CTI Adversary/Threat Actor

In the first article we defined Cyber Threat Intelligence (CTI) and saw how closely it resembles traditional intelligence, with a couple of additional distinguishing factors. The most important of these is the focus on adversaries, otherwise known as threat actors. Analysts research these adversaries by collecting and analyzing information about an adversary’s background, motivations, and tactics in order to learn their patterns and produce an effective intelligence product.

Since adversary research is such a critical part of CTI, it is important to understand how threat actors are identified and categorized. Threat actors can be defined based on various factors, including motivations, resources, or group/organization affiliations. We will go through several types of threat actors so you can get a sense of who they are, what they do, and how they operate.

The list of threat actors active in the security landscape is never-ending because new types of threat actors emerge daily. Many of them target specific industries, which requires industry-specific definitions of adversaries and special investigations to implement effective CTI. We will focus on the more common threat actors that are not specific to any industry.

The following list shows the 4 most common threat actors/adversaries:

· Hacktivists
· Insider Threats
· Cyber Criminals
· Advanced Persistent Threats (APTs)

Hacktivists

The first threat actor we have is the Hacktivist, a clever name that hints at their motivations. They are activists with a cause or belief system behind their actions. There are many different examples of this type of attacker, ranging from righteous rebellion against an unjust system to simply destructive behavior for the purpose of fame. Attacks from these threat actors typically include defacing websites or some form of Denial of Service (DoS) attack to disrupt a business or government website. These groups usually band together through social media recruitment, and they are generally not well organized or sophisticated in their structure or attacks.

To pique your curiosity about these types of attacks, here is a link to a story about an Iranian hacktivist group called Adalat Ali (Ali’s Justice) that shed light on the abuse within Iran’s Evin prison (https://therecord.media/hacktivists-leak-videos-of-abuse-in-iran-evin-prison/).

Insider Threats

The Insider Threat is one of the most interesting actors on this list, because their access and opportunity let them conduct their attacks with relative ease, whether that means stealing money, financial data, confidential information, or Personally Identifiable Information (PII) to be sold on the dark web. Many times these threat actors act out of revenge for being treated poorly by their employer, or act in the service of a competitor to commit corporate espionage. Even though these attacks can be hard to detect, implementing company policies and tracking authorization logs and other characteristics of employee behavior can be effective tools.

It should be noted that insider threats also include those within a company who click on a suspicious link, download a suspicious file, or give away their company credentials. These threat actors have no malicious intent, but can still cause an enormous amount of damage to the business and its reputation.
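As an added illustration of the point above about tracking authorization logs and employee behavior (example code, not from the original article), here is a small Python triage script that runs over constructed authorization log lines and flags two behavioral signals an analyst would want to review: successful access to sensitive resources outside business hours, and repeated authorization denials on sensitive resources. The log format, the sensitive-resource prefixes, the business-hours window and the denial threshold are all assumptions.

```python
# Added example (not from the original article): triage constructed
# authorization log lines ("<ISO ts> <user> <action> <resource> <result>")
# for insider-threat signals. Format, prefixes, hours, threshold are assumed.
from collections import defaultdict
from datetime import datetime
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice READ hr/payroll ALLOW
2024-03-04T09:40:11 alice READ hr/payroll ALLOW
2024-03-04T10:05:45 bob READ eng/wiki ALLOW
2024-03-04T23:48:02 bob READ finance/ledger DENY
2024-03-04T23:49:30 bob READ finance/ledger DENY
2024-03-04T23:51:10 bob READ finance/ledger DENY
2024-03-05T02:10:00 carol READ hr/payroll ALLOW
2024-03-05T09:00:00 alice READ hr/payroll ALLOW
"""
SENSITIVE_PREFIXES = ("hr/", "finance/")  # assumed data-classification policy
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59 local, assumed policy
DENY_THRESHOLD = 3                       # denials per user before escalation

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "result": result})
    return events

def is_sensitive(resource):
    return resource.startswith(SENSITIVE_PREFIXES)

def find_insider_signals(events):
    """Return sorted (user, signal) pairs: off-hours sensitive access, and
    repeated sensitive denials (a user probing beyond their granted access)."""
    signals = set()
    denies = defaultdict(int)
    for e in events:
        if not is_sensitive(e["resource"]):
            continue
        if e["result"] == "DENY":
            denies[e["user"]] += 1
        elif e["ts"].hour not in BUSINESS_HOURS:
            signals.add((e["user"], "off_hours_sensitive_access"))
    for user, count in denies.items():
        if count >= DENY_THRESHOLD:
            signals.add((user, "repeated_sensitive_denials"))
    return sorted(signals)
```

On the sample data, `find_insider_signals(parse_log(SAMPLE_LOG))` surfaces bob for repeated denials on finance/ledger and carol for reading hr/payroll at 02:10; alice's daytime payroll reads and bob's wiki access are left alone.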

Cyber Criminals

This type of threat actor, typically motivated by monetary gain, now spans a large range of individuals and groups because of how easy it has become to commit cybercrime. As you may have seen in the news, there have been a large number of ransomware attacks in the past few years, and this can be partially attributed to the Ransomware as a Service (RaaS) model. Under this model, a criminal organization gives any individual or group with little to no technical skill the means to conduct a ransomware attack in exchange for a fee and a percentage of the earnings from the attack. This significantly lowers the bar for entry into cybercrime.

As for the other cybercriminals, they have become more organized and are able to monetize their crimes more easily through the dark web and cryptocurrency transactions, where they can be hired to conduct cyberattacks or easily sell stolen information. The dark web is also a recruitment platform where criminal enterprises can recruit hackers or obtain sophisticated malware to be used in other cybercrimes.

APTs

APTs are by far the most sophisticated and organized of the adversaries presented in this article. They are typically formed and trained by a nation-state and are used to gain an advantage over that nation’s enemies through various forms of cyberespionage. Because they are affiliated with a nation-state, they may be part of a nation’s military or international espionage organization that works solely in the interests of their nation. In addition to the expert training they receive, they are granted access to plenty of personnel in service to the cause, up-to-date resources, and support from their government. These factors allow these groups to wage a much longer and more persistent campaign with relative ease. This is how these groups are able to conduct the sophisticated attacks that have been reported in the news, one of the most notable recent examples being SolarWinds, conducted by APT29 (Cozy Bear).

To get a better understanding of these groups, their agendas, and how they operate using sophisticated malware and techniques, visit the FireEye APT page for more information (https://www.mandiant.com/resources/apt-groups).

As you can see, even among this small portion of threat actors, there is huge variance in the characteristics of these attackers. This is why a systematic and effective way of researching and rating threat actors was developed. In the next article we will go over how Indicators of Compromise (IOCs) are correlated to certain threat actors based on historical and contextual evidence. Then we will show how different types of IOCs are rated on David Bianco’s Pyramid of Pain and why some IOCs rank higher on the pain scale than others.

There is a lot to look forward to in the coming articles. I hope you enjoy it and keep coming back for more!

Hackhouse.net Author

Lou Dell’Italia

https://www.linkedin.com/in/lou-dell-italia-43745a82/

Suggested Resources:

Mark Lowenthal – Intelligence: From Secrets to Policy (https://www.amazon.com/gp/product/B07YHZMBYB/ref=dbs_a_def_rwt_bibl_vppi_i0)

John Friedman & Mark Bouchard – Definitive Guide to Cyberthreat Intelligence (https://cryptome.org/2015/09/cti-guide.pdf)

Recorded Future – Threat Intelligence Handbook

Recorded Future – Threat Intelligence (https://www.recordedfuture.com/threat-intelligence/)

James Dietle – Effective Threat Intelligence
