12. Threat Actors and Motivations

ND545 C3 L1 A08 Threat Actors And Motivations Part 1 V2

Overview

Behind every attack is a human being with a reason. Understanding the culprit and their motivation can help security professionals better defend against attacks. You’ll need to understand how to use event context to identify potential threat actor motivations.

External Threats

Threat actors can be categorized as internal or external. They can also be further categorized by their motivations and traits.

External Threat Actors and Motivations

  • Cyber criminals are financially motivated individuals who carry out attacks mainly for monetary reasons.

  • Cyber terrorists are defined as "individuals or groups who use violent or 'virtually' debilitating means to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature." Source: https://www.fbi.gov/investigate/terrorism

  • Nation-state actors are attackers who sabotage military or critical infrastructure. Other variations include espionage and cyber warfare.

  • Hacktivists are groups who carry out attacks to advance political or social causes.

  • Script kiddies are curious newbies with minimal cyber skills who are just playing around or launching beginner attacks.

Reference: NIST

Internal Threats

ND545 C3 L1 A08 Threat Actors And Motivations Part 2

Internal Threat Actors and Motivations

A significant portion of breaches stem from internal employees and contractors within a company. Here are common internal threat actors and their typical motivations:

  • Criminal insiders are individuals who steal from their employers or engage in other unauthorized activities that cause harm. They are usually financially motivated.
  • Oblivious insiders are naive individuals who fall for social engineering attacks or engage in other unintentional activities that expose the company to risks.
  • Third-party insiders are individuals who may not work directly for the company but have authorized access as a vendor or partner working with the organization.
  • Disgruntled insiders are employees who are unhappy with the organization and seek to retaliate, often through digital resources and exploitation.
  • Terminated insiders are individuals who are no longer with the company but steal data as they are leaving or still have access after their separation from the company.

There is often overlap between threat actor motivations. Sometimes you’ll find multiple motivations in one threat actor or group, making it hard to pinpoint the exact intent of an attack. When this is the case, it’s important to note your hypotheses and theories, but don’t get too hung up on it. Remember that in threat assessment, a lot of the work is hypothesizing and building theories based on research. There are a lot of variables and sometimes unclear answers, and that’s okay. Also, some threat actors use obvious motivations as smoke screens for a hidden agenda. For example, attackers sometimes launch ransomware attacks not for the financial gain of the ransom, but to encrypt and hide their activity on the target network. What appears to be a financially motivated threat actor could in fact be espionage or something totally different.

Additional Resource

Explore real information on threat actors aggregated and shared by MITRE: https://attack.mitre.org/groups/