
Threat Intelligence – Understanding your Threat Actors 101 (Part 1 of 3)

By Anthony Giandomenico | April 14, 2016

My last blog gave you a “big picture” overview of how understanding External Threat Intelligence, the Cyber Battlefield, and your own Strengths and Weaknesses can give you a measure of how effective (or ineffective) your security posture is.

I will continue to explore these security posture issues over the next few weeks. This blog is the first of three in which I will focus in more detail on External Threat Intelligence and the individuals and groups who are motivated to do you and your organization harm.

Threat Actor Categories

There are many threat actors out there today, but most of them fit into the following categories.

Government Sponsored: These groups are well funded and often build sophisticated, targeted attacks. They are typically motivated by political, economic, technical, and military agendas.

Organized Crime: Most often, these cybercriminals engage in mass attacks driven by profits. They are typically looking for Personally Identifiable Information (PII) such as social security numbers, health records, credit cards, and banking information.

Hacktivists: These attackers have a political agenda. They mount high-profile attacks and distribute propaganda to damage the organizations they oppose, advance their cause, or raise awareness of their issue.

Insider Threat: Insider attackers are typically disgruntled employees or ex-employees looking for revenge or some type of financial gain. They sometimes collaborate with other threat actors in exchange for money.

Opportunistic: These attackers are usually script kiddies driven by the desire for notoriety, but they are also sometimes security researchers/professional hackers looking to profit from finding and exposing flaws and exploits in network systems and devices.

Internal User Error: Users make configuration mistakes that bring down critical resources such as firewalls, routers, and servers, causing company-wide or departmental outages. Often this is the result of giving an individual more privilege than their technical skill level warrants.

I am sure you have had to worry about every one of the above-mentioned threat actors, but as I mentioned in the past, you need to prioritize and focus on the ones that are motivated to steal your data.

Types of Threat Intelligence

Threat Intelligence (TI) is any external information about a threat that an organization can consume and integrate into its defensive decision-making process that results in something actionable, such as a new policy, configuration, design, or device deployment. These decisions can be Strategic, Tactical, and/or Operational. Below is more information on each type.

Strategic: This type of TI is usually in the form of printed or online reports that focus on threat actors, their intentions, motivations, capabilities, and their plans now and over the next 12 to 18 months.

This information is usually used by CISOs and management to determine what types of additional administrative, physical, or technology controls may be needed come budget time.

Tactical: This type of TI focuses on understanding the Tactics, Techniques, and Procedures (TTPs) of the threat actors. It asks the question, “How are they accomplishing their cyber mission?”

This information is usually used by Security/Network Operations teams in order to understand and prioritize vulnerabilities and alert escalation, as well as inform design considerations and configuration changes.

Operational: This type of TI is usually consumed into a SIEM or Threat Intelligence Platform, where it is cross-referenced with network logs and other collected data to determine whether a threat actor is probing your organization or has already breached your defenses. This sort of intelligence consists of Indicators of Compromise (IOCs) such as malicious IPs, file hashes, URLs, domains, and any other system or network artifacts an attacker may leave behind.

This information is usually used by the Incident Response and forensics folks to determine the scope of a breach, as well as for “hunting” for the bad actors.
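The cross-referencing step above, as an added example that is not part of the original post: a small IOC feed (IP, CIDR range, domain, URL, and SHA-256 hash) is indexed and matched against proxy log lines, with parent-domain matching so that a beacon to a subdomain of a listed C2 domain still fires. The feed, the log lines and their field layout are all constructed for illustration and are not from any real source.

```python
"""Match a small operational-TI feed (IOCs) against constructed proxy log lines.

Added example; the feed, log format and log lines are constructed here.
Field layout assumed: timestamp src_ip dst_ip host url sha256 ("-" if none).
"""
import hashlib
import ipaddress
from collections import defaultdict

DROPPER_SHA256 = hashlib.sha256(b"constructed dropper bytes").hexdigest()

# Constructed IOC feed (assumption: a simple type/value/context layout).
IOC_FEED = [
    {"type": "ipv4",   "value": "203.0.113.45",                         "context": "C2 server"},
    {"type": "domain", "value": "update-check.example.net",             "context": "C2 domain"},
    {"type": "url",    "value": "http://cdn.example.org/dl/payload.bin", "context": "payload download"},
    {"type": "sha256", "value": DROPPER_SHA256,                          "context": "dropper"},
    {"type": "cidr",   "value": "198.51.100.0/24",                       "context": "bulletproof hosting range"},
]

# Constructed log lines: one benign line, and three that touch the feed.
LOG_LINES = [
    "2016-04-14T10:01:02Z 10.0.0.7 203.0.113.45 update-check.example.net http://update-check.example.net/ping -",
    "2016-04-14T10:02:10Z 10.0.0.8 93.184.216.34 www.example.com http://www.example.com/ -",
    "2016-04-14T10:03:33Z 10.0.0.9 198.51.100.77 cdn.example.org http://cdn.example.org/dl/payload.bin " + DROPPER_SHA256,
    "2016-04-14T10:04:41Z 10.0.0.7 203.0.113.45 sub.update-check.example.net http://sub.update-check.example.net/beacon -",
]


def build_index(feed):
    """Exact-match dictionaries per IOC type, plus a list of parsed CIDR networks."""
    index = {"ipv4": {}, "domain": {}, "url": {}, "sha256": {}, "cidr": []}
    for ioc in feed:
        kind, value = ioc["type"], ioc["value"].lower()
        if kind == "cidr":
            index["cidr"].append((ipaddress.ip_network(value, strict=False), ioc))
        else:
            index[kind][value] = ioc
    return index


def domain_hits(host, domain_index):
    """Exact match plus parent-domain match: sub.evil.example matches evil.example."""
    labels = host.lower().split(".")
    return [domain_index[".".join(labels[i:])]
            for i in range(len(labels)) if ".".join(labels[i:]) in domain_index]


def parse_line(line):
    parts = line.split()
    if len(parts) != 6:
        return None
    return dict(zip(("ts", "src", "dst", "host", "url", "sha256"), parts))


def match_line(fields, index):
    hits = []
    dst = fields["dst"]
    if dst in index["ipv4"]:
        hits.append(index["ipv4"][dst])
    try:
        addr = ipaddress.ip_address(dst)
        hits.extend(ioc for net, ioc in index["cidr"] if addr in net)
    except ValueError:
        pass  # destination was not a literal IP
    hits.extend(domain_hits(fields["host"], index["domain"]))
    if fields["url"].lower() in index["url"]:
        hits.append(index["url"][fields["url"].lower()])
    if fields["sha256"] != "-" and fields["sha256"].lower() in index["sha256"]:
        hits.append(index["sha256"][fields["sha256"].lower()])
    return hits


def scan(lines, feed):
    """Return one record per log line that matched at least one IOC."""
    index = build_index(feed)
    results = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        hits = match_line(fields, index)
        if hits:
            results.append({"ts": fields["ts"], "src": fields["src"],
                            "hits": [(h["type"], h["value"], h["context"]) for h in hits]})
    return results


def hosts_by_hit_count(results):
    """Internal hosts ranked by how many IOCs they touched: the hunting starting point."""
    counts = defaultdict(int)
    for record in results:
        counts[record["src"]] += len(record["hits"])
    return dict(counts)


if __name__ == "__main__":
    for record in scan(LOG_LINES, IOC_FEED):
        print(record["ts"], record["src"], record["hits"])
    print(hosts_by_hit_count(scan(LOG_LINES, IOC_FEED)))
```

Two practical caveats the feed itself will not tell you: URL matching here is exact, so production matching needs URL normalization (case, trailing slashes, query strings), and IP and CIDR indicators on shared hosting or CDN space generate false positives, which is why the context field travels with every hit.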

Most companies are not mature enough to fully leverage all types of threat intelligence, but as a first step, companies can focus on Tactical TI. This will give them some insight into how the bad guys are executing their cyber mission, which will help them focus when choosing the right security controls. To further understand this type of TI, organizations can start to map the anatomy of an attack, more commonly known as the “Kill Chain,” a term coined by Lockheed Martin in 2011. There are many variations of the phases or steps of an attack (Lockheed Martin’s original seven are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives); the ones used here are: Reconnaissance, Weaponize, Delivery, Exploit, Command and Control (C&C), Internal Reconnaissance, and Maintain. During each phase the attacker has a goal, and specific tactics they will use to achieve that goal.

Let’s take a general look at these phases, including some of the goals and trends we see with both Nation State and Organized Crime threat actors. Keep in mind that some advanced Organized Crime threat actors are well-funded, and their tactics, techniques, and procedures are often custom-built and may be very similar to those used by Nation State actors, while the average cyber criminal usually just takes advantage of the cybercrime ecosystem’s affiliate programs and off-the-shelf tools and methodologies.

Threat Methodology – Kill Chain Goals and Trends

Reconnaissance: In this phase, the attacker needs to learn as much as they can about your organization and network. They will research and test your defenses and responses, sweep your network looking for unpatched devices or operating systems, and use social media to learn more about your employees and other important company information, such as which applications and versions you run. Many times they will also research the business partners you have connections with, since those partners may have a weaker security stance than you and can become a conduit into your network.

Weaponize: This is the phase where the attackers pair an exploit for a vulnerability identified in the target with a malicious payload, and test the result so that it goes undetected. A nation state actor may have zero-day exploits available; most cybercriminals, however, use or rent exploit kits built around publicly known vulnerabilities. Keep in mind that many exploits and malware samples use evasion techniques that can bypass a number of technology controls, such as firewalls and antivirus.

Delivery: Now that the attacker has chosen their cyber weapon, they have to figure out the best mechanism to deliver it. As most of us know, the delivery vehicles of choice are social engineering and phishing emails. There is so much information available on social media sites about your employees that it is becoming harder to tell a phishing email from a legitimate one. All the threat actor has to do is trick you into clicking a link or opening an attachment. Other delivery mechanisms include infecting websites (drive-by downloads) and malvertising, where the attacker infects the advertisements delivered to the websites you visit daily.

Exploit/Execute: Once the exploit is delivered, it needs to execute without being detected. Since phishing emails are the delivery mechanism of choice, many attacks are client-side exploits aimed at your browser and its vulnerable plug-ins, such as Flash and Java. Others rely on malicious macros and scripts hidden inside documents sent to users.

Command & Control: Once the exploit has run, the first thing the implanted malware does is try to communicate back to its owner’s server, undetected, in order to download additional malware and tools for further compromise. To stay undetected, commands and requests are usually tunneled through protocols that most networks allow out, such as HTTP(S), DNS, or Tor. Increasingly, these communications are encrypted, making them difficult to inspect. Domain Generation Algorithms (DGAs), which produce a large number of candidate domain names from a seed such as the current date, are also used to evade IP and domain blacklists: the attacker registers only a few of the day’s names, and the malware cycles through the list until one resolves.
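DGA traffic has a lexical signature that is cheap to check in DNS logs, even when the algorithm is unknown: generated labels are long, high-entropy, and short on vowels. The example below is added here and is not from the original post; it pairs a constructed date-seeded toy DGA (so the reader can see what such names look like, and that a defender who recovers the algorithm can pre-compute a day’s names) with a simple feature-based classifier run over constructed DNS query lines. The thresholds, the toy DGA, and the log format are all assumptions for illustration; real detection uses trained models and reimplementations of known families.

```python
"""Spot DGA-style domain names in DNS query logs with lexical features.

Added example. The toy DGA, feature thresholds and log lines are constructed.
Assumed log layout: timestamp client_ip queried_name.
"""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import date

VOWELS = set("aeiou")

# Constructed DNS log: one client queries two generated-looking names.
DNS_LOG = [
    "2016-04-14T10:01:02Z 10.0.0.7 www.google.com",
    "2016-04-14T10:01:05Z 10.0.0.7 en.wikipedia.org",
    "2016-04-14T10:01:09Z 10.0.0.7 xkqvzjwpmrbt.net",
    "2016-04-14T10:01:10Z 10.0.0.7 qzvpkxwtmrjb.net",
    "2016-04-14T10:02:00Z 10.0.0.8 stackoverflow.com",
]


def toy_dga(seed_date, count, tld="net"):
    """Constructed DGA: SHA-256(date:counter) mapped to 12 lowercase letters.
    Deterministic in the date, so a defender who knows it can pre-register or
    sinkhole the day's names."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_date.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{tld}")
    return names


def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def sld_label(domain):
    """Registrable label under a one-part TLD (assumption: no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_features(label):
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "max_consonant_run": best,
    }


def is_dga_like(label):
    """Illustrative thresholds (assumption): long, high-entropy, vowel-poor labels,
    or an implausibly long consonant run."""
    f = lexical_features(label)
    return ((f["length"] >= 10 and f["entropy"] >= 3.0 and f["vowel_ratio"] <= 0.3)
            or f["max_consonant_run"] >= 6)


def flag_queries(log_lines, threshold=2):
    """Clients that queried at least `threshold` DGA-like names. One odd name is
    noise; a burst from a single host looks like malware walking its DGA list."""
    per_client = defaultdict(list)
    for line in log_lines:
        _ts, client, qname = line.split()
        if is_dga_like(sld_label(qname)):
            per_client[client].append(qname)
    return {c: names for c, names in per_client.items() if len(names) >= threshold}


if __name__ == "__main__":
    todays = toy_dga(date(2016, 4, 14), 5)
    print("toy DGA names:", todays)
    print("flagged clients:", flag_queries(DNS_LOG))
```

The per-client threshold matters more than the per-name score: the most reliable DGA signal in real logs is one host producing a burst of NXDOMAIN answers for never-seen names, because the malware tries many candidates before it finds the one the operator registered.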

Internal Reconnaissance: Since the first insertion point is usually a vulnerable workstation, attackers need to move laterally through the network in order to map the infrastructure and find the data they need to complete their cyber mission. To do that, they compromise other devices, including Internet of Things and healthcare devices on the network, and a good place to start is the server that holds all user and device credentials, such as an Active Directory domain controller.

Maintain: Now that the attackers are in, they want to stay as long as possible, so they burrow deep inside the network to keep a foothold. They install rootkits to hide files and processes, and sometimes bootkits, which infect start-up code such as the Master Boot Record (MBR) and run before the operating system does, giving them control over what the system is allowed to see. Because the MBR sits outside the encrypted volume, a bootkit can even subvert full disk encryption by capturing the passphrase at the pre-boot prompt. One challenge attackers sometimes encounter is that the data they want is not on a device with direct Internet access, so once they have located the target data they may also need to find and compromise a server that does have Internet access, where they can stage the stolen data before exfiltration.
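A bootkit that patches the MBR leaves a measurable change in the first 512 bytes of the disk, so one baseline check a practitioner can run is a comparison of the boot-code bytes and partition table against a known-good copy. The example below is added here and is not from the original post: it builds two constructed 512-byte MBR images, a clean one and one with the first instruction replaced by a jump, and checks each against a baseline. The images, the opcode bytes and the partition layout are constructed for illustration and do not reproduce any real bootkit.

```python
"""Compare a 512-byte MBR image against a known-good baseline.

Added example; the boot code bytes and partition layout are constructed.
Run such a check from trusted boot media or on an offline disk image: an
active bootkit can filter what the running OS reads back from the disk.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # bytes 0..439: boot code, before the disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries
SIGNATURE_OFF = 510       # 0x55AA boot signature
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def make_mbr(boot_code, partitions):
    """Build a constructed MBR image from boot code and (status, type, lba, count) entries."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3,
                                        lba_start, sectors)
    mbr[SIGNATURE_OFF:SECTOR] = b"\x55\xAA"
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty partition entries as (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            entries.append((status, ptype, lba, count))
    return entries


def unpartitioned_gap(partitions):
    """Sectors between the MBR (LBA 0) and the first partition: unpartitioned
    space like this is a common place for a bootkit to stash the rest of its code."""
    return min(p[2] for p in partitions) - 1


def check_mbr(mbr, baseline_boot_hash, baseline_partitions):
    """Return a list of findings; an empty list means the image matches the baseline."""
    if len(mbr) != SECTOR:
        return ["image is not 512 bytes"]
    findings = []
    if mbr[SIGNATURE_OFF:SECTOR] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    if parse_partitions(mbr) != list(baseline_partitions):
        findings.append("partition table differs from baseline")
    return findings


# Constructed clean image: a few x86 setup bytes (cli; xor ax,ax; mov ss,ax) padded with NOPs.
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 5)
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1843200)]
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Constructed "infected" image: first instruction replaced by a short jump (EB 7E),
# the kind of hook that diverts execution to attacker code before the real loader runs.
_tampered = bytearray(CLEAN_MBR)
_tampered[0:2] = b"\xEB\x7E"
INFECTED_MBR = bytes(_tampered)


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH, PARTITIONS))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_HASH, PARTITIONS))
    print("unpartitioned sectors before first partition:", unpartitioned_gap(PARTITIONS))
```

On a Linux host the raw sector to feed into check_mbr is `sudo dd if=/dev/sda bs=512 count=1`, but the caveat in the module docstring is the important part: read it from a clean boot or a forensic image, and take the baseline hash when the system is known-good, because a kernel-level rootkit that is already running can hand back a clean copy of a sector it has actually modified.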

Now that we have a general understanding of threat actors, the phases of an attack, and some of the current criminal trends, the next step is to see what we can glean from this threat intelligence to help build our defenses. Stay tuned for part 2, “Threat Intelligent Defense.”