SWS2 Threat Landscape

Threat Landscape

  • collection of threats
  • threat actors
  • observed trends

tracking the threat landscape

  • know the threat agents and their capabilities
  • know the weapons and tactics in use
  • know existing threats
  • know most relevant threats
  • know emerging threats and actors

Why?

  • know your enemy - prepare for current and emerging threats
  • provides motivation for investments in security controls

Definition by ENISA [1]

The ENISA Threat Landscape provides an overview of threats, together with current and emerging trends. It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends.

Important Elements

Threat Actors

  • State Actors, cyber criminals, insiders
  • Attributes
    • Motivation (financial, ideological, …)
    • Skill and resources (low, medium, high)
    • Organization (individual, collective, …)
    • Tactics

Threats

  • Threat type and description (ransomware, phishing, insider threat, …)
  • Targeted Assets (users in home office, websites of online Casinos, CISOs, …)
  • Attack Vectors
    • What are procedures/tools/methods used?
    • Often split into different phases (Cyber Kill Chain)

Threat Actors

Nation States

  • Main targets: state/military secrets, threatening critical infrastructure (water, electricity, …)
  • almost unlimited resources
  • long-term, novel and highly sophisticated attacks
  • use Advanced Persistent Threats (APTs)
  • supply chain attacks
  • zero-day vulnerability research and usage
  • hack-and-leak (information warfare / influencing public opinion)
  • compromise industrial control systems (e.g. Stuxnet)

Cybercrime Actor (Hacker for Hire)

  • vulnerability research
  • exploitation
  • malware development
  • technical command and control (C&C) platforms
  • operation management
  • training and support
  • offer:
    • Access-as-a-Service
    • Ransomware-as-a-Service
    • Phishing-as-a-Service
  • Clients are often governments (plausible deniability), but not always
  • Cyber espionage

Hacktivist

  • individuals or loosely organized groups (e.g. WikiLeaks, Anonymous, etc.)
  • often ideologically motivated
  • Activity is hard to predict, as it is often driven by (local, political) events
  • use illegal tactics
  • DDoS attacks
  • Defacements - modifying the look of websites
  • Leak stolen sensitive data
  • movements in the domain of environmental protection, anti-war, anti-discrimination

Script Kiddies

  • use someone else's code/tools without understanding much of it
  • might still cause quite a bit of damage
  • *-as-a-Service might make them more effective

Insider Actor

  • Challenge: they have legitimate access to systems and know the protections in place
  • Important to identify unhappy employees
  • spot knowledge gaps (prevent phishing attacks, viruses, etc.)
  • monitor unusual activities and limit access
  • unintentional threats (e.g. lax handling of security procedures)
  • intentional threats (e.g. stealing or leaking sensitive information)

Cyber Terrorist

  • disruption attacks to cause panic
  • no significant attacks so far
  • might become a bigger issue in the future
  • no commonly accepted definition
  • line between hacktivist and cyber terrorist depends on perspective

knowing threats

Knowing the threats is the basis for drawing a roadmap of security aspects that need to be addressed in the future

  • CEO/CIO etc.: are there developments that change the risks relevant to the business?
  • CISO:
    • Focus of security trainings / awareness trainings?
    • New security controls needed?
    • Need to modify existing security controls?
  • Security operations expert:
    • Need to modify existing security controls?
    • Need to search for new patterns and evidence?
    • What are indicators of a threat/attack vector?

Threat Taxonomy

  • Classification of threat types at various levels of detail
  • not one but many taxonomy proposals:
    • Open Threat Taxonomy
    • ENISA Threat Taxonomy
    • NIST Threat Taxonomy
    • Taxonomy of Operational Cyber Security Risks
    • The Cambridge Risk Framework
  • all have their pros and cons

Threat Reports

Threat reports are published once or several times a year. They support strategic and tactical decisions.

  • ENISA Threat Landscape Report
  • Fortinet Threat Landscape Report
  • Bitdefender Threat Debrief
  • Proofpoint Threat Report
  • McAfee Enterprise Advanced Threat Research

Short Term information

  • News articles (Heise Security, DarkReading, KrebsOnSecurity, …)
  • Security mailing lists, mailing lists of vendors building security hardware and software
  • Threat intelligence service providers
    • advisories from Computer Emergency Response Teams (CERTs)
    • threat information feeds from the Open Threat Exchange (OTX) platform
  • Web pages with real-time information (e.g. McAfee MVISION Insights)
  • Threat Intelligence Platforms
    • Machine-readable information (rule updates for IDS/IPS)
    • Aggregation and correlation of threat data from threat intelligence service providers
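
What a Threat Intelligence Platform does with the feeds listed above, as an added example (not code from these notes or from any of the named products): two constructed indicator feeds are normalized so the same indicator from two providers collides, their confidences are combined, high-confidence network indicators are rendered as machine-readable Suricata rules, and the merged set is correlated against constructed proxy log lines. The feed shape, the provider names, the sid range and the log format are assumptions.

```python
"""Aggregate indicators from two constructed threat feeds, correlate them, and emit
machine-readable IDS rules plus log matches.  Example added for these notes; the feed
shape, provider names, sid range and log format are assumptions, not a real vendor API."""
import ipaddress
from collections import defaultdict

# Constructed sample feeds (simplified, STIX-like: one dict per indicator).
FEED_A = [
    {"type": "ipv4", "value": "203.0.113.10", "threat": "C2 beacon", "confidence": 60},
    {"type": "domain", "value": "update-check.example", "threat": "phishing", "confidence": 50},
    {"type": "sha256", "value": "A" * 64, "threat": "ransomware dropper", "confidence": 90},
]
FEED_B = [
    {"type": "ipv4", "value": "203.0.113.10", "threat": "c2", "confidence": 70},
    {"type": "domain", "value": "UPDATE-CHECK.example.", "threat": "phishing", "confidence": 80},
    {"type": "ipv4", "value": "198.51.100.0/24", "threat": "scanner", "confidence": 40},
]

# Constructed proxy log lines: "<timestamp> <client> <dst_ip> <host>"
LOGS = [
    "2024-03-01T10:00:01Z 10.0.0.5 203.0.113.10 update-check.example.",
    "2024-03-01T10:00:07Z 10.0.0.9 198.51.100.77 cdn.example",
    "2024-03-01T10:01:00Z 10.0.0.5 93.184.216.34 www.example.com",
]


def normalize(ind):
    """Canonical (type, value) key so the same indicator from two providers collides."""
    value = ind["value"].strip()
    if ind["type"] == "domain":
        value = value.lower().rstrip(".")   # case-insensitive, drop trailing root dot
    elif ind["type"] == "sha256":
        value = value.lower()
    return ind["type"], value


def aggregate(*feeds):
    """Merge (provider_name, feed) pairs.  Confidences from independent providers are
    combined as 1 - prod(1 - c_i), so corroborated indicators rank higher."""
    merged = defaultdict(lambda: {"sources": set(), "threats": set(), "confidence": 0.0})
    for provider, feed in feeds:
        for ind in feed:
            entry = merged[normalize(ind)]
            entry["sources"].add(provider)
            entry["threats"].add(ind["threat"].lower())
            entry["confidence"] = 1 - (1 - entry["confidence"]) * (1 - ind["confidence"] / 100)
    return dict(merged)


def to_suricata(merged, sid_base=9000000, min_confidence=0.75):
    """Render high-confidence network indicators as Suricata rules (sid range assumed).
    File hashes are skipped: they belong in EDR/SIEM rules, not the network IDS."""
    rules, sid = [], sid_base
    for (typ, value), entry in sorted(merged.items()):
        if entry["confidence"] < min_confidence:
            continue
        src = ",".join(sorted(entry["sources"]))
        if typ == "ipv4":
            rules.append(f'alert ip $HOME_NET any -> {value} any '
                         f'(msg:"TI match {value} [{src}]"; sid:{sid}; rev:1;)')
        elif typ == "domain":
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"TI domain {value} [{src}]"; '
                         f'dns.query; content:"{value}"; nocase; sid:{sid}; rev:1;)')
        else:
            continue
        sid += 1
    return rules


def match_logs(merged, log_lines):
    """Correlate proxy log lines with the merged indicator set; CIDR indicators match ranges."""
    nets = [(ipaddress.ip_network(v), e) for (t, v), e in merged.items() if t == "ipv4"]
    domains = {v: e for (t, v), e in merged.items() if t == "domain"}
    hits = []
    for line in log_lines:
        ts, client, dst_ip, host = line.split()
        host = host.lower().rstrip(".")
        ip = ipaddress.ip_address(dst_ip)
        for net, entry in nets:
            if ip in net:
                hits.append((ts, client, f"ip:{net}", round(entry["confidence"], 2)))
        if host in domains:
            hits.append((ts, client, f"domain:{host}", round(domains[host]["confidence"], 2)))
    return hits


if __name__ == "__main__":
    merged = aggregate(("providerA", FEED_A), ("providerB", FEED_B))
    for rule in to_suricata(merged):
        print(rule)
    for hit in match_logs(merged, LOGS):
        print(hit)
```

The confidence threshold is the practical knob: an indicator reported by one low-confidence source (the /24 scanner range here) is kept for log correlation but is not pushed to the IDS, where a false positive would cost analyst time.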

Advanced Persistent Threat (APT)

  • Advanced: use of advanced technologies and techniques
    • Penetrate existing defences
    • Operators develop more advanced tools if required
    • Multiple targeting methods, tools, and techniques to reach a target and maintain access to it
  • Persistent
    • Maintain long-term access
    • Keep trying until the target is breached; wait for a suitable vulnerability to perform lateral movement
    • Hides from detection until it attains its objective
  • Threat
    • Coordinated human actions, not mindless and automated pieces of code
    • Operators have a specific objective, are skilled, motivated, organized and well-funded

The definition of an APT varies. Often people actually talk about Advanced Targeted Attacks (ATA).

On average an APT stays undetected for 243 days after the initial breach (the median dwell time Mandiant reported for 2012 in its M-Trends report).

Cyber Kill Chain

Preparation and execution of a typical attack follow the Cyber Kill Chain

  • developed by Lockheed Martin
  • The model identifies what adversaries must complete in order to achieve their objective
  • Intrusion-centric - does not easily fit all types of attacks
  • The attack is only successful if all steps are successful
  • Defenders can try to disrupt the chain at any step
  • It is a tool to think about suitable defensive measures for the different steps/stages of an attack

Steps

  1. Reconnaissance
    Gather information on the target
  2. Weaponization
    Combine an exploit with a malicious payload into a deliverable (e.g. a document with a macro)
  3. Delivery
    Deliver the payload to the victim (email, USB stick, website, etc.)
  4. Exploitation
    Exploitation of a vulnerability to automatically execute the delivered payload
    (only relevant if an exploit is used)
  5. Installation
    Installation of malware (only relevant if malware is used)
  6. Command and Control
    • create a C&C channel to operate internal assets remotely
    • this step is fairly generic and applies not only when malware is installed
  7. Actions on Objectives
    • steps to achieve the actual goals inside the victim's network
    • this phase can take months and many individual steps to achieve the actual goal
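
The kill chain used as a defensive tool, as an added example (not code from these notes or from Lockheed Martin): a constructed intrusion timeline is mapped onto the seven phases with small detection rules, the observed phases are ordered along the chain, and the first observed phase is reported together with a control that would have cut the chain there, which stops every phase downstream. The event format, the regex rules, the control mapping and the timeline itself are assumptions; Weaponization deliberately has no rule, since it happens on the attacker's side and is normally invisible to the defender.

```python
"""Map a constructed intrusion timeline onto the Cyber Kill Chain phases and show where a
defender could have broken the chain.  Example added for these notes; the event format,
the detection rules, the control mapping and the timeline are assumptions, not real
telemetry or a product's detection logic."""
import re

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# (phase, regex over one event line).  Weaponization has no rule: it happens on the
# attacker's side and is normally not observable by the defender.
RULES = [
    ("Reconnaissance", r"portscan from|dns zone transfer|linkedin scrape"),
    ("Delivery", r"mail .*attachment=.*\.(docm|xlsm|iso|lnk)\b"),
    ("Exploitation", r"winword\.exe .*spawned (cmd|powershell)\.exe"),
    ("Installation", r"(registry run key|scheduled task) created"),
    ("Command and Control", r"beacon to .* every \d+s|dns txt query .*high entropy"),
    ("Actions on Objectives", r"(archive created|upload to) .*\d+ ?MB|lsass\.exe memory read"),
]

# Which control cuts the chain at a given phase (constructed mapping for this example).
CONTROLS = {
    "Reconnaissance": "rate-limit/alert on scans; minimise exposed services",
    "Delivery": "mail gateway: strip macro-enabled attachments and ISO/LNK files",
    "Exploitation": "block Office apps from spawning shells (ASR/EDR rule)",
    "Installation": "alert on new run keys and scheduled tasks; application allow-listing",
    "Command and Control": "egress filtering; beaconing detection on proxy logs",
    "Actions on Objectives": "DLP on large outbound transfers; credential-access alerts",
}

# Constructed timeline: "<timestamp> <sensor> <event text>"
TIMELINE = [
    "2024-02-10T09:12Z edge   portscan from 203.0.113.7 against 10.0.0.0/24",
    "2024-02-12T08:03Z mail   from=hr-portal@example.net to=alice attachment=Bonus_2024.docm",
    "2024-02-12T08:05Z edr    WINWORD.EXE (pid 4120) spawned powershell.exe -enc JABz...",
    "2024-02-12T08:05Z edr    registry run key created HKCU\\...\\Run\\OneDriveUpd",
    "2024-02-12T08:06Z proxy  beacon to 198.51.100.23:443 every 60s (jitter 10%)",
    "2024-03-01T02:40Z edr    archive created C:\\Users\\Public\\fin.7z 812MB",
    "2024-03-01T02:55Z proxy  upload to 198.51.100.23 812MB",
]


def classify(event):
    """Return the kill chain phase of one event line, or None if no rule matches."""
    for phase, pattern in RULES:
        if re.search(pattern, event, re.IGNORECASE):
            return phase
    return None


def analyse(timeline):
    """Order observed phases along the chain and report the first one a defender could
    have acted on (breaking the chain there stops everything downstream)."""
    first_event = {}
    for event in timeline:
        phase = classify(event)
        if phase and phase not in first_event:
            first_event[phase] = event
    ordered = [(p, first_event[p]) for p in PHASES if p in first_event]
    first = ordered[0][0] if ordered else None
    return {
        "phases": ordered,
        "first_observed": first,
        "suggested_control": CONTROLS.get(first),
        "objective_reached": "Actions on Objectives" in first_event,
    }


if __name__ == "__main__":
    result = analyse(TIMELINE)
    for phase, event in result["phases"]:
        print(f"{phase:22s} <- {event}")
    print("first observed:", result["first_observed"], "|", result["suggested_control"])
    print("objective reached:", result["objective_reached"])
```

Running it on the full timeline shows all six observable phases and a reached objective; running it on the first two events only (the situation after a mail gateway quarantines the macro document) shows the chain cut at Delivery with nothing downstream, which is the "disrupt at any step" argument in data rather than in words.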

Most relevant threats in recent years


  [1] ENISA (European Union Agency for Cybersecurity), formerly called the European Network and Information Security Agency