CompTIA Security+: Threat Actors

Moving right along from the Attacks chapter (social engineering, application, wireless and cryptographic posts here)… threat actors.  Threat actors are the people or groups responsible for the attacks described in the previous chapter.

This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.

Types of Threat Actors

The book defines hacking as “the act of deliberately accessing computer systems and networks without authorization.”  It also refers to the act of exceeding one’s authority in a system.

The book then describes three broad categories of threats–unstructured threats, structured threats and highly structured threats.  They begin by saying that unstructured threats are attacks by an individual or even a small group of attackers.  Attacks at this level are shorter in duration (a few months or less), don’t involve a large number of people, and have very little financial backing.

Later, in the question section, the correct match term to that description is “hacktivists.”  I thought that was confusing and possibly an error in the book.

Script Kiddies

Anyway… first up, script kiddies.  Kind of a pejorative term, script kiddies refer to hackers who don’t have a ton of technical expertise.  They know how to find and use pre-existing scripts (hence the name) or tools to cause damage.

While I thought this term was limited to the infosec community, it has started showing up in some news articles.  Earlier in 2018, concerns over the automated tool kit “Autosploit” and the script kiddies it might empower made it into the press, too.

Hacktivists

The book places “hacktivists” as a step above script kiddies, both in terms of organization and skill.  These people are capable of writing their own scripts (or at least understanding existing scripts and tools well).  Hacktivists are described as a group of hackers working together for a collectivist effort, usually on the behalf of some cause.  I think this is kind of conflating a couple of things, especially as politically motivated hacks become more popular.

Turkish hacktivists were in the news recently for hacking the Twitter accounts of US journalists (and then posting pro-Ergodan messages).  In 2017 and 2018, there were hacktivist attacks on state websites in Michigan and North Carolina, protesting the Flint water crisis and NC “bathroom bill.”  A similar attack happened in Ohio, too, motivation/cause uncertain.

Organized Crime

As businesses move their infrastructure, accounting, etc. onto computer networks, opportunities for bad things increase.  Yes, we’re talking about crime.  Cybercrime.

Again, the book seems to mix two different ideas.  One is that the business reliance on computers allows regular old crimes like fraud, extortion, theft, embezzlement and forgery to all happen through electronics now, as well.  The ability for hackers to monetize their efforts (like in the previous malware section) has allowed for “a criminal cybersecurity marketplace that, in terms of dollars, is larger than the international drug trade.”

Organized crime falls in to the “structured” threat category.  Structured threats are conducted over a longer period of time, have more financial backing, and possible help from insiders.

Recently, hacking group Fin7 was in the news for its impressive levels of organization, and also for three of its members being arrested by the feds.

Nation States/APT

One step above the previous groups are what the book calls “elite hackers.”  Pretty rude to the rest of infosec, amirite?  These people have the ability to write scripts but can also find new vulnerabilities on their own.  This strikes me as being a definition of most security researchers.  The book implicitly seems to agree, noting that most of these folks are employed by cybersecurity firms to combat hacking.

Others are employed by nation states.  One reason for this is “information warfare,” defined as warfare conducted against information and information processing equipment.  Municipal services, telecommunications, water treatment, power grids, finance, etc… an attack on any of these services (even if not government-owned) can have dire consequences for the state or country.

Nation state actors are considered highly structured threats because of the longer time period (years), huge amount of financial packing, and large number of people involved.

This section also covers advanced persistent threats (APTs).  This type of attack involves gaining access to and establishing a long-term presence on another network.  This could be for the purposes of stealing intellectual property, spying on adversaries, etc.

Some recent (and scary) news examples include the electrical grid attack in the Ukraine, as well as threats in the US.  It also includes recent DHS-reported attacks on cloud services.

Insiders

Aaaand from there we’re going to switch back to a completely different categorization.  Insiders are people who are inside the organization under attack, and are either responsible for the attack or are colluding with outsiders (who are responsible).  Insiders are more dangerous than outside intruders, because they understand the systems, and already have digital and/or physical access.

A lot of security measures exist at the boundaries of an organization, to keep intruders out.  It’s much harder to protect against those inside your own walls.  This also applies to non-employees who have access, like cleaning staff, or contractors.

Probably the most famous example of this is Edward Snowden, who stole a bunch of NSA information and then fled the country.

Competitors

Lastly, there are competitors.  Top players within a given field are often in tight competition with each other.  This might encourage the company, or individual people, to steal and then sell or use intellectual property.

In August, there was an interesting case of IP theft from GE, done by an engineer who tried to conceal the theft via steganography.  The book notes that it’s easier to steal data now, given USBs and other data transfer options, than it was decades ago… unfortunately, digital forensics have also improved.

Attributes of Threat Actors

The threat actors mentioned previously could be described via attributes, instead.  The CompTIA Security+ exam will ask questions based on attributes, then you describe the types as understood in the previous section.

Internal vs External

Internal means someone who is an insider.  This means they already have access, which is a big advantage over external actors.

Level of Sophistication

This is, generally speaking, a spectrum from script kiddies to nation-state actors.  The level of sophistication has bearing on the attack group structure (who leads, what methods they use, etc.).  Still, there’s plenty of low-hanging fruit, and potential damage to be created by all levels.

Resources and Funding

As mentioned earlier, individuals or small groups (script kiddies, hacktivists, etc.) have little to no funding.  Nation states and criminal organizations have a lot of funding, at least relatively speaking.

Intent and Motivation

Intent can be one thing, or a number of things.  A less-skilled hacker might be trying to demonstrate that they can do something, create havoc, etc.  They might have a political cause in mind.  APT threat actors, on the other hand, might have business goals (this might be their job, after all).  They might want to avoid detection, and steal something of value.  If they work for a nation-state, there might be patriotism, etc. involved.

Open Source Intelligence

When the book says it wants to talk about open source intelligence, it really means it wants to talk about threat intelligence.

Open source intelligence (OSINT) is information gathered from public sources, so hypothetically, anyone could find this info.

Threat intelligence is gathering info from public and non-public sources to determine which threats are the most serious, and thus, where to focus their efforts.  Like in engineering, you can’t mitigate against everything.  It’s a trade-off of time, resources and “good enough.”

The book then mentions Information Sharing and Analysis Organizations (ISAOs) and Information Sharing Analysis Centers (ISACs).  These groups allow organizations to share the threats they’re seeing (anonymously) in exchange for information from other group members.  This is sort of cybersecurity herd immunity type of thing.  ISAOs are public, ISACs are privately-run but government approved.  The FBI’s Infragard is similar but free.