What Is A Threat Actor?

Risks are everywhere. Online, in real life. Digital transformation and the rapid integration of cloud-based technologies has been met with an unprecedented increase in cybersecurity risks. In most cases, standard cybersecurity best practices and a strong mechanism for Identity and Access Management will take care of most exploits, vulnerabilities and human errors that lead to a data leak. 

But what about the Advanced Persistent Threats (APTs) and DDoS attacks coming from organized cybercriminals and nation-state actors with a political or social agenda? 

Knowing the source of these attacks can help you determine the scope of risk and prepare a strategic defense against a variety of threat actors, ranging from hacktivists and script kiddies to the more sophisticated cybercrime underground rings and state-sponsored attackers. 

Let’s take a look

What is a threat actor? (Or, who is a threat actor?)

Threat actors refer to the person, persons or entities responsible for causing cybersecurity incident or more generally posing a cybersecurity risk. This is a broad definition that can encompass a range of entities, including those that are:

• Explicitly posing threats. 
• Implicitly responsible for cybersecurity risk.

The definition also assumes some baseline threshold of risk: a data-driven organization in a tightly regulated industry vertical may have a different outlook for cybersecurity risk than a new startup firm developing MVPs for their latest innovation ideas. Both organizations may perceive cybersecurity threats from a broad spectrum of actors and therefore adopt defensive measures accordingly.

The 5 common threat actors & their defining features

So, let’s review in detail the key characteristics of various cybersecurity threat actors and the best practices on dealing with them:

Script Kiddies

These are opportunist hackers who may take advantage of a known vulnerability and use existing tools and hacking scripts to bypass basic authorization controls such as passwords and ping exposed network endpoints. The intention behind these attacks is usually to gain:

• Recognition in a peer group
• Amusement 
• Simply the thrill of the hacking experience

They are generally inexperienced and therefore may not intend to cause significant financial harm to a business organization.

Hacktivists

Hacktivists are groups of experienced cybercriminals that conduct cybercrime operations as part of a political or social agenda — hence the “activist” part of the name. Their primary objective is to gain recognition on a larger scale. 

Once their voice is heard among the public, they tend to instill fear among the victims regarding exposure of sensitive personally identifiable information and loss of an essential service such as utilities and healthcare. Therefore, they commonly target large organizations involved in the public service, utility companies as well as organizations with a large user base or public following — anywhere they can reach a large audience. 

Popular hacktivist groups such as Anonymous and LulzSec have conducted a range of high profile attacks against media outlets and tech companies.

(Understand ransomware families, another way of categorizing ransomware attacks.)

State-sponsored Attackers

State-sponsored attackers are entities with the backing of a nation state or defense organization. The targets are generally the competing or rival nations in the political, economic or strategic security space. 

Specifically, they may conduct direct cyberattacks to a utilities provider or defense organization of a target state, or install backdoor channels to technologies exported to other nations. The Stuxnet exploit is a popular cyberweapon used in a state-sponsored attack that destroyed a centrifuge in the nuclear plant.

(Go deep into Stuxnet and other major attacks in our recommended security reads & podcasts.)

Disgruntled employees & the Insider Threat

These are the users with authorized access to sensitive business information and system resources who either:

• Intentionally violate the security policies of the organization due to some malicious intent.
• Fall prey to a social engineering attack and inadvertently compromise the security of their organization. 

According to research, over 80% of the cyber-attacks occur due to human involvement — mostly in the form of unintentional security malpractices adopted at the company. This type of internal human involvement is known as an insider threat.

Underground cybercrime markets

For malicious actors that lack the capabilities necessary to conduct a cyber-attack, they can engage cybercriminals for hire in the Dark Web cybercrime underground markets. This is where a variety of cybercrime tools and services are sold in exchange for money. Hacking groups openly advertise their attributes, resources and tools with guaranteed results and payment upon proven, visible outcomes. For example, a DDoS attack can cost $5 an hour.

(Learn how cybercrime as a service works.)

Defending against threat actors: best practices & continuous threat analysis

So how do you defend against these attacks? In addition to the standard security best practices such as using strong authentication systems such as multi-factor authentication, frequent password updates, a general awareness against social engineering attacks and a guideline for cybersecurity best practices, business organizations must take additional measures depending on the threat actors. 

Three main categories of security best practices against these threat actors include:

• Deploy the principle of least privilege access, allowing users to access only the bare minimum information and resources they need to conduct their job functions effectively. In the event of a cyber-attack that compromises login credentials of an employee, attackers will not be able to access resources beyond what is assigned to the user profile.
• Encrypt mission-critical information at rest and in transit. This is especially important for sensitive data stored and processed in the cloud. In event of a data leak, adversaries will not be able to use or threaten exposure of sensitive information.
• Adopt a hybrid multi-cloud service model where sensitive business information remains physically and logically inaccessible to the outside world, while leveraging cloud capabilities as a cost-effective service model for tasks that do not involve access to sensitive information.

Splunk supports enterprise security & enterprise resilience

At Splunk, our purpose is to build a safer and more resilient digital world. Every day, we live this purpose by helping security, IT and DevOps teams keep their organizations securely up and running. When organizations have resilient digital systems, they can adapt, innovate and deliver for their customers.

Explore Splunk solutions for cybersecurity, including with Splunk Enterprise Security, our industry leading SIEM. Better yet? Take a free tour!