Day 11. Network Security Concepts

CCNA 200-301 Exam Topics

  • Define key security concepts (threats, vulnerabilities, exploits and mitigation techniques)

  • Describe security program elements (user awareness and training, physical access control)

  • Describe security password policy elements such as management, complexity, and password alternatives (multi-factor authentication, certificates, biometrics)

Key Topics

Wired and wireless computer networks are essential to everyday activities. Individuals and organizations depend on their computers and networks. Intrusion by an unauthorized person can result in costly network outages and loss of work. Attacks on a network can be devastating and can result in lost time and money due to damage or theft of important information or assets. Today we review security fundamentals including threats, vulnerabilities, and attacks.

Security Fundamentals

Cybercriminals now have the expertise and tools necessary to take down critical infrastructure and systems. Specific terminology is used to describe their tools and attacks.

Security Terms

Assets must be identified and protected. Vulnerabilities must be addressed before they become threats and are exploited. Mitigation techniques are required before, during, and after an attack. Review the security terms in Table 11-1.

Table 11-1 Security Terms

| Term | Description |
|---|---|
| Assets | Anything of value to the organization, including people, equipment, resources, and data. |
| Vulnerability | A weakness in a system or its design that could be exploited by a threat. |
| Threat | A potential danger to a company’s assets, data, or network functionality. |
| Exploit | A mechanism that takes advantage of a vulnerability. |
| Mitigation | The process of taking countermeasures to reduce the likelihood or severity of a potential threat or risk. |
| Risk | The likelihood of a threat exploiting the vulnerability of an asset, with the aim of negatively affecting an organization. |

Attack Vectors and Data Exfiltration

An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate outside or inside a network. For example, threat actors may target a network through the Internet to disrupt network operations and create a denial of service (DoS) attack. An internal user, such as an employee, might accidentally or intentionally disrupt the network or steal confidential data. Internal threats have the potential to cause greater damage than external threats because internal users have direct access to the building and its infrastructure devices.

Employees may also have knowledge of the corporate network, its resources, and its confidential data. Data loss or data exfiltration occurs when data is intentionally or unintentionally lost, stolen, or leaked to the outside world. Network security professionals must protect the organization’s data. Various data loss prevention (DLP) controls must be implemented, combining strategic, operational, and tactical measures. Common data loss vectors are shown in Table 11-2.

Table 11-2 Data Loss Vectors

| Vector | Description |
|---|---|
| Email/social networking | Intercepted email or IM messages could be captured and reveal confidential information. |
| Unencrypted devices | If data is not stored using an encryption algorithm, a thief may be able to retrieve valuable confidential data. |
| Cloud storage devices | Sensitive data can be lost if access to the cloud is compromised due to weak security settings. |
| Removable media | An employee could perform an unauthorized transfer of data to a USB drive, or a USB drive containing valuable corporate data could be lost. |
| Hard copy | Confidential data should be shredded when no longer required. |
| Improper access control | Weak or compromised passwords can provide a threat actor with easy access to corporate data. |

Penetration Testing Tools

To validate the security of a network and its systems, many network penetration testing tools have been developed (see Table 11-3). Unfortunately, threat actors can also use many of these tools for exploitation.

Table 11-3 Types of Penetration Tools

| Tool | Description |
|---|---|
| Password crackers | Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password. Password crackers repeatedly make guesses in order to crack the password. |
| Wireless hacking tools | Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. |
| Network scanning and hacking tools | Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. |
| Packet crafting tools | These tools are used to probe and test a firewall’s robustness using specially crafted forged packets. |
| Packet sniffers | These tools are used to capture and analyze packets in traditional Ethernet LANs or WLANs. |
| Rootkit detectors | A directory and file integrity checker used by white hats to detect installed rootkits. |
| Forensic tools | These tools are used by white hat hackers to sniff out any trace of evidence existing in a computer. |
| Debuggers | These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. |
| Hacking operating systems | These are specially designed operating systems preloaded with tools optimized for hacking. |
| Encryption tools | Encryption tools use algorithm schemes to encode data to prevent unauthorized access to the encrypted data. |
| Vulnerability exploitation tools | These tools identify whether a remote host is vulnerable to a security attack. |
| Vulnerability scanners | These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and to scan virtual machines (VMs), devices brought to work by individuals in a bring-your-own-device (BYOD) situation, and client databases. |

Attack Types

Threat actors can use tools to create a variety of attacks. Table 11-4 displays common types of attacks.

Table 11-4 Common Types of Attacks

| Attack Type | Description |
|---|---|
| Eavesdropping attack | A threat actor captures and “listens” to network traffic. This attack is also referred to as sniffing or snooping. |
| Data modification attack | If threat actors have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver. |
| IP address spoofing attack | A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet. |
| Password-based attacks | A threat actor who discovers a valid user account has the same rights as the real user. A threat actor can use a valid account to obtain lists of other users or network information, change server and network configurations, and modify, reroute, or delete data. |
| Denial of service attack | A DoS attack prevents normal use of a computer or network by valid users. A DoS attack can flood a computer or an entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users. |
| Man-in-the-middle attack | This attack occurs when threat actors have positioned themselves between a source and destination. They can actively monitor, capture, and control the communication transparently. |
| Compromised-key attack | If a threat actor obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to secured communication without the sender or receiver being aware of the attack. |
| Sniffer attack | A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If packets are not encrypted, a sniffer provides a full view of the data inside the packet. |

Types of Malware

Malware, which is short for malicious software, is code or software specifically designed to damage, disrupt, steal, or inflict “bad” or illegitimate action on data, hosts, or networks. Viruses, worms, and Trojan horses are types of malware:

  • A worm executes arbitrary code and installs copies of itself in the memory of the infected computer. The main purpose of a worm is to automatically replicate itself and spread across the network from system to system.

  • A virus is malicious software that executes a specific, unwanted, often harmful function on a computer.

  • A Trojan horse is a non-self-replicating type of malware. It often contains malicious code that is designed to look like something else, such as a legitimate application or file. When an infected application or file is downloaded and opened, the Trojan horse can attack the end device from within.

Table 11-5 describes some other types of malware.

Table 11-5 Other Types of Malware

| Malware | Description |
|---|---|
| Adware | Adware is usually distributed by downloading online software. Adware can display unsolicited advertising using popup web browser windows or new toolbars, or it can unexpectedly redirect a user from a web page to a different website. Popup windows may be difficult to control, as new windows can pop up faster than the user can close them. |
| Ransomware | Ransomware typically denies a user access to his or her files by encrypting the files and then displaying a message demanding a ransom for the decryption key. Users without up-to-date backups must pay the ransom to decrypt their files. Payment is usually made using wire transfer or cryptocurrencies such as bitcoin. |
| Rootkit | Threat actors use rootkits to gain administrator account–level access to a computer. They are very difficult to detect because they can alter firewall, antivirus protection, system files, and even OS commands to conceal their presence. A rootkit can provide a backdoor to threat actors, giving them access to the PC and allowing them to upload files and install new software to be used in a distributed DoS (DDoS) attack. Special rootkit removal tools must be used to remove them, or a complete OS re-install may be required. |
| Spyware | Spyware is similar to adware but is used to gather information about the user and send it to threat actors without the user’s consent. Spyware can be a low threat, gathering browsing data, or it can be a high threat, capturing personal and financial information. |

Network Attacks

Network attacks include reconnaissance attacks, access attacks, DoS attacks, social engineering attacks, and attacks to exploit the vulnerabilities of the TCP/IP protocol suite.

Reconnaissance Attacks

Reconnaissance is information gathering. Threat actors use reconnaissance (or recon) attacks to perform unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks. Table 11-6 describes some common reconnaissance attack techniques.

Table 11-6 Reconnaissance Attack Techniques

| Technique | Description |
|---|---|
| Perform an information query of a target | The threat actor looks for initial information about a target. Various tools can be used, including a Google search, the organization’s website, and whois. |
| Initiate a ping sweep of the target network | The information query usually reveals the target’s network address. The threat actor can then initiate a ping sweep to determine which IP addresses are active. |
| Initiate a port scan of active IP addresses | A port scan can be used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools. |
| Run vulnerability scanners | A vulnerability scanner can query the identified ports to determine the type and version of the application and operating system running on the host. Examples of such tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS. |
| Run exploitation tools | The threat actor attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist, including Metasploit, Core Impact, sqlmap, Social-Engineer Toolkit, and Netsparker. |

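The ping sweep and port scan in Table 11-6 leave a recognisable footprint in flow or firewall logs: one source touching many hosts with ICMP, then many ports on one host, all within a short window. The following detector is an added example (not from the book); the record format, the sample flows, and the thresholds are assumptions chosen for illustration.

```python
"""Reconnaissance detection over constructed flow records (added example, not from the book).
Assumed record format, one flow per line: "<epoch> <proto> <src_ip> <dst_ip> <dst_port|->"."""
from collections import defaultdict

# Constructed sample: 10.0.0.99 pings five hosts, then probes six ports on one
# of them; 10.0.0.5 is an ordinary client opening a single HTTPS session.
SAMPLE_FLOWS = """\
1000 icmp 10.0.0.99 192.168.1.1 -
1000 icmp 10.0.0.99 192.168.1.2 -
1001 icmp 10.0.0.99 192.168.1.3 -
1001 icmp 10.0.0.99 192.168.1.4 -
1002 icmp 10.0.0.99 192.168.1.5 -
1010 tcp 10.0.0.99 192.168.1.2 21
1010 tcp 10.0.0.99 192.168.1.2 22
1011 tcp 10.0.0.99 192.168.1.2 23
1011 tcp 10.0.0.99 192.168.1.2 25
1012 tcp 10.0.0.99 192.168.1.2 80
1012 tcp 10.0.0.99 192.168.1.2 443
1015 tcp 10.0.0.5 192.168.1.2 443
"""

WINDOW_SECONDS = 60    # probes this far apart are still correlated
PING_SWEEP_HOSTS = 4   # distinct ICMP targets from one source within the window
PORT_SCAN_PORTS = 6    # distinct ports on one target from one source within the window


def parse_flows(text):
    """Parse the assumed record format into (ts, proto, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = line.split()
        flows.append((int(ts), proto, src, dst, None if dport == "-" else int(dport)))
    return flows


def detect_recon(flows, window=WINDOW_SECONDS):
    """Return sorted alerts: ('ping_sweep', src) or ('port_scan', src, dst)."""
    by_src = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f[0]):
        by_src[flow[2]].append(flow)
    alerts = set()
    for src, recs in by_src.items():
        # Every record opens a window; count distinct targets and ports inside it.
        for i, (start, _, _, _, _) in enumerate(recs):
            icmp_targets, ports_by_dst = set(), defaultdict(set)
            for ts, proto, _, dst, dport in recs[i:]:
                if ts - start > window:
                    break
                if proto == "icmp":
                    icmp_targets.add(dst)
                elif dport is not None:
                    ports_by_dst[dst].add(dport)
            if len(icmp_targets) >= PING_SWEEP_HOSTS:
                alerts.add(("ping_sweep", src))
            for dst, ports in ports_by_dst.items():
                if len(ports) >= PORT_SCAN_PORTS:
                    alerts.add(("port_scan", src, dst))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_recon(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

On the sample flows this raises a ping-sweep alert and a port-scan alert for 10.0.0.99 and nothing for the ordinary client; tune the thresholds to the normal traffic of the network being monitored.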
Access Attacks

The purpose of access attacks is to gain entry to web accounts, confidential databases, and other sensitive information. Threat actors use access attacks on network devices and computers to retrieve data, gain access, or escalate access privileges to administrator status. Table 11-7 describes access attacks.

Table 11-7 Types of Access Attacks

| Access Attack | Description |
|---|---|
| Password attack | The threat actor attempts to discover critical system passwords using various methods. Password attacks are very common and can be launched using a variety of password cracking tools. |
| Spoofing attack | The threat actor has a device pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing. |
| Trust exploitation | The threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target. |
| Port redirection | The threat actor uses a compromised system as a base for attacks against other targets. |
| Man-in-the-middle attack | The threat actor is positioned between two legitimate entities in order to read or modify the data that passes between the two parties. |
| Buffer overflow attack | The threat actor exploits the buffer memory and overwhelms it with unexpected values. This usually renders the system inoperable, creating a DoS attack. |

Social Engineering Attacks

In social engineering attacks, threat actors attempt to manipulate individuals into performing actions or divulging confidential information. Table 11-8 describes social engineering techniques.

Table 11-8 Types of Social Engineering Attacks

| Social Engineering Attack | Description |
|---|---|
| Pretexting | An attack in which a threat actor pretends to need personal or financial data to confirm the identity of the target. |
| Phishing | An attack in which a threat actor sends fraudulent email that is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on his or her device or into sharing personal or financial information. |
| Spear phishing | An attack in which a threat actor creates a targeted phishing attack tailored for a specific individual or organization. |
| Spam | Unsolicited email, also known as junk mail, that often contains harmful links, malware, or deceptive content. |
| Something for something | Sometimes called quid pro quo, an attack in which a threat actor requests personal information from a party in exchange for something such as a gift. |
| Baiting | An attack in which a threat actor leaves a malware-infected flash drive in a public location. A victim finds the drive and inserts it into a laptop, unintentionally installing malware. |
| Impersonation | An attack in which a threat actor pretends to be someone he or she is not to gain the trust of a victim. |
| Tailgating | An attack in which a threat actor quickly follows an authorized person into a secure location to gain access to a secure area. |
| Shoulder surfing | An attack in which a threat actor inconspicuously looks over someone’s shoulder to steal passwords or other information. |
| Dumpster diving | An attack in which a threat actor rummages through trash bins to discover confidential documents. |

DoS and DDoS Attacks

A DoS attack creates some sort of interruption of network services to users, devices, or applications. DoS attacks are created in two ways:

  • Overwhelming quantity of traffic: The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.

  • Maliciously formatted packets: The threat actor sends a maliciously formatted packet to a host or an application, and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.

DoS attacks are relatively simple to conduct, even by an unskilled threat actor. A DDoS attack is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, a threat actor may build a network of infected hosts, known as zombies. A network of zombies is called a botnet. The threat actor can then use a command-and-control (CnC) program to instruct the botnet of zombies to carry out a DDoS attack.

IP Attacks

IP does not validate whether the source IP address contained in a packet actually came from that source. For this reason, threat actors can send packets using a spoofed source IP address. Threat actors can also tamper with the other fields in the IP header to carry out their attacks. Security analysts must understand the different fields in both the IPv4 and IPv6 headers. Table 11-9 describes some of the most common IP-related attacks.

Table 11-9 Types of IP Attacks

| IP Attack Technique | Description |
|---|---|
| ICMP attacks | Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables. |
| Amplification and reflection attack | Threat actors attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks. In one type of amplification and reflection attack, the threat actor forwards ICMP echo request messages to many hosts. These messages contain the source IP address of the victim. Therefore, these hosts all reply to the spoofed IP address of the victim and overwhelm it. |
| Address spoofing attack | Threat actors spoof the source IP address in an IP packet to perform blind spoofing or non-blind spoofing. In non-blind spoofing, the threat actor can see the traffic that is being sent between the host and the target and uses that visibility to inspect the reply packets from the target victim. Non-blind spoofing can be used to determine the state of a firewall and to predict sequence numbers; it can also be used to hijack an authorized session. In blind spoofing, the threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks. |
| Man-in-the-middle (MITM) attack | Threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication. They can eavesdrop by inspecting captured packets or alter packets and forward them to their original destination. |
| Session hijacking | Threat actors gain access to the physical network and then use an MITM attack to hijack a session. |

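Because IP never validates the source address, the standard mitigation for the spoofing attacks above is ingress filtering at the network edge: a packet is accepted only if its source address belongs behind the interface it arrived on, and the Internet-facing interface never accepts intranet or bogon sources. The following check is an added example (not from the book); the interface names, prefixes, and sample packets are constructed assumptions.

```python
"""Ingress anti-spoofing filter (BCP 38 style), added example, not from the book.

Assumed model: each interface lists the prefixes that legitimately sit behind it.
A packet is permitted only if its source address belongs behind the interface it
arrived on; the Internet-facing interface must never see internal or bogon sources.
"""
import ipaddress

# Constructed router: two inside interfaces and one Internet-facing interface.
INTERFACE_PREFIXES = {
    "Gi0/0": ["10.1.0.0/16"],        # inside user LAN
    "Gi0/1": ["192.168.1.0/24"],     # inside DMZ
    "Gi0/2": ["0.0.0.0/0"],          # outside (Internet); default route side
}
# RFC 1918 space: valid only inside, never as a source arriving from the Internet.
INTERNAL_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def _networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def check_ingress(interface, src_ip, table=INTERFACE_PREFIXES):
    """Return 'permit' or a 'drop: <reason>' verdict for one arriving packet."""
    if interface not in table:
        return "drop: unknown interface"
    src = ipaddress.ip_address(src_ip)
    behind = _networks(table[interface])
    is_outside = any(net.prefixlen == 0 for net in behind)
    if is_outside:
        # A packet from the Internet claiming an intranet source is spoofed.
        if any(src in net for net in _networks(INTERNAL_PREFIXES)):
            return "drop: internal source arriving from outside"
        if src.is_loopback or src.is_multicast or src.is_unspecified or src.is_link_local:
            return "drop: bogon source"
        return "permit"
    # Inside interfaces: the source must be a prefix behind that port, which also
    # stops inside hosts from sending spoofed-source floods toward the Internet.
    if any(src in net for net in behind):
        return "permit"
    return "drop: source not behind interface"


def filter_packets(packets):
    """Apply check_ingress to (interface, src_ip) pairs; return (interface, src_ip, verdict)."""
    return [(iface, src, check_ingress(iface, src)) for iface, src in packets]


# Constructed packets: the third is the case from Table 11-4, a packet that appears
# to come from a valid intranet address but arrives on the Internet-facing port.
SAMPLE_PACKETS = [
    ("Gi0/0", "10.1.5.7"),
    ("Gi0/2", "203.0.113.9"),
    ("Gi0/2", "10.1.5.7"),
    ("Gi0/0", "203.0.113.9"),
    ("Gi0/2", "127.0.0.1"),
]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface} {src:>15}  {verdict}")
```
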
Transport Layer Attacks

Threat actors conduct port scans of target devices to discover which services are available. A threat actor can exploit TCP and UDP in the following ways:

  • TCP SYN flood attack: This type of attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to a target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. The responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections, and TCP services are denied to legitimate users.

  • TCP reset attack: A threat actor could use a TCP reset attack to send a spoofed packet containing a TCP RST to one or both endpoints. This creates a DoS condition for the connection.

  • TCP session hijacking: A threat actor takes over an already-authenticated host as it communicates with the target. The threat actor must spoof the IP address of one host, predict the next sequence number, and send an ACK to the other host. If successful, the threat actor could send, but not receive, data from the target device.

  • UDP flood attack: The threat actor uses a tool to send a flood of UDP packets, often from a spoofed host, to a server on the subnet. The program sweeps through all the known ports, trying to find closed ports. This causes the server to reply with an ICMP port unreachable message. Because there are many closed ports on the server, there is a lot of traffic on the segment, which uses up most of the bandwidth. The result is very similar to the result of a DoS attack.

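The SYN flood above is visible to a defender as a pile-up of half-open connections: SYNs that the server answered with SYN-ACK but that never received the final ACK. The tracker below walks the three-way handshake per connection and flags a server once its half-open count crosses a threshold; it is an added example (not from the book), and the record format, sample capture, and threshold are assumptions.

```python
"""Half-open TCP connection tracking to spot a SYN flood (added example, not from the book).
Assumed packet record, one per line: "<time> <src_ip>:<sport> > <dst_ip>:<dport> <flags>"
where <flags> is S (SYN), SA (SYN-ACK), A (ACK) or R (RST).
"""
from collections import defaultdict

# Constructed capture: one normal handshake from 10.0.0.5, then five SYNs from
# spoofed sources that the server answers with SYN-ACK but that are never ACKed.
SAMPLE_PACKETS = """\
1000.00 10.0.0.5:40001 > 192.168.1.2:80 S
1000.01 192.168.1.2:80 > 10.0.0.5:40001 SA
1000.02 10.0.0.5:40001 > 192.168.1.2:80 A
1000.10 198.51.100.11:1025 > 192.168.1.2:80 S
1000.11 192.168.1.2:80 > 198.51.100.11:1025 SA
1000.12 198.51.100.12:1026 > 192.168.1.2:80 S
1000.13 192.168.1.2:80 > 198.51.100.12:1026 SA
1000.14 198.51.100.13:1027 > 192.168.1.2:80 S
1000.15 192.168.1.2:80 > 198.51.100.13:1027 SA
1000.16 198.51.100.14:1028 > 192.168.1.2:80 S
1000.17 192.168.1.2:80 > 198.51.100.14:1028 SA
1000.18 198.51.100.15:1029 > 192.168.1.2:80 S
1000.19 192.168.1.2:80 > 198.51.100.15:1029 SA
"""

MAX_HALF_OPEN = 4  # half-open connections per server before an alert is raised


def parse_packets(text):
    """Parse the assumed format into (ts, src, sport, dst, dport, flags) tuples."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, flags = line.split()
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        packets.append((float(ts), src_ip, int(sport), dst_ip, int(dport), flags))
    return packets


def track_handshakes(packets):
    """Walk the three-way handshake per connection; return {server_ip: {state: count}}."""
    state = {}  # (client_ip, client_port, server_ip, server_port) -> handshake state
    for _, src, sport, dst, dport, flags in packets:
        if flags == "S":                       # client -> server: SYN
            state[(src, sport, dst, dport)] = "syn_sent"
        elif flags == "SA":                    # server -> client: SYN-ACK
            key = (dst, dport, src, sport)
            if state.get(key) == "syn_sent":
                state[key] = "half_open"       # server now holds a half-open entry
        elif flags == "A":                     # client -> server: final ACK
            key = (src, sport, dst, dport)
            if state.get(key) == "half_open":
                state[key] = "established"
        elif flags == "R":                     # RST from either side tears it down
            state.pop((src, sport, dst, dport), None)
            state.pop((dst, dport, src, sport), None)
    summary = defaultdict(lambda: defaultdict(int))
    for (_, _, server, _), st in state.items():
        summary[server][st] += 1
    return {server: dict(counts) for server, counts in summary.items()}


def syn_flood_suspects(packets, threshold=MAX_HALF_OPEN):
    """Return servers whose half-open connection count reaches the threshold."""
    summary = track_handshakes(packets)
    return sorted(s for s, c in summary.items() if c.get("half_open", 0) >= threshold)
```

On the sample capture the server 192.168.1.2 shows one established and five half-open connections and is reported as a suspect; in a real deployment the half-open entries would also be aged out, since a legitimate client's final ACK can simply be slow.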
Security Program

An organization should educate its user community through a security program. An effective security program includes the following basic elements:

  • User awareness: All users should be made aware of the need for data confidentiality to protect corporate information, as well as their own credentials and personal information. They should also be made aware of potential threats, schemes to mislead, and proper procedures to report security incidents. Users should also be instructed to follow strict guidelines regarding data loss.

  • User training: All users should be required to participate in periodic formal training so that they become familiar with all corporate security policies.

  • Physical access control: Infrastructure locations, such as network closets and data centers, should remain securely locked. Administrators should control physical access and quickly remove access when an employee is dismissed.

Study Resources

For today’s exam topics, refer to the following resources for more study.

| Resource | Module or Chapter |
|---|---|
| Introduction to Networks v7 | 16 |
| Enterprise Networking, Security, and Automation | 3 |
| CCNA 200-301 Official Cert Guide, Volume 2 | 4 |
