Cyber attacks are not accidents of nature. Behind every attack is an individual with objectives that they are trying to achieve. Understanding the profile of the person behind the attacks allows us to identify what they might be after, how they might go about getting it, and how we may best be able to stop them.
Broadly speaking we can divide threat actors into three groups:
Hooligans – This group is seeking to cause visible disruption. This could be for personal satisfaction, to raise their profile within a peer group, or to settle a grievance. The tools and techniques used in the attack are unlikely to be sophisticated or bespoke. If the attack is part of an on-going campaign, the attackers may be tenacious and persistent, but they are likely to be ‘noisy’ and to leave plenty of evidence of an impending attack.
Criminals – The vast majority of cyber attacks are criminal in nature: someone trying to make an illicit financial gain. Con-artistry, extortion and kidnapping are age-old criminal business models; in their modern guise we encounter them as phishing, denial-of-service and ransomware. The method of making money is the same, but the techniques and ambition have been updated for the 21st century.
Criminal gangs can be incredibly inventive and technically sophisticated. More often, however, criminals stick with the techniques they are familiar with, presumably because they know those techniques are profitable.
Familiar with laundering the proceeds of their crimes and adept at masking their real identities, proficient criminals far too often remain at large instead of being held to account for their actions.
Advanced persistent threats – Although the efforts of the shadowy APT threat actors, suspected of state backing, tend to make the headlines, their attacks are a very small proportion of the total. Nevertheless, their attacks are characterised by skill, sophistication, access to resources and, importantly, patience.
Their goals often appear to be the gathering of sensitive information; however, they can be destructive in nature, and they may compromise the systems of third parties (suppliers, service providers) in order to conduct attacks against a final target.
It’s not necessary to know the exact identity of a threat actor in order to build up defences. Organisations should be aware of the nature of the threat actors who may target them and prepare accordingly. There are many case studies and published examples of attacks by various types of threat actors which can be used to consider how existing defences could protect or detect the attack.
For example, hooligans frequently discuss and co-ordinate their campaigns over social media. Would you be able to identify if the name of your organisation or its brands were mentioned as a target for a forthcoming attack? If so, how would you prepare? Do you have denial of service (DoS) mitigation already in place, or could it be deployed in time?
Similarly, hooligan threat actors may seek to discredit an organisation by taking control of the organisation’s social media accounts. Businesses need to ensure they have two-factor authentication enabled for social media accounts, so that a disclosed password alone would not let an attacker into the account. Also, everyone with access to the organisation’s social media accounts needs to be trained in how to spot and report phishing – and that includes the intern.
Criminal attacks are relentless. Organisations are bombarded with phishing emails and attempts to get malware inside the organisation. Perimeter defences are excellent at repelling these attacks, but we must be mature enough to recognise that these defences are not infallible.
How would the security team identify a successful infiltration before it resulted in a data breach? How would teams react to resolve an infiltration and expel attackers from their systems?
These are all good questions to have answered in advance, and they matter even more when tackling Advanced Persistent Threat (APT) actors. Not every organisation will face APT attacks. Although protecting against attackers with the skill and patience to persist and wait within a compromised system for months before advancing their attack is difficult, it is not impossible.
The malware and command and control traffic of APT threat actors do leave traces, which can be detected. However, it takes a well-drilled and prepared security team to identify and prioritise such information.
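One concrete trace that command and control traffic leaves is timing: an implant that checks in on a schedule produces outbound connections to the same destination at near-regular intervals, with near-constant request sizes, which stands out against the irregular pattern of human browsing. The following is an added example, not code from the original post, showing how a team might surface such pairs from proxy logs. The log lines, the client addresses and the host `beacon.example` are constructed for the example; the thresholds (`min_events`, `max_interval_cv`, `max_size_cv`) are illustrative assumptions that a real deployment would tune against its own baseline.

```python
"""Beacon detection over constructed proxy logs (added example).

Flags source/destination pairs whose outbound connections recur at
near-regular intervals with near-constant request sizes, the kind of
trace a scheduled command-and-control check-in leaves behind.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: timestamp, client, destination host, bytes sent.
# The host beacon.example and the addresses are hypothetical; 10.0.0.7
# checks in roughly every 60 seconds, while 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.7 beacon.example 412
2024-03-01T09:00:00 10.0.0.9 www.example.org 1200
2024-03-01T09:01:02 10.0.0.7 beacon.example 410
2024-03-01T09:01:30 10.0.0.9 cdn.example.org 53210
2024-03-01T09:02:01 10.0.0.7 beacon.example 415
2024-03-01T09:02:55 10.0.0.9 www.example.org 980
2024-03-01T09:02:59 10.0.0.7 beacon.example 411
2024-03-01T09:04:00 10.0.0.7 beacon.example 413
2024-03-01T09:04:12 10.0.0.9 www.example.org 4410
2024-03-01T09:05:01 10.0.0.7 beacon.example 414
2024-03-01T09:06:00 10.0.0.7 beacon.example 412
2024-03-01T09:06:48 10.0.0.9 cdn.example.org 77230
2024-03-01T09:07:02 10.0.0.7 beacon.example 410
"""


def parse_log(text):
    """Group (timestamp, bytes_sent) events by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(sent)))
    return events


def coefficient_of_variation(values):
    """Population std-dev divided by mean; low values mean 'very regular'."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(text, min_events=5, max_interval_cv=0.15, max_size_cv=0.2):
    """Return the client/destination pairs that look like scheduled check-ins.

    A pair is flagged when it has at least min_events connections and both
    the gaps between connections and the request sizes vary very little.
    """
    findings = []
    for (src, dst), evs in parse_log(text).items():
        if len(evs) < min_events:
            continue
        evs.sort()
        times = [t for t, _ in evs]
        sizes = [s for _, s in evs]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(evs),
                "mean_interval_s": round(mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Two caveats a team would need to keep in mind: attackers add jitter to their check-in interval precisely to raise the interval variation, so the thresholds trade false negatives against false positives, and plenty of legitimate software (update checks, telemetry agents) beacons just as regularly. The output is therefore a prioritised list for an analyst to investigate, which is the "identify and prioritise" step above, not a verdict on its own.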
A strong cyber defensive posture is built on many overlapping layers of security systems. Considering who might attack you, how they could do it, and what their attack might look like within your systems is a very good exercise: it spots weaknesses that may let an attacker slip through, and it trains teams to better recognise the attack when it does happen.
Like I said – protecting against threat actors is difficult, but it can be done. You just have to get into the mind of one.