Where to Invest in Cyber Security?  First Understand Attacker’s Motives

Companies Need to Understand Cyber Criminals’ Goals in Order to Properly Manage Risk

It seems like every week there is another cyber attack in the news, resulting in an insatiable appetite from technology teams to add new tools to protect their firms.  How should boards and non-technical executives decide where to spend time and money, since the essence of any great strategy is knowing what not to invest in?

Answering that question involves answering another one: who is doing these attacks, and why?

It turns out that there are different types of threat actors, with differing motivations, that use different methods.  Understanding the “actor-motive-method” framework is key to smart risk management and governance; it allows one to focus investment on controls that align with likely attacks without over-investing in controls that are unlikely to be needed.  Imagine an attacker that wants to do harm to the pharmaceutical industry, and who developed a unique cyber-weapon.  If you are in pharma, you need to defend against it.  If you aren’t, there may be better places to invest resources.  “Actor-motive-method” lets you quickly determine whether a newsworthy attack method is material for you.

It’s worth exploring five types of actors, their motives, and some commonly used methods aligned with their goals.

Actor 1: Nation States

Most nation states engaged in hacking are motivated by either espionage or are preparing for cyberwar.  Espionage targets may have proprietary methods and know-how (industrial espionage) or may have valuable data related to national security or public figures.  If you are a defense contractor, healthcare provider, or part of critical infrastructure, you are a target of interest.  If you are a retailer, maybe not.  It’s valuable to view your business through a potential attacker’s lens to understand if compromising you matters to them.

Heavily sanctioned countries, such as Iran and North Korea, are also believed to execute attacks that steal money as a way to mitigate the impact on their economies.  This is far from common, but it’s important to focus specifically on the methods they employ if your company holds significant assets.  Additionally, Russia is believed to have executed disinformation campaigns in which media organizations are a target.

Because they don’t wish to be detected, many of the methods used by nation states are stealthy.  Exploiting “zero day” and unpublished vulnerabilities is common, as are targeted “spear phishing” campaigns and attacks through trusted third parties (vendors with privileged access, software supply chains, etc.).

Actor 2: Activists

In contrast with nation-states, activists generally want to draw attention to themselves and a cause.  Their goal is often to disrupt widely used systems and services to maximize impact.  They seek not just visibility, but want their damage or disruption to be attributed to them.  Anonymous is a commonly cited example, often focused on socio-political causes.

Specific actors may focus on a particular target or industry, particularly when they feel their cause has been wronged in some way.  Media organizations are often targets after unflattering publications.  Critical infrastructure is a common target because of the potential for widespread disruption.  It’s common for these actors to use methods like Denial of Service attacks, “wiper” software to delete data, and compromised login credentials.

Actor 3: Organized Crime

Most organized criminal gangs are financially motivated; they want to steal money or monetary equivalents like cryptocurrency, extort payment, or steal data that can be readily sold.  These attackers are unconcerned about attribution to their organization so long as payment is received, as they often operate with impunity from places with a weak rule of law.  In some cases, they are protected by a government in exchange for only attacking geo-political rivals.

These actors tend to use less sophisticated methods than nation states, such as demanding payment to stop ransomware or Denial of Service attacks, and are less specific in their targeting.  Anyone with a high profile and perceived ability to pay is an extortion target.  Theft of data and account compromises often leverage social engineering, exploiting vulnerabilities, and phishing.

Actor 4: Employees & Partners

Most attacks from employees, contractors and partners are crimes of opportunity.  Theft is a significant motive behind what’s called the “insider threat”, but vandalism and data destruction motivate those who have been recently dismissed or reprimanded.  The trusted access given to insiders can let them do significant harm, requiring controls like “least privilege” (limiting access to only what people need to do their job) and “maker-checker” (having an independent reviewer look at high risk things).

Most attacks by insiders are either meant to go undetected, or to be hard to attribute.  Administrative account compromise, intentional misuse of legitimate access, and destructive “time bombs” are common methods used.

Actor 5: Independent Individuals

Individual attackers have a variety of motivations.  Some seek financial gain, others simply want attention or prestige.  While a few have sophisticated skills, the vast majority are referred to as “script kiddies”, less-capable people running brute force attacks or using tools they acquired from others.

Many organizations have some level of exposure to these attackers, and their methods vary widely, but their lack of sophistication allows much of the threat to be mitigated by simple controls like firewalls, antivirus, patching, and good authentication (strong passwords or multi-factor authentication).


Most attacks are meant to (or quietly prepare to) damage infrastructure, steal money or IP, access customer information or other sensitive data, disrupt service, damage a reputation, or disseminate misinformation.  Variations and combinations of these exist, of course, and different actors have different methods and capabilities.  Once you know who is most likely to have an interest in attacking your business, and why, you can determine the current and evolving methods they might employ.

Understanding actor-motive-method allows you to invest more in the right levels of controls against the right forms of attacks, in the right places.