Section 3.1 Threat Actors
As you study this section, answer the following questions:
- What are the three types of hackers?
- What is an advanced persistent threat?
- How are tactics, techniques, and procedures (TTPs) important to cybersecurity?
In this section, you will learn to:
- Identify the different threat actor types
- Identify the different threat classifications
- Determine the different tactics, techniques, and procedures used by threat actors
The key terms for this section include:
Threat Actor Type | Description |
---|---|
Hacker | A hacker is a type of threat actor who gains unauthorized access to computer systems or networks. They aim to exploit system vulnerabilities for personal gain, theft, or other malicious purposes. |
Nation-state | A nation-state hacker works for a government and attempts to gain top-secret information by hacking other governments. |
Hacktivist | A hacktivist's primary purpose is to protest and express views and opinions. Hacktivists often deface websites or use denial-of-service attacks. |
Criminal organization | Criminal organizations have transitioned many of their operations to a virtual setting. The internet provides various targets and options for obscuring their actions. |
Internal-intentional | Internal-intentional threats can include employees, vendors, or contractors who use their network access to access confidential information or hinder data or systems availability. |
Internal-unintentional | Internal-unintentional threats are usually a result of a lack of training or laziness. Although these insiders do not intend to cause harm, their actions could result in unintentionally weakened security points that could be used by intentional attackers. |
Third-party vendor | If a third-party vendor has access to an organization’s system and data, it could be a security risk. The vendor could intentionally or unintentionally cause harm to the organization by compromising its systems or stealing sensitive information. |
Advanced persistent threat (APT) | An advanced persistent threat (APT) is a sophisticated type of cyber attack that involves a prolonged and targeted effort to compromise a specific target. |
Script kiddie | A script kiddie is a hacker lacking the technical skills to create their own programs or exploit vulnerabilities. Instead, they rely on pre-existing tools and scripts to launch attacks, often seeking to cause damage or disruption for personal gain or notoriety. |
This section helps you prepare for the following certification exam objectives:
Exam | Objective |
---|---|
CompTIA CySA+ CS0-003 | 1.4 Compare and contrast threat-intelligence and threat-hunting concepts |
TestOut CyberDefense Pro | 4.1 Manage security incidents |
3.1.1 Threat Actor Types
Threat Actor Types 00:00-00:13 In this video, we'll discuss threat actors. A threat actor is a person or organization that threatens another person's or organization's security.
Hacker Types 00:13-00:28 Let's break down the threat actor types even more by looking at their motivations. Hackers almost always have unethical, malicious intentions. Some hackers are motivated by religious or political beliefs. Others are motivated by greed, blackmail, or revenge.
Hacktivist 00:28-00:43 A hacktivist often targets government agencies or corporations to protest their actions. Hacktivists are most known for defacing websites and executing denial-of-service attacks. Their main purpose is to protest and campaign for public attention.
Nation-State Hacker 00:43-01:04 A nation-state hacker works for a government and attempts to gain top-secret information by hacking other governments' devices. Many nations have invested in the development of their cybersecurity presence and are willing to use this presence to reach their political or economic goals. Election systems, energy grids, intelligence agencies, and other critical systems are common targets.
Criminal Organizations 01:04-01:32 Criminal organizations have also transitioned much of their operations to the virtual setting. The internet provides a wider range of targets and provides additional options for covering their tracks. Because criminals are often targeting individuals in different jurisdictions, prosecution can be very difficult.
A threat actor doesn't necessarily have to be an outside hacker. They could be an internal threat, or even someone who causes a security vulnerability through negligence.
Internal Threats 01:32-02:20 Intentional internal threats could include employees, vendors, or contractors that use their network access to access confidential information or to hinder the availability of data or systems. The motivations for these insiders could include competitiveness, greed, or grievances against the organization. They could be acting on their own accord, or they could be recruited by an outsider.
Unintentional threats are usually a result of a lack of training or laziness. Although they don't intend to cause harm, their actions could result in unintentional weakened security points that could be used by external attackers. The best network security systems can be rendered practically useless if employees don't know how to use them effectively. Security training is critical for employees at all levels of an organization.
Summary 02:20-02:35 That's it for this lesson. In this video, we discussed threat actor types, such as hacktivists, nation-state hackers, criminal organizations, and internal threats.
3.1.2 Threat Actor Type Facts
This lesson covers threat actors.
Threat Actors
Threat actors are individuals or groups who exploit network or system vulnerabilities. They attempt to gain unauthorized access to sensitive data, disrupt operations, or extract financial gain.
These actors may include:
Type | Description |
---|---|
Hacker | A hacker is a type of threat actor who gains unauthorized access to computer systems or networks. They aim to exploit system vulnerabilities for personal gain, theft, or other malicious purposes. Hackers may use a variety of tactics and techniques, including malware, phishing attacks, or social engineering, to exploit weaknesses in a system's defenses. Hackers are classified into three different categories: |
Nation-state | A nation-state hacker works for a government and attempts to gain top-secret information by hacking other governments. |
Hacktivist | A hacktivist's primary purpose is to protest and express views and opinions. Hacktivists often deface websites or use denial-of-service attacks. |
Criminal organization | Criminal organizations have transitioned many of their operations to a virtual setting. The internet provides various targets and options for obscuring their actions. Because criminals often target individuals in multiple jurisdictions, prosecution can be difficult. |
Internal-intentional | Internal-intentional threats can include employees, vendors, or contractors who use their network access to access confidential information, or hinder data or systems availability. The insiders' motivations could be competitiveness, greed, or grievances against the organization. They could be acting on their own accord or recruited by someone on the outside. |
Internal-unintentional | Internal-unintentional threats are usually a result of a lack of training or laziness. Although these insiders do not intend to cause harm, their actions could result in unintentionally weakened security points that could be used by intentional attackers. The best network security systems can be rendered useless if employees do not know how to use them effectively. Security training is critical for employees at all levels of an organization. |
Third-party vendor | If a third-party vendor has access to an organization’s system and data, it could be a security risk. The vendor could intentionally or unintentionally cause harm to the organization by compromising its systems or stealing sensitive information. |
Advanced persistent threat (APT) | An advanced persistent threat (APT) is a sophisticated type of cyber attack that involves a prolonged and targeted effort to compromise a specific target. APTs are typically undertaken by state-sponsored groups or other highly skilled actors. They can involve multiple stages, including reconnaissance, initial exploitation, and long-term data exfiltration. |
Script kiddie | A script kiddie is a hacker lacking the technical skills to create their own programs or exploit vulnerabilities. Instead, they rely on pre-existing tools and scripts to launch attacks, often seeking to cause damage or disruption for personal gain or notoriety. |
3.1.3 Threat Classifications Facts
This lesson covers threat classification.
Threat Classification
The following table describes four types of threat classifications:
Classification | Description |
---|---|
Known threats | Known threats are threats you have information about and can prepare for. |
Unknown threats | Unknown threats exploit security weaknesses you do not have information about and can only prepare for in a very general way. |
Advanced persistent threats | The term advanced persistent threat (APT) describes the behavior underpinning advanced cyber adversaries, such as nation-states and organized crime groups. APT originally referred to the group behind a campaign but has been widened to describe the tools these groups use. The concept of an APT helps to model threats. Besides basic scanning for virus or Trojan signatures, scanning for the presence of command and control (C&C or C2) software and for unusual network activity is also essential. One of the defining characteristics of an APT is anti-forensics, where the adversary removes evidence of the attack. APTs typically target large organizations, such as financial institutions, healthcare companies, and other organizations that store large volumes of personally identifiable information (PII), when the PII describes important government and political figures. Historically, APTs have been observed targeting governments to carry out political objectives, interfere in elections, or spy on another country. As APT groups are identified and profiled, they are assigned unique number identifiers and code names. Government agencies and security researchers often refer to the same group using different names, and members of one group often participate in many others. The "advanced" part of an APT is a crucial identifier, as these types of threats are rarely executed by lone attackers using publicly available exploits or exploit frameworks (such as Metasploit). APT threat groups can access considerable financial and personnel resources, including teams specializing in custom exploit development and execution. APTs spend significant time gathering intelligence on their targets to develop particular exploits. APT groups often combine many different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer. APTs have diverse overall goals, but since a significant focus of their attack activities includes custom software development and stealth, most APTs are interested in maintaining access—or persistence—to networks and systems. Because of this, APTs are some of the most notorious and harmful threats to organizations and governments. |
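The APT row above names scanning for C2 software and unusual network activity as essential defensive actions. As an added example that is not part of this lesson, the Python below flags periodic "beaconing" (near-constant connection intervals from one internal host to one external destination) in a constructed connection log; the log format, thresholds, and addresses are assumptions made for the example.

```python
# Added example (not part of the TestOut lesson): a simple periodic-beacon
# detector over constructed connection-log lines. One characteristic of C2
# traffic is regular "check-in" connections from an internal host to the same
# external destination; ordinary user traffic has far more irregular timing.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src> <dst> <bytes>" (hypothetical format).
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.10 512
2024-05-01T09:00:03 10.0.0.5 198.51.100.20 1400
2024-05-01T09:01:00 10.0.0.5 203.0.113.10 510
2024-05-01T09:01:47 10.0.0.5 198.51.100.20 9200
2024-05-01T09:02:00 10.0.0.5 203.0.113.10 515
2024-05-01T09:02:05 10.0.0.5 198.51.100.20 300
2024-05-01T09:03:00 10.0.0.5 203.0.113.10 512
2024-05-01T09:04:00 10.0.0.5 203.0.113.10 511
2024-05-01T09:04:31 10.0.0.5 198.51.100.20 22000
2024-05-01T09:04:50 10.0.0.5 198.51.100.20 640
2024-05-01T09:05:00 10.0.0.5 203.0.113.10 513
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(flows, min_conns=5, max_jitter=0.2):
    """Return (src, dst, mean_interval_s) for pairs whose inter-arrival times are
    near-constant: coefficient of variation (stdev / mean) below max_jitter."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_conns:      # too few connections to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits

def find_beacons(text=SAMPLE_LOG):
    return beacon_candidates(parse_log(text))

if __name__ == "__main__":
    for src, dst, interval in find_beacons():
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Only the 203.0.113.10 flow (six connections exactly 60 s apart) is flagged; the 198.51.100.20 flow has enough connections but irregular gaps, so it passes the jitter filter.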