The Different Types Of Threat Actors And Their Motivations

Andres Tse, published in CodeX, Jul 28, 2022

In cybersecurity, threat actors are the individuals or entities attempting to breach a system, usually in order to exfiltrate information for monetary, political, or personal gain.

However, these individuals or entities come in many shapes and sizes. They range from sophisticated, well-funded adversaries that use advanced methods to breach national systems to novices who rely on commonly known techniques to exploit vulnerable individuals, so there can be substantial variation in who is attempting to compromise a system and why.

Let’s explore these different types of threat actors in depth, using the pyramid model for categories of threat actors. Note that this representation is generalized and there will be exceptions to the rule: some tier VI threat actors may use tier II tactics, and so on. The characterization should nonetheless be broadly accurate.

Figure: Pyramid Model for Categorization of Threat Actors, source: https://www.telenor.com/security-architecture-design-phase-the-concept-of-a-threat-intelligence-driven-defendable-architecture/

Categories Of Threat Actors

Tier VI

APTs (Advanced Persistent Threats) fall under this category: well-funded, nation-state threat actors seeking to exfiltrate national-security-level information and to gain economic advantage. Threat actors in this tier actively create vulnerabilities, thanks to their vast resources and technical expertise. Spear phishing is commonly used by these adversaries, as they have the funds to persist against a particular target and attempt to extract as much valuable information as possible. The TTPs (tactics, techniques, and procedures) employed by these threat actors vary with factors such as culture, economics, and geography. For instance, Russia, which can be considered a tier VI threat actor, may opt for covert attacks that are difficult to trace back to it. Another nation, on the other hand, may use more aggressive and exposed methods to extract valuable information and gain economic advantage.

Tier V

In tier V, there is a noticeable difference in economic resources and size compared to tier VI. Attacks may consequently be less sophisticated, and ideological motivations are possible. For instance, hackers likely from North Korea released confidential data about Sony Pictures employees in response to the release of a movie that involved the North Korean leader Kim Jong Un. Targets often include research and technology. Tier V actors may also target dissidents (people who oppose official policy); an example would be Iran using cyberattacks to stop the actions of individuals who might try to undermine the government politically.

Tier IV

In tier IV, threat actors become more numerous, and correct attribution of a specific attack becomes more difficult as a result. Some of the adversaries in this tier have connections with APTs. For example, Fancy Bear is a Russian cyber espionage group whose goals were not necessarily monetary: it was after national security information, and CrowdStrike determined with medium confidence that the group was related to the GRU (the Russian military intelligence agency). Such groups often provide some legal and political distance from the entity behind them, which helps mask the primary source of the attacks.

Hacking teams and organized crime also fall under this category. They can be considered cyber mercenaries: as long as they can avoid prosecution, they will pursue monetary gain using illicit methods.

At this level, threat actors actively discover vulnerabilities (zero-days), and they are reasonably well resourced. Most of the exploitation occurs via the internet, and their methods include backdoors, crypto-cracking, and advanced malware.

Tier III

Crime groups, like organized crime, seek monetary gain. An example would be a crime group from Brazil: although its execution can be sloppy from a technical perspective, its use of social media and social engineering often results in credit card theft and financial losses for companies.

Hacktivists also fall into this category. Compared to a criminal syndicate, they are not necessarily structured hierarchically; Anonymous would be an example. Hacktivists are not interested in monetary gain. Their goal is to tarnish the reputation of a political figure or an organization, and their decentralized organization can make them harder to track. Hacktivists are vocal about matters that are important to them. When deploying these attacks, they can use both original tools and known exploits.

Tier II

At tier II, attacks become less intense, and there is less monetary gain per target. However, the number of threat actors increases. Criminals fall under this category, as do disgruntled workers, who can be considered insider threats because they may already possess sensitive information or the elevated privileges needed to cause substantial damage. The targets of these attacks are often small businesses or individuals. Prevalent attack methods include DDoS (Distributed Denial of Service) and bots.

Tier I

Script kiddies fall under this category. They will look for anything they can get into (a corporation, a university system, etc.). Usually, they do not possess the tools or the level of expertise to compromise more sophisticated targets. Popular methods include phishing, viruses, and DNS attacks.

Non-malicious actors are often interested in seeing what they can do and might try to infiltrate a system to test their penetration testing skills. If they get in, they may even disclose the details of the intrusion to help the other party fix the vulnerability.

As mentioned before, technical ability and persistence are lower in this tier, but the number of threat actors increases substantially. Compromise attempts will often rely on known exploits and common vulnerabilities.

Summary

Threat actors come in all shapes and sizes. They are, after all, humans with different motivations, backgrounds, and skill sets. As a result, we should always be ready for all types of threats as they emerge. The tier system can be a helpful tool for navigating the different types of adversaries, but it should be used as a guide rather than as something precisely determined. When strategizing against these threats, it is also crucial to consider which threats are the most dangerous and which are the most likely. The most likely threats are cheaper and easier to defend against, while the most dangerous are more expensive to defend against and less likely to occur; the level of damage a risk could cause should always be factored into these decisions.

“If you know your enemy and know yourself, you need not fear the results of a hundred battles.” — Sun Tzu
