These days, the ‘who’ aspect of malware threats often gets downplayed in the fight to protect data and recover from disasters. There is a common misconception that protecting systems against known, generic attack vectors will deter every kind of bad actor. However, the context and thought processes behind the attacks matter a great deal here: they give insight into the motivations, skill levels, capabilities and funding behind the threats, as well as the comparative danger posed by each attacker’s specific goals.
Many originators of malware and hacks can be profiled as falling into one or more of the following classes, listed roughly in descending order of threat magnitude. When considering each, note the key metrics that help define them:
Infiltration Complexity: Describes how technically advanced and well-orchestrated their attacks may be.
Potential Damage and Disruption: Estimates what consequences a successful attack can cause, in financial, operational and personal terms.
Detection Difficulty and Persistence: Rates the time, skills and effort needed to detect, contain and permanently remove a threat in the longer term.
Resources: Measures the money, motivation, scale and reach behind the threat actors.
Keep in mind that not every threat actor falls neatly into exactly one of these categories, but understanding who they are and what they are capable of generally provides better guidance on how to protect against them, tailor defenses, and invest in the right countermeasures. The industry is realizing that it’s not just about throwing up firewalls and hoping for the best; it’s about playing 4D chess in an arena where the players are unpredictable, varied, and constantly changing.
Government-Backed Cyberwarfare and Cyberterrorism – “The Big Guns”: Extremely dangerous and well-funded. They are unmatched in scope, resources, and severity of planned attacks, which are unfortunately often motivated by geopolitical, ethnic, religious, or other large-scale economic goals. If these groups have targeted you and you’re not already sufficiently fortified against them, it’s probably already too late. Moreover, defending against these groups can sadly require the involvement of other governments.
Infiltration Complexity: Extreme. Built for the long game.
Potential Damage and Disruption: Extreme and systematic, often against specific, pre-selected targets.
Detection Difficulty and Persistence: High.
Resources: Practically limitless and fueled by ideology.
Specific Protection Measures:
Next to the mega nation-state groups, these are the ones conducting targeted electronic espionage – hacking carried out by private intelligence firms and corporate mercenary hackers-for-hire. They may also be funded by nation states, but their goals are ambiguous and their ethics are often subjective and fluid, going to the highest bidder.
They are persistent and have large internal research labs that develop the powerful proprietary tools needed to find and exploit 0-day vulnerabilities with advanced techniques. Their motives, however, are mostly financial, which means their services are often prohibitively expensive, fortunately shrinking the pool of victims they would be interested in going after. “You get what you pay for.” (Palantir)
Example: DarkMatter – A UAE-based cybersecurity company suspected of providing cyber-espionage services and custom, widely deployed spyware.
Infiltration Complexity: Extreme; the masterclass that shows how it’s done.
Potential Damage and Disruption: Very High, depending on what they were contracted to do.
Detection Difficulty and Persistence: Very High.
Resources: Fully scalable based on funding.
Specific Protection Measures:
These are one of the biggest wildcards, being highly unpredictable and difficult to prepare against. When they see a low barrier to entry, those with privileged inside access to proprietary knowledge can cause significant damage in ways other actors couldn’t even imagine.
They might strike over grievances, ideological or personal, or simply play the long game once they find a loophole. They are also notoriously hard to detect because of how close they can get to critical systems; sometimes they are even people embedded in internal security teams. They generate a substantial portion of leaks and PII breaches.
Example: Edward Snowden – Leaked highly classified information from the National Security Agency (NSA).
Infiltration Complexity: So dangerously low that nearly anyone could do it.
Potential Damage and Disruption: High – privileged access is no joke.
Detection Difficulty and Persistence: High and long-lasting, often impossible to detect.
Resources: Not needed – typically just the motivation, as there are no hackers to hire or software to acquire first.
Specific Protection Measures:
Career criminals who seek financial gain via fraud, ransom, blackmail, identity theft, etc. They are particularly dangerous because the breaches they cause translate into direct financial loss. They may be far less well-funded than large mercenary organizations, but that also makes them desperate and numerous. They often operate from developing nations with few enforced laws, and are willing to cast a broad net over as many victims as possible to increase the probability of a breach.
Their footprint may range from a few people in a shack writing scam emails to an organized corporate call center using social engineering to gain remote system access and steal identities. This is where much ransomware and phishing originates.
Example: REvil – A criminal gang responsible for high-profile ransomware attacks.
Infiltration Complexity: Moderate, often targeting low-hanging fruit via social engineering.
Potential Damage and Disruption: High, usually monetary.
Detection Difficulty and Persistence: Moderate; they’re in it for the quick payout, not the long game.
Resources: Low to moderate effort, potentially high volume.
Specific Protection Measures:
They usually claim to promote ideological causes. Moderately dangerous, often seeking only to disrupt operations or leak data. Fortunately, their plans usually involve claiming responsibility and being as flashy as possible, since the message is part of the end goal. They might not steal your data, but they could ‘dox’ you or leak your internal emails, humiliate staff, and share your intellectual property publicly.
Example: Anonymous – Involved in high-profile attacks for political and social causes.
Infiltration Complexity: Low to Moderate.
Potential Damage and Disruption: Moderate, mainly due to PII and IP leaks.
Detection Difficulty and Persistence: Low.
Resources: Moderate, depending on the strength of their support, but “where there is a will, there is a way”.
Specific Protection Measures:
These are the hackers you often see portrayed in movies. Some might be hacktivists, but their ideas are often less altruistic. They usually have selfish goals such as fame, notoriety, the thrill of the hack, or purely the ‘lols’. The threat they pose varies and is wildly skill-dependent.
Example: Lizard Squad – Known for DDoS attacks and other forms of cyber-vandalism.
Infiltration Complexity: High, favoring the most complicated attacks.
Potential Damage and Disruption: Varies; sometimes just for sport.
Detection Difficulty and Persistence: Varies based on motivations.
Resources: Low.
Specific Protection Measures:
These are often the less technically sophisticated or marginally motivated hackers. They might have limited skills and simply be attention-seeking, but they can also cause chaos with tools they do not understand. They usually cause only minor mischief and look for easy targets.
Typically they just use existing, well-known turnkey hacking tools to deploy their attacks, which makes them easy to detect. Think stealing Wi-Fi passwords, defacing WordPress pages, or hijacking social media accounts and private pictures.
Note that a subset are also known as Green Hats: those who are still learning to be professionals and are just testing the waters.
Infiltration Complexity: Minimal.
Potential Damage and Disruption: Low.
Detection Difficulty and Persistence: Very Low.
Resources: Minimal.
Specific Protection Measures:
Finally, those sometimes called the “nice hackers” are usually hired security professionals who help companies find security vulnerabilities and test existing systems via penetration testing and other evaluation tools. They are willingly hired to discover and exploit security vulnerabilities. They test-run hacking attempts and share their methods and extracted artifacts with the client so the defenses can be improved.
You protect yourself against them to practice and learn how to harden systems against real threats. They should be treated as real risks, as this is the closest thing to a fire drill for preparing for when things really go wrong. Their capabilities, and the simulated risks they pose, scale with your budget.
The landscape of cybersecurity threats is always evolving, so understanding the ‘who’ behind an attack is not just a matter of curiosity but an integral part of an effective cybersecurity strategy. From nation-state actors armed with almost limitless resources to script kiddies with a rudimentary understanding of hacking tools, the motivations, infiltration capabilities, and dangers vary widely.
Failing to recognize this diversity among threat actors can lead to poorly designed and inefficient security measures. Context matters, and knowing your potential adversary allows for a more targeted, contextual, and effective defense.