The Ultimate Kali Linux Book - Third Edition

By: Glen D. Singh
Overview of this book

Embark on an exciting journey into the world of Kali Linux, the central hub for advanced penetration testing. Whether you are honing your pentesting skills, exploiting vulnerabilities, or conducting advanced penetration tests on wired and wireless enterprise networks, Kali Linux empowers cybersecurity professionals. This third edition goes further, guiding you through setting up your labs and explaining breaches of enterprise networks. Designed for newcomers and those curious about penetration testing, this guide is your fast track to learning pentesting with Kali Linux 2024.x. Think of this book as your stepping stone into real-world situations: it walks you through lab setups and core penetration testing concepts. As you progress, you'll explore the vulnerability assessment toolkit in Kali Linux, where information gathering takes the spotlight. You'll learn how to find target systems, uncover device security issues, exploit network weaknesses, maintain control of compromised systems, and test web applications. The journey ends with advanced web application testing techniques and industry best practices. By the time you finish, you'll be ready to tackle advanced enterprise network testing with newfound skills and confidence.
Table of Contents (21 chapters)

Identifying threat actors and their intent

As an aspiring ethical hacker and penetration tester, it’s important to develop a good moral compass and understand the differences between various types of threat actors and the motives behind their cyber-attacks. Let’s take a closer look at the following list of common types of threat actors in the cybersecurity industry:

  • Script kiddie – A script kiddie is a common type of threat actor who is not necessarily a young adult or a kid. Rather, it is someone who lacks the technical understanding to perform a cyber-attack or develop a threat on their own. Instead, a script kiddie follows the instructions, tutorials, or ready-made tools published by more capable hackers to perform attacks against a targeted system or network.

    While you may think a script kiddie is harmless because the person lacks the required knowledge and skills, they can cause as much damage as, or more than, a skilled attacker simply by following instructions and tutorials posted by malicious actors on the internet. This type of hacker runs tools without understanding how they actually work, which often causes more harm than even the attacker intended.

  • Cyber terrorist – Cyber terrorists perform cyber-attacks that are designed to compromise communication channels and systems, with the intention to cause enough damage and disruption to create fear and/or intimidate a targeted society to achieve an ideological goal.
  • Hacktivist – Across the world, there are many social and political agendas, and there are many people and groups who either support or oppose them. You will commonly find protesters who organize rallies and marches or even perform illegal activities such as the defacement of public property.

    A hacktivist is a threat actor who uses their hacking skills to perform malicious activities, such as defacing websites or launching Denial of Service (DoS) attacks, in support of a political or social agenda. While some hacktivists believe they are acting for a good cause, keep in mind that unauthorized hacking is still illegal and the threat actor can face prosecution by law enforcement. This is why ethical hackers and penetration testers are required to obtain written legal permission before performing any attacks on a target.

  • Insider – Many threat actors know it's more challenging to break into an organization from the internet and easier to do so from within the targeted organization's network. Some threat actors create a fake identity and curriculum vitae with the intention of applying for a job at their target and becoming an employee; this threat actor is commonly referred to as a malicious insider. Once hired, the person has access to the internal network and gains insight into the network architecture and security vulnerabilities of the company. This type of threat actor can then plant network implants on the network and create backdoors for remote access to critical systems.

    Note

    Network implants can be software- or hardware-based. A software-based network implant is malicious code installed and running on a compromised system that enables the threat actor to remotely access and control the target. A hardware-based network implant is a physical device connected directly to the target's internal network, which the attacker connects to remotely in order to perform attacks from inside the network. Both kinds of implant are commonly used for monitoring, control, and data exfiltration.

    In addition, there are unintentional insiders: legitimate employees who unintentionally cause harm to the organization's systems and network through negligence, such as connecting a personal USB flash drive to a company computer.

  • State-sponsored – This type of threat actor is commonly referred to as a nation-state actor. While many nations will send their army of soldiers to fight a war, many battles are now fought within cyberspace (including espionage, disruption, influence operations, and preparing the battlefield for potential physical conflicts); this is known as cyber warfare. Many nations have realized the need to develop and enhance their cyber defenses to protect their citizens, national assets, and critical infrastructure from cyber criminals and other nations with malicious intent.

    Therefore, a government may hire state-sponsored hackers who are responsible for performing reconnaissance (intelligence gathering) on other countries and protecting their own country from cyber-attacks and emerging threats. Some nations use this type of threat actor to gather intelligence on other countries and even compromise the systems that control the infrastructure of public utilities or other critical resources. Keep in mind that state-sponsored threat actors are not only employed by governments but can also include groups or individuals funded, directed, or aligned and supported by national governments.

    Note

    Cyber espionage involves the stealthy extraction of classified, sensitive, or proprietary information. This can include technological blueprints, government plans, or even personal information of key individuals.

  • Organized crime – Around the world, we commonly read and hear about crime syndicates and organized crime groups. Within the cybersecurity industry, there are also criminal organizations made up of a group of people with shared goals. Each person within the group is usually an expert with a specialized skill set: one person may be responsible for performing extensive reconnaissance on the target, while other roles include social engineering experts, network penetration specialists, malware developers, money laundering specialists, and even legal advisors. Each role contributes to the syndicate's success by leveraging specific expertise.

    When this level of effort and resources is brought to bear over a sustained campaign, the group is often described as an advanced persistent threat (APT). Within such an organized crime group, there is usually a person responsible for financially funding the group to provide the best resources money can buy and ensure the attack is successful. The objective of this type of threat actor is usually large-scale, such as stealing the target's data and selling it for financial gain.

  • Black hat – A black hat hacker is a threat actor who uses their hacking skills for malicious reasons. This is a broad category: these hackers can be anyone, and their reason for attacking a targeted system or network varies. Sometimes they hack to damage their target's reputation, steal data, or simply as a personal challenge, to prove a point, or for fun.
  • White hat – White hat hackers form another broad category, encompassing the industry’s good people. This type of hacker uses their skills to help organizations and people secure their networks and safeguard their assets from malicious hackers. Ethical hackers and penetration testers are examples of white hat hackers as these people use their skills to help others in a positive and ethical manner.
  • Gray hat – A gray hat hacker sits between the white hat and the black hat hacker. In the sense used here, the gray hat hacker has a hacking skill set and uses it to help people and organizations during the day as a cybersecurity professional, but uses the same skills at night for malicious reasons. The term is also widely used for someone who probes systems without authorization but without malicious intent, for example by reporting a vulnerability they were never permitted to look for; this is still illegal. As previously mentioned, ethical hackers and penetration testers have a good moral compass, whereas gray hat hackers step outside that moral zone and may use their skills for malicious purposes.

With the continuous development of new technologies, curious minds will always find a way to gain a deeper understanding of how a system works. This often leads to the discovery of security flaws in its design, which eventually enables someone to exploit the vulnerability. Having completed this section, you have learned the characteristics of various threat actors and their motives for performing a cyber-attack. Next, you will gain a deeper understanding of what matters to threat actors when planning a cyber-attack on a target.