Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Connect Directly
E-Mail vvv

Inside the 4 Most Common Threat Actor Tools

How do you prevent your environment from becoming the next target? Turn the tables on your attackers.

This isn’t Hollywood. Contrary to popular belief -- and what movies have the general population believe — malicious cyber actors and threat groups aren’t the technical super villains as portrayed on the silver screen.

For the most part, they don’t have incredible super powers or one-of-a-kind, hacker-only tools that are assembled in dark laboratories by nefarious guys in hoodies. The reality? The threat actors simply require access to their targets and dwell time. The nature of how most environments and networks are built makes them relatively easy targets for anyone with a moderate skill set — and a bit of time to kill. 

These actors only require patience and a sound understanding of the critical pieces of intelligence needed to gain entry to a network or a user with the appropriate credentials. Sooner or later, the walls — whether logical or physical — will fall.  

So, how do you prevent your environment from becoming the next target? Threat actors and malicious crime groups rely on four basic sources.

Open Season
Open-source intelligence, or OSINT, provides volumes of information on specific technologies and vulnerabilities that are tied to exploits. This provides details for how threat actors may attempt to gain access to a specific network or user machine.

When organizations understand the same information as their adversaries, they’re better prepared to fight back. Then, after the completion of OSINT research, the winning strategy would involve an overlay of known threat capabilities against vulnerabilities. This gives an accurate picture of the surface area of attack.

Data Dumps
Hacker sites, such as Pastebin and other online forums, openly provide thousands of usernames, passwords, database dumps, and other juicy intelligence items. And all are collected and leveraged by threat actors as they plot their activity. For organizations, it’s sound strategy to always know if data has been posted to one of these sites. It’s often a valuable cue that an organization may soon be attacked.

Targeting Tools
The use of open-source frameworks, such as Metasploit and Kali Linux systems, provide even unskilled threat actors with superbly crafted tool sets that are focused on exploitation operations. Having a skilled internal penetration testing team, which can leverage the same techniques to probe an environment, will help organizations get ahead of threats on potentially vulnerable targets or access points.

Going Deep
Leveraging Darknet, P2P, IRC and ToR systems provide threat actors an additional avenue to gain deeper intelligence on targets. It is extremely rare that targeted individuals or organizations are even aware of these dark data sources, much less that threat actors actively seek intelligence within these obfuscated regions.

Unlike the sprawling movie sets and green screens across Southern California, today’s threat actors aren’t seeking domination with attacks on global banks, super computers, and nuclear reactor sites. It’s much more real. And any organization — regardless of size, industry or region — is a target. Every business and every network that connects to the Internet trusts a litany of technologies, vulnerabilities, and targeted intelligence data points that a threat actor can leverage to gain the upper hand during a targeting operation.  

It’s time to turn the tables and become more security-conscious. Building focused threat intelligence operations, via an iterative lifecycle that empower target networks and enterprises, will combat the threats that loom right at the doorstep. The military and global intelligence agencies have been deploying this tactic for years. They proactively seek out specific avenues of threat data, and then nullify the value that is being used by global threat actors. Enterprises and businesses should adopt this same strategy.  

As the threat intelligence lead for Armor, Dr. Chase Cunningham (CPO USN Ret.) proactively seeks out cyber threat tactics and technical indicators of various threat groups. He is regularly cited as an expert on cyber security and contributes to white papers and other ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-05-23
wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, to...
PUBLISHED: 2019-05-23
In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion.
PUBLISHED: 2019-05-23
In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...