Chapter 1 - 02 - Define Threat Actors_Agents_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Module Exam 212-82 Flow Define Threats Sources Define Threat Actors/ Agents Define Malware and its Types @ Define Vulnerabilities Understand Different Types of Vulnerabilities Copyright © by EC L. All Rights Reserved. Reproduction i Strictly Prohibited Define Threat Actors/Agents A security professional must know different types of threat actors/agents to understand the attacker’s perspective in hacking attempts. This section helps understand the different types of threat actors. Further, this section discusses the attributes of threat actors and threat vectors. Module 01 Page 11 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Threat Actors/Agents & R & Black Hats White Hats Gray Hats Hachoas Individuals with ; they resort to malicious or destructive Individuals who use their professed hacking skills for defensive purposes and are also known Individuals who work both and at various times activities and are also known as crackers A Suicide Script Kiddies Individuals who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail An unskilled hacker who compromises a system by as security terms or any were developed analysts other kind of punishment by real hackers , and software that Threat Actors/Agents (Cont’d) Individuals with a wide range of skills who are motivated by religious or political beliefs to create the fear through the large-scale disruption of computer networks 1' / \ Sfah;Sz::soxed Individuals employed by the government to penetrate and gain top-secret information from, and damage the information systems of other governments Individuals who promote a political agenda by hacking, especially by using hacking to deface or disable website Hacker Teams A consortium of skilled hackers having their own resources and funding. They work together in synergy for researching the state-of- the-art technologies Industrial Spies Module 01 Page 12 Individuals who perform corporate espionage by illegally spying on competitor organizations and focus on stealing information suchas blueprintsand formulas Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Threat Actors/Agents?—?C'J—ont’d') Insider Criminal Syndicates ' Organized Hackers Any employee (trusted person) who Groups of individuals that are Miscreants or hardened has access to critical assets of an organization. They use privileged access to violate rules or intentionally cause harm to the involved in organized, planned, and prolonged criminal activities. They illegally embezzle money by performing sophisticated cyber- criminals who use rented devices or botnets to perform various cyber-attacks to pilfer money from victims organization’s information system attacks L ANl Rights Reserved. Reproduction is Strictly Prohibited Threat Actors/Agents Threat actors usually fall into one of the following categories, according to their activities: = Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers. = White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the system owner. = Gray Hats: Gray hats are the individuals who work various times. Gray hats might help hackers to find network and, at the same time, help vendors hardware) by checking limitations and making them both offensively and defensively at various vulnerabilities in a system or to improve products (software or more secure. = Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a “cause” and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers who sacrifice their life for an attack and are thus not concerned with the consequences of their actions. = Script Kiddies: Script kiddies are unskilled scripts, tools, and software developed quantity, rather than the quality, of the specific target or goal in performing the hackers who compromise systems by running by real hackers. They usually focus on the attacks that they initiate. They do not have a attack and simply aim to gain popularity or prove their technical skills. Module 01 Page 13 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities = Exam 212-82 Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills who are motivated by religious or political beliefs to create the fear of large-scale disruption of computer networks. = State-Sponsored Hackers: State-sponsored hackers are skilled individuals having expertise in hacking and are employed by the government to penetrate, gain top-secret information from, and damage the information systems of other government or military organizations. The main aim of these threat actors is to detect vulnerabilities in and exploit a nation’s infrastructure and gather intelligence or sensitive information. = Hacktivist: Hacktivism is a form of activism in which hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as to boost their own reputations in both online and offline arenas. They promote a political agenda especially by using hacking to deface or disable websites. In some incidents, hacktivists may also obtain and reveal confidential information to the public. Common hacktivist targets include government agencies, financial institutions, multinational corporations, and any other entity that they perceive as a threat. Irrespective of hacktivists’ intentions, the gaining of unauthorized access is a crime. = Hacker Teams: A hacker team is a consortium of skilled hackers having their own resources and funding. They work together in synergy for researching state-of-the-art technologies. These threat actors can also detect vulnerabilities, develop advanced tools, and execute attacks with proper planning. * Industrial Spies: Industrial spies are individuals who perform corporate espionage by illegally spying on competitor organizations. They focus on stealing critical information such as blueprints, formulas, product designs, and trade secrets. These threat actors use advanced persistent threats (APTs) to penetrate a network and can also stay undetected for years. In some cases, they may use social engineering techniques to steal sensitive information such as development plans and marketing strategies of the target company, which can result in financial loss to that company. * Insiders: An insider is any employee (trusted person) who has access to critical assets of an organization. An insider threat involves the use of privileged access to violate rules or intentionally cause harm to the organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. Generally, insider threats arise from disgruntled employees, terminated employees, and undertrained staff members. = Criminal Syndicates: Criminal syndicates are groups of individuals or communities that are involved in organized, planned, and prolonged criminal activities. They exploit victims from distinct jurisdictions on the Internet, making them difficult to locate. The main aim of these threat actors is to illegally embezzle money by performing sophisticated cyber-attacks and money-laundering activities. = Organized Hackers: Organized hackers are a group of hackers working together in criminal activities. Such groups are well organized in a hierarchical structure consisting Module 01 Page 14 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 of leaders and workers. The group can also have multiple layers of management. These hackers are miscreants or hardened criminals who do not use their own devices; rather, they use rented devices or botnets and crimeware services to perform various cyberattacks to pilfer money from victims and sell their information to the highest bidder. They can also swindle intellectual property, trade secrets, and marketing plans; covertly penetrate the target network; and remain undetected for long periods. Module 01 Page 15 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 Attributes of Threat Actors Internal © @ Trusted insiders who have permission and authorized access to the organization’s network, systems, and physical resources External Outsiderswho do not have any authorized access to the organization’s network and systemsincluding physical resources Level of sophistication Highly sophisticated threat actorsare more successful in attacksthan less sophisticated threatactors Resources/funding © Determineshow a threatactor supports an attack financially or with the required software and equipment @) Intent/motivation Highly motivatedactorsare more likely to launch an attack; the intent of an attack can be connected to political or personal goals of the attacker Copyright © by EC-{ L All Rights Reserved. Reproduction is Strictly Prohibited Attributes of Threat Actors The complexity of evolving cyber security threats has alerted organizations to the importance of identifying and analyzing the behavior of threat actors. The attributes of threat actors such as their location, intent/motivation, and level of sophistication allows security professionals to analyze their behavior. Internal: Internal actors are trusted insiders who have permission and authorized access to the organization’s network, systems, and physical resources. Internal threat actors include internal employees, any third party associated with the organization, or even business partners in some scenarios. External: External actors are outsiders who do not have authorized access to the organization’s network and systems including physical resources. Such actors use social engineering techniques or malware to enter the target network or systems. Level of sophistication: The sophistication level is a crucial factor determining the risk of a threat actor. Highly sophisticated threat actors are more successful in attacks than less sophisticated threat actors. Resources/funding: This attribute determines the way a threat actor supports an attack financially or with the required software and equipment. Criminal groups and nationstate actors have relatively large budgets and can perform persistent attacks for longer time periods. Intent/motivation: This is a key attribute for the success of an attack. Highly motivated actors are more likely to launch an attack than less motivated actors, who may prepare for an attack but never launch it. The intent of an attack can be connected to political or personal goals of the attacker. Module 01 Page 16 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Threat Vectors Exam 212-82 A threat vector is a medium through which an attacker gains access to a system by exploiting identified vulnerabilities ®e©00 Direct access Removable media Wireless Email ©60-606 Threat vectors used by malicious actors Cloud Ransomware/malware Supply chain Business partners L All Rights Reserved. Reproduction is Strictly Prohibited Threat Vectors A threat vector is a medium through which an attacker gains access to a system by exploiting identified vulnerabilities. It is the path that attackers take to enter an organization’s network. Threat vectors can be exploited by numerous entities such as disgruntled employees, malicious hackers, and potential competitors to gain access to the systems of an organization and thereby disrupt services, access sensitive information, or steal technology. Discussed below are some of the important threat vectors used by malicious actors. = Direct access: Through direct access, the attacker gains physical access to the target system and performs malicious activities, which include modifications to the operating system and the installation of various types of programs such as keyloggers and software worms. Attackers can also download large amounts of data into backup media or portable devices. = Removable media: Devices such as USB drives, phones, and printers can become a threat vector when plugged into an organization’s system or network. These devices might contain malware that run automatically on the host system to steal or corrupt critical files. Detecting and preventing data leakage through removable media can be difficult. = Wireless: A corporate device implementing an unsecured wireless hotspot can be compromised along with the internal network. Attackers may use tools to crack the authentication credentials of a corporate wireless network or spoof a trusted access point to gain access to the target network. = Email: Attackers use email as a vector to perform various phishing malicious attachments to compromise the target. Attackers attempt Module 01 Page 17 attacks with to trick the Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82 employees of an organization to click on malicious links and attachments that are sent through emails to infect their system with malware or to gather sensitive information. = Cloud: Attackers inject malware into cloud resources to gain access to user information. They can add a service implementation module to SaaS, PaaS, or a virtual machine instance to deceive a cloud system. The user’s requests will then be redirected to the attacker’'s module or instance, which initiates the execution of malicious code. Alternatively, attackers find user accounts with weak credentials and exploit them to gain access to the target cloud services/data. = Ransomware/malware: the target system to Attackers can take advantage of unpatched vulnerabilities in inject ransomware. Furthermore, including Trojans, adware, and file-less malware infiltrate the target organization. can various types be employed of malware by attackers to = Supply chain: Using this threat vector, the attacker attempts to compromise the target by exploiting vulnerabilities in the resources supplied by a third-party vendor. The attacker takes advantage of these vulnerabilities to introduce malicious payloads and bypass endpoint security devices/solutions. = Business partners: Third-party organizations can emerge as a threat vector to an organization. Attackers can use supply-chain attacks to gain access to the customers’ information. Organizations must introduce cybersecurity best practices and demonstrate mutual transparency to mitigate this risk. Module 01 Page 18 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.