Cybersecurity for Busy Executives - The Different Types of Attackers

81% of large companies have reported a cyber breach at some point, and the average cost of a breach is between £600k and £1.15m.[1]

‘Nearly half of UK businesses identified at least one cyber security attack in 2016, according to UK government data.’[2]

In order to defend your organisation from cyberattacks, it is worth understanding the different profiles of attackers because some organisations will only be randomly targeted, whereas others, particularly large multi-national corporations, will be targeted specifically.  In order to protect your organisation as well as possible, it is important to understand the motives of the different types of potential attackers.  Each type will also likely use different methods of attacking your organisation and we will discuss different attack methods later in the series.

Broadly, there are the following types of attackers:

1.     Cyber criminals

2.     State Sponsored

3.     Industrial Competitors

4.     Hackers

5.     Hacktivists

6.     Employees

We will now explore each one in more detail:

1.     Cyber Criminals.    This type of attacker has become far more prominent over the past 5 years since traditional criminals have realised it is easier to make money illicitly through cybercrime than traditional crime, and they are also less likely to get caught.  Issues around jurisdiction also mean that it is far harder to catch and bring charges against people who are committing cybercrime.  These types of hackers will generally commit fraud or make money from selling individuals’ or companies’ financial and sensitive personal data, or will look to redirect funds.  Ransomware is also a common method.  Potential attackers have access to an entire ecosystem of tools which can be rented or purchased to help facilitate different types of attacks.  They are based all around the world, but are prominent in Eastern Bloc countries, where there is a high standard of computer programming and a tendency for the state to turn a blind eye.

Their characteristics are as follows:

  • Very commercial.  Usually part of a wider group or syndicate.  They will often go for easier (cost-effective) targets.
  • Technically proficient and will be able to use the latest hacking skills.
  • Good resources to draw from and able to move fast.
  • Their targets are usually: Financial Services, Retail, Healthcare.
  • Will also target individuals performing high value transactions – e.g. someone buying a house.

2.     State Sponsored.  Often linked to Industrial Competitors (below), with whom they have overlapping goals, including spreading misinformation, facilitating economic instability, gaining economic advantage and stealing Intellectual Property.   They are:

  • Highly trained and well-motivated, often performing determined protracted attacks.
  • Fiercely nationalistic.   
  • Have a huge resource pool from which to draw and will often have cutting-edge hacking tools.  Often take special care to hide their activities and minimise traces of them.
  • They target: Defence, Government, Energy and Utilities and also high-tech companies.  We can expect anyone with access to future technology to be a focus over the next few years.
  • State sponsored hackers often make some of their tools available for the rest of the Hacking community to further their own ends and increase their own attack surface. This also won't be "state attributable", so you wouldn't really know that it was happening anyway.

3.     Industrial Competitors.  This group are more interested in gaining economic advantage for their own company and stealing Intellectual Property.  A recent study puts the cost of cybercrime at $24 billion to $120 billion in the U.S. and up to $1 trillion globally.[3]

  • Often from countries with less regulation regarding Intellectual Property theft.
  • Will often coerce employees to steal financial information or Intellectual Property.
  • Will also employ Hackers to steal the information themselves by gaining access to companies’ systems.
  • Sometimes works in collaboration with the state.
  • Targets all industries.           

4.     Hackers.  This is a wide range of individuals and they will often work for some of the other types of attackers, and also draw some of their tools from the other groups.  These are often individuals who see breaking into an organisation as an intellectual challenge.  Often this is just a hobby for some, but for others they want to gain notoriety and to increase their standing within the hacking community, who communicate through forums and message boards.  State sponsored hackers often make some of their tools available for the rest of the Hacking community.  The two different types are:

a.     Hobbyist.  Often known as ‘script kiddies.’ 

  • Resourceful; skill levels can vary.
  • Will often use ready-made hacking tools widely available on the dark web.
  • Motivated by boredom, the intellectual challenge or a desire to prove themselves among the hacking community.

b.     Professional Mercenary.  Can evolve from the ‘Hobbyists’ in order to make money.

  • Guns for hire and will work for any of state actors, criminal gangs or industrial competitors.
  • Access to cutting edge hacking tools through the underground hacking community.
  • Very proficient and difficult to catch; you may not even know that you have been breached.

5.     ‘Hacktivists.’  These are usually Hackers who are ideologically motivated, anarchists or anti-capitalists.  They usually attack companies or Governments for political or ideological reasons.  They attack commercial entities for anti-capitalist reasons or if they disagree with how the corporation behaves and what they stand for.  They may also be disaffected by social and economic inequality.

  • De-centralised, often operating in cells in a similar way to terrorist organisations.
  • Varied skill levels.
  • Their goals are to disrupt companies and government entities.  Think F-Society from Mr Robot.


6.     Employees.  These can be malicious employees acting as insiders or those making errors accidentally.  We will mainly focus on malicious insiders in this instance.  This is more commonly known as the ‘Insider Threat,’ which encompasses all threats from employees, malicious or accidental, and is often the largest vulnerability in any organisation.  The contrast is between employees who unwittingly supply information to hackers wishing to gain access to the company’s IT estate and data, and disaffected employees who maliciously steal data or assist hackers in their attempts to access the organisation’s IT estate and data.  We will discuss this in more detail in later blogs, but organisations with strong cultures, where employees genuinely buy into company goals, are less likely to have malicious insiders, and will also be more likely to spot insiders, malicious or otherwise.

  • Malicious insiders may be commercially or ideologically motivated, or they may be a former employee who still has access to systems, or who has stolen data.
  • They are likely to know exactly where to look and will often be highly professional.
  • Their goals are usually to steal intelligence (from Government organisations – think Edward Snowden), trade secrets or Intellectual Property, or to divert funds.
  • A well-motivated and intelligent insider is extremely difficult to protect against, but there are a number of safeguards that organisations can put in place – developing a strong culture, only giving people access to the systems they need, robust internal audit, and transparency in monitoring of leavers and joiners procedures are just some of them.  It is worth pointing out that when Edward Snowden worked for the NSA, via Booz Allen (a Consultancy), he went through extremely stringent vetting procedures and was not deemed a threat, so sometimes it is just impossible to identify an insider.

So, that’s the end of our third blog.  Next week we will be giving an overview of some of the most common attacks.


[1] CESG, ‘Common Cyber Attacks: reducing the Impact.’

[2] City AM, ‘Access Denied: The fight against cyber criminals.’ - http://www.cityam.com/281657/access-denied-fight-against-cyber-criminals

[3] ‘The case for enhanced protection of trade secrets in the Trans-Pacific Partnership agreement,’ US Chamber of Commerce: