Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to do some threat capability analysis review within the threat modeling section of the PTES standard. And really, we're just going to be looking at terminology within PTES with respect to threat capability analysis. Now, a quick disclaimer.
The PTES videos do cover tools and techniques that could be used for system hacking. Any tools or techniques demonstrated or discussed should be understood by the user. Please research the laws and regulations regarding the use of such techniques or tools within your given area to ensure that you don't violate any applicable laws or regulations.
Now, today's objectives are as follows. We're going to look at what threat capability analysis is. We're going to discuss analysis of the tools in use, availability of relevant exploits and payloads with respect to the given threat, communication mechanisms, and accessibility with respect to overall capability.
Threat capability analysis. So once a threat community, like insider threats (the employees) or external parties, has been identified, the capabilities of that community must be analyzed in order to build an accurate threat model, one that reflects the actual probability of such a community or agent being able to act upon the organization and compromise it. So it requires both a technical analysis as well as an opportunity analysis, opportunity analysis being: what is the ability, the likelihood, the capability, the accessibility of that party to have the opportunity to attack a system?
Okay, so when we look at analyzing the current tools in use, and what could be in use by a community, it's whatever is available to the threat community or agent. So tools that may be freely available should be analyzed for the required skill level needed to use them, and their potential mapped to that particular community. So if you've got accountants, for example, the likelihood of them picking up and using the Metasploit framework is relatively low. The ability for them to do some Google searches and find an automated tool, or to purchase malware, or to just go and find ransomware and throw it on a system, that could be more likely depending on their sophistication level and their ability to find that type of information. But this can include packet sniffers, port scanners, rootkits, password crackers, web scanners, phone scanners, exploitation tools, debuggers; ransomware as a service could be something that these threat actors pick up. And so again, if it's an internal party, we've got to look at skill level and capability. If it's an external party like a nation state, chances are they have the capability to use these tools and probably make a few of these tools. So we have to take that into consideration when we map out the likelihood of any of these given actors being able to use these tools, and with what capability.
Now, we also want to look at the availability of relevant exploits and payloads, and so threat communities should be analyzed in terms of their capability to either obtain or develop exploits for the environment relevant to the organization. Additionally, accessibility to such exploits through third parties, business partners, or the underground community should be taken into account. So employees, again, are probably not going to be able to just up and find exploits and payloads; they may not even know what to look for. Script kiddies are probably able to use Exploit-DB and maybe do some light modification, if any, to those. Nation states and hacktivists are probably developing some custom zero-day type attacks, or are able to do heavy modification of exploits and payloads. So we have to take those things into account when we're looking at that. And then, you know, as we get into vulnerability analysis, the relevant payloads and exploits will need to be further narrowed down to what would actually be applicable to the given systems.
And then we've got communication mechanisms. So this is looking at what's available to the particular community, and really it'll help us to evaluate the complexity of a particular attack that they could mount against the organization. This could be things as simple as encryption, all the way through to specialized tools and services such as bulletproof hosting, the use of drop sites, and the use of known or unknown botnets to perform attacks or mask source information. The chances of a standard employee, an executive assistant, you know, an administrative assistant, having a botnet and operating a botnet are not as high as they would be for a criminal organization, hacktivists, whatever the case may be. So again, we've got to take into account the level of complexity and capability for the given threat and the actual risk that it poses to the organization.
And then accessibility is key here as well: the threat actor's capability and their ability to access assets in the organization. And so if, you know, the network is isolated and air-gapped, hacktivist threat actors external to the organization may have a more difficult time accessing that data. Now, internal parties that can access that network may have a higher chance of causing damage, and so that could elevate that particular threat, based on the fact that the network is air-gapped and that there are key individuals that have access to it. And so we have to factor in accessibility when we're looking at providing scenarios and evaluating risk with respect to the organization. It's not fair to say that the nation state is a high threat to an organization that doesn't even have an Internet connection, right? Not that that would be something that you would see regularly, but it's something that you would have to take into account when looking at this information.
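To make those four factors concrete, here is an added example, my own illustration rather than anything from PTES or this video, that scores a few hypothetical threat communities against an organization. The skill scale, the tool list, the community values and the weights are all assumptions chosen for the illustration; the one rule it encodes from the discussion is that no access means no threat, however capable the actor.

```python
from dataclasses import dataclass

NONE, BASIC, INTERMEDIATE, ADVANCED = 0, 1, 2, 3  # ordered skill levels (assumed scale)

@dataclass
class Tool:
    name: str
    required_skill: int  # skill needed to use the tool effectively

@dataclass
class ThreatCommunity:
    name: str
    skill: int           # technical skill of the community
    exploit_access: int  # 0 none, 1 uses public exploits, 2 modifies them, 3 develops zero-days
    comms: int           # 0 none, 1 encryption, 2 bulletproof hosting/drop sites, 3 botnets
    insider: bool = False  # already has access to the organization's network

@dataclass
class Organization:
    internet_connected: bool = True  # False models an isolated, air-gapped network

# Constructed sample data (hypothetical values, not from PTES).
TOOLS = [Tool("commodity ransomware kit", BASIC), Tool("port scanner", INTERMEDIATE),
         Tool("Metasploit framework", INTERMEDIATE), Tool("custom exploit toolchain", ADVANCED)]
COMMUNITIES = [ThreatCommunity("accountant (insider)", BASIC, 0, 1, insider=True),
               ThreatCommunity("script kiddie", INTERMEDIATE, 1, 1),
               ThreatCommunity("hacktivist", ADVANCED, 2, 3),
               ThreatCommunity("nation state", ADVANCED, 3, 3)]

def usable_tools(community, tools=TOOLS):
    """Tools in use or potentially in use: those the community has the skill to operate."""
    return [t.name for t in tools if t.required_skill <= community.skill]

def accessibility(community, org):
    """Opportunity analysis: insiders always have access; outsiders need a network path."""
    if community.insider:
        return 3
    return 2 if org.internet_connected else 0

def threat_score(community, org, tools=TOOLS):
    """Technical capability multiplied by opportunity, so no access means no threat."""
    technical = (community.skill + community.exploit_access + community.comms
                 + len(usable_tools(community, tools)))
    return technical * accessibility(community, org)

def rank(org, communities=COMMUNITIES):
    """Communities ordered from highest to lowest threat for this organization."""
    return sorted(((c.name, threat_score(c, org)) for c in communities),
                  key=lambda pair: pair[1], reverse=True)
```

Running `rank(Organization())` puts the nation state first, while `rank(Organization(internet_connected=False))` puts the insider accountant first and every external community at zero.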
So let's step into a quick check on learning. True or false: threat analysis does not consider the relevant exploits and payloads available to threat actors. So, threat analysis does not consider the relevant exploits or payloads available to threat actors? Well, this is false. And the reason that this is false is because, yes, we do want to look at the relevant exploits and payloads that are available to our threat actors when determining the risk and likelihood that they could, you know, gain access to or damage the organization. So we always want to look at those when we're looking at the threat communities.
So in summary, we discussed what threat capability analysis is and how we go about doing that. We discussed how to look at tools that are in use or could be in use, availability of relevant exploits and payloads, communication mechanisms, and accessibility overall to systems or assets. Someone that has no technical background may not be able to use the same tools and techniques that a system administrator could use; a script kiddie may have knowledge of certain tools and techniques that a standard employee wouldn't; and a nation state is going to be able to develop things that a script kiddie wouldn't. All of those things have to be taken into account when we're doing our overall capability analysis and determining the actual risk levels and threat levels that each of these entities would pose to the actual organization. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.