Proactive Defense: Understanding the 4 Main Threat Actor Types

Posted: 23rd August 2016

Key Takeaways

  • Understanding the four main threat actor types is essential to proactive defense.
  • Cyber criminals are motivated by money, so they’ll attack if they can profit.
  • Hacktivists want to undermine your reputation or destabilize your operations. Vandalism is their preferred means of attack.
  • State-sponsored attackers are after information, and they’re in it for the long haul. They’re difficult to identify, so you’ll need to be on top of your security.
  • Insider threats could be malicious, but they could also be well-meaning people who have been led astray. Training and user behavior analytics are the way forward.

Over the past few years, cyber security has made its way onto every organization’s radar. Hardly a week goes by without another high-profile breach, and with each new headline cyber security budgets across the globe are growing ever larger.

But unfortunately, simply spending more money isn’t enough. To avoid the cost and embarrassment of a data breach, you’ll need to understand your adversaries.

Most threat actors fall within four main groups, each with their own favorite tactics, techniques, and procedures (TTPs). By gaining a deeper understanding of threat actors through the lens of the cyber threat intelligence cycle, you’ll be able to assign your cyber security budget to fund the right activities.

Cyber Criminals, Organized and Otherwise

When thinking about cyber criminals, many imagine some nerdy hacker sitting in his mom’s basement eating potato chips. This couldn’t be further from the truth.

These days cyber crime is far more organized than ever before, and last year it even overtook the drug trade to become the most profitable illegal industry. To give you some idea of scale, it’s estimated that victims in the U.S. paid over $24 million in 2015 to groups using ransomware trojans, and that’s just one attack vector.

These groups are well equipped, well funded, and they have the tools and knowledge they need to get the job done. But to really understand cyber criminals, you just need to know one thing: their motives.

Overwhelmingly, cyber criminals are interested in money. Either they’ll use ransomware to extort money from you, or they’ll steal data that can be sold via dark web markets.

Common TTP

Right now, cyber criminals are all about mass phishing campaigns. It’s low cost, easy to pull off, and promises a truly staggering return on investment. Sure, spear phishing is still a big concern, and it’s much harder to defend against, but for pure bang-for-your-cyber-criminal-buck nothing beats a good mass phish.

Typically these campaigns are used to deliver malware payloads (often ransomware), and emails usually include a strong social engineering component. For instance, recipients are often asked to open or forward attachments such as office documents which in turn activate malicious software when opened.

How to Defend Against It

Keep in mind the cyber criminal’s focus on profit. If they can’t convince you to pay a ransom or sell your data, you’re useless to them.

Since phishing is the current weapon of choice for cyber criminals, the best defenses are email filtering and authentication systems. By scanning all incoming and outgoing email for suspicious content (e.g., executable files, “spammy” language, or similarity to previously intercepted emails), you’ll be able to block and quarantine the vast majority of malicious spam. High-quality threat intelligence is extremely beneficial here, as it can be used to constantly improve spam filters and prevent the latest phishing emails from finding their mark.

Equally, some phishing emails originate from domains and IPs that are easily blocked. Using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) will help you avoid a lot of headaches.
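As an added example (not from the original post), here is a simplified DMARC alignment check of the kind a receiving mail server performs once SPF and DKIM have been evaluated: it decides whether either result is aligned with the visible From: domain and, if not, returns the action the domain owner requested. SPF and DKIM results are assumed already computed, and the organizational-domain helper is a crude stand-in for the Public Suffix List.

```python
# Added example: DMARC identifier alignment, simplified. SPF and DKIM
# results are assumed known; only alignment and policy lookup are shown.

def org_domain(domain: str) -> str:
    # Crude organizational domain (last two labels); real receivers use
    # the Public Suffix List. Assumption made for this example.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(record: str) -> dict:
    # Turn "v=DMARC1; p=reject; aspf=s" into {"v": "dmarc1", "p": "reject", ...}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    # Strict ("s"): exact match with the From: domain.
    # Relaxed ("r"): same organizational domain is enough.
    if not auth_domain:  # that mechanism did not produce a pass at all
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf_domain, dkim_domain, record) -> str:
    # spf_domain: MAIL FROM domain if SPF passed, else None.
    # dkim_domain: d= of a passing DKIM signature, else None.
    # Returns "pass", or the domain owner's requested action (p= tag).
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

# Constructed sample record and messages (not real domains or senders).
RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s"

if __name__ == "__main__":
    # Spoofed From: passes SPF for the sender's own domain, which is not
    # aligned with example.com, so the receiver applies p=reject.
    print(dmarc_disposition("example.com", "mail.bulk-sender.test", None, RECORD))
    # Legitimate mail from a subdomain: relaxed SPF alignment passes.
    print(dmarc_disposition("example.com", "bounce.example.com", None, RECORD))
```

The point to notice is that a phishing message can pass SPF for the attacker's own domain and still fail DMARC, because alignment ties the authenticated domain to the From: header the recipient actually sees.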

Hacktivists

Unlike cyber criminals, hacktivists are generally not motivated by money. Instead, they have a burning rage inside them that for whatever reason has been directed at you.

Remember the stereotypical hacker we mentioned earlier? A hacktivist could easily fall into that mold. They often work alone, making their attacks extremely difficult to predict or even respond to quickly — but don’t underestimate them.

Many hackers, ethical or not, are actively involved with the cyber security industry in some capacity. But whether they’re a network administrator, a mid-level IT guy, or even a college student, there’s no way of knowing in advance who they are or when they’ll strike.

Of course it’s difficult to really pin down a hacktivist’s motives in advance, but it is possible to predict their actions. Since they aren’t interested in money, hacktivists are usually in the business of cyber vandalism. If they do aim to steal your data, it’s probably because they expect to find something incriminating, or simply wish to cause you embarrassment.

Common TTP

According to Control Risks, hacktivists overwhelmingly favor attacking websites. Since its website is often the most publicly facing aspect of an organization, this makes perfect sense.

But how do they do it? Well, for many years now, DDoS (distributed denial of service) attacks have been a firm favorite. To initiate a DDoS attack, a hacktivist must first take control of a large number (usually thousands or tens of thousands) of computers, which they typically achieve by using malware spam campaigns.

Once they have control, the hacktivist will use his “botnet” to repeatedly send simple requests (e.g., viewing a webpage) to a specific website over and over again.

The amount of traffic generated by a DDoS attack can be truly staggering, and often leads to site crashes and large hosting bills for the website owner.

How to Defend Against It

Defending against DDoS attacks isn’t easy. First, you’ll need your incident response planning to be spot on. Not only that, you’ll need to identify the signs of DDoS attacks early on, and give yourself the best possible chance to mitigate the attack before it reaches its inevitable conclusion.

Finally, there are a number of DDoS mitigation products and services on the market, so give serious consideration to investing in one of these.
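One way to turn the "identify the signs early" advice into a concrete check, as an added example that is not from the original post: it buckets constructed web-server access-log lines per minute and flags a minute only when both request volume and the number of distinct clients jump far above the baseline, which is the distributed, repeated-simple-request pattern described above. The thresholds and the log format are assumptions.

```python
# Added example (not from the original post): an early-warning check for the
# pattern described above, many clients repeating the same simple request.
# It buckets constructed access-log lines per minute and flags a bucket when
# both request volume and distinct-source count jump far above the baseline.
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[\d\d/\w{3}/\d{4}:(\d\d:\d\d):\d\d [^\]]*\]')

def per_minute(lines):
    # Returns {"HH:MM": (requests, distinct_sources)} for parseable lines.
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, minute = m.groups()
            buckets[minute][0] += 1
            buckets[minute][1].add(ip)
    return {k: (n, len(ips)) for k, (n, ips) in buckets.items()}

def flag_ddos_minutes(stats, factor=5, min_sources=10):
    # Baseline = median requests per minute across all buckets. A minute is
    # flagged only if it is >= factor x baseline AND spread over at least
    # min_sources clients; a single noisy client is a different problem.
    counts = sorted(n for n, _ in stats.values())
    baseline = max(1, counts[len(counts) // 2])
    return sorted(k for k, (n, src) in stats.items()
                  if n >= factor * baseline and src >= min_sources)

def constructed_log():
    # Constructed Apache-style lines: quiet minutes 12:00-12:04 from two
    # office clients, then a 12:05 burst of GET / from 25 distinct addresses.
    fmt = '{ip} - - [23/Aug/2016:{mm}:00 +0000] "GET / HTTP/1.1" 200 512'
    lines = []
    for minute in range(5):
        for ip in ("192.0.2.10", "192.0.2.11"):
            lines += [fmt.format(ip=ip, mm=f"12:0{minute}")] * 3
    for i in range(25):
        lines += [fmt.format(ip=f"203.0.113.{i}", mm="12:05")] * 4
    return lines

if __name__ == "__main__":
    stats = per_minute(constructed_log())
    print(flag_ddos_minutes(stats))  # ['12:05']
```

In practice the baseline would come from historical traffic rather than the same window being inspected, and the alert would feed the incident response plan mentioned above rather than act on its own.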

State-Sponsored Attackers

In recent years, we’ve all heard a lot about state-sponsored attacks and cyber espionage. In reality state-sponsored attacks are far less common than cyber crime and hacktivism, but they are nonetheless a real and concerning trend.

Unsurprisingly, state-sponsored attackers aren’t usually interested in your money.

At least, not directly.

Instead, they want your data, and that means gaining sustained access to your IT infrastructure. If your organization operates in a particularly sensitive market where proprietary data is jealously guarded (e.g., technology, pharmaceuticals, or finance), you’re at a greater risk of gaining the attentions of a state-sponsored hacking group.

Common TTP

Since state-sponsored attackers need long-term access to your IT infrastructure, their preferred TTP is known as the advanced persistent threat (APT). Unfortunately, this term is less precise than you might hope.

In essence, because so much is on the line, state-sponsored groups will often work on multiple attack vectors simultaneously, even if they already have access to your infrastructure. In this way, they can collect sensitive data over a long time period, rather than simply performing a smash-and-grab operation.

Sadly, although the average time to detect a breach fell substantially last year, it’s still in the region of five months. Needless to say, nobody wants a state-sponsored hacking group intercepting their private data for even a day, so five months is clearly too long.

How to Defend Against It

Since APTs make use of multiple attack vectors, there’s no single security silver bullet to keep your organization safe. Instead, you’ll need to build a strong, consistent, and ongoing security program that includes both the fundamentals (e.g., vulnerability and patch management) and the more advanced (threat intelligence).

Effective cyber security is a marathon, not a sprint, so if you’re starting from scratch you certainly won’t be able to do everything. Focus on building up your cyber security program one piece at a time, and always look for ways to improve.

Ultimately, even with state-sponsored groups, if you can make their job really difficult, there’s a good chance they’ll go elsewhere in search of easier targets.

The Insider Threat

Don’t be fooled into thinking that all insider threats are the same. Some are simply normal employees who want to be helpful and end up giving away sensitive data to the wrong person. Others feel maligned by their organization, and want to get their own back. Still more are real user accounts which have been compromised by an external attacker.

But whatever their circumstances or motives, insider threats are dangerous, and often hard to spot.

They may aim to vandalize assets as a form of revenge, steal proprietary assets for resale on the dark web, or simply send sensitive data to anybody who asks. And the hard part, of course, is distinguishing these actions from all the legitimate activity that occurs every day on your network.

Common TTP

Although insiders do sometimes commit acts of vandalism, information is usually their target. Insider threats have led to some of the largest data breaches in history, so protecting confidential data should be your organization’s primary concern.

How to Defend Against It

First off, your well-meaning employees should be at the top of your list. Most people want to be helpful, and this trait can be (and often is) abused by hackers to achieve their goals. Security awareness training is an absolute must here, because after all, you may have disgruntled employees, but you’ll always have gullible employees.

For compromised or malicious insiders, a different tactic is needed. Since they’ll be looking for sensitive data, using honeypots in combination with user behavior analytics will enable you to identify those users who are actively searching for data they shouldn’t have.

And once you’ve identified them, you can follow their behavior more closely, and quickly put together the evidence you need to confront them.

Whatever You Do, Be Proactive

When building your cyber security capability, understanding your adversaries is essential. And of course, you can’t develop a security capability that only considers a single type of threat actor.

The best cyber security capabilities in the world belong to organizations that take proactive steps to stay ahead of their attackers. They develop a detailed knowledge not only of their adversaries, but also of the latest and greatest threat actor TTPs. With this information, they constantly improve their security mechanisms, and search for new ways to identify, track, and repel attacks.

If you’d like to take a more proactive approach to cyber security, download our popular white paper written by industry expert Levi Gundert titled, “Understand Your Attacker: A Practical Guide to Identifying TTPs With Threat Intelligence.”

This guide will help you gain a deeper understanding of the different threat actor TTPs that you’ll likely be facing in the coming months and years. And from there, you can proactively build a cyber security capability that your organization can be proud of.

This information is also available to view as a SlideShare presentation.