When it comes to defining the “who” in the pool of threat actors, the possible list can be small or large. The size of the list depends on how you choose to compartmentalize the characteristics and traits of the actors. In this article, I’ll provide an overview covering a list of three threat actor categories.
What Are Threat Actors?
First, a threat is any circumstance or event with the potential to adversely impact organizational operations (a negative risk) (NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), National Institute of Standards and Technology, 2020). An actor is, well, one who acts. It is one who takes an action.
A threat actor is an individual attempting to breach security controls (or accidentally breaching them) and gain access or wreak havoc within an organization’s systems. Understanding the types of threat actors can help you to better understand your risk. I will list them from the largest to the smallest groups, loosely defined, as the research varies on which group is larger than another in some cases.
Types of Threat Actors
Script Kiddies
- The first group is the script kiddies (though they might prefer that I spell it script kiddiez). This is the largest group of threat actors. They lack what those of us in the IT industry would consider real hacking skills; however, they can certainly develop those skills over time, moving them into a more advanced category. In most cases, they launch attacks using scripts or programs created by others or they follow step-by-step instructions. Because they lack the skills in advanced hacking processes, protection against such threat actors is accomplished by implementing security best practices. For example, if the script kiddie runs a script that exploits a specific vulnerability in an older version of software and you’ve followed the best practice of updating your system, you will not be vulnerable to the attack.
Mistake Makers
- The second group is the mistake makers. These individuals do not necessarily have any hacking skills at all. They simply make a mistake that results in a security threat exposure (remember, it’s ANY circumstance adversely impacting organizational operations). In my opinion, they are the second largest group of threat actors. Malicious intentions may not drive their actions, but you face the security concern nonetheless. Protection against these incidents comes in the form of training and employee selection.
Skilled Attackers
- The third group is the skilled attackers. While their skills will certainly vary, they have the ability to discover new attack methods or use existing methods in new ways. Their skills can range from extreme depth of knowledge in operating system and network operations, to low-level programming and application reverse engineering. The point is that they can find ways into your networks and systems that script kiddies cannot. Protecting against these actors requires a team of skilled security professionals using real-time monitoring tools that can alert them to anomalies in system and network operations. They must have skill levels approaching those of the attackers themselves.
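To make the "alert them to anomalies" part concrete, here is an added example (not code from the original article) of the kind of logic a monitoring tool runs: it learns a per-user baseline of source addresses and login hours from a few days of authentication events, then flags later logins that come from a new source, at an unusual hour, or right after a burst of failures. The log format, user names and IP addresses are constructed sample data, and the thresholds are assumptions chosen for the illustration.

```python
"""
Added example: a small baseline-and-deviation detector over constructed
authentication log lines. Not code from the original article; the log
format, users, addresses and thresholds are all assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a hypothetical syslog-like format.
SAMPLE_LOGS = """\
2024-03-01T08:02:11 auth login user=alice src=10.0.0.5 result=ok
2024-03-01T08:05:43 auth login user=bob src=10.0.0.9 result=ok
2024-03-01T09:14:02 auth login user=alice src=10.0.0.5 result=ok
2024-03-02T08:01:55 auth login user=alice src=10.0.0.5 result=ok
2024-03-02T08:09:12 auth login user=bob src=10.0.0.9 result=ok
2024-03-02T17:30:00 auth login user=alice src=10.0.0.5 result=ok
2024-03-03T03:12:09 auth login user=alice src=203.0.113.7 result=fail
2024-03-03T03:12:15 auth login user=alice src=203.0.113.7 result=fail
2024-03-03T03:12:21 auth login user=alice src=203.0.113.7 result=fail
2024-03-03T03:12:27 auth login user=alice src=203.0.113.7 result=ok
2024-03-03T08:03:40 auth login user=bob src=10.0.0.9 result=ok
"""

LINE_RE = re.compile(r"^(\S+) auth login user=(\S+) src=(\S+) result=(ok|fail)$")


def parse_logs(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": result == "ok"})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, baseline_days=2):
    """Learn, per user, the source addresses and login hours seen in the
    first `baseline_days` calendar days of successful logins."""
    dates = sorted({e["ts"].date() for e in events})[:baseline_days]
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["ok"] and e["ts"].date() in dates:
            baseline[e["user"]]["srcs"].add(e["src"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline), set(dates)


def detect_anomalies(events, baseline, baseline_dates, fail_window_s=300, fail_threshold=3):
    """Return (timestamp, user, reason) alerts for successful logins that deviate
    from the baseline or follow a burst of failures from the same user/source."""
    alerts = []
    recent_fail = defaultdict(list)  # (user, src) -> timestamps of failures
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            recent_fail[key].append(e["ts"])
            continue
        # Keep only failures inside the window preceding this success.
        fails = [t for t in recent_fail[key] if (e["ts"] - t).total_seconds() <= fail_window_s]
        recent_fail[key] = fails
        stamp = e["ts"].isoformat()
        if len(fails) >= fail_threshold:
            alerts.append((stamp, e["user"], "success_after_%d_failures" % len(fails)))
        if e["ts"].date() in baseline_dates:
            continue  # baseline period itself is not scored against the baseline
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((stamp, e["user"], "unknown_user"))
            continue
        if e["src"] not in profile["srcs"]:
            alerts.append((stamp, e["user"], "new_source:" + e["src"]))
        if e["ts"].hour not in profile["hours"]:
            alerts.append((stamp, e["user"], "unusual_hour:%02d" % e["ts"].hour))
    return alerts


def run_example():
    events = parse_logs(SAMPLE_LOGS)
    baseline, dates = build_baseline(events)
    return detect_anomalies(events, baseline, dates)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed data the only alerts are for the 03:12:27 login by alice: a success after three failures, a source address never seen in the baseline, and an hour outside her normal pattern. Bob's routine morning login produces nothing, which is the point: the analyst's attention is spent on the deviation, not on the noise.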
To be clear, any individual in any of these categories can be an internal or external threat actor. Additionally, their motivations may vary from curiosity to hacktivism. The point is that lists of threat actors are often unconstrained by a defined attribute set, so such a list can be endless. Using the list provided here, you can further define motivations, locations (internal vs. external), and more.
As a final note, a threat actor may not work alone but rather operate within a team. Some hacking groups are very large, with hundreds of members. Some are part of a government agency. The point is that an attack may be executed by a group consisting of all three types of threat actors listed here.