A decade and more ago, cyber attacks were carried out by talented teenagers working on PCs in their bedrooms. Their objective was to gain notoriety. They were out to impress their peers, other hackers. The attack tool of choice by these teenagers, was worms that could self-replicate. The wider and faster their malware spread, the more notoriety the virus developer gained.

Times have moved on, and the malware landscape is very different today. With cyber attacks on the rise, and the cost of breaches to individuals and organisations increasing rapidly, it is useful to examine where the attacks are coming from and what their modus operandi is. This post identifies four distinct groups of cyber attackers (threat agents), each with their own objectives and preferred tools.

1. Criminal gangs

The objective of criminal gangs is to make as money as they can without getting caught. Cyber attacks are a mechanism of fraudulently generating large sums of cash with low risk of identification. Criminal gangs make their money through a number of methods such as identity theft, ransomware, and premium SMS fraud.

Criminal gangs operate through a network involving job specialisation – specific tasks such as the writing of the malware, development of exploits, growth and management of a botnet, mules to launder the money, are all carried out by different specialists.

The tools of choice of cybercriminals include drive-by downloads, trojans, botnets, phishing attacks, keystroke loggers, virus kits, exploit kits and ransomware. Physical theft of devices especially laptops, mobile smartphones and tablets, is also part of the modus operandi of many criminal gangs.

2. Enterprise attackers

The objective of those attacking enterprises is to gain competitive advantage through stealing proprietary information or assets, or by wilfully causing damage to enterprise assets. The threat could come from inside the enterprise, or from a competitor or disgruntled ex-employee wishing to steal or cause damage.

The tools in the enterprise attacker’s toolkit include ransomware, hacking, or spear phishing and keystroke logging in order to gain access into the corporate network. A disgruntled IT employee could also place a logic bomb in the code of vital enterprise software, timed to execute malicious code under pre-determined circumstances.

3. Hacktivists

Hacktivists are politically motivated, their objective is exposure for a social cause. The most well-known group is Anonymous, a loosely structured group of individuals who collaborate on projects to achieve political/social aims. Hacktivists were most active during 2011, however their enthusiasm suffered due to a series of successful prosecutions in 2012 (particularly against members of LulzSec).

The tools in the hacktivist toolkit include hacking and keystroke logging in order to gain access, botnets, ransomware, Search Engine Poisoning (SEP), Distributed Denial of Service attacks (DDoS), and website defacement. Recently, hacktivists made an appeal to have DDoS declared a legal form of protest.

4. Cyber warfare groups

The objective of cyber warfare groups is to conduct sabotage and espionage to achieve political aims. Groups include nation states conducting cyber attacks against other nations, as well as smaller, politically-motivated groups conducting their own cyber commando raids. Cyber warfare raids typically target critical infrastructure in order to cause maximum disruption. A major difficulty in cyber warfare defence is accurately determining the identity of the perpetrator of offensive actions.

Tools of choice of cyber warfare groups include botnets, DDoS, spear phishing attacks, rogue certificates, hacking, and keystroke logging.

There is overlap between the various threat agents such as criminal gangs who target enterprises, and it is sometimes difficult to initially determine whether an attack is by hacktivists or a cyber warfare group. In order to deal more effectively with cyber attackers, it helps to have good understanding of the various threat agents and their traditional tools.