Threat actor

From Wikipedia, the free encyclopedia

A threat actor, bad actor or malicious actor is either a person or a group of people that take part in an action intended to cause harm to the cyber realm, including computers, devices, systems, or networks.[1] The term is typically used to describe individuals or groups that perform malicious acts against a person or an organization of any type or size. Threat actors engage in cyber-related offenses to exploit open vulnerabilities and disrupt operations.[2] Threat actors have different educational backgrounds, skills, and resources.[1] The frequency and classification of cyber attacks change rapidly. The background of threat actors helps dictate who they target, how they attack, and what information they seek. There are a number of threat actor types, including cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors.[3] These threat actors all have distinct motivations, techniques, targets, and uses of stolen data.[4] See Advanced persistent threats for a list of identified threat actors.

Background

The development of cyberspace has brought both advantages and disadvantages to society. While cyberspace has helped further technological innovation, it has also brought various forms of cyber crime.[2] Since the dawn of cyberspace, individual, group, and nation-state threat actors have engaged in cyber-related offenses to exploit victim vulnerabilities.[2] There are a number of threat actor categories, each with different motives and targets.

Financially motivated actors

Cyber criminals have two main objectives. First, they want to infiltrate a system to access valuable data or items. Second, they want to ensure that they avoid legal consequences after infiltrating a system. Cyber criminals can be broken down into three sub-groups: mass scammers/automated hackers, criminal infrastructure providers, and big game hunters.[3]

Mass scammers and automated hackers include cyber criminals who attack a system to gain monetary success. These threat actors use tools to infect an organization's computer systems. They then seek financial compensation from victims in exchange for retrieving their data.[2] Criminal infrastructure providers are a group of threat actors that aim to use tools to infect the computer system of an organization. Criminal infrastructure providers then sell access to the organization's infrastructure to an outside organization so that it can exploit the system. Typically, victims of criminal infrastructure providers are unaware that their system has been infected.[2] Big game hunters are another sub-group of cyber criminals that aim to attack one single, high-value target. Big game hunters spend extra time learning about their target, including the system architecture and other technologies used by their target. Victims can be targeted by email, phone attacks, or social engineering.[2]

Nation-state actors

Nation-state threat actors aim to gain intelligence of national interest. Nation-state actors can be interested in a number of sectors, including nuclear, financial, and technology information.[2] There are two ways nations use nation-state actors. First, some nations make use of their own governmental intelligence agencies. Second, some nations work with organizations that specialize in cyber crime. States that use outside groups can be tracked; however, states might not necessarily take accountability for the acts conducted by the outside group. Nation-state actors can attack both other nations and outside organizations, including private companies and non-governmental organizations. They typically aim to bolster their nation-state's counterintelligence strategy.[2] Nation-state attacks can include strategic sabotage or critical infrastructure attacks. Nation-states are considered a very large group of threat actors in the cyber realm.[5]

Ideologues (hacktivists and terrorists)

Threat actors that are considered ideologues include two groups of attackers: hacktivists and terrorists. These two groups of attackers can be grouped together because their goals are similar. However, hacktivists and terrorists differ in how they commit cyber crimes.

Hacktivism is a term that was coined in the early days of the World Wide Web. It is derived from a combination of two words: hacking and activism.[2] Hacktivists typically are individuals or entities that are ready to commit cyber crimes to further their own beliefs and ideologies.[3] Many hacktivists are anti-capitalist or anti-corporate idealists, and their attacks are inspired by related political and social issues.[2] Terrorism includes individuals or groups of people that aim to cause terror to achieve their goals. The main difference between hacktivists and terrorists is their end goal. Hacktivists are willing to break security laws to spread their message, while terrorists aim to cause terror to achieve their goals. Ideologues, unlike other types of threat actors, are typically not motivated by financial incentives.[2]

Thrill seekers and trolls

A thrill seeker is a type of threat actor that attacks a system for the sole purpose of experimentation.[3] Thrill seekers are interested in learning more about how computer systems and networks operate and want to see how much data they can infiltrate within a computer system. While they do not aim to cause major damage, they can cause problems for an organization's system. As time has gone on, thrill seekers have evolved into modern trolls. Similar to thrill seekers, a troll is a type of person or group that attacks a system for recreation. However, unlike thrill seekers, trolls aim to cause malice.[2] Modern-day trolls can spread misinformation and cause harm.

Insiders and competitors

Insiders are a type of threat actor that can be either an insider who sells network information to other adversaries or a disgruntled employee who feels the need to retaliate because they believe they have been treated unfairly.[3] Insider attacks can be challenging to prevent; however, with a structured logging and analysis plan in place, insider threat actors can be detected after a successful attack. Business competitors can be another threat actor that can harm organizations. Competitors can gain access to organization secrets that are typically kept secure. Organizations can try to gain a stronger knowledge of business intelligence to protect themselves against a competitor threat actor.[3]

Organizations that identify threat actors

Government organizations

United States (US) - National Institute for Standards and Technology (NIST)

The National Institute for Standards and Technology (NIST) is a government agency that works on issues dealing with cyber security at the national level. NIST has written reports on cyber security guidelines, including guidelines on conducting risk assessments.[6] NIST typically classifies cyber threat actors as national governments, terrorists, organized crime groups, hacktivists, and hackers.[7]

European Union (EU) - The European Union Agency for Cybersecurity (ENISA)

The European Union Agency for Cybersecurity is a European Union-based agency tasked with working on cyber security capabilities. ENISA provides both research and assistance to information security experts within the EU.[8] This organization published a cyber threat report up until 2019. The goal of this report is to identify incidents that have been published and attribute those attacks to the most likely threat actor. The latest report identifies nation-states, cyber criminals, hacktivists, cyber terrorists, and thrill seekers.[3][8]

United Nations (UN)

The United Nations General Assembly (UNGA) has also been working to bring awareness to issues in cyber security. The UNGA came out with a report in 2019 regarding developments in the field of information and telecommunications in the context of international security.[3][9] This report identified the following threat actors: nation-states, cyber criminals, hacktivists, terrorist groups, thrill seekers, and insiders.[3][9]

Canada - Canadian Centre for Cyber Security (CCCS)

Canada defines threat actors as states, groups, or individuals who aim to cause harm by exploiting a vulnerability with malicious intent. A threat actor must be trying to gain access to information systems to access or alter data, devices, systems, or networks.[10]

Japan - National Center of Incident Readiness and Strategy (NISC)

The Japanese government's National Center of Incident Readiness and Strategy (NISC) was established in 2015 to create a "free, fair and secure cyberspace" in Japan.[11] The NISC created a cybersecurity strategy in 2018 that identifies nation-states and cybercrime as some of the key threats.[12] It also indicates that terrorist use of cyberspace needs to be monitored and understood.[12]

Russia - Security Council of the Russian Federation

The Security Council of the Russian Federation published a cyber security strategy doctrine in 2016.[13] This strategy highlights the following threat actors as a risk to cyber security measures: nation-state actors, cyber criminals, and terrorists.[3][13]

Non-Government Organizations

CrowdStrike

CrowdStrike is a cybersecurity technology and antivirus company that publishes an annual threat report. The 2021 Global Threat Report identifies nation-states and cybercriminals as two major threats to cyber security.[14]

FireEye

FireEye is a cybersecurity firm that is involved with detecting and preventing cyber attacks. It publishes a report on detected threat trends annually, containing results from its customers' sensor systems.[15] Its threat report lists state-sponsored actors, cyber criminals, and insiders as current threats.[16]

McAfee

McAfee is an American global computer security software company. The company publishes a quarterly threat report that identifies key issues in cybersecurity.[17] The October 2021 threat report outlines cybercriminals as one of the biggest threats in the field.[17]

Verizon

Verizon is an American multinational telecommunications company that has provided a threat report based on past customer incidents. It asks the following question when defining threat actors: "Who is behind the event? This could be the external 'bad guy' who launches a phishing campaign or an employee who leaves sensitive documents in their seat back pocket."[18] The report outlines nation-state actors and cybercriminals as two types of threat actors.[18]

Techniques

Phishing

Phishing is one method that threat actors use to obtain sensitive data, including usernames, passwords, credit card information, and social security numbers. Phishing attacks typically occur when a threat actor sends a message designed to trick a victim into either revealing sensitive information to the threat actor or deploying malicious software on the victim's system.[19]

Cross-Site Scripting

Cross-site scripting is a type of security vulnerability that arises when a threat actor injects a client-side script into an otherwise safe and trusted web application.[20] The injected script then executes on the victim's side, which allows the threat actor to access sensitive data.[21]

SQL Injections

SQL injection is a code injection technique used by threat actors to attack data-driven applications. Threat actors can inject malicious SQL statements. This allows threat actors to extract, alter, or delete victims' information.[21]
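The following is an added illustration of the injection described above and of its standard mitigation; it is not part of the original article. It builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation (the vulnerable form) and once with a bound parameter (the hardened form), and shows that only the concatenated query lets a crafted username change the statement's meaning.

```python
import sqlite3

# Constructed sample data standing in for a data-driven application's user table.
SAMPLE_USERS = [("alice", "alice-secret"), ("bob", "bob-secret")]

# Constructed sample input: a username that contains SQL syntax.
INJECTED_USERNAME = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the caller's text becomes part of the SQL statement,
    so quote characters in it are parsed as SQL rather than treated as data."""
    sql = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, so the statement's structure cannot be altered by the input."""
    sql = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare_row_counts(username: str) -> tuple:
    """Return (rows from the vulnerable lookup, rows from the hardened lookup)
    for the same username, so the difference in behaviour is directly visible."""
    conn = build_db()
    return (len(lookup_concatenated(conn, username)),
            len(lookup_parameterized(conn, username)))


if __name__ == "__main__":
    print("benign input  :", compare_row_counts("alice"))
    print("injected input:", compare_row_counts(INJECTED_USERNAME))
```

For the benign name both lookups return the single matching row; for the crafted input the concatenated query returns every row in the table while the parameterized query returns none, because it searched for the literal string.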

Denial of Service Attacks

A denial-of-service attack (DoS attack) is a cyber-attack in which a threat actor seeks to make a resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a network host. Threat actors conduct a DoS attack by overwhelming a network with false requests to disrupt operations.[21]

References

  1. "Cybersecurity Spotlight - Cyber Threat Actors". CIS. Retrieved 2021-11-13.
  2. Pawlicka, Aleksandra; Choraś, Michał; Pawlicki, Marek (2021-10-01). "The stray sheep of cyberspace a.k.a. the actors who claim they break the law for the greater good". Personal and Ubiquitous Computing. 25(5): 843–852. doi:10.1007/s00779-021-01568-7. ISSN 1617-4917. S2CID 236585163.
  3. Sailio, Mirko; Latvala, Outi-Marja; Szanto, Alexander (2020). "Cyber Threat Actors for the Factory of the Future". Applied Sciences. 10(12): 4334. doi:10.3390/app10124334.
  4. https://www.rand.org/content/dam/rand/pubs/testimonies/CT400/CT490/RAND_CT490.pdf
  5. "ENISA Threat Landscape Report 2018". ENISA. Retrieved 2021-11-14.
  6. Ross, Ronald S. (2012-09-17). "Guide for Conducting Risk Assessments".
  7. "Cyber Threat Source Descriptions | CISA". us-cert.cisa.gov. Retrieved 2021-12-07.
  8. "ENISA Threat Landscape Report 2018". ENISA. Retrieved 2021-12-07.
  9. "A/74/120 - E - A/74/120 - Desktop". undocs.org. Retrieved 2021-12-07.
  10. Canadian Centre for Cyber Security (2018-08-15). "Canadian Centre for Cyber Security". Retrieved 2021-12-07.
  11. "National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) Japan". www.cybersecurityintelligence.com. Retrieved 2021-12-07.
  12. "National center of Incident readiness and Strategy for Cybersecurity | NISC". www.nisc.go.jp. Retrieved 2021-12-07.
  13. "Совет Безопасности Российской Федерации" [Security Council of the Russian Federation]. www.scrf.gov.ru. Retrieved 2021-12-07.
  14. "2021 CrowdStrike Global Threat Report". go.crowdstrike.com. Retrieved 2021-12-07.
  15. "[Report] M-Trends 2021". FireEye. Retrieved 2021-12-07.
  16. "[Report] M-Trends 2021". FireEye. Retrieved 2021-12-07.
  17. "McAfee Labs Threats Reports – Threat Research | McAfee". www.mcafee.com. Retrieved 2021-12-07.
  18. "2021 DBIR Master's Guide". Verizon Business. Retrieved 2021-12-07.
  19. "What Is Phishing? Examples and Phishing Quiz". Cisco. Retrieved 2021-12-08.
  20. "Cross Site Scripting (XSS) Software Attack | OWASP Foundation". owasp.org. Retrieved 2021-12-08.
  21. "What is a Web Application Firewall? | WAF Explained | CrowdStrike". crowdstrike.com. Retrieved 2021-12-08.