Understanding hackers: The 5 primary types of external attackers
No one wants to get hacked, that’s simply a fact. But who are these faceless enemies that would attack you, anyway?
Despite what the media might suggest, “hackers” are not a single idea. (In fact, “hackers” aren’t even inherently bad: that term simply refers to someone who makes things behave differently than intended. Good guys do that too.)
Download Ted's free ebook, "How to secure your software faster and better."
So let’s be more precise in how we talk about who you are up against. There are five types of attackers that operate from outside your company: casual hackers, hacktivists, corporate espionage, organized crime and nation-states.
In order to defend, it’s important to understand who the attacker is and what motivates them. Just like the scout for a professional sports team who studies his opponent in order to better compete on game day, you want to understand your attackers so you can better defend against them.
#1: Casual hacker
The first group is the casual hacker. Casual hackers (also known as individual hackers or small-group hackers) are explorers, problem solvers and even anarchists. They see hacking as a challenge. They might not even be malicious. They just want to prove they can do it.
For example, thanks to casual hackers, San Francisco drivers once saw digital construction signs along the freeway declaring: “GODZILLA ATTACK! TURN BACK!” This of course wasn’t a real attack (at least not by Godzilla); it was just a prank.
To determine if you should concern yourself with this attacker, ask yourself:
- Do you have a prominent brand? If so, a casual hacker would want to brag about exploiting you. Your fame becomes transferable to them if they’re successful.
- Do you have “cool” technology? If you make something cutting edge, newsworthy or with a strong fan base, a casual hacker might want to brag about hacking it. Your “cool” factor is transferable to them.
- Could you be used in a stunt? Like the roadside construction signs, if there’s a fun way to pull a prank, a casual hacker may want to attack your technology.
Casual hackers might not even be malicious (although many are), yet wreak havoc simply through the act of exploration.
#2: Hacktivists
The second category of likely attackers is the hacktivist. Hacktivists have an ideology and attack in order to draw attention to it. This group includes terrorists who pursue ruthless causes.
For example, when the United States Federal Communications Commission (FCC) voted to repeal a polarizing law around net neutrality, the hacktivist collective known as Anonymous attacked the FCC information systems in retribution.
To determine if you should concern yourself with this attacker, ask yourself:
- Do you have a prominent brand? If so, a hacktivist can obtain media exposure for their mission because a security breach of a prominent brand is newsworthy.
- Is your business controversial or politicized? If so, hacktivists who hold the opposing view may want to attack to advocate for their ideology.
- Are any of your key executives publicly outspoken about polarizing beliefs? Like it or not, the personal beliefs of key executives become reflections of the company. If those beliefs are polarizing, hacktivists who share opposing views may attack for ideological reasons.
Even if you agree with their ideology, it’s important to remember that hacktivists attack to do damage, even when it’s for the sake of taking a political stand or highlighting a cause.
#3: Corporate espionage
The third category of attackers is corporate espionage. Some companies attack each other to gain a competitive advantage, steal intellectual property or save on research and development (R&D). They have significant budgets and hire elite talent to carry out the attacks.
As an example, Chris Correa was an executive for the Saint Louis Cardinals who found a way to access the databases of a rival team. He obtained scouting reports, players’ medical histories and contract negotiation details. The attack went on for years.
To determine if you should concern yourself with this attacker, ask yourself:
- Do you protect valuable information or other assets? If so, this attacker might want to obtain the competitive advantage you possess.
- Do you protect valuable intellectual property in development? If so, this attacker could save time and money by stealing it in order to accelerate their own R&D.
- Do you hold the dominant competitive position in your marketplace? If so, this attacker might want to chip away at your advantage in order to increase their own competitive position.
Every company has competitors. The question is whether or not yours are willing to act maliciously to get the upper hand.
#4: Organized crime
The fourth category is organized crime. Their motivation is, perhaps, the most obvious: to make money. Organized criminals have extensive financial resources, time and skills. They’re among the most capable adversaries you’ll face.
For example, in the middle of the global COVID-19 pandemic, a group called The Maze Team attacked Texas’s Affordacare Urgent Care Clinic and held their systems hostage. The attackers demanded a ransom to unlock the systems so medical staff could get back to treating patients.
This demonstrates that profit is an incredibly strong motivator, even when it could literally cost lives.
To determine if you should concern yourself with this attacker, ask yourself:
- Do you need access to your data or operational capabilities every minute, without exception? If so, this attacker might attack in ways that prevent the availability of services in order to force you to pay quickly to avoid downtime.
- Do you protect valuable data or intellectual property that has monetary value to other companies, governments or groups? If so, this attacker might want to steal those assets in order to monetize them.
- Is your company publicly traded? If so, this attacker might take a short position on your stock and then attack in order to drive the stock price down when the news breaks of your security breach.
Making money is enormously motivating, so if your system provides criminals a way to make some by attacking, you should be wary of this attacker type.
#5: Nation-states
The ultimate category of possible attackers is nation-states. Nation-states are the most capable and dangerous attacker type there is. They are countries who seek geopolitical advantage. They have tremendous resources, including plenty of money, skill and computational power.
Consider NotPetya, a strand of malware used in what is considered to be one of the most devastating cyberattacks of all time, which experts widely attribute to Russia’s intelligence services. The attack spread rapidly, shutting down or outright destroying operations for businesses all over the globe.
To determine if you should concern yourself with this attacker, ask yourself:
- Do you collect information that would be beneficial to a rival nation-state (such as location tracking, usage behaviors or other data about the people of your own nation)? If so, nation-state actors might want this information to inform their financial, political and other strategies as they compete against your nation.
- Are you involved with critical infrastructure, such as delivery of medical care, power, water, emergency services, food supply, manufacturing, public health, cybersecurity or any other basic needs of your nation? If so, a nation-state actor may want to disrupt these services, either as a stand-alone attack or in conjunction with a physical attack.
Many companies assume that a nation-state would not focus on them, but don’t be so sure. Even if it’s not immediately obvious to you, consider ways that a nation-state actor could achieve geopolitical gain by attacking your system.
Motivation matters
Defending against attackers requires thinking like them. A key element of that is understanding who your attackers are and what motivates them.
Now that you know who the primary external attackers are, and why they might want to attack your company, you can lay the foundation of your security plan. To do that, next you’ll want to identify the assets you want to protect, the areas of your system that are exposed to attack, and how those areas might be abused or misused.
For now, simply take the first step of understanding who you’re up against. Recognize that they’re not all the same, and, finally, recognize that attackers are just like you and me — they’re driven to do things because of what motivates them.
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- Understanding hackers: The 5 primary types of external attackers
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
- Introduction to the OWASP API Top Ten
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security