reflection
Explaining Threat Actors and Threat Intelligence
Lesson 2
1
Explain Threat Actor Types and Attack Vectors
Topic 2A
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
2
2
1.5 Explain different threat actors, vectors and intelligence sources
Syllabus Objectives Covered
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
3
Vulnerability, Threat, and Risk
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
4
Attributes of Threat Actors
Known threats versus adversary behaviors
Internal/external
Intent/motivation
Maliciously targeted versus opportunistic
Accidental/unintentional
Level of sophistication
Resources/funding
Adversary capability levels
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
5
Hackers, Script Kiddies, and Hacktivists
The “Lone Hacker”
White hats versus black hats versus gray hats
Authorized versus non-authorized versus semi-authorized
Script kiddies
Hacker teams and hacktivists
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
6
State Actors and Advanced Persistent Threats
State-backed groups
Attached to military/secret services
Highly sophisticated
Advanced Persistent Threat (APT)
Espionage and strategic advantage
Deniability
False flag operations
Screenshot used with permission from fireeye.com.
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
7
Criminal Syndicates and Competitors
Criminal syndicates
Operate across legal jurisdictions
Motivated by criminal profit
Can be very well resourced and funded
Competitors
Cyber espionage
Combine with insider threat
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
8
8
Insider Threat Actors
Malicious insider threat
Has or has had authorized access
Employees, contractors, partners
Sabotage, financial gain, business advantage
Unintentional insider threat
Weak policies and procedures
Weak adherence to policies and procedures
Lack of training/security awareness
Shadow IT
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
9
9
Attack Surface and Vectors
Attack surface
Points where an attacker can discover/exploit vulnerabilities in a network or application
Vectors
Direct access
Removable media
Remote and wireless
Supply chain
Web and social media
Cloud
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
10
10
Threat Actor Types and Attack Vectors
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
11
Review Activity
Explain Threat Intelligence Sources
Topic 2B
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
12
12
1.5 Explain different threat actors, vectors and intelligence sources
Syllabus Objectives Covered
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
13
Threat Research Sources
Counterintelligence
Tactics, techniques, and procedures (TTPs)
Threat research sources
Academic research
Analysis of attacks on customer systems
Honeypots/honeynets
Dark nets and the dark web
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
14
14
Threat Intelligence Providers
Narrative analysis and commentary
Reputation/threat data feeds—cyber threat intelligence (CTI)
Platforms and feeds
Closed/proprietary
Vendor websites
Public/private information sharing centers
Open source intelligence (OSINT) threat data sources
OSINT as reconnaissance and monitoring
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
15
15
Academic journals
Conferences
Request for Comments (RFC)
Social media
Other Threat Intelligence Research Sources
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
16
16
Tactics, Techniques, and Procedures and Indicators of Compromise
Tactics, Techniques, and Procedures (TTPs)
Generalized statement of adversary behavior
Campaign strategy and approach (tactics)
Generalized attack vectors (techniques)
Specific intrusion tools and methods (procedures)
Indicator of compromise (IoC)
Specific evidence of intrusion
Individual data points
Correlation of system and threat data
AI-backed analysis
Indicator of attack (IoA)
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
17
Threat Data Feeds
Structured Threat Information exchange (STIX)
Trusted Automated Exchange of Indicator Information (TAXII)
Automated Indicator Sharing (AIS)
Threat maps
File/code repositories
Vulnerability databases and feeds
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
18
Icon images © Copyright 2016 Bret Jordan. Licensed under the Creative Commons Attribution-ShareAlike (CC BY-SA) License, Version 4.0. (freetaxii.github.io/stix2-icons.html.
18
Correlation between security intelligence/event monitoring and threat data
Artificial intelligence (AI) and machine learning (ML)
Expert systems
Artificial neural networks (ANN)
Inputs, outputs, and feedback
Objectives and error states
Predictive analysis
Threat forecasting
Monitor “chatter”
Artificial Intelligence and Predictive Analysis
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
19
19
Threat Intelligence Sources
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
20
Review Activity
Summary
Lesson 2
CompTIA Security+ Lesson 2 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
21
21