Threat Complexity (38.1.12)
The threat landscape has continued to expand, not only in the number of attack vectors but also in their complexity.
An advanced persistent threat (APT) is a continuous attack that uses elaborate espionage tactics involving multiple actors and/or sophisticated malware to gain access to the target’s network. Attackers remain undetected for a long period of time, with potentially devastating consequences. APTs typically target governments and high-level organizations and are usually well-orchestrated and well-funded.
As the name suggests, algorithm attacks take advantage of algorithms in a piece of legitimate software to generate unintended behaviors. For example, algorithms used to track and report how much energy a computer consumes can be used to select targets or trigger false alerts. They can also disable a computer by forcing it to use up all its RAM or by overworking its central processing unit (CPU).
Backdoors and Rootkits (38.1.13)
Cybercriminals also use many different types of malicious software to carry out their attacks.
Backdoors
Backdoor programs, such as Netbus and Back Orifice, are used by cybercriminals to gain unauthorized access to systems by bypassing the normal authentication procedures.
Cybercriminals typically have authorized users unknowingly run a remote administrative tool (RAT) program on their computer that installs a backdoor. The backdoor gives the criminal administrative control over a target computer. Backdoors grant cybercriminals continued access to a system, even if the organization has fixed the original vulnerability used to attack the system.
Rootkits
A rootkit is malware designed to modify the operating system to create a backdoor that attackers can then use to access the computer remotely.
Most rootkits take advantage of software vulnerabilities to gain access to resources that normally shouldn’t be accessible (privilege escalation) and modify system files.
Rootkits can also modify system forensics and monitoring tools, making them very hard to detect. In most cases, a computer infected by a rootkit has to be wiped and any required software reinstalled.
Threat Intelligence and Research Sources (38.1.14)
The United States Computer Emergency Readiness Team (US-CERT) and the U.S. Department of Homeland Security sponsor a database of common vulnerabilities and exposures (CVEs). These CVEs have been widely adopted as a way to describe and reference known vulnerabilities.
Each CVE entry contains a standard identifier number, a brief description of the security vulnerability, and any important references to related vulnerability reports. The CVE list is maintained by a not-for-profit, the MITRE Corporation, on its public website.
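The standard identifier has the form CVE-<year>-<sequence>, where the sequence is at least four digits and may be longer. The following added example (not part of the course, with constructed sample records and placeholder identifiers rather than real CVE data) validates identifiers and indexes entries by year, sorting numerically so that a five-digit sequence number is ordered correctly.

```python
import re

# CVE identifiers: "CVE-" + four-digit year + "-" + sequence of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample records shaped like CVE list entries (id, description,
# references). The years 2098/2099 are placeholders, not real CVE identifiers.
SAMPLE_RECORDS = [
    {"id": "CVE-2099-0001", "description": "Constructed entry.", "references": ["https://example.invalid/adv/1"]},
    {"id": "CVE-2099-10000", "description": "Constructed entry with a five-digit sequence.", "references": []},
    {"id": "CVE-2099-9999", "description": "Constructed entry.", "references": ["https://example.invalid/adv/3"]},
    {"id": "CVE-2098-4242", "description": "Constructed entry from another year.", "references": []},
    {"id": "cve-2099-0002", "description": "Malformed: lowercase prefix.", "references": []},
    {"id": "CVE-99-0003", "description": "Malformed: two-digit year.", "references": []},
    {"id": "CVE-2099-123", "description": "Malformed: sequence too short.", "references": []},
]


def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, or None if malformed."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def validate_records(records):
    """Split records into well-formed and malformed identifiers, preserving order."""
    good, bad = [], []
    for rec in records:
        (good if parse_cve_id(rec["id"]) else bad).append(rec["id"])
    return good, bad


def index_by_year(records):
    """Group well-formed IDs by year, ordered by numeric sequence within each year."""
    index = {}
    for rec in records:
        parsed = parse_cve_id(rec["id"])
        if parsed is None:
            continue
        year, seq = parsed
        index.setdefault(year, []).append((seq, rec["id"]))
    return {year: [cid for _, cid in sorted(entries)] for year, entries in index.items()}


if __name__ == "__main__":
    good, bad = validate_records(SAMPLE_RECORDS)
    print("well-formed:", good)
    print("malformed:", bad)
    print("by year:", index_by_year(SAMPLE_RECORDS))
```

Sorting on the parsed integer matters: a plain string sort would place CVE-2099-10000 before CVE-2099-9999, which is wrong once sequence numbers pass four digits.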
The following are some other sources of threat intelligence.
The Dark Web
This refers to encrypted web content that is not indexed by conventional search engines and requires specific software, authorization, or configurations to access. Expert researchers monitor the dark web for new threat intelligence.
Indicator of Compromise (IOC)
IOCs such as malware signatures or malicious domain names provide evidence of security breaches and details about them.
Automated Indicator Sharing (AIS)
Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of cybersecurity threat indicators using a standardized and structured language. Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) are standards used in AIS.
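To tie the two previous items together, the following added example (not course material; all IOCs, hashes and log lines are constructed) wraps a malicious domain and a file hash as STIX 2.1 Indicator objects, the structured form AIS exchanges, and then runs those indicators as detection logic over sample log lines. Only the single-comparison STIX pattern form is handled here; a full pattern grammar and the TAXII transport are out of scope.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed IOCs: a C2 domain and a SHA-256 file hash (neither is real).
SAMPLE_IOCS = [
    {"type": "domain-name", "value": "malware-c2.example.invalid", "description": "constructed C2 domain"},
    {"type": "file",
     "hash": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "description": "constructed malware sample hash"},
]

# Constructed DNS and process-execution log lines in a simple key=value format.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z host=ws01 event=dns query=www.example.invalid",
    "2024-01-01T10:00:05Z host=ws01 event=dns query=malware-c2.example.invalid",
    "2024-01-01T10:00:07Z host=ws02 event=exec sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2024-01-01T10:00:09Z host=ws03 event=dns query=updates.example.invalid",
]


def make_stix_indicator(ioc, now=None):
    """Build a STIX 2.1 Indicator object whose pattern encodes one IOC."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    if ioc["type"] == "domain-name":
        pattern = f"[domain-name:value = '{ioc['value']}']"
    elif ioc["type"] == "file":
        pattern = f"[file:hashes.'SHA-256' = '{ioc['hash']}']"
    else:
        raise ValueError("unsupported IOC type")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": ioc["description"],
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


# Matches only the equality form "[object:path = 'value']".
SIMPLE_PATTERN_RE = re.compile(r"^\[(?P<path>[\w.:'-]+) = '(?P<value>[^']*)'\]$")

# Map STIX object paths to the field names used in the constructed log format.
PATH_TO_LOG_FIELD = {"domain-name:value": "query", "file:hashes.'SHA-256'": "sha256"}


def pattern_to_matcher(pattern):
    """Turn a single-comparison STIX pattern into a (log field, expected value) pair."""
    m = SIMPLE_PATTERN_RE.match(pattern)
    if not m or m.group("path") not in PATH_TO_LOG_FIELD:
        raise ValueError(f"unsupported pattern: {pattern}")
    return PATH_TO_LOG_FIELD[m.group("path")], m.group("value")


def parse_log_line(line):
    """Parse a constructed key=value log line into a dict; the timestamp is stored under 'ts'."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def match_indicators(indicators, log_lines):
    """Return (indicator id, log line) pairs for every log line that hits an indicator."""
    matchers = [(ind["id"],) + pattern_to_matcher(ind["pattern"]) for ind in indicators]
    hits = []
    for line in log_lines:
        fields = parse_log_line(line)
        for ind_id, field, value in matchers:
            if fields.get(field) == value:
                hits.append((ind_id, line))
    return hits


def demo():
    """Convert the constructed IOCs to STIX and scan the constructed logs with them."""
    indicators = [make_stix_indicator(ioc) for ioc in SAMPLE_IOCS]
    return match_indicators(indicators, SAMPLE_LOGS)


if __name__ == "__main__":
    for ind_id, line in demo():
        print(ind_id, "->", line)
```

Exchanging indicators as STIX objects rather than as a free-text list is what lets a consumer feed them straight into matching logic like the above without re-parsing each source's own format; in practice the indicator's `valid_from` (and an optional `valid_until`) should also be checked so that stale IOCs age out.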
Check Your Understanding—Common Threats (38.1.15)
Refer to the online course to complete this activity.