In this article, the starting point of our cybersecurity journey, we will focus on Cyber Threat Actors (CTA): how we can group them, what their motivation is, who their targets are, and how you can perform threat profiling to map the actors that apply to you or your company.
I believe that understanding who your adversaries are is a better starting point than jumping straight into solutions for specific problems.
This matters because you can then go deeper and identify whose target you are, what tactics and techniques they use, what tools they are armed with, and what DNSL (Defensive Network Security Level) you need to achieve to defend against them effectively.
What is DNSL?
First, I should clarify DNSL (Defensive Network Security Level), because we will use it often in all the other articles. DNSL expresses how severe the threat posed by each adversary group is and, more importantly, what DNSL score your company needs to achieve to defend effectively against those threats. A high-level description might be:
DNSL is an actionable and measurable framework consisting of the policies, processes, procedures, maturity level, and security capabilities your company needs in order to be protected against the adversaries applicable to it.
For example, if you are a likely target for Cyber Criminals (the DNSL 3 group), you need to achieve at least a DNSL score of 3.0 to defend effectively against them. DNSL 3 inherits all requirements of DNSL 1 and 2 and adds new ones on top to cover the techniques used by adversaries in this group.
Until you have completed 100% of the previous level, the overall score does not move, however much of the next level you cover, because threats from the lower level are still not covered. In other words, the score grows level by level, in order.
You will then understand why you have a specific security capability, policy, procedure, or service, how effectively it is implemented, and how it affects your cybersecurity posture.
Because adversaries, techniques, and tools evolve and the security level of your environment changes over time, the DNSL framework is dynamic: it reflects the current state, new vectors, inefficiencies, and previously unknown threats.
The DNSL framework is not publicly available yet. Its core is based on the MITRE ATT&CK framework: each TTP is mapped to the components that detect, protect against, or mitigate it, along with how you can monitor, measure, enrich, automatically test, and attribute that specific vector.
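To make the level-gated scoring rule concrete, here is a small model of it in Python. This is an added example, not code from the DNSL framework (which is unpublished): the ATT&CK techniques assigned to each level, the control names, and the reading of the rule as "completed levels plus the fraction of the first incomplete level" are all assumptions made for the illustration. Only the fact that DNSL 3 is the Cyber Criminals level comes from the text above.

```python
# Added example: a minimal model of the level-gated DNSL score described above.
# The DNSL framework itself is unpublished, so the level contents, the ATT&CK
# technique picks and the control names here are illustrative assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    kind: str              # "detect", "protect" or "mitigate"
    techniques: frozenset  # ATT&CK technique IDs the control addresses


# Assumed level definitions: the techniques each level must cover. Only the
# fact that DNSL 3 is the Cyber Criminals level comes from the article.
LEVEL_REQUIREMENTS = {
    1: {"T1190", "T1110"},           # exploit public-facing app, brute force
    2: {"T1566", "T1078"},           # phishing, valid accounts
    3: {"T1059", "T1071", "T1486"},  # scripting, C2 over app-layer protocol, ransomware
}

# Constructed control inventory for a fictional company.
SAMPLE_CONTROLS = [
    Control("WAF", "protect", frozenset({"T1190"})),
    Control("MFA", "mitigate", frozenset({"T1078", "T1110"})),
    Control("EDR", "detect", frozenset({"T1059", "T1486", "T1110"})),
    Control("Egress proxy", "detect", frozenset({"T1071"})),
]


def covered_techniques(controls):
    """Union of every technique at least one control detects, protects or mitigates."""
    return set().union(*(c.techniques for c in controls))


def level_completion(level, controls):
    """Fraction of the level's required techniques that are covered (0.0 .. 1.0)."""
    required = LEVEL_REQUIREMENTS[level]
    return len(required & covered_techniques(controls)) / len(required)


def dnsl_score(controls):
    """Completed levels plus the fraction of the first incomplete level.

    Coverage of a higher level does not count until every lower level is at
    100%, which is the gating rule stated in the article.
    """
    score = 0.0
    for level in sorted(LEVEL_REQUIREMENTS):
        completion = level_completion(level, controls)
        if completion < 1.0:
            return score + completion
        score += 1.0
    return score


def gaps(controls, target_level):
    """Uncovered techniques per level, for every level up to the target."""
    covered = covered_techniques(controls)
    return {
        level: sorted(LEVEL_REQUIREMENTS[level] - covered)
        for level in sorted(LEVEL_REQUIREMENTS)
        if level <= target_level and LEVEL_REQUIREMENTS[level] - covered
    }


if __name__ == "__main__":
    # Level 1 is fully covered, level 2 only half (no phishing control), so the
    # complete coverage of level 3 is ignored by the gate and the score is 1.5.
    print("score:", dnsl_score(SAMPLE_CONTROLS))          # 1.5
    print("gaps to DNSL 3:", gaps(SAMPLE_CONTROLS, 3))    # {2: ['T1566']}
    with_mail_filter = SAMPLE_CONTROLS + [Control("Mail filtering", "protect", frozenset({"T1566"}))]
    print("score:", dnsl_score(with_mail_filter))        # 3.0
```

The `gaps()` output is the actionable part: with the sample inventory the only thing standing between a 1.5 and a 3.0 is one control for phishing, which is exactly the kind of prioritisation the framework is meant to give you.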
The biggest problem in cybersecurity is that cybersecurity today is unreasonably overcomplicated, heavily based on assumptions, full of ineffective solutions, and carries a high price tag for every small problem.
The goal of the Defensive Network Security Level is to simplify this complex problem so you can measure where you stand at a point in time and what you need to do to reach a higher DNSL, and with it a stronger defense against adversaries.
Get connected, so you will know when the DNSL framework is released.
Cyber Threat Actors
OK, but the main topic for this article is CTA, so let's dive deeper into it.
You can use multiple frameworks, reports, studies, or guides describing different actors, from NIST, ENISA, SANS, CIS and others. Each of them is unique, because each considers different actors, targets, and motivations. You can see a comparison of 22 different frameworks below, a screenshot from the study “Cyber Threat Actors for the Factory of the Future“. As you can see, they differ considerably. None of them is wrong, but inconsistency does not help with our simplification.
For that reason I created my own table, which tries to take the best from them, reflect the current situation (some studies are ancient), and add my own experience; the result is in the table below. If you are missing something, please let me know in the comments so we can improve it together.
In our CTA table, you can see:
- Various types of adversaries grouped by DNSL level
- Mapping to the STIX CTA type
- A description of each adversary, including:
  - Typical tactics (not a comprehensive list)
We all love tables, but let's simplify: remove the information that is not important for now and map the relations, so the connections between adversaries and their motives become clear.
OK, it's clearer now. Financial/Economic gain and Espionage are the primary motivations for most of them, and most forms of espionage are ultimately motivated by financial gain as well (for a person, a company, or a whole state). So let's group those too and add targets on top.
💡 If you ever wondered why some groups would be interested in you or your company, here is the answer. Some of them are interested in anyone, and you need to achieve at least a DNSL score of 3.0 to defend against them.
Here we go. So what can we see here and how groups operate?
Script Kiddies: Motivation & Sophistication
Script Kiddies are typically young individuals with a personal ideology, low resources, and little sophistication.
They are partially applicable to unethical companies (ideology) and to any Internet user (ego), as even one inappropriate comment on a social network can draw their interest to you.
They typically use tools found on the Internet (GitHub, Exploit-DB, …) which they rarely understand; unless the author intentionally left a bug in the code, they will happily run it against websites, servers, or individuals.
They are not considered a serious threat.
Hacktivists: Motivation & Sophistication
Hacktivists' motives are relatively straightforward, so you should be fine unless you are an unethical company, a political party, or a supplier to one. Their danger lies in the wisdom of the crowd, in their motivation, in their connections to other groups, and in the fact that all their attacks are targeted at specific companies, systems, or individuals.
Being labelled an unethical company is easier than you might think; companies have been the subject of targeted attacks for something as small as legal action against jailbreaking the PS3. Ethical companies go beyond what is legal and do what is “right”: they care about the environment, employees, and customers. The problem is that even one unethical person in a company can draw the interest of hacktivist groups.
Members of those groups have a mix of tools and knowledge from various fields. That combination, plus their connections to other groups, often leads to a successful attack against the target company or against its suppliers, from where they can reach the systems of their primary objective.
Cyber Criminals: Motivation & Sophistication
Money is the primary motivation, and for the same reason their tool arsenal is more advanced and you typically cannot find it on the regular web; at best on dark web forums, where tools are sold to other cybercrime units.
Cyber Criminals even operate like regular companies, with shifts, L1-L3 support teams, and management. Like any other company they evolve over time, so you need to keep an eye on them and update your Cyber Threat Intelligence repository every time they change some aspect of their operation. We will speak more about CTI in the next articles.
I used the chain symbol in the diagram because they can cooperate with, or hack, your suppliers and partners to get into your network, so this is an aspect you need to monitor and profile.
Some of them focus only on specific industries or countries, which makes the threat more severe. Others simply use a spray-and-pray approach, which connects them directly to any user or company on the Internet. Phishing emails that try to get you to click a link and download a file carrying ransomware or other malicious code have been very popular since cryptocurrencies made anonymous payment easy. Very likely you have already met them via email or a landing page.
Each group has a specific set of tools, infrastructure, and TTPs it uses at a given point in time. Cyber Criminals also have several sub-groups: some focus only on malware development, some on building and maintaining C2 (command and control) or Exploit Kit infrastructure, others just buy services from them or run everything in-house. It is now called MaaS (Malware-as-a-Service) or CaaS (Crime-as-a-Service), and you might remember it from the days when Exploit Kits were at their peak. Target selection, phishing campaign, landing page, exploit, dropper, infection, C2 communication: all of it for a few clicks if you have a few thousand dollars.
Cyber Terrorists: Motivation & Sophistication
Cyber Terrorists are dangerous adversaries, usually politically or ideologically motivated, whose objective is to inflict severe harm on the economy and on people. In sophistication they are comparable to Cyber Criminals, whose MaaS/CaaS offerings they can buy, but their motivation is different.
In cyberspace their typical target is critical infrastructure (Defense, Government, Communications, Energy, Emergency services, Manufacturing, Chemical, Transportation, and other sectors). As stated in our table, their typical tactics are disruptive and destructive in nature. That is the key differentiator for us: nation-state-sponsored actors may carry out forms of terrorism as well, but there the primary motivation is not political; it is more likely economic or military.
Terrorists will not ask you for payment in BTC. They will wipe data, backups and servers to cause harm, make an impact, and disrupt critical infrastructure and services, which can affect the whole state.
If you are an important supplier to a government or to a company operating in a critical sector, and especially (ideally, from their point of view) if you have access to their network, this group of actors likely applies to you.
Attacks against critical infrastructure are unfortunately very effective: in many ICS/OT environments most devices do not even encrypt or authenticate data in transit, HMIs still run on Windows XP because the vendor support contract forbids upgrading the OS or installing endpoint protection, and because much ICS/OT software was never engineered with security in mind, a single network scan can take devices down.
They use tools similar to those of Cyber Criminals to gain access to systems or networks, plus anything that can impact services, devices, or infrastructure: DDoS, destructive malware, and wipers. A well-known incident is the December 2015 attack on the Ukrainian power grid, which left over 200,000 residents in the dark.
Nation-State Actors: Motivation & Sophistication
Nation-state or state-sponsored groups, also known as Advanced Persistent Threats (APT), are the most advanced and stealthy adversaries, with high motivation and resources. One differentiator: other groups hack into systems and go straight for their primary objective. APT groups get in stealthily, clean up any evidence, make their access persistent, and quietly observe the environment's behavior before moving on to other systems, to be sure their actions will not be detected.
Based on multiple reports, the primary motivation is still espionage: stealing intellectual property, supporting intelligence needs, or further infiltration of upstream companies.
Nation-state actors use the most sophisticated, custom-built tools, which are discovered (if ever) only after years of successful infiltration. To get a feel for the level of sophistication, read a report about Flame or Stuxnet, both widely attributed to the NSA (Stuxnet jointly with Israel). I have not been able to find the full Flame report (~90 pages) for some time, but I remember the heebie-jeebies it gave me when I read it.
Flame was a perfectly engineered modular implant with very effective data collection and exfiltration capabilities, even in air-gapped environments (USB infectors). Its authors forged a code-signing certificate chaining to a Microsoft root by computing a chosen-prefix MD5 collision against Microsoft's Terminal Server Licensing Service CA, which still issued MD5-signed certificates, so Flame's binaries appeared to come from Microsoft. With that certificate they impersonated Windows Update on the local network (hijacking WPAD, a man-in-the-middle attack) and pushed Flame to other machines as a fake update. All of it was tightly controlled: a device was not infected unless it was interesting to the group operating it. Marvelous engineering, and the most serious kind of threat at the same time.
Even if you free yourself from every assumption in cybersecurity and, for example, stop blindly trusting the ~300 root certificates Windows ships with, nation-state actors also like stealthy hardware trojans, which the majority of companies are simply unable to detect and which operate at the CPU level or below (ring -3), so no security technology running on the host can identify them. A frequently cited example of hardware you cannot inspect is Intel ME/AMT: a management engine in the chipset of practically every Intel platform since 2008, running below the OS with its own firmware, and still powered on standby even when the computer or server appears to be off. Nation-state actors can implant their own hardware trojans of this kind. Security technologies today can barely detect even firmware rootkits, so do not expect miracles.
Targets are comparable to those of Cyber Terrorists: other nations' critical infrastructure, its suppliers, and big companies whose compromise could affect the economic situation of a whole state. One example from 2020: an APT group from China gained access to Taiwan's semiconductor industry. That is very valuable for a nation-state, because stolen chip designs let them find vulnerabilities in computing hardware, or alter the designs so that implants, in the form of hardware trojans, are manufactured in.
- We sorted adversaries by sophistication level and grouped them by severity.
- You know the motives, targets, and tools of each group.
- You understand that they cooperate and reuse each other's tools and services.
- You should now be able to identify which groups might apply to you or your company.
- Individuals and companies of any size are subject to attacks from Cyber Criminals.
- Insiders and threats from partners/suppliers apply to any company, but this topic will be covered in a separate article on the Insider Threat Program.
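The threat profiling the article asks you to do can be written down as rules, so it is repeatable and reviewable. Below is an added Python example, not part of the original article, that maps a few organisation attributes to the actor groups discussed above and to the DNSL level needed against them. The article fixes only DNSL 3 = Cyber Criminals; the levels for the other four groups follow the article's ordering by sophistication, and the attribute names, the 5000-employee threshold and the other rule details are assumptions made for the example.

```python
# Added example: a rule-based threat profile that maps a few organisation
# attributes to the actor groups above and to the DNSL level needed against
# them. The article fixes only DNSL 3 = Cyber Criminals; levels 1, 2, 4 and 5
# follow the article's ordering by sophistication and are assumptions, as are
# the attribute names and the thresholds in the rules.
from dataclasses import dataclass


@dataclass(frozen=True)
class OrgProfile:
    sector: str                    # e.g. "energy", "retail", "semiconductors"
    employees: int
    government_supplier: bool      # supplies, or has network access to, a government body
    critical_infra_supplier: bool  # supplies an operator in a critical sector
    public_controversy: bool       # lawsuits, political ties, environmental record, ...
    valuable_ip: bool              # designs, source code, research worth stealing


# Sectors the article lists as critical infrastructure.
CRITICAL_SECTORS = {
    "defense", "government", "communications", "energy",
    "emergency", "manufacturing", "chemical", "transportation",
}


def critical_exposure(org):
    """True when the organisation is, or supplies, a critical-sector target."""
    return (org.sector in CRITICAL_SECTORS
            or org.government_supplier
            or org.critical_infra_supplier)


# (actor group, assumed DNSL level, rule). Rules are evaluated independently,
# so an organisation can match several groups at once.
RULES = [
    ("Script Kiddies", 1, lambda org: True),
    ("Hacktivists", 2, lambda org: org.public_controversy or org.sector == "government"),
    ("Cyber Criminals", 3, lambda org: True),
    ("Cyber Terrorists", 4, critical_exposure),
    ("Nation-State / APT", 5, lambda org: critical_exposure(org)
                                       or org.valuable_ip
                                       or org.employees >= 5000),
]


def applicable_actors(org):
    """Actor groups whose rule matches the profile, as (group, level) pairs."""
    return [(group, level) for group, level, rule in RULES if rule(org)]


def required_dnsl(org):
    """The DNSL level to aim for: the highest level among the applicable groups."""
    return max(level for _, level in applicable_actors(org))


if __name__ == "__main__":
    # Constructed profiles: a small shop and a chip design house supplying a critical operator.
    shop = OrgProfile("retail", 40, False, False, False, False)
    fab = OrgProfile("semiconductors", 12000, False, True, False, True)
    for org in (shop, fab):
        print(org.sector, applicable_actors(org), "-> DNSL", required_dnsl(org))
```

Because two rules always match, every profile ends up at DNSL 3 at minimum, which is the article's point that Cyber Criminals apply to everyone; the profile only decides whether you must go beyond that.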
In the next article we will speak about Cyber Threat Intelligence, which is vital for knowing which groups target which industries and countries, what infrastructure they use, which malware they are armed with, and which TTPs help to attribute them. All of this information, from multiple sources, can be consumed in the form of IoCs (Indicators of Compromise), which you can use to spot their movements in your environment and take the necessary steps to detect or block an infection.
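As a taste of what "consuming IoCs" looks like in practice, here is an added Python example (not from the article or any product) that reads a small indicator feed in the defanged form most public reports use, normalises it, and matches it against proxy/DNS log lines. The feed entries, the actor tags ("apt-sample", "maas-dropper") and the log lines are constructed for this example, and the log format (timestamp, source IP, event) is an assumption.

```python
# Added example: consuming a small CTI feed as IoCs and matching it against
# proxy/DNS log lines. The feed entries, actor tags and log lines are
# constructed for this example; the log format (timestamp, source IP, event)
# is an assumption, not a real product's format.
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    kind: str    # "url", "domain", "ipv4", "md5", "sha1" or "sha256"
    value: str   # normalised (refanged, lower-case) value
    actor: str   # group or campaign the feed attributes it to


# Constructed feed in defanged form: kind, value, actor.
FEED = """
# kind, value, actor
url,    hxxp://update-check[.]example/api/beacon, apt-sample
ipv4,   198.51.100[.]23,                           apt-sample
domain, malware-cdn[.]invalid,                     maas-dropper
md5,    D41D8CD98F00B204E9800998ECF8427E,          maas-dropper
"""

# Constructed log lines: "<timestamp> <source IP> <event ...>".
SAMPLE_LOG = """
2021-02-14T10:01:05Z 10.0.0.15 GET http://update-check.example/api/beacon 200
2021-02-14T10:01:09Z 10.0.0.15 DNS malware-cdn.invalid A 198.51.100.23
2021-02-14T10:02:00Z 10.0.0.22 GET https://www.example.org/ 200
2021-02-14T10:03:12Z 10.0.0.15 DOWNLOAD invoice.exe md5=d41d8cd98f00b204e9800998ecf8427e
"""

URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value):
    """Undo common defanging so feed values compare equal to what logs contain."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp", "http", v)
    v = re.sub(r"[\[({]\.[\])}]", ".", v)   # [.] (.) {.}
    return v.replace("[:]", ":").replace("\\.", ".")


def parse_feed(text):
    """Feed lines are 'kind, value, actor'; blank lines and # comments are skipped."""
    indicators = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        kind, value, actor = (part.strip() for part in line.split(",", 2))
        indicators.append(Indicator(kind.lower(), refang(value), actor))
    return indicators


def observables(line):
    """Every (kind, value) pair in a log line that could be matched against the feed."""
    line = line.lower()
    found = set()
    for url in URL_RE.findall(line):
        found.add(("url", url))
        host = urlsplit(url).hostname
        if host:
            found.add(("domain", host))
    found.update(("ipv4", ip) for ip in IPV4_RE.findall(line))
    found.update((HASH_KINDS[len(h)], h) for h in HASH_RE.findall(line))
    found.update(("domain", host) for host in HOST_RE.findall(line))
    return found


def match_logs(indicators, lines):
    """(line number, source IP, kind, value, actor) for every IoC hit."""
    index = {(i.kind, i.value): i for i in indicators}
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        for kind, value in sorted(observables(line)):
            hit = index.get((kind, value))
            if hit is not None:
                hits.append((number, fields[1], hit.kind, hit.value, hit.actor))
    return hits


def actors_seen(hits):
    """How many IoC hits point at each actor, i.e. who is moving in your environment."""
    return Counter(hit[4] for hit in hits)


if __name__ == "__main__":
    found = match_logs(parse_feed(FEED), SAMPLE_LOG.strip().splitlines())
    for hit in found:
        print(hit)
    print(dict(actors_seen(found)))   # {'apt-sample': 2, 'maas-dropper': 2}
```

Two details matter in real use: normalise both sides the same way (refang, lower-case) or the comparison silently fails, and keep the actor tag on every hit, because the attribution is what tells you which group from this article is actually knocking on your door.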
“That’s out of scope.”
— said no adversary ever
You should read as much as you can from trusted sources, but here are a few reports for a start: CrowdStrike (Global Threat), CrowdStrike (Threat Hunting Report), Verizon (Data Breach Report), Check Point (Cyber Security Report)
📰 Related Articles
About Defensive Network -> Cyber Threat Actors (current) -> Cyber Threat Intelligence (next) -> Curated list of Cyber TI sources (soon)
🎬 This is not the end…
Get connected — Twitter, LinkedIn, Facebook.
Credit notes — Diagrams were created using diagrams.net. Images were used from Unsplash, official sites, or Wikipedia, if not stated otherwise.
Legal notes — Opinions expressed are solely my own and do not express the views or opinions of my employer or anyone else.
- If you like it, please share it! If not, constructive criticism is welcomed.
- You can use this content in your materials, but only if you attribute it.
- This article will be continuously updated, so feel free to bookmark it.
Last update: Feb-2021