What are Threat Actors?

In the world of cybersecurity, the more you know about threat actors, the better placed you are to counteract and manage cyber threats and attacks. But what is a threat actor?

We can define a threat actor as a person, group, or entity performing a cyber-attack designed to impact an organisation negatively.

In other words, someone who wants to harm you and or your organisation’s IT infrastructure.

There are many types of cyber attacks and threats, from a disgruntled team member trying to gain unauthorised access to steal sensitive data to nation-states attempting to interfere in political elections.

There are ways to keep cyber secure.

For example, threat intelligence is a resource that organisations can leverage to provide information about current or emerging threats that could negatively impact their security. If we combine available threat intelligence on threat actors, existing and emerging threats, then we have a formidable defence against attacks.

Threat Intelligence also allows us to anticipate and pre-empt cyber risks and attacks, making us proactive rather than reactive.

Different Types of Threat Actors

According to a report (a collaboration based on research provided by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the UK and USA) on publicly available hacking tools:

Today, hacking tools, with a variety of functions, are widely and freely available for use by everyone, from skilled penetration testers, hostile state actors and organised criminals to amateur hackers.

Joint report on publicly available hacking tools – NCSC.GOV.UK

Organised Crime/Cybercriminals

A cybercriminal is the most common type of threat actor, and one most people tend to read or see on the news.

An attack is intended to steal data and make it inaccessible until an organisation or individual pays a ransom. Be it working alone or as a group, money is the cybercriminals primary motivation.

Cyber-attacks are made up of phishing attacks, ransomware, malware and other tactics and techniques.

Insider

Insider attacks, or insider threats, are typically related to an organisation when a team member, former team member, third-party contractor, or partner wants to get at organisational network, systems, or data.

The reasons for doing so are varied. Disgruntled employees could do so for financial gain, or a threat actor may use an organisation’s system to expose confidential information.

An insider cyber threat actor sometimes maliciously and intentionally damages an organisation’s cybersecurity foundations, yet sometimes this is not intentional.

Not every insider threat is motivated by greed or revenge.

Some attacks can be down to a lack of understanding of cybersecurity. One such example is when a staff member falls prey to a phishing cyber-attack and unfortunately shares sensitive information.

Nation-states

A nation-state attack refers to countries that target institutions within other countries to influence elections, disrupt or affect their security, economy, the electoral process, and government departments. Having access to significant financial backing and the necessary tools makes a nation-state one of the most dangerous types of cyber threat actors.

Hacktivists

Hacktivists are a form of threat actor often noted in the media. Groups such as Anonymous, for example, have carried out cyberattacks on terrorist organisations.

The reason for a hacktivist cyber-attack is for them to expose their target entity and disrupt their actions.

There is often a social, political, or ideological reason for the hacktivist to undertake an attack on an organisation, government, or individuals.

Script Kiddies

Script kiddies refer to those individuals with basic hacking skills.

These bad actors may launch existing scripts to deface a website for their cheap thrills.

Organisations targeted by script kiddies can incur severe costs to repair their systems and recover data.

Why Threat Actors Matter

As written above, the type of threat actor varies from motivations, skills, and resources to their reasons and how they attack. Understanding this is an essential step in planning and executing your defence.

Threats actors are continuously looking for ways and means to infiltrate organisations. Your systems can be the conduit they can use. For example, a phishing message may trick you into sharing sensitive credentials through a cleverly worded statement.

Protection Against Threat Actors

An important point to make is that while a threat actor may intend to harm, this should be balanced against their capability to do so.

For example, cybercriminals can hack your customer database but may lack the intent because they cannot gain financially.

Understanding and categorising threat actors give you the chance to focus on your cybersecurity plan.

How does Sapphire Counteract Threat Actors?

Sapphire’s Managed Threat Intelligence Service provides organisations with actionable intelligence.

We work closely with organisations to understand their sector, employees, and systems. Sapphire’s analysts then use this information as a guide to fix vulnerabilities, uncover new ones, and implement internal security policies.

How does Sapphire collect IOCs (Indicators of compromise) about threat actors?

Since cybersecurity is ever-evolving, we must constantly learn and adapt to the new security threat trends and proactively try to find answers.

One of our main objectives as a SOC (security operations centre) and an MSSP (managed security service provider) is collecting data from various threat intelligence sources and indicators of compromise.

These sources include past incidents from the open web, the dark web, and technical sources. Our primary source of collections is threat intelligence platforms, both from open-source and the intelligence platforms we use.

In addition, Sapphire actively gathers via the SOC, where the SOC proactively looks for any significant or minor threat information. 

We use our platforms to go through a series of different triggered alerts that notify the SOC of any threat news. Additionally, we check a variety of threat posts, threat reports, vulnerability advisories and vulnerability posts. We then extract any available threat data.

Threat data is usually thought of as lists of IoCs, such as:

• Malicious IP addresses.
• Domains.
• File hashes.
• Vulnerability information: such as the personally identifiable information of customers.
• Raw code from paste sites.
• Text from online sources or social media.

How does SIEM, EDR detect and defend against threats?

Threat intelligence data can take many forms, but the idea is to get the data into a format that we can use in our SIEM, EDR and CTI services. Most of our platforms are capable of parsing information into relevant fields for easy comprehension by human beings.

The threat data or IoCs are getting manually analysed and reviewed. We create customised rules, alerts, dashboards, reports, investigations, and more based on the collected IoCs.

Not all IoC information is reviewed manually. IoC data integrated into specific rules to alarm certain things will likely have gone through a manual review process.

Most IoCs will be identified and processed automatically before getting pulled into the SIEM/EDR platform, where that information can then trigger alerts.

At Sapphire, we also write reports on a specific circumstance whenever a threat or vulnerability affects our customer(s). We then proceed with providing recommendations whilst enhancing our detection and defence against those threats.