1.0 Attacks, Threats, and Vulnerabilities
1.5 Threat Actors, Vectors, and Intelligence Sources
Actors and Threats - Entity responsible for an event that has an impact on the safety of another entity.
Advanced Persistent Threat (APT) - Stays in your network, often undetected, until removed; can act as reconnaissance for a larger attack.
Insider Threats - A current or prospective employee, contractor, or vendor who is a threat actor.
State Actors - Nation state, governmental threat actor.
Hacktivists - Threat actors whose motive is a (often political) cause or agenda.
Script Kiddies - Outside threat actors who try many simple, pre-made scripts until they find one that lets them into a network.
Criminal Syndicates - Professional organized groups of threat actors.
Hackers - Broadly, a person who is good with technology.
Authorized - Hired to find network weaknesses and vulnerabilities, has permission.
Unauthorized - Malicious, looking to cause harm.
Semi-authorized - Researcher-type, looks for vulnerabilities and network access without direct permission, but does not act on them if found.
Shadow IT - Those within an organization who fulfill their own IT needs outside the purview of the proper IT processes and procedures.
Competitors - Threat actors from an outside organization that you share a market with.
Attributes of Actors
Internal - Threat from within the organization.
External - Threat from outside of the organization.
Level of Sophistication/Capacity - Complexity/severity potential of the attack.
Resources/Funding - Sophisticated attacks often require higher costs.
Intent/Motivation - Goal of the attack.
Vectors
Direct Access - Physical Access
Wireless - Through a shared wireless network or rogue access point
Email - Malicious links/phishing
Supply Chain - Trusted 3rd party is compromised
Social Media - Malicious links and scams/phishing, unintended employee over-sharing
Removable Media - Auto-run code from hot-swappable media (USB drives, CDs, disks)
Cloud - Manipulated or malicious cloud-based applications
Threat Intelligence Sources - Places to get data
Open-Source Intelligence (OSINT) - Public data
Closed/Proprietary - Paid-for data
Vulnerability Databases - Compiled information from multiple sources on vulnerabilities
Public/Private Info Sharing Centers - Organizations that collect and disseminate data
Dark Web - Black market data
Indicators of Compromise - Artifacts such as unusual DNS queries/network traffic or location data that identify an attack and help reverse engineer it
Automated Indicator Sharing (AIS) - Automated process to share security data between organizations.
Structured Threat Information eXpression (STIX) - Standard format for shared security data, contains info such as motive, ability, capability, and response info.
Trusted Automated eXchange of Intelligence Info (TAXII) - Transport protocol for exchanging security data (such as STIX)
Predictive Analysis - Using real-time data to try to identify compromise.
Threat Maps - Visual representation of where the attacks may be from and going.
File/Code Repositories - Databases of code shared between developers.
Research Sources
Vendor Websites - Vendor discovered/published data
Vulnerability Feeds - Government and private org provided vulnerability databases
Conferences - Conventions where you can learn about new research from presenters
Academic Journals - Peer-reviewed published research
Request For Comments (RFC) - Published by ISOC, often written by engineers on known issues/standards, best practices, and experimental and historical practices
Local Industry Groups - Geographically local meet-up
Social media - Groups often post to social media; monitor keywords and public conversations
Threat Feeds - Automated threat feed sourced from multiple organizations
Adversary Tactics, Techniques, and Procedures (TTP) - What threat actors do to gain access, what their typical goal is once inside a network, where they spend most of their time, and which attack vectors they prefer.