Creating a robust defense relies on an intimate knowledge of the enemy, their motivations, and goals. The core principles of security rarely vary, whether you're attempting to secure a building or an organization's network and systems.
In cybersecurity, this 'enemy' is called the threat actor. A threat actor is a person, group, or entity responsible for all or part of an incident that affects an organization's security.
However, knowing the types of threat actors isn't enough. To build an airtight cybersecurity plan, you also need to understand what motivates them, because motivation predicts what they will target and how persistent they will be.
Defending against a known attacker is much easier than an unknown one. Sun Tzu's famed quote from The Art of War comes to mind:
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
Cybercrime damages were projected to reach $6 trillion annually by 2021, so knowing the threat actors behind that damage is more important than ever. First, let's look at the types of threat actors out there.
Types of Threat Actors
Cyber Terrorists
Cyber terrorists extend terrorism into the digital domain. These threat actors focus on disrupting critical services and causing physical or economic harm to advance a political or ideological cause.
Chief Goal: Cause harm and destruction to further their cause.
Typical Targets: Businesses, government machinery, and critical infrastructure, chosen for the harm, disruption, and destruction an attack would cause.
State-Sponsored Actors
These threat actors are funded, directed, or sponsored by nation states. They are known to steal and exfiltrate intellectual property, sensitive information, and even funds to advance their sponsor's espionage and strategic goals.
Chief Goal: Espionage, theft, or any other activity that furthers the interests of a particular nation or group of nations.
Typical Targets: Businesses and government organizations.
Organized Cybercriminals
Crime is everywhere, and the internet is no different. These criminals steal sensitive data, money, and personal information for financial gain, so the data they take tends to show up on underground markets or is sold to the highest bidder. They are also known to use ransomware to extort organizations directly.
Chief Goal: Financial gain.
Typical Targets: Cash-rich and data-rich organizations and businesses.
Hacktivists
Hacktivists focus on raising awareness and are usually driven by ideological activism. For example, hacktivists have supplied material to outlets such as WikiLeaks in order to expose what they see as wrongdoing.
Chief Goal: Exposing secrets and disrupting services or organizations that they perceive as unethical.
Typical Targets: Not limited to any specific type of organization or business; targets are chosen for their symbolic or ideological value.
Insiders
Sometimes, you don't need to look far to find the intruder. Some threat actors go as far as placing their own people in your workforce or recruiting an existing employee to their cause. Insiders are a particularly dangerous threat because of the legitimate access they already hold; they rarely need to break anything to reach sensitive systems and data.
Chief Goal: Work from inside the organization to bypass the security controls that face outward.
Typical Targets: Not limited to any specific type of organization.
Script Kiddies
Some attackers lack the skill to build attack tools of their own. Script kiddies use tools and exploits written by other attackers to break into networks and systems, often with little understanding of how they work.
Chief Goal: Attack computer systems and networks, vandalize, and inflict as much damage as possible.
Typical Targets: Exposed systems with well-known, unpatched vulnerabilities that public tools can exploit.
Internal User Errors
Not all threat actors are malicious, but the damage they cause can still be extensive. A simple mistake by a user with elevated permissions, such as a misconfiguration or a file sent to the wrong recipient, can end in a serious incident.
Chief Goal: None; the harm is inadvertent.
Typical Targets: Can affect any organization, however secure.
Common Threat Actor Motivations
- Political, Economic, Technical, and Military Agendas: Hacktivists and state-sponsored actors share these motivations. They are focused and have a set objective or target in mind before they start planning an attack. The data they steal rarely turns up for sale on underground markets. For example, the data stolen in the 2017 Equifax breach never surfaced for sale, which led many to suspect that the attack was orchestrated or sponsored by another country; US prosecutors later charged members of China's People's Liberation Army with the intrusion.
- Profit/Financial Gain: Profit is one of the most frequent motivations of cybercriminals. These threat actors usually do not care which specific organization they compromise, and they are less concerned with staying undetected, because their only interest is stealing assets they can convert into money as quickly as possible.
- Notoriety: Some threat actors are motivated by reputation and attention and actively seek targets that will bring them recognition. Such actors will often pass over low-visibility assets or targets that would not draw any attention.
- Revenge: Getting back at someone is a pervasive human trait, and it is also a common threat actor motivation. Those who plan an attack for revenge are most likely to be current or former employees, which gives them intimate knowledge of an organization's systems, networks, and even defenses.
- Overlap of Motivations: A threat actor may, of course, have more than one motivation. For example, a revenge mindset can coexist with a political agenda.
Understanding threat actors and their motivations is an essential step in the cybersecurity process. It helps you map out your defenses and gives you a better chance of outmaneuvering attackers.
Make sure that your organization's threat model accounts for the range of threat actor motivations. Start by assessing what business category you fall into and which kinds of threat actors are most likely to target you. Use that assessment to prioritize which vulnerabilities to fix, where to look for new ones, and which internal security policies to implement.
Some threat actors remain undetected for months or even years because they deliberately avoid drawing attention to themselves. Well-resourced, long-running campaigns of this kind are known as Advanced Persistent Threats (APTs).
Threat intelligence feeds that publish indicators and tactics of newly discovered APT campaigns are particularly useful for defending against such persistent threats.
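A concrete way to use such a feed, as an added example and not code from the original article: ingest the indicators (domains, URLs, IP addresses, file hashes), undo the "defanging" that shared intel applies so that values cannot be clicked or resolved by accident, and scan your own DNS, proxy and EDR logs for them. The feed, the actor label APT-EXAMPLE-1, the hash, the IP address and the log lines below are all constructed for illustration; real feeds (STIX/TAXII, vendor JSON, CSV) differ in format, but the workflow is the same.

```python
"""Match indicators from a threat-intel feed against local log lines.

Added example. The feed, actor name, hash, IP and log lines are constructed;
real feed formats and log formats differ, but the normalize-then-scan
workflow carries over.
"""
import json
import re
from collections import defaultdict

# Constructed feed (not a real one). Values are defanged (hxxp, [.]) as shared
# intel usually is. 192.0.2.0/24 and .example are reserved for documentation.
SAMPLE_FEED = json.dumps([
    {"type": "domain", "value": "update-cdn[.]example", "actor": "APT-EXAMPLE-1"},
    {"type": "url", "value": "hxxps://update-cdn[.]example/stage2", "actor": "APT-EXAMPLE-1"},
    {"type": "ipv4", "value": "192[.]0[.]2[.]44", "actor": "APT-EXAMPLE-1"},
    {"type": "sha256", "value": "a3f1" + "0" * 60, "actor": "APT-EXAMPLE-1"},
])

# Constructed log lines in a key=value style; real DNS/proxy/EDR logs differ.
SAMPLE_LOGS = [
    "2021-03-04T10:02:11Z dns client=10.0.0.12 query=update-cdn.example type=A",
    "2021-03-04T10:02:12Z proxy client=10.0.0.12 dst=192.0.2.44 url=https://update-cdn.example/stage2 status=200",
    "2021-03-04T10:03:00Z edr host=WS-12 file=C:\\Users\\x\\AppData\\loader.dll sha256=a3f1" + "0" * 60,
    "2021-03-04T10:05:00Z dns client=10.0.0.15 query=www.iana.org type=A",
]

_DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."), ("[:]", ":")]


def refang(value):
    """Undo common defanging so feed values compare equal to log values."""
    v = value.strip().lower()
    for bad, good in _DEFANG:
        v = v.replace(bad, good)
    return v


def load_feed(raw):
    """Parse the feed and index indicators as type -> value -> indicator."""
    index = defaultdict(dict)
    for ind in json.loads(raw):
        value = refang(ind["value"])
        index[ind["type"]][value] = {**ind, "value": value}
    return index


_URL_RE = re.compile(r"https?://[^\s'\"<>]+")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def _domain_hit(host, domains):
    """Return the indicator matching host or any parent domain of it."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def extract_observables(line):
    """Pull (type, value) pairs out of one log line, case-folded."""
    text = line.lower()
    found = set()
    for url in _URL_RE.findall(text):
        found.add(("url", url.rstrip(".,;)")))
    for ip in _IPV4_RE.findall(text):
        found.add(("ipv4", ip))
    for digest in _SHA256_RE.findall(text):
        found.add(("sha256", digest))
    for host in _HOST_RE.findall(text):
        found.add(("domain", host))
    return found


def match_logs(index, lines):
    """Scan log lines for feed indicators; return one record per hit."""
    hits = []
    for n, line in enumerate(lines):
        for kind, value in sorted(extract_observables(line)):
            if kind == "domain":
                ind = _domain_hit(value, index.get("domain", {}))
            else:
                ind = index.get(kind, {}).get(value)
            if ind:
                hits.append({"line": n, "type": kind, "observed": value,
                             "indicator": ind["value"], "actor": ind["actor"]})
    return hits


def actors_seen(hits):
    """Summarise which actors' indicators appeared, and on which log lines."""
    summary = defaultdict(set)
    for h in hits:
        summary[h["actor"]].add(h["line"])
    return {actor: sorted(lines) for actor, lines in summary.items()}


if __name__ == "__main__":
    found = match_logs(load_feed(SAMPLE_FEED), SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line']}: {h['type']} {h['observed']} -> {h['actor']}")
    print(actors_seen(found))
```

Two details matter in practice: domain matching walks up the parent labels so a fresh subdomain of a known command-and-control domain still triggers, and the URL, IP and hostname regexes each fire independently, so one proxy line can yield several hits that all point at the same actor. Feed quality varies, so treat a hit as a lead to investigate rather than as proof of compromise.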