Most cybersecurity observers will have heard the term “threat actor” before, but what exactly is a threat actor? 

In simple terms, a threat actor is an entity responsible for a cybersecurity incident. They are “actors” because it is a neutral term that avoids labeling them as an individual, group, or collection of multiple groups. The term also does not ascribe a motivation to the actor, such as criminal or espionage.

The term threat actor differs from the term “hacker” or “attacker” because unlike a hacker, a threat actor does not necessarily have any hacking or technical skills. They are simply an entity with malicious intent compromising an organization’s security. This could mean anything from copying confidential data onto a USB key to physically destroying servers in the data center. It is a broad term that can apply to both insider and external threats.

That said, many threat actors do have technical skills.

Different Kinds of Threat Actor

Protecting your organization from cybersecurity threat actors is all about staying up to date with the threat actor’s latest techniques and tools. Keep your security patching up to date, make sure employees are cyber aware, and ensure security technologies are fit for purpose. 

Here are the main kinds of threat actors, their motivations, how they typically operate, and how to defend against them.

1) Organized Cyber Criminals 

The threat actor that businesses are most likely to ‘meet’ are organized cybercriminals. They make money by stealing data, tricking you into transferring money, stealing login credentials, encrypting data and then extorting you for a ransom, or defrauding you. 

These threat actors learn fast and constantly evolve their techniques and tools to stay ahead of the defenders. What these threat actors like about cybercrime is that it offers much bigger rewards for far less risk than regular crime, like bank robbery.

Cybercrime is a low-risk for criminals because they can hide their identities online and launder their ill-gotten gains using cryptocurrency. This is the type of threat actor behind most of the splashy cybercrime headlines about ransomware and business email compromises.

According to the Verizon 2020 Data Breach Report [1], this group is still using the most common and low-cost techniques to infiltrate our businesses. Their favorite attack is by email, typically a phishing email that tries to get your credentials or get you to download a malicious attachment. 

How to protect against them - To defend against criminal threat actors, it is essential that your endpoints (and networks) are being protected by modern endpoint protection tools. The tools ideally include intrusion detection and response, next-generation antivirus, and a good security team monitoring for alerts and proactively hunting for threats - services that Digital Hands can provide you with. 

One must be able to detect any potentially anomalous or malicious behavior as it occurs and have remediation capabilities and processes in place to deal with the threats in a timely fashion. It’s also important to regularly update applications and operating systems with any security patches.

It is important to have a strong incident response plan in place, too. That way, all team members know how to respond in the event of a cybersecurity incident.

2) APT Groups 

APT stands for advanced persistent threat. These threat actors have become very busy over the last decade, as 20-30 countries wage cyberwar against each other for political, military, economic, and commercial gain. 

Think of APT groups as industrial or nation-state spies engaged in espionage, political manipulation, and IP theft. They typically target politicians and political groups, the defense industry, government institutions, and large strategic businesses. 

APT threat actors are hard to detect, primarily because they are very advanced in their methods and tend to use custom malware or zero-day vulnerabilities that security systems cannot identify or recognize. They go by many different assignations and colorful nicknames like APT1 (the Comment Crew) or APT36 (Mystic Leopard).

To learn more about individual APT groups, here is an excellent public resource [2] that identifies different groups and their characteristics. Even though APTs are primarily focused on missions that will be of benefit to their own country or government sponsor, sometimes normal businesses accidentally get caught up in the cyberwar. This happened to Maersk when the Russians attacked Ukraine with a cyberweapon called NotPetya. 

APT groups also engage in cybercrime for financial gain. The North Korean government-sponsored APT group Lazarus likes to engage in theft from financial organizations and SWIFT bank cyber robberies as a way of generating funds for their regime. They also like to attack and steal from cryptocurrency exchanges. 

How to protect against them - Defend against APT groups the same way you would cybercriminals. However, double down on those strategies and have excellent threat hunting capability to detect them on networks. 

If you have IP or digital assets that are attractive to a nation-state APT group, engage in thorough risk, vulnerability, and security assessments. We wrote about detecting APT threat actor attacks in a previous article. Be sure to review our five key tips on spotting APT attacks and mitigating against them.

3) Insider Threats 

Sometimes, employees turn against employers, which can have a devastating impact on a business and security. Because they enjoy privileged insider access to systems and networks, they can be a much more serious threat actor than cybercriminals or APT groups. 

However, don’t just think about insider threat actors as malicious; they can also become threats through their own negligence or even through their own unintentional mistakes. According to the Verizon Data Breach report, 22% of breaches were caused by employee errors. Insider threats know your security and have valid credentials to systems. 

How to protect against them - Tracking insider threats is all about tracking unusual or anomalous employee behavior. To do so effectively, you need full visibility across systems and networks, the capability to properly monitor alerts as they arise, and prompt and appropriate issue response.

This takes a SOC team and a SIEM to handle properly - something that Digital Hands can take care of when an organization lacks the internal capability. Lock down endpoints and give each employee only as many privileges as they need. Never give full admin control over machines and the right to install any application they want. 

Also, see that employees receive regular cybersecurity training to increase their awareness and make sure they don’t click on malicious links.

4) Lone Wolf Hackers

The cybersecurity world contains a large number of individuals who want to hack computers because they can. We call these lone wolf hackers ‘script kiddies’. Usually, they are young people who acquire hacking tools built by more talented hackers. Script kiddies use those tools for fun because they can. 

There are more capable and talented lone wolf hackers who also want to hack IT infrastructure because they can, but both represent a serious threat to organizations. A good example is a former Amazon employee who, for no apparent reason, hacked CapitalOne and caused a data breach impacting 100 million CapitalOne customers. 

As a result of the breach, CapitalOne faces several lawsuits and could ultimately cost the company as much as $150 million in fines and settlement fees. There are countless examples of lone wolf hackers engaging in this sort of behavior. It's what makes this threat actor group the most unpredictable - their attacks seem to come out of the blue. 

How to defend against them - Use all of the security controls we have already mentioned, but also to consider a good EDR (endpoint detection and response) solution to protect end-users against random and non-targeted attacks like this. 

It is also important to give employees anti-phishing training. Many of these lone wolves (along with other threat actors) use phishing to gain a foothold in systems. Phishing kits are also very popular with the script kiddie community, who love to try and catch unsuspecting phish and try to hack you. 

5) Hacktivists (Activist Hackers) 

Hacktivists are hackers with a cause. Because their motives are often political, they do not try to be stealthy. They want to send a message as publicly as possible. Hacktivists choose targets because of their politics, the kind of business they engage in, or the kind of customers they have. 

Hacktivist groups like LulzSec and Anonymous have attacked the CIA and governments in the past with DDoS attacks. They have also attacked a large number of businesses and public organizations by defacing their websites and taking over their Twitter feeds to post political messages about their cause.

How to protect yourself against them - Since hacktivists tend to deface websites and social media feeds, it's important to have strong passwords protecting social media accounts and web hosting accounts. It's also important to implement MFA (multi-factor authentication) and 2FA (two-factor authentication). Because hacktivists sometimes attack their targets with DDoS attacks, have a plan in place for mitigating such an attack. 

Update your incident response plan to include a strategy for dealing with any reputational and credibility damage from the fallout of a hacktivist attack against your organization.

Final Thoughts

There’s a wide range of threat actors in the wild that modern businesses need to defend themselves against. Doing so effectively requires a significant investment in cybersecurity people, processes, and technology. 

To recognize threats against systems and people before they become an issue, make investments in SIEM, EDR, and other cybersecurity technologies, as well as the people to leverage those technologies. This can represent a significant capital investment and resource spend. 

Alternatively, outsource elements of your cybersecurity to an MSSP like Digital Hands. We have already made those investments on behalf of our customers. We have trained staff and the right technologies to effectively secure your business and employees.

 

References:

1)https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
2)https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit?usp=sharing

Recent Blogs

5 Characteristics to Look for in a Good Endpoint Security System

Read More

Why Companies Need Endpoint Detection & Response (and Not Just Enterprise Antivirus)

Read More

5 Signs Your Vulnerability Management Solution Isn’t Working

Read More