If you are an information security professional, your primary role is to defend your organisation’s systems and data proactively. To defend against the mass of threats out there today, it is important to know the “who” (the individuals you are protecting your data and systems from) and the “how and why” (the adversary’s tactics and motivations). The individuals you are in a battle with are called threat actors. In cyber security and threat intelligence, a threat actor is any individual or group of individuals that attempts to conduct, or successfully conducts, malicious activities against enterprises, whether intentionally or unintentionally.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” (Sun Tzu)
Monetary gain is the primary incentive for most cybercriminals, but there are many other motivations. Some have a social or political agenda, some act simply because it is fun, and some want to prove that they can hack a complex system in order to make a name for themselves or to shame an organisation. Attributes that distinguish the different types include their level of sophistication and the resources they have at their disposal for carrying out attacks. Their motivation influences both the kinds of activity they engage in and the scale at which they operate. In this article, we will cover the types of threat actors, how these adversaries operate and how you can defend against them.
Types of threat actors
Script kiddies are actors who lack the hacking skills to write their own malicious code and rely on scripts written by others, occasionally making minor adjustments and claiming the result as their own. Script kiddies were once thought to be mostly teens motivated by peer competition or simple mischief. Because of their lack of hacking skills, their attacks are not very sophisticated, but even so, with resources so readily available online and tools continuously evolving, script kiddies can still wreak havoc on an information system.
Nation-state actors are very powerful and well funded, often by national governments. They are capable of carrying out large-scale attacks as well as advanced persistent threats (APTs). An advanced persistent threat is an attack in which an unauthorised user gains access to a system or network and remains there for an extended period of time without being detected. Nation-state actors’ primary purpose is to infiltrate and maintain a presence in the target network for an extensive period of time, typically to collect targeted types of data. Once access is gained, the attacker can move laterally through a network and blend in with regular traffic, which is one of the reasons they can go undetected for months or years and inflict a high degree of damage on an organisation.
Nation-state actors are not motivated by direct financial gain. Their reasons typically lie in national security, political espionage, military intelligence and even attempts to influence another nation’s political process. They may also be after intellectual property that could ultimately give the sponsoring nation a competitive advantage on the international market.
The term hacktivist is derived from the words hacker and activist. Hacktivists are on a mission of some sort to inflict damage on an organisation or group, usually for political reasons and against an organisation whose views they oppose. Hacktivists may act alone or in groups, and may recruit a large army of like-minded hackers. Their attacks often follow a pattern and use similar tools and techniques. They can pose a serious threat because they are determined to reach their goals and are increasingly acquiring the resources they need to carry out their agenda.
Organised-crime actors are cyber-criminals who engage in targeted attacks driven by profits. That means they typically target data that has a high value on the dark market, such as personally identifiable information and banking information. These cyber rings also engage in more sophisticated ransomware attacks.
It is a common misconception that cyber-attackers are usually outsiders who use hacking skills to infiltrate a network from the outside. Inside actors are attackers operating from within your organisation, typically disgruntled employees or ex-employees looking for revenge or some type of financial gain. Insiders not only have direct access to sensitive data but also knowledge of internal operations and processes. On top of that, their activity is much less likely to raise a red flag within the network, and network intrusion tools such as firewalls are ineffective against inside threats. Their actions are usually hard to distinguish from the activity that occurs on the network as a regular part of the business. On the upside, if the correct tools are in place, negligent inside attackers can often be found through login histories and security logs.
Once you know your potential threat actors, you need to ensure that your network is able to provide you with the intelligence you need to identify when you are under surveillance or attack by them. This includes implementing the correct monitoring tools, gathering the logs required and setting up an alerting system that will notify you of critical potential breaches.
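As an added example (not code from the original article), the following Python script applies the detection points above to login history: it scans constructed login log lines for successful logins by accounts of departed employees, successful logins outside business hours, and repeated failed logins, and emits alerts. The log format, user names, HR list and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample login records (not taken from the article).
# Format per line: ISO timestamp, username, source, outcome
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice workstation-17 success
2024-03-04T22:47:33 bob vpn success
2024-03-05T02:15:10 bob vpn success
2024-03-05T03:01:44 carol vpn failure
2024-03-05T03:02:10 carol vpn failure
2024-03-05T03:02:40 carol vpn failure
2024-03-05T03:03:15 carol vpn failure
2024-03-05T10:30:00 dave workstation-02 success
"""

# Hypothetical HR feed: accounts that should already be disabled.
DEPARTED_USERS = {"bob"}
# Assumed business hours; logins outside them are worth a look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Number of failed logins per user before an alert is raised.
FAILED_LOGIN_THRESHOLD = 3


def parse_log(text):
    """Turn raw log lines into (timestamp, user, source, outcome) tuples."""
    records = []
    for line in text.splitlines():
        ts, user, source, outcome = line.split()
        records.append((datetime.fromisoformat(ts), user, source, outcome))
    return records


def find_alerts(records):
    """Return (alert_type, user, timestamp) tuples for suspicious login activity."""
    alerts = []
    failures = defaultdict(int)
    for ts, user, source, outcome in records:
        if user in DEPARTED_USERS and outcome == "success":
            alerts.append(("departed-user-login", user, ts.isoformat()))
        in_hours = BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]
        if outcome == "success" and not in_hours:
            alerts.append(("off-hours-login", user, ts.isoformat()))
        if outcome == "failure":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:  # alert once per user
                alerts.append(("repeated-failures", user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert)
```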
Knowing your enemy can be vital when it comes to securing a corporation’s critical data, and applying threat intelligence with the different types of threat actors in mind is a crucial step to avoiding security breaches and minimising the damage a breach can cause.