unknown to product vendors, and therefore, no patches are available to correct them. APT actors who exploit zero-day vulnerabilities are often able to easily compromise their targets.

Stuxnet is one of the most well-known examples of an APT attack. The Stuxnet attack, traced to the U.S. and Israeli governments, exploited zero-day vulnerabilities to compromise the control networks at an Iranian uranium enrichment facility.

Insider Threat

Insider attacks occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization. These attacks are often aimed at disclosing confidential information, but insiders may also seek to alter information or disrupt business processes.
An insider might be of any skill level. They could be an unskilled attacker or very technically skilled. Insiders may also have differing motivations behind their attacks. Some are motivated by certain activist goals, whereas others are motivated by financial gain. Still others may simply be upset that they were passed over for a promotion or slighted in some other manner.

An insider will usually be working alone and have limited financial resources and time. However, the fact that they are insiders gives them an automatic advantage. They already have some access to your network and some level of knowledge. Depending on the insider's job role, they might have significant access and knowledge.

Behavioral assessments are a powerful tool in identifying insider attacks. Cybersecurity teams should work with human resources partners to identify insiders exhibiting unusual behavior and intervene before the situation escalates.

The Threat of Shadow IT

Dedicated employees often seek to achieve their goals and objectives through whatever means allows them to do so. Sometimes, this involves purchasing technology services that aren't approved by the organization. For example, when file sharing and synchronization services first came on the market, many employees turned to personal Dropbox accounts to sync work content between their business and personal devices. They did not do this with any malicious intent. On the contrary, they were trying to benefit the business by being more productive.

This situation, where individuals and groups seek out their own technology solutions, is a phenomenon known as shadow IT. Shadow IT poses a risk to the organization because it puts sensitive information in the hands of vendors outside of the organization's control. Cybersecurity teams should remain vigilant for shadow IT adoption and remember that the presence of shadow IT in an organization means that business needs are not being met by the enterprise IT team. Consulting with shadow IT users often identifies acceptable alternatives that both meet business needs and satisfy security requirements.

Competitors

Competitors may engage in corporate espionage designed to steal sensitive information from your organization and use it to their own business advantage. This may include theft of customer information, stealing proprietary software, identifying confidential product development plans, or gaining access to any other information that would benefit the competitor.

In some cases, competitors will use a disgruntled insider to get information from your company. They may also seek out insider information available for purchase on the dark web, a shadowy anonymous network often engaging in illicit activity. Figure 2.2 shows an actual dark web market with corporate information for sale.

FIGURE 2.2 Dark web market

These markets don't care how they get the information; their only concern is selling it. In some cases, hackers break into a network and then sell the information to a dark web market. In other cases, insiders sell confidential information on the dark web. In fact, some dark web markets are advertising that they wish to buy confidential data from corporate insiders. This provides a ready resource for competitors to purchase your company's information on the dark web.

Your organization may want to consider other specific threat actors based on your threat models and profile, so you should not consider this a complete list. You should conduct periodic organizational threat assessments to determine what types of threat actors are most likely to target your organization, and why.

Attacker Motivations

You've already read a few examples of how different threat actors may have different motivations. For example, hacktivists are generally motivated by political beliefs, whereas organized crime may be motivated by financial gain. Let's take a look at some of the primary motivations behind cyberattacks:

- Data exfiltration attacks are motivated by the desire to obtain sensitive or proprietary information, such as customer data or intellectual property.
- Espionage attacks are motivated by organizations seeking to steal secret information from other organizations. This may come in the form of nation-states attacking each other or corporate espionage.
- Service disruption attacks seek to take down or interrupt critical systems or networks, such as banking systems or health-care networks.
- Blackmail attacks seek to extort money or other concessions from victims by threatening to release sensitive information or launch further attacks.
- Financial gain attacks are motivated by the desire to make money through theft or fraud. Organized crime is generally motivated by financial gain, as are other types of attackers.
- Philosophical/political belief attacks are motivated by ideological or political reasons, such as promoting a particular cause or ideology. Hacktivists are generally motivated by philosophical or political beliefs.
- Ethical attacks, or white-hat hacking, are motivated by a desire to expose vulnerabilities and improve security. These attacks are often carried out by security researchers or ethical hackers with the permission of the organization being tested.
- Revenge attacks are motivated by a desire to get even with an individual or organization by embarrassing them or exacting some other form of retribution against them.
- Disruption/chaos attacks are motivated by a desire to cause chaos and disrupt normal operations.
- War may also be a motivation for cyberattacks. Military units and civilian groups may use hacking in an attempt to disrupt military operations and change the outcome of an armed conflict.

Understanding the motivations of attackers can help you understand what they might target and how to defend your organization against them.
Exam Note

It is very likely you will be asked to compare and contrast the various threat actors on the exam. You should know the attributes and motivations behind each.

Threat Vectors and Attack Surfaces

Threat actors targeting an organization need some means to gain access to that organization's information or systems. First, they must discover an attack surface. This is a system, application, or service that contains a vulnerability that they might exploit. Then, they must obtain access by exploiting one of those vulnerabilities using a threat vector. Threat vectors are the means that threat actors use to obtain access. One of the goals of security professionals is to reduce the size and complexity of the attack surface through effective security measures and risk mitigation strategies.

Message-Based Threat Vectors

Email is one of the most commonly exploited threat vectors. Phishing messages, spam messages, and other email-borne attacks are simple ways to gain access to an organization's network. These attacks are easy to execute and can be launched against many users simultaneously. The benefit for the attacker is that they generally need to succeed only one time to launch a broader attack. Even if 99.9 percent of users ignore a phishing message, the attacker needs the login credentials of only a single user to begin their attack.

Message-based attacks may also be carried out through other communications mechanisms, such as by sending text messages through Short Message Service (SMS) or instant messaging (IM) applications. Voice calls may also be used to conduct vishing (voice phishing) attacks.

Social media may be used as a threat vector in similar ways. Attackers might directly target users on social media, or they might use social media in an effort to harvest information about users that may be used in another type of attack. We will discuss these attacks in Chapter 4, “Social Engineering and Password Attacks.”

Wired Networks

Bold attackers may seek to gain direct access to an organization's wired network by physically entering the organization's facilities. One of the most common ways they do this is by entering public areas of a facility, such as a lobby, customer store, or other easily accessible location and sitting and working on their laptops, which are surreptitiously connected to unsecured network jacks on the wall. Alternatively, attackers who gain physical access to a facility may be able to find an unsecured computer terminal, network device, or other system. Security professionals must assume that an attacker who is able to physically touch a component will be able to compromise that device and use it for malicious purposes. This highlights the importance of physical security, which we will discuss in detail in Chapter 9, “Resilience and Physical Security.”

Wireless Networks

Wireless networks offer an even easier path onto an organization's network. Attackers don't need to gain physical access to the network or your facilities if they are able to sit in the parking lot and access your organization's wireless network. Bluetooth-enabled devices may be configured without security settings that prevent unauthorized connections. Unsecured or poorly secured wireless networks pose a significant security risk. We'll discuss the security of wireless networks in Chapter 13, “Wireless and Mobile Security.”

Systems

Individual systems may also serve as threat vectors depending on how they are configured and the software installed on them. The operating system configuration may expose open service ports that are not necessary to meet business needs or that allow the use of well-known default credentials that were never changed. Software installed on a system may contain known or undetected vulnerabilities. Organizations may be using legacy applications or systems that are no longer supported by their vendor. Any of these vulnerabilities could be used as a threat vector by an attacker seeking to gain a foothold on a system. We'll discuss securing endpoint systems in Chapter 11, “Endpoint Security.”

Files and Images

Individual files, including images, may also be threat vectors. An attacker may create a file that contains embedded malicious code and then trick a user into opening that file, activating the malware infection. These malicious files may be sent by email, stored on a file server, or placed in any other location where an unsuspecting user might be tempted to open it.

Removable Devices

Attackers also commonly use removable media, such as USB drives, to spread malware and launch their attacks. An attacker might distribute inexpensive USB sticks in parking lots, airports, or other public areas, hoping that someone will find the device and plug it into their computer, curious to see what it contains. As soon as that happens, the device triggers a malware infection that silently compromises the finder's computer and places it under the control of the attacker. We discuss the security of endpoint devices, including control over the use of removable media, in Chapter 11.

Cloud

Cloud services can also be used as an attack vector. Attackers routinely scan popular cloud services for files with improper access controls, systems that have security flaws, or accidentally published API keys and passwords. Organizations must include the cloud services that they use as an important component of their security program. The vulnerabilities facing organizations operating in cloud environments bear similarities to those found in on-premises environments, but the controls often differ. We discuss secure cloud operations in Chapter 10, “Cloud and Virtualization Security.”

Supply Chain

Sophisticated attackers may attempt to interfere with an organization's IT supply chain, including hardware providers, software providers, and service providers. Attacking an organization's vendors and suppliers provides an indirect mechanism to attack the organization itself.

Attackers may gain access to hardware devices at the manufacturer or while the devices are in transit from the manufacturer to the end user. Tampering with a device before the end user receives it allows attackers to insert backdoors that grant them control of the device once the customer installs it on their network. This type of third-party risk is difficult to anticipate and address.

Supply chain attackers may also target software providers, inserting vulnerabilities into software before it is released or deploying backdoors in software through official update and patching mechanisms. Attackers who infiltrate managed service providers (MSPs) may be able to use their access to the MSP network to leverage access that the MSP has to its customer's systems and networks.

Other issues may also arise in the supply chain, particularly if a vendor fails to continue to support a system that the organization depends on, fails to provide required system integrations, or fails to provide adequate security for outsourced code development or data storage. Strong vendor management practices can identify these issues quickly as they arise and allow the organization to address the risks appropriately.

Exam Note

Be ready to identify and explain the common threat vectors and attack surfaces.

Threat Data and Intelligence

Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment. Building a threat intelligence program is a crucial part of any organization's approach to cybersecurity.
If you're not familiar with current threats, you won't be able to build appropriate defenses to protect your organization against those threats. Threat intelligence information can also be used for predictive analysis to identify likely risks to the organization.

There are many sources of threat intelligence, ranging from open source intelligence (OSINT) that you can gather from publicly available sources, to commercial services that provide proprietary or closed-source intelligence information. An increasing number of products and services have the ability to consume threat feed data, allowing you to leverage it throughout your infrastructure and systems. Regardless of their source, threat feeds are intended to provide up-to-date detail about threats in a way that your organization can leverage. Threat feeds often include technical details about threats, such as IP addresses, hostnames and domains, email addresses, URLs, file hashes, file paths, Common Vulnerabilities and Exposures (CVE) record numbers, and other details about a threat. Additional information is often included to help make the information relevant and understandable, including details of what may make your organization a target or vulnerable to the threat, descriptions of threat actors, and even details of their motivations and methodologies.

Vulnerability databases are also an essential part of an organization's threat intelligence program. Reports of vulnerabilities certainly help direct an organization's defensive efforts, but they also provide valuable insight into the types of exploits being discovered by researchers.

Threat intelligence sources may also provide indicators of compromise (IoCs). These are the telltale signs that an attack has taken place and may include file signatures, log patterns, and other evidence left behind by attackers. IoCs may also be found in file and code repositories that offer threat intelligence information.
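To show how the threat feed data described above is actually consumed, here is an added example that is not part of the book: a constructed feed of IP, netblock, domain and SHA-256 indicators is matched against constructed log lines, handling subdomain and CIDR membership the way a feed consumer must. The feed's JSON field names, every indicator value, and the log lines are all assumptions made for this example.

```python
"""Match a small threat feed against sample log lines (added example)."""
import ipaddress
import json
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Host names are taken only from an explicit host= field so that arbitrary
# dotted tokens in a log line are not mistaken for domains.
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")

# Constructed feed in a flat JSON shape; the field names are assumed and do
# not reproduce any real MISP or AIS export format. All values are made up.
FEED_JSON = """
[
  {"type": "ip-dst", "value": "203.0.113.45", "tag": "c2-server"},
  {"type": "cidr", "value": "198.51.100.0/24", "tag": "hostile-netblock"},
  {"type": "domain", "value": "update-check.example.net", "tag": "phishing"},
  {"type": "sha256",
   "value": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
   "tag": "dropper"}
]
"""

# Constructed proxy, EDR and firewall log lines (not real telemetry).
LOG_LINES = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.15 dst=203.0.113.45 "
    "host=cdn.update-check.example.net action=allow",
    "2024-05-01T10:03:40Z proxy src=10.0.0.22 dst=192.0.2.80 "
    "host=intranet.corp.example action=allow",
    "2024-05-01T10:05:02Z edr host=WS-0117 sha256="
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 "
    "path=C:\\Users\\Public\\invoice.exe",
    "2024-05-01T10:07:19Z fw src=198.51.100.77 dst=10.0.0.5 dport=3389 action=drop",
]


def load_feed(text):
    """Index feed records by type: exact-match maps plus a list of networks."""
    feed = {"ip-dst": {}, "domain": {}, "sha256": {}, "cidr": []}
    for rec in json.loads(text):
        kind, value, tag = rec["type"], rec["value"].strip().lower(), rec.get("tag", "")
        if kind == "cidr":
            feed["cidr"].append((ipaddress.ip_network(value, strict=False), tag))
        elif kind in feed:
            feed[kind][value] = tag
    return feed


def extract_observables(line):
    """Pull candidate IPs, host names and SHA-256 hashes out of one log line."""
    ips = set()
    for tok in IPV4_RE.findall(line):
        try:
            ips.add(str(ipaddress.ip_address(tok)))
        except ValueError:
            pass  # e.g. "999.1.1.1" looks like an address but is not one
    hosts = {h.lower() for h in HOST_RE.findall(line)}
    hashes = {h.lower() for h in SHA256_RE.findall(line)}
    return ips, hosts, hashes


def match_line(feed, line):
    """Return every feed indicator that the observables in this line hit."""
    matches = []
    ips, hosts, hashes = extract_observables(line)
    for ip in sorted(ips):
        if ip in feed["ip-dst"]:
            matches.append({"type": "ip-dst", "value": ip, "tag": feed["ip-dst"][ip]})
        addr = ipaddress.ip_address(ip)
        for net, tag in feed["cidr"]:  # netblock entries need containment, not equality
            if addr in net:
                matches.append({"type": "cidr", "value": str(net), "tag": tag})
    for host in sorted(hosts):
        for dom, tag in feed["domain"].items():
            # A feed domain also covers its subdomains (cdn.<domain>).
            if host == dom or host.endswith("." + dom):
                matches.append({"type": "domain", "value": dom, "tag": tag})
    for h in sorted(hashes):
        if h in feed["sha256"]:
            matches.append({"type": "sha256", "value": h, "tag": feed["sha256"][h]})
    return matches


def scan(feed, lines):
    """Scan numbered log lines and keep only those with at least one match."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = match_line(feed, line)
        if found:
            hits.append({"line": n, "matches": found})
    return hits


if __name__ == "__main__":
    for hit in scan(load_feed(FEED_JSON), LOG_LINES):
        tags = ", ".join(f"{m['type']}={m['value']} [{m['tag']}]" for m in hit["matches"])
        print(f"line {hit['line']}: {tags}")
```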
Open Source Intelligence

Open source threat intelligence is threat intelligence that is acquired from publicly available sources. Many organizations have recognized how useful open sharing of threat information can be, and open source threat intelligence has become broadly available. In fact, now the challenge is often around deciding what threat intelligence sources to use, ensuring that they are reliable and up-to-date, and leveraging them well.

A number of sites maintain extensive lists of open source threat information sources:

- Senki.org provides a list: www.senki.org/operators-security-toolkit/open-source-threat-intelligence-feeds
- The Open Threat Exchange operated by AT&T is part of a global community of security professionals and threat researchers: https://cybersecurity.att.com/open-threat-exchange
- The MISP Threat Sharing project, www.misp-project.org/feeds, provides standardized threat feeds from many sources, with community-driven collections.
- Threatfeeds.io hosts a list of open source threat intelligence feeds, with details of when they were added and modified, who maintains them, and other useful information: https://threatfeeds.io

In addition to open source and community threat data sources, there are many government and public sources of threat intelligence data. For example, Figure 2.3 shows an alert listing from the Cybersecurity & Infrastructure Security Agency (CISA) website.

FIGURE 2.3 Alert listing from the CISA website

Government sites:

- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) site: www.cisa.gov
- The U.S. Department of Defense Cyber Crime Center site: www.dc3.mil
- The CISA's Automated Indicator Sharing (AIS) program, www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sharing-ais, and their Information Sharing and Analysis Organizations program, www.cisa.gov/information-sharing-and-analysis-organizations-isaos
- Many countries provide their own cybersecurity sites, like the Australian Signals Directorate's Cyber Security Centre: www.cyber.gov.au. You should become familiar with major intelligence providers, worldwide and for each country you operate in or work with.

Vendor websites:

- Microsoft's threat intelligence blog: www.microsoft.com/en-us/security/blog/topic/threat-intelligence
- Cisco Security Advisories site (https://sec.cloudapps.cisco.com/security/center/publicationListing.x) includes an experts' blog with threat research information, as well as the Cisco Talos reputation lookup tool, https://talosintelligence.com

Public sources:

- The SANS Internet Storm Center: https://isc.sans.org
- VirusShare contains details about malware uploaded to VirusTotal: https://virusshare.com
- The Spamhaus Project focuses on blocklists, including spam via the Spamhaus Block List (SBL), hijacked and compromised computers on the Exploits Block List (XBL), the Policy Block List (PBL), the Domain Block List (DBL), the Don't Route or Peer lists (DROP) listing netblocks that you may not want to allow traffic from, and a variety of other information: www.spamhaus.org

These are just a small portion of the open source intelligence resources available to security practitioners, but they give you a good idea of what is available.

Exploring the Dark Web

The dark web is a network run over standard Internet connections but using multiple layers of encryption to provide anonymous communication. Hackers often use sites on the dark web to share information and sell credentials and other data stolen during their attacks. Threat intelligence teams should familiarize themselves with the dark web and include searches of dark web marketplaces for credentials belonging to their organization or its clients. The sudden appearance of credentials on dark web marketplaces likely indicates that a successful attack took place and requires further investigation.

You can access the dark web using the Tor browser. You'll find more information on the Tor browser at the Tor Project website: www.torproject.org.

Proprietary and Closed-Source Intelligence

Commercial security vendors, government organizations, and other security-centric organizations also create and make use of proprietary, or closed-source, intelligence. They do their own information gathering and research, and they may use custom tools, analysis models, or other proprietary methods to gather, curate, and maintain their threat feeds.

There are a number of reasons that proprietary threat intelligence may be used. The organization may want to keep their threat data secret, they may want to sell or license it and their methods and sources are their trade secrets, or they may not want to take the chance of the threat actors knowing about the data they are gathering.

Commercial closed-source intelligence is often part of a service offering, which can be a compelling resource for security professionals. The sheer amount of data available via open source threat intelligence feeds can be overwhelming for many organizations. Combing through threat feeds to identify relevant threats, and then ensuring that they are both well defined and applied appropriately for your organization, can require massive amounts of effort. Validating threat data can be difficult in many cases, and once you are done making sure you have quality threat data, you still have to do something with it!
When a Threat Feed Fails

The authors of this book learned a lesson about up-to-date threat feeds a number of years ago after working with an IDS and IPS vendor. The vendor promised up-to-date feeds and signatures for current issues, but they tended to run behind other vendors in the marketplace. In one case, a critical Microsoft vulnerability was announced, and exploit code was available and in active use within less than 48 hours. Despite repeated queries, the vendor did not provide detection rules for over two weeks. Unfortunately, manual creation of rules on this vendor's platform did not work well, resulting in exposure of systems that should have been protected.

It is critical that you have reliable, up-to-date feeds to avoid situations like this. You may want to have multiple feeds that you can check against each other—often one feed may be faster or release information sooner, so multiple good-quality, reliable feeds can be a big help!

Threat maps provide a geographic view of threat intelligence. Many security vendors offer high-level maps that provide real-time insight into the cybersecurity threat landscape. For example, Check Point offers the public the threat map shown in Figure 2.4 at https://threatmap.checkpoint.com. Organizations may also use threat mapping information to gain insight into the sources of attacks aimed directly at their networks. However, threat map information should be viewed skeptically because geographic attribution is notoriously unreliable. Attackers often relay their attacks through cloud services and other compromised networks, hiding their true geographic location from threat analysis tools.

FIGURE 2.4 Check Point Cyber Threat Map

Assessing Threat Intelligence

Regardless of the source of your threat intelligence information, you need to assess it. A number of common factors come into play when you assess a threat intelligence source or a specific threat intelligence notification.

1. Is it timely? A feed that is operating on delay can cause you to miss a threat, or to react after the threat is no longer relevant.
2. Is the information accurate? Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct?
3. Is the information relevant? If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.

One way to summarize the threat intelligence assessment data is via a confidence score. Confidence scores allow organizations to filter and use threat intelligence based on how much trust they can give it. That doesn't mean that lower confidence information isn't useful; in fact, a lot of threat intelligence starts with a lower confidence score, and that score increases as the information solidifies and as additional sources of information confirm it or are able to do a full analysis. Low confidence threat information shouldn't be completely ignored, but it also shouldn't be relied on to make important decisions without taking the low confidence score into account.

Assessing the Confidence Level of Your Intelligence

Many threat feeds will include a confidence rating, along with a descriptive scale. For example, one approach uses six levels of confidence:

- Confirmed (90–100) uses independent sources or direct analysis to prove that the threat is real.
- Probable (70–89) relies on logical inference but does not directly confirm the threat.
- Possible (50–69) is used when some information agrees with the analysis, but the assessment is not confirmed.
- Doubtful (30–49) is assigned when the assessment is possible but not the most likely option, or the assessment cannot be proven or disproven by the information that is available.
- Improbable (2–29) means that the assessment is possible but is not the most logical option, or it is refuted by other information that is available.
- Discredited (1) is used when the assessment has been confirmed to be inaccurate or incorrect.

Your organization may use a different scale: 1–5, 1–10, and High/Medium/Low scales are all commonly used to allow threat intelligence users to quickly assess the quality of the assessment and its underlying data.

Threat Indicator Management and Exchange

Managing threat information at any scale requires standardization and tooling to allow the threat information to be processed and used in automated ways. Indicator management can be much easier with a defined set of terms. That's where structured markup languages like STIX and OpenIOC come in.

Structured Threat Information eXpression (STIX) is a structured language originally sponsored by the U.S. Department of Homeland Security; STIX 1.x was expressed in XML, while the current STIX 2.x releases use JSON. In its current version, STIX 2.1 defines 18 STIX Domain Objects, including things like attack patterns, identities, malware, threat actors, and tools. These objects are then related to each other by one of two STIX Relationship Objects: either as a relationship or as a sighting. A STIX JSON description of a threat actor might read as follows:

{
  "type": "threat-actor",
  "created": "2019-10-20T19:17:05.000Z",
  "modified": "2019-10-21T12:22:20.000Z",
  "labels": ["crime-syndicate"],
  "name": "Evil Maid, Inc",
  "description": "Threat actors with access to hotel rooms",
  "aliases": ["Local USB threats"],
  "goals": ["Gain physical access to devices", "Acquire data"],
  "sophistication": "intermediate",
  "resource_level": "government",
  "primary_motivation": "organizational-gain"
}

Fields like sophistication and resource_level use defined vocabulary options to allow STIX users to consistently use the data as part of automated and manual systems.

Using a single threat feed can leave you in the dark!
Many organizations leverage multiple threat feeds to get the most up-to-date information. Threat feed combinations can also be challenging since the feeds may not use the same format, classification model, or other elements. You can work around this by finding sources that already combine multiple feeds or by finding feeds that use the same description frameworks, like STIX.

Since its creation, STIX has been handed off to the Organization for the Advancement of Structured Information Standards (OASIS), an international nonprofit consortium that maintains many other projects related to information formatting, including XML and HTML.

A companion to STIX is the Trusted Automated eXchange of Intelligence Information (TAXII) protocol. TAXII is intended to allow cyber-threat information to be communicated at the application layer via HTTPS. TAXII is specifically designed to support STIX data exchange. You can read more about both STIX and TAXII in detail at the OASIS GitHub documentation site: https://oasis-open.github.io/cti-documentation.

Information Sharing Organizations

In addition to threat intelligence vendors and resources, threat intelligence communities have been created to share threat information. In the United States, organizations known as Information Sharing and Analysis Centers (ISACs) help infrastructure owners and operators share threat information and provide tools and assistance to their members. The National Council of ISACs lists the sector-based ISACs at www.nationalisacs.org/member-isacs-3.

The ISAC concept was introduced in 1998, as part of Presidential Decision Directive-63 (PDD-63), which asked critical infrastructure sectors to establish organizations to share information about threats and vulnerabilities. ISACs operate on a trust model, allowing in-depth sharing of threat information for both physical and cyber threats. Most ISACs operate 24/7, providing ISAC members in their sector with incident response and threat analysis.
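Whether an object is shared with an ISAC or published over TAXII, it is only useful to the recipient's automation if it carries the properties STIX 2.1 requires and keeps its vocabulary fields within the defined vocabularies; the chapter's threat-actor object above, for instance, omits id and spec_version. The following added example (not from the chapter or OASIS) checks a threat-actor object for those problems and maps its confidence value onto the chapter's six-level scale; the vocabulary sets and property names follow the STIX 2.1 specification, the 0-score handling is an assumption, and the UUID is a placeholder.

```python
"""Check a STIX 2.1 threat-actor object before it is shared. Added example,
not from the chapter or OASIS. The vocabularies below are the STIX 2.1 open
vocabularies; the confidence bands are the chapter's six-level scale."""
import re

SOPHISTICATION = {"none", "minimal", "intermediate", "advanced", "expert",
                  "innovator", "strategic"}           # threat-actor-sophistication-ov
RESOURCE_LEVEL = {"individual", "club", "contest", "team", "organization",
                  "government"}                       # attack-resource-level-ov
MOTIVATION = {"accidental", "coercion", "dominance", "ideology", "notoriety",
              "organizational-gain", "personal-gain", "personal-satisfaction",
              "revenge", "unpredictable"}             # attack-motivation-ov
VOCABS = {"sophistication": SOPHISTICATION, "resource_level": RESOURCE_LEVEL,
          "primary_motivation": MOTIVATION}
REQUIRED = ("type", "spec_version", "id", "created", "modified")  # common to every SDO
ID_RE = re.compile(r"^threat-actor--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Lower bound of each band in the chapter's scale, highest first.
BANDS = [(90, "Confirmed"), (70, "Probable"), (50, "Possible"),
         (30, "Doubtful"), (2, "Improbable"), (1, "Discredited")]

def confidence_label(score):
    """Map a STIX confidence value (0-100) to the chapter's descriptive level.
    0 is legal in STIX but below the chapter's scale; treated here as unscored."""
    if not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError("confidence must be an integer from 0 to 100")
    return next((label for low, label in BANDS if score >= low), "Unscored")

def validate_threat_actor(obj):
    """Return a list of problems; an empty list means the object can be shared."""
    problems = [f"missing required property {k}" for k in REQUIRED if k not in obj]
    if obj.get("type") != "threat-actor":
        problems.append("type must be 'threat-actor'")
    if "spec_version" in obj and obj["spec_version"] != "2.1":
        problems.append("spec_version must be '2.1'")
    if "id" in obj and not ID_RE.match(obj["id"]):
        problems.append("id must be 'threat-actor--' followed by a UUID")
    if "resource:level" in obj:   # easy transcription error; STIX uses an underscore
        problems.append("'resource:level' is not a STIX property (use 'resource_level')")
    for prop, vocab in VOCABS.items():
        if prop in obj and obj[prop] not in vocab:
            problems.append(f"{prop}={obj[prop]!r} is outside the open vocabulary")
    if "confidence" in obj:
        try:
            confidence_label(obj["confidence"])
        except ValueError as exc:
            problems.append(str(exc))
    return problems

# Constructed object modelled on the chapter's example, with the properties
# STIX 2.1 requires; the UUID is a placeholder, not a published identifier.
EVIL_MAID = {
    "type": "threat-actor", "spec_version": "2.1",
    "id": "threat-actor--11111111-2222-4333-8444-555555555555",
    "created": "2019-10-20T19:17:05.000Z", "modified": "2019-10-21T12:22:20.000Z",
    "name": "Evil Maid, Inc", "threat_actor_types": ["crime-syndicate"],
    "sophistication": "intermediate", "resource_level": "government",
    "primary_motivation": "organizational-gain", "confidence": 75,
}
```

`validate_threat_actor(EVIL_MAID)` returns an empty list, and `confidence_label(75)` returns "Probable"; feeding the function the chapter's object as printed would instead report the missing id and spec_version.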
In addition to ISACs, there are specific U.S. agencies or department partners for each critical infrastructure area. A list breaking them down by sector can be found at www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors.

Outside the United States, government bodies and agencies with similar responsibilities exist in many countries. The UK National Protective Security Authority (www.npsa.gov.uk) is tasked with providing threat information, resources, and guidance to industry and academia, as well as to other parts of the UK government and law enforcement.

Conducting Your Own Research

As a security professional, you should continue to conduct your own research into emerging cybersecurity threats. Here are sources you might consult as you build your threat research toolkit:

- Vendor security information websites.
- Vulnerability and threat feeds from vendors, government agencies, and private organizations.
- Academic journals and technical publications, such as Internet Request for Comments (RFC) documents. RFC documents are particularly informative because they contain the detailed technical specifications for Internet protocols.
- Professional conferences and local industry group meetings.
- Social media accounts of prominent security professionals.

As you reference these sources, keep a particular eye out for information on adversary tactics, techniques, and procedures (TTPs). Learning more about the ways that attackers function allows you to improve your own threat intelligence program.

Summary

Cybersecurity professionals must have a strong working understanding of the threat landscape in order to assess the risks facing their organizations and the controls required to mitigate those risks. Cybersecurity threats may be classified based on their internal or external status, their level of sophistication and capability, their resources and funding, and their intent and motivation.
Threat actors take many forms, ranging from relatively unsophisticated/unskilled attackers who are simply seeking the thrill of a successful hack to advanced nation-state actors who use cyberattacks as a military weapon to achieve political advantage. Hacktivists, organized crime, competitors, and other threat actors may all target the same organizations for different reasons.

Cyberattacks come through a variety of threat vectors. The most common vectors include email and social media; other attacks may come through direct physical access, supply chain exploits, network-based attacks, and other vectors. Organizations should build robust threat intelligence programs to help them stay abreast of emerging threats and adapt their controls to function in a changing environment.