1.2.1 Cyber-security Adversaries
Attackers come in different forms. Some of the ways they might differ are:
- internal vs external attackers
- Their level of sophistication
- Access to resources
Attackers range all the way from a a fairly unskilled lone wolf attacker, whose out for the thrill of breaking into systems, all the way up to secretive government agencies with access to almost unlimited human and financial resources.
These are unskilled attackers who reuse hacking tools developed by others.
These use hacking tools to advance political and social agendas.
Organised crime groups are believed to be behind some ransomware attacks and other types of cyber extortion. They may possess advanced technical skills and then use them primarily for financial gain.
Competitors may target a business seeking to obtain proprietary information that would give them a business advantage. This type of corporate espionage isn’t limited to the business world either. For example, the St. Louis Cardinals baseball team was severely punished in 2017 for conducting a hacking attack against the Houston Astros in an effort by a former scouting director to steal crucial player scouting information.
Nation-states are among the most advanced attackers, often sponsoring advanced persistent threat, or APT groups, consisting of hundreds or thousands of highly skilled and well funded individuals. APT groups often are military units or have military training. They employ extremely advanced tools and are very difficult to detect.
1.2.2 Preventing Insider Threats
The most dangerous threats exist within the walls of the enterprise. The most costly and dangerous attacks are often perpetrated by trusted individuals (EG: disgruntled IT staff going rogue…). Current and former employees, contractors and other insiders may exploit their privileged access to the systems to steal money, information or just cause havoc. These are known as insider threats. More than half of all organisations that experienced a security breach fell victim to an insider attack.
Insiders conducting attacks often plan these attacks in advance and there may be signs, such as them visiting hacking websites from their work computer.
You can prevent against insider attacks by using common human resources practices. these include
- background checks to uncover past history of legal issues
- following the principle of least privilege that says a user should only have the minimum permissions necessary to perform their job functions
- Disabling accounts when an employee leaves
- regularly changing admin passwords
1.2.3 Threat Intelligence
Broadly defined, threat intelligence consist of the set of activities that an organisation undertakes to educate itself about changes in the cyber-security threat landscape, an integrate information about changing threats into its cybersecurity operations.
There is a ton of information available online about cybersecurity threats. Every security professional should take the time to remain current on the field. Gathering information from freely available public sources is known as open-source intelligence. Some of the more common sources of open-source intelligence include security websites, the general news media, social media, government-sponsored cybersecurity analysis centres, and security research organisations.