Threat Actors

We need to build profiles of the different types of attackers behind the attacks we see.

Historically, cybersecurity techniques relied on the identification of static known threats, like viruses, rootkits, trojans, botnets, and other software-specific exploits. However, we also need to know the different types of people that might execute these attacks against organizations (along with their possible motives).

| Attribute | Description |
| --- | --- |
| Internal / External | Refers to the level of access the actor has prior to executing the attack. |
| Sophistication / Capability | Refers to the level of skill the actor has, and their ability to use complex networking tools to execute their attack. |
| Resources / Funding | Refers to the level of organization the threat actor has. Are they working in a group? Do they have specialized tools, or are they funded by a nation-state or organized crime group? |
| Actor Type | Description |
| --- | --- |
| Hacker | A single individual with the capability to execute an attack using networking tools. |
| Unskilled Attacker | A single individual that tries to use networking tools without the knowledge to execute new or complex attacks. |
| Hacker Teams and Hacktivists | A single person or a team of people that use their networking skills to promote a political agenda. They might attempt data exfiltration to obtain and release private or classified data to the public as part of that agenda. |
| Nation-state Actors | A nation that executes attacks as part of political, military, or commercial goals. They have been implicated in attacks against energy, health, and electoral systems. |
| Organized Crime and Competitors | A group of criminals that use networking tools to make money, using methods like blackmail, ransomware, extortion, fraud, and others. |
| Internal Threat Actors | An individual that has already been granted access to several organization resources in the internal network. |

Motivations

More often than not, security incidents are simply an unintentional mistake made by an imperfect employee or contractor. When there is a deliberate motivation behind an incident, it usually falls into one of three main categories:

  • Service Disruption
  • Data Exfiltration
  • Disinformation

Chaotic Motivations

Internet gangsters like to bring companies to a standstill just for the fun of it, for the sake of being able to say "we did that" and take credit for the hack.

Financial Motivations

As hacking and malware became more complex, people found ways to monetize cybercrime, including:

  • Blackmail
  • Extortion
  • Fraud

Political Motivations

  • Whistleblowing (calling out an organization for unethical behavior)
  • Campaign of Disruption
  • Corporate or Nation-state Espionage