Security+: How to explain threat actor types and attributes
One of the roles of information security professionals is to defend their organization’s systems and data proactively. As with any defensive strategy, this requires knowing the adversary’s tactics and motivations. CompTIA’s Security+ exam tests candidates’ understanding of the main types of threat actors and their characteristics.
Threat actors fall primarily under one of the 28 objectives spread across the Security+ exam domains. Objective 2.1 is "Compare and contrast common threat actors and motivations."
For more information on the Security+ exam, download our free Security+ ebook or learn more about Infosec's Security+ Training Boot Camp, which covers threat actors and more.
Understanding threat actors
While monetary gain is the primary incentive for most cybercriminals, not all threat actors are motivated financially. Some are engaged in political or commercial espionage, others may have a social or political agenda, and still others may be hunting for vulnerabilities to make a name for themselves.
Some attributes that distinguish the different types include their level of sophistication and their resources for carrying out attacks.
We'll cover the main types of threat actors below.
Nation-state actors
Actors sponsored by nation-states are characterized by a high level of sophistication and resources. They’re capable of carrying out large-scale attacks and advanced persistent threats (APTs), which are stealthy attacks whose purpose is to maintain a presence in the network for an extended period of time, typically to collect targeted types of data. APT operators can move laterally through a network and blend in with regular traffic — one of the reasons they can go undetected for months or even years and inflict a high degree of damage on an organization.
Nation-state actors focus on several attack vectors simultaneously and often exploit several vulnerabilities. In recent years, many high-profile attacks have been attributed to them.
Some countries use these sophisticated players to fund their regimes. But more typically, nation-state actors are not motivated by direct financial gain. Their reasons may lie in national security, political espionage, military intelligence, and even attempts to influence another nation’s political process. They may also seek intellectual property data that could ultimately give the sponsoring nation a competitive advantage in the international market.
This category of attackers is well-funded and operates within an extensive support infrastructure that includes multiple hacker networks. Researchers have also been observing international collaboration between different groups of state-sponsored actors.
Organized crime
Another highly sophisticated category is organized crime actors, who are different from state-sponsored ones in that they are most likely to be motivated by profits. That means they typically target data with a high value on the dark market, such as personally identifiable information (PII), banking information or cryptocurrencies. These cyber rings also engage in more sophisticated ransomware attacks.
Organized cybercriminals operate like a business, albeit an underground one. Various individuals within the organized ring specialize in hacking, managing exploits or even “customer service,” and they invest funds in acquiring technology and automation to improve their return on investment.
Hacktivists
The term hacktivist is derived from the words hacker and activist. As the name implies, hacktivists are on a mission, which could be anything from making a political statement to damaging an organization whose views they oppose.
Hacktivists may act alone or in groups and recruit an army of like-minded hackers. Their attacks often follow a pattern and use similar tools and techniques. They can pose a serious threat because they’re determined to reach their goals and increasingly garner the necessary resources to carry out their agenda.
Inside actors
It’s a common misconception that outside cyberattackers are behind every network or data breach. In recent years, external attacks have increasingly become sources of large data breaches. However, information security practitioners must pay attention to insiders because these actors can inflict more damage.
Insiders not only have direct access to sensitive data but also knowledge of internal operations and processes. On top of that, their activity is much less likely to trigger a red flag within the network, and perimeter defenses such as firewalls are largely ineffective against threats that originate inside.
Some internal actors are simply negligent or careless, and this behavior can be addressed through policies and procedures and regular security awareness training. Insiders often become unwitting participants in an attack because outside actors use social engineering and other techniques to obtain insider credentials — compromising an organization with legitimate user credentials is often easier than trying to breach a network perimeter.
When insiders act maliciously, their motivations can vary from financial gain to retribution against a current or former employer. Insiders pose a challenge because malicious actions may be hard to distinguish from the activity that occurs on the network as a regular part of business.
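The insider problem in the two paragraphs above, as an added example that is not from the article: the same valid credential does its normal job for a few days and then does something it never did before, and the only thing that flags it is a comparison against that user's own baseline rather than a perimeter rule. The log lines, the user name jdoe, the cutoff and the volume threshold are constructed assumptions.

```python
from datetime import datetime

# Constructed access log (not from the article): timestamp, user, resource, records read. Every
# event uses one valid account inside the network, so only deviation from the user's baseline shows.
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe hr/payroll 12
2024-03-04T10:40:00 jdoe hr/payroll 8
2024-03-05T09:30:00 jdoe hr/payroll 15
2024-03-06T09:05:00 jdoe hr/payroll 11
2024-03-06T23:47:00 jdoe hr/payroll 4200
2024-03-07T02:15:00 jdoe finance/contracts 900
"""

EMPTY = {"resources": set(), "hours": set(), "max_count": 0}  # read-only, never mutated

def parse_log(text):
    # One event per line -> (timestamp, user, resource, count)
    return [(datetime.fromisoformat(t), u, r, int(c))
            for t, u, r, c in (line.split() for line in text.splitlines())]

def build_baseline(events, cutoff):
    """Per user, learn from events before `cutoff`: resources touched, active hours, largest read."""
    baseline = {}
    for ts, user, resource, count in events:
        if ts < cutoff:
            b = baseline.setdefault(user, {"resources": set(), "hours": set(), "max_count": 0})
            b["resources"].add(resource)
            b["hours"].add(ts.hour)
            b["max_count"] = max(b["max_count"], count)
    return baseline

def flag_deviations(events, baseline, cutoff, volume_factor=10):
    """Return [(event, reasons)] for post-cutoff events that break the user's own baseline."""
    findings = []
    for event in events:
        ts, user, resource, count = event
        if ts >= cutoff:
            b = baseline.get(user, EMPTY)  # an account with no history trips every check
            checks = [(resource not in b["resources"], "new resource"),
                      (ts.hour not in b["hours"], "unusual hour"),
                      (count > volume_factor * b["max_count"], "volume spike")]
            reasons = [label for hit, label in checks if hit]
            if reasons:
                findings.append((event, reasons))
    return findings

def run_sample():
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2024, 3, 6, 12, 0)  # train on the first two and a half days of the log
    return flag_deviations(events, build_baseline(events, cutoff), cutoff)
```

Neither flagged event would be stopped by a firewall or an authentication check, which is exactly the gap the insider category leaves; the baseline here is deliberately simple and would need per-role tuning on real data.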
Script kiddies
Script kiddies are actors who lack the skills to write their own malicious code, so they rely on scripts they can get from other sources. These can be either insiders or outsiders. Script kiddies were once thought to be mostly teens motivated by peer competition or simple mischief.
Their attacks are not very sophisticated, but even if they’re only out for some mischief, script kiddies can still wreak havoc on an information system. From defaced websites to denial-of-service attacks, their actions can result in more than simple embarrassment for the targeted organization.
Like hacktivists, script kiddies use a variety of tools and social engineering techniques and can be quite persistent in carrying out their attacks. With hacking knowledge and resources easily available and tools continuously evolving, script kiddies can pose as much danger as any other malicious actor.
Use of open-source intelligence
One of the challenges of protecting information systems is that malicious actors use many of the same tools used for defense, including open-source intelligence. Open-source intelligence refers to information gained from publicly available sources: both sources that are easy to find, like social media, academic texts and forums, and information that is missed by internet indexing and search engine crawlers.
Hackers use open-source intelligence tools to collect data about their targets, whether for social engineering or other purposes. Information security professionals need to be aware of these tools and techniques, monitor social media channels, and educate their organization’s users about the consequences of sharing information on those channels.
When setting up proactive defenses, it’s much more effective to protect information systems when you know who and what you’re up against. Knowing who the threat actors are, what motivates their actions and what vulnerabilities they may exploit is a fundamental part of creating a solid security strategy.
For more information on the Security+ certification, view our Security+ certification hub and watch our webinar with CompTIA on the latest exam changes.