Threat Agent/Community Analysis

00:00

Hello and welcome to another penetration testing execution Standard discussion. Today we're going to be looking at Threat agent of community analysis within the threat modeling section of the Pee test standard.

00:14

So a quick disclaimer, any tools or techniques that we discussed during the pee test videos could be used for system hacking. And so anything that we demonstrate or discuss should be understood by the user and the user's should research laws and regulations within.

00:33

They're given regions or areas. While we're having fun learning or apply in this standard

00:39

to our penetration testing efforts, we want to ensure that we don't break any laws within our given area. So what are the objectives for today's discussion? Well, today we're going to discuss defining relevant threats and what that looks like.

00:54

We're going to discuss internal and external examples,

00:58

and we're just going to look a employees and management at a high level. This should be a brief discussion, and it's pretty straightforward with respect to what we're looking at. So defining relevant threats, okay, keyword relevant here

01:12

when defining the relevant threat communities and agents. A clear identification of the threat should be provided in terms of location, the specific community within the location. Okay, so the specific community and any additional relevant information that would assist in establishing

01:30

capabilities and motivation for that specific agent or community. And we'll talk about some of those motivators in a later discussion as well.

01:41

So when we look at internal external examples of threats,

01:46

this could be a way that you could lay this out and put it together again. If you've got a separate methodology or system that you use, please stick with it. But if not, this is a good starting point. So employees, whether knowingly or unknowingly, can be a threat to an organization

02:04

executive and middle management and administrators. So folks that have,

02:07

um, elevated access to systems

02:12

developers, engineers, technicians, contractors, you know, in those cases, if they've got external access, if they're outside of the network or if their internal, whatever the case, may be general user community. And so if you've got users within the network

02:29

and remote support definitely remote support for software applications and things of that nature. So these air folks that have knowledge of the organization

02:38

that are inside the organization day to day

02:42

and you know they could be motivated by different things. Or, you know, there could be again accidental exposure to malicious software. Or they could accidentally let it loose so they could do it on purpose if they're motivated by greed or if someone approaches them because they're in

03:00

financial crisis or if they become disgruntled.

03:04

You know, these are definitely

03:06

potential risks or threats to the organization.

03:08

Now. Business partners may not be internal to the organization, but they may have a say so in the organization that may have access to certain things they may have knowledge of the organization that could be used. Thio potentially cause harm competitors,

03:25

contractors These air contractors that aren't in the organization like internal to it day to day

03:30

suppliers because they've got intimate knowledge of the organization. They provide, AH, particular service or they protect provide a particular product. They could be a threat or a risk vector for the organization.

03:46

Nation states in some cases organized crime activists and script kiddies. These really depend on

03:55

whether or not you're a target for some of the larger nation states organized crime syndicates. But if you get some type of ransomware on a system, if you've ever fallen for any type of social engineer, and it's likely that you were a victim of one of these four categories.

04:12

So this is just again a high level way that we can map out threats on dhe kind of start to look at some of the different areas or vectors that could be of risk to the organization. When we look at employees specifically these air persons working directly for the company under a part time or full time contract of some sort.

04:31

In general, they're not regarded as posing a severe threat at a CZ. Most of them are relying on the company to make a living right, and, assuming they are treated well, they're inclined to protect the company rather than hurt it. You don't want to bite the hand that feeds on DSO. You're being treated well,

04:50

Azan employees.

04:53

Most times you're satisfied with your employer. You want to protect your employees interests, and you know you work to elevate your employees.

05:01

So oftentimes, in data loss incidents, it's accidental in nature or the, you know on the laptop was stolen. It's typically not malicious now, in rare cases, they be in employees could be motivated by outsiders to assist in intrusion.

05:17

Oh, are they may engage in malicious acts on their own.

05:21

Um, while the skill level Mayberry, it's usually low to medium in the threat level, for for the folks like employees, it get disgruntled and try to attack the organization.

05:33

All of this includes executive management as well as middle management.

05:38

Now I would say that this is true for maybe an accounting firm or something of that nature, but I would think there would be an elevated level of risk to the organization for things like developers, administrators of systems, things that make nature. They could easily lock out a system or cause a lot of information to be misplaced

05:55

in one swoop based on level of access. And so I would consider those employees to be a

06:00

higher risk if they were ever disgruntled or engaged by 1/3 party that provided some type of gain or incentive for them to do so.

06:09

So let's step and do a quick check on learning. So true or false suppliers are considered potential internal threats win determining threat agents.

06:19

Well, as we discussed, suppliers are considered external parties, so they would not be considered an internal threat to the organization when determining threat agents. And so this statement, as provided, is false in nature. So suppliers air considered external parties that provides some type of good

06:39

service, et cetera, that aren't

06:41

day to day employee's contract and employees within your organization.

06:46

So in summary,

06:47

we discussed the relevant threats and how we define those. We looked at some internal external examples, and then we overall kind of discussed employees, middle and executive management. Their role as far as being a threat, is rather minimal,

07:04

even with employees who have elevated access it maybe mid tier at best. You know, hopefully, if you're treating employees well

07:13

and they're happy, then there's typically not a reason for them to go out and maliciously damage a system, destroy system or cause harm to the employer. So keep those things in mind when you're doing threat modeling. And again, if you've got a different process for laying those out or mapping those