Sun Tzu, the renowned military strategist and author of The Art of War, was known for the saying, “Know thy enemy and known thyself, and you will not be imperiled in a hundred battles.” While the true intention of this quote is likely to remind us that knowing our own strengths and weaknesses is equally important to knowing those of your enemy, I can’t help but simplify it to the rudimentary, “know thy enemy.”
I suspect most security professionals, me included, spend much more time analyzing the technical and mechanical aspects of cyber crime than the social and psychological ones. We dissect attacker’s malware and exploit tools, analyze their code and exploit techniques, but don’t always study who they are and why they do what they do. According to General Tzu, this is a good way to lose many battles.
In order to better understand the nature of the cyber threat, security professionals need to act more like criminal investigators, and consider means, motive, and opportunity. We’ve got the means down (tools and techniques), but some of us may need to work a bit on motive. One of the ways to do that is to understand the different hacker profiles.
Over the last few years, the general hacker profiles and motives have changed quite a bit. We no longer live in a world of fame seeking hackers, script kiddies, and cyber criminals—there are some new kids on the block. It’s important for you to understand these motive and profile changes, since they dictate what different types of hackers are ultimately after, whom they target, and how they tend to do business. Knowing these things can be the key to helping your understand which of your resources and assets need the most protection, and how you might protect them.
With that in mind, I’d like to share some quick highlights about the three main type of attackers I think plague us today:
1. The Hacktivist
Simply put, hacktivists are politically motivated cyber attackers. We’re all familiar with traditional activists, including the more extreme ones. Over the past five years, activist have realized the power of the Internet, and have started using cyber attacks to get their political message across. A few examples of hacktivist groups include the infamous Anonymous, and the more recent Syrian Electronic Army. Most hacktivist groups tend to be decentralized and often not extremely organized. For instance, there can be cases where one factor of Anonymous may do things another factor doesn’t even agree with.
As disorganized as they may sound, these activist groups can cause significant problems for governments and businesses. They tend to rely on fairly basic, freely available “Skript Kiddie” tools. For instance, their most common weapon is a DDoS attack, using tools like HOIC or LOIC. However, the more advanced hacktivists also rely on web application attacks (like SQLi) to steal data from certain targets, with the goal of embarrassing them—something they like to call Doxing.
While hacktivists are arguably the least worrisome of today’s attackers, they still have succeeded in causing havoc for many big companies and governments. Since these hacktivist’s political agendas vary widely, even small businesses can find themselves a target depending on the business they are in or partnerships they have.
2. Cyber Criminals
You’re probably most familiar with the cyber criminal hacker profile, since they’ve been around longer than the other two. This group’s motive is pretty obvious; to make money using any means necessary.
Cyber criminal groups can range from a few lone actors who are just out for themselves, to big cyber crime organizations, often financed and headed by traditional criminal organizations. They are the group of hackers responsible for stealing billions of dollars from consumers and businesses each year.
These criminal attackers participate in a rich underground economy, where they buy, sell and trade attack toolkits, zero day exploit code, botnet services, and much more. They also buy and sell the private information and intellectual property they steal from victims. Lately, they’re focusing on web exploit kits, such as Blackhole, Phoenix, and Nuclear Pack, which they use to automate and simplify drive-by download attacks.
Their targets vary from small businesses and consumers, whom they attack opportunistically, to large enterprises and industry verticals, who they target with specific goals in mind. In a recent attack on the banking and credit card industry, a very organized group of cyber criminals was able to steal 45 million dollars globally from ATMs, in a highly synchronized fashion. The attack was made possible due to an initial, targeted network breach against a few banks and a payment processor company.
3. Nation States (or State-Sponsored Attackers)
The newest, and most concerning new threat actors are the state-sponsored cyber attackers. These are government-funded and guided attackers, ordered to launch operations from cyber espionage to intellectual property theft. These attackers have the biggest bankroll, and thus can afford to hire the best talent to create the most advanced, nefarious, and stealthy threats.
Nation state actors first appeared in the public eye during a few key cyber security incidents around 2010, including:
- The Operation Aurora attack, where allegedly Chinese attackers gained access to Google and many other big companies, and supposedly stole intellectual property, as well as sensitive US government surveillance information.
- The Stuxnet incident, where a nation state (likely the US) launched an extremely advanced, sneaky, and targeted piece of malware that not only hid on traditional computers for years, but also infected programmable logic controllers (PLCs) used in centrifuges. The attack was designed to damage Iran’s nuclear enrichment capabilities.
Unlike the other hackers’ tools, state-sponsored attackers create very customized and advanced attack code. Their attacks often incorporate previously undiscovered software vulnerabilities, called zero day, which have no fix or patch. They often leverage the most advanced attack and evasion techniques into their attack, using kernel level rootkits, stenography, and encryption to make it very difficult for you to discover their malware. They have even been known to carry out multiple attacks to reach their ultimate target. For instance, they might attack a software company to steal a legitimate digital certificate, and then use that certificate to sign the code for their malware, making it seem like it comes from a sanctioned provider. These advanced attacks are what coined the new industry term, advanced persistent threat (APT).
While you’d expect nation state attackers to have very specific targets, such as government entities, critical infrastructure, and Fortune 500 enterprises, they still pose some threat to average organizations as well. For instance, sometimes these military attackers target smaller organizations as a stepping-stone for a bigger attack. Furthermore, now that these advanced attacks and malware samples have started to leak to the public, normal criminal hackers have begun to adopt the advanced techniques, upping the level of traditional malware as well.
Understanding the motives, capabilities, and tools of these three hacker profiles gives you a better idea of what types of targets, resources, and data each one is after. This knowledge should help cater your defenses to the types of attacker you think are most relevant to the business or organization you protect.
Now that you know a little about your enemy, you can focus on getting to know yourself, and match your defenses to your most likely enemy. Once you’ve done that, you will not be imperiled in a hundred cyber battles. — Corey Nachreiner, CISSP (@SecAdept)
To spread the knowledge about today’s three main cyber threat actors, WatchGuard has created a fun and fact-filled info-graphic. Check it out below, and be sure to share it with your friends and co-workers to spread the word.
WatchGuard profiles the three main classes of cyber attackers.
July 25, 2015 
WatchGuard Security Center 