Common Threat Actors

###What are Threats? A threat is a danger that can be exploited in a vulnerability.

###What are Threat Actors This is an actor who generates adverse effects on an organization.

###Actor Categorization ####Cyber Criminals

  • Hackers or crackers who are looking to make money off malicious and illegal activity.
  • Very varied skill levels

Nation States

These are government backed hacking groups. These have a very high level of technical sophistication and resources. These can be referred to as APTs or Advanced Persistent Threats.

Hacktivists

These are individuals or groups that are socially or politically motivated and use cyber attacks to express their view or beliefs.

Insider Threat

These are people who are intentionally or unintentionally abusing their power and knowledge of an organisation. They often leak classified information.

Actor Motivations

  • Financial motives - making money for either themselves, groups or government/companies
  • Political Motives- often governments attacking enemy governments. Could also be hacktivists who don’t agree with something political or want to try and get a particular candidate elected.
  • Social Motives - usually individuals who want to make a statement or gain a reputation.
  • Unknown Motives - motives of the hacker are not clear.

Naming Conventions

  • Different vendors use different naming conventions
  • Crowdstrike use animals to categorise a group or different nation states
  • Mandiant uses a code numbering system E.G. APT1, APT2…

What are APTs

  • Advanced Persistent threats
  • Most feared security concern
  • Groups of highly skilled hackers
  • Can deliver maximum long lasting damage to companies and corporations
  • APTs have a huge amount of funding and resources.
  • They focus on financial, political or military targets
  • They use advanced tools, attack frameworks, malware and exploits.
  • There attacks are often long term and nee maintained access to the network

TTP

  • Tools Techniques and procedures
  • These are actions attackers take when conducting cyber attacks.
  • Used by the blue team to track different tactics which are being utilised.

Mitre att&ck framework splits these down into 12 categories: 1.Initial Access

  1. Execution
  2. Persistence
  3. Privilege Escalation
  4. Defence Evasion
  5. Credential Access
  6. Discovery
  7. Lateral Movement
  8. Collection
  9. Command and Control
  10. Exfiltration
  11. Impact