Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA Security SY0-601 Exam: Basics of Threat Actors, Vectors, and Intelligence Sources
Source: https://www.fatskills.com/comptia-security-certification/chapter/comptia-security-sy0-601-exam-basics-of-threat-actors-vectors-and-intelligence-sources

CompTIA Security SY0-601 Exam: Basics of Threat Actors, Vectors, and Intelligence Sources

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~20 min read

Objective: Explain different threat actors, vectors, and intelligence sources.

Topics:
- advanced persistent threat (APT)
- threat actor
- threat vector
- threat actor attribute
- threat intelligence source
- open-source intelligence (OSINT)
- dark web
- indicator of compromise (IOC)
- automated indicator sharing (AIS)
- Structured Threat Information eXpression (STIX)
- Trusted Automated eXchange of Indicator Information (TAXII)

When examining attacks, threats, and vulnerabilities, understanding threat actors is important. Specifically, a threat actor is an individual, a group, or an entity that contributes to an incident—or, more simply, a person or an entity that executes a given threat. This is not a difficult concept, but it is often overlooked, particularly when deciding how to balance an organization’s security against its capabilities. For example, the security mechanisms that protect your personal vehicle differ significantly from those that guard an armored truck. You might lock your doors when you leave your car, but of course, someone could still quite easily break in to it. The threat to your car likely comes from a casual passerby looking for spare change or belongings you have left behind. The armored truck, on the other hand, faces a different kind of threat actor because it transports valuables and large sums of money.
This guide discusses the types of threat actors and their common attributes, as well as threat intelligence sources and other research sources. Understanding these components enables organizations to make better decisions regarding risk and manage their vulnerabilities. You should be able to explain these threat actors, threat vectors, and information sources.

Threat Actor Attributes
When examining various threat actors, you must consider their attributes. Organizations that do so can build better threat profiles and classification systems to deploy more relevant and proactive defenses. Common threat actor attributes include the following:
- Relationship: Threats can be internal or external to an organization, and they might even come from a partner.
- Motive: Some incidents are accidental, but others are driven by financial gain or ideological differences.
- Intent: A threat could be malicious, with the aim to destroy data or steal information or tangible property.
- Capability: Several components must be considered here, including technical ability, financial means, access, political and social support, and persistence.

The relationship of a threat actor is most easily characterized as either internal or external. Script kiddies, hacktivists, organized crime, and nation-state actors are all examples of external threat actors. Internal threat actors work on the inside; for example, they might be system administrators or end users.
When examining threat actor capability, you must consider the level of sophistication and both the available resources and funds. For example, some threat actors operate as businesses, with well-established roles, responsibilities, and governance. Their capabilities are often enhanced by their technical resources and access to money for funding operations.

Note
When considering threat types and attributes, you might find it helpful to think about common personal situations. For example, consider your reasons for locking your personal belongings in a vehicle. What threat actors are you mitigating against? What are their attributes? How does a casual passerby differ from someone who has the tools and knowledge of a locksmith?

With insiders and end users there may not be a motive or any intention of causing harm. While this is a threat to be concerned with, the actions are often accidental. Other times, threat actors have a specific malicious or competitive intent. Of course, motives can vary in these cases. Consider a competitive threat. The motive could be a desire to gain a competitive advantage through espionage or malicious destruction to the business. Financial gain is another common motive that can include directly extorting money from victims through ransomware or stealing data to sell in a criminal ecosystem for subsequent attacks. Threat actors also can be driven by ideological and political motives.
Assessing threat actors begins with identifying their relationship to the organization—internal or external.

Threat Actor Types
Depending on the particular threat, a threat actor can be an individual, a group, or an entity that acts to perpetrate a particular scenario. The following sections look at the most common threat actors:

- Script kiddies
- Insiders
- Hacktivists
- Criminal syndicates
- Competitors
- Nation-state actors

Notice that these threat actor types relate to threats from humans, not the environment. For example, the threat of a flood in a data center might stem from an impending hurricane, not from a particular individual or entity.

Generally speaking, throughout the media, threat actors are called hackers. The term hacker, however, can also be used for someone who isn’t inherently bad or doesn’t have malicious intent. Fundamentally, a security hacker is someone who uses his or her knowledge of and skills with computer system hardware, software, networks, and systems to break them down, tamper, or gain unauthorized access. Hackers may be unauthorized, authorized or semi-authorized. In the security industry, the color of the hat worn is a metaphor used in the past to traditionaly describe the type of hacker:
- Black hat (unathorized): This category is used to describe hackers involved with criminal activities or malicious intent. Black hat hackers may have a wide range of skills.
- White hat (authorized): White hat hackers, also known as ethical hackers, use their powers for good. They are much like the Jedi Knights from Star Wars, fighting the dark side. White hat hackers are often hired as penetration testers with permission to “attack” or test system security.
- Gray hat (semi-authorized): Gray naturally falls somewhere in the middle of black and white. These hackers can be a complicated group to positively identify, but generally they don’t have malicious intent, although they often run afoul of ethical standards and principles. Often, they don’t have permissions to attack a system but stop after discovering a vulnerability and try not to exploit it.
As you review the threat actors in the following sections, keep in mind that organizations need to consider how these different actors could be interrelated. For example, a terrorist group works much like hacktivists: The terrorists are driven by ideology, and hacktivists operate within the framework of organized crime. Or those involved in organized crime might exploit script kiddies within their ecosystem to distance themselves while achieving specific goals. Similarly, some nation-states might have close ties to organized crime. Finally, keep in mind that any of these threat actors can be further enabled through the compromise of an insider.

Script Kiddies
Script kiddies do not have to possess great talent. Even with few skills, they can run exploits that others have developed. Usually script kiddies cannot write sophisticated code; they might not even know how to program. Still, script kiddies can undoubtedly have a huge negative impact on an organization. What makes them particularly dangerous is that they are often unaware themselves of the potential consequences of their actions. Of course, because they lack sophisticated skill, script kiddies often cannot adequately cover their tracks. Tracing their attacks is thus easier than tracing the attacks of more sophisticated threat actors.
Script kiddies might lack sophistication and financial means, but they are empowered by the number of readily available exploits and information available to them. They are often associated with website defacement attacks, but they have also been known to use DoS attacks to take down websites and even to plant Trojans and remote access tools within an organization.

Insiders
Attacks are often assumed to come from malicious outside hackers, but insider threats lead to many breaches. In many cases, insiders are employees who have the right intentions but either are unaware of an organization’s security policy or simply ignore it. A common example is a well-intentioned employee who uses a personal web-based email account to send home sensitive files to work on later in the evening. In doing so, the employee sends these sensitive files in unencrypted form outside the organizational network. In another common scenario, a user brings in a USB thumb drive that has—unbeknownst to the user—been infected with malware. Proper training and education are key to preventing such nonmalicious insider threats.
Deliberate malicious insider threats also can be attack sources. These threats are typically motivated by financial gain, sabotage, and theft to gain competitive advantage. Consider the case of ex-National Security Agency (NSA) contractor Edward Snowden. Formerly an insider, Snowden circulated various documents and secrets about the NSA’s surveillance program. Protecting against malicious insiders is a daunting and difficult task, but organizations must have policies in place to help identify risky personnel (for example, employees who have been terminated). Perhaps most importantly, organizations need mechanisms for proactively monitoring network and system activities.

Insider threat actors can be malicious, as in the case of a disgruntled employee, or simply careless.

Hacktivists
Hacktivism can have a positive or negative connotation, just as the word hack does, depending on how it is used. In the case of threat actors, hacktivism involves using digital tools for malicious intent, based on political, social, or ideological reasoning. Hacktivists often are perceived as doing good because of their motives. For example, in early 2017, the group Anonymous took down thousands of sites related to child porn. This might be seen as a form of vigilantism, or at least a way of targeting illegal activity. On the other hand, an animal-rights hacktivist group could target an organization that launches a perfectly legal line of fur coats.

Criminal Syndicates
Criminal syndicates and organized crime tend to follow the money, so it should come as no surprise that organized crime is involved in networking systems today. The U.S. Organized Crime Control Act of 1970 states that organized crime “is a highly sophisticated, diversified, and widespread activity that annually drains billions of dollars from America’s economy by unlawful conduct and the illegal use of force, fraud, and corruption.” Clearly, this threat actor is sophisticated and has adequate financial means. In fact, organized crime itself has established its own complete economy, including a system within the underworld that affects information security. The Organized Crime Control Act identifies that funding comes from such illegal activities as gambling, loan sharking, property theft, distribution of drugs, and other forms of social exploitation. Organized criminals have simply adapted to become organized cybercriminals.
The challenges of defeating organized crime are the same today as they have been for decades, particularly given the vast resources and ecosystem involved. Consider a street-level drug dealer, part of the criminal ecosystem yet with no real connection to the organized crime network. More relevant are money mules, who are often recruited online and tasked with helping to either knowingly or unknowingly launder money.

Competitors
Competitors are generally expected to compete fairly and legally, but they do not always do so. Anticompetitive practices and industrial espionage are not new. However, the rise of the Internet and interconnected networking systems has given malicious competition a new channel of opportunity. For example, a competitor might seek to launch a DoS attack that keeps an organization from conducting business and potentially drives business to the competitor because of the downtime. Often, however, competitive threat actors are looking for information to gain an edge or even to pilfer trade secrets and other intellectual property.

State Actors
A state actor is arguably the most sophisticated threat actor with the most resources.
Nation-state threat actors are government sponsored, although those ties might not always be acknowledged. This threat actor is not necessarily relevant only to government organizations: Foreign companies are often targets as well. For example, corporations might possess intellectual property that another foreign entity can use to advance its goals and objectives. This type of threat actor is also patient and targets a wide attack surface that might include partner and even customer organizations. In 2011, RSA Security, a provider of two-factor authentication tokens, was hacked. Circumstances indicated that the attack was likely targeting at least one of the company’s large customers, defense contractor Lockheed Martin. Naturally, a foreign nation could gain valuable resources and intellectual property from such a contractor.
State actor attacks have become more prevalent in recent years. Stuxnet, discovered in 2010, highlighted the sophistication and threat of nation-state attacks. This costly and highly sophisticated computer worm (see “Social Engineering Techniques”) is believed to be a cyberweapon that the United States and Israel allegedly developed to intentionally cause damage to Iran’s nuclear facilities.
Advanced persistent threats (APTs) are often associated with nation-state threat actors. The name alone suggests sophistication. These certainly are not “smash and grab” attacks; rather, they are generally described as “low and slow.” The goal of an APT is usually to infiltrate a network and remain inside, undetected. Such access often provides a more strategic target or defined objective, including the capability to exfiltrate information over a long period of time.
The assets or goals of an organization relate to and influence the threat actor types that present the most significant risk.

Vectors
Now that you understand the different types of threat actors, you need to be familiar with the path they take to execute attacks. These paths are known as attack vectors, and understanding them is important to doing proper risk analysis and to better understanding countermeasures that may be required for defense. The following are attack vectors that hackers commonly use in order to uncover vulnerabilities and try to exploit systems:
- Direct access
- Wireless
- Removable media
- Cloud
- Email
- Improper usage
- Equipment damage, loss, or theft
- Supply chain

As you become familiar with these vectors, think about each one and how an attacker could use it to try to attack systems. A great exercise is to think about your own personal circumstances. Many households today have multiple devices connected to the Internet.

Who has physical access to your systems? Do you have wireless home networking that extends outside the house or perhaps Bluetooth- or NFC-enabled devices? Have you borrowed removable media such as jump drives that you plug into your systems? What online applications and services do you use (for example, file conversion, file storage, collaboration, video conferencing)? How many phishing attempts do you get in your personal email (or your junk-mail folder)? Do you have young children or other family members who are not very computer savvy or do not understand the risks? What if your home succumbed to flooding, fire, or a burglary?

Finally, even the supply chain attack vector can be applied to these examples. Consider the wireless access point, video camera, or smart assistant–enabled device you purchased online. Anyone from the manufacturer to the online store from which you purchased it to the mail carrier and anyone in between in theory has had opportunity to compromise that system before it arrived in your hands.
The criticality of these vectors varies. If you live alone, for example, perhaps you won’t be so concerned about improper usage. If you have no reason to believe you are under government surveillance, perhaps the supply-chain vector doesn’t concern you.  Many factors must be considered together. For example, perhaps the impact of an attack would be minor if you are only protecting a collection of humorous memes; on the other hand, if you had worked hard on a book manuscript, you might be more concerned about protecting your assets.

Threat Intelligence and Research Sources
Organizations today increasingly rely on threat intelligence data. This valuable data can be fed into systems and models to help organizations understand their overall risk. Further, this data is core to modern organizational security operations centers (SOCs). The data is used both for preventive and response measures.
This section explores a number of sources of threat intelligence, many of which are open and available to the public. This section provides a number of links for you to explorer further. Open-source intelligence (OSINT) is the term used for such information that is available for collection from publicly available information sources. On the other hand, some threat intelligence and research sources are closed-source, or proprietary; typically organizations can subscribe to these commercial solutions for a cost. Often this threat intelligence encompasses the security solutions provided by the commercial entity. Symantec, for example, offers one of the world’s largest civilian threat intelligence networks. The intelligence includes telemetry data from billions of devices and sensors around the world.

Sharing Centers
Some organization, as they uncover threats—perhaps even realized against their own environments—choose not to share the data they’ve collected. However, the sharing of threat intelligence has increased over the years. This has been evident particularly across public and private commercial sectors, where governments, universities, health care, and commercial companies have collaborated together to share threat intelligence especially around specific types of threats. For example, protecting critical infrastructure is important to governments, and commercial organizations often manufacture, provide, and run much of the infrastructure. Such collaborations require public/private information sharing, and sharing centers have sprung up.
The U.S. government’s Information Sharing and Analysis Organizations (ISAOs) was an initiative to promote threat information sharing across different industry sectors. Prior to that, Information Sharing and Analysis Centers (ISACs) were established to promote industry-specific sharing of threat intelligence. The first ISAC established was meant to enable private and public groups involved in critical infrastructure to share best practices and threat intelligence. Today, the National Council of ISACs has more than 20 member ISACs in multiple industries, such as automotive, aviation, elections infrastructure, and real estate.

Open-Source Intelligence
Recall that open-source intelligence (OSINT) is the term given to information available for collection from publicly available information sources. OSINT is available from varying sources and, of course, the Internet provides a treasure trove of such information. While OSINT provides a valuable resource to help identify and understand threats and how vulnerabilities are being exploited, it can also be used for malicious purposes. Attackers may use OSINT to advance their attacks as well as identify and explore their targets.
A number of popular OSINT sources are used to collect data through the use of threat intelligence platforms, which aggregate and correlate data from across various feeds. Predictive analysis can be used to combine this data with machine learning and statistical techniques to identify patterns to make predictions. OSINT sources can also be used ad hoc, without a platform or further active intelligence.

The following are some of the most common OSINT sources:
- Vulnerability databases:
These databases provide data for publicly known vulnerabilities known as common vulnerabilities and exposures (CVEs). The following are three examples of databases that provide such information:
- MITRE: https://cve.mitre.org
- CVE Details: https://cvedetails.com
- VulnDB: https://vulndb.cyberriskanalytics.com

- Adversary Tactics, Techniques, and Procedures (TTP): MITRE ATT&CK provides attack methods and activities associated with specific threat actors; its huge knowledge base is based upon real-world observations. See https://attack.mitre.org.
- Dark web: The dark web can’t be accessed the same way as regular websites but requires the use of special software that provides secure communications. Yes, this is often where attackers live and where operations of questionable legal status occur. Anyone can access the dark web, though, and many third parties provide dark web monitoring and intelligence services for a cost.
- Indicators of compromise (IOC): Indicators of compromise (IOCs) provide evidence or components that point to security breaches or events. IOCs can include items such as malware signatures, IP addresses, domain names, and file hash values, for example.

- Automated indicator sharing (AIS): Automated indicator sharing (AIS) is an initiative of the U.S. Department of Homeland Security (DHS) that enables the exchange of cybersecurity threat indicators. AIS uses two important standards:
- Structured Threat Information eXpression (STIX): Structured Threat Information eXpression (STIX) is a standardized and structured language that represents threat information in a flexible, automatable, and easy-to-use manner.
- Trusted Automated eXchange of Indicator Information (TAXII): Trusted Automated eXchange of Indicator Information (TAXII) is a specification for machine-to-machine communication that enables organizations to share security information with others as desired.
- Threat maps: Many threat maps are freely available from commercial software vendors. These maps provide a real-time look at cyberattacks occurring around the globe. The Kaspersky cyberthreat map provides an amazing visual look at different attacks, including reconnaissance, malware attacks, intrusions, and botnet activity. To take a look, see https://cybermap.kaspersky.com. Figure 5.1 shows an example of the information this site provides.


An example of an interactive threat map

- File/code repositories: Software developers are increasingly using online code repositories (repos) such as GitHub for the private management of code or for collaboration with other developers regardless of location and to share code. Many of these repositories are publicly available. These repos provide opportunities to obtain not just open-source code but code specific to threat research and information gathering.

Be familiar with these OSINT sources. Specifically, you need to know the acronyms TTP, IOC, and AIS, as they tie into other security processes and solutions.

Other publicly accessible sources that are particularly useful for further research include the following:
- Television
- Newspapers and magazines
- Professional publications
- Academic publications
- Photos
- Geospatial information
- Vendor websites
- Conferences
- Requests for comments (RFCs)
- Social media

In addition, certain tools and applications aggregate OSINT data or provide specific utilities for extracting it. Many resources are also readily available online. As a simple example, consider personal and professional social media web applications. An attacker can easily do reconnaissance and gather information on employees in an organization from these easily available online sites.
Despite the fact that threat actors use OSINT to discover data that helps them more easily attack a target, OSINT remains a valuable resource for organizations to defend against such attacks and also to identify and prioritize potential threat actors.
Understanding threat actors’ motives, capabilities, and possible actions is particularly valuable. Organizations launching a new product, sponsoring an event, or penetrating a new foreign market, for example, can use OSINT to mitigate risk by identifying potentially new threat actors and associated attributes. Without prioritizing the threats, organizations run the risk of suffering one of the main drawbacks of OSINT: information overload.
Do not confuse open-source intelligence with open-source software. OSINT refers to overtly gathered intelligence.

Quiz:
1. How do relationship and capability pertain to understanding specific threat actors? A. They indicate the likelihood of vulnerabilities being discovered. B. They are characteristics associated with building a threat profile. C. They describe attributes that apply equally to all threats. D. They are the two most important attributes when analyzing threat actors.
2. With which of the following is a “low and slow” attack most associated? A. APT B. Ransomware C. OSINT D. Script kiddies
3. Which one of the following best describes an ISAC? A. A private information security database for attack countermeasures B. A standardized language for the exchange of cybersecurity threat indicators C. A center or group that promotes threat information sharing within a specific sector D. A specification for machine-to-machine communications to share security information
4. Which threat actor is considered the most sophisticated and has the most resources? A. Unathorized hacker B. Authorized hacker C. Semi-authorized hacker D. State actor
5. You are analyzing pieces of forensic data found in log entries to identify malicious activities. Which of the following is a collection of evidence or components that points to a security breach or event? A. Indicators of compromise B. Automatic indicator sharing C. Requests for comments D. Adversary tactics, techniques, and procedures


Answer 1: B. Relationship and capability are characteristics that can be attributed to threat actors. Other common attributes are motive and intent. Answer A is incorrect because these do not pertain to the discovery of vulnerabilities. Answer C is incorrect because attributes vary, depending on the specific threat actor. Answer D is incorrect because threat actors and overall risk are unique to each organization.
Answer 2: A. An advanced persistent threat (APT) is a “low and slow” style of attack executed to infiltrate a network and remain inside while going undetected. Answer B is incorrect because ransomware is obvious and sends a clear message to the end user in an attempt to extort compensation from the victim. Answer C is incorrect. OSINT stands for open-source intelligence, which is the term given to information available for collection from publicly available sources. Answer D is incorrect because script kiddies, unlike APTs, are usually not sophisticated in their methods and are usually easily detected.
Answer 3: C. Information Sharing and Analysis Centers (ISACs) promote industry-specific sharing of threat intelligence. Answer A is incorrect. Answer B is also incorrect as it describes Structured Threat Information eXpression (STIX). Answer D is incorrect as this describes Trusted Automated eXchange of Indicator Information (TAXII).
Answer 4: D. A state actor is arguably the most sophisticated threat actor with the most resources. Answers A, B, and C are incorrect. Unathorized hacker (black hat) describes malicious hackers who may be involved with criminal activities and have a wide range of skill. An authorized hacker (white hat), also known as an ethical hacker, uses his or her powers for good. A semi-authorized hacker (gray hat) falls somewhere in the middle of unathorized and authorized hackers; they don’t typically have malicious intent but often run afoul of ethical standards and principles.
Answer 5: A. The best answer here is indicators of compromise (IOC), which provide evidence or components that point to a security breach or event. IOCs can include items such as malware signatures, IP addresses, domain names, and file hash values. Answer B is incorrect. Automated indicator sharing (AIS) is an initiative from the U.S. DHS that enables the exchange of cybersecurity threat indicators. Answer C is incorrect. A request for comments (RFC) is a type of document that describes behaviors, methods, research, or innovations that have to do with technologies and the working of the Internet and systems connected to the Internet. Answer D in incorrect. Adversary tactics, techniques, and procedures (TTP) provide attack methods and activities associated with specific threat actors.



ADVERTISEMENT