Published on July 28th, 2015 | by admin

Types of Cyber Attackers and their Motivations

In previous blog posts we’ve talked about how human behavior is both a key driver of cyber security threats and an important tool in understanding how to combat the outcomes of those behaviors.

One of the areas that needs to be more fully understood is the types of attackers and their motivations. Normally I am against stereotyping, as it tends to close off thought patterns, and in the world of cyber security you need to have a very fluid view of the world, especially now, as we see evolving patterns of attacks and vector usage. However, for the purpose of brevity and as a working model, I’ll attempt to create a set of archetypes of cyber criminals, so we can look at who they are and why they do what they do. Feel free to adjust or add to the model. It is a blueprint, and input from security experts is welcomed.

Name: The Hacker Apprentice

Profile: The Hacker Apprentice is likely to be young, perhaps mid to late teens and male, perhaps an introvert. I am sure more females will enter this field as we see more females enter programming in general.

Motivation: They will be interested in programming, probably having learned to write code since early childhood. Being a hacker seems glamorous and a way of ‘showing off’ their skills. Invariably, they aren’t too technically savvy (yet) and their hacking expertise is low grade, only being able to hack weakly guarded systems. They’ll use YouTube hacking videos to learn their trade. But don’t be complacent. They can work their way up the cybercriminal ladder as they get older and more experienced, if they are that way inclined. Most, however, will mature out of this stage and move into working in computer or network focused professions.

Name: The Phisherman

Profile: It seems that phishers are Chinese, Indonesian or American, according to Akamai research. But the profile is a mixed one. On the one hand, you have phishers such as the Nigerian phishers who run bank phishing scams and have done so for years. On the other hand, research by Verizon for their Data Breach Investigations Report 2015 has stated that 95% of incidents can be attributed to state sponsored actors. The reason for the wide profile of the Phisherman is the success of this vector. It is used both as a general method of getting data like login credentials and as a way directly into company resources using spear phishing methods.

Motivation: Motivation is mixed too. General phishers are after financial gain. They want login credentials, or to get you to download malware that ultimately steals bank credentials. Spear phishers are after intellectual property; they can be part of the cyber espionage crew, which is detailed below.

Name: My name is Bond, Hacker Bond

Profile: This cybercriminal is a spy. They may work alone or as a group, which may be sponsored by a company or even a state. The general way into your organization is via spear phishing (see The Phisherman above) and the use of APTs to persistently steal data. This cybercriminal is a very experienced programmer and architect. They should not be underestimated, as they are at the top of their game. Often these types of cybercriminals work as part of a highly skilled group. A recent finding by security firm Kaspersky is of a group called the Equation Group. This group is one of the most highly sophisticated hacking groups of all time. Using highly specialized tools to perpetrate their crime, they are linked to malware infections across 30 countries and attack industries as diverse as government, mass media and aerospace.

Motivation: This cybercriminal is after information and often also wants to create havoc, even, potentially, warfare. Information on your business, such as company account details, manufacturing information, intellectual property, schematics and so on, is all fair game for Mr. Bond. But this cybercriminal becomes most sinister when they are state sponsored and attack critical infrastructures, which can affect not only digital resources, but real world ones too. Probably the most famous cyberespionage attack is Stuxnet, where Iranian nuclear facilities were targeted with the intention of taking them over. The cost of cyberespionage to the U.S. is massive. McAfee, in their 2013 report on The Economic Impact of Cybercrime and Cyberespionage, has placed estimates of intellectual property losses at up to $140 billion, so this must be one of the most successful and profitable cybercriminal personas.

Name: The Less Than Perfect Employee

Profile: An employee, ex-employee, contractor or even customer who has an axe to grind. Insider threats are the most prevalent cyber threats organizations face.

Motivation: The motivations behind an insider doing damage to your organization are varied, but include revenge, cyberespionage (see above), doing it for the fun of it, an honest mistake, and pure financial gain. We mentioned in a previous blog post about Insider Threats that the costs incurred by these types of attacks far outweigh those incurred from phishing attacks, being on average $213,542 and $45,959 respectively.

Name: The Hacktivist

Profile: An individual or group that wants to make a stand against something they think is wrong or for something they believe in. They have taken activism in the real world and placed it online. There are a number of groups that carry out attacks against targets that they have a grievance with. For example, the international group Anonymous carries out Distributed Denial of Service (DDoS) attacks, mainly against government and religious websites.

Motivation: To carry out political acts of defiance. Just as real world activists take on issues that they believe need to be addressed, such as climate change, animal rights and so on, hacktivists do the same thing, but using digital methods to spread their word, and that often comes in the form of a cyber-attack. Motivation can be for good and bad. Sometimes hacktivism is used to attack foreign government policy. For example, Chinese hackers attacked U.S. government sites to protest against perceived U.S. Government wrongdoing against China (you can read more here in a previous blog post). Other times it is used to make a stand. Anonymous have recently targeted IS sympathisers by hijacking their Twitter accounts and either shutting them down, or flooding them with images of Japanese anime characters to alter search engine results for the word IS. Sometimes hacktivism is used as an excuse for hacking certain types of websites. For example, the recent attack on the customer accounts of the adultery website, Ashley Madison, was said to have been carried out to shame the users of the site (rather than sell on their user account details – we shall wait and see how that pans out).

One area I cannot comment on with certainty is the demographics of each profile. I would imagine, however, that age is skewed towards a youthful hacker, purely because cybercrime is a fairly new crime; it probably reflects the modal age of programmers in industry. Similarly for gender, I would place a bet that the vast majority of cybercriminals are male, which also reflects the skewing of gender in programming in general.

One thing you’ll note from reading this list of cyber security archetypes is that they are very much intertwined. The Phisherman can also be Mr. Bond who can also pose as The Less Than Perfect Employee. The successful cybercriminal will move between techniques and stereotypes as they see fit and as they find new and better methodologies. To counter these threats, we too have to build a more fluid approach to the cyber chameleon. Our tools need to be as intelligent and as flexible as the criminals they seek.
