What are Cybersecurity Threat Actors?

A threat actor is an entity that poses a threat to an individual, group, or organization. In the context of cybersecurity, threat actors are typically categorized by their motivation, which can include financial gain, political gain, or ideological gain. Cybersecurity threat actors may also be categorized by their capabilities, which can range from unsophisticated to highly sophisticated. They may operate independently or as part of an organized group.

What are the motivations of threat actors?

Treat actors can be individuals, groups, or organizations, and their motivations can be financial, political, or ideological. While the goals of threat actors can vary, they typically fall into one or more of the following categories:

• Accessing sensitive data: This can include personal data, trade secrets, or other confidential information.
• Disrupting business operations: This can include destroying data, launching denial-of-service attacks, or sabotaging physical infrastructure.
• Causing reputational damage: This can involve releasing sensitive information to the public, defacing websites, or sending phishing emails.
• Influencing political decisions: This can include spreading disinformation or conducting cyber espionage.

Threat actors often use stolen credentials, malware, social engineering, and other techniques to achieve their goals. While the methods used by threat actors can be sophisticated, their goals are usually relatively straightforward. By understanding the motivations of threat actors, organizations can be better prepared to defend against their attacks.

What are the types of threat actors?

There are seven common types of threat actors: Hacktivists, Nation-States, Organized Crime, Script Kiddies, Terrorists, Unaffiliated Individuals, and Vulnerable Groups.

• Hacktivists are individuals or groups that engage in hacking activities for political or social reasons. They often target high-profile organizations in order to bring attention to their cause.
• Nation state actors are motivated by political gain and typically have the resources and skills to carry out sophisticated attacks.
• Organized crime groups are motivated by monetary gain and typically target financial institutions or businesses.
• Script kiddies are unskilled individuals who use pre-written code or tools to exploit vulnerabilities.
• Terrorist organizations use cyber attacks to further their political or ideological goals.
• Unaffiliated individuals or lone wolves are motivated by revenge, challenges, or simply curiosity.
• Insider threat actors and insider threats are a threat to an organization that comes from within, typically from someone who has authorized access to the organization’s systems and data.
• APT Groups. An Advanced Persistent Threat group is a designation given to cyber threat actors that are sponsored by a nation-state. Apt groups are often very well-funded and have access to sophisticated tools and techniques. They also tend to be highly skilled and experienced in carrying out cyber operations. As a result, apt groups pose a significant threat to organizations and individuals alike. Some of the most well-known apt groups include Fancy Bear, Cozy Bear, and Lazarus Group.

Techniques used by Threat Actors

Advanced Persistent Threat, nation state actors and cyber threat actors are constantly coming up with new ways to obtain access to systems and data. Here are just a few of the techniques that have been used by threat actors in recent years:

• Phishing attacks: This involves sending emails that appear to come from a legitimate source, such as a financial institution or online retailer. The email will contain a link that takes the user to a fake website, which is designed to collect personal information such as login credentials. Or install a malware, or a crypto-ransomware for a user to fall prey.
  
• Malware: Malicious software, or malware, is often used to infect systems and allow hackers to obtain access to sensitive data. Once installed, the malware can give cyber criminals the ability to remotely control the system, install other malicious software, or even stealing data.
  
• SQL Injection: This attack exploits vulnerabilities in web-based applications that use SQL databases. By injecting malicious code into an SQL query, a threat actor can gain access to the underlying database and view or modify data.
  
• Denial of Service (DoS): A DoS attack is designed to render a system or network unusable by flooding it with traffic or requests for data. This can prevent legitimate users from accessing the system, and can cause significant disruptions for businesses.

Tools that are most commonly associated with Nation States Threat Actors

Threat actors use many hacking tools to gain unauthorized access to organization’ networks and steal data. Some of these tools are designed to take advantage of vulnerabilities in computer systems with exploit kits, remote access trojans, while others are used to spoof identities with phishing messages to deliver malware or simply obtain personally identifiable information. Some also launch distributed denial-of-service attacks (DDoS attacks). Threat actors may also use social engineering techniques to trick unsuspecting users into revealing confidential information or downloading malicious software.

During the exploitation phase, advanced persistent threats and other nation state threat actors have been known to use zero day vulnerabilities, however, cyber criminals, use a wide range of techniques, such as using fake LinkedIn profiles to socially engineer legitimate users into opening malicious files to gain access to a computer or service or for collecting intelligence ahead of an attack. This further highlights the need for good cyber hygiene within organization.

However, once inside the organization’s network, malicious threat actors are known for using windows utilities to obtain information about the organization’s security, the network, gain access to computer system and/or move laterally. Aside of course from using in-network reconnaissance techniques and tools.

Some of these windows utilities are listed below.

• NLTest (nltest.exe) is used by cyber threat actors to enumerate active directory trust
• WMIC (wmic.exe) Windows Management Instrumentation is a command-line interface for provided by the WMI program
• Net (net.exe) Utility component manages users, groups, services, and network connections.
• Schtasks (schtasks.exe) enables the creation, deletion, query, modification, execution, and termination of scheduled tasks on a local or remote computer.
• Whoami (whoami.exe) provides information about the user who is presently logged in to the local system, including user, group, and privilege information.
• Vssadmin (vssadmin.exe) shows all installed shadow copy writers and providers as well as the most recent volume shadow copy backups.

MITRE ATT&CK References

• Domain Trust Discovery (T1482)
• Windows Management Instrumentation (T1047)
• Scheduled Task/Job (T1053)
• System Owner/User Discovery (T1033)
• Inhibit System Recovery (T1490)
• Network Share Discovery (T1135)

Who identifies threat actors?

The government and public sector work together to identify threat actors. They share information and resources to help identify potential threats. By identifying potential threats, they can take steps to protect the public. Government officials have access to information that the public does not about nation state threat actors, so they are able to identify potential threats before they happen. The government also works with private companies to identify a potential threat actor. Furthermore, private companies have more resources and manpower than the government, so they are able to help the government identify potential threats, by monitoring the dark web, terrorist groups chats, cyber criminals forums, critical infrastructure leaks, or any login credentials leaked on the internet. This partnership between the government and private companies helps to keep the public safe and secure.

Government entities identifying threat actors.

• European Union (EU) – The European Union Agency for Cybersecurity (ENISA)
• Canada – Canadian Centre for Cyber Security (CCCS)
• United States (US) – National Institute for Standards and Technology (NIST)
• Japan – National Center of Incident Readiness and Strategy (NISC)
• United Nations (UN)

How to Stay Ahead of Threat Actors?

The best defense is a good offense. That’s especially true when it comes to cybersecurity. Cyber criminals, insider threats and nation states are becoming more sophisticated and active, and they’re constantly looking for new ways to exploit vulnerabilities. The best way to stay ahead of them is to adopt an active defense strategy. That means being proactive, rather than reactive, in your approach to security. Rather than waiting for hackers to strike, take a proactive approach.

The following are the first strategies you should put in place for avoiding threat actors:

• To cut down on human error, educate staff about cybersecurity.
• To keep data secure, use multifactor identification.
• Keep an eye on staff behavior to spot any potential insider threats.
• Install cybersecurity software to thwart attackers.

Protect Yourself from Threat Actors with Active Defense

Lupovis Snare is an industry-leading deception-based security platform. By deploying decoy assets inside and outside your network, Lupovis offers unparalleled proactive security measures that lead to a strengthened security posture, advanced threat intelligence, and high-fidelity alerts in the event of a breach.

With Lupovis Snare, you can be confident that your organization’s data and assets are well-protected against even the most sophisticated cyber threats. Contact us today to learn more about how Lupovis can help keep your business safe and secure.