
Twitter Whistleblower Hearing

Twitter’s former head of security, Peiter “Mudge” Zatko, gave damning testimony regarding Twitter’s alleged lack of cybersecurity measures to the Senate Judiciary Committee last Tuesday. Of course, it remains to be seen whether lawmakers will do more than grumble about such inexcusable vulnerabilities.

Over the two hours of testimony, Zatko described a disturbing unwillingness on the part of Twitter’s executives to secure the data of its 400 million users in any meaningful way.

After the embarrassing social engineering hack back in 2020 which led to the takeover of several high-profile accounts, Twitter hired Zatko to oversee security operations. He was brought on to control what he describes as a “ticking time bomb of security vulnerabilities” created by “10 years of overdue critical security issues, [without] making meaningful progress on them.”

The allegations made by Zatko would paint a comical picture if the implications weren’t so dire. Beyond the lax cybersecurity measures, we learn that Twitter possibly had an agent of China’s Ministry of State Security on the payroll. After notifying an executive about the possibility of foreign agents in the ranks, Zatko recounts that the executive responded with “Well, since we already have one, what does it matter if we have more?”

We also learn from the hearing that the root cause of this debacle, in Zatko’s opinion, is Twitter’s utter lack of understanding of the data it collects. “It doesn’t matter who has keys if you don’t have any locks on the doors,” he said.

In response to Zatko’s testimony, Twitter spokesperson Rebecca Hahn said that it “only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies.”

Twitter’s response is interesting given the swathe of inquiries into Zatko’s background reported by Ronan Farrow in an article for the New Yorker. Purportedly, a number of research-and-advisory companies have approached former colleagues and individuals in the far reaches of Zatko’s professional sphere looking for information with which to discredit him.

The whistleblower testimony, along with Twitter’s subsequent actions, points to much more than simple ignorance of cybersecurity best practices. There appears to be a criminal disregard among Twitter’s executives for the data security of the platform’s users in favor of profit and the status quo. Those implicated should be held accountable beyond corporate fines that amount to little more than a scolding.

At least things are looking good for billionaire Musk’s attempt to renege on his agreement to acquire Twitter.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Threat Actors, Categories, and the Impact on Your Business

Intro

In this article I will cover some basics about the types of threat actors, the threat categories, and their possible impact on your organization.

Let’s get to it!

Threats

Before looking at the types of threat actors, let me give you a quick rundown of what is considered a threat and how it impacts businesses.

By definition, a threat is an event (unplanned, and not controlled by you or your systems) whose goal is to exfiltrate (exfil), manipulate, or access your organization’s resources. This is tightly coupled with the loss of integrity, confidentiality, and availability of those resources (the CIA triad).

This can impact your organization’s information systems, your network(s), and other resources.

Impact

The impact on your organization can vary; however, it should always be treated as a major concern, since a threat can target anything from your org’s assets to its finances to, for example, the personal information of your employees. There’s no list that’s set in stone, but usually the impact falls into these areas:

  • Loss of integrity and confidentiality – basically, your data or resources are less trustworthy, which further damages your org’s reputation and business credibility
  • Damage to the customer relationship – this would impact your org’s relationship with its clients, losing some of them and thus resulting in a drop in profits/sales
  • Financial losses – your org faces financial losses, either directly (maybe you got ransomwared and are asked to pay up) or indirectly (the man-hours spent to repair and recover from the breach, etc.)
  • Operational impact – disruption to your operations; it could even affect your entire org’s network
  • Business reputation – you take a hit to your org’s reputation, which can even result in losing existing clients and having trouble gaining new ones

Threat Actors

There are many different types of threat actors out there; however, the ones I am going to list here are the ones you will usually find in other resources on the Internet, in handbooks, etc.

  • Script kiddies
  • Hacktivists
  • State-sponsored hackers
  • Insiders
  • Cyber terrorists
  • Industrial spies
  • Recreational (hobbyist) hackers
  • Organized/hacker groups
  • Ransomware gangs
  • APTs

Script kiddies – unskilled ‘hackers’ who usually run malicious scripts and software in the hope of breaching a system/network. They don’t understand the tooling or its inner workings; they just acquire it and run it blindly against system(s). What you might call a spray-and-pray tactic.

Hacktivists – People who hack but are driven by a political and/or ideological agenda. They are not novices and usually know what they’re doing; however, the whole motivation behind their attacks is driven by that agenda. This usually manifests in the form of disabling or defacing websites, maybe even doxing and other similar activity.

State-sponsored hackers – These guys are employed by their respective governments to breach and steal top-secret information, or simply to damage the systems of other (competing) governments.

Insiders – These are YOUR employees, within your org, and are usually either terminated employees, disgruntled employees, or just good ol’ untrained staff. Generally, it’s hardest to hunt for these since they are already inside (detection is useless since they are legitimate users). They can also do a lot of damage to the org for the same reason: they have authorized access to your systems. Imagine a disgruntled employee ‘sharing’ their credentials with a hacker group they found on the dark web, or something along those lines. Nasty.

Cyber terrorists – These individuals are similar to hacktivists in that they are also driven by a political or, in this case, religious agenda, but their goal is a bit different. As we all know, their currency is fear, so cyber terrorists aim to create fear and/or larger disruptions to your systems/network(s).

Industrial spies – They attack companies for commercial purposes. They are usually hired by competing companies with the idea of attacking their competitors to steal confidential data such as financial records, employee information, your business strategy, or your proprietary data.

Recreational hackers – These hackers are the ones who hack systems so they can learn more; they don’t care about financial gain. They mostly exploit whatever they can for those learning purposes.

Organized/group hackers – A merry band of hacker friends with the goal of exploiting and hacking things for pure profit. They will go for your SSNs, PII, health records, financials, credit card information, etc. Anything they can use as leverage to get their payout, or steal directly.

Ransomware gangs – These guys are also an organized group of hackers, but once they breach you and enter your systems they will usually deploy some kind of ransomware. After encrypting your data, they will ask you to pay a ransom in order to get the data back. Typically, they focus on using compromised credentials to enter your systems. After that, they drop their payloads in the form of specially crafted encrypting malware: ransomware. Some well-known ransomware groups include Conti, Lapsus, Hive, LockBit, and AlphV/BlackCat. (Try not to pay the ransom! Instead, have backups and a recovery plan. Disconnect networked devices where you can (I talked about this in previous articles), and contact the authorities.)

APTs, or Advanced Persistent Threats – These are the stealthiest threat actors out there, and are typically a nation state itself, nation-state-sponsored groups, or organized crime groups. They aim to breach your systems silently and establish themselves inside while remaining unnoticed by your detection systems. Their motivations are typically political or economic. The definition may vary from source to source, but the main thing for these groups is that they try to remain inside your systems undetected for as long as they can. Mean dwell time for APTs (2018 data) is 71 days in the Americas, 177 days in EMEA, and 204 days in the APAC region! (APTs – Wiki)

Both ransomware gangs and APTs could be grouped under organized/group hackers, but I wanted to emphasize the distinction here. My article may not have the structure and strictness of a (hand)book, as my goal was not to bore you or enter into a scholarly polemic, just to give you the info straight, so you can familiarize yourself with it and take it further from here.

Threat Categories

Again, this might be structured differently in different sources, but I feel the following categorization is a good starting point, as a loose guideline of sorts.

Categories I included here are:

  • Network-based threats
  • Host-based threats
  • Application-based threats

Network-based threats – These can include: information gathering/recon, sniffing (eavesdropping), spoofing, MITM (man-in-the-middle) attacks and session hijacking, DNS and ARP poisoning, password-based attacks, DoS attacks, and firewall and IDS attacks.

Host-based threats – These would include: malware attacks, arbitrary code execution, unauthorized access, privilege escalation, backdoors, physical security threats, and footprinting.

Application-based threats – These can be (but are not limited to, as is also true of the examples above): improper input validation, authentication attacks, security misconfiguration, information disclosure, broken session management, buffer overflow attacks, SQLi, phishing, and improper error and exception handling.

Conclusion

Think of this article as an extremely compact explanation of threat actors and categories. I hope it provides enough initial info that you can build on it further! In future articles, I will circle back to this topic and cover some of the things mentioned here, or related to them, in more depth.

Until next time! Stay tuned.

Useful Links

https://nvd.nist.gov

https://cve.mitre.org

https://www.vulnerability-lab.com

https://cyber.gc.ca/en/guidance/introduction-cyber-threat-environment

advanced persistent threat – Glossary | CSRC (nist.gov)

Cover image by Martin Sanchez

#threat-actors #threat-categories #impact
