Cyber threats can be both terrifying and exciting. As you explore Hack The Box’s Pro Labs, Hacking Labs, and our HTB Academy content, you will learn about a wide variety of real world cyber threats, hands on.
But in this post, I want to get back to the basics. What are cyber threats? Let’s explore some important cyber threat theory.
Cyber threats are any security risk to a computer or computer network. When the people who are supposed to use some data are using it, all is well and good. When people who aren’t supposed to use some data, such as cyber attackers, abuse it, those are cyber threats.
Let’s jump into the nitty gritty of the topic.
All cyber threats impact one or more components of the CIA Triad. No, this CIA isn’t an American intelligence agency. It’s a central principle in cybersecurity theory! CIA stands for confidentiality, integrity, and availability.
Confidentiality is all about making sure that data is only accessible to authorized entities. So when there’s a data breach, that’s a massive cyber threat impacting confidentiality. Spyware, malware that’s designed to spy on a user, is another major confidentiality concern.
Integrity is all about making sure only authorized entities can alter data, by changing it or adding to it. If a cyber attacker acquires access to a software library and puts malicious code into it, that’s a cyber threat to integrity. Cryptographic hashing and code signing are some of the ways we can defend against integrity cyber threats.
Availability is all about making sure that data assets and applications are available when we need them. When a distributed denial of service attack (DDoS) puts a web server offline, that’s a classic cyber attack to availability. If someone sneaks into a datacenter and steals a bunch of hard drives that contains data the organization needs in order to operate, that’s another availability attack. And if the attacker manages to crack the encryption on those drives, then it becomes a confidentiality attack as well.
That segues nicely into my next point. Often cyber attacks will affect more than one component of the CIA Triad. Newer strains of ransomware which target enterprises and institutions not only encrypt data with a key the victim cannot access without paying a ransom, they also threaten to breach the same data. So that’s availability and confidentiality. Some of the modular malware that targets Android phones have modules for spyware, ransomware, and cryptomining malware. So confidentiality is threatened by the spyware, integrity is threatened because some files on the victim’s phone are altered, and availability is threatened by the ransomware, and perhaps by the cryptominer if it overwhelms the device’s memory to the extent that the victim cannot use their phone.
External cyber threats include the classic types of cyber attacks people usually think about. Any cyber threat that originates from outside of a targeted organization is external.
If an Advanced Persistent Threat (APT) group or other sort of cyber crime group targets a bank to steal their financial data, that’s definitely an external cyber threat. As long as the people who are doing the cyber attacking don’t work for the targeted entity, it’s external.
The large majority of cyber threats are financially motivated, especially external cyber threats. These cyber criminals just want to make money. They could make money by stealing sensitive data and selling it on the Dark Web. They could deploy cryptominers to generate cryptocurrency. They could deploy ransomware, hoping to extort the victim into paying them a ransom. The motives of these attacks are easy to understand because money makes the world go round. You can’t live without money, and having a lot of it can make you powerful.
Most external cyber threats that aren’t financially motivated fall into the hacktivism category. Hacktivism is when a person or a group of people engage in cyber attacks for politically motivated reasons, not to make money. For example, a fur coat retailer has an online store. Hacktivists who belong to an animal rights’ organization vandalize the site’s webpages to say “meat is murder.” They don’t make any money from the attack. They’re simply making a point to promote their ideology.
Although hacktivists can work as individuals, some hacktivist groups have become household names in the media. Anonymous was started in 2003 by 4chan users. In 4chan’s design and culture, users are encouraged to omit entering a username when they make a post. If no username is entered, the forum shows that the post was made by “anonymous.” In 4chan culture, it’s not enough to come up with usernames that can’t be associated with real identities. People shouldn’t even be able to tell that the user who made one post also made another!
There is no formal membership in Anonymous. Anyone who says they’re Anonymous, is Anonymous. So likely thousands of people have participated in Anonymous operations over the years. And that’s why the group can have conflicting ideologies.
Internal cyber threats are probably more controversial than external cyber threats, at least from a business perspective. Defending against external cyber threats is all about “we must defend our company’s network from those bad people out there.” Internal cyber threats are caused by people who work for the targeted organization, or otherwise have privileged access to the organization’s data that said organization authorizes. So defending against internal cyber threats is all about “our employees could be the bad people!”
Internal cyber threats can be more destructive than external cyber threats because the threat actors don’t have to work to break into the system, they already have access to it. They also usually have useful firsthand knowledge of their target that an external cyber attacker wouldn’t have.
The classic internal cyber attacker is a disgruntled employee. They hate the company they work for, and they want revenge. Sometimes internal cyber attacks are also financially motivated. The internal threat actor could want to steal money from the company they work for, or sell their data.
The common wisdom about defending against internal cyber threats is to carefully monitor employee user account activity for suspicious behavior, and to limit their access to what they need to do their jobs. Companies are also taught to look for other indicators, such as an employee who makes $40,000 per year driving into the parking lot in a Bentley.
All of that common wisdom is good and useful. But I also have some unconventional advice when it comes to internal cyber threats. Treat your employees well! Pay them well! No company deserves to be attacked, but doing what you can to make your employees happy and healthy is a no brainer.
Here are some HTB Academy courses that I personally recommend so you can understand cyber threats better.
Whether a cyber threat is internal or external, cyber attackers often script at the Bash command line in order to do very bad things. This course is great for beginners to learn this very important hacking skill.
The majority of cyber attacks exploit computer networks. This course will help you to understand how computer networks operate. From TCP/IP to IPv4 and IPv6 to the OSI model, it’s all covered here.
A large percentage of the servers on the internet run a Linux distro of some sort. Privilege escalation is all about going from a limited user account to an account with more privileges. The ultimate goal usually is root access. This course is a lot of fun, and very useful.