Threat Actors in Cybersecurity

Understanding the attackers, their motivations, and their methods

Introduction to Threat Actors

A Threat Actor is an individual or entity responsible for incidents that impact security and data protection. These actors can range from lone hackers to Organized Crime Groups or even Nation-state entities. They initiate attacks to steal, alter, or destroy your data. Understanding Threat Actors and their motivations is a crucial part of developing effective cybersecurity strategies.

A Threat Actor can be anything from the neighborhood kid trying to crack your Wi-Fi password to enjoy some free internet, all the way up to government-funded organizations seeking to cause chaos and disruption among their enemies.

Course Objectives Covered

In this section, we focus on Domain 1 and Domain 2, specifically Objectives 1.2, 2.1, and 2.2:

  • Objective 1.2: Summarize fundamental security concepts.
  • Objective 2.1: Compare and contrast common Threat Actors and motivations.
  • Objective 2.2: Explain common threat vectors and attack surfaces.

Threat Actor Motivations

Threat Actor motivations are the reasons why Threat Actors do what they do. Understanding these motivations helps security professionals anticipate and counter potential attacks.

  • Financial Gain: the most common motivation; stealing data or deploying ransomware for monetary profit.
  • Data Exfiltration: stealing sensitive information from organizations for various purposes.
  • Espionage: obtaining classified information for political, military, or economic advantage.
  • Service Disruption: disrupting operations through DDoS attacks or infrastructure sabotage.
  • Blackmail: threatening to release sensitive information unless demands are met.
  • Philosophical or Political: promoting a cause or ideology through cyber attacks.
  • Ethical Reasons: finding and exposing vulnerabilities to improve security.
  • Revenge: retaliating against perceived wrongdoing by an organization.
  • Disruption or Chaos: creating disorder simply for the challenge or entertainment.
  • War: nation-states engaging in cyber warfare as part of broader conflicts.

Figure: Common Threat Actor Motivations

Threat Actor Attributes

Threat Actor Attributes refer to the specific characteristics or properties that define and differentiate various Threat Actors from one another.

Internal versus External Threat Actors

Internal Threat Actors: Operate from within the organization with some level of trusted access.

  • Current or former employees
  • Contractors or business partners
  • Often have legitimate access credentials
  • May act intentionally or unintentionally

External Threat Actors: Operate from outside the organization without prior access.

  • Need to find a way to penetrate defenses
  • Often rely on social engineering or vulnerability exploitation
  • Examples include hackers, criminal organizations, competitors

Differences in Resourcing and Funding Levels

The resources available to threat actors significantly impact their capabilities and attack sophistication:

  • Low-resource actors: Limited funding, basic tools, opportunistic attacks
  • Medium-resource actors: Moderate funding, commercial tools, targeted attacks
  • High-resource actors: Substantial funding, custom tools, persistent threats
  • State-sponsored actors: Nearly unlimited resources, advanced persistent threats

Level of Sophistication and Capability

Threat actors vary widely in their technical expertise and operational capabilities:

  • Low sophistication: Using publicly available tools, limited technical knowledge
  • Medium sophistication: Able to modify existing exploits, good technical understanding
  • High sophistication: Developing custom exploits, advanced evasion techniques
  • Expert sophistication: Zero-day exploits, advanced persistent threats, complex attack chains

Types of Threat Actors

Understanding the different types of threat actors helps organizations prepare appropriate defenses.

| Threat Actor Type   | Motivation                             | Sophistication | Resources            | Common Tactics                                    |
|---------------------|----------------------------------------|----------------|----------------------|---------------------------------------------------|
| Unskilled Attackers | Curiosity, learning, thrill            | Low            | Limited              | Pre-written scripts, publicly available tools     |
| Hacktivists         | Political/social causes                | Low to Medium  | Limited to Moderate  | Website defacement, DDoS, doxing                  |
| Organized Crime     | Financial gain                         | Medium to High | Substantial          | Ransomware, phishing, identity theft              |
| Nation-state Actors | Espionage, warfare, sabotage           | Very High      | Extensive            | APTs, zero-day exploits, supply chain attacks     |
| Insider Threats     | Revenge, financial gain, inadvertent   | Varies         | Insider access       | Data exfiltration, privilege abuse, negligence    |

Figure: Threat Actor Types by Sophistication and Resources

Unskilled Attackers

Individuals with limited technical experience who use readily available tools like downloaded scripts or exploits to carry out their attacks. Often called "script kiddies," they typically lack the knowledge to develop their own attack methods.

Example: A teenager using a publicly available DDoS tool to take down a school website during an exam period.

Hacktivists

Cyber attackers driven by political, social, or environmental ideologies, often aiming to draw attention to a specific cause. They use cyber attacks as a form of protest or to promote their message.

Example: A group defacing a corporation's website to protest environmental policies or leaking sensitive documents to expose perceived wrongdoing.

Organized Crime

Well-structured groups executing cyber attacks for financial gain, usually through methods like ransomware, identity theft, or credit card fraud. These groups operate like businesses with specialized roles.

Example: A criminal organization deploying ransomware across multiple healthcare facilities and demanding bitcoin payments for decryption keys.

Nation-state Actors

Highly skilled attackers sponsored by governments who carry out cyber espionage, sabotage, or cyber warfare against other nation-states or specific targets in various industries.

Example: Government-backed hackers infiltrating critical infrastructure systems of another country to gather intelligence or prepare for potential future conflicts.

Insider Threats

Security threats originating from within the organization, often due to employees seeking revenge or careless staff misusing their trusted access to systems and data.

Example: A disgruntled employee who has been passed over for promotion exfiltrating proprietary data before leaving the company.

Shadow IT

Shadow IT refers to Information Technology systems, devices, software, applications, and services that are managed and utilized without explicit organizational approval. These can pose significant security risks to your organization.

Common Examples of Shadow IT

  • Cloud storage services (Dropbox, Google Drive) used without IT approval
  • Collaboration tools installed by employees without authorization
  • Personal smartphones accessing corporate data
  • Third-party applications integrated with business systems
  • Employee-developed spreadsheets or databases storing sensitive information

Security Risks of Shadow IT

  • Data leakage and potential regulatory compliance violations
  • Lack of proper security controls and updates
  • No visibility for security teams to monitor or protect
  • Bypassing of established security policies
  • Increased attack surface for the organization

Threat Vectors and Attack Surfaces

Threat vectors are the pathways or methods that attackers use to gain access to a system for malicious purposes. Attack surfaces represent all the potential points where an unauthorized user can attempt to enter or extract data from an environment.

  • Message-based: email phishing, SMS phishing (smishing), instant messaging, and social media messages.
  • Image-based: malicious code embedded in images, steganography to hide data, malicious QR codes.
  • File-based: infected documents, malicious macros, trojanized software, malware-laden attachments.
  • Voice Calls: vishing (voice phishing), social engineering through phone calls, pretexting.
  • Removable Devices: infected USB drives, external hard drives, malicious firmware on peripherals.
  • Unsecured Networks: public Wi-Fi exploitation, rogue access points, man-in-the-middle attacks.

Figure: Common Attack Vectors and Their Prevalence

Deception and Disruption Technologies

Organizations can employ various deception technologies to detect, delay, and analyze threat actors' activities.

Honeypots

Decoy systems or servers designed to attract and deceive potential attackers, simulating real-world IT assets to study their techniques.

Example: A vulnerable-looking database server that contains no real data but logs all access attempts and techniques.

Honeynets

Networks of decoy systems to observe complex multi-stage attacks and attacker movements between systems.

Example: A simulated corporate network with multiple interconnected honeypots mimicking various organizational systems.

Honeyfiles

Decoy files placed within systems to detect unauthorized access or data breaches when they are accessed.

Example: Files with names like "employee_salaries.xlsx" or "network_passwords.txt" that trigger alerts when opened.

Honeytokens

Fake pieces of data, like fabricated user credentials, inserted into databases or systems to alert administrators whenever they are accessed or used.

Example: Fake login credentials that, when used, indicate a compromised database or access attempt.
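What makes honeyfiles and honeytokens useful is that no legitimate user ever has a reason to touch them, so every access is a high-confidence alert. The script below is an added example written for this page (not code from the original page or from any deception product) covering both the Honeyfiles and Honeytokens passages above: it registers a few planted decoy accounts and decoy file paths, scans constructed authentication and file-audit log lines for any use of them, and then lists every account used from the same source address so responders can scope the intrusion beyond the decoy itself. The log formats, paths, account names, and addresses are assumptions for the example.

```python
"""Honeytoken / honeyfile alerting over sample logs (added example, assumed log formats)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Registry of planted decoys (assumed values). The honeytoken accounts exist
# only in a seeded credential store; the honeyfiles are empty decoys with the
# enticing names the page mentions.
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "finance_share"}
HONEYFILES = {
    "/srv/share/hr/employee_salaries.xlsx",
    "/srv/share/it/network_passwords.txt",
}

# Assumed line formats for the two log sources.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FILE_RE = re.compile(
    r"^(?P<ts>\S+) file (?P<action>open|read|copy) user=(?P<user>\S+) src=(?P<src>\S+) path=(?P<path>\S+)$"
)

# Constructed sample: normal activity from alice and carol, and one host that
# tries a planted credential and then copies a decoy file under another account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth success user=alice src=10.0.5.23
2024-05-01T10:00:09Z file open user=alice src=10.0.5.23 path=/srv/share/hr/onboarding_checklist.docx
2024-05-01T10:03:44Z auth failure user=svc_backup_admin src=10.0.9.77
2024-05-01T10:03:47Z auth success user=svc_backup_admin src=10.0.9.77
2024-05-01T10:04:10Z file copy user=bob src=10.0.9.77 path=/srv/share/hr/employee_salaries.xlsx
2024-05-01T10:05:00Z file read user=carol src=10.0.5.40 path=/srv/share/it/runbook.md
"""


@dataclass(frozen=True)
class Alert:
    kind: str    # "honeytoken" or "honeyfile"
    ts: str
    user: str
    src: str
    detail: str


def parse_event(line):
    """Match a log line against the known formats; returns None for anything else."""
    for kind, pattern in (("auth", AUTH_RE), ("file", FILE_RE)):
        m = pattern.match(line)
        if m:
            return {"type": kind, **m.groupdict()}
    return None


def _events(log_text):
    return [e for e in map(parse_event, log_text.splitlines()) if e]


def detect_decoy_use(log_text):
    """Return an Alert for every authentication with a honeytoken account
    (failed attempts included: the planted secret has been read by someone)
    and for every open/read/copy of a honeyfile."""
    alerts = []
    for e in _events(log_text):
        if e["type"] == "auth" and e["user"] in HONEYTOKEN_ACCOUNTS:
            alerts.append(Alert("honeytoken", e["ts"], e["user"], e["src"],
                                f"planted credential used (login {e['result']})"))
        elif e["type"] == "file" and e["path"] in HONEYFILES:
            alerts.append(Alert("honeyfile", e["ts"], e["user"], e["src"],
                                f"decoy file {e['action']}: {e['path']}"))
    return alerts


def suspicious_sources(log_text):
    """Map each source address that touched a decoy to every account it used,
    so the real (non-decoy) accounts it holds can be reset and investigated."""
    flagged = {a.src for a in detect_decoy_use(log_text)}
    accounts = defaultdict(set)
    for e in _events(log_text):
        if e["src"] in flagged:
            accounts[e["src"]].add(e["user"])
    return dict(accounts)


if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"[{a.kind}] {a.ts} user={a.user} src={a.src}: {a.detail}")
    print("accounts used from flagged sources:", suspicious_sources(SAMPLE_LOG))
```

On the sample this raises three alerts, all from 10.0.9.77: two for the honeytoken account (one failed and one successful login) and one for the copy of the decoy salary file, and the source scoping shows that host also used the account "bob", which is therefore a real account to treat as compromised. Failed logins with a honeytoken are deliberately alerted on, since the only way to know that username is to have read the place it was planted.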

Figure: Deception Technology Architecture

Key Takeaways