· State sponsored hackers – These are the big dogs. The anonymity of web-based attacks means that nation-states can achieve their more ethically questionable aims via puppet actors, making it extremely difficult to prove links between individual hacks and state-sponsored campaigns.
However, state-sponsored hackers are sometimes identifiable by their attack patterns and dedication to a specific target. They’re a tenacious breed - if you think you’re being targeted by a state-backed hacker (and aren’t a conspiracy theorist), you should be ready for a long struggle to throw them off.
· Ideological attackers – these threat actors, for example the hackers that targeted Dyn DNS systems, are intent on propagating their views with noisy, public attacks - website defacements and DDoS attacks, for example.
If after this sort of petulant demonstration they feel their message is not being heard, then they may look for a more spectacular platform upon which to propagate their doctrines. For some, that means espionage activity or strategic leaks of confidential documents in support of a broader information operations campaign; for others, it might simply mean a particularly mean series of insults on Twitter…
· Criminally motivated – Criminals have always been attracted to an easy buck, so it’s hardly a surprise that they’d take advantage of the way technology has evolved to fill our lives. So for example, malware with moderate antivirus detection that only looks for credit card data and point of sale services may indicate a moderately resourced attacker who is likely criminally motivated.
That’s a fairly well-prepared example. As well as the slightly bumbling phishing emails we’ve all encountered, cyber criminals can also come in two particularly dangerous forms:
o A) The silent attacker – cyber criminals may lay silently within an enterprise for months, biding their time until it’s the right moment to attack. Since some malware can edit its code once installed to mask its presence, these quiet lurkers embed themselves on a network to gather sensitive data in secret, either extracting personal details or monitoring communications, constantly feeding the results back while they wait for the opportune moment to strike.
o B) Sophisticated cyber criminals - on other occasions, the strategy of threat actors transitions from watching to attack. The tools in use are getting to sci-fi levels of sophistication. Highly resourced fraudsters can now use custom malware that surreptitiously replicates itself to thumbdrives to jump air-gapped networks and automatically looks for and collects documents with the keyword “SECRET”. Anything you try to hide is all the more likely to be found.
Not all adversaries are created equal and intent is rarely consistent across the board. For example, if your adversary is driven by espionage then you wouldn’t expect to see any defacement or ransomware activity. Instead, you need to be wary of sensitive information leaving your network.
Organisations that have a strong understanding of their adversaries and can develop persona-based intelligence capabilities will be better placed to automate their security operations, mitigate threats faster and adapt more quickly. Many question whether adversary intelligence is really a must-have, but knowing what they are up against will allow organisations to build more comprehensive mitigation strategies at a tactical level.