Motivations of Threat Actors


Threat Strategies

To help analyze motivations, it is useful first to consider the general strategies that a threat actor could use to achieve an objective:

  • Service disruption
    • attack that compromises the availability of an asset or business process
    • can be an end in itself if the threat actor’s motivation is to sow chaos or gain revenge
    • can be used as a blackmail threat, or it can be used as a tactic in the pursuit of some different strategic objective
  • Data exfiltration
    • attacker takes data that is stored inside of a private network and moves it to an external network
    • threat actor might perform this type of theft because:
      • they want the data asset for themselves
      • they can exploit its loss as blackmail
      • or they want to sell it to a third party
    • Espionage
      • type of data exfiltration aimed at learning secrets rather than selling them or using the theft for blackmail
      • commonly perpetrated by nation-states
        • or commercial companies
  • Disinformation
    • attack that falsifies an information resource that is normally trusted by others
    • e.g.,
      • changing the content of a website
      • manipulating search engines to inject fake sites
      • or using bots to post false information to social media sites

Motivations

Chaotic Motivations

  • in the early Internet, many service disruption and disinformation attacks were perpetrated with the simple goal of causing chaos
    • for no other reason than to gain credit for the hack
    • less prevalent now
  • threat actors might use service disruption and disinformation to further political ends, or nation-states might use them to further war aims
  • motivated by revenge
    • might be perpetrated by an employee or former employee or by any external party with a grievance

Financial Motivations

  • Blackmail
    • Demanding payment to prevent the release of information
    • e.g., stolen information, or false data created to make it appear as though the target has committed a crime
  • Extortion
    • demanding payment to prevent or halt some type of attack
    • e.g., the attacker might have used malware to block access to an organization’s computers and demands payment to unlock them
  • Fraud
    • falsifying records
    • Internal fraud might involve tampering with accounts to embezzle funds or inventing customer details to launder money
    • Criminals might use disinformation to commit fraud, such as posting fake news to affect the share price of a company, promote pyramid schemes, or create fake companies

Political Motivations

  • threat actor uses an attack to bring about some type of change in society or governance
  • can cover a very wide range of motivations:
    • An employee acting as a whistleblower because of some ethical concern about the organization’s behavior or using illicit behavior to gather information for whistleblowing
    • A campaign group disrupting the services of an organization that they believe acts in contradiction to their ethical or philosophical beliefs
    • A nation-state using service disruption, data exfiltration, or disinformation against government organizations or companies in another state in pursuit of war aims