1.5 Explain different threat actors, vectors, and intelligence sources

  • Actors and Threats
    • Advanced Persistent Threat (APT)
    • Insider Threats
    • State Actors
    • Hacktivists
    • Script Kiddies
    • Criminal Syndicates
    • Hackers
      • Authorized
      • Unauthorized
      • Semi-Authorized
    • Shadow IT
    • Competitors
  • Attributes of Actors
    • Internal/External
    • Level of Sophistication/Capability
    • Resources/Funding
    • Intent/Motivation
  • Vectors
    • Direct Access
    • Wireless
    • Email
    • Supply Chain
    • Social Media
    • Removable Media
    • Cloud
  • Threat Intelligence Sources
    • Open-Source Intelligence (OSINT)
    • Closed/Proprietary
    • Vulnerability Databases
    • Public/Private Information-Sharing Centers
    • Dark Web
    • Indicators of Compromise
    • Automated Indicator Sharing (AIS)
      • Structured Threat Information eXpression (STIX) / Trusted Automated eXchange of Intelligence Information (TAXII)
    • Predictive Analysis
    • Threat Maps
    • File/Code Repositories
  • Research Sources
    • Vendor Websites
    • Vulnerability Feeds
    • Conferences
    • Academic Journals
    • Request for Comments (RFC)
    • Local Industry Groups
    • Social Media
    • Threat Feeds
    • Adversary Tactics, Techniques, and Procedures (TTP)

Actors and Threats

Before we can protect against the threats, we need to know who is responsible for them and what their resources are.

A nation state or state actor may have a government agency that engages in hacking.  Nation state intelligence agencies purchase and stockpile millions of dollars' worth of zero-day vulnerabilities and the exploits for them, which they reserve for high value targets.

A nation state will engage in attacks for

  • National security purposes

  • Political purposes

  • Intellectual property theft that is then provided to companies within the country

  • Cyber attacks against business competitors in other countries

Attacks by nation states may cost millions of dollars to develop and may take years of planning.  The attacks may be performed by intelligence agencies or subcontracted to third parties (or to companies that are state-run/state-affiliated).

The use of cyber warfare is growing, and most countries are engaging in it or considering it.

A major strategy in intellectual property theft is to slowly steal secrets from a competitor’s systems without being caught, over a period of several years.  This is accomplished by installing a backdoor into the system or possibly by bribing system administrators to provide access (or to ignore the backdoor).  An attacker who operates this way, well-resourced and patient enough to stay hidden in a network for months or years, is known as an Advanced Persistent Threat (APT).  The term usually refers to a nation-state group or to a group working on a nation state’s behalf.

In 2013, Ji Li Huang and Xiao Guang Qi, both citizens of China, pleaded guilty to attempting to steal trade secrets from the Pittsburgh Corning Corporation, which produces FOAMGLAS® insulation.  How did they do it?

  • They placed an advertisement in a Kansas City newspaper, close to Corning’s manufacturing plant, and used it to recruit an experienced employee of the plant.

  • The two defendants asked the employee to provide them with trade secrets belonging to his employer.  They offered him $100,000 in cash.  They also offered him the opportunity to move to China and set up an insulation manufacturing plant there.

  • The two defendants were also spotted attempting to access the Corning plant without authorization.

  • The Corning employee notified his employer, who notified the FBI

  • The FBI set up a sting operation at a nearby hotel.  The employee met with the defendants at the hotel and provided them with fake documents.  When the money was exchanged, the two defendants were arrested.

Companies that are vulnerable to foreign actors include those with employees who are

  • Loyal to a foreign government

  • In financial distress

  • Easily manipulated through their ego.  A smart employee, like a scientist or engineer, may have few social connections and be flattered by attention.  It is easy to take him to a bar or restaurant and sweet talk him, and he may give up far more than he intends.  People like to talk, and people like to brag about their accomplishments.

How to detect a foreign actor in your company (not all of these are absolute indicators of foreign threats, but all should be investigated)

  • Employees who are sponsored by a foreign government to study or work in the United States may collect data and trade secrets

  • Employees who are requesting information about subject matters that are unrelated to their job description

  • Employees who are stealing sensitive data

  • Employees who are bringing recording devices to work without authorization

  • Employees who frequently travel to their home country on short trips.  A person visiting their family is likely to make longer, less frequent trips.

  • Employees who appear to have more money than they should

How to prevent

  • Perform background checks, including credit checks on all employees and contractors

  • Store proprietary information securely

  • Implement a document control system that tracks each time a document is viewed, printed, or modified, and by whom.  Set the system to alert the administrator when anomalies are discovered.

  • Provide a method for allowing employees to anonymously report suspicious behavior, and fully investigate each report

  • Screen employees and contractors for foreign influence risk, such as undisclosed sponsorship by, or obligations to, a foreign government.

  • Prohibit employees from bringing recording devices and external storage devices (such as USB drives) to work

Criminal organizations perform hacking for financial rewards.  Due to the substantial return on investment, organized crime groups can afford to hire people with advanced hacking skills and to buy high-end technology.  These organizations can also afford to engage in schemes that take a long time to pay off.

A criminal organization can participate in a scheme on behalf of another organization (for example a nation-state may pay a criminal organization to steal data from a country or business).

Criminal organizations cover their tracks by collecting payment in cryptocurrency and by buying, selling, and communicating on the dark web.

Some of the activities that organized criminals engage in

  • Ransomware

  • Denial of Service

  • Spam

  • Identity Theft

  • Credit Card Fraud

  • Sale of Illegal Products/Services on the Dark Web

A script kiddie is a relatively unsophisticated attacker.  A script kiddie may download or purchase ready-made attack tools and malware and run them without understanding how they work.  Many developers of malware make their tools available on the internet for others to use.

A script kiddie may be caught quickly after they go on a website such as reddit or 4chan to brag, or if they do not take measures to mask their online identity.

Script kiddies perform a large share of the attacks seen on the internet, but not necessarily the most damage, because their tools exploit well-known vulnerabilities that a patched system resists.

A hacktivist is more advanced than a script kiddie.  A hacktivist can write scripts, and hacktivists may work together to advance a specific political or social cause.  For example, an environmental or animal rights activist may hack into an oil company and erase its data, or deface its website to publicize the cause.

An insider is a person who is inside the organization.  This person may be a contractor or an employee.  The insider may be motivated by

  • Financial purposes.  For example, stealing data to provide to a business competitor.

  • Political purposes.  For example, stealing government secrets to provide to a foreign country (in exchange for a financial or political reward).

  • Personal reasons.  The employee may be upset with the way that the company treats him or the way that the company conducts itself in the community.

An insider may cooperate with an attacker on the outside.  The insider may weaken security protocols at his organization and/or ignore an attack placed by an outsider.

It is difficult to detect and/or prevent attacks placed by insiders because most of their behavior may appear legitimate and because they already have access and knowledge of the organization.

Two famous insiders who leaked data were Edward Snowden and Chelsea Manning.  Snowden was a contractor for a US government agency who leaked a large number of classified documents.  Manning was a member of the military.  Neither was motivated by money; both were dissatisfied with the conduct of their organizations.

How to prevent

  • The type of security protocols required depends on the sensitivity of the information that the employee has access to

  • It is important to conduct background checks on current and future employees and on contractors

  • More severe methods include

    • Implement security protocols including document controls that monitor when files are accessed/printed/modified

    • Search all employees when they leave the building

    • Prohibit personal electronic devices

    • Split sensitive duties among several people, and enforce mandatory vacations and job rotation so that one person’s work is eventually reviewed by another

  • It is important to note that most of the information leaves the building through the brains of the employees, and there is currently no way to prevent people with good memories from taking information out of the organization.

A competitor is an individual or organization that is in the same market or industry as the victim.  The competitor may try to steal intellectual property, trade secrets, or business strategies.  The competitor may also try to sabotage operations.  For example, a competitor may attempt to hack into a piece of industrial equipment and attempt to destroy it.

The competitor may be in the same town, a different state, or a different country.

Shadow IT is technology that is connected to the organization’s network or data but is not managed, approved, or in many cases even known to its IT and security staff.  It is often acquired by a department or an individual to get work done quickly, and it frequently involves a third party that is trusted with remote access.  Because nobody in IT owns it, it is not inventoried, patched, or monitored, and it is not covered by the organization’s policies.  If the third party behind it is hacked (or is malicious), unauthorized users could gain access to the company’s infrastructure.  Some examples of Shadow IT

  • The photocopiers and printers report the use of their consumables to the manufacturer over the internet, which sends replacement supplies as required.  Nobody in IT reviewed what else that connection can carry.

  • A department outsources management of its network to another company, which monitors it remotely, without the security team vetting the vendor’s access.

  • A department buys SolarWinds because the SolarWinds sales people keep calling, installs it to monitor their endpoints, and when SolarWinds is hacked (as happened in 2020, when a backdoored update of its Orion product was delivered to customers) the attacker gets whatever access the monitoring product had.

Hackers can be grouped into three categories

  • Authorized.  An authorized hacker (a “white hat”) is one that is permitted to test the system.  We might hire a hacker to perform a penetration test, under a written scope and rules of engagement, to find vulnerabilities that we can later patch.

  • Unauthorized.  An unauthorized hacker (a “black hat”) has no permission to access the system but does so anyway, usually with malicious intent.

  • Semi-Authorized.  A semi-authorized hacker (a “gray hat”) looks for vulnerabilities without having been given permission, but without malicious intent, and usually reports what he finds.  It could be a customer who notices a vulnerability and gathers more information about it with the intent of reporting it.  A user who has legitimate access to some parts of the system but tries to grant himself administrator rights instead of asking the IT department is exceeding his authorization; that is an insider threat, not a semi-authorized hacker.

    Some large companies such as Google and Facebook run a “bug bounty” program.  If you discover and report a vulnerability in one of their applications under the program’s rules, they will provide you with financial compensation.  Testing a system that has no such program, and no written authorization, may be a crime even if your intentions are good.

Attributes of Actors

We can classify actors by their attributes

  • Internal/External.  Internal actors are those within the company.  Internal actors may have fewer resources, but they already have access to the systems (many times with admin-level access).  External actors require additional steps to get in.

  • Level of Sophistication.  The level of sophistication is low with script kiddies and higher with nation states.  Many attacks can be performed at low levels because of unpatched vulnerabilities or negligent security practices.

  • Resources/Funding.  Nation states and criminal organizations have better access to funding.  We can eliminate some threats by making them too expensive.  But if the actor is a nation state, and their motivation is political, and they have turned people within our organization against us, we may not be able to stop them.

  • Intent/Motivation.  Organized crime and competitors have specific financial goals.  Script kiddies just want bragging rights. 


The way that the actor gets into our system is called a vector.  We can group vectors into the following categories

  • Direct Access.  Direct access means that the actor has physical or remote access directly into our system.  They could be a user or a trusted vendor.  With direct access a user may be able to bypass firewalls and other perimeter security measures.

  • Wireless.  If the wireless network is not encrypted, or if it offers access to guests with little security, then an actor can use it to gain what is effectively direct access to the network.

  • Email.  Some say that e-mail is currently the most common threat vector.  E-mail can be used to transmit viruses and other forms of malware.  Through social engineering, it can also be used to trick people into giving up their credentials.

  • Supply Chain.  If we give vendors remote access to our system, then our system is only as secure as theirs.  Hackers will go after the weakest link in a chain.  If they can gain access to a vendor’s system, then they will gain access to ours.

    Even if a vendor does not have access to our system electronically, a hacker can target us by hurting one of our suppliers.  For example, if we manufacture cars, but we buy our car parts from a third party, then a disruption to that third party means that they will be unable to supply us with additional parts, which means that we will be unable to manufacture more cars.

  • Social Media.  Remember that hacking in 2021 or 2022 or whenever you read this book isn’t just about logging into a computer and deleting files or stealing data.  There are many ways to harm an organization without ever touching their computers. 

    Social media can be used to spread rumors about an organization and hurt its reputation.  For example, an attacker might create a report about how the company’s food product is contaminated, which causes their stock price to crash.

    Social media can also be used to gain user credentials through social engineering.  People post far more online than they realize.  It is easy to find out where somebody works by looking at their LinkedIn profile, it is easy to find out where somebody lives and who their friends are by looking at their Facebook profile, and it is easy to find out what somebody is thinking by reading their Twitter feed.

    By way of example, I have found that in some smaller branch offices of large organizations,  the only person with keys to the server room is the receptionist.  This is the type of office with maybe 50 employees and no on-site IT person.  Most of the IT work is performed by vendors, at the direction of somebody in the head office.

    It is easy to figure out who some of the vendors are because their trucks are parked outside or their names are in the sign in sheet at the front desk.

    And it is easy to figure out who the receptionist is from her LinkedIn profile.  If you buy the receptionist the type of chocolates she likes, she might give you keys to the server room.  You don’t even need to pretend you are a legitimate vendor, but it does help.

  • Removable Media.  Removable media such as DVDs and USB drives can be used to steal information.  It’s easy.  An employee or vendor inserts the USB drive into a computer or server, copies files, and takes it with him.

    We can go one step further and put malware on USB drives and give them to employees at a trade show, mail them to people, or drop them in the parking lot or on the floor.  People will pick them up and plug them into their computers.  Now their computers are infected, and we can steal all their data.  If the malware is sophisticated enough, it can spread from one computer to another over the network.

    USB drives are especially dangerous because the attack can live in the drive’s firmware rather than in a file (the “BadUSB” technique).  A drive with reprogrammed firmware can present itself to the computer as a keyboard and type commands, and an antivirus program scans the files on the drive, not its firmware.

  • Cloud.  An attacker who gains access to an organization’s cloud management account can gain access to all of its resources, especially if that account has not been set up with least-privilege roles, separate credentials for each person, and multi-factor authentication.

    Consider the following

    • You have an office with several servers.  You use Microsoft Active Directory and you properly control which users have access to each server.  You may also have file access control lists so that only certain users have access to specific files.

    • Only specific people have access to the servers.

    • Now you move the servers to the cloud.  Your cloud service provider gives you an account, which you can use to log in and create or manage the servers. 

    • You replicate the same Active Directory and access control lists on the cloud servers.  Users who log in to the cloud servers are subject to the same security policies as they were when they logged into the office servers.

    • But if somebody gains access to the cloud account they could do any of the following

      • Reboot a cloud server

      • Take an image of a cloud server’s hard disk drive and download it

      • Create a new cloud server

      • Delete an existing cloud server and all the data associated with it

    • You can protect against cloud attacks by

      • Enforcing permissions and privileges on cloud accounts just as you would on regular user accounts that log in.  The account used to manage the infrastructure should not be the one used for day-to-day work, and each person should have only the rights their role needs

      • Requiring approval from multiple users before data or infrastructure is deleted or modified.  This can be implemented through a change management system, backed by technical controls such as the deletion protection most providers offer for servers and storage

      • Enforcing multi factor authentication, and logging every action taken through the management account so that misuse can be detected
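
The first and third of those controls can be checked mechanically.  The following is an added example, not code from the original text, that audits two constructed IAM policy documents: one that grants the account everything, and one scoped to a single job with the destructive actions gated on MFA.  The policy layout and the aws:MultiFactorAuthPresent condition key follow the AWS IAM policy language; the account ID, region, list of destructive action prefixes, and audit rules are this example’s own assumptions.

```python
"""Audit IAM policy documents for the cloud-account weaknesses described above.

Added example, not code from the original text. The two policies are
constructed for illustration (account ID and region are placeholders).
The JSON layout and the aws:MultiFactorAuthPresent condition key follow
the AWS IAM policy language; the audit rules themselves are this
example's own assumptions about what a reviewer should flag.
"""
import json

# Constructed: the kind of account an attacker hopes to find. Anyone who
# steals its credentials can reboot, image, create or delete every server.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: scoped to one job, with the destructive actions gated on MFA.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:StartInstances",
                       "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances", "ec2:CreateSnapshot"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
})

# Action prefixes that correspond to the cloud-account attacks listed above
# (imaging, creating and deleting servers, and changing who can log in).
# This list is an assumption of the example, not an AWS-defined category.
DESTRUCTIVE_PREFIXES = ("ec2:Terminate", "ec2:Delete", "ec2:CreateSnapshot",
                        "ec2:CreateImage", "ec2:RunInstances", "s3:Delete", "iam:")


def as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalize."""
    return value if isinstance(value, list) else [value]


def requires_mfa(statement):
    """True when the statement only applies if the caller passed MFA."""
    flags = statement.get("Condition", {}).get("Bool", {})
    return str(flags.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def audit_policy(policy_json):
    """Return a list of findings for one policy document (empty = nothing to flag)."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
            destructive = action == "*" or action.startswith(DESTRUCTIVE_PREFIXES)
            if destructive and not requires_mfa(stmt):
                findings.append(f"statement {idx}: {action!r} allowed without MFA")
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append(f"statement {idx}: applies to every resource ('*')")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc) or ["no findings"])
```

Run against the weak policy it reports the wildcard action, the missing MFA gate, and the wildcard resource; the hardened policy produces no findings.  A real review would pull the policies attached to every user, group and role through the provider’s API and run the same checks over all of them.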

An actor may need to take advantage of more than one vector to perform an attack.  For example, a vendor with direct access to a system but no administrator rights will not be able to accomplish an attack.  But he may use e-mail or social media to steal administrator credentials from another user and carry out the threat.

Threat Intelligence Sources

How can we learn more about threats before they happen to us?  There are several good sources.

  • Open-Source Intelligence (OSINT).  This is information that is gathered and available to the public.  It includes information on social media and the deep web.  The problem with OSINT is that there is now a massive amount of available information, which makes it difficult to verify its legitimacy or filter through it.

    There are many books, resources, and courses available on mining and analyzing OSINT.

  • Closed/Proprietary.  Closed sources are not shared with the public.  Closed intelligence data may be collected by the government, law enforcement, or private investigators. 

    The government may share some of their intelligence with other governments or with private companies who are affected.  This information may have been gathered through the use of an expensive investigation, surveillance, or a confidential source.  Making this data public could compromise a criminal investigation or reveal sensitive law enforcement techniques.

    Closed data may be more reliable than OSINT, but not always.

  • Vulnerability Databases.  There are many public and private databases that keep track of common vulnerabilities.  Each time a vulnerability is discovered, it is added to the database.  An organization can search the database to learn about vulnerabilities with devices that it uses.

    Common Vulnerabilities and Exposures (CVE) is a free catalog that assigns each publicly known vulnerability an identifier of the form CVE-YYYY-NNNNN, so that vendors, scanners, and databases all refer to the same issue.

    It is available at https://www.cve.org/ (the older address https://cve.mitre.org/ still redirects there)

    Another database is the National Vulnerability Database, which is available at https://nvd.nist.gov/  NVD takes the CVE list and adds severity scores (CVSS) and lists of affected products (CPE names), which is what lets you match it against your own inventory.

    These databases only track public vulnerabilities.  When a company discovers a vulnerability, it might keep it a secret until it has time to release a patch.  This way, hackers won’t read about the vulnerability and take advantage of unpatched systems.

  • Public/Private Information-Sharing Centers.  These centers are resources where government and law enforcement agencies can share vulnerability information with private organizations that are affected.

    The sharing centers can be run by local, state, or federal agencies.  In the United States, the Cybersecurity & Infrastructure Security Agency maintains several programs to share cybersecurity data.

    These programs include

    • Cyber Information Sharing and Collaboration Program.  This program shares security data between the federal government and the owners of critical infrastructure such as power plants.

    • Information Sharing and Analysis Centers (ISACs).  These centers allow operators within one sector (for example financial services, or state and local governments through the Multi-State ISAC) to share data with each other.  They are member-driven and member-funded.

  • Dark Web.  We can learn about non-public vulnerabilities through the dark web.  If you’re a hacker, and you discover a vulnerability or steal a database of information, you might try to sell it on the dark web.  And you might sell it to multiple people.

    Manufacturers should check the dark web to see if vulnerabilities for their products are for sale.  You may also check the dark web to see if your customer’s information is for sale.  You must be careful because some of the information on the dark web is fake.

  • Indicators of Compromise.  An indicator is a red flag that tells us an attack has taken place.  It could include an entry in a log file, changes to a system file or configuration, or unusual behavior. 

    The indicator may also be a normal activity that is present at a higher volume.  For example, if an average of 10 users change their passwords each day, but today 250 passwords have been changed, that could indicate the presence of an attack.

  • Automated Indicator Sharing (AIS).  As more organizations share threat data, a common structure is necessary to keep the data from becoming a mess.  Organizations can now share threat data automatically in a standardized format called Structured Threat Information eXpression (STIX).  STIX content is transported over Trusted Automated eXchange of Intelligence Information (TAXII), an HTTPS-based protocol in which clients fetch objects from, and push objects to, collections on a server.  Both are open standards maintained by OASIS.  STIX 1.x encoded its data as XML; the current STIX 2.x encodes it as JSON objects linked by relationship objects.  In the United States, CISA’s AIS program uses STIX and TAXII to exchange indicators between the federal government and participating organizations.

    A STIX bundle can answer the following questions, each with its own object type
    • Who did it?  (Threat Actor, Intrusion Set)
    • What were they doing?  (Attack Pattern, Malware, Tool)
    • Why were they doing it?  (the motivation recorded on the Threat Actor)
    • What were they looking to exploit?  (Vulnerability)
    • Where was it seen?  (Sighting)
    • Why should you care about it?  (Campaign, Report)
    • What should you do about it?  (Course of Action)
    • What are you looking for when you try to detect it?  (Indicator, Observed Data)

  • Predictive Analysis.  If we gather enough data about existing threats, we can use it to predict where the attackers will strike next.  Predictive analysis is not a substitute for proper security, but it has applications in detecting fraudulent credit card transactions and other types of financial fraud.

  • Threat Maps.  A Threat Map is a visualization of attacks already detected, usually by a security vendor’s sensors, plotted by location, organization, network type, or other parameters.  It is useful for seeing trends, but it shows what has already happened rather than predicting where the next attack will land.

  • File/Code Repositories.  Good coding practice says that each time we release a new version of an application, we should archive the old version.  We also add release notes to the new version.  The release notes tell people what we changed and why.  Common reasons to update a program include

    • Add new features

    • Fix a bug that causes undesired operation

    • Modify the application so that it is compatible with a new operating system or device

    • Fix a security hole

If the application is open source, the older versions and release notes might be on the internet.  Many open source applications can be found on GitHub.  Even if the application is closed source, the release notes might still be on the manufacturer’s websites.

The point is, we can go back through the release notes and code repositories to see which vulnerabilities were discovered and patched.  Maybe we are using the application but haven’t upgraded to the latest version.  Maybe we wrote an application that is affected by a similar vulnerability and we haven’t released a patch of our own.
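
The search that the Vulnerability Databases entry above describes, matching the products you run against the affected-product list in a vulnerability record, can be automated once both sides use CPE names.  The following is an added example, not from the original text or from NVD: the advisory records are constructed placeholders (fictitious ids, vendors and products) whose match fields are modeled on the cpeMatch entries NVD publishes with each CVE, and the inventory is a constructed list of CPE 2.3 names.

```python
"""Match a software inventory against vulnerability records with CPE criteria.

Added example, not from the original text. The advisory records are
constructed placeholders: their ids, vendors and products are fictitious,
and the match fields (criteria, versionStartIncluding, versionEndExcluding,
versionEndIncluding) are modeled on the cpeMatch entries in NVD's CVE
records. Escaped characters inside CPE components are not handled.
"""
import re
from itertools import zip_longest

# cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:...
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

ADVISORIES = [  # constructed, not real CVEs
    {"id": "example-advisory-1", "matches": [{
        "criteria": "cpe:2.3:a:examplecorp:widgetserver:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.3"}]},
    {"id": "example-advisory-2", "matches": [{
        "criteria": "cpe:2.3:a:examplecorp:widgetserver:1.9.0:*:*:*:*:*:*:*"}]},
    {"id": "example-advisory-3", "matches": [{
        "criteria": "cpe:2.3:o:examplecorp:examplerouter:*:*:*:*:*:*:*:*",
        "versionEndIncluding": "6.1"}]},
]

INVENTORY = [  # constructed asset list in CPE 2.3 form
    "cpe:2.3:a:examplecorp:widgetserver:2.4.1:*:*:*:*:*:*:*",   # inside the range
    "cpe:2.3:a:examplecorp:widgetserver:2.4.3:*:*:*:*:*:*:*",   # first fixed version
    "cpe:2.3:o:examplecorp:examplerouter:6.2:*:*:*:*:*:*:*",    # above the ceiling
    "cpe:2.3:a:othervendor:widgetserver:2.1:*:*:*:*:*:*:*",     # different vendor
]


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its named components."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(version):
    """Dotted numeric comparison; non-numeric text (2.4.1a) is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def version_cmp(a, b):
    """-1, 0 or 1; missing trailing components count as zero (2.4 == 2.4.0)."""
    for x, y in zip_longest(version_key(a), version_key(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def cpe_matches(match, asset_cpe):
    """Does one cpeMatch-style entry (criteria plus optional bounds) cover the asset?"""
    crit, asset = parse_cpe(match["criteria"]), parse_cpe(asset_cpe)
    for field in ("part", "vendor", "product"):
        if crit[field] != "*" and crit[field] != asset[field]:
            return False
    if crit["version"] != "*":            # exact-version criteria
        return version_cmp(crit["version"], asset["version"]) == 0
    v = asset["version"]                  # wildcard version: apply the range bounds
    if "versionStartIncluding" in match and version_cmp(v, match["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in match and version_cmp(v, match["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in match and version_cmp(v, match["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in match and version_cmp(v, match["versionEndExcluding"]) >= 0:
        return False
    return True


def find_affected(inventory, advisories):
    """Return [(asset_cpe, advisory_id)] for every asset a record applies to."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            if any(cpe_matches(m, asset) for m in adv["matches"]):
                hits.append((asset, adv["id"]))
    return hits


if __name__ == "__main__":
    for asset, adv_id in find_affected(INVENTORY, ADVISORIES):
        print(f"{adv_id}: {asset}")
```

Only the 2.4.1 install is reported: 2.4.3 is the first fixed version and falls outside the exclusive upper bound, 6.2 is above the inclusive ceiling, and the other vendor’s product is a different CPE even though the product name is the same.  The hard part in practice is the inventory side: the matching is only as good as the CPE names you assign to what you actually run.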
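
The volume-based indicator from the Indicators of Compromise entry above (ten password changes a day on average, 250 today) is a baseline-and-threshold check.  The following is an added example, not from the original text, that runs it over a constructed log: fifteen days of synthetic password-change events in an assumed `date user= event=` line format, with a spike on the last day.  The median-based baseline and the 5x factor are this example’s own choices, not a standard.

```python
"""Flag a day whose event volume is far above its baseline.

Added example, not code from the original text. The log lines are
constructed: the line format "YYYY-MM-DDTHH:MM:SSZ user=<name> event=<type>"
is an assumption for this example, not any product's real format.
"""
import re
from collections import Counter
from statistics import median

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) event=(?P<event>\S+)$")


def constructed_log():
    """Two weeks of roughly ten password changes a day, then a day with 250."""
    per_day = [9, 11, 10, 8, 12, 10, 9, 11, 10, 10, 12, 9, 10, 11, 250]
    lines = []
    for day_number, count in enumerate(per_day, start=1):
        day = f"2024-03-{day_number:02d}"
        for j in range(count):
            lines.append(f"{day}T{j % 24:02d}:{j % 60:02d}:00Z "
                         f"user=user{j} event=password_change")
        # Unrelated events that the detector must ignore.
        lines.append(f"{day}T08:00:00Z user=svc_backup event=logon")
    return lines


def daily_counts(lines, event):
    """Count one event type per calendar day, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("event") == event:
            counts[m.group("day")] += 1
    return dict(sorted(counts.items()))


def flag_volume_spikes(counts, factor=5.0, min_history=7):
    """Return {day: (count, baseline)} for days whose count exceeds factor times
    the median of all earlier days. The median is used rather than the mean so
    that one spike does not raise the baseline and hide the next one."""
    flagged = {}
    history = []
    for day, count in counts.items():
        if len(history) >= min_history:
            baseline = median(history)
            if count > factor * baseline:
                flagged[day] = (count, baseline)
        history.append(count)
    return flagged


if __name__ == "__main__":
    counts = daily_counts(constructed_log(), "password_change")
    for day, (count, baseline) in flag_volume_spikes(counts).items():
        print(f"{day}: {count} password changes vs baseline {baseline:.0f}")
```

The same function works for any countable event (document prints, failed logons, files copied to removable media): change the event name and feed it the real log.  A spike is a reason to investigate, not proof of an attack; a forced company-wide password reset would trip it too.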
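
To show what the STIX/TAXII entry above describes in concrete form, the following is an added example, not from the original text or from OASIS.  It builds a small STIX 2.1 bundle (a threat actor, an indicator, and the relationship that links them), reads the indicators back out of the bundle as a TAXII client would after fetching a collection, and evaluates the simplest form of a STIX pattern against an observed value.  The actor name and domain are constructed placeholders; only the Python standard library is used.

```python
"""Build and consume a STIX 2.1 bundle of the kind exchanged over TAXII.

Added example, not from the original text or from OASIS. Only the json
standard library is used (the stix2 package would generate equivalent
objects). The threat actor and domain name below are constructed
placeholders, not real intelligence.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Properties every STIX 2.1 Indicator must carry.
REQUIRED_INDICATOR_FIELDS = ("type", "spec_version", "id", "created", "modified",
                             "pattern", "pattern_type", "valid_from")


def timestamp():
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(pattern, name):
    """An Indicator answers 'what are you looking for when you try to detect it?'"""
    ts = timestamp()
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": name, "pattern": pattern, "pattern_type": "stix",
    }


def make_threat_actor(name, motivation):
    """A Threat Actor answers 'who did it?' and 'why were they doing it?'"""
    ts = timestamp()
    return {
        "type": "threat-actor", "spec_version": "2.1",
        "id": f"threat-actor--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "name": name, "primary_motivation": motivation,
    }


def make_relationship(source, target, relationship_type):
    """Relationship objects are the edges that tie STIX objects together."""
    ts = timestamp()
    return {
        "type": "relationship", "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "relationship_type": relationship_type,
        "source_ref": source["id"], "target_ref": target["id"],
    }


def make_bundle(objects):
    """A Bundle is the container a TAXII server hands out or accepts."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def extract_indicators(bundle_json):
    """Return [(id, pattern)] for every well-formed Indicator in a bundle.
    Malformed objects are skipped so one bad record cannot stall the feed."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if all(field in obj for field in REQUIRED_INDICATOR_FIELDS):
            found.append((obj["id"], obj["pattern"]))
    return found


# The simplest STIX pattern form: [object-type:property = 'value']
SIMPLE_PATTERN = re.compile(r"^\[(?P<path>[\w\-]+:[\w\-.']+) = '(?P<value>[^']*)'\]$")


def pattern_matches(pattern, observed):
    """Evaluate a single-comparison pattern against a flat dict of observed
    properties keyed by the same object-type:property path. Boolean operators,
    FOLLOWEDBY and time windows from full STIX patterning are not handled."""
    m = SIMPLE_PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return observed.get(m.group("path")) == m.group("value")


# Constructed sample bundle: the actor, the indicator, and the link between them.
ACTOR = make_threat_actor("Constructed Actor 1", "organizational-gain")
INDICATOR = make_indicator("[domain-name:value = 'c2.example']", "Constructed C2 domain")
SAMPLE_BUNDLE = json.dumps(make_bundle([ACTOR, INDICATOR,
                                        make_relationship(INDICATOR, ACTOR, "indicates")]))

if __name__ == "__main__":
    for ind_id, pattern in extract_indicators(SAMPLE_BUNDLE):
        hit = pattern_matches(pattern, {"domain-name:value": "c2.example"})
        print(ind_id, pattern, "matches observed DNS query:", hit)
```

In production the bundle would come from a TAXII server (an HTTPS GET of a collection’s objects) and the patterns would be fed to a SIEM or IDS rather than evaluated by hand; the value of the format is that the indicator, the actor behind it, and the link between them travel together, so the analyst who sees the match also sees who it points to.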

Research Sources

We can also conduct additional research about vulnerabilities.  Sources include

  • Vendor Websites.  A vendor will release patches and updates about vulnerabilities for their own products.  Some of these are picked up by the vulnerabilities databases, but we should nevertheless monitor vendor websites if we use their products.

  • Vulnerability Feeds and Threat Feeds.  A feed is a mechanism that updates you with the latest vulnerability data.  It is connected to the vulnerability database.  The benefit of a feed is that you automatically receive the latest vulnerability data without having to manually check for updates.

  • Conferences.  Some vulnerabilities are announced at conferences such as DEFCON or Black Hat.  These conferences bring hackers together, who demonstrate vulnerabilities that they discover in products and services.  Some of these hackers work with the affected organizations to patch the vulnerabilities.

  • Academic Journals. Some vulnerabilities are published in academic journals.  This usually happens when the vulnerability is discovered by a researcher at a security organization or academic institution.

  • Request for Comments (RFC).  An RFC is a document published by the Internet Engineering Task Force (IETF).  Standards start out as drafts, and people who agree or disagree with the contents send in their comments before the RFC is published.  For example, RFC 2460 was the specification for IPv6 when it was first standardized; it has since been replaced by RFC 8200.

    Every RFC includes a Security Considerations section, which explains the threats the design is meant to resist and any known weaknesses, often including the weaknesses of the older mechanism it replaces.  For example, RFC 4764 defines EAP-PSK, an authentication method for EAP based on pre-shared keys, and its security considerations spell out what the protocol does and does not protect against.

  • Local Industry Groups. Security experts regularly meet to discuss threats, especially in a big city.  If there is a security group in your area, you should join.  If there isn’t, you should form one. 

    The group doesn’t necessarily have to be exclusively about security – it may cover IT in general.

  • Social Media.  You can find a lot of information on social media.  Some of it is fake, so you should be careful.  You might find some useful information on reddit or in Amazon reviews.

  • Adversary Tactics, Techniques, and Procedures (TTP).  TTPs describe the way a particular attacker acts: the tactics are the goals (gaining initial access, escalating privileges, exfiltrating data), the techniques are how those goals are achieved, and the procedures are the specific steps and tools the attacker has been observed using.  The MITRE ATT&CK framework is the most widely used catalog of TTPs.  By understanding your adversary’s TTPs, you can check whether your defenses detect or block them and focus on the ones that matter to you.