Domain 2 · 2.2 Threat Vectors & Attack Surfaces

2.2.4 Unsecure Networks & Open Ports

10 min

Unsecured networks and open ports represent exposed attack surfaces where unauthorized access, data exfiltration, and service disruptions occur due to insufficient oversight.

Network Exploitation and Threat Actors Threat actors continuously scan for vulnerabilities to gain unauthorized access to proprietary data and resources. - Criminal Syndicates: Highly sophisticated, well-funded organized crime groups motivated primarily by financial gain through illegal transactions. - State Actors: Nation-state entities that exploit vulnerabilities to gather intelligence or conduct espionage on rival governments and organizations. - Competitors: Rival organizations attempting to steal customer lists, business practices, or intellectual property via competitive intelligence gathering. - Dark Web: Unindexed portions of the internet used by criminals to trade stolen data and tools; it serves as a primary hub for illegal information exchange.

Information Gathering and Intelligence Security professionals and attackers alike use various intelligence sources to assess the security posture of a target. - OSINT (Open-Source Intelligence): Information gathered from public domains, including social media, newspapers, academic publications, and government reports. - ISACs (Information Sharing and Analysis Centers): Collaborative organizations that share threat intelligence between public and private sectors to improve collective defense. - AIS (Automated Indicator Sharing): The exchange of cyber threat indicators between organizations at machine speed. - TAXII (Trusted Automated eXchange of Intelligence Information): A protocol used to exchange cyber threat intelligence over HTTPS to improve situational awareness.

Indicators of Compromise (IoC) When a network is breached via an open port or unsecured connection, it leaves behind forensic artifacts known as Indicators of Compromise. - Unusual Traffic: A sudden spike in outgoing network traffic often suggests data exfiltration or a botnet infection. - Permission Changes: Unexpected modifications to file or folder permissions that grant elevated access to unauthorized users. - Malware Signatures: The presence of known malicious code patterns within system files. - Social Media Leaks: Sensitive information posted by employees on personal accounts, which can lead to unauthorized access or social engineering.

Quick Recall - Open Ports: Any network port (like 21 for FTP or 23 for Telnet) left active without a business need is a primary entry point for attackers. - OSINT: Publicly available information; use this term when the scenario involves "researching a target using LinkedIn or news articles." - TAXII: The transport mechanism for sharing threat data; often paired with STIX (the format). - IoC: Evidence of an intrusion; think "digital footprints" like spikes in traffic or unrecognized log entries. - ISACs: Sector-specific (e.g., Finance, Aviation) groups that share security data.