The 6 Types of Threat Actors You Need to Know
If you’ve ever seen a true-crime documentary, you know that the first thing the detectives do upon discovering a crime is postulate the identity of the perpetrator.
To understand the motive, not to mention how the crime was committed, investigators play a game of psychological “what-ifs” to determine what sort of personality they are dealing with. The more they understand the criminal, the more likely they are not only to catch the villain, but also to prevent the crime from repeating.
The exploration of what sort of person commits cyber-crimes is still in its infancy. So much is made of the types of security we use to bottle up our assets, data, and infrastructures, that we don’t often think about who is behind the seemingly relentless stream of attacks that assault businesses, governments, and other web presences.
As everyone knows, eventually even the best lock can be picked, the best fortress penetrated, and the nastiest guard dog appeased by a delicious Porterhouse steak.
Cyber-criminals of all shapes and sizes are out there looking for loopholes in your system. A key component of any threat intelligence platform should be a who-is-who gallery of the kinds of threat actors perpetrating those attacks, their motives, their methods, and best practices for shutting them down.
This blog explores the six established types of actors, including their motivations and mindsets.
Government sponsored threats
Non-aggressive warfare between countries used to involve trade embargoes, saber-rattling, and sabotage. Now it’s evolved into cyber warfare, which is far less bloody, far less traceable, and much more efficient at disrupting the infrastructure of your opponent’s key systems. In the aftermath of 9/11, everyone was waiting for another plane to strike a high-profile target, but terrorist organizations like Hamas and Hezbollah were already shifting their ideology towards using cyber attacks against key parts of the US government. In 2015, the Chinese government used its “Great Firewall of China” to take down GitHub, sending a message about its thoughts on platforms where anyone can host, share, build, and manage code. In 2017, US President Donald Trump made it official that his own intelligence agents were allowed to use DDoS attacks against North Korea’s military spy branch, the Reconnaissance General Bureau.
The idea of hackers drawing government paychecks sounds like a contradiction of terms, but it’s becoming more and more common. In North Korea, recruitment is a scene straight out of Ender’s Game, in which promising students as young as 11 years old are sent to special academies where they are taught how to hack systems and concoct computer viruses to use against the enemy.
In countries more seasoned in non-aggressive warfare, like the US and Russia, these hackers are often professionals who have been contracted by the same government they spent years or decades causing mayhem in, or people who were caught hacking a system and then offered the chance to work for the government in exchange for having criminal charges wiped out.
Government-funded hackers are an interesting dichotomy: they are usually the best funded, which makes them particularly dangerous. However, since they usually have a single goal dictated by their employer, they often don’t do as much damage as a free agent in the same system might. This makes it easier to predict their likely targets by using threat intelligence feeds such as human intelligence (HUMINT), signals intelligence (SIGINT), and open-source intelligence (OSINT). As countries clash diplomatically and economically, their hackers are usually at work on a deeper level pursuing points of attack.
Organized crime
Organized crime hackers have the most transparent goal of all six types of threat actors: they want to steal your money or something they can sell afterwards.
This might take the form of data breaches, DDoS attacks, or the planting of ransomware, three things that every threat intelligence platform must maintain constant vigilance against. The organized crime hacker is usually either a veteran criminal who has added hacking to his resume, or someone who started as a hacker and was recruited by a crime syndicate to expand its reach. Organized crime hackers are probably the most dangerous because they are the most efficient - flush with funds but not needing the clunky infrastructure of a government, they divvy up the tasks and go to work. Ransomware is the real killer here, because most companies have no idea how to respond to it if they don’t already have the proper threat intelligence tools in place to stop it in its tracks. Do they call the police? The FBI? The end result is either losing everything - a death knell for most small-to-medium sized businesses (SMBs) - or paying the ransom and having to take a criminal’s word that the data will be restored.
Hacktivists
Hacktivism often comes across as somewhat positive. Hacktivists are seen as protesting social issues, government controversies, or corporate initiatives that threaten civil rights, the environment, and so on. Hacktivists are usually involved in activities that take down websites or replace web content with their own propaganda. Because their cause is typically ideological, they aren’t usually motivated by money, which often means that they are not professionals but closer to novice- and intermediate-level hackers. Open-source intelligence (OSINT) is a great threat intelligence feed to use when watching out for hacktivists, as news reports and social media are the primary breeding grounds for anti-government or anti-corporation movements to form.
Inside threats
Inside threats are usually the toughest to defend against because they can come from so many different directions. We are talking not only about attempts by the competition to shake down their business rivals, but also about ambitious ex-employees, people who misplace their credentials or their work-issued devices, and employees who look for ways to line their own pockets.
A well-rounded threat intelligence platform will surely include all of your company’s competition information: who they are, where they’re based, how their market share compares to your own, and how they move online. For some industries, cyber attacks are like fights in the NHL - illegal, but everyone knows they’re coming. In fact, when DDoS attacks first became commonplace, some of their chief proponents were gambling companies operating offshore from the US. Those sites would turn their own hired cyber guns on each other in the minutes and hours before a major sporting event like a boxing prize fight or the Super Bowl, taking rivals offline and costing them thousands or millions in lost bets. Threat intelligence feeds that must be closely monitored against inside threats include:
- Market intelligence (MARKINT) to understand your company’s industry and that of your competitors.
- Financial intelligence (FININT) to understand the financial capabilities or motivation of would-be attackers.
- Open-source intelligence (OSINT), particularly on social media with regard to former and current employees. Some might view this as a large step towards 1984-style surveillance, but Facebook and Twitter are breeding grounds for discontent, both external and internal, and must be monitored.
- Human intelligence (HUMINT): Direct and indirect methods of communication can reveal intent, and can also reveal that someone has lost a piece of company-issued equipment but fears reprisal if they admit to it.
Script kiddies
The earliest days of computer hacking in the 1980s were born of curiosity and the need to show off one’s skills. Most of the time the intent was “to see what’s out there” rather than “how much damage can I do?” With hackers tending to gather in clusters, admission to a group is often based on a field test of what an individual is capable of. Amateur hackers can either be given a task or simply pull one off on their own to get a group’s attention, in the hope of gaining an invitation to take part in bigger jobs, for profit or simply “because it’s there.”
If it sounds like a street gang initiation requiring a potential member to steal the next passer-by’s wallet or rob the corner store, you’ve got the idea. Because this type of hacker is usually a novice using other hackers’ scripts or programs, they are often referred to as “script kiddies” or “skiddies”.
These amateur hackers are generally the easiest to trace, repel, or identify, because they have incomplete strategies and/or lack the experience to cover their tracks. It can be a bit like a bank robber successfully picking the lock of the safe and then walking straight to his car, unaware of the security cameras recording him. The inherent danger of the script kiddie attack is twofold: 1) when they do hack into a system, their inexperience means they often cause mischief rather than deliberate damage, but the effects are unpredictable, and 2) there are always exceptions to the rule, and every master hacker was one day in the same position, an amateur on the verge of discovering a major flaw or developing new code that will earn them their reputation.
Because every year sees new hackers with new techniques, threat intelligence tools have to evolve as well. Threat intelligence is not a field that can ever stand still.
Internal User Error
Here’s your horrifying stat for the day: around 80% of cyber incidents start with internal user errors – meaning that while your threat intelligence feeds are devouring data from every corner of the planet, the real problem might be coming from inside your own walls. It’s a big reason why your threat intelligence platform has to start with a deep dive into every nook and cranny of your system, and then repeat that same search mission on a consistent basis. If your system were run by one person for one user, this wouldn’t happen so much, but with all the people involved in the architecture of your network, all the different users with different privileges, and with your system evolving over time to include things like new routers, new servers, and new firewalls – any one of these could result in a catastrophe if it were installed or configured incorrectly.