2016 was a year of monumental attacks; Yahoo, Deliveroo and the National Lottery are just a few of the high profile companies to be breached.
Evidently, despite cyber security now being at the top of the agenda for many businesses, cyberspace is not getting easier to defend, and hackers are getting quicker, more focused, more aggressive and more assertive. It is the aggressor who decides the terms of engagement, so it is the aggressor that businesses need to understand.
Organisations need to assimilate intelligence from multiple sources and illuminate blind spots in order to make informed decisions. The problem is that organisations too often rely on raw data alone, forgetting that it is the context around that data that is most valuable. The tactical approach of responding to threats as they happen is no longer enough. It is like mowing the lawn: you cut the weeds off at the top but leave the roots to grow back. Given hackers' adaptability and sophistication, organisations must look at intelligence more strategically. One approach is to understand the objectives of the different types of threat actor targeting organisations. Understanding hackers' motives holds equal value to understanding the vulnerabilities in company networks: it helps organisations identify which of their assets are most valuable to hackers and distribute security resources accordingly.
Bad actors fall into one of three categories based on their motivations: financial gain, intellectual gain and reputational gain.
Financially motivated cybercriminals have a lot to gain from a successful hack. For many, it is their job and they treat it like a profession.
Organised groups are the most efficient at monetising their hacks. They have a well-established supply chain in which different tasks are often supplied by different individuals (spam operations, backdoor operations, carding operations, hosting operations). The "Business Club", which includes the ZeuS author Slavik (Evgeniy Bogachev) and the PCI intrusion actor Dmitriy Smilianets, falls into this group. Less experienced hackers in this realm are known as repeat offenders or disorganised criminals. These range from ShadowCrew (Albert Gonzalez and Stephen Watt) to LulzSec (Sabu). They have gained some skill and have some connections to monetise their gains, but lack the well-oiled criminal connections that organised groups have.
Their aim is to gain access to confidential data such as log-in details, email addresses or personal information, which can be re-sold over and over again. This is arguably the most common type of attack. A key example is the Yahoo breach disclosed in 2016, in which the details of 1 billion accounts were compromised.
Those with a point to prove, or who are focused on making a name for themselves, are known as reputational actors. Hacktivists are the biggest group with a point to prove and are regarded as the common criminals of the cyber world. They have usually acquired some sort of vendetta against a company or person and will use anything they can as a vehicle for revenge: an email, a blog, social media or personal data. Hacktivists make a statement through common techniques such as DDoS attacks or web defacements, as the various Anonymous offshoots do. They are motivated by ideology or politics.
Script kiddies' sole motivation is to make a name for themselves. They lack skill, so they piggyback on existing scripts or tools to break into networks. Web defacements are commonly committed by actors of this kind and act as their calling card; the recent hack on Aberdeen City Council is a good example of hacktivist or script kiddie work. Notoriety, press coverage and getting their name recognised are their only motivation.
Hackers aiming to obtain sensitive data that can be handed to governments and/or businesses for competitive advantage are known as nation-state actors or cyber spies. These are true military and intelligence apparatus. With giant budgets and long-running, persistent programmes, these actors are usually focused on specific political objectives and in-depth intelligence. They are often known as APTs (advanced persistent threats): a set of covert and continuous computer hacking processes carried out over a prolonged period. The tools used by these groups can be extremely complex, but may also be simple, since these groups play to the level of their victim and do not want to burn expensive tools unnecessarily.
It is essential that every part of the business understands the threats it faces. An effective system should be customisable for each individual organisation and aware of all of the possibilities. A well-educated team is invaluable and one of your best lines of defence against hackers.
By Nial MacLeod, enterprise solutions architect at Anomali