# Threat Actor Types and Attack Vectors

[[Principles of Security]]

IMPACT x LIKELIHOOD = RISK

![[Pasted image 20230626084401.png]]

Vulnerability -> weakness or flaw that can be exploited
Threat ->

## Attributes of Threat Actors

- Known threats vs adversary behaviours
- Internal/external
- Intent/motivation
    - Maliciously targeted vs opportunistic
    - Accidental/unintentional
- Level of sophistication
- Resources/funding
- Adversary capability levels
- [APTs](https://www.mandiant.com/resources/insights/apt-groups)

## Hackers, Script Kiddies, and Hacktivists

- White hat -> seeks permission
- Grey hat -> may not seek permission, but doesn't use the exploit (bug bounties)
- Black hat -> exploits maliciously
- Script kiddies -> not very technical; they use pre-existing scripts
- Hacktivists -> act on behalf of some kind of movement

## Criminal Syndicates and Competitors

- Criminal syndicates
    - Operate across legal jurisdictions
    - Motivated by criminal profit
    - Can be very well resourced and funded
- Competitors
    - Cyber espionage
    - Combine with insider threat

## Insider Threat Actors

- Malicious insider threat
    - Has or had authorized access
    - Employees, contractors, and partners
    - Sabotage, financial gain, business advantage
- Unintentional insider threat
    - Weak policies and procedures
    - Weak adherence to policies and procedures
    - Lack of training/security awareness
    - Shadow IT

## Attack Surface and Vectors

- Attack surface
    - Points where an attacker can discover/exploit vulnerabilities in a network or application
    - Installing more software makes your surface larger, so generally you want just what you need and nothing more
- Vectors
    - Direct access
    - Removable media
    - Email
    - Remote and wireless
    - Supply chain
    - Web and social media
    - Cloud

# Threat Intelligence Sources

## Threat Research Sources

![[Pasted image 20230626094432.png]]

## Threat Intelligence Providers

- Narrative analysis and commentary
- Reputation/threat data feeds
- Cyber threat intelligence (CTI)
- Platforms and feeds
- Closed/proprietary
- Vendor websites
- Public/private information sharing centers
- OSINT sources
- OSINT, reconnaissance, and monitoring

![[Pasted image 20230626094712.png]]

## Other Threat Intelligence Research Sources

- Academic journals
- Conferences
- Requests for Comments (RFCs)
- Social media

## Tactics, Techniques, and Procedures and Indicators of Compromise

- Tactics, Techniques and Procedures **(TTPs)**
    - Generalized statement of adversary behaviour
    - Campaign strategy and approach (tactics)
    - Generalized attack vectors (techniques)
    - Specific intrusion tools and methods (procedures)
- Indicator of compromise **(IoC)**
    - Specific evidence of intrusion
    - Individual data points
    - Correlation of system and threat data
    - AI-backed analysis
- Indicator of attack **(IoA)**

## Threat Data Feeds

- Structured Threat Information eXchange **(STIX)**
    - Language for how the threat is communicated/expressed
- Trusted Automated eXchange of Indicator Information **(TAXII)**
    - How STIX content is transmitted
- Automated Indicator Sharing **(AIS)**
- Threat maps
- File/code repos
- Vulnerability databases and feeds

## Artificial Intelligence and Predictive Analysis

- Correlation between security intelligence/event monitoring and threat data
- AI and machine learning
    - Expert systems
    - Artificial neural networks (ANN)
    - Inputs, outputs, and feedback
    - Objectives and error states
- Predictive analysis
    - Threat forecasting
    - Monitor "chatter"
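As an added illustration of the STIX/TAXII and IoC bullets above, and of the "correlation of system and threat data" point (this is example code, not part of the original notes): the Python below parses a small constructed STIX 2.1 bundle, pulls the atomic indicator values out of each indicator's pattern, and correlates them with constructed observed values from local telemetry. All identifiers, the domain and the hash are placeholders, and the comparison-expression regex is a deliberate simplification of the full STIX pattern grammar.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for content pulled from a TAXII
# collection; the IDs, domain and hash are placeholders, not real indicators.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2023-06-26T08:44:01Z", "modified": "2023-06-26T08:44:01Z",
         "name": "Example C2 domain", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "valid_from": "2023-06-26T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2023-06-26T08:44:01Z", "modified": "2023-06-26T08:44:01Z",
         "name": "Example dropper", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "valid_from": "2023-06-26T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32
                    + "' OR file:name = 'dropper.exe']"},
        # Context objects carry no IoC literals and are skipped by the parser.
        {"type": "malware", "spec_version": "2.1", "is_family": False,
         "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "ExampleLoader"},
    ],
})

# One STIX comparison expression: <object-path> <operator> '<literal>'
# (simplified; the full pattern grammar also has qualifiers and other types).
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*(=|!=|LIKE|MATCHES)\s*'([^']*)'")


def extract_iocs(bundle_json: str) -> list:
    """Pull each atomic IoC (object path + literal) out of every indicator's
    STIX pattern, keeping the indicator id so sightings can be reported back."""
    iocs = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for path, _op, value in _COMPARISON.findall(obj["pattern"]):
            iocs.append({"indicator": obj["id"], "path": path, "value": value})
    return iocs


def match_observed(iocs: list, observed: list) -> list:
    """Correlate values seen in local telemetry (DNS names, file hashes, file
    names from logs) with the IoC literals; returns (value, indicator id)."""
    lookup = {ioc["value"]: ioc["indicator"] for ioc in iocs}
    return [(v, lookup[v]) for v in observed if v in lookup]
```

Running `match_observed(extract_iocs(STIX_BUNDLE), [...])` over a list of observed DNS names or hashes returns only the hits, each tied to the indicator that sourced it.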