King Abdul Aziz University
Course: CS 410
Subject: Information Systems
Date: Dec 21, 2024
Pages: 23
Cybersecurity Threats

Cybersecurity threats come in many different forms. As a security analyst, it is important to be aware of the different kinds of threats and the vectors through which they arise.

NIST defines a threat as:

"Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability." (NIST)

In this lesson, we will cover:

Unintentional Threats: threats to an organization that have no intent behind them; they can be classified as accidents, human error, or computer failures.

Intentional Threats: threats to an organization that have malicious intent behind them and seek to cause disruption or bring personal financial gain.

Internal Threats: any threat to an organization originating from within the company.

External Threats: any threat to an organization originating from outside it.

Natural Threats: any threat to an organization originating from natural disasters such as hurricanes, earthquakes, floods, or tornadoes.
Threat Landscape

Increasing Threats

With the increasing reliance on technology, it is no surprise that organizations face more threats than ever. The increase in cyber threats has many causes. In just the last year we have seen a sharp rise in the skill level of threat actors, and combined with a shortage of competent security professionals this has widened the gap between attackers and defenders. The financial damage from cybercrime has gone up every year, with experts predicting nearly 6 trillion dollars of damage in 2021.

What's the Damage?

We have seen an astronomical rise in all types of cybersecurity attacks, from malware to phishing. In 2018 there were a reported 812.67 million cases of malware. There has been a considerable rise in social engineering, the psychological manipulation of users to obtain confidential information from them. Social engineering is primarily used in phishing, which is currently the most popular form of attack and the biggest danger to organizations; 92% of malware is delivered through email. Ransomware has seen a prominent rise in the last few years, with a new victim almost every 14 seconds in 2019. The US is the number one target for targeted cyber attacks, at roughly 38%. 43% of all breach victims were small and medium businesses, followed by the public sector at 16% and healthcare at 15%.

Source: the statistics page linked from the course.
Internal Threats

Intentional and Unintentional Threats

One of the most dangerous threats facing an organization comes not from outside but from inside. We can classify these threats as those with intent and those without.

Common Unintentional Internal Threats

Human error: this covers a large share of the internal threats organizations see. Employees show poor decision-making and fall for a phish or scam, or leak data accidentally through improper configurations.

Poor security culture: a lack of cybersecurity training and support, no strong security-oriented culture, and a lack of proper security policies such as a strong password policy or access controls.

Common Intentional Internal Threats

Disgruntled employees: disgruntled employees have a motive to harm the organization. They may have access to sensitive information that they look to leak or expose, or they may sabotage the company.

Insider-aided threats: an internal employee has help from an individual outside the company to access sensitive information, often working with the outside entity for a financial reward.

Former employees: employees who have been let go or have left the organization but whose access has not been revoked. They may have ill intent and look to cause damage by leaking sensitive information.
DoS, MitM, and Phishing

External Threats

Now we explore external threats: threats with ill intent behind them that aim to gain access to your organization's data. There are countless variations of attack, but we focus on some of the more common external threats an organization faces.

DoS/DDoS: a Denial of Service attack overwhelms a system's resources so that legitimate users cannot be served. A Distributed Denial of Service attack is the same attack launched from many machines that the attacker controls, typically a botnet. Common variants are the HTTP flood, ICMP flood, and TCP SYN flood (which rely on volume), and the teardrop, smurf, and ping-of-death attacks (which exploit how the target handles malformed or amplified packets).

MitM: a Man in the Middle attack is one where an attacker places themselves between a user and a server in order to read, modify, or otherwise tamper with the communications between the two. Common techniques include IP spoofing and session hijacking.

Phishing and Spear Phishing: emails that try to obtain personal information or get users to do something (download and run a file, click a link, etc.) by appearing to come from a trusted source. Spear phishing is an extremely targeted phish built on social engineering; perpetrators research the victim and can falsify email headers (for example the From address or its display name) to make the message more believable.
Botnets, Adware, Spyware, and Worms

Malware, Malware Everywhere!

Malware is one of the most common external threats to organizations today. There are many types of malware and many ways they can propagate. Malware is defined as any malicious software that is installed on your system without consent. The following section covers the main types.

Botnets: a network of computers that have been infected by malware and are controlled by a Command and Control (C2, also written CnC) server. The infected machines are referred to as bots or zombies, and they await instructions to perform attacks such as a DDoS attack.

Adware: malware that delivers advertisements. Adware shows up as pop-up ads on websites and is sometimes bundled with free software. Adware is generally not dangerous in itself but is sometimes bundled with spyware.

Spyware: malware that infects your machine with the goal of gathering information about you, such as activity monitoring, keystrokes, and user information. It runs quietly in the background while it enumerates as much information as it can about the infected victim.

Worms: malware that copies itself from computer to computer. A worm self-replicates autonomously without user interaction, and in its simplest form a worm will keep replicating until it has depleted a system of all its resources. The worm is often cited as the first type of malware discovered.

Ransomware, Trojans, Rootkits

Ransomware: malware that requires users to pay a ransom before they can access their files. The most sophisticated forms of ransomware encrypt all of a user's files and only decrypt them once payment has been delivered.

Trojans: malware that disguises itself as something else to gain access to your system. Once inside, the Trojan executes to install further malware or steal sensitive information. Social engineering plays a role in how Trojans are delivered: by gathering information on a victim, a Trojan can be concealed and delivered without the victim ever knowing.

Rootkits: malware designed to stay hidden on the infected system and provide administrative access to the attacker. Rootkits are difficult to locate and can go undiscovered for long periods. They are often delivered through phishing emails and drive-by downloads.

OWASP Top 10

OWASP

The Open Web Application Security Project (OWASP) is a non-profit organization with the goal of providing security information to improve the security of software. It maintains a list of the 10 most critical web application security risks to raise awareness. We will explore all 10, because they can pose a huge threat to an organization if not handled properly.

The OWASP Top 10 (2017) consists of the following:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly. This allows attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently. A common attack is the brute-force dictionary attack against the login form, which succeeds when the application allows unlimited guesses and users have weak passwords.
Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII. Attackers may steal or modify weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest or in transit, and it requires special precautions when exchanged with the browser (use HTTPS rather than plain HTTP).

XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file:// URI handler, to reach internal file shares, to perform internal port scanning, and in some configurations to achieve remote code execution or denial of service. The standard fix is to disable DTD processing and external entity resolution in the parser.
OWASP Top 10 II

Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data: other users' accounts, sensitive files, modifying other users' data, changing access rights, and more.

Security Misconfiguration

Security misconfiguration is the most commonly seen issue. It commonly results from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, they must also be patched and upgraded in a timely fashion.

Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks such as replay attacks, injection attacks, and privilege escalation.

Using Components with Known Vulnerabilities

Components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, the attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable a range of attacks and impacts.

Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to keep working inside a system: they can further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that it is typically detected by external parties rather than by internal processes or monitoring.

OWASP Top 10 Updates

The OWASP Top Ten is a list of the most prevalent web application security risks at the time of its creation, with updates every 3-4 years. Although the 2017 edition was the latest version at the time of course creation, it is essential to stay current with the 2021 edition.

Three elements of the older list are no longer separate entries in the top 10: XML External Entities, Cross-Site Scripting, and Insecure Deserialization. They are still important security concerns that are very useful to be familiar with, but they are not found on as many sites as before, and in the 2021 edition XXE was folded into Security Misconfiguration, XSS into Injection, and Insecure Deserialization into Software and Data Integrity Failures. Three new risks broke into the top 10 list; they are described below.

OWASP Top 10 Changes from 2017 to 2021

Insecure Design

Insecure design is a broad category representing weaknesses expressed as "missing or ineffective control design". A perfect implementation cannot fix an insecure design, because the needed security controls were never created to defend against specific attacks.
One of the factors that contributes to insecure design is the lack of business risk profiling for the software or system being developed, and thus the failure to determine what level of security design is required.
Software and Data Integrity Failures

Software and data integrity failures are caused by code and infrastructure that do not protect against integrity violations. Examples include applications relying on plugins, libraries, or modules from untrusted sources. Insecure CI/CD pipelines can introduce the potential for unauthorized access, malicious code, or system compromise. Many applications now include auto-update functionality where updates are downloaded without sufficient integrity verification (a checksum and a signature checked against a trusted key) and applied to the previously trusted application.

Server-Side Request Forgery (SSRF)

SSRF flaws occur when a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to coerce the application into sending a crafted request to an unexpected destination, even one protected by a firewall, VPN, or other network access control list (ACL): the attacker can reach the victim through the web server even though they cannot reach it directly. As modern web applications provide end users with convenient features, the incidence of SSRF is increasing, and its severity is growing because of cloud services (for example instance metadata endpoints that are reachable only from inside the cloud network) and the complexity of architectures. In short, SSRF lets attackers send crafted requests from the backend server to other services and abuse server-side functionality to perform unauthorized actions.
Injection & XSS (note: important summary)

The Most Common Attacks

Two of the most popular and best-known threats facing organizations are Injection and XSS attacks. Both aim to steal information, but injection is geared towards attacking the server-side interpreter (most often a database), whereas XSS is focused on attacking end users through their browsers.

Cross-Site Scripting (XSS)

XSS flaws occur when an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Exercise: Exploring OWASP Top 10 (very important)

What is the node command in Linux? Node allows developers to write JavaScript code that runs directly in a computer process rather than in a browser. Node can therefore be used to write server-side applications with access to the operating system, file system, and everything else required to build fully functional applications.

Answer: ND324 SAND C2 L01 Exploring OWASP Top 10 Exercise Solution (YouTube)

Threat Actors

A threat actor is an entity responsible for a security incident. Threat actors can be internal or external.

Organized Crime: cyber criminals whose primary motive is money. They look for sensitive information, money, and anything of value.

State-Sponsored attacks: attacks in which the threat actor acts on behalf of, and is funded by, a government body.

Script Kiddies: amateur cyber criminals with unclear motivations. They can be actual teenagers using scripts written by others, or working engineers who have decided to hack into a site. They commonly start with phishing and use prebuilt tools to complete their attack.

Some External Threat Actors

Hacktivists: similar to APT groups but with far less stealth. Since they are a group with no intention of staying hidden, they often use DDoS to get their point across and cause disruption. They can also deface websites and leak sensitive information (often emails).

Insider Threat: while a malicious employee can be devastating, negligence and unintentional errors can be just as damaging. These threats are hard to detect and prevent because they come from legitimate users with valid credentials. They can commit sabotage, espionage, theft, and fraud.

Advanced Persistent Threat (APT) Groups: industrial spies and government agencies that take part in cyber warfare. They are extremely elusive and hard to track because they are organized and secretive. They usually focus on attacking other nations, but businesses and finances are often affected, especially if the company handles sensitive information for a nation.
Threat Actors: TTP

Tactics, Techniques, and Procedures (TTP)

Tactics: the big-picture considerations of what should be done and how it should be done.

Techniques: actions that can be executed to achieve a goal, without the specific details of how the action is completed.

Procedures: the specific details of each technique and how to actually complete the action.

Threat Actors and Their Expected TTPs

Organized Crime: their TTP is to contact large numbers of people and gain money through ransomware or cryptojacking. This usually starts with mass phishing carrying an attachment that is the ransomware or a cryptominer.

State-Sponsored: extremely proficient threat actors with dedicated resources at their disposal. Their target is usually intellectual property or espionage in order to gain information on the target.

APT Groups: they generally want to infiltrate specific companies and government agencies to gather information. They use multiple points of attack to "get their foot in the door" and then enable further attacks.

Insider Threat: vandalism and data breaches are the most common techniques that result from insider threats.

Hacktivist: they want to make a statement about a site or damage an individual's image. Their most common attack is DDoS to take a site down.

Script Kiddy: as with an insider threat, it is hard to define overall tactics because there usually is no cohesive bigger picture. They use well-known, open-source, prebuilt tools.

Threat Actors: TTP II

TTP Sources

Now that we have identified the TTPs that threat actors fall under, let's look at some TTP sources. These help us identify threat actors and build our threat intelligence. Below are some sources we can use to identify the TTPs that threat actors might employ:

Open Source Intelligence (OSINT): large, publicly available databases of the TTPs threat actors use. These are most often generated automatically by scraping data rather than curated by hand, because there is a huge amount of information to go through.

Darknets: deliberately unused, self-contained sections of your network that host no legitimate services. Nothing should ever talk to them, so any connection that reaches them is an indicator that something is wrong, for example a scanner or a worm looking for hosts. Darknets are a reactive (detective) control rather than a preventive one.

Telemetry: the data collected across your network as it interacts with users: open ports, download/upload attempts, traffic, connection attempts, and more. "Internal telemetry" is data collected within your own network. "Vendor-aggregated" telemetry, pooled across a vendor's customer base, helps analysts tell genuine network data from malicious traffic.
Like darknets, telemetry is reactive: it helps identify when a problem is occurring rather than stopping the problem entirely.

Malware Processing/Sandbox Analysis: collecting and detonating malware in a safe, isolated environment (sandbox analysis) in order to improve security protocols and understand what went wrong and what could have gone wrong.

Further Research: see the OSINT resource linked from the course.

Zero-Day Threats

New Threats

We have identified a massive number of threats and threat actors that are currently known to us. But what happens when we encounter a threat that has not existed before? How do we prepare for something we don't know?

A zero-day threat is a threat that exploits a vulnerability for which no patch or fix exists yet; the vendor has had "zero days" to address it, and often does not yet know about it.
Zero-Day Timeline

Stuxnet

One of the most dangerous zero-day threats that has ever existed was Stuxnet. To this day, Stuxnet is one of the most sophisticated worms ever written. It exploited four zero-day vulnerabilities, and it is widely believed to have been a weapon of the US and Israeli governments against Iranian nuclear facilities; its purpose was to delay the development of Iran's nuclear weapons. The attack on the Iranian nuclear plants is believed to have started from a single USB drive. From that USB drive the worm's replication was extremely aggressive, and it continued to propagate and replicate itself. Stuxnet had a crippling effect on Iran's nuclear development, reportedly ruining almost one-fifth of Iran's nuclear centrifuges and infecting over 200,000 computers.

Glossary

Term: Definition

Unintentional Threats: threats to an organization that don't have intent behind them; they can be classified as accidents, human error, or computer failures.

Intentional Threats: threats to an organization that have intent behind them and seek to cause disruption or bring personal financial gain.

Internal Threats: any threat to an organization originating from within the company.
External Threats: any threat to an organization originating from outside it.

Natural Threats: any threat to an organization originating from natural disasters such as hurricanes, earthquakes, floods, or tornadoes.

Human Error: this covers a large share of the internal threats organizations see. Employees show poor decision-making and fall for a phish or scam, or leak data accidentally through improper configurations.

Poor security culture: a lack of cybersecurity training and support, no strong security-oriented culture, and a lack of proper security policies such as a strong password policy or access controls.

Disgruntled employees: disgruntled employees have a motive to harm the organization. They may have access to sensitive information that they look to leak or expose, or they may sabotage the company.

Insider-aided threats: an internal employee has help from an individual outside the company to access sensitive information, often working with the outside entity for a financial reward.

Former employees: employees who have been let go or have left the organization but whose access has not been revoked. They may have ill intent and look to cause damage by leaking sensitive information.

DoS/DDoS: a Denial of Service attack overwhelms a system's resources. A Distributed Denial of Service attack is the same attack launched from many machines controlled by the attacker, usually a botnet. Common variants are the HTTP flood, ICMP flood, TCP SYN flood, teardrop attack, smurf attack, and ping-of-death attack.

MitM: a Man in the Middle attack is one where an attacker places themselves between a user and a server in order to read, modify, or otherwise tamper with the communications between the two.
Common techniques include IP spoofing and session hijacking.

Phishing and Spear Phishing: emails that try to obtain personal information or get users to do something (download and run a file, click a link, etc.) by appearing to come from a trusted source. Spear phishing is an extremely targeted phish built on social engineering; perpetrators can falsify email headers to make the message more believable to the victim.

Botnets: a network of computers that have been infected by malware and are controlled by a Command and Control (C2, also written CnC) server. The infected machines are referred to as bots or zombies, and they await instructions to perform attacks such as a DDoS attack.

Adware: malware that delivers advertisements. Adware shows up as pop-up ads on websites and is sometimes bundled with free software. Adware is generally not dangerous in itself but is sometimes bundled with spyware.

Spyware: malware that infects your machine with the goal of gathering information about you, such as activity monitoring, keystrokes, and user information. It runs quietly in the background while it enumerates as much information as it can about the infected victim.

Worms: malware that copies itself from computer to computer. A worm self-replicates autonomously without user interaction, and in its simplest form a worm will keep replicating until it has depleted a system of all its resources. The worm is often cited as the first type of malware discovered.

Ransomware: malware that requires users to pay a ransom before they can access their files. The most sophisticated forms of ransomware encrypt all of a user's files and only decrypt them once payment has been delivered.

Trojans: malware that disguises itself as something else to gain access to your system. Once inside, the Trojan executes to install further malware or steal sensitive information. Social engineering plays a role in how Trojans are delivered: by gathering information on a victim, a Trojan can be concealed and delivered without the victim ever knowing.

Rootkits: malware designed to stay hidden on the infected system and provide administrative access to the attacker. Rootkits are difficult to locate and can go undiscovered for long periods. They are often delivered through phishing emails and drive-by downloads.

Broken Authentication: application functions related to authentication and session management are often implemented incorrectly.
This allows attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

Sensitive Data Exposure: many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII. Attackers may steal or modify weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest or in transit, and it requires special precautions when exchanged with the browser.
XML External Entities (XXE): many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file:// URI handler, to reach internal file shares, to perform internal port scanning, and in some configurations to achieve remote code execution or denial of service.

Broken Access Control: restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data: other users' accounts, sensitive files, modifying other users' data, changing access rights, and more.

Security Misconfiguration: the most commonly seen issue. It commonly results from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, they must also be patched and upgraded in a timely fashion.

Insecure Deserialization: insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks such as replay attacks, injection attacks, and privilege escalation.

Using Components with Known Vulnerabilities: components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, the attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable a range of attacks and impacts.

Insufficient Logging & Monitoring: insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to keep working inside a system.
They can further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that it is typically detected by external parties rather than by internal processes or monitoring.

Injection: injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Cross-Site Scripting (XSS): XSS flaws occur when an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser,
which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Organized Crime: cyber criminals whose primary motive is money. They look for sensitive information, money, and anything of value.

State-Sponsored attacks: attacks in which the threat actor acts on behalf of, and is funded by, a government body.

Script Kiddies: amateur cyber criminals with unclear motivations. They can be actual teenagers using scripts written by others, or working engineers who have decided to hack into a site. They commonly start with phishing and use prebuilt tools to complete their attack.

Tactics: the big-picture considerations of what should be done and how it should be done.

Techniques: actions that can be executed to achieve a goal, without the specific details of how the action is completed.

Procedures: the specific details of each technique and how to actually complete the action.

Organized Crime (expected TTP): contact large numbers of people and gain money through ransomware or cryptojacking. This usually starts with mass phishing carrying an attachment that is the ransomware or a cryptominer.

State-Sponsored (expected TTP): extremely proficient threat actors with dedicated resources at their disposal. Their target is usually intellectual property or espionage in order to gain information on the target.

APT Groups: they generally want to infiltrate specific companies and government agencies to gather information. They use multiple points of attack to "get their foot in the door" and then enable further attacks.

Insider Threat: vandalism and data breaches are the most common techniques that result from insider threats.

Hacktivist: they want to make a statement about a site or damage an individual's image. Their most common attack is DDoS to take a site down.

Script Kiddy: as with an insider threat, it is hard to define overall tactics because there usually is no cohesive bigger picture.
They use well-known, open-source, prebuilt tools.

Open Source Intelligence (OSINT): large, publicly available databases of the TTPs threat actors use. These are most often generated automatically by scraping data rather than curated by hand, because there is a huge amount of information to go through.

Darknets: deliberately unused, self-contained sections of your network that host no legitimate services. Nothing should ever talk to them, so any connection that reaches them is an indicator that something is wrong. Darknets are a reactive (detective) control rather than a preventive one.

Telemetry: the data collected across your network as it interacts with users: open ports, download/upload attempts, traffic, connection attempts, and more. "Internal telemetry" is data collected within your own network. "Vendor-aggregated" telemetry, pooled across a vendor's customer base, helps analysts tell genuine network data from malicious traffic. Like darknets, telemetry is reactive: it helps identify when a problem is occurring rather than stopping the problem entirely.

Malware Processing/Sandbox Analysis: collecting and detonating malware in a safe, isolated environment (sandbox analysis) in order to improve security protocols and understand what went wrong and what could have gone wrong.

Zero day: a threat that exploits a vulnerability for which no patch or fix exists yet, because the vendor has had "zero days" to address it.