Cybersecurity Fundamentals – Threat and Attack Terminology
In the first post of this blog series, we’ll cover the fundamentals of cybersecurity, and understanding basic terminology so you can feel comfortable “talking the talk.” Over the next few weeks, we’ll build on this introductory knowledge, and review more complex terms and methodologies that will help you build confidence in today’s ever-evolving threat landscape.
To start, here are some of the foundational terms and their definitions in the world cybersecurity.
Risk: Tied to any potential financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems.
Threat: Any malicious act that attempts to gain access to a computer network without authorization or permission from the owners.
Vulnerability: A flaw in a system that can leave it open to attack. This refers to any type of weakness in a computer system, or an entity’s processes and procedures that leaves information security exposed to a threat.
Exploit: As a noun, it’s an attack on a computer system that takes advantage of a particular vulnerability that has left the system open to intruders. Used as a verb, exploit refers to the act of successfully perpetrating such an attack.
Threat Actor: Also known as a malicious actor, it’s an entity that is partially or wholly responsible for an incident that affects, or has the potential to affect, an organization’s security. Examples of potential threat actors include: cybercriminals, state-sponsored actors, hacktivists, systems administrators, end-users, executives, and partners. Note that while some of these groups are obviously driven by malicious objectives, others may become threat actors through inadvertent compromise.
Threat Actions: What threat actors do or use to cause or contribute to a security incident. Every incident has at least one, but most will be comprised of multiple actions. Vocabulary for Event Recording and Incident Sharing (VERIS) uses seven threat action categories: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental.
Threat Vector: A path or tool that a threat actor uses to attack the target.
Now let’s look at how these basic terms become part of a more complex cybersecurity model. You’ve probably heard about the Cyber Kill Chain. This model outlines the various stages of a potentially successful attack. The best-known version of this model is the Lockheed Martin Kill Chain, including several phases.
Reconnaissance – Research, identification, and selection of targets, often represented as crawling internet websites, like social networks, organizational conferences, and mailing lists for email addresses, social relationships, or information on specific technologies.
Weaponization – Coupling a remote access Trojan with an exploit into a deliverable payload. Most commonly, application data files, such as PDFs or Microsoft Office documents, serve as the weaponized deliverable.
Delivery – Transmission of the weapon to the targeted environment via, for example, email attachments, websites, and USB removable media.
Exploitation – After payload delivery to victim host, exploitation triggers the intruders’ code. Exploitation targets an application or operating system vulnerability, or leverages an operating system feature that auto-executes code.
Installation – Installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
Command and Control – Advanced Persistent Threat (APT) malware typically establishes remote command and control channels so that intruders have “hands on the keyboard” access inside the target environment.
Actions on Targets – Typically the prime objective is data exfiltration, involving collecting, encrypting, and extracting information from the victim environment. Intruders may only seek access to a victim box for use as a jump point to compromise additional systems, and move laterally inside the network or attack other partner organizations.
The goal of any attack detection methodology is to identify a threat in as early a stage of the kill chain as possible. In subsequent blogs—as we build upon these foundational definitions and cover things such as attack surfaces and protection mechanisms—we will refer back to the phases of the kill chain when discussing certain threats, like malware and the role of protections such as IPS.
Note that as threat vectors have evolved and changed, the kill chain—although a good resource as a starting point—no longer covers all possibilities. This ensures that the job of a cybersecurity professional will never remain static.