Ask The Cyber Security Expert: Who is behind all this hacking I hear about?

16:10 02 March in Espionage, hack, Threats

In a recent post on the truth about cyber attacks (we have a special dispensation to use that phrase), the Cyber Security Expert pointed out that people are behind hacking. So who are these people, and what is a threat actor anyway? We dragged the Cyber Security Expert away from the pub long enough to find out.

What is a threat actor?

‘Threat actor’ is jargon for ‘the people behind a certain category of bad behaviour’. The phrase enables security people like me to sound important when talking to clients, writing reports and looking intellectual on the TV. In fairness it’s not the worst bit of jargon – it does at least focus the mind on threat (i.e. these people are trying to achieve something, presumably to your detriment) and actor (actors are people, and people are behind hacking. Note that not all actors, to the best of my knowledge, are hackers, although Jonny Lee Miller played one).

So who is behind all the hacking?

A range of different people. Whilst all hacking is self-evidently criminal, the actual motivation for any particular set of activity varies significantly.

The majority of hacking is purely criminal – motivated in one way or another by financial gain. How the gain is realised varies – some hackers will try to compromise your bank account and quite literally steal your money, others will try to capture credit card details which they may use themselves or sell on, whilst some just want to turn your computer into part of a botnet. Botnet is short for robot network, and is in essence a network of compromised computers that can be used for a variety of things: sending spam, carrying out denial of service attacks and other nefarious activity. Botnets are generally charged out by their owners, and it is through providing services to others that they realise their financial gain. Other criminals just try to acquire as much of your personal information as possible, which they then sell on to yet other criminals for use in scams and identity theft.

Ok, that’s criminals – who else?

States – we’ve debunked the APT jargon, but states do hack in support of their national security objectives (espionage, essentially). Security companies regularly release reports tagged ‘APT’, each exposing some aspect of what looks to be state-backed online spying. The Snowden releases show this is not just limited to China, though they have certainly had the finger pointed at them frequently.

Activists – online protest has become popular, though the impact of such activity varies significantly. One of the best known ‘hacktivist’ brands is the Anonymous group, though it is these days less of a coherent group and more a label used by those wishing to garner support for a particular cause. The Sochi Olympics were threatened by a group using the Anonymous label (more here), and the Brazil World Cup has been threatened similarly. These groups vary hugely in their capability and impact. Whilst under the original Anonymous badge some notable compromises were achieved using a variety of methods (see Stratfor and HBGary), in general activists use denial of service attacks. Although they can use botnets to support their cause, they often rely heavily on sheer weight of numbers – unpopular causes don’t attract much support and hence the DoS attacks go unnoticed.

People who hack for fun – it’s true, some people do just hack for fun, or for the kudos of other hackers. Check out the website Zone-H for an idea of exactly how many website defacements take place every single day. It’s a lot, and for no obvious gain beyond the fact of having done it. Anyone who runs a website and looks at the logs will see frequent scanning by automated tools, looking for easy-to-exploit vulnerabilities.
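What that automated scanning looks like in a web server log, and one simple way to pick it out, as an added example that is not part of the original post. The log lines are constructed in the Apache/nginx combined format, and the thresholds (4 requests, 75% not-found) are assumptions rather than anything the post states; a probing tool walks a list of paths that do not exist on your site and collects 404s, whereas a real visitor follows links and mostly gets 200s.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): one client probing for
# software that is not installed here, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2014:16:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "constructed-scanner/1.0"
203.0.113.7 - - [02/Mar/2014:16:10:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "constructed-scanner/1.0"
203.0.113.7 - - [02/Mar/2014:16:10:02 +0000] "GET /admin/config.php HTTP/1.1" 404 209 "-" "constructed-scanner/1.0"
203.0.113.7 - - [02/Mar/2014:16:10:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "constructed-scanner/1.0"
203.0.113.7 - - [02/Mar/2014:16:10:03 +0000] "GET /old/backup.zip HTTP/1.1" 404 209 "-" "constructed-scanner/1.0"
198.51.100.4 - - [02/Mar/2014:16:12:33 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed browser)"
198.51.100.4 - - [02/Mar/2014:16:12:34 +0000] "GET /about.html HTTP/1.1" 200 1024 "http://example.invalid/" "Mozilla/5.0 (constructed browser)"
198.51.100.4 - - [02/Mar/2014:16:12:40 +0000] "GET /missing.png HTTP/1.1" 404 209 "http://example.invalid/about.html" "Mozilla/5.0 (constructed browser)"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries

def find_probing_clients(entries, min_requests=4, min_miss_ratio=0.75):
    """Flag client IPs with at least min_requests requests of which at least
    min_miss_ratio returned 404: the signature of a tool guessing paths."""
    per_ip = defaultdict(lambda: {"total": 0, "misses": 0, "paths": set()})
    for e in entries:
        s = per_ip[e["ip"]]
        s["total"] += 1
        s["paths"].add(e["path"])
        if e["status"] == 404:
            s["misses"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["misses"] / s["total"]
        if s["total"] >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = {"requests": s["total"], "miss_ratio": round(ratio, 2),
                           "distinct_paths": len(s["paths"])}
    return flagged
```

Run `find_probing_clients(parse_log(SAMPLE_LOG))` and only the probing client is reported; the visitor's single broken image link stays well under the threshold.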

What about terrorists?

Hmm. Well, despite the fact that Googling ‘cyber terrorism’ returns over 15 million results at the time of writing, and the fact that I once genuinely got an email advertising cyber training services which said that ‘cyber terrorism is a fact of life’, your humble author remains unconvinced of the reality. Ultimately it depends what you define as terrorism – are large scale attacks causing death and destruction through cyber means a reality?

Are small scale attacks causing relatively limited damage and harm, but spreading fear through the civilian population realistic?

Not really.

Look, doing big stuff like that is really hard. Ok, compromising home users or companies and stealing information is pretty easy, but disrupting the power grid or opening the floodgates on dams? Tricky. So, terrorists may well use cyber means to further their ends, but the reality right now is that it’s going to be down the unspectacular end of the spectrum. Perhaps denial of service attacks – a terrorist-backed botnet is a possibility, but unlikely really to spread terror (though any media reporting of it would undoubtedly be poorly informed and wholly hyperbolic).

Ok, so that’s a lot of bad people – how do I defend against them all?

Aha, well, here is the big cyber security secret no one wants you to know. It doesn’t actually matter that much who is targeting you – they all pretty much do the same thing. Ok, I’ll grant states do it better – they have more time and money, and can really do good research and proper testing and so forth, and if you’re building a stealth fighter you will implement more robust security than if you spend the day baking cakes. But at the end of the day every one of these ‘threat actors’ is trying either to exploit a vulnerability in some software you have installed, or to trick your users into doing something they shouldn’t. If you don’t have something installed they can’t exploit it. If your software is all patched and up to date it is much harder to exploit (not impossible, as there may be vulnerabilities the vendors don’t know about). If your users are trained, and suitably paranoid, it’s much harder to exploit them.

So don’t get too hung up on who is out to get you. Someone is, either for fun, financial gain or to steal your secrets. Doing good, thorough, basic security will make success almost impossible for most of them and very much harder even for the best.

Thanks for reading. Any questions please ask – find us on twitter, or use the contact form.

The Cyber Security Expert