In every crime, the police work to establish the basics: who, where, when, why, and how. The process is the same in the cyber landscape, where IT security professionals try to figure out what is going on with crime targeting their organization, be it a public or private enterprise. While the proportions of each threat actor and attack type vary by industry vertical or sector, the types of actors involved are the same: there are good guys and bad guys, and sometimes people who simply make mistakes.
Armed with information about the types of threat actors and their respective motivations, organizations can start to tell their enemies from their allies and learn how to thwart the first while educating and supporting the second.
Security Researchers
Security Researchers are the white knights of the cybercrime world. These ethical hackers are often employed on security teams, working to harden an organization’s systems. Sometimes they are students, independent operators, or IT workers turned security enthusiasts who work to earn bug bounties. Their motivation ranges from a simple paycheck and the ideology of foiling the world’s malicious hackers to the glory and credit of stopping a damaging exploit and the appeal of new challenges. This variety of motivation and background produces a similar variety of skill level and drive: ‘white hat’ practitioners’ skills range from novice to elite, depending on experience, previous employment, or schooling. Their methods typically include mapping and reconnaissance utilities, automated scanners, open-source tooling, and occasionally custom-written software.
Nation State Hackers
Nation State Hackers are public-sector operators motivated by pay, nationalism, and a dedication to national security. Their goals include espionage and surveillance, command and control of adversary systems, military advantage, and financial or strategic leverage over enemies and allies alike. Extremely skilled, coordinated, and strategic, Nation State Hackers will pursue a target for as long as it takes, really putting the P in Advanced Persistent Threat. Their methods of attack and organization depend on their country of origin, but they are typically well funded with abundant resources, and are either employed directly by or contracted to government agencies as part of national cyber programs. The best-known example of a nation-state attack is Stuxnet, widely attributed to the U.S. and Israeli governments, which sabotaged the centrifuges in Iran’s uranium-enrichment program to slow its progress toward a nuclear weapon. Just as important to consider is that an adversary may operate under an entirely different philosophy: in many Eastern states, ethnicity and patriotism carry more weight than they do in the West, and information a Westerner takes for granted as public can be treated there as a threat to valued national institutions.
Hacktivists
Hacktivists are the politically motivated cyber criminals of the world. Like other activists, Hacktivists push their own political agenda, often by exposing (real or perceived) wrongdoing or by exacting revenge on an entity or organization prominent in the mainstream news. Their skill levels vary, typically from complete novice to intermediate, but their numbers occasionally include highly skilled professionals. The Hacktivist’s goal is one of three: exposing information, changing or defacing information, or denying access to services. To these ends, Hacktivists’ preferred methods include off-the-shelf tools and toolkits, website defacement, doxxing, and DDoS attacks. Unlike other hacker types, Hacktivists lack the financial backing for the more advanced and costly methods needed to develop long, patient campaigns; they tend to be reactive, with set deadlines. The true talent of Hacktivists lies in coordinating and communicating within the collective, which is far more powerful and effective than any individual member. The challenge in identifying a Hacktivist is that, quite simply, one need only declare “I am a part of Anonymous” and accept the collective’s humorous list of ‘rules’ to take part in many of its attacks. Few higher-level members of Hacktivist organizations have been reported caught or prosecuted; those who have been caught have often been less-experienced teenagers or college students. Hacktivist attacks have been going on for years.
Organized Crime Hackers
Organized Crime Hackers are professional criminals motivated by money, hacking to steal data, funds, and computing resources. They are well funded and extremely organized, and may have relationships with Nation State Hackers or even Hacktivists in opportunistic cases. Operating at a very sophisticated level, Organized Crime Hackers compartmentalize skills across a supply chain, which also protects the group: one person does the intrusion, another writes the exploits, another sells the stolen data, and perhaps another group runs tech support for the services they sell. These cyber criminals perform reconnaissance, then target the easiest and weakest links in an organization first, opting for the fastest financial return. Their means of attack can also be the most patient and sophisticated, typically including SQL injection, credential theft and password reuse, phishing and spear phishing, malvertising (using advertising networks to distribute malware), DDoS attacks, and ransomware. For example, hospitals in Maryland and California were recently victims of ransomware attacks in which their networks and patient records were held hostage for Bitcoin. Patient records can sell for over $300 each on the black market.
Terrorist Hackers
Terrorist Hackers are the most recent persona to enter the threat landscape. Motivated by politics or religion, these cybercriminals work with high determination and persistence toward a political end, often by creating fear and chaos. Like Hacktivists, Terrorist Hackers are coordinated and strategic, and they borrow techniques from the other personas, using Organized Crime techniques to raise money and Hacktivist techniques to gather data and information. Lacking funding of their own, Terrorist Hackers are rumored to participate in Organized Crime to finance their other activities. A recent example of a successful attack is the January 2015 hijacking of U.S. Central Command’s Twitter and YouTube accounts by ISIS-aligned hackers, who tweeted pro-Islamic State messages and posted personal information about U.S. military officials. As with any criminal class, individuals sometimes get caught.
As a wryly amusing note, we must remember that sometimes the bad guys bicker among themselves: Anonymous recently fought back against ISIS and its doxxing attacks by hacking the group right back.
Insiders and Honest Mistakes
People make mistakes. People lose their laptops and put their logins and passwords on sticky notes next to their phones. People download PowerPoint slides their mom emailed them and plug in USB drives to copy music or movies their friends burned for them. Tools, policy, and repeated education are the best defense against mistakes and the common social-engineering weaknesses in your ecosystem. Malicious insiders on their way out the door, and other disgruntled individuals, are harder to stop because their actions are deliberate, which is why you will read Security Researchers constantly harping on topics like least privilege and encryption.
How Do We Defend Ourselves?
It’s a jungle out there, but the basics are always a good place to start, presenting as small an attack surface as possible. Our Security Researchers recommend a common-sense approach to security: Scan your most critical systems. Patch what you can as soon as you can. Educate your entire organization on policies and procedures, and encourage your developers to learn secure coding practices that avoid well-known vulnerability classes such as the OWASP Top 10.
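As an added illustration of that last recommendation (example code written for this edit, not code from the original article or from any product it describes): SQL injection, listed earlier as a favourite Organized Crime technique, is the OWASP Top 10 class that secure coding most directly addresses. The script below builds a constructed in-memory SQLite table of made-up patient records, runs the same lookup once with string concatenation and once with a parameterized query, and shows that a hostile search term dumps every record from the first and nothing from the second. The table, names and search strings are all invented for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
# One name contains an apostrophe on purpose: it is legitimate input that
# happens to break naive string-built SQL.
PATIENTS = [
    ("Smith", "MRN-1001", "diagnosis A"),
    ("Jones", "MRN-1002", "diagnosis B"),
    ("Lee", "MRN-1003", "diagnosis C"),
    ("O'Brien", "MRN-1004", "diagnosis D"),
]


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database holding the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (last_name TEXT, mrn TEXT, note TEXT)")
    # Parameterized insert: the driver sends values separately from the SQL text.
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", PATIENTS)
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """BAD: user input is spliced into the SQL text, so the input can change
    the structure of the query instead of just its data."""
    sql = "SELECT mrn, note FROM patients WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """GOOD: the value is bound to a placeholder, so whatever the user typed
    is compared as a string and is never parsed as SQL."""
    sql = "SELECT mrn, note FROM patients WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demo() -> dict:
    """Run both lookups against a benign term, a classic injection payload,
    and a legitimate name with an apostrophe; return the row counts."""
    conn = build_db()
    benign = "Smith"
    # Closes the open quote, adds an always-true predicate, and comments out
    # the rest of the query; this is a hypothetical payload for the example.
    hostile = "' OR 1=1 --"
    apostrophe = "O'Brien"

    def guarded(fn, term):
        # The concatenated query raises a syntax error on apostrophes;
        # report that rather than crash so the comparison stays visible.
        try:
            return len(fn(conn, term))
        except sqlite3.Error:
            return "error"

    return {
        "vuln_benign": guarded(search_vulnerable, benign),
        "vuln_hostile": guarded(search_vulnerable, hostile),
        "vuln_apostrophe": guarded(search_vulnerable, apostrophe),
        "safe_benign": guarded(search_safe, benign),
        "safe_hostile": guarded(search_safe, hostile),
        "safe_apostrophe": guarded(search_safe, apostrophe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} -> {value}")
```

The hostile term turns the concatenated query into `... WHERE last_name = '' OR 1=1 --'`, which returns the whole table, while the parameterized query looks for a patient literally named `' OR 1=1 --` and finds none. The apostrophe case is the other half of the lesson: concatenation is not only exploitable, it is simply wrong for ordinary data, which is why parameter binding (not input escaping) is the secure-coding fix the OWASP Top 10 points developers toward.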
For an at-a-glance reference guide to the various hacker personas, download the “Who’s That Hacker?” infographic.