WEBVTT

00:01.120 --> 00:07.780
If we want to talk about evil, we need to talk about who the people and the organizations are that are actually

00:07.780 --> 00:11.770
doing the evil, that are doing the attacks on our infrastructures.

00:11.890 --> 00:13.810
And that's what this episode is all about.

00:13.810 --> 00:16.780
I want to talk about what we call threat actors.

00:16.780 --> 00:20.550
These are the people and organizations that actually do the types of attacks.

00:20.560 --> 00:24.150
Now, for the exam, we're going to go through a number of different types of threat actors.

00:24.160 --> 00:28.400
But what's important is that we understand what the attributes of all these actors are.

00:28.400 --> 00:33.070
So before we go through the actors, let's talk about what some types of attributes are that you might

00:33.070 --> 00:33.630
see.

00:33.880 --> 00:37.930
The first one is: are they going to be internal or are they going to be external? Are they going to

00:37.930 --> 00:43.270
be people inside your infrastructure, within your organization, or are they going to be somebody in a

00:43.270 --> 00:44.780
far-off country.

00:44.800 --> 00:47.070
The second is level of sophistication.

00:47.080 --> 00:54.160
It's surprising how much evil a person who is not terribly sophisticated at computing and networking

00:54.160 --> 00:55.870
can do to a system.

00:55.960 --> 01:01.080
And of course there are also very, very sophisticated people out there who could do lots of evil.

01:01.480 --> 01:04.130
Along with that is going to be resources.

01:04.180 --> 01:11.110
And more importantly funding: in order to do a lot of evil, it requires a lot of resources, lots of computers,

01:11.350 --> 01:16.750
lots of people with lots of skills, and a lot of times it takes a tremendous amount of money, so that

01:16.750 --> 01:20.770
also becomes a very strong attribute of different types of threat actors.

01:20.770 --> 01:25.150
The next one is going to be what their intent is, what's their motivation.

01:25.150 --> 01:30.520
We need to think about what type of attribute that threat actor might have in terms of why are they

01:30.520 --> 01:36.270
actually doing this and, more importantly, what their intention is, what are they trying to go for.

01:36.270 --> 01:38.050
What's their goal.

01:38.050 --> 01:43.540
And then the last one is, and this to me, I think it's funny the way you put this into the objectives.

01:43.690 --> 01:49.350
But the last one is going to be use of open source intelligence. Now, it wasn't that long ago,

01:49.370 --> 01:55.630
to Mike Meyers coming out old again, that open source intelligence, that we're talking about social media,

01:55.990 --> 02:01.160
public records, that type of stuff, was not that easy to get to. Today,

02:01.180 --> 02:03.070
it's ridiculously easy.

02:03.190 --> 02:08.020
I do a lot of work here in the United States with the Department of Justice and also the Department

02:08.020 --> 02:08.910
of Defense.

02:09.070 --> 02:14.510
And one of the things that amazes me is that when the good guys are looking to find the bad guy,

02:14.530 --> 02:17.560
you know, one of the first places they turn to is Facebook.

02:17.560 --> 02:20.840
So open source intelligence is also a really, really big issue.

02:20.920 --> 02:21.580
OK.

02:21.580 --> 02:23.470
So now we know what our attributes are.

02:23.470 --> 02:27.640
Let's talk about the type of threat actors that you're going to be seeing on the exam.

02:27.700 --> 02:32.680
The first one is script kiddies. Script kiddies is a great day because these are people with just a

02:32.680 --> 02:38.470
trivial amount of attack knowledge and they use scripts and pre-made tools.

02:38.470 --> 02:40.860
They don't really have a lot of sophistication.

02:40.870 --> 02:42.780
They're often not very evil.

02:42.780 --> 02:48.580
They don't have any intent other than they like to pick locks, and they'll come into a system and they'll

02:48.580 --> 02:50.110
try to make some attacks.

02:50.110 --> 02:57.400
In most cases script kiddies are the types of people who are easily blocked, and good firewalling and good

02:57.400 --> 03:01.750
basic system controls are always going to keep these people out of your hair.

03:01.780 --> 03:03.450
The next one is a hacktivist.

03:03.490 --> 03:09.010
Now, a hacktivist is someone who has some form of activism that they want to pursue.

03:09.010 --> 03:11.550
So intent really comes into play with these guys.

03:11.650 --> 03:17.470
A hacktivist is going to be, oh, I'll come up with a theoretical: somebody who wants to save the whales, so

03:17.470 --> 03:20.750
they're going to go against the fishing industry or something like that.

03:20.770 --> 03:26.920
So for hacktivists, the big thing we want to keep in there is what their intent and their motivation is.

03:26.950 --> 03:32.350
The next one is organized crime, and this is a huge problem out there today. When we're talking about organized

03:32.350 --> 03:38.170
crime, we're talking about, you know, we'd like to think about the Mafia and things like that, but really

03:38.170 --> 03:43.870
what we're talking about is very smart groups of people who are working together in order to, mainly,

03:43.870 --> 03:49.390
more than anything else, make money, and they can make money in a lot of different ways, and organized

03:49.390 --> 03:51.390
crime is a big issue.

03:51.430 --> 03:58.780
Probably the biggest single threat these days is nation states, where an entire country has a job, and

03:58.780 --> 04:05.230
their job is to have tremendous resources and tremendous sophistication in order to get, more often than

04:05.230 --> 04:06.740
not, intelligence.

04:06.760 --> 04:12.670
And while I don't want to name any countries here, that is a huge problem today, with a lot of countries

04:12.670 --> 04:17.470
that have extremely sophisticated tool sets to be able to gather intelligence.

04:17.500 --> 04:23.380
One of the big things that these types of organizations go for is what we call advanced persistent threat,

04:23.580 --> 04:27.000
and APT is nothing more than some form of threat.

04:27.010 --> 04:29.650
They get into a system and they stay there.

04:29.650 --> 04:30.550
They are always there.

04:30.550 --> 04:36.310
It's persistent, and that's their big goal: they want to hack into a cable and get naval intelligence,

04:36.310 --> 04:41.190
or they want to connect into a wireless network and get State Department information.

04:41.230 --> 04:46.480
So APT is a big issue that really comes into play with nation states.

04:46.540 --> 04:51.240
Next is going to be insiders. Insiders is somebody who is inside the company. Now,

04:51.310 --> 04:56.230
be careful with this term, because when we hear the word insiders you want to think employee.

04:56.320 --> 04:58.320
It doesn't always have to be an employee.

04:58.360 --> 05:01.070
It could be somebody who is within the structure.

05:01.070 --> 05:03.030
It could be the cleaning people.

05:03.050 --> 05:06.510
It could be a vendor who's working inside your infrastructure.

05:06.560 --> 05:12.020
Basically, when we say the word infrastructure, we're talking about the actual organization itself, and

05:12.020 --> 05:16.300
there's a lot of people who may not be employees who are within that infrastructure.

05:16.310 --> 05:22.400
Also keep in mind, when we're talking about insiders, think in terms of: do they have usernames and passwords

05:22.400 --> 05:24.260
for some amount of resource.

05:24.410 --> 05:27.890
And if they do, you should treat them as an insider.

05:27.890 --> 05:30.000
The last one is going to be competitors.

05:30.000 --> 05:36.470
Now, this may have been a bigger issue maybe 10 or even 15 years ago, and it still happens, but it's not

05:36.470 --> 05:42.740
nearly as much as it used to be, mainly because the laws are so onerous today that to have a private

05:42.740 --> 05:51.020
organization do some form of threat actor job against another organization means people are going to be

05:51.020 --> 05:57.380
walking away in handcuffs. So the old adage of, you know, worrying about the competition, while it's still

05:57.380 --> 06:01.450
there, and I'm not going to say it doesn't exist at all, can be a big problem.

06:01.900 --> 06:02.490
OK.

06:02.570 --> 06:07.340
So we went through the different attributes of actors, and we went through all the different types of

06:07.340 --> 06:11.840
threat actors that are actually listed on the exam itself. For the exam,

06:11.840 --> 06:17.330
just keep in mind, as we talk about these different types of threat actors, what are the attributes that

06:17.330 --> 06:19.520
you would apply to each one of them.
