Threat Actors
Which threat actor is attacking is one of the fundamental questions that incident response tries to answer while an attack is under way. To answer it, there are certain threat actor categories we should know: script kiddies, hacktivists, cybercriminals, nation state actors, and insider threats. The threats they bring include website defacement, ransomware, DDoS attacks, and many others.
Script Kiddies
Script kiddies are after bragging rights more than anything and rely on scripts and tools that someone else has written. They are the least sophisticated group and usually operate with little or no budget. A typical example is a teenager who launches a DDoS attack with free tools or pre-existing scripts. Script kiddies are rarely paid at all; they do it for respect or bragging rights in the hacker subculture.
Hacktivists
These threat actors are politically motivated and act for social or ideological reasons. Hacktivists are moderately skilled and are more likely to expose corruption, protest, or make a political statement than to chase profit. Typical hacktivist actions are website defacement and leaking corporate data to the public.
Cybercriminals
These threat actors are in it for the money, with direct financial gain in mind. They are frequently tied to organized crime. Typical attacks are ransomware or phishing campaigns that harvest credit card information. The category also includes individuals who turn to hacking on their own for financial gain.
Nation State Actors
Nation state actors are usually the best funded. They attack other governments, organizations, and groups, mostly for espionage or geopolitical reasons. These are highly structured, government-backed groups. Some states also treat hacking as a revenue source: North Korea, for example, is widely reported to fund its regime in part through the thefts carried out by its state-sponsored hacking groups.
Insider Threats
Insider threats are attacks that come from within an organization. They are often rooted in sabotage or revenge, although careless insiders who leak data by accident also count. The insiders can be current or former employees or contractors; they know more about the company network than an outsider and may use that knowledge for personal gain.
Conclusion
Threat actors are out there, and knowing who is attacking and how remains one of the first questions incident response has to answer. Threat actors evolve just as the technology they use evolves. These threats can be mitigated, and knowing them should help you in your IT journey. You can study threat actor behavior with the MITRE ATT&CK framework, which catalogs the tactics and techniques that named groups are known to use. Study well and be a lifelong learner.
Social Engineering Attacks
There are many types of attacks, and social engineering attacks are among the most common. These include phishing, pretexting, baiting, quid pro quo, tailgating, and dumpster diving. The commonly used phishing variants are mass phishing, spear phishing, whaling, vishing, and smishing. Using these techniques an attacker can carry out a business email compromise (BEC) attack, which is a secondary attack that builds on the initial social engineering.
Some of the best defenses against social engineering form a layered approach with three domains: Verification, Technology, and Policy. In the verification domain, trust but verify, be skeptical of any urgency, and watch for red flags such as a display name that does not match the sender's address, a Reply-To that goes somewhere else, or a link whose visible text does not match where it really points. In the technology domain, use multifactor authentication (MFA), email filtering, and endpoint protection. The policy domain covers the principle of least privilege, awareness training, and clear reporting channels.
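To make those red flags concrete, here is an added example written for this page (not code from the CCST material or any mail product) of the kind of checks the email filtering layer can run. The trusted domain, the urgency and credential phrase lists, and the two sample messages are all constructed for the demonstration and are assumptions, not data from a real incident:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that manufacture the urgency a phisher relies on (assumed list).
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended", "act now")
# Requests a real helpdesk does not make by e-mail (assumed list).
CREDENTIAL_PHRASES = ("confirm your password", "verify your account", "enter your credentials")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def _domain(addr):
    """Lower-cased domain part of an e-mail address, '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _host(url):
    """Lower-cased host of a URL, '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def phishing_flags(raw_message, trusted_domain):
    """Return the list of red flags found in one RFC 5322 message string.

    trusted_domain is the organisation's own mail domain; mail that claims
    to be internal but is sent from somewhere else is the classic pretext.
    """
    msg = message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # Display name drops the trusted brand, but the address lives elsewhere.
    if trusted_domain in display.lower() and from_domain != trusted_domain:
        flags.append("display name claims %s but address is @%s" % (trusted_domain, from_domain))

    # Replies silently routed to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        flags.append("Reply-To domain %s differs from From domain %s" % (_domain(reply), from_domain))

    body = "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() in ("text/plain", "text/html"))
    lowered = body.lower()

    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency: " + ", ".join(hits))

    hits = [p for p in CREDENTIAL_PHRASES if p in lowered]
    if hits:
        flags.append("asks for credentials: " + ", ".join(hits))

    # Anchor text that shows one host while the href goes to another.
    for href, text in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = _host(shown if "://" in shown else "http://" + shown)
        if "." in shown_host and shown_host != _host(href):
            flags.append("link text shows %s but points to %s" % (shown_host, _host(href)))
    return flags


def verdict(raw_message, trusted_domain, threshold=2):
    """Quarantine once several independent flags line up; one flag alone is noise."""
    return "quarantine" if len(phishing_flags(raw_message, trusted_domain)) >= threshold else "deliver"


# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Support contoso.com" <helpdesk@contoso-support.net>
Reply-To: recover@mail-verify.example
To: alice@contoso.com
Subject: Action required: password expires today
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you
<a href="http://c0ntoso-login.example/reset">https://portal.contoso.com/reset</a>
to confirm your password.</p>
"""

LEGIT = """\
From: Bob Jones <bob@contoso.com>
To: alice@contoso.com
Subject: Lunch on Thursday?

Are you free Thursday? The cafe on 5th has a new menu.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, verdict(raw, "contoso.com"), phishing_flags(raw, "contoso.com"))
```

The threshold matters: any single check fires on legitimate mail now and then (a real vendor may use a separate Reply-To), which is why the verdict waits for several flags to agree rather than quarantining on one.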
Phishing
In mass phishing, the attacker casts a wide net to harvest sensitive information from as many victims as possible. Spear phishing targets specific individuals, such as a middle manager, while whaling targets the CEO or other C-suite officers. Vishing is phishing by voice message or phone call, and smishing is phishing by text message.
Social Engineering
Pretexting is a social engineering technique in which the attacker invents a believable scenario (the pretext) to win the victim's trust, and the victim is tricked into revealing sensitive information. Baiting offers the victim something for free in exchange for their information. Quid pro quo, literally "something for something," is an attack in which the attacker offers a service or benefit in return for information.
Physical Attacks
Tailgating, or piggybacking, is when an unauthorized person enters a restricted area by following closely behind someone who has access. Another physical social engineering attack is dumpster diving, where an attacker recovers information from discarded documents and media. Mantraps (access control vestibules), card access, and security guards deter tailgating and piggybacking.
Conclusion
Most social engineering attacks are phishing in one form or another, with the other techniques above making up the rest. This information needs to be learned so that, as a defender, you can recognize these attacks as they happen and respond quickly. Social engineering attacks have been something to learn for the CCST Cybersecurity exam that I currently have.
Several more phishing variants exist, but they are easy to keep apart by their channel: vishing is over voice and smishing is over text messages. Doing the CCST Cybersecurity has prepared me in my cybersecurity knowledge by testing me on these social engineering attacks.
Attack Attribution Models
There are three attack attribution models covered here: the Cyber Kill Chain, the MITRE ATT&CK Matrix, and the Diamond Model. The Cyber Kill Chain is Lockheed Martin's seven-step model of a cyber attack. The MITRE ATT&CK Matrix is a knowledge base that categorizes adversary tactics, techniques, and procedures (TTPs). TTPs describe the type of attack, its patterns, and how malicious actors use them to commit crimes.
Alongside the Cyber Kill Chain and the MITRE ATT&CK Matrix, the Diamond Model analyzes events according to the relationships among four features: the adversary, the capability, the infrastructure, and the victim. Individual events in an intrusion are linked through the features they share and attributed to particular adversaries. These are the three main attack attribution models, and the CCST Cybersecurity exam covers them along with other cybersecurity concepts.
Cyber Kill Chain
The Cyber Kill Chain has seven steps: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. In Reconnaissance the attacker gathers information about the target network and looks for vulnerabilities. In Weaponization the attacker couples an exploit with a payload, such as a backdoor, into something deliverable, for example a malicious document. In Delivery that weapon is transmitted to the target, typically by email attachment, website, or USB drive.
In Exploitation the exploit is triggered on the victim system, which leads into the Installation step, where the backdoor is installed. Command and Control comes next, giving the attacker a channel to remotely control the device and exfiltrate data. The last step, Actions on Objectives, is where the attacker carries out the actual goal, such as data theft or destruction.
MITRE ATT&CK Matrix and Diamond Model
The MITRE ATT&CK Matrix is tested on the CCST Cybersecurity exam by application. It is used to identify organizational defenses and weaknesses, to attribute attacks, and to give red teams and blue teams a shared vocabulary for interpreting what an attacker did. The Diamond Model covers the adversary (who), the capability (how), the infrastructure (what the attacker used), and the victim (the target).
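The Diamond Model attribution step described above (linking events that share a feature and carrying a known adversary across the links) is easier to see in code, so here is an added example written for this page rather than taken from the CCST material or from the Diamond Model paper. The event records, the adversary labels, and the pivot features are constructed assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four Diamond Model features."""
    event_id: str
    capability: str                  # the "how": malware family, tool, exploit
    infrastructure: str              # the "what": C2 domain, IP, sender address
    victim: str                      # the target: host, user or organisation
    adversary: Optional[str] = None  # the "who", usually unknown at first


def link_events(events, pivot_on=("capability", "infrastructure")):
    """Group events into activity threads by pivoting on shared features.

    Two events that share a capability or a piece of infrastructure are
    linked; links are transitive (union-find), so A~B and B~C puts A, B and C
    in one thread.  Returns {thread_root_id: [event ids]}.
    """
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}
    for e in events:
        for feature in pivot_on:
            key = (feature, getattr(e, feature))
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])
            else:
                first_seen[key] = e.event_id

    threads = defaultdict(list)
    for e in events:
        threads[find(e.event_id)].append(e.event_id)
    return dict(threads)


def attribute_events(events, pivot_on=("capability", "infrastructure")):
    """Propagate a known adversary across each activity thread.

    Returns {event_id: label}: the adversary name, 'unknown' when no event in
    the thread is attributed, or 'CONFLICT(a|b)' when one thread links two
    different known adversaries.  A conflict usually means a pivot feature is
    shared (a public tool, rented hosting) and is not a safe pivot.
    """
    by_id = {e.event_id: e for e in events}
    result = {}
    for members in link_events(events, pivot_on).values():
        known = sorted({by_id[m].adversary for m in members if by_id[m].adversary})
        if not known:
            label = "unknown"
        elif len(known) == 1:
            label = known[0]
        else:
            label = "CONFLICT(" + "|".join(known) + ")"
        for m in members:
            result[m] = label
    return result


# Constructed events, not from a real incident.  Only ev1 starts out attributed.
EVENTS = [
    DiamondEvent("ev1", "RAT-A", "c2.evil.example", "finance-ws01", adversary="GROUP-42"),
    DiamondEvent("ev2", "RAT-A", "203.0.113.10", "hr-laptop07"),
    DiamondEvent("ev3", "webshell-B", "203.0.113.10", "web-dmz01"),
    DiamondEvent("ev4", "cryptominer", "pool.mine.example", "dev-build03"),
]
# Same events plus one more that reuses the 203.0.113.10 infrastructure but
# belongs to a different known adversary: the pivot now produces a conflict.
CONFLICT_EVENTS = EVENTS + [
    DiamondEvent("ev5", "tool-C", "203.0.113.10", "mail-edge02", adversary="GROUP-7"),
]

if __name__ == "__main__":
    print(attribute_events(EVENTS))                            # ev1..ev3 -> GROUP-42, ev4 -> unknown
    print(attribute_events(EVENTS, pivot_on=("capability",)))  # ev3 stays unknown
    print(attribute_events(CONFLICT_EVENTS))                   # the 203.0.113.10 thread conflicts
```

Two things the run shows that the description alone does not: attribution is only as good as the pivot features you trust (pivoting on capability alone leaves ev3 unattributed), and a thread that links two known adversaries is a signal to stop and question the pivot, not to pick one of them.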
Conclusion
These attack attribution models are covered by the CCST Cybersecurity in the Incident Handling domain. The three models are summarized here in some detail, but the exam itself covers only their basics. Further study is needed if you want to go for additional certifications or job skills. I do have the CCST Cybersecurity certification and will be doing the CCNA Cybersecurity exam later this year.
Azure Virtual Networks and Network Security Groups
Azure Virtual Networks (VNets) are used together with Network Security Groups (NSGs) to handle the networking side of Azure, Microsoft's cloud platform. NSGs act like basic firewalls: they allow or deny traffic according to rules that match source and destination addresses, ports, and protocols, and they are applied to a subnet or to a specific network interface. VNets, on the other hand, are the private networks into which Azure resources are grouped and which can be interconnected.
Azure Virtual Networks (VNets)
Azure VNets are the isolation boundary for your network in Azure: each VNet has its own private address space, which you segment into subnets and from which resources receive their IP addresses. VNets can be peered with each other or connected to an on-premises network through a VPN. The VNet is the fundamental building block of Azure networking and carries both private and public-facing workloads.
Hybrid connectivity means a VPN gateway or ExpressRoute can connect on-premises data centers to the VNet. VNet peering connects VNets to each other and scales to complex topologies such as hub-and-spoke. Azure Virtual Network Manager can manage networks at scale across subscriptions. A VNet is not the same as a subnet: the VNet is the whole address space, and its subnets play the role that VLANs play on an on-premises network.
Azure Network Security Groups (NSGs)
Network Security Groups filter traffic within a VNet, allowing or denying a specific IP address or a range of addresses. They are often used alongside route tables (user-defined routes), but the two do different jobs: a route table decides where traffic is forwarded, while an NSG only decides whether it is allowed. NSG rules can also match on ports and protocols in addition to subnets and specific IP addresses.
NSGs are stateful layer 3 and 4 filters: each rule matches source and destination addresses, ports, and protocol, and return traffic for an allowed flow is permitted automatically. Rules are evaluated in priority order, lowest number first, and the first match wins; behind the custom rules sit Azure's built-in default rules, which end in a deny-all in each direction. An NSG can be associated with a subnet or with a network interface card (NIC). Associating it with the subnet is the usual best practice and keeps management simple, because every NIC in that subnet inherits the subnet's rules. If you associate NSGs at both levels, inbound traffic must be allowed by the subnet NSG and then by the NIC NSG, so a rule missing on either side blocks the flow.
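The priority, default-rule, and subnet-plus-NIC behaviour is where NSG mistakes actually happen, so here is an added example written for this page (not Microsoft code and not the real Azure evaluation engine) that models it on constructed rule sets and flows. The VNet address space, the two sample NSGs, and the simplified meaning of the Internet service tag (anything outside the VNet) are assumptions:

```python
import ipaddress
from dataclasses import dataclass

# Assumed VNet address space; the VirtualNetwork service tag expands to it.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB = ipaddress.ip_address("168.63.129.16")   # AzureLoadBalancer tag


@dataclass
class Rule:
    priority: int        # 100-4096 for custom rules; lower number evaluated first
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # CIDR, single IP, service tag or "*"
    dest: str
    dest_ports: str      # "443", "22-23", "80,443" or "*"
    direction: str = "Inbound"
    name: str = ""


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str = "Tcp"
    direction: str = "Inbound"


def default_rules(direction):
    """Azure's built-in rules: they sit behind every custom rule and end in deny-all."""
    if direction == "Inbound":
        return [Rule(65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*", "Inbound", "AllowVnetInBound"),
                Rule(65001, "Allow", "*", "AzureLoadBalancer", "*", "*", "Inbound", "AllowAzureLoadBalancerInBound"),
                Rule(65500, "Deny", "*", "*", "*", "*", "Inbound", "DenyAllInBound")]
    return [Rule(65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*", "Outbound", "AllowVnetOutBound"),
            Rule(65001, "Allow", "*", "*", "Internet", "*", "Outbound", "AllowInternetOutBound"),
            Rule(65500, "Deny", "*", "*", "*", "*", "Outbound", "DenyAllOutBound")]


def _addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET_SPACE
    if spec == "Internet":              # simplified: anything outside the VNet
        return ip not in VNET_SPACE
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "*":
        return True
    for piece in spec.split(","):
        lo, _, hi = piece.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_nsg(rules, flow):
    """First matching rule in priority order decides; the default rules come last."""
    candidates = [r for r in rules if r.direction == flow.direction] + default_rules(flow.direction)
    for rule in sorted(candidates, key=lambda r: r.priority):
        if ((rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower())
                and _addr_match(rule.source, flow.src_ip)
                and _addr_match(rule.dest, flow.dst_ip)
                and _port_match(rule.dest_ports, flow.dst_port)):
            return rule.access, rule.name or "priority %d" % rule.priority
    return "Deny", "no rule"   # unreachable: the deny-all default always matches


def evaluate_flow(flow, subnet_nsg=None, nic_nsg=None):
    """Inbound: subnet NSG first, then NIC NSG; outbound: NIC first, then subnet.

    Both must allow.  Returns (access, which NSG and rule decided it).
    """
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if flow.direction == "Outbound":
        order.reverse()
    for where, rules in order:
        if rules is None:
            continue
        access, name = evaluate_nsg(rules, flow)
        if access == "Deny":
            return "Deny", where + ":" + name
    return "Allow", "all NSGs allowed"


# Constructed subnet NSG for a web tier: HTTPS open to the Internet.
WEB_SUBNET_NSG = [Rule(100, "Allow", "Tcp", "Internet", "*", "443", name="AllowHttpsIn")]

# Constructed NIC NSG with two common mistakes: the Allow at 200 is shadowed by
# the Deny at 100, and nothing allows HTTPS, so the NIC's DenyAllInBound blocks
# traffic the subnet NSG already allowed.
WEB_NIC_NSG = [Rule(100, "Deny", "Tcp", "*", "*", "3389", name="DenyRdpIn"),
               Rule(200, "Allow", "Tcp", "*", "*", "3389", name="AllowRdpIn")]

if __name__ == "__main__":
    https = Flow("198.51.100.7", "10.0.1.4", 443)
    print(evaluate_flow(https, WEB_SUBNET_NSG, WEB_NIC_NSG))   # ('Deny', 'nic:DenyAllInBound')
    print(evaluate_flow(https, WEB_SUBNET_NSG))                # ('Allow', 'all NSGs allowed')
```

The first call is the surprise people hit in practice: the subnet NSG allows HTTPS, but the NIC NSG has no matching rule, so its default DenyAllInBound wins and the connection fails. Dropping the NIC NSG, or adding the same allow there, fixes it. The RDP pair shows priority ordering: the Allow at 200 is never reached because the Deny at 100 matches first.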
Conclusion
Understanding VNets and NSGs will teach you more about the security side of Azure. For me this understanding is more of an extension of the SC-900 that I have, and it delves into more of the networking side of Azure, which is covered by the AZ-700 training materials. To truly understand something, you need to learn it and then teach the material to someone else.