
Understanding hackers: The 5 primary types of external attackers

January 12, 2022 by Ted Harrington

No one wants to get hacked; that’s simply a fact. But who are these faceless enemies that would attack you, anyway?

Despite what the media might suggest, “hackers” are not a single, uniform group. (In fact, “hackers” aren’t even inherently bad: that term simply refers to someone who makes things behave differently than intended. Good guys do that too.)

So let’s be more precise in how we talk about who you are up against. There are five types of attackers that operate from outside your company: casual hackers, hacktivists, corporate espionage, organized crime and nation-states. 

In order to defend, it’s important to understand who the attacker is and what motivates them. Just like the scout for a professional sports team who studies his opponent in order to better compete on game day, you want to understand your attackers so you can better defend against them. 

#1: Casual hacker 

The first group is the casual hacker. Casual hackers (also known as individual hackers or small-group hackers) are explorers, problem solvers and even anarchists. They see hacking as a challenge. They might not even be malicious. They just want to prove they can do it. 

For example, thanks to casual hackers, San Francisco drivers once saw digital construction signs along the freeway declaring: “GODZILLA ATTACK! TURN BACK!” This of course wasn’t a real attack (at least not by Godzilla); it was just a prank.

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you have a prominent brand? If so, a casual hacker would want to brag about exploiting you. Your fame becomes transferable to them if they’re successful.
  • Do you have “cool” technology? If you make something cutting edge, newsworthy or with a strong fan base, a casual hacker might want to brag about hacking it. Your “cool” factor is transferable to them.
  • Could you be used in a stunt? Like the roadside construction signs, if there’s a fun way to pull a prank, a casual hacker may want to attack your technology. 

Casual hackers might not even be malicious (although many are), yet they can still wreak havoc simply through the act of exploration.

#2: Hacktivists

The second category of likely attackers is the hacktivist. Hacktivists have an ideology and attack in order to draw attention to it. This group includes terrorists who pursue ruthless causes. 

For example, when the United States Federal Communications Commission (FCC) voted to repeal a polarizing law around net neutrality, the hacktivist collective known as Anonymous attacked the FCC information systems in retribution. 

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you have a prominent brand? If so, a hacktivist can obtain media exposure for their mission because a security breach of a prominent brand is newsworthy.
  • Is your business controversial or politicized? If so, hacktivists who hold the opposing view may want to attack to advocate for their ideology.
  • Are any of your key executives publicly outspoken about polarizing beliefs? Like it or not, the personal beliefs of key executives become reflections of the company. If those beliefs are polarizing, hacktivists who share opposing views may attack for ideological reasons.

Even if you agree with their ideology, it’s important to remember that hacktivists attack to do damage, even when it’s for the sake of taking a political stand or highlighting a cause.

#3: Corporate espionage

The third category of attackers is corporate espionage. Some companies attack each other to gain a competitive advantage, steal intellectual property or save on research and development (R&D). They have significant budgets and hire elite talent to carry out the attacks. 

As an example, Chris Correa was an executive for the Saint Louis Cardinals who found a way to access the databases of a rival team. He obtained scouting reports, players’ medical histories and contract negotiation details. The attack went on for years. 

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you protect valuable information or other assets? If so, this attacker might want to obtain the competitive advantage you possess.
  • Do you protect valuable intellectual property in development? If so, this attacker could save time and money by stealing it in order to accelerate their own R&D.
  • Do you hold the dominant competitive position in your marketplace? If so, this attacker might want to chip away at your advantage in order to increase their own competitive position.

Every company has competitors. The question is whether or not yours are willing to act maliciously to get the upper hand. 

#4: Organized crime

The fourth category is organized crime. Their motivation is, perhaps, the most obvious: to make money. Organized criminals have extensive financial resources, time and skills. They’re among the most capable adversaries you’ll face. 

For example, in the middle of the global COVID-19 pandemic, a group called The Maze Team attacked Texas’s Affordacare Urgent Care Clinic and held their systems hostage. The attackers demanded a ransom to unlock the systems so medical staff could get back to treating patients. 

This demonstrates that profit is an incredibly strong motivator, even when it could literally cost lives.

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you need access to your data or operational capabilities every minute, without exception? If so, this attacker might attack in ways that prevent the availability of services in order to force you to pay quickly to avoid downtime.
  • Do you protect valuable data or intellectual property that has monetary value to other companies, governments or groups? If so, this attacker might want to steal those assets in order to monetize them.
  • Is your company publicly traded? If so, this attacker might take a short position on your stock and then attack in order to drive the stock price down when news of your security breach breaks.

Making money is enormously motivating, so if your system provides criminals a way to make some by attacking, you should be wary of this attacker type.

#5: Nation-states

The ultimate category of possible attackers is nation-states. Nation-states are the most capable and dangerous attacker type there is. They are countries that seek geopolitical advantage. They have tremendous resources, including plenty of money, skill and computational power.

Consider NotPetya, a strain of malware used in what is considered to be one of the most devastating cyberattacks of all time, which experts widely attribute to Russia’s intelligence services. The attack spread rapidly, shutting down or outright destroying operations for businesses all over the globe.

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you collect information that would be beneficial to a rival nation-state (such as location tracking, usage behaviors or other data about the people of your own nation)? If so, nation-state actors might want this information to inform their financial, political and other strategies as they compete against your nation.
  • Are you involved with critical infrastructure, such as delivery of medical care, power, water, emergency services, food supply, manufacturing, public health, cybersecurity or any other basic needs of your nation? If so, a nation-state actor may want to disrupt these services, either as a stand-alone attack or in conjunction with a physical attack.

Many companies assume that a nation-state would not focus on them, but don’t be so sure. Even if it’s not immediately obvious to you, consider ways that a nation-state actor could achieve geopolitical gain by attacking your system.

Motivation matters

Defending against attackers requires thinking like them. A key element of that is understanding who your attackers are and what motivates them. 

Now that you know who the primary external attackers are, and why they might want to attack your company, you can lay the foundation of your security plan. To do that, next you’ll want to identify the assets you want to protect, the areas of your system that are exposed to attack, and how those areas might be abused or misused. 

For now, simply take the first step of understanding who you’re up against. Recognize that they’re not all the same, and, finally, recognize that attackers are just like you and me — they’re driven to do things because of what motivates them.

Author
Ted Harrington

Ted Harrington is the #1 best-selling author of "HACKABLE: How to Do Application Security Right," and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon, and Netflix. Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organizes IoT Village, an event whose hacking contest is a three-time DEF CON Black Badge winner. He hosts the Tech Done Different podcast. To get help with security consulting and security assessments, or to book Ted to keynote your next event, visit https://www.tedharrington.com.
