Get in Touch Close Menu

What are Threat Actors?

25 October 2021

In the world of cybersecurity, the more you know about threat actors, the better placed you are to counteract and manage cyber threats and attacks. But what is a threat actor?

We can define a threat actor as a person, group, or entity performing a cyber-attack designed to impact an organisation negatively.

In other words, someone who wants to harm you and or your organisation’s IT infrastructure.

There are many types of cyber attacks and threats, from a disgruntled team member trying to gain unauthorised access to steal sensitive data to nation-states attempting to interfere in political elections.

There are ways to keep cyber secure.

For example, threat intelligence is a resource that organisations can leverage to provide information about current or emerging threats that could negatively impact their security. If we combine available threat intelligence on threat actors, existing and emerging threats, then we have a formidable defence against attacks.

Threat Intelligence also allows us to anticipate and pre-empt cyber risks and attacks, making us proactive rather than reactive.

WHAT ARE THREAT ACTORS?

Different Types of Threat Actors

According to a report (a collaboration based on research provided by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the UK and USA) on publicly available hacking tools:

Today, hacking tools, with a variety of functions, are widely and freely available for use by everyone, from skilled penetration testers, hostile state actors and organised criminals to amateur hackers.

Joint report on publicly available hacking tools – NCSC.GOV.UK
The Different Types of Threat Actors

Organised Crime/Cybercriminals

A cybercriminal is the most common type of threat actor, and one most people tend to read or see on the news.

An attack is intended to steal data and make it inaccessible until an organisation or individual pays a ransom. Be it working alone or as a group, money is the cybercriminals primary motivation. Cyber-attacks are made up of phishing attacks, ransomware, malware and other tactics and techniques.

Insider

Insider attacks, or insider threats, are typically related to an organisation when a team member, former team member, third-party contractor, or partner wants to get at organisational network, systems, or data.

The reasons for doing so are varied. Disgruntled employees could do so for financial gain, or a threat actor may use an organisation’s system to expose confidential information.

An insider cyber threat actor sometimes maliciously and intentionally damages an organisation’s cybersecurity foundations, yet sometimes this is not intentional. It is worth noting that not every insider threat is motivated by greed or revenge.

Some attacks can be down to a lack of understanding of cybersecurity. One such example is when a staff member falls prey to a phishing cyber-attack and unfortunately shares sensitive information.

Nation-states

A nation-state attack refers to countries that target institutions within other countries to influence elections, disrupt or affect their security, economy, the electoral process, and government departments. Having access to significant financial backing and the necessary tools makes a nation-state one of the most dangerous types of cyber threat actors.

Hacktivists

Hacktivists are a form of threat actor often noted in the media. For example, groups such as Anonymous have carried out cyberattacks on terrorist organisations.

The reason for a hacktivist cyber-attack is for them to expose their target entity and disrupt their actions. There is often a social, political, or ideological reason for the hacktivist to undertake an attack on an organisation, government, or individuals.

Script Kiddies

Script kiddies refer to those individuals with basic hacking skills. Script kiddies may launch existing scripts to deface a website for their cheap thrills. Organisations targeted by script kiddies can incur severe costs to repair their systems and recover data.

Security-information-&-event-management

Why Threat Actors Matter

As written above, the type of threat actor varies from motivations, skills, and resources to their reasons and how they attack. Understanding this is an essential step in planning and executing your defence.

Threats actors are continuously looking for ways and means to infiltrate organisations. Your systems can be the conduit they can use. For example, a phishing message may trick you into sharing sensitive credentials through a cleverly worded statement.

Protection Against Threat Actors

An important point to make is that while a threat actor may intend to harm, this should be balanced against their capability to do so.

For example, the cybercriminal can hack your customer database but may lack the intent because they cannot gain financially.

Understanding and categorising threat actors give you the chance to focus on your cybersecurity plan.

How does Sapphire Counteract Threat Actors?

Sapphire’s Managed Threat Intelligence Service provides organisations with actionable intelligence.

We work closely with organisations to understand their sector, employees, and systems. Sapphire’s analysts then use this information as a guide to fix vulnerabilities, uncover new ones, and implement internal security policies.

How does Sapphire collect IOCs (Indicators of compromise) about threat actors?

Since cybersecurity is ever-evolving, we must constantly learn and adapt to the new security threat trends and proactively try to find answers.

One of our main objectives as a SOC (security operations centre) and an MSSP (managed security service provider) is collecting data from various threat intelligence sources and indicators of compromise.

These sources include past incidents from the open web, the dark web, and technical sources. Our primary source of collections is threat intelligence platforms, both from open-source and the intelligence platforms we use.

In addition, Sapphire actively gathers via the SOC, where the SOC proactively looks for any significant or minor threat information. 

We use our platforms to go through a series of different triggered alerts that notify the SOC of any threat news. Additionally, we check a variety of threat posts, threat reports, vulnerability advisories and vulnerability posts. We then extract any available threat data.

Threat data is usually thought of as lists of IoCs, such as:
• Malicious IP addresses.
• Domains.
• File hashes.
• Vulnerability information: such as the personally identifiable information of customers.
• Raw code from paste sites.
• Text from online sources or social media.

How does SIEM, EDR detect and defend against threats?

Threat intelligence data can take many forms, but the idea is to get the data into a format that we can use in our SIEM, EDR and CTI services. Most of our platforms are capable of parsing information into relevant fields for easy comprehension by human beings.

The threat data or IoCs are getting manually analysed and reviewed. We create customised rules, alerts, dashboards, reports, investigations, and more based on the collected IoCs.

Not all IoC information is reviewed manually. IoC data integrated into specific rules to alarm certain things will likely have gone through a manual review process.

Most IoCs will be identified and processed automatically before getting pulled into the SIEM/EDR platform, where that information can then trigger alerts.

At Sapphire, we also write reports on a specific circumstance whenever a threat or vulnerability affects our customer(s). We then proceed with providing recommendations whilst enhancing our detection and defence against those threats.

Want to know more about how our Threat Intelligence service detect and defend against threats?

Contact our team today

Name
I agree to the terms & conditions

Related Articles

ISO 27001 Certification: Now is the Time to Consider the Benefits | Sapphire
19 November 2021

ISO 27001 is a standard set out by the International Standards Organisation that helps your organisation to manage the security of your information assets (electronic/paper, reputational, applications, infrastructure, third parties, etc.).

Additionally, the certification helps organisations formulate an Information Security Management System (ISMS) to mitigate the growing number of information and cyber attacks.

Find Out More
What does the OWSAP 10 mean?
18 November 2021

The Open Web Application Security Project (OWASP), Top 10 list (maintained since 2003 and announced every few years), highlights the ten most critical security risks to web applications.  It is recommended that organisations adopt the OWASP Top 10 to ensure their web applications are not exposed to any cyber risks. According to OWASP:  Using the OWASP Top 10 […]

Find Out More
What is Security Awareness Training?
8 November 2021

Security awareness training helps organisations prevent and mitigate user risk. A security awareness program helps people understand the vital role they play in helping to combat cyberattacks – at work or at home. According to the Department for Digital, Culture, Media & Sport: “All businesses can benefit from understanding cyber threats and online fraud.” We spoke […]

Find Out More