Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Pascal Geenens of Radware examines the five main threat actors to enterprises and strategizes how to defend against them.
In a post-pandemic world, companies face a rising tide of threats on many fronts, from cyber-attacks and digital espionage to misinformation and a volatile political landscape. To respond and protect your organization from this array of threats and threat actors, it’s essential to understand the actors’ motivations and their tactics, techniques, and procedures.
Modeling the threat landscape is a critical step in anticipating the effect of external influences such as geopolitics, pandemics, and new security threats. It can help your organization implement a focused security strategy that aligns with and protects your organization’s most valuable resources. When referring to these actors, security professionals often use terms such as hackers, attackers, and threat actors interchangeably, usually in different contexts, even though there are important distinctions.
- Threat Actor: A person, group, or organization with malicious intent. A threat actor may or may not have IT skills; some specialize instead in psychological cyber warfare and mis- or disinformation campaigns.
- Hacker: A person with adept technical skills who may or may not have malicious intent. “Hacker” typically indicates a highly motivated and curious person who likes to understand, invent, create, and manipulate systems.
- Attacker: A person, group, or organization that acts with malicious intent.
When we focus on threat actors, we group them into five categories based on their motivations and objectives.
5 Main Threat Actors and How to Defend Against Them
Nation-States
Through their intelligence services, national governments seek to influence, disrupt, and politically or economically compromise other nations. They are among the most notorious threats because the impact and scale of their attacks can influence change in a region, create chaos, or leave citizens in panic.
Although some nation-state threat groups are capable of sophisticated attacks, most activity is performed through simple attack vectors commonly used by other groups or actors. The priority is to execute successful missions as covertly as possible without being identified. Increasingly, nation-states are using technology as a weapon of war. In some cases, cyber and physical warfare are combined to generate chaos or economic and political uncertainty to destabilize regimes or weaken competing nations.
For example, the Industroyer2 malware was used by Sandworm in a failed attempt to cut the electrical power in Ukraine, and the Stuxnet virus was used by the U.S. against Iran to damage Iran’s nuclear program. Cyber espionage infiltrates research facilities through a global medium with no concept of borders or regulation. These actors operate from the convenience of safe, low-exposure, comfortable, and resourceful workplaces. Nations have never enjoyed a better operating environment for gathering intelligence.
Organized Crime
Almost all organized crime groups use technology to manage their actions, and some specialize in using technology to commit cyber-crimes. Even nation-state-employed actors likely perform cyber-criminal activity after hours for personal gain. As more people and devices become connected, cyber-criminals find new ways to profit. Instead of anonymously selling drugs and stolen goods on the street for unmarked cash, that activity has moved online for anonymous cryptocurrency. Today, it’s all about “cyber-crime as a service”: hacking, bulletproof hosting, ransomware attacks, DDoS attacks, industrial espionage, extortion, and financial theft. It is all available.
You might assume these threat actors would avoid attention, yet their crimes are often highly publicized. Many organized criminals even leverage media attention to promote their activities, putting increased pressure on victims to comply. If they don’t, outages can be massive and sensitive data can be shared on the darknet to apply more pressure. Because profits are so significant, it is nearly impossible to eliminate the threat as criminals continually refine their efforts to crack the latest security defenses. One way to eliminate the threat is to devalue their marketplaces, but is it possible to decrease the value of personal data or the reputation of a business? Prevention is nearly impossible in a culture dependent on cyber activity where threat actors are organized.
Hacktivists
In general, hacktivists are considered low-risk threat actors, but they should not be dismissed. One reason they can pose a formidable threat is their hive mindset. They collectively respond to an event and amplify information within hours, putting severe pressure on the unprepared. Their actions are noticeable because of their impact and the media attention they generate. Hacktivists range from concerned, digitally savvy citizens to nation-states.
In the digital world, hacktivists take civil disobedience to new heights far beyond traditional protests. Hacktivism combines grassroots activism with the tactics, techniques, and procedures of a malicious hacker. These individuals are driven to action by anti-government motives, corporate wrongdoing, or social injustice. They pursue their ends by exposing and leaking data and degrading and disrupting networks. Their toolsets range from rentable and straightforward to sophisticated and advanced.
Hackers
Previously, “hacker” described someone with advanced computer skills or who likes to tinker with electronics. Today, the term often describes a person leveraging computer resources for malicious purposes. Not all hackers are threat actors, however, which makes it complicated to differentiate between them. In general, we divide hackers into black hat, white hat, and gray hat hackers.
A hacker’s background can be extensive and diverse and include those without any formal technical training or knowledge. As for skillsets, hackers in all three groups range from common “script kiddies” (skids) to advanced programmers. While their activities range from noble to malicious, ultimately, they all operate for thrills and bragging rights.
Most people assume other threat groups are more advanced, yet some of the most sophisticated and technical people are white-hat hackers. Their work, whitepapers, and discoveries are often weaponized by other threat groups who lack ethics and morals. Classifying hackers can be complex, with actors occupying multiple threat groups at the same time. Understanding whom you are dealing with will help you approach each situation correctly.
Disgruntled Insiders and Customers
Perhaps the most challenging threat to detect and mitigate originates from the circle of trust. Disgruntled insiders are current or former employees who operate out of malice or neglect. They can commit financial fraud, steal data, sell trade secrets, intentionally sabotage operations, or willfully neglect to respond to computing issues. The damage they inflict can be significantly worse than that of other threat actors because they already have initial access and internal knowledge that the other groups lack.
The background of a disgruntled insider is not complex. They are usually employees who join the company with good intentions. They can be your best or worst employees. However, when a triggering event arises, their motives can range from simple rage and revenge to calculated malice. Their tactics are simple, which makes them more difficult to detect. Because they already have access, they do not need to maintain persistence or move laterally. They often act within their own domain, looking to cause as much damage as they see fit. This can include simply copying and pasting trade secrets for future competitive use, intentionally deleting or damaging infrastructure or data during or after termination, or simply neglecting to secure critical infrastructure.
These threat actors are difficult to mitigate, since some actions they take can be viewed as non-malicious or negligent. Regardless, their actions are notable and newsworthy because they can topple corporations and generate massive media attention long after the hack is complete. Understanding how and why employees turn against their employers can help you understand the psychology and the warning signs and show you how to mitigate the impact.
Prevention is the Best Response
With so many attack fronts to defend, you want to seek every possible advantage. To prevent attacks, start with your most important resource: your people. The best way to defend data, services, and resources is to do all you can to keep threat actors out. That starts with educating your employees on cybersecurity issues to reduce their susceptibility to phishing, which has grown increasingly sophisticated over time. Messages that ask for rapid responses or quick actions should be viewed with greater suspicion. Multifactor authentication can reduce your vulnerability, and password protocols that require frequent changes will help protect your data. Cybersecurity software, including VPNs and isolated “guest networks”, that is regularly monitored, patched, and updated can help block malicious actors. And be sure to carefully scrutinize employee activity to identify threats from trusted insiders.
Increasingly, instead of sitting back passively in a defensive position, many companies are moving beyond firewalls, penetration testing, perimeter monitoring, and software patching. They’re actively on the lookout for threats, so-called threat hunting, in hopes of identifying and removing malware when atypical activity is detected. Some companies are “thinking like hackers” and adopting competition and gamification with their security teams, also known as red teaming. They’re crowdsourcing security with “bug bounties” to reward the best white hats, inside and outside the organization. By understanding the nature of threat actors, their motivations, techniques, and operating methods, companies are better positioned to defend against the implicit and explicit threats they pose to corporate computing resources and business operations.
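The two closing recommendations, scrutinizing the activity of trusted insiders and hunting for atypical activity, are easiest to see in code. The following is an added example, not code from the article or from Radware: a small threat-hunting script that parses constructed access-log lines (the log format, the field names, the business-hours window, the bulk-export threshold, and the offboarding feed are all assumptions) and flags the insider indicators the article describes, such as activity from an account whose owner has left, large exports outside business hours, and destructive actions after termination.

```python
"""Hunt for atypical insider activity in access logs (added illustration).

Assumed log format (one event per line):
  <ISO timestamp> user=<name> action=<verb> bytes=<n> src=<ip>
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; these are not from any real system.
SAMPLE_LOG = """\
2023-03-20T09:12:05 user=alice action=read bytes=20480 src=10.0.1.15
2023-03-20T10:40:11 user=alice action=read bytes=51200 src=10.0.1.15
2023-03-20T02:15:42 user=bob action=export bytes=734003200 src=10.0.1.88
2023-03-20T02:22:09 user=bob action=export bytes=891289600 src=10.0.1.88
2023-03-20T11:03:30 user=carol action=read bytes=4096 src=10.0.2.7
2023-03-21T14:30:00 user=dave action=read bytes=8192 src=10.0.3.3
2023-03-21T14:31:00 user=dave action=delete bytes=0 src=10.0.3.3
"""

# Constructed offboarding feed (assumed to come from HR): user -> termination date.
# Any activity on or after that date means the account was not disabled in time.
TERMINATED_USERS = {"dave": datetime(2023, 3, 20)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) src=(?P<src>\S+)$"
)

BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time (assumption)
BULK_EXPORT_BYTES = 500 * 1024 * 1024  # 500 MiB per user per hour (assumption)


def parse_log(text: str) -> list[dict]:
    """Parse log text into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not abort the whole hunt
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "bytes": int(m["bytes"]),
            "src": m["src"],
        })
    return events


def find_indicators(events: list[dict], terminated=TERMINATED_USERS) -> list[tuple[str, str]]:
    """Return sorted (user, indicator) pairs for activity worth an analyst's attention."""
    findings = set()
    hourly_export = defaultdict(int)  # (user, date, hour) -> bytes exported so far
    for e in events:
        user, ts = e["user"], e["ts"]
        # Indicator 1: any activity from an account that should already be disabled.
        if user in terminated and ts >= terminated[user]:
            findings.add((user, "activity_after_termination"))
        if e["action"] == "export":
            # Indicator 2: exports outside the business-hours window.
            if ts.hour not in BUSINESS_HOURS:
                findings.add((user, "off_hours_export"))
            # Indicator 3: export volume per hour above the bulk threshold.
            key = (user, ts.date(), ts.hour)
            hourly_export[key] += e["bytes"]
            if hourly_export[key] > BULK_EXPORT_BYTES:
                findings.add((user, "bulk_export"))
        # Indicator 4: destructive actions by a departed user.
        if e["action"] == "delete" and user in terminated:
            findings.add((user, "destructive_action_after_termination"))
    return sorted(findings)


def hunt(text: str = SAMPLE_LOG) -> list[tuple[str, str]]:
    """Run the full pipeline over log text and return the findings."""
    return find_indicators(parse_log(text))


if __name__ == "__main__":
    for user, indicator in hunt():
        print(f"{user}: {indicator}")
```

On the constructed sample, alice and carol produce nothing, bob trips both the off-hours and bulk-export checks, and dave, whose account should have been disabled at offboarding, is flagged for post-termination activity and a destructive action. In practice the thresholds and the offboarding feed are the parts worth tuning, since the article's point is that insider tactics are simple and only stand out against a baseline of normal behaviour.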
- The 5 Main Threat Actors and How to Defend Against Them - March 27, 2023