THE THREATS ARE REAL.
In a world riddled with cyberattacks, digital espionage, misinformation and a hyper-partisan political landscape, access to accurate and vetted intelligence is vital to overcoming the array of threats and threat actors.
The threat landscape is as diverse as it is sophisticated. Staying abreast of these threats, understanding actors’ motivations and knowing their tactics, techniques and procedures (TTPs) is paramount.
What You'll Learn
Radware’s Hacker’s Almanac Series
The Radware Hacker’s Almanac Series serves as a cornerstone for understanding the threat landscape. Modeling the threat landscape is an essential step in anticipating the impact of external influences such as geopolitics, pandemics and new security threats, so that your organization can implement a focused security strategy aligned with its most valuable resources.
Threat Actor Classification
Threat actors can be categorized into five classes based on their motivations and objectives. Terminology differs across the security community, but the underlying categories are consistent.
A threat actor will typically fit into one of the following classes.
Some of the most notorious threat actors are those employed or contracted by national governments. Nation-state actors and threat groups often have close links to, and are typically directed by, military or state intelligence services. Recruits are selected for their high degree of technical expertise, knowledge of a specific language, or ability to run propaganda and misinformation campaigns.
Their motivations range from large-scale disruption and influence campaigns to covert espionage. Some states are in it for economic gain, while others provide an environment that allows their contractors to continue non-sanctioned operations after hours.
While nation-state threat groups are capable of sophisticated attacks, most of their activity consists of simple attack vectors. They typically mimic the traits of other groups or actors. These actors do not perform attacks to demonstrate capabilities; they try to achieve a specific objective as covertly as possible. Attribution of nation-state incidents is difficult and has led to the formation of several industry groups that track activities and assign a variety of names to the same attack.
Many nations have advanced cyberwarfare capabilities; however, this guide focuses on only a few diverse and notable nation states that illustrate the concept. Depending on your location, your perception of a particular nation-state actor, and the urgency you assign to it, will be shaped by geopolitics, cultural differences, and economic and trade agreements.
Want to learn more about nation-state attacks?
Download the full Hacker’s Almanac to learn more about these countries and others, such as China and Iran.
Almost all organized crime groups use communication technology to manage their operations. Some groups specialize in using technology to commit cybercrime. Criminal activity is so rampant that even nation-state-employed actors likely engage in cybercrime after hours for personal gain.
Crime pays, so whenever there is an opportunity, organized crime will appear. As more people and devices become connected in the wake of digital transformation, ways for cybercriminals to profit continue to emerge. Even traditional criminals have evolved and digitalized. Drug dealers now anonymously sell drugs and stolen goods online for cryptocurrency without the fear of being caught operating on the streets. The internet provides increasing opportunities for cybercriminal activity and ways for threat actors to organize and create environments that support crime and profitability.
One would assume these threat actors would not want to draw attention to themselves, yet their crimes are often “noisy” and noticeable. Many threat actors even leverage media attention to publicize their capabilities, putting increased pressure on victims to comply. If victims don’t, outages can be massive, and sensitive data can be shared on the darknet to apply more pressure.
Extortion is the practice of gaining something, especially money, through force or threat. Extortion has evolved from the physical world of gangster shakedowns to the cyber realm through hostage-taking of computer networks for profit. From ransomware to Ransom Denial-of-Service (RDoS), threat actors aim to extort cryptocurrency from victims by threatening to degrade networks or encrypt systems and block access to systems until payment is rendered.
Ransomware is malicious software that infects a system and displays messages demanding a fee to receive a key to unlock the system. Ransomware typically works by encrypting all data and system files and rendering them useless. Entire organizations have shut down for days or weeks in the wake of ransomware attacks.
Ransomware operators have modified their attacks to include a fail-safe: exfiltrating sensitive data before encryption. In the so-called double extortion scheme, if a victim does not agree to pay for the decryption key, the actors extort the victim by threatening to publish the sensitive data they exfiltrated during the encryption phase of the attack. Threat actors know the implications of the General Data Protection Regulation (GDPR) in the EU and are happy to leverage the reputational damage that leaked data can cause.
In some cases, threat actors have resorted to launching DDoS attacks to get victims back to the negotiating table when initial attempts did not sway them.
Threat actors use RDoS to conduct financially motivated, extortion-based DDoS attacks. A DDoS extortion victim receives a message by email, typically sent from a private mail service such as Protonmail, GMX or even 10 Minute Mail. The message demands a ransom payment. If the victim does not pay before the deadline, a powerful, long-lasting DDoS attack begins a few days after the message is received. The going rate in 2020 was between 10 and 20 BTC. In 2021, due to bitcoin’s surging value, the rate was adjusted to between 5 and 10 BTC. The bitcoin address for the payment is uniquely tied to the target and gives the threat actors a way to track payments.
Hacktivists are generally considered low-risk threat actors compared to the rest of the field, but they should not be dismissed. One of the properties that makes this group of actors such a formidable threat is their hive mindset. They are able to work together to respond to an event and amplify information within hours, putting severe pressure on the unprepared. Their actions are noticeable because of their impact and the media attention they generate.
The backgrounds of hacktivist threat actors range from concerned citizens with digital means to nation-state threat actors. One of the larger shifts in hacktivism is the growth of local political operations as citizens become more aware and educated about the TTPs used by nation-state actors, organized criminals and other hacktivists. In the past, it was common for nation-state threat actors to use patriotic hacktivism as a cover for their operations, but we now see more citizens running campaigns that are amplified by other parties of interest.
In the digital world, civil disobedience has risen to new heights. It has evolved past the point of simple critical thinking and protest. Hacktivism combines the motives of activism with the TTPs of a malicious hacker. Threat actors are typically driven to action by anti-government motives, corporate wrongdoing or social injustice. They achieve their goals by exposing and leaking data associated with those they accuse of wrongdoing, and by degrading and disrupting their networks. Their toolset can range from rentable and straightforward to sophisticated and advanced.
Generally, hacktivist activity is now more reactionary, social and supportive than the planned and executed attacks of Anonymous. While Anonymous still exists in some capacity, and groups like Ghost Squad Hackers are still active, mainstream hacktivism looks more like the events that unfolded around BlueLeaks or the assassination of Qasem Soleimani.
Download the complete Hacker’s Almanac, Series I, to learn about additional hacktivist groups.
The term “hacker” is used to describe a person who leverages a computer for malicious purposes. Not all hackers are threat actors, which makes it difficult to differentiate between them. In general, the group is divided into black, white and gray hat hackers.
A hacker’s background can be extensive and diverse, and includes those without any formal technical training or knowledge. As for skillsets, hackers in all three groups range from common script kiddies to advanced programmers. While their activity can range from noble to malicious, ultimately they all operate for thrills and bragging rights.
Most people assume that other threat groups are more advanced, yet some of the most sophisticated and technical people fall into the category of white hat hackers. Their work, whitepapers and discoveries are often weaponized by other threat groups who lack ethics and morals. Classifying hackers can be complex, with actors belonging to multiple threat groups at the same time. Understanding who you are dealing with can help you handle the situation.
Download the complete Hacker’s Almanac, Series I, to read more examples and learn more about cyber threats from hackers and hacktivists.
The most challenging threat to detect and mitigate is the one that originates from within the circle of trust. Disgruntled insiders are threat actors who are current or former employees and who operate out of malice or neglect. These events can include financial fraud, data theft, selling trade secrets, intentional sabotage and internal non-responders. One of the most significant issues is that, unlike the other groups, these threat actors are already past authorization. They already have the initial access and internal knowledge that the other groups have to discover during the reconnaissance stage.
Their tactics are simple compared to those of other threat actors, which makes them more difficult to detect. They do not need to maintain persistence or move laterally. They often act within their own domain, looking to cause as much damage as they see fit. This can include simply copying trade secrets they already had access to onto a personal device for future competitive use, intentionally deleting or damaging infrastructure or data during or after termination, or simply neglecting to secure critical infrastructure.
Understanding how and why employees turn against their employers might help you understand the psychology, warning signs and how to mitigate the impact of a threat from within.
Angry or disappointed customers can become threat actors. They typically do not persist or pursue a career in crime. Attacks are carried out while the perpetrator is in an intense emotional state, but can nevertheless result in serious damage. Because these actors are not experienced and lack the skills to perform their own attacks, they typically rely on hackers-for-hire to conduct the actual attacks. Some of the cheapest and easiest attack tools that can damage an organization’s reputation are DDoS stressers.
Companies in the gaming and gambling industry deal with these threats more often than other industries due to their customers’ emotional involvement. But there are exceptions to every rule.
Interested in a deeper dive?
Download Series I: The Threat Actors, to further understand cybercriminals and their modus operandi.
Download Series II: Tactics, Techniques and Procedures, to understand how TTPs map to the MITRE ATT&CK framework.