Security+ Long Study 2
2.0 Threats, Vulnerabilities, and Mitigations (22%)
2.1 Compare and contrast common threat actors and motivations.
2.2 Explain common threat vectors and attack surfaces.
2.3 Explain various types of vulnerabilities.
2.4 Given a scenario, analyze indicators of malicious activity.
2.5 Explain the purpose of mitigation techniques used to secure the enterprise.
2.1 Compare and contrast common threat actors and motivations
🟠 Threat Actors
● Nation-state → Government-sponsored entities targeting other nations for political, economic, or military purposes.
● Unskilled Attacker → Individuals with limited technical expertise or resources attempting to exploit vulnerabilities.
● Hacktivist → Individuals or groups motivated by political or social causes, engaging in cyberattacks to promote their agenda.
● Insider Threat → Current or former employees, contractors, or partners with insider access to systems and data, posing a risk to security.
● Organized Crime → Groups engaged in illegal activities, including cybercrime, for financial gain.
● Shadow IT → Unauthorized IT systems or services implemented within an organization without official approval or oversight.
🟠 Attributes of Actors
● Internal/External → Whether the threat actor operates from within the target organization or externally.
● Resources/Funding → The level of financial and technological resources available to the threat actor.
● Level of Sophistication/Capability → The technical expertise and sophistication of the threat actor’s tactics, techniques, and procedures (TTPs).
🟠 Motivations
● Data Exfiltration → Stealing sensitive data for espionage, financial gain, or sabotage.
● Espionage → Gathering intelligence or intellectual property for political, economic, or military advantage.
● Service Disruption → Interrupting or disabling critical services to cause operational disruptions.
● Blackmail → Coercing victims by threatening to expose sensitive information or disrupt operations.
● Financial Gain → Monetizing stolen data, conducting ransomware attacks, or engaging in cybercrime for profit.
● Philosophical/Political Beliefs → Acting in alignment with ideological or political agendas.
● Ethical → Conducting security research or penetration testing with permission to identify vulnerabilities and improve defenses.
● Revenge → Retaliating against individuals, organizations, or entities perceived as adversaries.
● Disruption/Chaos → Creating chaos or confusion for strategic or ideological reasons.
● War → Engaging in cyber warfare to achieve political, economic, or military objectives.
2.2 Explain common threat vectors and attack surfaces
🟠 Attack Vectors
● Message-based
🔹 Email → Using email communication to deliver malicious content or phishing attempts.
🔹 Short Message Service (SMS) → Sending malicious messages via text messaging.
🔹 Instant Messaging (IM) → Exploiting vulnerabilities in instant messaging platforms to deliver malware or scams.
● Image-based → Leveraging image files containing hidden malware or exploiting vulnerabilities in image processing software.
● File-based → Delivering malicious payloads through file attachments, such as infected documents or executables.
● Voice Call → Exploiting vulnerabilities in voice communication systems to deliver scams or phishing attempts.
● Removable Device → Infecting systems through the use of infected USB drives or external storage devices.
🟠 Vulnerable Software
● Client-based vs. Agentless → Exploiting vulnerabilities in software that runs as an installed client or agent on the host, or in agentless systems that manage hosts remotely without one, to gain unauthorized access or deliver malware.
● Unsupported Systems and Applications → Targeting systems or applications that no longer receive security updates or patches.
🟠 Unsecure Networks
● Wireless → Exploiting vulnerabilities in wireless network protocols to intercept communications or gain unauthorized access.
● Wired → Eavesdropping or conducting man-in-the-middle attacks on wired network connections.
● Bluetooth → Exploiting vulnerabilities in Bluetooth connections to gain unauthorized access or deliver malware.
● Open Service Ports → Targeting open ports on networked devices to exploit known vulnerabilities or gain unauthorized access.
● Default Credentials → Exploiting devices or systems with default login credentials that have not been changed.
🟠 Supply Chain
● Managed Service Providers (MSPs) → Exploiting vulnerabilities in services provided by third-party managed service providers.
● Vendors → Targeting vulnerabilities in software or hardware provided by vendors.
● Suppliers → Exploiting vulnerabilities in components or services provided by suppliers.
🟠 Human Vectors/Social Engineering
● Phishing → Sending fraudulent emails or messages to trick individuals into revealing sensitive information or performing actions.
● Vishing → Using voice communication to deceive individuals into divulging sensitive information.
● Smishing → Sending deceptive text messages to trick individuals into revealing information or downloading malware.
● Misinformation/Disinformation → Spreading false or misleading information to manipulate individuals or organizations.
● Impersonation → Pretending to be someone else to deceive individuals or gain unauthorized access.
● Business Email Compromise → Targeting employees with fraudulent emails to trick them into transferring funds or sensitive information.
● Pretexting → Creating a false pretext or scenario to manipulate individuals into revealing information or performing actions.
● Watering Hole → Compromising websites frequented by target individuals or organizations to deliver malware or conduct attacks.
● Brand Impersonation → Impersonating reputable brands or organizations to deceive individuals into taking actions.
● Typosquatting → Registering domain names similar to legitimate ones to deceive users into visiting malicious websites.
2.3 Explain various types of vulnerabilities
🟠 Application
● Memory Injection → Exploiting vulnerabilities to inject malicious code into a running process’s memory space.
● Buffer Overflow → Overwriting adjacent memory locations to execute malicious code or crash the application.
● Race Conditions → Exploiting vulnerabilities related to timing issues in code execution:
🔹 Time-of-Check (TOC) → Exploiting the time gap between checking a condition and acting on it.
🔹 Time-of-Use (TOU) → Exploiting changes in system state between the time of validation and the time of use.
● Malicious Update → Distributing updates or patches that contain malicious code or backdoors.
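The time-of-check/time-of-use race above, shown as an added example that is not part of the study guide: a vulnerable check-then-open reader beside a hardened open-then-check reader. It assumes a POSIX system (os.O_NOFOLLOW, symlinks); the file names, the `between` hook that stands in for the race window and the temp-directory scenario are all constructed for the demonstration.

```python
import os
import stat
import tempfile


def read_if_regular_unsafe(path, between=lambda: None):
    """Vulnerable check-then-use: the check (lstat) and the use (open) are two
    separate path lookups. 'between' stands in for whatever happens in that
    window; in the demo it swaps the file for a symlink to a secret."""
    st = os.lstat(path)                       # time of check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    between()                                 # the race window
    with open(path, "rb") as fh:              # time of use: a second lookup
        return fh.read()


def read_if_regular_safe(path, between=lambda: None):
    """Hardened open-then-check: open without following symlinks, then validate
    the descriptor actually held. Later changes to the path cannot affect it."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # fails if path is a symlink
    try:
        between()                             # too late: fd is already bound to the file
        st = os.fstat(fd)                     # check the object we hold, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temp directory: 'secret.txt' must never be
    read through this code path; 'report.txt' starts as a regular file and is
    replaced by a symlink to the secret inside the check/use window."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        report = os.path.join(d, "report.txt")
        with open(secret, "wb") as fh:
            fh.write(b"TOP-SECRET")

        def swap_for_symlink():
            os.remove(report)
            os.symlink(secret, report)

        for name, reader in (("unsafe", read_if_regular_unsafe),
                             ("safe", read_if_regular_safe)):
            if os.path.lexists(report):       # never write through a leftover link
                os.remove(report)
            with open(report, "wb") as fh:
                fh.write(b"public report")
            try:
                results[name] = reader(report, between=swap_for_symlink)
            except OSError:
                results[name] = "refused"

        # The link is now already in place; the hardened reader refuses it outright.
        try:
            read_if_regular_safe(report)
            results["safe_existing_link"] = "followed link"
        except OSError:
            results["safe_existing_link"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unsafe reader returning the secret even though its check passed, while the hardened reader returns the public content it actually opened and refuses a path that is already a link. The design point is that the check must be made on the object you already hold (the descriptor), never on a path that can be re-resolved.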
🟠 Operating System (OS)-Based
● Exploiting vulnerabilities in the operating system to gain unauthorized access or disrupt operations.
🟠 Web-Based
● Structured Query Language Injection (SQLi) → Exploiting vulnerabilities in web applications to execute malicious SQL queries.
● Cross-Site Scripting (XSS) → Injecting malicious scripts into web pages viewed by other users.
🟠 Hardware
● Firmware → Exploiting vulnerabilities in device firmware to gain unauthorized access or control.
● End-of-Life → Exploiting vulnerabilities in devices or systems that are no longer supported by the manufacturer.
● Legacy → Exploiting vulnerabilities in older hardware or software that is still in use.
🟠 Virtualization
● Virtual Machine (VM) Escape → Exploiting vulnerabilities in virtualization software to break out of a virtual machine and access the host system.
● Resource Reuse → Exploiting shared resources in virtualized environments to gain unauthorized access or disrupt operations.
🟠 Cloud-Specific
● Exploiting vulnerabilities in cloud services or infrastructure to gain unauthorized access or disrupt operations.
🟠 Supply Chain
● Service Provider → Exploiting vulnerabilities in services provided by third-party vendors or service providers.
● Hardware Provider → Exploiting vulnerabilities in hardware components provided by suppliers.
● Software Provider → Exploiting vulnerabilities in software provided by third-party vendors or service providers.
🟠 Cryptographic
● Exploiting weaknesses or vulnerabilities in cryptographic protocols or implementations.
🟠 Misconfiguration
● Exploiting misconfigured settings or permissions to gain unauthorized access or disrupt operations.
🟠 Mobile Device
● Side Loading → Installing applications from unofficial or untrusted sources, which may contain malware.
● Jailbreaking → Removing software restrictions imposed by the manufacturer to gain access to unauthorized features or apps.
🟠 Zero-Day
● Exploiting vulnerabilities that are unknown to the software vendor or have not yet been patched.
2.4 Given a scenario, analyze indicators of malicious activity
🟠 Malware Attacks
● Ransomware → Malicious software that encrypts files or systems and demands payment for decryption.
● Trojan → Malware disguised as legitimate software, which performs unauthorized actions when executed.
● Worm → Self-replicating malware that spreads across networks and devices without user intervention.
● Spyware → Software designed to secretly gather user information or monitor activities without consent.
● Bloatware → Unwanted software that consumes system resources and may display intrusive advertisements.
● Virus → Malicious code that attaches itself to legitimate programs and spreads when those programs are executed.
● Keylogger → Software or hardware that records keystrokes, often used to capture sensitive information like passwords.
● Logic Bomb → Malicious code that executes a harmful action when specific conditions are met.
● Rootkit → Malware that grants unauthorized access to a computer system and conceals its presence from users and security software.
🟠 Physical Attacks
● Brute Force → Attempting to gain access to a system or account by systematically trying all possible passwords or encryption keys.
● Radio Frequency Identification (RFID) Cloning → Copying RFID tags to gain unauthorized access to secure areas or systems.
● Environmental → Physical damage or disruption caused by factors such as fire, water, or extreme temperatures.
🟠 Network Attacks
● Distributed Denial-of-Service (DDoS):
🔹 Amplified → Abusing services whose responses are much larger than the requests that trigger them, so a small amount of attacker traffic is multiplied into a large volume aimed at the target.
🔹 Reflected → Spoofing the source IP address to redirect and amplify traffic towards a target.
● Domain Name System (DNS) Attacks → Disrupting or manipulating DNS services to redirect traffic or disrupt network operations.
● Wireless → Exploiting vulnerabilities in wireless networks or devices to gain unauthorized access or disrupt operations.
● On-Path → Intercepting and modifying network traffic between two parties to eavesdrop or manipulate data.
● Credential Replay → Capturing and reusing authentication credentials to gain unauthorized access to systems or services.
● Malicious Code → Executing unauthorized commands or actions on a target system.
🟠 Application Attacks
● Injection → Inserting malicious code or commands into an application to exploit vulnerabilities.
● Buffer Overflow → Writing data beyond the allocated memory buffer, potentially allowing attackers to execute arbitrary code.
● Replay → Capturing and replaying valid data packets to gain unauthorized access or perform malicious actions.
● Privilege Escalation → Exploiting vulnerabilities to gain elevated privileges and access restricted resources.
● Forgery → Creating and using falsified data or credentials to impersonate a legitimate user or system.
● Directory Traversal → Exploiting insufficient input validation to access files and directories outside of the intended directory structure.
🟠 Cryptographic Attacks
● Downgrade → Forcing a system to use weaker cryptographic protocols or algorithms to exploit vulnerabilities.
● Collision → Finding two different inputs that produce the same hash value, potentially leading to unauthorized actions.
● Birthday → Exploiting the birthday paradox: the probability that two different inputs share a hash value grows so quickly with the number of inputs that a collision is found far sooner than the hash length alone would suggest.
🟠 Password Attacks
● Spraying → Attempting to gain unauthorized access by using a small number of commonly used passwords against multiple accounts.
● Brute Force → Attempting to guess passwords by systematically trying all possible combinations until the correct one is found.
🟠 Indicators
● Indications or signs of potential security incidents, breaches, or abnormal activities within a system or network.
● Account lockout.
● Concurrent session usage.
● Blocked content.
● Impossible travel.
● Resource consumption.
● Resource inaccessibility.
● Out-of-cycle logging.
● Published/documented.
● Missing logs.
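Several of the indicators listed above (impossible travel, concurrent session usage, account lockout) and the password-spraying pattern from the Password Attacks section, turned into detection logic over a constructed authentication log. This is an added example, not material from the study guide; the log format, the geolocation table, the 900 km/h speed limit, the 30-minute session window and the three-account spraying threshold are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation table (source IP -> lat, lon). Production code would
# query a geo-IP database; addresses here are from documentation ranges.
GEO = {
    "203.0.113.10": (40.71, -74.01),   # New York
    "192.0.2.55": (40.72, -74.00),     # New York, a second address
    "198.51.100.7": (51.51, -0.13),    # London
}

# Constructed authentication log: "<ISO timestamp> <user> <source ip> <result>".
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice 203.0.113.10 success
2024-05-01T09:20:00 alice 198.51.100.7 success
2024-05-01T09:21:00 bob 192.0.2.55 success
2024-05-01T09:22:00 bob 203.0.113.10 success
2024-05-01T10:00:00 carol 198.51.100.7 failure
2024-05-01T10:00:05 dave 198.51.100.7 failure
2024-05-01T10:00:10 erin 198.51.100.7 failure
2024-05-01T10:00:15 frank 198.51.100.7 failure
2024-05-01T10:01:00 grace 203.0.113.10 failure
2024-05-01T10:01:30 grace 203.0.113.10 failure
2024-05-01T10:02:00 grace 203.0.113.10 failure
2024-05-01T10:02:30 grace 203.0.113.10 lockout
"""


def parse_log(text):
    """One (timestamp, user, ip, result) tuple per line, in time order."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900):
    """Users with consecutive successful logins whose implied ground speed
    exceeds max_kmh (assumed threshold, roughly airliner speed)."""
    last = {}
    flagged = set()
    for ts, user, ip, result in events:
        if result != "success" or ip not in GEO:
            continue
        if user in last:
            prev_ts, prev_ip = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours > 0 and haversine_km(GEO[prev_ip], GEO[ip]) / hours > max_kmh:
                flagged.add(user)
        last[user] = (ts, ip)
    return sorted(flagged)


def concurrent_sessions(events, window_min=30):
    """Users who log in successfully from two different addresses within
    window_min minutes. The log has no logout events, so sessions that close
    together are assumed to overlap (the window is an assumption)."""
    logins = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "success":
            logins[user].append((ts, ip))
    flagged = set()
    for user, entries in logins.items():
        for (prev_ts, prev_ip), (ts, ip) in zip(entries, entries[1:]):
            if ip != prev_ip and (ts - prev_ts).total_seconds() <= window_min * 60:
                flagged.add(user)
    return sorted(flagged)


def lockouts(events):
    """Accounts the log records as locked out."""
    return sorted({user for _, user, _, result in events if result == "lockout"})


def spraying_sources(events, min_accounts=3):
    """Source addresses that failed against at least min_accounts distinct
    accounts: the few-passwords-many-accounts shape of a password spray."""
    targets = defaultdict(set)
    for _, user, ip, result in events:
        if result == "failure":
            targets[ip].add(user)
    return sorted(ip for ip, users in targets.items() if len(users) >= min_accounts)


def analyze(text=SAMPLE_LOG):
    events = parse_log(text)
    return {
        "impossible_travel": impossible_travel(events),
        "concurrent_sessions": concurrent_sessions(events),
        "lockouts": lockouts(events),
        "spraying_sources": spraying_sources(events),
    }


if __name__ == "__main__":
    for indicator, hits in analyze().items():
        print(f"{indicator}: {hits}")
```

On the constructed log, alice trips impossible travel (New York to London in twenty minutes), alice and bob trip concurrent sessions, grace is the locked-out account, and 198.51.100.7 is flagged as a spraying source because it failed against four different accounts while grace's repeated failures from one address are the brute-force shape instead. Each detector reads the same parsed events, which is how such indicators are normally correlated in a SIEM rather than judged one at a time.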
2.5 Explain the purpose of mitigation techniques used to secure the enterprise
🟠 Segmentation
● Involves dividing a network or system into smaller, isolated segments to enhance security by controlling access and limiting the impact of security incidents.
🟠 Access Control
● Access Control List (ACL) → List of permissions attached to an object that specifies which users or system processes are granted access to it and what operations they are allowed to perform.
● Permissions → Rights granted to users, groups, or processes that define their access levels to system resources.
● Application Allow List → A list of approved applications that are allowed to execute within an environment, reducing the risk of unauthorized or malicious software.
🟠 Isolation
● Separating critical systems or sensitive data from other parts of the network or environment to contain potential threats and limit their impact.
🟠 Patching
● Regularly applying software updates, patches, or fixes to address known vulnerabilities and improve system security.
🟠 Encryption
● Converting data into a secure form to prevent unauthorized access, especially during transmission or while stored on a device or server.
🟠 Monitoring
● Continuous surveillance of systems, networks, or applications to detect and respond to security threats or suspicious activities.
🟠 Least Privilege
● Principle of restricting access rights for users, accounts, or processes to only those necessary to perform their job functions.
🟠 Configuration Enforcement
● Ensuring that system configurations comply with security policies, standards, or best practices to minimize vulnerabilities.
🟠 Decommissioning
● Process of securely removing or shutting down systems, applications, or services that are no longer needed to prevent them from being exploited.
🟠 Hardening Techniques
● Methods to enhance the security of systems or networks by reducing their attack surface and minimizing potential vulnerabilities.
● Encryption → Protecting data by encoding it in a secure format.
● Installation of Endpoint Protection → Deploying security software on endpoints to detect and prevent malware infections.
● Host-based Firewall → Software-based firewall installed on individual hosts to control incoming and outgoing network traffic.
● Host-based Intrusion Prevention System (HIPS) → Security software that monitors and analyzes host system activities to detect and prevent intrusions.
● Disabling Ports/Protocols → Closing unused network ports or disabling unnecessary network protocols to reduce potential entry points for attackers.
● Default Password Changes → Replacing default passwords with strong, unique passwords to prevent unauthorized access.
● Removal of Unnecessary Software → Removing or disabling unnecessary software or services to minimize the attack surface and reduce potential vulnerabilities.