WEBVTT

1
00:00:00.000 --> 00:00:01.200
<v Instructor>In this lesson,</v>

2
00:00:01.200 --> 00:00:04.740
we will learn about threat actor capabilities.

3
00:00:04.740 --> 00:00:08.220
Threat actor capabilities are the skills, tools,

4
00:00:08.220 --> 00:00:12.660
and expertise that attackers possess to identify

5
00:00:12.660 --> 00:00:16.410
and exploit vulnerabilities in a target system.

6
00:00:16.410 --> 00:00:19.890
Threat actor characteristics include capabilities

7
00:00:19.890 --> 00:00:24.570
such as knowledge, vulnerability creation, exploit creation,

8
00:00:24.570 --> 00:00:26.970
and supply chain access.

9
00:00:26.970 --> 00:00:30.690
Threat actor knowledge encompasses an understanding

10
00:00:30.690 --> 00:00:33.990
of a target's systems and defenses.

11
00:00:33.990 --> 00:00:38.100
Next, vulnerability creation involves the ability

12
00:00:38.100 --> 00:00:42.270
to introduce new vulnerabilities within a system.

13
00:00:42.270 --> 00:00:44.880
Exploit creation, on the other hand,

14
00:00:44.880 --> 00:00:48.210
refers to the development of tools or methods

15
00:00:48.210 --> 00:00:51.930
to take advantage of identified vulnerabilities.

16
00:00:51.930 --> 00:00:55.410
Finally, supply chain access represents

17
00:00:55.410 --> 00:00:59.130
an advanced capability where attackers infiltrate

18
00:00:59.130 --> 00:01:02.220
third-party vendors or service providers

19
00:01:02.220 --> 00:01:05.460
to compromise the target indirectly.

20
00:01:05.460 --> 00:01:08.880
Let's learn more about the threat actor capabilities

21
00:01:08.880 --> 00:01:13.380
of knowledge, vulnerability creation, exploit creation,

22
00:01:13.380 --> 00:01:15.900
and supply chain access.

23
00:01:15.900 --> 00:01:18.360
First, we have knowledge.

24
00:01:18.360 --> 00:01:21.960
Knowledge is an understanding of a target's systems,

25
00:01:21.960 --> 00:01:25.020
defenses, and vulnerabilities.

26
00:01:25.020 --> 00:01:28.620
Attackers gain this awareness through reconnaissance

27
00:01:28.620 --> 00:01:31.890
or by obtaining insider information.

28
00:01:31.890 --> 00:01:36.150
For example, a threat actor might study the architecture

29
00:01:36.150 --> 00:01:40.320
of a company's network by scanning for open ports,

30
00:01:40.320 --> 00:01:43.560
services and exposed endpoints.

31
00:01:43.560 --> 00:01:46.680
A less sophisticated attacker might use

32
00:01:46.680 --> 00:01:50.730
freely available tools to gather this information,

33
00:01:50.730 --> 00:01:55.140
while a more advanced attacker could employ stealthier methods

34
00:01:55.140 --> 00:01:59.100
like custom-built scripts to avoid detection.

35
00:01:59.100 --> 00:02:02.700
As they learn more about the target's infrastructure,

36
00:02:02.700 --> 00:02:07.200
attackers build a map of potential weak points to exploit.

37
00:02:07.200 --> 00:02:10.530
An attacker's knowledge development often begins

38
00:02:10.530 --> 00:02:14.490
with passive reconnaissance, gathering as much information

39
00:02:14.490 --> 00:02:19.320
as possible without directly interacting with the target.

40
00:02:19.320 --> 00:02:22.860
The primary method here is open source intelligence,

41
00:02:22.860 --> 00:02:25.680
or OSINT, where attackers leverage

42
00:02:25.680 --> 00:02:29.850
publicly available resources to gather insights.

43
00:02:29.850 --> 00:02:33.450
For instance, they might search for public records,

44
00:02:33.450 --> 00:02:36.720
scan social media for employee information,

45
00:02:36.720 --> 00:02:40.680
or review a target's website for technical details.

46
00:02:40.680 --> 00:02:45.300
OSINT allows them to compile a substantial amount of data

47
00:02:45.300 --> 00:02:49.680
on the target's structure, technologies and personnel

48
00:02:49.680 --> 00:02:53.580
from the information that already exists on the internet.

49
00:02:53.580 --> 00:02:57.750
As their understanding grows, attackers shift their efforts

50
00:02:57.750 --> 00:03:02.220
to active reconnaissance, which means they directly interact

51
00:03:02.220 --> 00:03:05.580
with the target usually by running scans

52
00:03:05.580 --> 00:03:10.290
on public interfaces to pinpoint vulnerabilities directly.

53
00:03:10.290 --> 00:03:14.160
The sophistication level required for knowledge gathering

54
00:03:14.160 --> 00:03:16.260
depends on the detail and stealth

55
00:03:16.260 --> 00:03:18.600
the attacker wants to achieve.

56
00:03:18.600 --> 00:03:23.130
A basic scan with easily accessible tools like Nmap

57
00:03:23.130 --> 00:03:25.680
can reveal information quickly.

58
00:03:25.680 --> 00:03:29.730
However, stealthier methods require additional skills

59
00:03:29.730 --> 00:03:33.360
in evasion, such as encrypting communications

60
00:03:33.360 --> 00:03:35.910
or spoofing IP addresses.

61
00:03:35.910 --> 00:03:39.600
Second, we have vulnerability creation.

62
00:03:39.600 --> 00:03:42.600
Vulnerability creation is the capability

63
00:03:42.600 --> 00:03:46.260
to introduce new weaknesses in a system,

64
00:03:46.260 --> 00:03:51.090
often by tampering with software, configuring systems,

65
00:03:51.090 --> 00:03:53.430
or influencing employees.

66
00:03:53.430 --> 00:03:57.720
For example, an attacker might insert malicious code

67
00:03:57.720 --> 00:04:02.720
into an open source project used by a target organization.

68
00:04:03.270 --> 00:04:06.570
This requires a higher level of sophistication

69
00:04:06.570 --> 00:04:10.530
as the attacker needs to understand both the code base

70
00:04:10.530 --> 00:04:12.660
and the target's processes

71
00:04:12.660 --> 00:04:15.900
to make the vulnerability appear legitimate.

72
00:04:15.900 --> 00:04:19.560
Vulnerability creation can also involve physical

73
00:04:19.560 --> 00:04:24.000
or social manipulation, like convincing an employee

74
00:04:24.000 --> 00:04:28.290
to make a configuration change or leave a device connected

75
00:04:28.290 --> 00:04:30.570
to an insecure network.

76
00:04:30.570 --> 00:04:35.160
So to develop the capability for vulnerability creation,

77
00:04:35.160 --> 00:04:38.820
attackers need strong technical skills in programming

78
00:04:38.820 --> 00:04:43.140
and system configuration, along with a deep understanding

79
00:04:43.140 --> 00:04:46.860
of the specific systems they want to target.

80
00:04:46.860 --> 00:04:50.760
Skilled attackers might analyze commonly-used software

81
00:04:50.760 --> 00:04:52.980
in the target organization,

82
00:04:52.980 --> 00:04:57.780
searching for opportunities to add malicious code subtly.

83
00:04:57.780 --> 00:05:01.950
Or attackers might exploit open source contributions,

84
00:05:01.950 --> 00:05:05.700
embedding vulnerabilities in widely used libraries

85
00:05:05.700 --> 00:05:09.000
that are used by the target organization.

86
00:05:09.000 --> 00:05:12.900
Overall, vulnerability creation requires patience

87
00:05:12.900 --> 00:05:15.840
and is often a long-term approach,

88
00:05:15.840 --> 00:05:19.980
as attackers aim to introduce malicious network changes

89
00:05:19.980 --> 00:05:24.270
that go unnoticed but could be exploited later.

90
00:05:24.270 --> 00:05:27.300
Third, we have exploit creation.

91
00:05:27.300 --> 00:05:31.500
Exploit creation is the development of tools or techniques

92
00:05:31.500 --> 00:05:34.230
designed to take advantage of known

93
00:05:34.230 --> 00:05:38.790
or newly discovered vulnerabilities in IT systems.

94
00:05:38.790 --> 00:05:42.840
This capability is essential for sophisticated attackers,

95
00:05:42.840 --> 00:05:45.990
enabling them to leverage newly-discovered

96
00:05:45.990 --> 00:05:50.970
or previously unidentified weaknesses to compromise systems

97
00:05:50.970 --> 00:05:53.190
to gain unauthorized access.

98
00:05:53.190 --> 00:05:56.400
For example, a hacker might write code

99
00:05:56.400 --> 00:06:01.200
to exploit a buffer overflow in a specific software version

100
00:06:01.200 --> 00:06:04.080
used by the target organization.

101
00:06:04.080 --> 00:06:06.960
Basic exploit creation can be achieved

102
00:06:06.960 --> 00:06:10.440
using readily available scripts and tools,

103
00:06:10.440 --> 00:06:12.360
while advanced exploits,

104
00:06:12.360 --> 00:06:15.180
like those used in zero-day attacks,

105
00:06:15.180 --> 00:06:18.327
require in-depth knowledge of the software

106
00:06:18.327 --> 00:06:22.170
and the ability to craft payloads tailored precisely

107
00:06:22.170 --> 00:06:25.260
on the vulnerability being attacked.

108
00:06:25.260 --> 00:06:28.350
Developing exploit creation capabilities

109
00:06:28.350 --> 00:06:31.980
demands programming skills, a solid understanding

110
00:06:31.980 --> 00:06:34.050
of security vulnerabilities

111
00:06:34.050 --> 00:06:37.890
and patience for extensive testing and refinement.

112
00:06:37.890 --> 00:06:42.450
Skilled actors often experiment with multiple techniques,

113
00:06:42.450 --> 00:06:45.120
learning to manipulate vulnerabilities

114
00:06:45.120 --> 00:06:47.340
in diverse environments.

115
00:06:47.340 --> 00:06:50.400
To achieve a high level of sophistication,

116
00:06:50.400 --> 00:06:54.540
attackers may develop or discover zero-day exploits

117
00:06:54.540 --> 00:06:58.470
for vulnerabilities that are not yet publicly disclosed

118
00:06:58.470 --> 00:07:02.040
or patched, requiring sometimes months

119
00:07:02.040 --> 00:07:04.050
of research and trial.

120
00:07:04.050 --> 00:07:06.300
This ability is usually reserved

121
00:07:06.300 --> 00:07:08.880
for well-resourced threat actors

122
00:07:08.880 --> 00:07:11.160
or specialized hacking groups.

123
00:07:11.160 --> 00:07:15.600
Fourth and last, we have supply chain access.

124
00:07:15.600 --> 00:07:19.980
Supply chain access is an advanced threat actor capability

125
00:07:19.980 --> 00:07:24.180
that targets third-party vendors or service providers

126
00:07:24.180 --> 00:07:27.930
to indirectly compromise a primary target.

127
00:07:27.930 --> 00:07:30.330
By exploiting a trusted vendor,

128
00:07:30.330 --> 00:07:32.580
attackers can insert malware

129
00:07:32.580 --> 00:07:36.270
into legitimate software updates or services,

130
00:07:36.270 --> 00:07:39.210
bypassing traditional security measures,

131
00:07:39.210 --> 00:07:42.930
and gaining access to their intended target.

132
00:07:42.930 --> 00:07:46.890
One of the most notable examples of this type of attack

133
00:07:46.890 --> 00:07:50.370
was the SolarWinds breach where attackers compromised

134
00:07:50.370 --> 00:07:54.600
the Orion software platform used by numerous government

135
00:07:54.600 --> 00:07:56.430
and corporate clients.

136
00:07:56.430 --> 00:08:00.480
This allowed attackers to embed a backdoor in the software,

137
00:08:00.480 --> 00:08:03.870
which was distributed through trusted software updates

138
00:08:03.870 --> 00:08:08.220
and went undetected for months, giving the attackers access

139
00:08:08.220 --> 00:08:10.920
to critical networks globally.

140
00:08:10.920 --> 00:08:13.980
This capability is highly sophisticated

141
00:08:13.980 --> 00:08:17.670
and requires extensive planning, a deep understanding

142
00:08:17.670 --> 00:08:20.550
of the target's supply chain relationships,

143
00:08:20.550 --> 00:08:24.030
and knowledge of vendor security practices.

144
00:08:24.030 --> 00:08:28.440
In a supply chain attack, attackers carefully select vendors

145
00:08:28.440 --> 00:08:31.620
with widespread access to their targets

146
00:08:31.620 --> 00:08:36.480
and potentially weaker security defenses than their targets.

147
00:08:36.480 --> 00:08:39.510
Attackers may use tactics like spear phishing,

148
00:08:39.510 --> 00:08:42.660
social engineering, or direct exploitation

149
00:08:42.660 --> 00:08:46.410
of the vendors' systems to implant malicious code

150
00:08:46.410 --> 00:08:48.780
within legitimate updates.

151
00:08:48.780 --> 00:08:52.770
This supply chain approach means the attack can infiltrate

152
00:08:52.770 --> 00:08:56.040
multiple organizations simultaneously,

153
00:08:56.040 --> 00:08:59.430
often remaining undetected until well after

154
00:08:59.430 --> 00:09:03.030
the compromise has occurred, underscoring the resources

155
00:09:03.030 --> 00:09:06.480
and planning involved in such an attack.

156
00:09:06.480 --> 00:09:08.820
To mitigate supply chain risks,

157
00:09:08.820 --> 00:09:11.460
organizations should thoroughly vet

158
00:09:11.460 --> 00:09:13.680
vendor security practices,

159
00:09:13.680 --> 00:09:17.340
implement strict update verification processes,

160
00:09:17.340 --> 00:09:21.210
and continuously monitor for unusual activity

161
00:09:21.210 --> 00:09:24.240
linked to third-party integrations.

162
00:09:24.240 --> 00:09:28.590
Understanding how threat actors leverage supply chain access

163
00:09:28.590 --> 00:09:32.400
helps organizations prioritize security measures

164
00:09:32.400 --> 00:09:35.040
that address potential vulnerabilities

165
00:09:35.040 --> 00:09:38.730
in vendor relationships, reducing the impact

166
00:09:38.730 --> 00:09:43.730
of any compromised updates or services on their systems.

167
00:09:43.860 --> 00:09:48.860
So remember, threat actor capabilities refer to the skills,

168
00:09:49.740 --> 00:09:53.910
tools, and expertise attackers use to find

169
00:09:53.910 --> 00:09:57.870
and exploit vulnerabilities in target systems.

170
00:09:57.870 --> 00:10:02.870
Key capabilities include knowledge, vulnerability creation,

171
00:10:02.880 --> 00:10:06.960
exploit creation, and supply chain access.

172
00:10:06.960 --> 00:10:10.230
Knowledge allows attackers to gather intelligence

173
00:10:10.230 --> 00:10:15.210
on a target's systems and defenses through reconnaissance.

174
00:10:15.210 --> 00:10:19.140
Vulnerability creation involves introducing weaknesses

175
00:10:19.140 --> 00:10:22.140
in systems often through code tampering

176
00:10:22.140 --> 00:10:24.120
or social engineering.

177
00:10:24.120 --> 00:10:28.890
Next, exploit creation enables attackers to develop tools

178
00:10:28.890 --> 00:10:33.570
to leverage vulnerabilities, including zero-day exploits.

179
00:10:33.570 --> 00:10:37.740
And finally, supply chain access allows attackers

180
00:10:37.740 --> 00:10:40.440
to infiltrate a primary target

181
00:10:40.440 --> 00:10:44.010
by compromising trusted third-party vendors,

182
00:10:44.010 --> 00:10:48.090
requiring advanced planning and a deep understanding

183
00:10:48.090 --> 00:10:51.273
of the target's IT ecosystem.

