Security+: How to Explain Threat Actor Types and Attributes [Updated 2019]
One of the roles of information security professionals is to defend their organization’s systems and data proactively. As with any defensive strategy, this requires knowing the adversary’s tactics and motivations. CompTIA’s Security + exam is designed to test candidates’ understanding of the main types of threat actors and their characteristics.
While the monetary gain is the primary incentive for most cybercriminals, not all threat actors are motivated financially. Some are engaged in political or commercial espionage, others may have a social or political agenda, yet others may be hunting for vulnerabilities, so they can make a name for themselves. Some of the attributes that distinguish the different types include their level of sophistication and the resources they have for carrying out attacks.
Actors sponsored by nation-states are characterized by a high level of sophistication and resources. They’re capable of carrying out large-scale attacks as well as advanced persistent threats (APTs), which are stealthy attacks whose purpose is to maintain a presence in the network for an extensive period of time, typically to collect targeted types of data. APTs can move laterally through a network and blend in with regular traffic — one of the reasons they can go undetected for months and years and inflict a high degree of damage to an organization.
Nation-state actors focus on several attack vectors simultaneously and exploit a number of vulnerabilities. In recent years, many high-profile attacks have been attributed to nation-state actors.
Some countries use these sophisticated players to fund their regime. But more typically, nation-state actors are not motivated by direct financial gain. Their reasons may lie in national security, political espionage, military intelligence and even attempts to influence another nation’s political process. They may also after intellectual property data that could ultimately give the sponsoring nation a competitive advantage on the international market.
This category of attackers is well-funded and operates within an extensive support infrastructure that includes multiple hacker networks. Researchers have also been observing international collaboration between different groups of state-sponsored actors.
Another highly sophisticated category, organized-crime actors are different from state-sponsored ones in that they are most likely to be motivated by profits. That means they typically target data that has a high value on the dark market, such as personally identifiable information (PII) and banking information. These cyber rings also engage in more sophisticated ransomware attacks.
Organized cybercriminals operate in a way like a business, albeit an underground one. Various individuals within the organized ring specialize, whether it’s in hacking, managing exploits or even “customer service,” and they invest funds into acquiring technology and automation to improve their return on investment.
The term hacktivist is derived from the words hacker and activist. As the name implies, hacktivists are on a mission of some sort, and this could be anything from making a political statement to damaging an organization whose views they oppose.
Hacktivists may act alone or in groups, as well as recruit a large army of like-minded hackers. Their attacks often follow a pattern and similar tools and techniques. They can pose a serious threat because they’re determined to reach their goals and are increasingly garnering the resources they need to carry out their agenda.
It’s a common misconception that outside cyberattackers are behind every network or data breach. In recent years, external attacks have increasingly become sources of large data breaches. However, information security practitioners need to pay attention to insiders because these actors can inflict more damage.
Insiders not only have direct access to sensitive data but also knowledge about internal operations and processes. On top of that, their activity is much less likely to trigger a red flag within the network and various tools network intrusion tools, like firewalls, are ineffective against inside threats.
Some internal actors are simply negligent or careless, and this kind of behavior can be addressed through policies and procedures as well as regular education and training. Insiders often become unwitting participants in an attack because outside actors use social engineering and other techniques to obtain insider credentials — and compromising an organization with legitimate user credentials is often easier than trying to breach a network perimeter.
When insiders act maliciously, their motivations can vary from financial gain to retribution against a current or former employer. Insiders particularly pose a challenge because malicious actions may be hard to distinguish from activities that occur on the network as a regular part of business.
Script kiddies are actors who lack skills to write their own malicious code, so they rely on scripts they can get from other sources. These can be either insiders or outsiders. Script kiddies were once thought to be mostly teens motivated by peer competition or simple mischief.
Their attacks are not very sophisticated, but even so, and even if they’re only out for some mischief, script kiddies can still wreak havoc on an information system. From defaced websites to denial-of-service attacks, their actions can result in more than simple embarrassment for the targeted organization.
Like hacktivists, script kiddies will use a variety of tools at their disposal as well as social engineering techniques and can be quite persistent in carrying out their attacks. With hacking knowledge and resources easily available, and tools continuously evolving, script kiddies pose dangerous just as high as any malicious actor.
Use of Open-Source Intelligence
One of the challenges of protecting information systems is that malicious actors use many of the same tools that are used for defense, including open-source intelligence. Open-source intelligence refers to information gained from publicly available sources; both easily found — like social media, academic texts, and forums — and information that’s missed by internet indexing and search engine crawlers.
Hackers use open-source intelligence tools to collect data about their targets, whether for social engineering or other purposes. Information security professionals need to not only be aware of the tools and techniques but also monitor channels like social media and educate their organization’s users about the consequences of sharing information on those channels.
When you’re setting up proactive defenses, it’s much more effective to protect information systems when you know who and what you’re up against. Knowing who the threat actors, what motivates their actions and what vulnerabilities they may exploit is a fundamental part of creating a solid security strategy.