2.1.2 Threat Actor

Attributes of Threat Actors

  • Static Known Threats: Historically, cybersecurity techniques relied on identifying static known threats.
    • Examples include viruses, rootkits, Trojans, botnets, and software vulnerabilities.
    • Automated software can straightforwardly identify and scan for these threats.
    • Adversaries have developed methods to circumvent signature-based scanning.
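To make the "static known threats" point concrete, here is a small added example (not from the original notes) of the two most common static signature types: an exact file-hash signature and a byte-pattern content rule. The sample "files" are constructed byte strings, not real malware, and the signature names are hypothetical. Running it shows why a hash signature alone is brittle: a variant that differs by a single appended byte no longer matches the hash, while the pattern rule still fires, which is why scanners layer several static signature types (and why defenders pair them with behavioural detection).

```python
import hashlib
import re

# Constructed sample "files" for the demonstration; none of this is real malware.
# The variant differs from the known sample by a single appended byte.
SAMPLES = {
    "known_sample.bin": b"MZ\x90\x00 demo-payload-marker-ABC123 \x00end",
    "variant_sample.bin": b"MZ\x90\x00 demo-payload-marker-ABC123 \x00end\x00",
    "benign.txt": b"quarterly report: all figures nominal\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's content."""
    return hashlib.sha256(data).hexdigest()


# Static signature type 1: an exact SHA-256 of the known sample (hypothetical name).
HASH_SIGNATURES = {sha256_hex(SAMPLES["known_sample.bin"]): "demo.known-hash"}

# Static signature type 2: a byte-pattern rule over file content, the style of
# rule a YARA-like content scanner uses (hypothetical rule name).
PATTERN_SIGNATURES = {
    "demo.marker-pattern": re.compile(rb"demo-payload-marker-[A-Z0-9]{6}"),
}


def match_hash(data: bytes) -> list[str]:
    """Return hash-signature names whose digest equals this file's digest."""
    name = HASH_SIGNATURES.get(sha256_hex(data))
    return [name] if name else []


def match_patterns(data: bytes) -> list[str]:
    """Return pattern-signature names whose regex occurs anywhere in the file."""
    return [name for name, rx in PATTERN_SIGNATURES.items() if rx.search(data)]


def scan(data: bytes) -> dict[str, list[str]]:
    """Run both static signature types and report which ones fired."""
    return {"hash": match_hash(data), "pattern": match_patterns(data)}


def scan_all(samples: dict[str, bytes]) -> dict[str, dict[str, list[str]]]:
    """Scan every sample and map its name to the signatures that matched."""
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all(SAMPLES).items():
        verdict = "DETECTED" if result["hash"] or result["pattern"] else "clean"
        print(f"{name:20s} {verdict:9s} hash={result['hash']} pattern={result['pattern']}")
```

The known sample trips both signatures, the one-byte variant trips only the pattern rule, and the benign file trips neither. Both signature types are still static: a detection program that relies on them alone needs continual signature updates, which is the gap the notes describe adversaries exploiting.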

Motivations of Threat Actors

  • The sophisticated nature of modern cybersecurity threats necessitates the profiling of threat actors.
  • Factors for Evaluation:
    • Location: Where the threat actor is based.
    • Capability: Skills and tools available to the threat actor.
    • Resources/Funding: Financial means to carry out attacks.
    • Motivation: The underlying reason for the attack (e.g., financial gain, revenge).
  • Internal vs External Threats:
    • Internal Threats: Threat actors who have been granted permissions on the system (e.g., employees, contractors).
    • External Threats: Unauthorized access with no prior account on the target system.
    • May involve physical infiltration or remote hacking.

Sophistication/Capability

  • Description: Refers to the threat actor's ability to utilize advanced exploit techniques and tools.
    • Least Capable: Rely on widely available commodity attack tools.
    • More Capable: Develop new exploits against systems in various environments.
    • Most Capable: Utilize non-cyber tools, such as political or military assets, to achieve objectives.

Resources/Funding

  • Higher capabilities require substantial resources/funding.
  • Description: Sophisticated threat groups acquire resources like:
    • Customized attack tools.
    • Skilled professionals (strategists, designers, coders, hackers, social engineers).
  • Funding often comes from nation-states or organized crime syndicates.

Types of Threat Actors

Structured vs Unstructured Threats

  • Structured/Targeted Threat: Specific, calculated attacks aimed at particular targets (e.g., cybercriminal gangs attacking customer databases).
  • Unstructured/Opportunistic Threat: Generic attacks lacking a specific target (e.g., viral email worms).

Attack Strategies and the CIA Triad

  • The CIA Triad describes how threats affect the confidentiality, integrity, and availability of information:
    • Data Exfiltration: Compromises confidentiality.
    • Disinformation: Attacks integrity.
    • Service Disruption: Targets availability.
  • Chaotic Motivations: In early internet days, disruptions were often for chaos or credit.

Examples of Motivations

Chaotic Motivations

  • Early attacks focused on the thrill of chaos through vandalism.
  • Modern motivations may include political purposes or revenge.

Financial Motivations

  • Blackmail: Demand payment to prevent information release.
  • Extortion: Demand payment to halt attacks (e.g., ransom).
  • Fraud: Tampering with records for financial gain.

Political Motivations

  • Attacks aimed at governance or societal change.
  • Espionage: Targeted approaches to steal secrets (commercial or governmental).

Types of Threat Actors in Detail

Hackers

  • Description: Individuals who use unauthorized means to access computer systems.
  • Hacker Types:
    • Unauthorized Hackers: Black hat (malicious) hackers.
    • Authorized Hackers: White hat (ethical) hackers.
  • Unskilled Attackers: Use tools without deep knowledge.

Hacker Teams and Hacktivists

  • Groups use cyber weapons for political agendas (e.g., Anonymous, WikiLeaks).
  • Targeted organizations may include political, media, and financial sectors.

Nation-State Actors

  • Countries that use cyber capabilities for military and commercial objectives.
  • Advanced Persistent Threat (APT): Maintains prolonged access to networks using various tools.
  • Notable threats against energy, health, and electoral systems.
  • Pursue objectives like disinformation and espionage.

Organized Crime and Competitors

  • Cybercrime surpasses physical crime in prevalence.
  • Activities focus on profit-driven crime, blackmail, and even cyber espionage against competitors.

Internal Threat Actors

  • Defined as actors who have or had legitimate access to systems (e.g., employees).
  • Types include:
    • Permanently privileged insiders (employees).
    • Temporarily privileged insiders (contractors).
    • Former insiders harboring grievances (ex-employees).
  • Motivations often include revenge and financial gain.

Unintentional Insider Threats

  • Often due to carelessness, such as poor password management or shadow IT (using unapproved tools), which can introduce vulnerabilities.

Conclusion

  • Understanding motivations and behaviors of different threat actors helps in risk assessment and mitigation strategies.
  • Awareness of how these actors operate can inform risk management practices and cybersecurity initiatives.