27/1/2019 TestOut LabSim

2.1.1 Threat Actor Types

In the world of InfoSec, a threat actor is any individual or entity that carries out an attack. And not all threat actors are the same. They all have
different motives, attributes, and attack characteristics.

For example, a single hacker trying to exploit a vulnerability is going to have a completely different attack profile than an organized crime group
waging an assault on your network. Because of this, it's your job to understand the different types of threat actors that exist so you can better
protect your systems.

Targeted vs Opportunistic Attacks


The first thing you need to be aware of is the difference between an opportunistic attack and a targeted attack. Let's start by looking at the less
dangerous of the two, an opportunistic attack.

With an opportunistic attack, the threat actor is almost always trying to make money as fast as possible and with minimal effort. And because
hiding your tracks and presence is very time-consuming, the attacker usually won't bother. They simply want to get in, grab the goods, and get
out--think of it as the smash-and-grab of cyberattacks.

An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities, such as old software,
exposed ports, poorly secured networks, default configurations, and so on. When one is found, the attacker will exploit the vulnerability, steal what
they need, and get out.

A common example of an opportunistic attack is ransomware. An attacker will gain access to a system, plant a virus that encrypts all user data, and
demand a payment for decrypting the data.

The best way to protect against opportunistic attacks is to follow security best practices: keep systems up to date, close all unused ports, disable
unused services, et cetera.

A targeted attack, on the other hand, is much more dangerous and, to be completely honest, impossible to defend against. A targeted attack is
extremely methodical and often carried out by multiple entities that have substantial resources.

The main goal of a targeted attack is to do damage--for example, leak sensitive information or destroy important data. Targeted attacks almost
always use unknown exploits and go to great lengths to cover their tracks and hide their presence. Targeted attacks also use completely new
programs written from the ground up that are specifically designed for the target.

One example of a targeted attack is Stuxnet. Stuxnet is a malicious computer worm that was specifically designed to target only SCADA systems. It
was created to target industrial centrifuges used by the Iranian nuclear program. Stuxnet's code was so large and complex that it would have
required huge amounts of funding and resources to create.

Even though targeted attacks are next to impossible to protect against, it doesn't mean you should throw in the towel. It's still beneficial to protect
your network and minimize your attack surface as much as possible to make it that much harder for an attacker to succeed.

Now that we know the two main types of attacks, let's take a look at the different types of threat actors.

Insiders
The first one we'll look at is insiders. Insiders are one of the most dangerous types of threat actors. And often, they are the most overlooked.

Now, when we say insider, we can be talking about a customer, a janitor, or even a security guard. But most of the time, we are talking about an
employee. And employees pose one of the biggest threats to any organization.

Don't get me wrong, I'm not saying all employees are bad. However, you still need to look at them as potential threats and take the appropriate
actions to prevent them from becoming actual threat actors and exploiting a vulnerability.

There are a lot of different reasons for an employee becoming a threat actor. The employee could be disgruntled and motivated by a personal
vendetta. The employee might want to make money--maybe they've been bribed to steal information, or they could be working alone and decide
to steal customer credit card information.

Both of these reasons require the employee to make a conscious effort to carry out an attack. However, sometimes, an employee can become a
threat actor without them even knowing. This is known as an unintentional threat actor. They create security breaches doing what they think is
harmless day-to-day work. And an unintentional threat actor is the most common insider threat.

See, because the unintentional threat actor has no idea they are doing anything wrong, they will continue to compromise the organization in
ignorance. This means that any employee has the potential to become an unintentional threat actor.

The key point to remember is that insiders typically have easier access to company information and assets than someone on the outside who's
trying to break in, making them a much more dangerous threat.

Competitors

Another type of threat actor is a competitor.

I know I'm stating the obvious, but business is competitive. And sometimes, that competition causes organizations to cross the line and use
corporate espionage to try to get information from competitors.

And when I say corporate, I'm not necessarily talking about giant corporations. These tactics can be used on non-profit companies, private
companies, and even smaller companies.

There are two tactics used in corporate espionage. The first tactic is internal.

In this case, a competitor hires a spy that gets a job at your company. This new "employee" then exploits any internal vulnerabilities they can find
and steals information for their client.

The second tactic is external. This is where the competitor hires a spy to attack a company from the outside by exploiting any external
vulnerabilities that exist and, again, returns the information to their client.

Hackers
The next threat agent that you need to be aware of is the hacker. Now, the term hacker is kind of a broad, generic term that tends to be applied to
many different categories of threat agents. But generally speaking, and for our purposes here, a hacker is any threat agent who uses their
technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information.

There are a lot of different reasons why a hacker becomes a threat agent, but the most common reason is for attention. Instead of seeking
financial gain or revenge, they just want the bragging rights and to be able to say, I did that. And this ties into the next reason, which is for the
thrills.

Some hacker threat agents get a thrill out of knowing they can get past security measures and gain access to a system. They might not even do
anything malicious after they gain access.

Another reason is, of course, criminal. The threat agent wants to gain access to your information to receive some type of reward. This reward could
be financial, political, or something else entirely.

Hackers themselves come in a lot of different flavors--that is, their motives and labels are different. For example, some hackers call themselves
hacktivists. These are hackers that have a political motive and are usually out to disrupt governments, large corporations, or other entities that
oppose their political views.

Another is a script kiddie. Script kiddies aren't hackers in the traditional sense. As their name implies, they are kind of like the kids of the hacking
world. Script kiddies will use applications or scripts written by much more talented individuals to attack systems or compromise devices.

The last type of hacker threat agent is known as a white hat hacker. A white hat hacker is, actually, a good guy who tries to help a company see the
vulnerabilities that exist in their security.

One key attribute all hacker threat agents share is that they don't want to get caught. Because of this, they take extensive measures to cover up
their tracks and make sure that the attack can't be traced back to them.

Cybercriminals
Now, there's actually a subcategory of hacker threat agents, and they could even be grouped with corporate spies. These are cybercriminals, and
they have some unique aspects that differentiate them from an average hacker.

Cybercriminals have unique motivations. Remember, hackers really don't want to get caught--neither do cybercriminals. However, cybercriminals
are willing to take a lot more risks and use more extreme tactics because their motivation is usually a significant financial gain. They try to steal
information that has value so they can sell it or use it.

For example, they could target banks to steal financial information or a hospital to steal personal information. In addition, they could be seeking
revenge against a particular company or political entity.

As I said before, cybercriminals tend to be risk takers. They're highly motivated by monetary gain. As such, they tend to be a lot more tenacious
than your average hacker. Because the risk of being caught increases the longer an attack takes, the hackers we talked about before usually won't
pursue an attack for very long. A cybercriminal, on the other hand, is willing to take more risks because the payoff is a lot higher.

A lot of times, cybercriminals are associated with large organized crime syndicates, such as the mafia.

Nation States
The next threat actor we need to look at is nation states.

The days of protecting systems from a lone attacker or small group are gone. In today's world, we have to deal with attacks from other countries.
And these are some of the most dangerous external attacks you will face.

Why? Because attacks from nation states have several key components that make them especially powerful. First, nation state attacks are highly
targeted. They identify a target and wage an all-out war. Second, they are extremely motivated. Third, they use the most sophisticated attack
techniques of all the attackers. This often includes developing completely new applications and viruses in order to carry out an attack. And finally,
they have a lot of resources and money at their disposal.

The reality is, if a nation state sets its crosshairs on an organization, they are going to infiltrate it no matter what kind of security has been
implemented. This is why it is so important as a security professional that you are able to recognize what an attack looks like and what abnormal
network traffic or behavior looks like. You need to be able to prevent attacks from occurring, but you also need to identify an attack that has
already occurred.

Summary
One important thing to remember is that the average hacker is usually one person at home, trying to figure out ways to get into a system--and if
things get too risky, they back off.

However, cybercriminals and nation states may spend several years formulating an attack and conducting reconnaissance before executing the
exploit.

TestOut Corporation All rights reserved.
