  1. Script Kiddie:
    1. Unskilled individuals who use programs developed by others to attack computer systems
    2. Attributes:
      1. Internal/External:
        1. External to their target
      2. Level of Sophistication:
        1. Typically have limited resources.
      3. Resources/Funding:
        1. The amount, sophistication, and extent of their attacks are constrained.
      4. Intent/Motivation:
        1. Motivated by prestige.
  2. Hacktivist:
    1. Individuals or members of (typically small) groups
    2. The term hacktivist is often applied to a range of different activities:
      1. Hacking for social change
      2. Hacking to promote political agendas
      3. Cyberterrorism
    3. Attributes:
      1. Internal/External:
        1. Hacktivists could be internal or external to their target, but are typically external.
      2. Level of Sophistication:
        1. Hacktivists widely vary in their skills.
      3. Resources/Funding:
        1. Hacktivists vary in resources and funding.
      4. Intent/Motivation:
        1. Motivated by anger, justice, or sometimes a political or social cause
        2. Seek to embarrass or deface their target
  3. Organized Crime:
    1. Groups that send spam, phishing emails, ransomware, and spyware. They generally do not have specific targets; instead, they seek as many targets as possible.
    2. Attributes:
      1. Internal/External:
        1. External to their target. May target channels internal to an organization, such as company email.
      2. Level of Sophistication:
        1. Can be highly sophisticated
      3. Resources/Funding:
        1. Often well-funded
      4. Intent/Motivation:
        1. Motivated by money
  4. Advanced Persistent Threat (APT):
    1. Nation-state operations that slowly gather information, use covert methods, and are rarely discovered.
    2. Attributes:
      1. Internal/External:
        1. May be both internal and external to their attack target.
      2. Level of Sophistication:
        1. Rarely use flashy tactics. Attack surfaces used by APTs are well-tested and rarely discovered.
      3. Resources/Funding:
        1. An APT entity has the highest level of resources, including open-source intelligence (OSINT) and covert sources of intelligence.
      4. Intent/Motivation:
        1. Motivated by knowledge (information)
  5. Insiders:
    1. Three categories:
      1. Uneducated Trusted Insiders:
        1. This individual is likely to be taken advantage of through social engineering techniques, or to unwittingly initiate a backdoor or privilege escalation attack.
        2. The success of such an attack depends on your security policy and employee training.
      2. Educated Trusted Insiders:
        1. System Administrators
        2. CEOs
        3. Other IT Personnel
        4. HR (Access to Personnel Information)
      3. Educated Untrusted Insiders:
        1. Disgruntled Employees
        2. An employee with a history of mental illness or disciplinary problems
        3. Triggered by a stressful event:
          1. Personal issues
          2. Unfavorable performance review
          3. Passed over for promotion
    2. Risk Mitigation:
      1. These controls can protect against insider attacks:
        1. Implement Job Rotations
        2. Separation of Duties
        3. Mandatory Vacations for Critical Staff
        4. Perform Background Checks
        5. Onboarding and Offboarding
        6. Use the Principle of Least Privilege
      2. Behavioral Indicators (Source: FBI) of a Potential Insider Attack:
        1. Taking work materials home
        2. Odd interest in issues outside his/her responsibility
        3. Duplication of office material without explanation
        4. Strange patterns of network activity
        5. Using personal hardware and software in the office
        6. Working odd hours
        7. Unexplained foreign contacts/trips
        8. Unexplained affluence
      3. In all cases, these two strategies are key:
        1. Proper employee education (training)
        2. Identifying key assets and points of interest to an attacker