Types of Threat Actors
To defend against unknown threats, threat intelligence has to go beyond identifying malware: it also describes the behaviors of different adversary groups. Intelligence reports can be used to monitor threats from nation-states, organized crime, and hacktivists. Knowing how much funding and how many resources a group has matters because it determines the group's ability to develop sophisticated malware and tooling. Attacks can be either opportunistic, using simple and widely available tools, or targeted, using sophisticated methods and skilled professionals.
Nation-State Threats
Most nation-states have developed cybersecurity expertise and use cyber weapons for both military and commercial goals. The Mandiant APT1 report on Chinese cyber espionage did much to establish the public understanding of modern cyber attacks. The term "advanced persistent threat" (APT) describes an adversary's ability to compromise a network and keep that access over a long period using a variety of tools and techniques.
Nation-state actors are frequently behind attacks on critical infrastructure, such as energy systems, and on election systems. Their main goals are espionage and strategic advantage, but some states, North Korea among them, also target companies for financial gain. A single country may sponsor multiple groups with different goals and different levels of resourcing.
Organized Crime
In many places, cybercrime now exceeds physical crime in both the number of incidents and the financial losses it causes. Organized crime groups can operate online across borders, which makes them hard to investigate and prosecute. They look for any way to turn access into money, typically through financial fraud and extortion (blackmail). Vendor and industry blogs document the tools and strategies these gangs use to run their operations.
Hacktivists
Hacktivist groups, such as Anonymous, WikiLeaks, and LulzSec, use cyber attacks to promote a political agenda. They may try to obtain and leak confidential information, launch denial of service (DoS) attacks, or deface websites to spread their message. Political, media, and financial organizations are common targets, but environmental and animal rights activists may also go after companies in a range of industries. International hacktivist groups were highly visible in the early 2010s, but more recent research shows that most active groups now focus on local issues within a single country.
Insider Threat Types
Insider threats come from people within an organization who have been granted access to its systems. Unlike an external attacker, an insider holds some level of legitimate permission to access information. There are two broad types of insider: those with permanent privileges, such as employees, and those with temporary access, such as contractors or guests.
Motivations for Insider Threats
Insider threats can be motivated by sabotage, financial gain, or business advantage, and they can be either opportunistic or targeted. An employee who plans a scheme to alter invoices and divert the payments is carrying out a structured (targeted) attack; an employee who simply tries guessing the password to a database they are not authorized to use is acting opportunistically.
Intentional vs. Unintentional Threats
Insider threats can also be intentional or unintentional. Intentional threats are those where the insider acts with malicious intent. Unintentional threats occur when insiders make mistakes without meaning to cause harm: poor password management, or the use of unauthorized software and cloud services (shadow IT), creates vulnerabilities that someone else can exploit.
Addressing Insider Threats
To manage insider threats, organizations need both technical and operational controls. Because an insider already holds legitimate access, technical controls alone cannot always stop a determined one, so tamper-resistant logging and auditing are crucial for detecting misuse and proving it after the fact. Unintentional threats can be reduced through security training and awareness programs; tracking training completion and assessment results by department helps identify where the risk of accidental incidents is highest.
Commodity Malware and Zero-Day Threats
Threat classification includes different types of malware, which are tools used by cyber adversaries. Malware can be divided into categories like viruses, worms, Trojans, rootkits, and ransomware. Understanding how malware is developed and used is important for threat intelligence, as it reveals the intentions and capabilities of attackers.
Commodity Malware
Commodity malware refers to widely available malicious software that can be bought or traded, often on dark web marketplaces (csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html). Examples include remote access Trojans (RATs) such as PoisonIvy, DarkComet, and XtremeRAT. Once such a tool is recognized as generally available, threat intelligence platforms label it commodity malware.
This type of malware differs from targeted or custom malware, which is developed for a specific attack after careful planning. Commodity malware typically exploits known vulnerabilities on unpatched systems, whereas targeted malware may use zero-day exploits: exploits for vulnerabilities that the vendor has not yet patched, and often has not yet disclosed.
Importance of Classification
The line between commodity and targeted malware is not always clear. Custom malware may also be sold on dark web sites, though usually only to trusted contacts. Off-the-shelf malware still poses a risk, because attackers can make small modifications to a build (repacking it, changing its configuration) so that it no longer matches the hashes and signatures published for the original. Identifying whether malware is commodity or targeted helps assess the severity of an incident and gauge the attacker's resources and goals.
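The point about slightly modified commodity malware is easiest to see by running two IOC types against two builds of the same tool. The example below is added here and is not code from the original page or from any vendor's product. The two "samples" are constructed byte strings (not real malware), the hash IOC and the rule name are assumptions made for the example, and the pattern rules stand in for what a YARA rule would express: the exact hash of the reported build catches only that build, while patterns keyed on artifacts that survive repacking (a builder-style config marker, a host:port C2 setting, a Run-key persistence string) still catch the modified build.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed stand-ins for two builds of a commodity RAT: plain byte strings
# made up for this example, not real malware. The "modified" build changes one
# padding byte and the C2 host, as a repacker or builder kit would, which is
# enough to change the file hash.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Mutex: ]b41af2d[ builder-kit config marker\x00"
    + b"C2=update-check.example.net:4782\x00"
    + b"PERSIST=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)
MODIFIED_SAMPLE = (
    ORIGINAL_SAMPLE
    .replace(b"\x00" * 60, b"\x00" * 59 + b"\x01", 1)
    .replace(b"update-check.example.net", b"cdn-status.example.org")
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash IOCs as shared in a threat report (assumed): only the build that was
# actually reported is listed, which is the usual situation in practice.
HASH_IOCS: Dict[str, str] = {
    sha256_hex(ORIGINAL_SAMPLE): "commodity RAT build listed in threat feed (assumed)",
}

# Pattern rules in the spirit of a YARA rule: byte regexes for artifacts that
# survive trivial repacking; a rule fires when at least min_matches are present.
PATTERN_RULES = {
    "commodity_rat_builder_kit": {
        "patterns": [
            rb"\]\w{7}\[",            # builder-style mutex/config marker
            rb"C2=[\w.-]+:\d{2,5}",   # host:port C2 config; host itself not fixed
            rb"CurrentVersion\\Run",  # Run-key persistence string
        ],
        "min_matches": 2,
    },
}


def match_hashes(data: bytes) -> Optional[str]:
    """Exact-hash IOC lookup: fails as soon as a single byte changes."""
    return HASH_IOCS.get(sha256_hex(data))


def match_patterns(data: bytes) -> List[str]:
    """Return the names of pattern rules whose n-of-m threshold is met."""
    hits = []
    for name, rule in PATTERN_RULES.items():
        found = sum(1 for p in rule["patterns"] if re.search(p, data))
        if found >= rule["min_matches"]:
            hits.append(name)
    return hits


def classify(data: bytes) -> dict:
    """Combine both IOC types and report which one carried the detection."""
    hash_hit = match_hashes(data)
    pattern_hits = match_patterns(data)
    if hash_hit:
        verdict = "known commodity sample (hash IOC)"
    elif pattern_hits:
        verdict = "commodity family, modified build (hash IOC missed, pattern rule hit)"
    else:
        verdict = "no commodity match; analyze further before assuming custom tooling"
    return {
        "sha256": sha256_hex(data),
        "hash_hit": hash_hit is not None,
        "pattern_hits": pattern_hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_SAMPLE), ("modified", MODIFIED_SAMPLE)):
        r = classify(sample)
        print(f"{label}: sha256={r['sha256'][:16]}... hash_hit={r['hash_hit']} "
              f"patterns={r['pattern_hits']} -> {r['verdict']}")
```

The second sample fails the hash lookup but still trips the pattern rule, which is the practical reason to pair exact hashes from a report with family-level signatures: a hash tells you this precise build was seen elsewhere, a family rule tells you which kit the attacker is using even after they rebuild it. A sample that matches neither is not automatically "targeted"; it just has not been classified yet.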
Zero-Day Malware
Malware often exploits vulnerabilities in software, firmware, or hardware to gain execution, escalate privileges, or maintain access to a system. A zero-day vulnerability is one that is discovered or exploited before the vendor can release a patch for it. The term is used both for the vulnerability itself and for malware that exploits it.
Importance of Discovery
The most serious zero-day vulnerabilities are those that adversary groups exploit before anyone else knows they exist. Security researchers also discover zero-days, and best practice (coordinated disclosure) is to inform the vendor privately first, allowing time for a fix to be developed before the vulnerability is made public; 90 days is a common window, though it varies.
N-Day Vulnerabilities
A vulnerability that has been publicly disclosed but remains unpatched on a system is called an n-day vulnerability, where n counts the days since disclosure. For example, a vulnerability that is still unpatched a week after it was disclosed is a 7-day vulnerability. N-days are what commodity malware typically relies on, since exploits for them are usually public and the unpatched systems are easy to find.
Value of Zero-Day Exploits
Zero-day vulnerabilities are highly valuable, sometimes worth millions of dollars, especially for mobile operating systems. Because an exploit loses its value once it is observed and patched, attackers usually reserve zero-days for high-value targets. State security and law enforcement agencies also stockpile zero-day vulnerabilities for use in investigations.
Advanced Persistent Threat (APT)
The term advanced persistent threat (APT) describes a type of cyber attack usually associated with nation-states and, increasingly, organized crime groups. It originally referred to the group behind a campaign, but it has since expanded to cover the tools and techniques they use. Modeling threats as APTs moves defense beyond scanning for known viruses or Trojans: you also hunt for Command and Control (C2) software, for unusual network activity, and for signs of earlier intrusions that went undetected.
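One concrete form of the "unusual network activity" hunt is beacon detection: an implant checking in with its C2 server tends to connect at a fixed interval with little variation, which ordinary browsing does not. The example below is added here and is not code from the original page or from any product; the connection log is constructed for the example in a Zeek conn.log-like layout, and the thresholds (at least six connections, coefficient of variation of the inter-connection interval at most 0.2) are assumptions to be tuned per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List

# Constructed connection log (whitespace separated; '#' lines are headers).
# Made up for this example: 10.0.0.5 calls 203.0.113.10:443 every ~60 s with
# slight jitter, 10.0.0.7 browses 198.51.100.20 irregularly, and 10.0.0.5 has
# only two connections to 192.0.2.9, too few to judge.
SAMPLE_CONN_LOG = """\
#fields ts src_ip dst_ip dst_port orig_bytes
1700000000.0 10.0.0.5 203.0.113.10 443 512
1700000001.5 10.0.0.7 198.51.100.20 443 8800
1700000004.6 10.0.0.7 198.51.100.20 443 1200
1700000005.5 10.0.0.7 198.51.100.20 443 640
1700000010.0 10.0.0.5 192.0.2.9 8080 300
1700000060.2 10.0.0.5 203.0.113.10 443 530
1700000070.0 10.0.0.5 192.0.2.9 8080 310
1700000097.0 10.0.0.7 198.51.100.20 443 15000
1700000097.7 10.0.0.7 198.51.100.20 443 700
1700000119.9 10.0.0.5 203.0.113.10 443 512
1700000180.4 10.0.0.5 203.0.113.10 443 520
1700000240.1 10.0.0.5 203.0.113.10 443 512
1700000299.8 10.0.0.5 203.0.113.10 443 540
1700000360.3 10.0.0.5 203.0.113.10 443 512
1700000411.5 10.0.0.7 198.51.100.20 443 2200
1700000414.2 10.0.0.7 198.51.100.20 443 900
1700000420.0 10.0.0.5 203.0.113.10 443 515
1700000901.8 10.0.0.7 198.51.100.20 443 30000
"""


def parse_conn_log(text: str) -> List[dict]:
    """Parse the constructed log format above into connection records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def beacon_candidates(records: List[dict], min_conns: int = 6,
                      max_cv: float = 0.2) -> List[dict]:
    """Group connections by (src, dst, port) and flag pairs whose
    inter-connection intervals are regular (low coefficient of variation).
    Payload-size regularity is reported as a supporting signal, not a gate."""
    by_pair: Dict[tuple, List[dict]] = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"], r["port"])].append(r)
    out = []
    for (src, dst, port), conns in by_pair.items():
        if len(conns) < min_conns:
            continue  # not enough samples to call the timing regular
        conns.sort(key=lambda r: r["ts"])
        stamps = [r["ts"] for r in conns]
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(intervals)
        if mu <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(intervals) / mu
        if cv > max_cv:
            continue
        sizes = [r["bytes"] for r in conns]
        out.append({"src": src, "dst": dst, "port": port, "count": len(conns),
                    "mean_interval": mu, "cv": cv,
                    "bytes_cv": pstdev(sizes) / mean(sizes)})
    return sorted(out, key=lambda c: c["cv"])


if __name__ == "__main__":
    for c in beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{c['src']} -> {c['dst']}:{c['port']}  n={c['count']}  "
              f"every {c['mean_interval']:.1f}s (cv={c['cv']:.3f}, "
              f"size cv={c['bytes_cv']:.3f})")
```

Only the 10.0.0.5 to 203.0.113.10 pair is reported. Treat such a hit as a triage lead rather than a verdict: legitimate update and telemetry clients also poll on a schedule, so allow-list known destinations, and a well-built implant adds sleep jitter specifically to raise the coefficient of variation, which is why the window length, the thresholds, and supporting signals such as payload size and destination reputation all need tuning against your own traffic.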
Targeting Large Organizations
APTs usually target large organizations, such as financial institutions and healthcare providers, which store sensitive personal information. They may also focus on government agencies to achieve political goals, spy on other nations, or interfere in elections.
Characteristics of APTs
The “advanced” aspect of APTs is crucial because these threats are rarely executed by unskilled attackers using basic methods. APTs require significant resources and often involve teams of specialists who develop and execute sophisticated exploits. These groups invest a lot of time in gathering intelligence about their targets, allowing them to create highly specific custom attacks.
Goals and Stealth
APTs have various goals, but a common one is to maintain long-term access to networks and systems without being detected. They use techniques that can keep them inside a system for months or even years, making APTs some of the most dangerous threats to organizations.