This document outlines different types of threat actors, their motivations, attributes, and common attack vectors.
- Threat Actors
- Types of Threat Actors
- Threat Vectors and Attack Surfaces
- Deception and Disruption Technologies
- Outsmarting Threat Actors
- Data Exfiltration, Blackmail, Espionage, Service Disruption, Financial Gain, Philosophical/Political Beliefs, Ethical Reasons, Revenge, Disruption/Chaos, War
- Internal vs. External Threat Actors
- Differences in resources and funding
- Level of sophistication
- Unskilled Attackers: Limited technical expertise, use readily available tools
- Hacktivists: Driven by political, social, or environmental ideologies
- Organized Crime: Execute cyberattacks for financial gain (e.g., ransomware, identity theft)
- Nation-state Actor: Highly skilled attackers sponsored by governments for cyber espionage or warfare
- Insider Threats: Security threats originating from within the organization
- Shadow IT: IT systems, devices, software, or services managed without explicit organizational approval
- Message-based, Image-based, File-based, Voice Calls, Removable Devices, Unsecured Networks
- Honeypots: Decoy systems to attract and deceive attackers
- Honeynets: Network of decoy systems for observing complex attacks
- Honeyfiles: Decoy files to detect unauthorized access or data breaches
- Honeytokens: Fake data to alert administrators when accessed or used
- Threat Actor Intent: Specific objective or goal that a threat actor is aiming to achieve through their attack
- Threat Actor Motivation: Underlying reasons or driving forces that push a threat actor to carry out their attack
- Different motivations behind threat actors:
- Data Exfiltration: Unauthorized transfer of data from a computer
- Financial Gain: Achieved through various means, such as ransomware attacks, or through banking trojans that allow them to steal financial information in order to gain unauthorized access into the victims' bank accounts
- Blackmail: The attacker obtains sensitive or compromising information about an individual or an organization and threatens to release this information to the public unless certain demands are met
- Service Disruption: Some threat actors aim to disrupt the services of various organizations, either to cause chaos, make a political statement, or to demand a ransom
- Philosophical or Political Beliefs: Attacks that are conducted due to the philosophical or political beliefs of the attackers are known as hacktivism
- Ethical Reasons: Contrary to malicious threat actors, ethical hackers, also known as Authorized hackers, are motivated by a desire to improve security
- Revenge: It can also be a motivation for a threat actor that wants to target an entity that they believe has wronged them in some way
- Disruption or Chaos: Ranges from creating and spreading malware to launching sophisticated cyberattacks against the critical infrastructure of a populated city
- Espionage: Spying on individuals, organizations, or nations to gather sensitive or classified information
- War: Cyber warfare can be used to disrupt a country's infrastructure, compromise its national security, and to cause economic damage
- Two most basic attributes of a threat actor:
- Internal Threat Actors: Individuals or entities within an organization who pose a threat to its security
- External Threat Actors: Individuals or groups outside an organization who attempt to breach its cybersecurity defenses
- Resources and funding available to the specific threat actor:
- Tools, skills, and personnel at the disposal of a given threat actor
- Level of sophistication and capability of the specific threat actor:
- Refers to their technical skill, the complexity of the tools and techniques they use, and their ability to evade detection and countermeasures
- In the world of cybersecurity, we usually classify the lowest-skilled threat actors as "script kiddies"
- Script Kiddie: Individual with limited technical knowledge, uses pre-made software or scripts to exploit computer systems and networks
- Nation-state actors, Advanced Persistent Threats, and others have high levels of sophistication and capabilities and possess advanced technical skills, using sophisticated tools and techniques
- Unskilled Attacker (Script Kiddie): Individual who lacks the technical knowledge to develop their own hacking tools or exploits
- These low-skilled threat actors need to rely on scripts and programs that have been developed by others
- How do these unskilled attackers cause damage?
- One way is to launch a DDoS attack
- An unskilled attacker can simply enter the IP address of the system they want to target, and then click a button to launch an attack against that target
- Hacktivists: Individuals or groups that use their technical skills to promote a cause or drive social change instead of for personal gain
- Hacktivism: Activities in which the use of hacking and other cyber techniques is used to promote or advance a political or social cause
- To accomplish their objectives, hacktivists use a wide range of techniques, including:
- Website Defacement: Form of electronic graffiti and is usually treated as an act of vandalism
- Distributed Denial of Service (DDoS) Attacks: Attempting to overwhelm the victim's systems or networks so that they cannot be accessed by the organization's legitimate users
- Doxing: Involves the public release of private information about an individual or organization
- Leaking of Sensitive Data: Releasing sensitive data to the public at large over the internet
- Hacktivists are primarily motivated by their ideological beliefs rather than trying to achieve financial gains
- One of the most well-known hacktivist groups is known as “Anonymous”, a loosely affiliated collective that has been involved in numerous high-profile attacks over the years for targeting organizations that they perceive as acting unethically or against the public interest at large
- Organized cybercrime groups are groups or syndicates that have banded together to conduct criminal activities in the digital world
- Sophisticated and well-structured, they use resources and technical skills for illicit gain
- Organized crime groups possess a very high level of technical capability, and they often employ advanced hacking techniques and tools such as:
- Custom Malware, Ransomware, Sophisticated Phishing Campaigns
- These criminal groups will engage in a variety of illicit activities to generate revenue for their members, including:
- Data Breaches, Identity Theft, Online Fraud, Ransomware Attacks
- Unlike hacktivists or nation-state actors, organized cybercrime groups are not typically driven by ideological or political objectives
- These groups may be hired by other entities, including governments, to conduct cyber operations and attacks on their behalf
- Money, not other motivations, is the objective of their attacks even if the attack takes place in the political sphere
- Nation-state Actor: Groups or individuals that are sponsored by a government to conduct cyber operations against other nations, organizations, or individuals
- Sometimes, these threat actors attempt what is known as a false flag attack
- False Flag Attack: Attack that is orchestrated in such a way that it appears to originate from a different source or group than the actual perpetrators, with the intent to mislead investigators and attribute the attack to someone else
- Nation-state actors possess advanced technical skills and extensive resources, and they are capable of conducting complex, coordinated cyber operations that employ a variety of techniques such as:
- Creating custom malware, Using zero-day exploits, Becoming an advanced persistent threat
- Advanced Persistent Threat (APT): Term that was once used synonymously with a nation-state actor because of their long-term persistence and stealth
- A prolonged and targeted cyberattack in which an intruder gains unauthorized access to a network and remains undetected for an extended period while trying to steal data or monitor network activities rather than cause immediate damage
- These advanced persistent threats are often sponsored by a nation-state or its proxies, like organized cybercrime groups
- What motivates a nation-state actor? Nation-state actors are motivated to achieve their long-term strategic goals, and they are not seeking financial gain
- Insider Threats: Cybersecurity threats that originate from within the organization. Insider threats can take various forms such as Data Theft, Sabotage, or Misuse of access privileges.
- Each insider threat is driven by different motivations. Some are driven by financial gain and they want to profit from the sale of sensitive organizational data to others.
- Some may be motivated by revenge and are aiming to harm the organization due to some kind of perceived wrong levied against the insider. Some may take action as a result of carelessness or a lack of awareness of cybersecurity best practices.
- Insider threat refers to the potential risk posed by individuals within an organization who have access to sensitive information and systems, and who may misuse this access for malicious or unintended purposes.
- To mitigate the risk of an insider threat being successful, organizations should implement the following: Zero-trust architecture, employ robust access controls, conduct regular audits, and provide effective employee security awareness programs.
- Shadow IT: Use of information technology systems, devices, software, applications, and services without explicit organizational approval.
- Shadow IT exists because an organization's security posture is set too high or is too complex for business operations to occur without being negatively affected.
- Bring Your Own Devices (BYOD) involves the use of personal devices for work purposes.
- Threat Vector: Means or pathway by which an attacker can gain unauthorized access to a computer or network to deliver a malicious payload or carry out an unwanted action.
- Attack Surface encompasses all the various points where an unauthorized user can try to enter data to or extract data from an environment.
- The attack surface can be minimized by restricting access, removing unnecessary software, and disabling unused protocols.
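As an added example (not part of the original notes), the following Python script turns the "remove unnecessary software and disable unused protocols" advice into a repeatable check: it parses listener output in the layout of `ss -tlnp` and reports every network-exposed service that is not on an explicit allowlist, so each one can be reviewed for removal or firewalling. The sample output, process names, ports and the allowlist are all constructed for illustration.

```python
"""Attack-surface review helper (added example, not from the original notes).

Parses constructed `ss -tlnp`-style listener output and reports listening
services that are exposed beyond loopback and are not on an approved allowlist.
The service names, ports and allowlist below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# Constructed sample in the layout of `ss -tlnp` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       50      0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1410,fd=4))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1520,fd=3))
"""

# One LISTEN line: state, queues, local addr:port, peer addr:port, owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(text: str) -> list[Listener]:
    """Turn ss-style lines into Listener records; the header and non-LISTEN lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener("tcp", m["addr"], int(m["port"]), m["proc"]))
    return listeners


# Allowlist of (port, process) pairs the organization has approved (constructed).
# Anything else reachable from the network is a candidate for disabling.
APPROVED = {(22, "sshd"), (443, "nginx")}


def find_unapproved(listeners, approved=APPROVED) -> list[Listener]:
    """Return listeners bound to non-loopback addresses that are not on the allowlist."""
    findings = []
    for lst in listeners:
        if lst.addr.startswith("127.") or lst.addr == "::1":
            continue  # loopback-only services are not reachable from the network
        if (lst.port, lst.process) not in approved:
            findings.append(lst)
    return findings


if __name__ == "__main__":
    for finding in find_unapproved(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"review: {finding.process} listening on {finding.addr}:{finding.port} is not approved")
```

On the constructed sample this flags telnetd on port 23 and vsftpd on port 21 (both cleartext protocols with no place on a hardened host), while the loopback-only PostgreSQL listener is left alone because it adds nothing to the network-facing attack surface.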
- Think of the threat vector as the "how" of an attack, whereas the attack surface is the "where" of the attack.
- There are several different threat vectors that could be used to attack your enterprise networks, such as Messages, Images, Files, Voice Calls, Removable Devices, and Unsecured Networks.
- Messages: Message-based threat vectors include threats delivered via email, Short Message Service (SMS text messaging), or other forms of instant messaging. Phishing campaigns are commonly used as part of a message-based threat vector when an attacker impersonates a trusted entity to trick its victims into revealing their sensitive information to the attacker.
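The impersonation described for the message-based vector leaves traces in the headers that a mail gateway or a SOC triage script can check mechanically. The following Python code is an added example using only the standard library, not code from the original notes: it flags a display name that the organization associates with a trusted sender but that arrives from a different domain, and a Reply-To that diverts replies to a third domain. The trusted-sender table, addresses and both sample messages are constructed for illustration.

```python
"""Message-based vector triage (added example, not from the original notes).

Looks for two common impersonation signs in an email's header block:
  1. a display name reserved for a trusted internal sender used from a domain
     that is not the expected one;
  2. a Reply-To whose domain differs from the From domain.
The trusted-sender table, domains and messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: display names the organization expects only from these domains.
TRUSTED_SENDERS = {
    "it helpdesk": {"example.com"},
    "payroll": {"example.com"},
}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    expected_domains = TRUSTED_SENDERS.get(name.strip().lower())
    if expected_domains is not None and from_domain not in expected_domains:
        findings.append(
            f"display name '{name}' is reserved for {sorted(expected_domains)} "
            f"but message came from {from_domain}"
        )

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    return findings


# Constructed sample that shows both indicators.
SUSPICIOUS = """\
From: IT Helpdesk <helpdesk@example-support.net>
Reply-To: account-review@mailbox-reset.example.org
To: user@example.com
Subject: Password expiry notice

Your password expires today. Reply to this message to confirm your account details.
"""

# Constructed sample from the genuine internal sender.
LEGITIMATE = """\
From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Scheduled maintenance

The VPN will be unavailable on Saturday between 02:00 and 04:00.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

These two checks are cheap and produce no false positives on the legitimate sample, but they are heuristics: a message that passes them can still be a phish, and sender authentication (SPF, DKIM, DMARC) remains the primary control for the From header itself.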
- Images: Image-based threat vectors involve the embedding of malicious code inside of an image file by the threat actor.
- Files: The files, often disguised as legitimate documents or software, can be transferred as email attachments, through file-sharing services, or hosted on a malicious website.
- Voice Calls: Vishing involves the use of voice calls to trick victims into revealing their sensitive information to an attacker.
- Removable Devices: One common technique used with removable devices is known as baiting. Baiting involves an attacker leaving a malware-infected USB drive in a location where their target might find it, such as in the parking lot or the lobby of the targeted organization.
- Unsecured Networks: Unsecured networks include wireless, wired, and Bluetooth networks that lack the appropriate security measures to protect them. Exploiting vulnerabilities in the Bluetooth protocol, an attacker can carry out their attacks using techniques like the BlueBorne or BlueSmack exploits.
- BlueBorne: Set of vulnerabilities in Bluetooth technology that can allow an attacker to take over devices, spread malware, or even establish an on-path attack to intercept communications without any user interaction.
- BlueSmack: Type of Denial of Service attack that targets Bluetooth-enabled devices by sending a specially crafted Logical Link Control and Adaptation Protocol packet to a target device.
- Tactics, Techniques, and Procedures (TTPs): Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors
- Deceptive and Disruption Technologies: Technologies designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats
- Honeypots: Decoy system or network set up to attract potential hackers
- Honeynets: Network of honeypots to create a more complex system that is designed to mimic an entire network of systems, including servers, routers, and switches
- Honeyfiles: Decoy file placed within a system to lure in potential attackers
- Honeytokens: Piece of data or a resource that has no legitimate value or use but is monitored for access or use
- Some disruption technologies and strategies to help secure our enterprise networks:
- Bogus DNS entries: Fake Domain Name System entries introduced into your system's DNS server
- Creating decoy directories: Fake folders and files placed within a system's storage
- Dynamic page generation: Effective against automated scraping tools or bots trying to index or steal content from your organization's website
- Use of port triggering to hide services:
- Port Triggering: Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected
- Spoofing fake telemetry data: When a system detects a network scan is being attempted by an attacker, it can be configured to respond by sending out fake telemetry or network data
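The honeyfile and honeytoken definitions above, and the decoy directories listed among the disruption strategies, all rest on the same mechanism: the decoy has no legitimate use, so any access to it is a high-confidence alert. The following Python script is an added example, not code from the original notes, showing that monitoring logic run over log lines. It plants three kinds of decoy value (a decoy account name, a decoy API key of the sort left in a decoy directory, and the path of a honeyfile on a share), scans constructed auth-log and web-access-log lines for them, and collects the client addresses to pivot on during an investigation. All tokens, paths and log lines are constructed for illustration.

```python
"""Honeytoken / honeyfile monitor (added example, not from the original notes).

A honeytoken has no legitimate use, so any appearance of it in logs is an
alert worth paging on. This scans constructed auth-log and web-access-log
lines for a decoy account, a decoy API key and a honeyfile path.
All tokens, paths, addresses and log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    token_kind: str   # which decoy fired: account, api_key or honeyfile
    token: str
    source: str       # which log the line came from
    line: str


# Constructed decoys. In a real deployment these are generated per environment,
# recorded in the monitoring system, and never used for anything legitimate.
HONEYTOKENS = {
    "account": "svc_backup_legacy",                 # decoy user planted in a config file
    "api_key": "HT-4f2a9c-decoy-1b7e",              # decoy key left in a decoy directory
    "honeyfile": "/finance/q4_payroll_draft.xlsx",  # decoy file on a file share
}

# Constructed sample log lines in syslog / sshd style.
AUTH_LOG = """\
Mar 03 09:12:01 bastion sshd[1201]: Accepted publickey for alice from 10.0.4.17 port 51022
Mar 03 09:13:44 bastion sshd[1207]: Failed password for svc_backup_legacy from 10.0.9.200 port 40311
Mar 03 09:14:02 bastion sshd[1210]: Accepted publickey for bob from 10.0.4.18 port 51030
"""

# Constructed sample log lines in combined access-log style.
WEB_LOG = """\
10.0.4.17 - - [03/Mar/2024:09:15:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.9.200 - - [03/Mar/2024:09:15:31 +0000] "GET /finance/q4_payroll_draft.xlsx HTTP/1.1" 200 20480 "-" "curl/8.0"
10.0.9.200 - - [03/Mar/2024:09:16:02 +0000] "GET /api/v1/export?key=HT-4f2a9c-decoy-1b7e HTTP/1.1" 403 0 "-" "curl/8.0"
"""


def scan(source: str, text: str, tokens=HONEYTOKENS) -> list[Alert]:
    """Return one Alert per (decoy, line) match.

    Exact substring matching is sufficient because each decoy is chosen to be a
    unique string that never appears in legitimate traffic.
    """
    alerts = []
    for line in text.splitlines():
        for kind, token in tokens.items():
            if token in line:
                alerts.append(Alert(kind, token, source, line))
    return alerts


IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def source_addresses(alerts) -> set[str]:
    """Collect every IPv4 address seen in alerting lines, as a pivot for investigation."""
    addresses = set()
    for alert in alerts:
        addresses.update(IPV4_RE.findall(alert.line))
    return addresses


if __name__ == "__main__":
    found = scan("auth", AUTH_LOG) + scan("web", WEB_LOG)
    for alert in found:
        print(f"[{alert.source}] {alert.token_kind} decoy touched: {alert.line}")
    print("pivot on:", sorted(source_addresses(found)))
```

On the constructed logs, the decoy account, the honeyfile and the decoy API key each fire exactly once and all three point at the same client address, which is the kind of correlation that makes deception alerts easy to act on: legitimate users never touch a decoy, so there is no baseline of benign hits to filter out.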