Threat Actors – CompTIA Security+ SY0-701 – 2.1

There are many different types of attackers. In this video, you’ll learn about threat actors from nation states, organized crime, shadow IT, and others.


A threat actor is an entity that is the cause of an event that affects the security of others. We often refer to these actors as malicious actors because the actions they take tend to have a negative effect on the security of others. We’ll usually describe these threat actors with a series of attributes: whether they’re internal or external, how many resources they have, how sophisticated they are, and what motivates them. In this video, we’ll step through the common threat actors and how these attributes tend to line up with their actions.

When you’re investigating an attack against your organization, it’s useful to know who the threat actor is. Identifying the actor helps you understand why this attack is happening and what their ultimate goal was in performing it.

Attackers can come from anywhere. Sometimes the attackers work for your organization and are already inside the company. Or they may be outside the organization, trying to gain access through any number of publicly exposed resources.

The amount of resources or financial funding available is another way to characterize a threat actor. An actor with no money has limited access to tools and infrastructure. An actor with a large amount of money can fund many different attacks with those resources.

It’s also useful to determine the level of sophistication of a particular attacker. There’s a big difference between someone who has no idea what the script they happen to be running does, or what its results might be, and someone who can build their own tools and develop their own capabilities. And of course, many attackers have a skill set that fits somewhere between those two extremes.

One question I’ll often hear when describing certain attacks against organizations is, why would somebody want to do that? The answer is that there are many different reasons. The attacker may want to find data and exfiltrate it from the organization. This may be a competitor performing espionage, wanting to know what another company is working on. Or they may simply be trying to disrupt that company’s services to create problems for its customers. There could be any number of motivations, and which one applies depends on the situation, the attacker, and who’s being attacked.

Let’s step through a number of different threat actors and see if we can figure out what their motivations might be. Let’s start with a threat actor that is usually outside of your organization: the nation state. This is often an entire government, or an arm of that government dealing with national security or intelligence.

A government might have many different motivations for attacking or disrupting your services. These could be data exfiltration, philosophical reasons, or political reasons. Or they may simply be trying to disrupt the services you’re already providing. And ultimately, a government may be trying to draw an adversary into a war.

As you can imagine, a government has enormous resources available for these attacks. It can use those resources to maintain constant attacks against its adversaries and to attack multiple targets at the same time. Groups that operate this way, with a sustained, well-funded campaign against a chosen target, are very often referred to as APTs, or Advanced Persistent Threats.

These can be especially dangerous threat actors because they have the resources of an entire government behind them. They can afford the most sophisticated developers, creating very advanced attack tooling. And they use these resources to attack military command and control systems, utilities, or to gain control over another country’s finances.

If you’re interested in seeing what a combination of governments working together can do to create a very sophisticated attack, look into the Stuxnet worm. This worm is widely attributed to the United States and Israel, and it was specifically designed to damage the centrifuges used in Iran’s uranium enrichment program by manipulating the Siemens programmable logic controllers that drove them.

We move from attackers that are very sophisticated to attackers that aren’t sophisticated at all. These are unskilled attackers who may run scripts without any knowledge of what’s happening under the surface. If the script works, the attacker was successful. But if the script doesn’t work, the attacker doesn’t have the skills to understand why it failed or how to modify the script to make it work.

These attackers are often motivated by the attack itself. They may be trying to disrupt services or exfiltrate data, and sometimes there’s a philosophical or political reason behind the attack. Although it’s common for these attackers to be outside the organization trying to gain access, there are times when we’ve found unskilled attackers on the inside of the organization as well.

As we’ve already mentioned, these are generally unsophisticated attacks, and unskilled attackers generally don’t have a lot of resources available. They certainly would not have the backing of a government or a large organization. That means they’re looking for the easiest way in, using scripts and tools that are readily available.

If you’re a hacker who’s motivated by political reasons or a philosophical difference, and you’d like to disrupt or damage an organization, we might categorize you as a hacktivist. This hacktivist, or hacker activist, is commonly considered to be outside the organization. But they could also work towards getting hired by the organization and become an internal threat.

These are often very sophisticated technologists, and they can use that knowledge to attack in very specific ways. They might focus on denial of service. They might try to gain access to a website so they can deface it with their own messages. Or they may be looking for private documents that they can release to the public. Fortunately for us, hacktivists don’t tend to have a large amount of finances available to perform these hacks. But some groups will perform fundraising so that they have money to apply towards their hacktivism.

An insider threat is an especially difficult problem to detect, and even more difficult to stop if the insider wants to do something malicious. This is more than someone simply writing their password on a yellow sticky note and keeping it under their keyboard. This is someone who may be out for revenge or financial gain at the organization’s expense.

With an insider threat, all of the resources already exist within the organization, and this individual is simply taking advantage of them. Because they’re working with credentials and access they were legitimately given, much of what they do looks like normal business activity, which is what makes them so hard to detect. This is why it’s so important that proper vetting is done during the hiring process, so that you’re not hiring somebody who will then work inside your organization to attack you. You can think of this type of attacker as having a medium level of sophistication. But where they really excel is in knowing exactly where in the organization the data is and how to circumvent the existing security controls to get to it.

Our perception of organized crime may come from old movies. But in reality, there is a great deal of organized crime in the cybersecurity arena. Threat actors categorized as organized crime are usually motivated by money; everything they do is aimed at making a profit from the attacks they perform.

Since organized crime is in the business of making money, they often have considerable resources to apply to these attacks. These organizations might have a corporate structure, where one person does the hacking, another manages the existing exploits and creates new ones, and somebody else sells the stolen data to a third party. You might even have somebody handling customer support, especially where the group is running ransomware and needs to walk victims through paying the ransom and recovering their files. It’s difficult to fight an attacker with this much money available, and they’re going to find many different ways to try to gain access to your data.

A threat actor we don’t often consider is one that’s in our own organization and working around the existing policies and procedures of the IT department. We refer to this as shadow IT. It’s usually a group or department that’s working around the rules your IT department has put in place.

They might build their own infrastructure, install their own applications, and start using them without the IT department ever realizing what’s happening. This group doesn’t have to deal with the limitations that come with an IT department, such as change control or budget approval. Instead, they’ll use their own budget or a corporate credit card to purchase cloud-based services and access them from a browser.

These groups are obviously limited by the budget they have. But in many cases they can build quite an infrastructure with a small budget, connecting to services that live in the cloud. In some cases none of these people have a background in information technology. They don’t understand what’s required for backups or change control, and no one is asking what security controls should be in place. Company data ends up in systems the organization doesn’t know about, isn’t monitoring, and can’t protect, which puts the entire organization at risk.
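Because shadow IT is usually reached from a browser, the organization’s web proxy logs are often the first place the unsanctioned services show up. The following Python script is an added example (not part of the original video) of that check: it maps proxy records to known SaaS domains and flags any service that IT has not approved, weighting findings by how many distinct users touch it and how much data they upload. The log format, the SaaS catalogue, the approved list and the sample records are all constructed for the demonstration; a real deployment would take these from the proxy’s export and the organization’s software inventory.

```python
"""Flag unsanctioned SaaS use in web-proxy logs (added example).

The log format, SAAS_CATALOGUE, APPROVED and SAMPLE_LOG below are
constructed for this demonstration, not taken from any real product.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed catalogue: registrable domain -> service name.
# In practice this comes from a CASB or URL-categorisation feed.
SAAS_CATALOGUE = {
    "trello.com": "Trello",
    "dropbox.com": "Dropbox",
    "notion.so": "Notion",
    "sharepoint.com": "SharePoint",
    "slack.com": "Slack",
}

# Services the IT department has reviewed and sanctioned (constructed).
APPROVED = {"SharePoint", "Slack"}


@dataclass
class Finding:
    service: str
    users: set
    bytes_out: int


def registrable_domain(host: str) -> str:
    """Collapse 'files.eu-west.dropbox.com' to 'dropbox.com'.

    Good enough for the catalogue above. A production tool should use the
    Public Suffix List (for example the tldextract package), because
    two-label suffixes such as 'co.uk' break this naive last-two-labels rule.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line: str):
    """Parse one constructed proxy record: time user method host bytes_sent.

    Returns None for malformed lines so one bad record does not stop the run.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, host, sent = parts
    try:
        return ts, user, method, host, int(sent)
    except ValueError:
        return None


def find_shadow_saas(log_lines):
    """Return findings for catalogued SaaS domains that are not approved.

    Uploads (POST/PUT) are what matter for data leaving the organisation, so
    bytes_out counts only those methods; GETs still mark the user as active.
    """
    by_service = defaultdict(lambda: Finding("", set(), 0))
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, user, method, host, sent = rec
        service = SAAS_CATALOGUE.get(registrable_domain(host))
        if service is None or service in APPROVED:
            continue
        finding = by_service[service]
        finding.service = service
        finding.users.add(user)
        if method in ("POST", "PUT"):
            finding.bytes_out += sent
    # Several distinct users on one unsanctioned service is the pattern of a
    # team that has built its own workflow, not one person's browsing, so
    # rank by user count first and upload volume second.
    return sorted(by_service.values(), key=lambda f: (-len(f.users), -f.bytes_out))


# Constructed sample records (whitespace-separated: time user method host bytes_sent).
SAMPLE_LOG = """\
2024-03-04T09:01:12Z alice GET www.slack.com 412
2024-03-04T09:02:40Z alice POST api.trello.com 9812
2024-03-04T09:05:03Z bob POST api.trello.com 15230
2024-03-04T09:06:18Z carol PUT content.dropbox.com 52428800
2024-03-04T09:07:55Z dave GET www.notion.so 1024
2024-03-04T09:08:09Z bob GET trello.com 2048
2024-03-04T09:09:30Z erin POST marketing.sharepoint.com 30000
malformed line
""".splitlines()

if __name__ == "__main__":
    for f in find_shadow_saas(SAMPLE_LOG):
        print(f"{f.service}: {len(f.users)} user(s), {f.bytes_out} bytes uploaded "
              f"-> {sorted(f.users)}")
```

On the sample records the approved Slack and SharePoint traffic is ignored, Trello is ranked first because two different users are posting to it, and Dropbox is second on the strength of a single 50 MB upload. The catalogue lookup is the weak point of this approach: a service that is not in the feed is invisible, so the output is a starting list for a conversation with the department involved, not a complete inventory.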

Let’s summarize these threat actors in a single table, looking at the nation state, unskilled attacker, hacktivist, insider threat, organized crime, and shadow IT. Nation states, unskilled attackers, hacktivists, and organized crime tend to be external to the organization, while insider threats and shadow IT are commonly internal.

The resources available to each threat actor vary widely: a nation state has extensive resources, while an unskilled attacker may have very limited resources. Sophistication varies as well. Organized crime and nation states can operate at a very high level of sophistication, while unskilled attackers and shadow IT departments tend to have low or limited sophistication.

And of course, each of these threat actors has its own motivation for performing these attacks. A nation state may have the specific goal of disrupting or creating problems for another government, while an insider threat is out for revenge or some type of financial gain. If we understand the motivation, we can adjust our security controls to best prevent that type of attacker from gaining access to our systems.