Penetration Testing with Kali Linux OffSec


Date: 21.12.2023
PEN-200

attack surface[32] describes all the points of contact on our system or network that could be vulnerable to exploitation. An attack vector[33] is a specific vulnerability and exploitation combination that can further a threat actor’s objectives. Defenders attempt to reduce their attack surfaces as much as possible, while attackers try to probe a given attack surface to locate promising attack vectors.

3.2.3 Threat Actor Classifications

The previous section introduced threats and threat actors. Cybersecurity professionals are chiefly interested in threat actors since typically, most threats that our systems, networks, and enterprises are vulnerable to are human. Some key attributes of cybercrime compared to physical crime include its relative anonymity, the ability to execute attacks at a distance, and (typically) a lack of physical danger and monetary cost.

There are a wide variety of threat actors. Different people and groups have various levels of technical sophistication, different resources, personal motivations, and a variety of legal and moral systems guiding their behavior. While we cannot list out every kind of threat actor, there are several high-level classifications to keep in mind:

Individual Malicious Actors: On the most superficial level, anyone attempting to do something that they are not supposed to do fits into this category. In cybersecurity, malicious actors can explore digital tactics that are unintended by developers, such as authenticating to restricted services, stealing credentials, and defacing websites.

The case of Paige Thompson[34] is an example of how an individual attacker can cause extreme amounts of damage and loss. In July 2019, Thompson was arrested for exploiting a router which had unnecessarily high privileges to download the private information of 100 million people from Capital One. This attack led to the loss of personal information including SSNs, account numbers, addresses, phone numbers, email addresses, etc.

This attack[35] was partly enabled by a misconfigured Web Application Firewall (WAF) that had excessive permissions allowing it to list and read files. The attack could have been prevented[36] by applying the principle of least privilege and verifying correct configuration of the WAF. Since the attacker posted about their actions on social media, another mitigation could have been social media monitoring.
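
One way to verify the least-privilege mitigation described above, as an added example that is not part of the original course text: the script audits the permissions of a hypothetical WAF role and reports every allowed action the role does not need, noting which of them amount to listing and reading files. The AWS IAM-style policy format, the sample policy, and the list of actions the WAF requires are all assumptions; the page does not show the real configuration.

```python
import fnmatch

# Constructed sample policy for a hypothetical WAF role (AWS IAM-style JSON
# is an assumption; the page does not name the platform or show the policy).
WAF_ROLE_POLICY = {
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:/waf/*"},
        {"Sid": "Storage", "Effect": "Allow",
         "Action": ["s3:List*", "s3:GetObject"],
         "Resource": "*"},
    ],
}

# Assumption: this WAF only needs to write its own logs.
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
# Actions that amount to "list and read files" on object storage.
FILE_ACCESS_ACTIONS = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"]

def as_list(value):
    """IAM accepts either one string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy, required, sensitive=FILE_ACCESS_ACTIONS):
    """Return one finding per allowed action that the role does not need."""
    required_lc = {a.lower() for a in required}
    statements = policy.get("Statement", [])
    # A single statement object (not wrapped in a list) is also legal.
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if action.lower() in required_lc:
                continue
            # Which file list/read actions does this (possibly wildcard) grant cover?
            covered = [s for s in sensitive
                       if fnmatch.fnmatchcase(s.lower(), action.lower())]
            findings.append({"sid": stmt.get("Sid", "?"), "action": action,
                             "file_access": covered, "any_resource": any_resource})
    return findings

if __name__ == "__main__":
    for finding in audit_policy(WAF_ROLE_POLICY, REQUIRED_ACTIONS):
        print(finding)
```
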

[31] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Exploit_(computer_security)
[32] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Attack_surface
[33] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Attack_vector
[34] (DOJ, 2019), https://www.justice.gov/usao-wdwa/pr/former-seattle-tech-worker-convicted-wire-fraud-and-computer-intrusions
[35] (Krebs, 2019), https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
[36] (EJJ, 2019), https://ejj.io/blog/capital-one


PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 

Malicious Groups: When individuals band together to form groups, they often become stronger than their individual group members. This can be even more true online because the ability to communicate instantly and at vast distances enables people to achieve goals that would have been impossible without such powerful communication tools. For example, the ability to quickly coordinate on who-does-what over an instant messaging service is just as valuable to malicious cyber groups as it is to modern businesses. Malicious groups can have any number of goals, but are usually more purposeful, organized, and resourceful than individuals. Thus, they are often considered to be one of the more dangerous threat actors.

Let’s examine an example of a group-led attack. Over the span of a number of months, the 
