Page 1039 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

GRIZZLY STEPPE.

Their pattern of attack was to gain a foothold, often with a spear phishing campaign using shortened URLs. Sometimes they exploited known vulnerabilities. For example, investigators may discover one of the APTs exploited the Apache Struts web application vulnerability that caused the Equifax data breach. Once they got in, they installed remote access tools (RATs) that provided the attackers with access to the internal network. They then escalated their privileges, installed additional malware, and exfiltrated email and other data through encrypted connections.

While the JAR focuses on the APTs' activities against a specific U.S. target, it also states that these same APTs have “targeted government organizations, think tanks, universities, and corporations around the world.” Experts think that APT 28 likely formed as early as 2004, and APT 29 likely formed in 2008. Several reports indicate that they continue to be active in many countries around the world.




Threat Modeling Approaches

There’s an almost infinite possibility of threats, so it’s difficult to use a structured approach to identify relevant threats. Instead, many organizations use one or more of the following three approaches to identify threats:

Focused on Assets This method uses asset valuation results and attempts to identify threats to the valuable assets. Personnel evaluate specific assets to determine their susceptibility to attacks. If the asset hosts data, personnel evaluate the access controls to identify threats that can bypass authentication or authorization mechanisms.

Focused on Attackers Some organizations identify potential attackers and identify the threats they represent based on the attacker’s goals. For example, a government is often able to identify potential attackers and recognize what the attackers want to achieve. They can then use this knowledge to identify and protect their relevant assets. This is becoming increasingly more difficult, though, with so