Attributes of Threat Actors
Internal/External
Internal/external refers to the degree of access that a threat actor possesses before initiating an attack.
- an external threat actor has no account or authorized access to the target system
  - must infiltrate the security system using unauthorized access
    - e.g., breaking into a building or hacking into a network
  - may perpetrate an attack remotely or on-premises
  - it is the threat actor that is external, rather than the attack method
- an internal/insider threat actor has been granted permissions on the system
  - e.g., employees, contractors, business partners
Level of Sophistication/Capability
Level of sophistication/capability refers to a threat actor’s ability to use advanced exploit techniques and tools.
- the least capable threat actor relies on commodity attack tools that are widely available
- more capable actors can fashion new exploits in operating systems, application software, and embedded control systems
- the highest-level threat actor might use non-cyber tools such as political or military assets
Resource/Funding
Resources/funding refers to the ability of threat actors to draw upon funding to acquire personnel and tools and to develop novel attack types.
- the most capable threat actor groups receive funding from nation-states and organized crime