2.1 Common Threat Actors and Motivations

Threat Actors

Threat actors are individuals or groups who pose security risks to organizations.

Nation-state

Nation-state actors are government-sponsored entities involved in cyber espionage or attacks.

Example: A foreign government targeting critical infrastructure.

```mermaid
flowchart
    subgraph NationState
        nationstate -->|Government-sponsored entities| CyberEspionage
    end
```

Unskilled Attacker

Unskilled attackers lack expertise and use simple attack methods.

Example: An individual attempting a basic phishing attack.

```mermaid
flowchart
    subgraph UnskilledAttacker
        unskilled -->|Lacks expertise, simple methods| BasicPhishing
    end
```

Hacktivist

Hacktivists are individuals or groups using cyberattacks for political or social causes.

Example: A hacktivist group targeting a government website for protest.

```mermaid
flowchart
    subgraph Hacktivist
        hacktivist -->|Cyberattacks for political/social causes| WebsiteProtest
    end
```

Insider Threat

Insider threats originate from within an organization, such as employees or contractors.

Example: A disgruntled employee leaking sensitive data.

```mermaid
flowchart
    subgraph InsiderThreat
        insider -->|Originates from within, employees/contractors| DataLeakage
    end
```

Organized Crime

Organized crime groups engage in cybercriminal activities for financial gain.

Example: A criminal syndicate involved in ransomware attacks.

```mermaid
flowchart
    subgraph OrganizedCrime
        organizedcrime -->|Cybercriminal activities for financial gain| RansomwareAttack
    end
```

Shadow IT

Shadow IT refers to unauthorized or unmanaged technology within an organization.

Example: Employees using unapproved cloud services for work.

```mermaid
flowchart
    subgraph ShadowIT
        shadowit -->|Unauthorized/unmanaged technology| CloudServiceUsage
    end
```

Attributes of Actors

Attributes describe characteristics of threat actors.

Internal/External

Threat actors can be internal (within the organization) or external (outside the organization).

Example: An employee of the organization (internal) versus an outside hacker (external).

```mermaid
flowchart
    subgraph InternalExternal
        internalexternal -->|Can be internal or external| InternalEmployee
        internalexternal -->|Can be internal or external| Hacker
    end
```

Resources/Funding

Threat actors differ in the resources and funding they can bring to a cyberattack, which in turn shapes the tools, time and persistence available to them.

Example: A well-funded criminal organization versus an individual hacker.

```mermaid
flowchart
    subgraph ResourcesFunding
        resourcesfunding -->|May have access to resources or funding| CriminalOrganization
        resourcesfunding -->|May have access to resources or funding| IndividualHacker
    end
```

Level of Sophistication/Capability

Threat actors vary in their level of sophistication and capability to execute attacks.

Example: A highly skilled nation-state actor versus a script kiddie.

```mermaid
flowchart
    subgraph SophisticationCapability
        sophisticationcapability -->|Vary in sophistication and capability| NationStateActor
        sophisticationcapability -->|Vary in sophistication and capability| ScriptKiddie
    end
```

Motivations

Motivations drive threat actors to engage in cyberattacks.

Data Exfiltration

Data exfiltration involves stealing sensitive information for various purposes.

Example: A hacker stealing customer data for sale on the dark web.

```mermaid
flowchart
    subgraph DataExfiltration
        dataexfiltration -->|Stealing sensitive data| CustomerDataTheft
    end
```

Espionage

Espionage activities aim to gather intelligence and sensitive information.

Example: A nation-state actor spying on a foreign government's activities.

```mermaid
flowchart
    subgraph Espionage
        espionage -->|Gathering intelligence| ForeignGovernmentSpying
    end
```

Service Disruption

Service disruption attacks target the availability and functionality of systems or services.

Example: A DDoS attack causing a website outage.

```mermaid
flowchart
    subgraph ServiceDisruption
        servicedisruption -->|Targeting availability/functionality| DDoSAttack
    end
```

Blackmail

Blackmail involves coercing victims by threatening to reveal sensitive information.

Example: Threatening to expose compromising photos unless a ransom is paid.

```mermaid
flowchart
    subgraph Blackmail
        blackmail -->|Coercing by threatening to reveal sensitive information| CompromisingPhotosThreat
    end
```

Financial Gain

Threat actors engage in cybercrime to profit financially.

Example: Stealing credit card information for fraudulent transactions.

```mermaid
flowchart
    subgraph FinancialGain
        financialgain -->|Engaging in cybercrime for profit| CreditCardFraud
    end
```

Philosophical/Political Beliefs

Some actors pursue cyber activities aligned with their philosophical or political ideologies.

Example: Hacking government websites to promote a political cause.

```mermaid
flowchart
    subgraph PhilosophicalPoliticalBeliefs
        philosophicalpoliticalbeliefs -->|Pursuing activities aligned with beliefs| PoliticalWebsiteHacking
    end
```

Ethical

Ethical motivations drive actors to expose wrongdoing or security vulnerabilities.

Example: An ethical hacker discovering and reporting a security flaw.

```mermaid
flowchart
    subgraph Ethical
        ethical -->|Exposing wrongdoing or vulnerabilities| SecurityFlawReporting
    end
```

Revenge

Revenge-driven actors seek retaliation against individuals or organizations.

Example: An ex-employee launching an attack against their former employer.

```mermaid
flowchart
    subgraph Revenge
        revenge -->|Seeking retaliation| ExEmployeeRetaliation
    end
```

Disruption/Chaos

Some actors aim to create chaos or disrupt critical systems.

Example: A cyberterrorist targeting power grids to cause widespread disruption.

```mermaid
flowchart
    subgraph DisruptionChaos
        disruptionchaos -->|Aiming to create chaos/disruption| PowerGridCyberattack
    end
```

War

In some cases, threat actors engage in cyber warfare during conflicts.

Example: State-sponsored cyberattacks during international conflicts.

```mermaid
flowchart
    subgraph War
        war -->|Engaging in cyber warfare during conflicts| CyberWarfareDuringConflict
    end
```