Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Connect Directly
E-Mail vvv

Inside the 4 Most Common Threat Actor Tools

How do you prevent your environment from becoming the next target? Turn the tables on your attackers.

This isn’t Hollywood. Contrary to popular belief -- and what movies have the general population believe — malicious cyber actors and threat groups aren’t the technical super villains as portrayed on the silver screen.

For the most part, they don’t have incredible super powers or one-of-a-kind, hacker-only tools that are assembled in dark laboratories by nefarious guys in hoodies. The reality? The threat actors simply require access to their targets and dwell time. The nature of how most environments and networks are built makes them relatively easy targets for anyone with a moderate skill set — and a bit of time to kill. 

These actors only require patience and a sound understanding of the critical pieces of intelligence needed to gain entry to a network or a user with the appropriate credentials. Sooner or later, the walls — whether logical or physical — will fall.  

So, how do you prevent your environment from becoming the next target? Threat actors and malicious crime groups rely on four basic sources.

Open Season
Open-source intelligence, or OSINT, provides volumes of information on specific technologies and vulnerabilities that are tied to exploits. This provides details for how threat actors may attempt to gain access to a specific network or user machine.

When organizations understand the same information as their adversaries, they’re better prepared to fight back. Then, after the completion of OSINT research, the winning strategy would involve an overlay of known threat capabilities against vulnerabilities. This gives an accurate picture of the surface area of attack.

Data Dumps
Hacker sites, such as Pastebin and other online forums, openly provide thousands of usernames, passwords, database dumps, and other juicy intelligence items. And all are collected and leveraged by threat actors as they plot their activity. For organizations, it’s sound strategy to always know if data has been posted to one of these sites. It’s often a valuable cue that an organization may soon be attacked.

Targeting Tools
The use of open-source frameworks, such as Metasploit and Kali Linux systems, provide even unskilled threat actors with superbly crafted tool sets that are focused on exploitation operations. Having a skilled internal penetration testing team, which can leverage the same techniques to probe an environment, will help organizations get ahead of threats on potentially vulnerable targets or access points.

Going Deep
Leveraging Darknet, P2P, IRC and ToR systems provide threat actors an additional avenue to gain deeper intelligence on targets. It is extremely rare that targeted individuals or organizations are even aware of these dark data sources, much less that threat actors actively seek intelligence within these obfuscated regions.

Unlike the sprawling movie sets and green screens across Southern California, today’s threat actors aren’t seeking domination with attacks on global banks, super computers, and nuclear reactor sites. It’s much more real. And any organization — regardless of size, industry or region — is a target. Every business and every network that connects to the Internet trusts a litany of technologies, vulnerabilities, and targeted intelligence data points that a threat actor can leverage to gain the upper hand during a targeting operation.  

It’s time to turn the tables and become more security-conscious. Building focused threat intelligence operations, via an iterative lifecycle that empower target networks and enterprises, will combat the threats that loom right at the doorstep. The military and global intelligence agencies have been deploying this tactic for years. They proactively seek out specific avenues of threat data, and then nullify the value that is being used by global threat actors. Enterprises and businesses should adopt this same strategy.  

As the threat intelligence lead for Armor, Dr. Chase Cunningham (CPO USN Ret.) proactively seeks out cyber threat tactics and technical indicators of various threat groups. He is regularly cited as an expert on cyber security and contributes to white papers and other ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.