When considering attacks, it’s important to realize that there are several different types of threat actors, and they each have different attributes. If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of threat actor types and attributes.
For example, can you answer this question?
Q. The Marvin Monroe Memorial Hospital recently suffered a serious attack. The attackers notified management personnel that they encrypted a significant amount of data on the hospital’s servers and it would remain encrypted until the management paid a hefty sum to the attackers. Which of the following identifies the MOST likely threat actor in this attack?
A. Organized crime
B. Ransomware
C. Competitors
D. Hacktivist
More important, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Don’t let the phrase threat actors confuse you. It’s just a fancier name given to attackers—anyone who launches a cyber attack on others.
One common method attackers use before launching an attack is to gather information through open-source intelligence (OSINT). This includes any information that is publicly available via web sites and social media. For example, if attackers want the name of a company’s chief executive officer (CEO), they can probably find it on the company’s web site. Similarly, many organizations post information on social media sites such as Facebook and Twitter.
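As an added illustration of how little effort this reconnaissance takes (this is example code written for this post, not something from the study guide), the script below parses a constructed "Leadership" page, picks up the one e-mail address the page publishes, works out the company’s address convention from it, and then produces a likely address for every executive listed. The page, the people, and the domain example.com are all fictional and assumed for the demo.

```python
from html.parser import HTMLParser

# Constructed sample "Leadership" page for an offline demo. The company,
# people and domain (example.com) are fictional and not from the original post.
SAMPLE_PAGE = """
<html><body>
<h1>Leadership</h1>
<ul class="staff">
  <li><span class="name">Jane Q. Doe</span> - <span class="title">Chief Executive Officer</span></li>
  <li><span class="name">Robert Roe</span> - <span class="title">Chief Financial Officer</span></li>
  <li><span class="name">Alicia Smith</span> - <span class="title">IT Manager</span></li>
</ul>
<p>Press inquiries: <a href="mailto:robert.roe@example.com">robert.roe@example.com</a></p>
</body></html>
"""

# Common corporate e-mail address conventions to test against a known address.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "last.first": lambda f, l: f"{l}.{f}",
}


class StaffParser(HTMLParser):
    """Collects (name, title) pairs and any mailto: addresses from the page."""

    def __init__(self):
        super().__init__()
        self.people = []
        self.emails = []
        self._field = None
        self._current = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "span" and attrs.get("class") in ("name", "title"):
            self._field = attrs["class"]
        elif tag == "a" and attrs.get("href", "").startswith("mailto:"):
            self.emails.append(attrs["href"][len("mailto:"):].lower())

    def handle_data(self, data):
        if self._field is None:
            return
        self._current[self._field] = data.strip()
        self._field = None
        if "name" in self._current and "title" in self._current:
            self.people.append(self._current)
            self._current = {}


def split_name(full_name):
    """Return (first, last) in lower case, ignoring middle names and initials."""
    parts = full_name.lower().split()
    return parts[0], parts[-1]


def infer_format(people, emails):
    """Match a published address to a listed person to learn the naming convention."""
    for email in emails:
        local, _, domain = email.partition("@")
        for person in people:
            first, last = split_name(person["name"])
            for fmt, build in PATTERNS.items():
                if build(first, last) == local:
                    return fmt, domain
    return None, None


def build_targets(html):
    """Turn a public staff page into a likely e-mail address for each person listed."""
    parser = StaffParser()
    parser.feed(html)
    fmt, domain = infer_format(parser.people, parser.emails)
    if fmt is None:  # no published address to learn the convention from
        return []
    build = PATTERNS[fmt]
    return [
        {
            "name": p["name"],
            "title": p["title"],
            "email": f"{build(*split_name(p['name']))}@{domain}",
        }
        for p in parser.people
    ]


if __name__ == "__main__":
    for target in build_targets(SAMPLE_PAGE):
        print(f"{target['email']:32} {target['title']:26} {target['name']}")
```

The point for the exam, and for defenders, is that nothing here is hacking: the names, titles, and one address are all published by the organization itself, and from them an attacker has a ready-made target list for phishing or password spraying. Knowing what your own public pages give away is the first step in limiting that exposure.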
Types of Threat Actors
A script kiddie is an attacker who uses existing computer scripts or code to launch attacks. Script kiddies typically have very little expertise or sophistication, and very little funding. Many people joke about the bored teenager as the script kiddie, attacking sites or organizations for the fun of it. However, there isn’t any age limit for a script kiddie. More important, they can still get their hands on powerful scripts and launch dangerous attacks. Their motivations vary, but they are typically launching attacks out of boredom, or just to see what they can do.
A hacktivist launches attacks as part of an activist movement or to further a cause. Hacktivists typically aren’t launching these attacks for their own benefit, but instead to increase awareness about a cause. As an example, Deric Lostutter (known online as KYAnonymous) was upset about the rape of a Steubenville, Ohio, high school girl, and what he perceived as a lack of justice. He later admitted to participating in several efforts to raise awareness of the case, including targeting a web site run by one of the high school’s football players. Eventually, two high school football players were convicted of the rape. One was sentenced to a year in juvenile detention and served about 10 months. The other one was sentenced to two years and served about 20 months. Lostutter was ultimately sentenced to two years in federal prison.
An insider is anyone who has legitimate access to an organization’s internal resources. Common security issues caused by insider threats include loss of confidentiality, integrity, and availability of the organization’s assets. The extent of the threat depends on how much access the insider has. For example, an administrator would have access to many more IT systems than a regular user.
Malicious insiders have a diverse set of motivations. For example, some malicious insiders are driven by greed and simply want to enhance their finances, while others want to exact revenge on the organization. They may steal files that include valuable data, install or run malicious scripts, or redirect funds to their personal accounts.
Competitors can also engage in attacks. Their motivation is typically to gain proprietary information about another company. Although it’s legal to gather information using open-source intelligence, greed sometimes causes competitors to cross the line into illegal activity. This can be as simple as rummaging through a competitor’s trash bin, which is known as dumpster diving. In some cases, competitors hire employees from other companies and then get these new employees to provide proprietary information about their previous employer.
Organized crime is an enterprise that employs a group of individuals working together in criminal activities. This group is organized with a hierarchy with a leader and workers, like a normal business. Depending on how large the enterprise is, it can have several layers of management. However, unlike a legitimate business, the enterprise is focused on criminal activity. As an example, Symantec reported on Butterfly, a group of well-organized and highly capable attackers who steal market-sensitive information on companies and sell that information to the highest bidder. They have compromised some large U.S. companies, including Apple, Microsoft, and Facebook. Additionally, they have steadily increased their targets to include pharmaceutical and commodities-based organizations.
The primary motivation of criminals in organized crime is money. Almost all their efforts can be traced back to greed with the goal of getting more money, regardless of how they get it. However, because there isn’t a defined size for organized crime, their sophistication, resources, and motivations can vary widely. Imagine a group of 10 individuals decides to target a single company. They will probably have significantly less sophistication and resources than the criminals within Butterfly.
Some attackers are organized and sponsored by a nation-state or government. An advanced persistent threat (APT) is a group that has both the capability and the intent to launch sophisticated, targeted attacks against a network; the term is also commonly applied to the attack itself. APT groups typically have a significant amount of resources and funding. Additionally, they pursue very specific targets, such as a particular company, organization, or government agency. Successful attacks often give the attackers unauthorized access for long periods of time, allowing them to exfiltrate a significant amount of data.
Remember this
Organized crime elements are typically motivated by greed and money but often use sophisticated techniques. Advanced persistent threats (APTs) are sponsored by governments and they launch sophisticated, targeted attacks.
Q. The Marvin Monroe Memorial Hospital recently suffered a serious attack. The attackers notified management personnel that they encrypted a significant amount of data on the hospital’s servers and it would remain encrypted until the management paid a hefty sum to the attackers. Which of the following identifies the MOST likely threat actor in this attack?
A. Organized crime
B. Ransomware
C. Competitors
D. Hacktivist
Answer is A. This attack was most likely launched by an organized crime group because their motivation is primarily money.
While the scenario describes ransomware, ransomware is the malware, not the threat actor.
Competitors often want to obtain proprietary information and it would be very rare for a hospital competitor to extort money from another hospital.
A hacktivist typically launches attacks to further a cause, not to extort money.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on threats, vulnerabilities, and common attacks. The SY0-401 Study Guide also covers attacks in Chapters 6 and 7.