Chapter 19 Β· Flashcards

Threat Actors Flashcards

Click each card to reveal the answer.

0 / 16 flipped
What is the primary motivation of a nation-state threat actor?
Espionage, sabotage, and intellectual property theft β€” strategic national interests. NOT primarily financial. They want intelligence on military, diplomatic, and industrial targets. APT groups are patient, sophisticated, and operate with nation-state resources and near-unlimited time horizons.
What three words define an APT (Advanced Persistent Threat)?
Advanced: uses sophisticated, often custom tools and zero-day exploits β€” plus living-off-the-land techniques to evade detection. Persistent: maintains access for months or years, survives partial remediation. Threat: deliberate, targeted, goal-driven attack β€” not opportunistic internet scanning.
What motivates a hacktivist?
Political, ideological, or social causes β€” using cyberattacks as a form of protest or activism. NOT financial gain. Goals: disrupt visible operations (DDoS), embarrass organizations (data leaks), make a public statement (defacement). Targets chosen by ideology, not business value. Example: Anonymous (Operation Payback, Operation Tunisia).
What is organized crime's primary motivation in cyberattacks?
Financial gain. They run professionalized operations β€” ransomware-as-a-service with developers, testers, negotiators, and money launderers. Modern groups have full org charts. They avoid targets that would trigger aggressive government responses. Double extortion (encrypt AND threaten to publish) is standard practice.
What makes insider threats uniquely dangerous compared to external threats?
Insiders already have authorized access β€” they bypass perimeter security entirely. They know the systems, processes, and where valuable data lives. Traditional defenses (firewalls, IDS) don't flag authorized access as anomalous. Behavioral monitoring and least privilege are the key defenses β€” perimeter controls are irrelevant once the attacker is already inside with credentials.
What is the difference between a malicious insider and a negligent insider?
Malicious insider: intentionally misuses authorized access to cause harm β€” data theft, sabotage, fraud. Negligent insider: unintentionally causes security incidents through carelessness β€” phishing clicks, misconfiguration, lost devices. Both are insider threats. Statistically, negligent insiders cause more incidents β€” but malicious insiders cause more targeted damage.
Why are unskilled attackers dangerous despite low technical skill?
They use automated tools that can scan and exploit thousands of systems simultaneously. Unpatched vulnerabilities don't care who exploits them β€” a Metasploit module in unskilled hands compromises the same unpatched system as a nation-state operator. Volume and speed make them a real risk to any organization with exposed, unpatched systems. Organizations with unpatched internet-facing systems are the "low hanging fruit" β€” opportunism at scale is genuine risk.
What is Shadow IT and why is it a security risk?
Technology (apps, cloud services, devices) deployed by employees without IT knowledge or approval. Risk: IT cannot secure what it doesn't know about. Shadow IT systems lack patching, monitoring, access controls, and DLP coverage β€” creating unmonitored attack surface. Risk exists even when completely well-intentioned: an employee syncing work files to personal Dropbox creates real data exposure.
What are TTPs in threat intelligence?
Tactics, Techniques, and Procedures β€” the behavioral profile of a threat actor. Tactics: high-level goals (initial access, persistence, exfiltration). Techniques: specific methods to achieve each tactic. Procedures: exact implementation details unique to the actor. TTPs are used to attribute attacks to specific groups, detect threats in progress, and predict future attack behavior.
What is MITRE ATT&CK?
A knowledge base of real-world adversary TTPs organized by tactic (columns) and technique (rows). Based on observed real-world attacks, not theoretical scenarios. Used for threat modeling, detection gap analysis, red team exercises, and security control prioritization. Allows security teams to map their detection capabilities against known attacker behaviors and identify gaps.
What is "living off the land" (LOTL) and why do APTs use it?
Using built-in OS tools (PowerShell, WMI, certutil, PsExec, scheduled tasks) for attack activities rather than deploying custom malware. APTs use LOTL to blend in with legitimate system administration activity, evade signature-based AV and EDR that looks for known-malicious files, and avoid leaving malware artifacts on disk that forensic tools would find.
What is attribution in threat intelligence, and why is it difficult?
Identifying who conducted a cyberattack β€” which group or nation-state is responsible. Difficult because: (1) attackers use VPNs, Tor, and compromised intermediary systems to hide origin. (2) False flag operations deliberately mimic other groups' TTPs. (3) Tools are shared or leaked across different groups. (4) Nation-states deliberately create attribution ambiguity. High-confidence attribution requires multiple independent intelligence sources.
What is the typical dwell time of an APT vs. an opportunistic criminal attack?
APT dwell time: months to years β€” SolarWinds went undetected for 9+ months; the average APT dwell time before discovery has historically been over 200 days. Opportunistic criminal (ransomware): hours to a few days after initial access before deploying payload. Longer APT dwell time means more data exfiltrated, more backdoors planted, and much harder remediation.
Which threat actor type is most likely responsible for ransomware?
Organized crime. Ransomware-as-a-service is their primary business model β€” affiliates deploy ransomware using centrally-developed kits, splitting ransom payments with developers. Groups like Conti, REvil, LockBit operated as businesses. Exception: nation-states occasionally use ransomware as cover or for disruption (NotPetya by Sandworm was wiper malware disguised as ransomware, not financially motivated).
What controls are most effective specifically against insider threats?
(1) Least privilege β€” users access only what their role requires. (2) Separation of duties β€” no single person controls critical processes end-to-end. (3) User and Entity Behavior Analytics (UEBA) β€” detects anomalous access patterns (bulk downloads, off-hours access, access outside normal role). (4) Data Loss Prevention (DLP) β€” monitors and blocks unauthorized data movement to external destinations.
What distinguishes a nation-state's target selection from a script kiddie's?
Nation-states: deliberate, strategic target selection based on intelligence value β€” specific organizations, specific data types. Patient reconnaissance before attacking. They will spend months to reach one specific target. Script kiddies: opportunistic β€” automated tools scan the internet for any vulnerable system regardless of who it belongs to. Any unpatched target is equally valid. Industry and importance are irrelevant to script kiddies.