IT Security 101: Threats and Threat Actors
Introduction
The term threat is often used to generalize bad things that can happen, or bad people who do bad things. It is important for defenders to separate these concepts, and use a common taxonomy to help standardize methods for identification, analysis, and mitigation. This is especially important when assessing risk, and selecting appropriate controls.
In this installment of ITSEC101, I will define threat, and take a close look specifically at threat actors. Look for future articles that will dig deeper into the topic.
Threat Defined
As with my ITSEC101 entry on vulnerabilities, I will begin by providing definitions from typical sources.
From Merriam-Webster:
“threat - noun
1 an expression of intention to inflict evil, injury or damage
2 one that threatens
3 an indication of something impending”
None of these definitions is quite right for the purposes of InfoSec and CyberSec. The first doesn’t work because there can be unintentional and accidental threats. The second only indicates the person or thing and again implies intention. The third doesn’t seem to imply a negative effect.
To find a more technically focused version, I turned to NIST. Unfortunately, they do not have a single definition. Their glossary shows 22 different definitions from various publications.
So, I suggest that when working from a specific publication, adopt whichever definition is used within it.
However, instead of wasting any more time trying to define the word, it is more useful to consider how it is used, and allow it to define itself.
Threat Usage
Overview
The term threat is not useful on its own. It needs some context.
The main reason for identifying threats is to know how and where to apply security controls. This is primarily accomplished through risk assessments, and more specifically the creation of qualitative and quantitative risk statements. Look for another ITSEC101 soon that takes a closer look at risk assessments. For now think of it like this:
A risk statement includes a threat, how often it might occur, the likelihood that its occurrence will result in a negative outcome, and what the result will be.
Threat is a subset of a risk statement. In very simple terms it can be stated as:
Something happens that has the potential to cause a negative effect.
Now, I’ll take a look at the various components of a threat in that context.
Threat Actor
This refers to the individual, organization, or the “Act of God” that has the potential to cause a negative effect. There are important distinctions to be made between them that help with assessing risk, such as different capabilities, frequencies, and intents.
Threat Source
This is a general term used to categorize threat actors. There are three:
Natural (e.g. the weather, seismic shifts, meteor showers, etc.)
Human (i.e. individuals and organizations)
Environmental (e.g. building fires, power failures, etc.)
Threat Vector
This is a generalized categorization of the pathways by which a threat actor gains access to a target.
Threat Event
This is the holistic combination of a threat actor and a threat vector. Note: it does not include the potential (i.e., likelihood and impact), which is determined during the risk assessment. This is the statement mentioned above: “Something happens that has the potential to cause a negative effect.” It refers to a negative situation that could happen given enough time, based on the features of a threat actor and threat vector. It is important to note the event can be intentional or unintentional.
Threat Potential
This describes the likelihood and impact of a threat event, and is determined when conducting a risk assessment. More on this in future articles.
Attempting to define threat is a challenge, but once its purpose is understood, it becomes useful.
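To make these components concrete, here is an added Python illustration (my own, not code from the article or from any standard): it models source, actor, vector, event and potential as separate types, so that a threat event can be recorded before its likelihood and impact are known, and it composes the risk statement described above from an event plus its potential. The three-level qualitative scale, the multiplicative scoring and the bucket thresholds are assumptions, and the register entries are constructed samples.

```python
from dataclasses import dataclass
from enum import Enum


class ThreatSource(Enum):
    """The three threat sources used to categorise actors."""
    NATURAL = "natural"
    HUMAN = "human"
    ENVIRONMENTAL = "environmental"


@dataclass(frozen=True)
class ThreatActor:
    """The catalyst: a person, group, or natural/environmental occurrence."""
    name: str
    source: ThreatSource
    intentional: bool  # natural and environmental actors never act with intent

    def __post_init__(self) -> None:
        if self.intentional and self.source is not ThreatSource.HUMAN:
            raise ValueError(f"{self.name}: only human actors can act intentionally")


@dataclass(frozen=True)
class ThreatVector:
    """The pathway by which the actor reaches the target."""
    name: str


@dataclass(frozen=True)
class ThreatEvent:
    """Actor plus vector. Deliberately carries no likelihood or impact."""
    actor: ThreatActor
    vector: ThreatVector
    outcome: str  # the negative effect that could result


# Assumed three-level qualitative scale (the article leaves the scale to a later piece).
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ThreatPotential:
    """Determined during risk assessment, separately from the event itself."""
    frequency: str   # how often the event might occur
    likelihood: str  # chance that an occurrence produces the negative outcome
    impact: str      # severity of that outcome

    def __post_init__(self) -> None:
        for value in (self.frequency, self.likelihood, self.impact):
            if value not in LEVEL:
                raise ValueError(f"unknown level {value!r}; expected one of {sorted(LEVEL)}")


def risk_rating(potential: ThreatPotential) -> str:
    """Assumed scoring: product of the three levels (1..27) bucketed into low/medium/high."""
    score = LEVEL[potential.frequency] * LEVEL[potential.likelihood] * LEVEL[potential.impact]
    if score >= 12:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def risk_statement(event: ThreatEvent, potential: ThreatPotential) -> str:
    """Render the four parts of a risk statement: threat, frequency, likelihood, result."""
    mode = "intentionally" if event.actor.intentional else "unintentionally"
    return (
        f"{event.actor.name} [{event.actor.source.value}] {mode} acts via {event.vector.name}; "
        f"frequency {potential.frequency}, likelihood {potential.likelihood} of {event.outcome}, "
        f"impact {potential.impact}; risk {risk_rating(potential)}"
    )


def sample_register() -> list[tuple[ThreatEvent, ThreatPotential]]:
    """Constructed sample entries covering each threat source (not real assessment data)."""
    crew = ThreatActor("cybercriminal group", ThreatSource.HUMAN, intentional=True)
    admin = ThreatActor("insider, accidental", ThreatSource.HUMAN, intentional=False)
    storm = ThreatActor("severe weather", ThreatSource.NATURAL, intentional=False)
    outage = ThreatActor("utility power failure", ThreatSource.ENVIRONMENTAL, intentional=False)
    return [
        (ThreatEvent(crew, ThreatVector("phishing email"), "ransomware on file servers"),
         ThreatPotential("high", "medium", "high")),
        (ThreatEvent(admin, ThreatVector("misconfigured share permissions"), "exposure of customer data"),
         ThreatPotential("medium", "medium", "high")),
        (ThreatEvent(storm, ThreatVector("flooding of the server room"), "loss of on-site systems"),
         ThreatPotential("low", "high", "high")),
        (ThreatEvent(outage, ThreatVector("loss of mains power"), "service downtime"),
         ThreatPotential("medium", "low", "low")),
    ]


if __name__ == "__main__":
    for event, potential in sample_register():
        print(risk_statement(event, potential))
```

Keeping the event and the potential as separate objects is the point of the design: the same event (a flooded server room) can be rated differently by two organisations, and the accidental insider entry shows why an actor's intent is a property of the actor, not of the event.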
Now, I will take a closer look at an important subset of the concept. For any given threat event, there is a catalyst - a thing that causes the event to occur.
That “thing” is referred to as the Threat Actor. It is most often an individual or group, however, it can also be a natural occurrence such as extreme weather, or a random event, such as a tree falling over.
Below is a list of the commonly recognized Threat Actors, and the distinguishing factors that help determine their potential (i.e. likelihood, and impact). This will be useful later when discussing risk assessments, risk treatments, and control selection.
Threat Actors
Threat actors are separated into categories based on common features such as motivation, targets, and capabilities. This helps when identifying and calculating risk.
For example, Nation States are generally considered to be the most dangerous because they are highly skilled, well-organized, well-funded and have national authority and sovereignty. Script-Kiddies, by contrast, are considered the least dangerous because they lack high-level skills, practical experience, and the means to acquire state-of-the-art tools. Further, they will most likely have different targets based on their motivations and capabilities.
I will describe each category based on their distinctions regarding motivations, targets, methods, and capabilities, and provide a couple of examples when possible.
Nation-State
Motivations: These individuals and groups are primarily motivated by the nation’s political and economic agenda, and strategic military goals.
General Activities: They conduct reconnaissance, espionage, disinformation, theft, and disruptions.
Targets: They target anyone considered an enemy, dissenter, or threat. They target major suppliers and vendors, government agencies, and technology leaders, to steal intellectual property and state secrets. They target critical sectors to disrupt and destabilize other nations. They target the citizens of other countries to spread disinformation and propaganda.
Methods: They use supply chain attacks, targeted phishing and malware campaigns, state-of-the-art toolsets, zero-day exploits, intellectual property theft, state secrets theft, disinformation campaigns, propaganda campaigns, and partnerships with cybercriminal organizations.
Capabilities: They are highly coordinated, hierarchical and very well-funded. They are expertly skilled, with access to state-of-the-art tools. They have knowledge of advanced cyber tactics and unknown exploits. They are able to silently infiltrate systems, maintain persistence and exfiltrate data. They maintain deniability through the use of cybercriminal organizations and other state-sponsored actors.
Examples: They consist of most, if not all, countries with cyber capabilities.
State-Sponsored
Motivations: These individuals and groups are motivated by financial gain, and political, national, religious and ideological allegiance to a Nation-State.
General Activities: They conduct reconnaissance, espionage, disinformation, theft, and disruptions.
Targets: Their targets are similar to those of their associated Nation-States.
Methods: They use the same methods as their Nation-State sponsors.
Capabilities: They have the same capabilities as their Nation-State sponsors apart from national authority and sovereignty.
Examples: APT1 (China), APT28 (Russia), Lazarus Group (North Korea)
Organized Crime Syndicate
Motivations: These individuals and groups are primarily motivated by financial gain and control over illicit markets.
General Activities: They conduct theft, extortion and fraud to achieve their goals, as well as activities that extend beyond the digital realm but leverage digital tools and infrastructure, such as drug and human trafficking, and money laundering.
Targets: They will often target high-profile organizations and individuals, including financial institutions and exchanges, supply chain industries, wealthy individuals, government agencies, e-commerce platforms and media streaming services.
Methods: They use cryptocurrency for money laundering, targeted malware campaigns, and targeted phishing campaigns.
Capabilities: They are coordinated, hierarchical and well-funded, with advanced tools and skills or the means to obtain and use them. They plan thoroughly and protect themselves both in the real world and digitally.
Examples: I am unable to uncover specific examples in reference to cybercrime, but it is assumed that this could refer to typical organized crime syndicates such as various gangs and mob-like organizations throughout the world.
Cybercriminal
Motivations: These individuals and groups are primarily motivated by financial gain.
General Activities: They conduct theft, extortion and fraud to achieve their goals. They might also sell their services.
Targets: They are often indiscriminate in their targets, but high-value, low-risk targets are generally preferred. For example, they might target a single entity or system, such as a financial institution, or a series of ATMs, or a large vulnerable population of victims, such as the elderly. They may also sell their tools or offer services-for-hire.
Methods: They use ransomware campaigns, credit card skimmers, phishing campaigns, and dark web markets.
Capabilities: They have advanced tools and skills, or the means to obtain and use them. They are potentially well-funded, increasingly so with each success.
Examples: REvil, DarkSide, Conti, Carbanak
Hacktivist
Motivations: These individuals and groups are primarily motivated by political, social or ideological causes.
General activities: They will conduct activities to raise awareness of a specific cause, or to bring light to unethical practices. They will conduct denial of service attacks to prevent an organization from conducting business, hack public facing systems to deface them and damage an organization’s reputation, leak sensitive and classified information to expose illegal and unethical practices, or “dox” those with whom they disagree.
Targets: They will target individuals and organizations associated with specific political activities, religious sects, and business practices, or who oppose their cause.
Methods: They use denial of service attacks and known exploits.
Capabilities: They tend to be unskilled and not well-funded. They may rely on known exploits and freely available tools.
Examples: Anonymous, The Impact Team, LulzSec
Insider
Motivations: These individuals or groups are primarily motivated by job dissatisfaction, or personal greed. They may also be motivated by political or ideological reasons.
General Activities: They will steal intellectual property, sabotage assets, disrupt systems and services, or commit fraud. They may also act unintentionally, such as by making mistakes, or being granted access outside the scope of their job duties or authority.
Targets: They will target their direct employer, or another organization where they are considered a trusted third party. In the case of accidental/unintentional events, they may have no target at all.
Methods: They use their inside knowledge and access, and moments of opportunity.
Capabilities: They may have intimate knowledge of systems and processes, allowing them to act in secret and cover their tracks. They may have special administrative and authoritative rights that allow them to perform high-level tasks, or grant them access to critical and sensitive data and systems.
Examples: Edward Snowden, Chelsea Manning
Unskilled/Untrained Hacker
Motivations: These individuals or groups are primarily motivated by curiosity and bragging-rights.
General Activities: They will hack systems to steal data, deface them, or simply to prove to themselves or others that they can.
Targets: They will target easily accessible systems, or potentially high-value targets to gain notoriety.
Methods: They use easily accessible tools, and well known vulnerabilities.
Capabilities: They tend to rely on ready-made, easily available tools, and lack practical experience or advanced knowledge. They tend to be noisy.
Examples: I do not have specific names to provide, but see the Mirai botnet attack from 2016, or the TalkTalk data breach from 2015.
The Divine
Motivations: none (or maybe not?)
General activities: Mother Nature and the Gods are mysterious and powerful. They may send tornadoes, storms, earthquakes, meteors, typhoons, tsunamis, hurricanes, and volcanic eruptions. They may decide that a tree should fall on a power line, or a squirrel should chew through an Ethernet cable. They may also cause epidemics and pandemics.
Targets: none (or maybe not?)
Methods: natural disasters, random events
Capabilities: They are capable of inflicting disastrous disruption and destruction.
Additional Insights
The Divine
A note on The Divine. This is another of my poor attempts at humor, and my general term for the “actor” behind all of the random events not directly attributable to humans and human error, that have the potential to cause a negative impact. This generally includes all natural and environmental sources. I use it to maintain a consistent approach to categorizing threats and conducting risk assessments. Such events are generally not mentioned during cybersecurity discussions, but this site is focused on all areas of IT security, and it is a very important concept. After all, natural disasters have extremely high potential impacts.
Insiders
In general, insiders are considered a major threat because of their company knowledge, and access to internal systems and data. However, they might lack advanced skills and tools, relying instead on their knowledge and their access rights. This highlights the importance of developing well-defined and specific threat scenarios when assessing risks. It is also important to remember that insiders are capable of accidental or unintentional threat events that can cause serious adverse effects.
Buzzwords
Some phrases sound cool, but hold no value. The term lone wolf is often listed as a type of threat actor used to refer to an individual, but it is redundant. It offers no specific insight into capability, and its motives are covered by other categories. Further, all categories of threat actors already include individuals and organizations. Stop using it. Similarly, the term cyber mercenary can go. There is already a category of cybercriminal that can be extended to include “mercenary” activities and methods, such as ransomware-as-a-service. I know it sounds cool, but it’s unnecessary. Lastly, I eschewed the term script-kiddy for the more professional unskilled/untrained hacker. I know it lacks the traditional nerdy/cyber/techy cultural cleverness, but there’s a time and a place.
Conclusion
Threats are everywhere and relentless. A successful defender must know how to identify those threats that are relevant to their situation, and how to select appropriate defenses. I hope this article has helped to clarify the concept in that context.
Daily Cuppa
Today’s cup of tea is simply Organic Green Tea provided by Newman’s Own. Organic, and non-profit. It is smooth, delicate, and packed with antioxidants for a gentle energy boost.
If you found this article useful, or enjoy the site in general, feel free to buy the author a cup of tea.