Attackers’ profiles and motivations

Date : April 06, 2014

On the topic of threats and attacks we categorize attackers into 4 categories:

  • Hobbyists
  • Hacktivists
  • Cyber-criminals
  • Cyber-spies


Hobbyists

This first category includes people who perform small attacks, mostly by hand. The following are examples of such attacks:

  • Defacing web sites with eccentric or childish claims,
  • Launching experimental worms or viruses on the Internet with no clear intent,
  • Sending email scams (such as "Nigerian scams") to convince recipients to send money to the scammer.

This category of attackers was dominant in the early 2000s, with for example large worm propagations such as CodeRed or Slammer. It is now a minor element of the landscape, although of course this threat is always present.


Hacktivists

This category became visible at the end of 2010, when the Anonymous movement took up the defense of Wikileaks and launched DDoS attacks. At that time they blocked the MasterCard and Visa websites, which demonstrated that such a collaborative movement could be very powerful.

Any group with "political" claims can actually choose to use cyber attacks to give visibility to its movement. The attacks performed are mainly information theft (stealing "easy to catch" data, commonly called "low-hanging fruit", from weakly protected websites) and denial of service attacks.

These attacks were very present during 2011 but have declined since then. This is probably because some of these attacks were severely punished (10 years in prison for an Anonymous member who participated in the hacking of the Stratfor company, and a $183,000 fine for someone who participated in a DDoS attack), which of course has a highly deterrent effect.

However, the risk of Hacktivist attacks still exists. For example, in 2013, the SEA group (Syrian Electronic Army), which defends Bachar el-Assad and which we consider to be Hacktivists, performed many cyber-attacks, taking control of several famous Twitter accounts (including Associated Press, The Guardian, New York Post) and hijacking several prominent DNS servers (New York Times, Twitter, Qatar). These are unsophisticated attacks based on social engineering, but they can successfully affect prominent victims.


Cyber-criminals

This category is the one best known to the general public, and it has existed since about 2003. It includes all the large attacks performed by crooks who are after money. This typically includes:

  • Spam,
  • Botnets,
  • Theft of banking data,
  • "Fake antivirus" or "ransomware" scams.

Unlike "Hobbyists" (whom we mentioned in the first section), the cyber-criminal world is well organized and very professional. The tools used are very sophisticated (exploit kits, fast-flux infrastructure, etc.). Multiple stakeholders, each with their own specialty, interact in this ecosystem: sponsors, developers, infrastructure managers, resellers, etc.

The favorite victims of cyber-criminals are individuals, as the preferred method here is to steal a small amount of money from the largest possible number of victims (e.g. by installing a fake antivirus on the victim's computer and then asking for a small sum to "disinfect" the computer).

This category emerged in the early 2000s, and until 2010 it remained the most visible threat on the Internet.


Cyber-spies

Starting in 2010, cyber-espionage attacks became more and more visible, following the media coverage of incidents of this type, and they took on an ever-growing importance in the threat landscape.

Cyber-espionage attacks are attacks where hackers infiltrate the IT system of the targeted company, silently install remotely controlled backdoors and then explore the IT environment to make their way to their final target. They then steal information or perform sabotage.

These attacks are commonly named APT (Advanced Persistent Threat). They have existed for a long time (perhaps forever?), at least at the strategic level (state-sponsored attacks and other such "special" operations). But since 2010 more and more APT incidents have been disclosed, and the APT risk has consequently risen to become predominant. Since then, it has been clear that cyber-espionage attacks are no longer limited to strategic targets: they are now a concern for any company. There are several reasons for this change of scope:

  • Such cyber-attacks are quite easy to perform, and the risk is small if the attacker is located in a foreign country. The risk vs. complexity ratio is very good, and it is tempting to apply this technique at a large scale.
  • Some countries (China is often mentioned on this topic) might have used this technique broadly, whereas other countries have so far used it only on specific occasions.


What about the insider threat?

It is commonly accepted that, in terms of incidents, the internal threat poses a significant risk, which is often quantified by the 80/20 rule: 80% of incidents have internal causes and 20% have external causes. As this model attributes the most significant share to internal causes, it raises the question: should we add "insider threat" to our attacker taxonomy?

On this topic, the Verizon DBIR-2013 report gives interesting figures. According to this report, for 2012:

  • 69% of the incidents came from inside the company, but in fact these internal incidents are most of the time accidental (e.g. data loss).
  • 92% of deliberate attacks came from outside the company.

This shows that internal attacks are a very small proportion of the threat. But they should not be neglected, because the cost of these attacks is often very high: as the attacker has deep knowledge of the targeted IT system, he often causes severe damage to it.
