
Understanding Threat Actors and Their Motivations


My name is Valentina, but hey, just call me Vally, which means strength. I am the powerhouse behind Cyvally. Vally is a rising cybersecurity professional and a content creator; I write to make cybersecurity and cloud topics understandable and interesting to you (after all, who likes boring?).

Seen the film Extraction? Cyvally chose a cyber action thriller, so you may be wondering why Cyvally is linking an action thriller to cybersecurity. That is one of the perks of being a cybersecurity enthusiast: everything makes your heart beat louder for the passion. Back to the movie: Amir Asif serves as the threat actor, a violent crime lord aiming to expand his criminal empire. Amir Asif kidnaps Ovi Mahajan Jr. (the asset) in order to gain control over Ovi Mahajan Sr. (intent/motivation). With this evil purpose, Amir Asif uses various methods to achieve his goal and power: armed rebel groups, ambushes, and violent means. Now, remember Nik Khan and her team? They gather information from multiple intelligence sources to assist Tyler in rescuing Ovi Mahajan Jr. They use informants with connections to criminal groups and get insider knowledge that helps them understand the motivations, strategies, and vulnerabilities of the threat actors. They also use surveillance devices and cameras to collect real-time information, to understand the threat actors' movements and operations and to identify hidden patterns. Unfortunately, Nik Khan and her team suffer losses due to insufficient research. Tyler Rake, our cybersecurity hero, is helped in successfully extracting the asset by valuable information from Nik Khan, our colleague. In Extraction 2, you will see that not only does Tyler survive, but he also completes the mission.

Back to the real deal!!!
In this post, we will look at different Threat Actors, Vectors, and Intelligence Sources.

Sit back and enjoy the ride!!!

Basic Terms

Vulnerability: a weakness that, when exploited, can result in a security breach.

Threat: the possibility of someone or something exploiting a vulnerability and breaching security. It can be purposeful or unintentional.

Risk: the likelihood and impact of a threat actor exploiting a vulnerability.

Risk = Likelihood × Impact

Threat actor: the person or entity that poses a potential threat to the security of systems, networks, or data.

Capability: the ability of a threat actor to create fresh exploit methodologies and tools.

Various Actors and Threats

Nation-state actors: entities or groups supported by a government that exploit cyberspace for economic, military, or political objectives. Intelligence gathering is a primary aim of state actors, for espionage and strategic gain. They commonly operate as an Advanced Persistent Threat (APT): long-lasting campaigns designed to gain persistent access to networks or systems for data theft or espionage.

Script kiddies/unskilled: individuals with little or no technical skill who conduct attacks using existing hacking tools and scripts. They may have no specific target or any objective beyond grabbing attention or showing off their technical skills.

Hacktivists: threat actors motivated by a belief in a social or political cause. Pursuing the objective of exposing corruption, propagating their preferred ideology, or destabilizing institutions, these individuals may hit organizations or governments.

Insider threats: a threat actor within an organization who has authorized access to its systems and intentionally or unintentionally misuses those privileges.

Organized crime: professional criminals, motivated by money, who are usually external entities and highly sophisticated, with a structured organization and substantial capital to fund their efforts.

Shadow IT: the use of unapproved technology or applications within a company, outside the control of the IT department. It is a practice rather than a person, but it creates systems and data that nobody is defending.

Criminal syndicates: threat actors that engage in computer fraud and hacking for financial gain. Prosecution is complicated by the fact that a syndicate may operate online from a country other than its victim's.

Competitors: competitors may try to gain unlawful access to confidential information, trade secrets, or sensitive data.

Hackers: an individual with the knowledge to access computer systems by unauthorized methods.

  • Authorized/ white hat: a hacker working for a security consultancy or conducting authorized penetration testing.

  • Unauthorized/ black hat: a malicious hacker acting without authorization.

  • Semi-authorized/gray hat: a hacker with limited authorization. They have no hostile motive and may look for security holes, but won't take advantage of them. They are paid for discovering vulnerabilities (as in a bug bounty).

Attributes of Actors

Internal/external: external actors, often referred to as intruders, may be hackers, criminal gangs, or state sponsors; internal actors are employees, contractors, or external partners with legitimate access to the organization's systems.

Level of sophistication/capability: This attribute captures the technical awareness and capacity of a threat actor.

Resources/funding: the power actors have, and the money they can lay their hands on, largely defines their capabilities and the operational level of their activities. Well-resourced actors such as state-sponsored groups and organized crime often have several advantages: financial backing, access to modern technologies, and knowledge obtained from relevant fields.

Intent/motivation: This is the aim that an attacker has in place once they decide to launch an attack.

Attack Vectors

The attack vector is how threat actors can infiltrate the system.

Direct access: having physical access to or control of a system, which enables an attacker to compromise the target directly, e.g. corrupting the hardware configuration or using a boot disk to install a virus.

Wireless: establishing unauthorized control by exploiting weaknesses in wireless networks or devices, e.g. Wi-Fi eavesdropping, spoofing, or brute-forcing wireless network passwords.

Email: sending a malicious file attachment through email.

Supply chain: targeting the hardware or software supply chain to introduce infected components into networks or systems. This might involve intrusive modifications or the creation of backdoors.

Social media: involves using social media platforms to promote malicious content, conduct social engineering attacks on people or organizations, or obtain information against them.

Removable media: introducing malware into, or extracting data from, systems using external storage media. Attackers may send infected removable media to their targets or rely on auto-run features to execute malware.

Cloud: exploiting vulnerabilities in cloud infrastructure or cloud-based services, e.g. breaking into cloud accounts without authorization, stealing data, or taking advantage of vulnerabilities in cloud-based apps.

Attack Motivations

Data exfiltration: the unauthorized transfer of data from a computer, often conducted by nation-states, organized crime, insiders, and unskilled attackers for espionage, financial gain, or opportunistic purposes.

Espionage: the act of spying on nations, persons, or organizations to obtain sensitive information for strategic or competitive advantage; it involves nation-states and organized crime groups.

Service disruption: Service disruption occurs when actors such as hacktivists, nation-states, and inexperienced attackers attempt to interrupt the services of organizations to cause havoc, make political criticism, or demand ransom.

Blackmail: actors such as organized crime groups and insider threats gather sensitive or incriminating information and use it to extort money or accomplish personal gain by threatening to reveal the information unless demands are met.

Financial gain: commonly pursued by organized crime through attacks such as ransomware and banking trojans, which make money by collecting financial information and gaining access to victims' bank accounts.

Philosophical/political beliefs: Hacktivists, nation-states, and sometimes inexperienced attackers carry out cyberattacks motivated by their intellectual or political ideas.

Ethical: Ethical hackers (white-hats) do permitted security testing to improve and strengthen corporate defenses, driven by a desire to improve security rather than engage in malicious behavior.

Revenge: Insider threats, hacktivists, and nation-states launch revenge-driven cyber attacks against entities they believe have mistreated them, seeking payback.

Disruption/chaos: Nation-states, hacktivists, and inexperienced attackers seek disruption and disorder that cause instabilities, distribute malware, or target vital systems.

War: nation-states use cyber warfare to disrupt or damage a rival country's infrastructure, economy, or security, to compromise national security, and to cause economic hardship.

Threat intelligence sources

Cyber Threat Intelligence (CTI) is the process of gathering, analyzing, and disseminating data about new threats and their sources. Professionals who actively engage in CTI improve their understanding of attacks and reduce risk more successfully. The following are sources for gathering this information.

Open-source intelligence (OSINT): information obtained from publicly available sources, such as news articles, social media, and forums.

Closed/proprietary: Intelligence is obtained from private enterprises, security vendors, or government authorities. Extensive threat research is conducted and collated, and the results are made available as a paid subscription.

Vulnerability databases: vulnerability databases contain information on known weaknesses in software, systems, and hardware. The Common Vulnerabilities and Exposures (CVE) list was developed as a common list that assigns each known vulnerability a specific identifier. The United States Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) support the U.S. National Vulnerability Database (NVD), which provides each CVE with its details, patch information, and severity, among other data.

Public/private information-sharing centers: promote the exchange of threat intelligence between organizations, government institutions, and security professionals. Participants share useful insights, threat indicators, and mitigation techniques. An example is the Cyber Threat Alliance (CTA).

Dark web: a hidden part of the World Wide Web where illicit business takes place. It can contribute to threat intelligence through the tracking of activity in underground forums, markets, and the communication channels of cybercriminals.

Indicators of compromise (IoCs): evidence that an asset or network has been compromised or is currently under attack. These can be IP addresses, domain names, hash values of files that may be infected, or behavioral activity observed during an attack.

Automated Indicator Sharing (AIS): AIS frameworks automate the sharing of important threat data or information between organizations. AIS is based on the STIX and TAXII standards and protocols.

  • Structured Threat Information eXpression (STIX): a standardized language for describing cyber threat information, including motivations, abilities, capabilities, and response information. It defines standard terminology for IoCs and ways of expressing relationships between them.

  • Trusted Automated eXchange of Intelligence Information (TAXII): a protocol that provides a means of transmitting CTI data between servers and clients.
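To make the IoC and STIX bullets above concrete, here is an added example (not code from the original post or from the STIX/TAXII projects) that loads a small STIX 2.1 bundle, as a TAXII collection would deliver it, parses the indicator patterns, and matches them against a handful of log lines. Every identifier, address, domain, hash and log line is constructed for the example. The parser covers only the subset of the STIX pattern grammar used by simple IoC feeds (equality comparisons joined by AND/OR inside one observation expression); real feeds also use other operators, which it rejects rather than guessing.

```python
"""Match STIX 2.1-style indicator patterns against constructed log lines."""
import hashlib
import json
import re

# Constructed: a stand-in for a malware file hash, derived from a fixed string so
# the example stays deterministic and is obviously not a real sample.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample, not real malware").hexdigest()

# Constructed: a minimal STIX 2.1 bundle shaped like a TAXII collection response.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000001",
         "name": "constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000002",
         "name": "constructed dropper hash", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000003",
         "name": "constructed staging infrastructure", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example-malware.test' OR "
                    "domain-name:value = 'cdn.example-malware.test']"},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000004",
         "name": "constructed two-part indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' AND "
                    "domain-name:value = 'login.example-malware.test']"},
    ],
})

# Constructed log lines (proxy, EDR and DNS events) to scan.
SAMPLE_LOGS = [
    "2024-05-03T10:01:12Z proxy allow src=10.0.0.15 dst=203.0.113.45 host=update.example-malware.test",
    "2024-05-03T10:02:40Z proxy allow src=10.0.0.22 dst=198.51.100.99 host=www.example.test",
    f"2024-05-03T10:03:05Z edr file_write user=alice path=C:\\Users\\alice\\Downloads\\invoice.exe sha256={SAMPLE_SHA256}",
    "2024-05-03T10:04:51Z dns query src=10.0.0.31 name=cdn.example-malware.test",
    "2024-05-03T10:05:10Z proxy allow src=10.0.0.40 dst=198.51.100.7 host=www.example.test",
]

# STIX object path used in a comparison -> kind of observable we pull out of a log line.
OBSERVABLE_KINDS = {
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.MD5": "md5",
}

# One equality comparison: <object-path> = '<value>'
COMPARISON_RE = re.compile(r"^\s*(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'\s*$")

# Regexes that pull candidate observables out of free-form log text.
EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # first label must contain a letter so dotted IPs are not mistaken for domains
    "domain": re.compile(r"\b(?=[a-z0-9-]*[a-z])[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
}


def parse_pattern(pattern):
    """Turn "[a = 'x' AND b = 'y' OR c = 'z']" into disjunctive normal form:
    a list of AND-groups, each a list of (observable_kind, value) pairs.
    Anything outside the supported subset raises rather than silently matching nothing."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern!r}")
    groups = []
    for disjunct in re.split(r"\s+OR\s+", body[1:-1]):
        comparisons = []
        for comparison in re.split(r"\s+AND\s+", disjunct):
            m = COMPARISON_RE.match(comparison)
            if not m or m["path"] not in OBSERVABLE_KINDS:
                raise ValueError(f"unsupported comparison: {comparison!r}")
            comparisons.append((OBSERVABLE_KINDS[m["path"]], m["value"].lower()))
        groups.append(comparisons)
    return groups


def extract_observables(line):
    """Collect every IP, domain and hash found in one log line, lower-cased."""
    return {kind: {v.lower() for v in rx.findall(line)} for kind, rx in EXTRACTORS.items()}


def pattern_matches(groups, observables):
    """A pattern hits when every comparison of at least one AND-group is satisfied."""
    return any(all(value in observables[kind] for kind, value in group) for group in groups)


def load_indicators(bundle_json):
    """Pull (id, name, parsed pattern) from the STIX indicator objects in a bundle."""
    bundle = json.loads(bundle_json)
    return [(o["id"], o["name"], parse_pattern(o["pattern"]))
            for o in bundle["objects"]
            if o.get("type") == "indicator" and o.get("pattern_type") == "stix"]


def scan_logs(bundle_json, lines):
    """Return (line_index, indicator_id, indicator_name) for every indicator hit."""
    indicators = load_indicators(bundle_json)
    hits = []
    for index, line in enumerate(lines):
        observables = extract_observables(line)
        for ind_id, name, groups in indicators:
            if pattern_matches(groups, observables):
                hits.append((index, ind_id, name))
    return hits


if __name__ == "__main__":
    for index, ind_id, name in scan_logs(SAMPLE_BUNDLE_JSON, SAMPLE_LOGS):
        print(f"line {index}: {name} ({ind_id})")
```

Run as written, the scan flags the proxy request to the constructed C2 address and staging domain, the EDR file write with the constructed hash, and the DNS query for the second staging domain. The last log line touches the IP from the AND indicator but not its domain, so it is correctly left alone; that is the difference between an observed address and a confirmed indicator match, and it is why feed consumers should honour the pattern logic rather than flattening every feed value into a blocklist.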

Predictive analysis: forecasts potential future threats using historical data, statistical modeling, and machine learning algorithms. It enables enterprises to predict and defend against emerging threats.

Threat maps: graphical displays that show the geographical distribution and level of cyber threats observed across different countries. They help map out high-risk zones and interpret the current risk picture. A threat map is typically an animated map that depicts, in near real time, the source, target, and kind of attacks identified by a particular CTI platform.

File/code repositories: signatures of known malware code are stored in a file/code repository. The code samples are taken from live customer systems and (in the case of public repositories) from files uploaded by subscribers.

Research sources

Vendor websites: The official websites of technology vendors contain product information such as release notes, security advisories, and patches. This helps researchers to stay up to date on the newest vulnerabilities and patches for a specific technology.

Vulnerability feeds: data sources with information about newly identified vulnerabilities in software, systems, or networks. An example is the CVE data feeds, which provide descriptions, severity ratings (CVSS), and mitigation guidance for vulnerabilities that have been detected.

Conferences: Various institutions host and sponsor security conferences, which allow for presentations on the most recent threats and technologies.

Academic journals: Academic researchers and non-profit trade groups and associations, such as the IEEE, publish their findings in journals as papers. These papers are often available only through subscription.

Request for Comments (RFC): when a new technology is accepted as a web standard, it is published as an RFC by the W3C. RFCs give technical information, standards, and best practices for new technologies.

Local industry groups: professional associations and user groups bring together professionals working in the field. They host events, webinars, and forums where participants can discuss industry challenges and share experiences.

Social media: Twitter and LinkedIn are other common channels for sharing cybersecurity knowledge. Whenever researchers, professionals, or related organizations obtain new information or publish new research results, they announce it on these platforms.

Threat feeds: sources of information on current cyber threats, IoCs, malware signatures, and malicious behavior patterns. These feeds aggregate information from a variety of sources, including security companies, security research teams, and threat intelligence platforms, to provide signatures and pattern-matching rules that identify specific threats.

Adversary tactics, techniques, and procedures (TTPs): historical cyber attacks and adversary actions are examined using TTPs. TTPs divide behaviors into three categories: campaign strategy and approach (tactics), generalized attack vectors (techniques), and particular intrusion tools and methods (procedures).

“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.”

Dr. Larry Ponemon


Cybersec Shell

Part 2 of 20
