Cyber security 360
Threats
What is a cyber security threat
A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains, or to disrupt digital life in general. The cyber threat environment is the online space where cyber threat actors conduct malicious cyber threat activity. It includes the networks, devices, and processes that are connected to the Internet and can be targeted by cyber threat actors, as well as the methods threat actors use to target those systems.
Cyber threat actors
These are groups or individuals who, with malicious intent, aim to exploit weaknesses in an information system or exploit its operators to gain unauthorised access to or otherwise affect victims’ data, devices, systems, and networks, including the authenticity of the information that flows to and from them. The globalised nature of the Internet allows threat actors to be physically located anywhere in the world and still affect the security of information systems in the UK.
Types of cyber threat actors and their motivations
Cyber threat actors can be categorised by their motivations and, to a degree, by their sophistication. Threat actors value access to devices and networks for different reasons, such as siphoning processing power, exfiltrating or manipulating information, degrading the network’s performance and extorting the owner. Some threat actors conduct threat activity against specific individuals or organisations, while others opportunistically target vulnerable systems. In general, each category of cyber threat actor has a primary motivation.
Threat Actor Sophistication
Cyber threat actors are not equal in terms of capability and sophistication. They have a range of resources, training, and support for their activities. Cyber threat actors may operate on their own or as part of a larger organisation (i.e., a nation-state intelligence program or organised crime group). Sometimes, sophisticated actors use readily available tools and techniques because they can still be effective for a given task and/or make it difficult for defenders to attribute the activity—for example, by leveraging the commercial security tools used by security researchers.
Advanced persistent threats (APT) refer to threat actors in the top tier of sophistication and skill. APTs are capable of using advanced techniques to conduct complex and protracted campaigns in the pursuit of their goals. This designator is usually reserved for nation-states or very proficient organised crime groups.
State-sponsored cyber threat actors operating on behalf of nation-states primarily use cyber threat activity to advance their geopolitical objectives. They are frequently the most sophisticated threat actors, with dedicated resources and personnel, and extensive planning and coordination. Nation-states without developed cyber programs can use commercial cyber tools and the growing global pool of talent to enable sophisticated cyber threat activity. Some nation-states also have operational relationships with private sector entities and organised criminals.
The activities of state-sponsored cyber threat actors may include espionage against governments, organisations, and individuals; prepositioning on or disrupting critical systems; influencing and shaping public discourse; or building networks of compromised devices to enable further cyber threat activity. State-sponsored cyber threat actors may also pursue financially motivated threat activity.
Cybercriminals are primarily financially motivated and vary widely in sophistication. Organised crime groups often have planning and support functions in addition to specialised technical capabilities that can affect a large number of victims. Illegal online markets for cyber tools and services have made cybercrime more accessible and allowed cybercriminals to conduct more complex and sophisticated campaigns.
Hacktivists carry out ideologically motivated cyber threat activity and are generally lower sophistication than state-sponsored cyber threat actors or organised cybercriminals. These actors, alongside terrorist groups and thrill-seekers, often rely on widely available tools that require little technical skill to deploy. Their actions often have no lasting effect on their targets beyond reputation, however, at times these actors have been able to inflict physical and financial damages on their targets.
Insider threats are individuals working within their organisation who are particularly dangerous because of their access to internal networks that are protected by security perimeters. Insider threats are often disgruntled employees, and may be associated with any of the other listed types of threat actors.
Cyber threat surface
The cyber threat surface refers to all information systems and services a cyber threat actor may exploit in trying to compromise an individual, organisation, or network. It includes all Internet-exposed endpoints, including networks, personal computers, mobile devices, Internet of Things (IoT) devices, and servers, in addition to processes that communicate with or rely on information systems connected to the Internet. An individual’s threat surface is also shaped by the amount of personal information shared with online vendors and services: the more widely an individual shares their personal and financial details, the more vulnerable their information becomes to theft or exposure via a data breach. The larger the cyber threat surface of an individual, organisation, or network, the more difficult it is to secure.
The number of endpoints connected to the Internet increases significantly every year, driven by increased deployment of Internet of Things (IoT) and industrial IoT (IIoT) devices. Connected consumer and medical devices such as home security systems, cars, and pacemakers are becoming more common, as is connected operational technology (OT), the hardware and software integrated into devices used to monitor and cause changes in the physical world.
Services, devices, and data can all be targeted by cyber threat actors to gain initial access into an environment. Supply chains increasingly include digital information transfer in addition to the movement of physical goods. Since 2020, more organisations have adopted technologies such as cloud-based software, infrastructure, and platform “as-a-service” products to increase their efficiency in a hybrid work environment, with some employees working from home and others on site. Managed service arrangements often include elevated access for suppliers into their clients’ networks. The trust and information flow between organizations provides threat actors an indirect means of compromising their intended targets by first compromising a third-party.
The following is a non-exhaustive list of common tools and techniques that are used by threat actors.
A bot, also known as a zombie, is an Internet-connected device (e.g., computers, mobile, and IoT devices) that is infected with malware without the owner’s awareness and is remotely controlled by a threat actor to perform a specific malicious task. A botnet is a grouping of these compromised devices that are coordinated by a threat actor. Botnets typically expand by scanning the online environment and finding vulnerable devices that can provide computing power and additional capacity. Botnets are used for a multitude of purposes, such as to conduct distributed denial of service (DDoS), spread ransomware and malware, conduct ad fraud campaigns, send spam, divert traffic, steal data, and manipulate, amplify, and/or suppress social media and web platform content in order to impact public discourse.
Denial of service (DoS) refers to any activity that makes a service (e.g., website, server, network, IoT device) unavailable for use by legitimate users, or that delays system operations and functions.
A backdoor is a point of entry into a user’s system or computer that bypasses traditional access and authentication measures. Once threat actors have this remote access, they can steal information, install malware, or control the device’s processes and procedures. Backdoors can be a product of malware or other malicious cyber activity, but are also often deliberately and non-maliciously created for troubleshooting, software updates, or system maintenance. Threat actors can use these legitimate backdoors for malicious purposes.
A distributed denial of service attack, or DDoS, is a DoS attack that originates from several machines at once. These machines can be controlled by a group of threat actors working together or be part of a botnet acting under the direction of a single threat actor. DDoS attacks are more powerful and make it more difficult to identify the true source of the attack.
Exploits and exploit kits: An exploit is malicious code that takes advantage of an unpatched vulnerability. An exploit kit is a collection of multiple exploits that affect unsecure software applications. Each exploit kit is customised to search for specific vulnerabilities and execute the corresponding exploit for the vulnerability it finds. If a user visits a website hosting an exploit kit, the exploit kit will test its repository of exploits against the software applications on the user’s device and deploy the exploit that fits the user’s vulnerability.
Code injection is when threat actors introduce malicious code into a computer program by taking advantage of a flaw in a program’s functionality instructions or in the way it interprets data input. Two common code injection techniques are cross-site scripting (XSS) and Structured Query Language (SQL) injection.
- XSS is a code injection method whereby a threat actor injects and executes malicious code within a web application by bypassing the mechanisms that validate input. The malicious code is executed in the browser of users accessing the exploited web application. Code injected by XSS may either be a one-time execution or used to enable further malicious activity.
- SQL injection retrieves or modifies the contents of an SQL database by entering code into web forms that are meant to receive input for or query SQL databases. These databases may hold personally identifiable or other sensitive information.
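As an added example (not part of the original page), the two code injection cases above side by side: a login query built by string concatenation, the same query with bound parameters so the input can only ever be data, and HTML escaping for text rendered into a page. The users table and the inputs are constructed.

```python
"""Code injection, illustrated with SQL injection against an in-memory SQLite
database, plus the XSS analogue (escaping user text before it reaches HTML).
The users table is constructed sample data."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a few constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct-horse", "alice@example.invalid"),
            ("bob", "battery-staple", "bob@example.invalid"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds SQL from raw form input: the input is interpreted as code, so a
    quote in the password field rewrites the WHERE clause."""
    query = (
        "SELECT username, email FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same lookup with bound parameters: quotes in the input stay literal."""
    query = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def render_comment(text: str) -> str:
    """The XSS analogue: escape user text before placing it in HTML, so a
    submitted <script> tag is displayed literally rather than executed."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "x", injected))  # every row
    print("safe:", login_safe(db, "x", injected))              # no rows
    print(render_comment("<script>alert(1)</script>"))
```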
Flooding attacks are the most common form of DoS, where the threat actor repeatedly sends requests to connect to the target server but does not complete the connections. These incomplete connections occupy and consume all available server resources. As a result, the server cannot respond to legitimate traffic and connection attempts.
Crash attacks are less common than flooding attacks, and refer to when threat actors exploit a vulnerability to crash a system, thus denying access to it.
A zero-day vulnerability is a vulnerability that is not yet known by the vendor, and therefore has not been mitigated by a patch. A zero-day exploit is an attack directed at a zero-day vulnerability. Once a patch is developed, the vulnerability is no longer considered a zero-day.
Living-off-the-land is when threat actors use only the tools available through the victim systems’ legitimate processes to conduct malicious cyber activity, rather than deploying malware. Cyber threat actors use pre-existing system tools to blend into the normal operations of a victims’ device or network and avoid detection.
Malware, short for “malicious software”, refers to any software or code designed to infiltrate or damage a computer system. “Payload” refers to the actions malicious software takes once inside a victim’s system or network (e.g., ransomware encrypting files or the installation of system backdoors that enable remote access).
Adware is short for “advertising software”. Adware may infect a computer by being downloaded as part of another program or through web-based drive-by exploits. Its main objective is to generate revenue by delivering tailored online advertisements. Browser-based and application-based adware tracks and gathers user and device information, including location data and browsing history. Adware can lead to exploitation of security settings, users, and systems.
Beacons are signals sent by malware that attempt to connect to a cyber threat actor’s command and control infrastructure once it has successfully infiltrated the target environment. Beacons let the threat actor know that they have successfully compromised the system and allow them to send additional commands to the malware.
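Because beacons call home on a schedule, their timing is one of the few things a defender can see without knowing the malware. As an added example (not from the original page), the check below runs over constructed outbound-connection records and flags source/destination pairs whose connection gaps are numerous and nearly constant; the thresholds and sample data are assumptions.

```python
"""Beacon detection over constructed outbound-connection records.
For each (source, destination) pair we compute the gaps between successive
connections and flag pairs whose gaps are numerous and nearly identical,
which is how a fixed-interval beacon (with a little jitter) stands out from
irregular human browsing."""
import statistics
from collections import defaultdict

# (timestamp in seconds, source host, destination) - constructed sample.
# host-a contacts 203.0.113.44 roughly every 60 s: a beacon pattern.
# host-a also browses 198.51.100.10 at irregular, human-looking intervals.
CONNECTIONS = [
    (0, "host-a", "203.0.113.44"), (61, "host-a", "203.0.113.44"),
    (119, "host-a", "203.0.113.44"), (181, "host-a", "203.0.113.44"),
    (240, "host-a", "203.0.113.44"), (302, "host-a", "203.0.113.44"),
    (359, "host-a", "203.0.113.44"), (420, "host-a", "203.0.113.44"),
    (5, "host-a", "198.51.100.10"), (9, "host-a", "198.51.100.10"),
    (130, "host-a", "198.51.100.10"), (133, "host-a", "198.51.100.10"),
    (300, "host-a", "198.51.100.10"), (301, "host-a", "198.51.100.10"),
    (410, "host-a", "198.51.100.10"), (600, "host-a", "198.51.100.10"),
]


def find_beacons(connections, min_count=6, max_cv=0.1):
    """Return {(src, dst): (mean_gap, cv)} for pairs that look periodic.

    cv is the coefficient of variation (population stdev / mean) of the gaps;
    a small value means the gaps are almost constant. min_count and max_cv
    are assumed thresholds that would be tuned against real traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue  # too few samples to call a rhythm
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = (round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for pair, (mean, cv) in find_beacons(CONNECTIONS).items():
        print(f"{pair}: mean gap {mean}s, cv {cv}")
```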
Cryptojacking is when a threat actor covertly exploits a victim’s device (e.g., computers, mobile, and IoT devices) for the unauthorized mining of cryptocurrency. In order to increase efficiency (e.g., revenue) a threat actor can leverage a botnet of compromised devices. Such malware is typically delivered by visiting a compromised website, installing an application, or through phishing. Cryptomining or cryptocurrency mining is when software programs leverage computing resources to generate or “mine” a cryptocurrency, an activity that rewards the miner with a small fraction of the mined cryptocurrency as a fee for the mining service.
Ransomware is malicious software that restricts access to or operation of a computer or device, restoring it following payment. Threat actors often accomplish this through encryption, although they may also employ any number of methods of extortion, such as DDoS, threatening partners and clients, and/or threatening to release sensitive information. Ransomware is typically installed using a trojan or a worm deployed via phishing or by visiting a compromised website.
Some cybercriminals engage in big game hunting (BGH) ransomware campaigns, where they focus their activities against large organisations like critical infrastructure providers, governments, and large enterprises, that cannot tolerate sustained disruptions to their networks and are willing to pay large ransoms to quickly restore their operations.
A rootkit is a malicious application designed to provide a threat actor with “root” or administrative privileged access to software and systems on a user’s device. A rootkit provides full control, including the ability to modify software used to detect malware.
Spyware is malicious software used to track a user’s digital actions and information with or without the user’s knowledge or consent. Spyware can be used for many activities, including keystroke logging, accessing the microphone and webcam, monitoring user activity and surfing habits, and capturing usernames and passwords. Spyware used to facilitate intimate partner violence, abuse, or harassment is referred to as stalkerware.
A trojan is a malicious program disguised as or embedded within legitimate software.
A virus is an executable and replicable program that inserts its own code into legitimate programs with the objective of damaging the host computer (e.g., deleting files and programs, corrupting storage and operating systems).
A wiper is malware designed to completely wipe the hard drive of infected devices. Wipers may pose as ransomware to obfuscate the intent of the malware and make attribution more difficult.
A worm is a computer program that independently self-replicates and spreads to other computers to drain a system’s resources. Just like a virus, a worm can propagate code that can damage its host (e.g. deleting files, sending documents via email, or taking up bandwidth).
Password cracking refers to techniques that allow cyber threat actors to directly access an account by guessing or decrypting the password.
Brute force cracking uses an exhaustive number of randomly generated passwords to attempt to guess the correct password and obtain access to the account. Brute force password cracking is the least efficient method, especially against complex passwords.
Credential stuffing is when lists of compromised username and password pairs are used to gain unauthorized access to online accounts. Cyber threat actors use these lists to conduct large-scale automated login requests, hoping that one of the compromised pairs will match an existing account on the site and give them access.
Dictionary attacks take advantage of comprehensive lists of words and commonly used passwords, often including common misspellings of words and various permutations that account for password complexity requirements.
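The three password attacks above leave different footprints in an authentication log, and telling them apart matters for the response (lock one account versus block one source and reset many). As an added example (not from the original page), the detection below runs over constructed log lines: one source hammering one account reads as brute force or a dictionary attack, one source trying many accounts once each reads as credential stuffing. The log format, IP addresses and thresholds are assumptions.

```python
"""Detection logic for password attacks, run over constructed auth log lines.
Per source IP: many failures against one account -> brute force / dictionary;
failures spread across many accounts -> credential stuffing. A success after
the failures is called out because it means the attack probably worked."""
import re
from collections import defaultdict

# Assumed log shape: "<timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample: 203.0.113.5 hammers one account, 198.51.100.9 tries
# many accounts once each, 192.0.2.7 is a real user who mistypes once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:07Z ip=198.51.100.9 user=bob result=FAIL
2024-05-01T10:00:08Z ip=198.51.100.9 user=carol result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.9 user=dave result=FAIL
2024-05-01T10:00:10Z ip=198.51.100.9 user=erin result=FAIL
2024-05-01T10:00:11Z ip=198.51.100.9 user=frank result=OK
2024-05-01T10:00:12Z ip=198.51.100.9 user=grace result=FAIL
2024-05-01T10:00:13Z ip=192.0.2.7 user=heidi result=FAIL
2024-05-01T10:00:14Z ip=192.0.2.7 user=heidi result=OK
"""


def parse(log: str) -> list:
    """Turn the raw text into a list of {ts, ip, user, result} dicts."""
    events = []
    for line in log.splitlines():
        match = LOG_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def classify_sources(events, fail_threshold=5, spread_threshold=4) -> dict:
    """Return {ip: label} for sources whose failure pattern crosses a threshold.

    fail_threshold: failures from one IP before it is considered at all.
    spread_threshold: distinct usernames from one IP that marks spraying.
    Both are assumed values to be tuned against real traffic."""
    fails = defaultdict(int)
    users = defaultdict(set)
    success_after_fail = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
        elif fails.get(e["ip"], 0) > 0:
            success_after_fail[e["ip"]].add(e["user"])
    verdicts = {}
    for ip, count in fails.items():
        if count < fail_threshold:
            continue  # a handful of typos is normal
        label = "credential_stuffing" if len(users[ip]) >= spread_threshold else "brute_force"
        if success_after_fail[ip]:
            label += "_with_success"  # treat the affected account as compromised
        verdicts[ip] = label
    return verdicts


if __name__ == "__main__":
    for ip, label in classify_sources(parse(SAMPLE_LOG)).items():
        print(ip, label)
```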
Person-in-the-middle (PITM) is a technique by which a threat actor intercepts a communication between two parties, such as a victim and a web server, without the victim’s knowledge. The victim is under the illusion that they are communicating directly and securely with a website. PITM enables threat actors to monitor communications, reroute traffic, alter information, deliver malware, and acquire personally identifiable or other sensitive information. PITM can be achieved via several techniques such as phishing, pharming, typo-squatting, Wi-Fi eavesdropping, and SSL hijacking.
Secure Sockets Layer (SSL) hijacking is a technique by which a threat actor intercepts and redirects an unsecure connection between a victim and a server trying to establish a secure connection. The threat actor is then able to provide a secure connection instead of the intended website, which enables them to intercept and compromise the communication without the victim’s knowledge (see person-in-the-middle above). SSL hijacking is not about breaking the security provided by SSL, but rather, it inserts a compromised bridge between the non-encrypted and encrypted part of a communication.
Wi-Fi eavesdropping is when a threat actor installs what looks like a legitimate Wi-Fi access point in a public area. Once users connect to such an access point, often referred to as a malicious hotspot or a rogue access point, they fall victim to person-in-the-middle (PITM). Alternatively, threat actors may be able to intercept unencrypted web traffic on unsecured public Wi-Fi networks. Such activity allows a threat actor to monitor communications and to acquire personally identifiable or other sensitive information.
Reconnaissance, or recon, refers to activities conducted by a threat actor to obtain information and identify vulnerabilities to facilitate future compromise(s). Opportunistic threat actors may scan the Internet for hosts with unsecured vulnerabilities and target them. When a target is selected, the threat actor may conduct additional research on their target including open-source searches on their business, employees, and infrastructure. More direct techniques include probing the target with malicious Internet traffic or using social engineering to extract information.
Social engineering is the practice of obtaining sensitive information by manipulating legitimate users, often using the telephone or Internet. Social engineering techniques may attempt to deceive the target into sending payment to an account controlled by the threat actor or collect information to enable further threat activity.
Phishing is a common method by which threat actors disguise themselves as a trustworthy entity with the intent to lure a large number of recipients into providing information, such as login credentials, banking information, and other personally identifiable information. Phishing is an example of a social engineering technique and is mainly conducted through email spoofing and text messages. Users become victims when they open malicious attachments or click on embedded links.
Spoofing is the act of masking or forging a website, email address, or phone number to appear as if it originates from a trusted source. After receiving a phishing message, the victim can be enticed into giving away personal, financial, or other sensitive information or clicking on a link or attachment, which can infect a device with malware.
Spear-phishing occurs when a cyber threat actor sends a personally tailored phishing message to a more precisely selected set of recipients or even a single recipient. Spear-phishing relies on social engineering, using details that are believable to the victim as originating from a trusted source. Whaling refers to spear-phishing targeted at senior executives or other high-profile recipients with privileged access and authorities.
Business email compromise (BEC) is one of the most common and costly social engineering schemes targeting organisations. BEC involves emails designed to trick an employee in the target organisation into directly transferring funds to cyber threat actors. To achieve this, cyber threat actors often impersonate high-level executives or trusted third parties.
Web-based exploits aim to compromise users when they browse, or attempt to browse, to specific webpages. They function by compromising or impersonating a website that victims wish to visit, compromising the victim themselves, or exploiting vulnerabilities in the systems that direct users to the correct webpage.
A drive-by exploit refers to malicious code that a cyber threat actor has placed on a website without the website host’s knowledge; the malicious code attempts to compromise the devices of any user who visits the website.
Formjacking is when cybercriminals inject malicious code into a webpage form, such as a payment page, to compromise it and steal credit card details and other information that is entered by users on these pages.
Pharming is a technique used to redirect traffic from a legitimate website to a malicious one. This deception can be achieved by modifying the user’s system settings or by exploiting vulnerabilities in the domain name system (DNS) server software, which is responsible for resolving URLs into IP addresses. Contrary to typo-squatting (see below), where a user mistypes a website address and is redirected to an illegitimate website, pharming can redirect a user who properly types the URL. At a quick glance, the illegitimate website may appear to be the legitimate website and can be used to deliver malware and acquire personally identifiable or other sensitive information.
Typo-squatting is a technique by which a threat actor registers domain names that have very similar spelling to and can be easily confused with a legitimate domain address. Typo-squatting is also known as URL hijacking and enables a threat actor to redirect a user who incorrectly typed a website address to an alternative look-alike domain under the actor’s control. The new domain can then deliver malware and acquire personally identifiable or other sensitive information. Luring a victim to a hijacked URL can also be achieved through phishing techniques.
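Typo-squatting is easier to catch before a user reaches the look-alike site than after. As an added example (not from the original page), the screening below scores candidate domain names, such as those seen in new-domain registrations or in a proxy log, against a list of protected brand domains: it flags the same name under a different suffix, characters that merely look like the brand's, and names within a small edit distance. The brand list, candidates, look-alike table and distance threshold are constructed assumptions, and the label extraction deliberately ignores the public suffix list.

```python
"""Typo-squat screening of candidate domains against protected brand domains.
A candidate is flagged when it is not the genuine domain (or a subdomain of
it) but its registrable label matches a brand exactly under another suffix,
matches after folding look-alike characters, or is within a small edit
distance. Brand list and thresholds are constructed assumptions."""

# Character sequences that read like another at a glance (assumed table).
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

PROTECTED = ["examplebank.com", "acmeshop.com"]  # constructed brand list


def normalise(label: str) -> str:
    """Lower-case and fold characters that render like others."""
    label = label.lower()
    for fake, real in LOOKALIKES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'examplebank' from 'login.examplebank.com'.
    Simplified: production code would consult the public suffix list so
    that names under suffixes such as co.uk are handled correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def squat_matches(candidate: str, protected=PROTECTED, max_distance: int = 1) -> list:
    """Return (brand, reason) pairs for every protected domain the candidate imitates."""
    candidate = candidate.lower().rstrip(".")
    cand = registrable_label(candidate)
    hits = []
    for brand in protected:
        brand_l = brand.lower()
        if candidate == brand_l or candidate.endswith("." + brand_l):
            continue  # the genuine domain or one of its own subdomains
        real = registrable_label(brand_l)
        if cand == real:
            hits.append((brand, "same name, different suffix"))
        elif normalise(cand) == real:
            hits.append((brand, "lookalike characters"))
        elif levenshtein(normalise(cand), real) <= max_distance:
            hits.append((brand, "edit distance"))
    return hits


if __name__ == "__main__":
    for name in ["examp1ebank.com", "examplebnk.com", "examplebank.net",
                 "login.examplebank.com", "unrelated.com"]:
        print(name, squat_matches(name))
```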
A watering hole is a website compromised with an exploit and frequented by individuals specifically targeted by a cyber threat actor.
Dettica Consulting: Resilient Cyber Security for everyone.