threat actor

What is a threat actor?

A threat actor, also called a malicious actor or bad actor, is an entity that is partially or wholly responsible for an incident that affects -- or has the potential to affect -- an organization's security. Threat actors can be individuals working alone or groups of individuals working in concert to attack an organization and intentionally harm its people, IT resources, data or some combination of the three.

What does a threat actor do?

Almost all threat actors have a malicious purpose: to intentionally damage an organization. They actively exploit the vulnerabilities or security weaknesses in organizations' networks, hardware devices and software applications.

Threat actors use a variety of techniques to achieve their goals:

  • Installing viruses or malicious software, known as malware.
  • Getting victims to click on malicious links or download malicious attachments in email, known as phishing.
  • Encrypting enterprise devices and demanding a ransom in exchange for the decryption key, called a ransomware attack.
  • Exfiltrating data, known as a data breach.
  • Spying on the organization, or cyberespionage.
  • Flooding a network with fake traffic so that it becomes unavailable to users, known as a distributed denial-of-service (DDoS) attack.
  • Remaining hidden in an organization's networks with the intention of doing any of the above for a long period of time, or advanced persistent threat (APT) attacks.

That said, the actual purpose of threat actor A might differ from the purpose of threat actor B, depending on their motivations. Most threat actors fall into one of these categories:

  • Cybercriminals. Cybercrime is almost always motivated by the lure of financial gain.
  • Cyberterrorists. These threat actors aim to hold some network or systems hostage for a higher purpose, e.g., to disable a country's critical infrastructure.
  • Hacktivists. Hacktivism is usually motivated by political ideology, a social cause, or a desire to embarrass or harm an organization or to take revenge against it.
  • Nation-state actors. They usually work on behalf of a rogue nation-state, either to support that nation-state's ideology or to gain some financial reward.
  • Thrill seekers. These are individuals who execute attacks without a monetary or other purpose; their aim is simply to have fun and to challenge themselves to outwit an organization or government.
  • Insider threat actors. These internal threat actors work from inside the company to spy for another company; some insider threats are also motivated by anger or a desire to get revenge.

Often, different threat actors use the same tools and tactics, such as malware, ransomware, phishing, social engineering and backdoors. For example, hacktivist groups such as Anonymous use many of the same tools employed by financially motivated cybercriminals to detect website vulnerabilities, gain unauthorized access or carry out highly coordinated attacks against their targets. Furthermore, the two groups often have the same motivation: to gain access to sensitive information that will negatively affect the reputation of an individual, a brand, a company or a government.

[Infographic: Common types of cyberattacks. These are 16 types of cyberattacks that security teams need to be prepared for from threat actors.]

External, internal and third-party threat actors

Threat actors are generally categorized as external, internal and third party. With external threat actors, no trust or privilege previously exists, while with internal or partner actors, some level of trust or privilege has previously existed. External threat actors are the primary concern for organizations, not only because they are the most common, but also because they tend to be the most severe in terms of negative impact.

External threat actors are sometimes referred to as being commodity or advanced. A commodity threat actor launches a broad-based attack hoping to hit as many targets as possible, while an advanced threat actor targets a specific organization, often seeking to establish an APT to gain network access and remain undetected for a long time, stealing data at will.

Internal threat actors generally get less attention from organizations' cybersecurity teams. However, ignoring them can be a mistake because they can also put the company at risk -- inadvertently, e.g., by sending an email to the wrong recipient; carelessly, e.g., by misconfiguring a cloud system; or maliciously, e.g., by purposely leaking sensitive information and publishing it on the dark web.

Similarly, third parties like partners, vendors and suppliers can also be threat actors. When these parties access an organization's systems or data using insecure means -- for example, public Wi-Fi networks -- they increase the risk of a real cyberattack or data breach. Organizations can minimize the risks arising from these threat actors by implementing third-party risk management programs.

Who are the targets of threat actors?

Threat actors might target any individual or organization that they feel could help them achieve their purpose, such as financial gain, bringing down a network, disrupting company operations or spreading chaos.

Large organizations are threat actors' most common targets because they have larger and more complex networks, hold more sensitive data, and have more money. These factors combine to make them very attractive targets for ransomware, phishing, APTs, social engineering, data breaches and other types of cyberattacks.

In recent years, many threat actors have started targeting small and medium-sized businesses (SMBs). This is because these organizations typically have weaker security systems, usually due to limited cybersecurity budgets, smaller cybersecurity teams, and possibly limited knowledge about cybersecurity risks and threats. As a result, attacking SMBs almost always results in a successful outcome for the threat actor, even though the payout from these targets is smaller compared with what could be extracted from a larger company.

Government organizations and critical infrastructure are other targets for threat actors. By attacking and compromising these entities, the actors can cause widespread damage and chaos that could extend to an entire city or country. The Colonial Pipeline ransomware attack is a recent example of an attack on critical infrastructure that had a major effect on the supply of a basic necessity -- oil -- and was also deemed a national security threat. Similarly, the SolarWinds supply chain attack compromised the data, networks and systems of many government organizations all over the world.

Threat actors can also attack individuals or households by hacking into personal devices; eavesdropping on home or public Wi-Fi networks; or stealing personal information, identities or money via phishing scams. Typically, they don't attack individuals by means of denial-of-service or DDoS attacks, supply chain attacks, code injections, man-in-the-middle attacks, or credential harvesting, as those types of attacks target organizations such as companies and governments.

Impact of a successful threat actor

If a threat actor succeeds in executing an attack, the affected organization experiences a security incident that could result in the following:

  • System downtime.
  • Operational disruptions.
  • Financial losses.
  • Reputational damage.
  • Regulatory fines.
  • Legal challenges.

Affected organizations could also incur large costs for investigating and mitigating the impact of such incidents. Many also end up having to pay larger premiums on their cyber insurance policies.

Strategies to stay safe from threat actors

The potential for very high payouts from a successful cyberattack means that the number of threat actors currently operating is constantly increasing. Furthermore, as organizations' networks expand and become more complex, their attack surface also expands, presenting threat actors with more opportunities to attack.

To mitigate the power and impact of threat actors and prevent them from executing harmful security incidents, organizations should consider taking these steps:

  • Implement a multilayered security infrastructure that includes a host of technologies, including antivirus, antimalware, firewalls, intrusion detection systems, intrusion prevention systems and endpoint detection and response.
  • Adopt multifactor authentication to strengthen user authentication and minimize the weaknesses inherent in password-only authentication systems.
  • Implement network protection technologies such as network detection and response and network segmentation.
  • Leverage threat intelligence to proactively detect, prevent and mitigate threats.
  • Implement advanced systems such as SOAR (security orchestration, automation and response), SIEM (security information and event management) and XDR (extended detection and response) to keep up with sophisticated threat actors and mitigate emerging threats.
  • Encourage software development teams to adopt secure coding practices and shift-left testing during the software development lifecycle.
  • Create and publish comprehensive security policies that clearly state what employees are allowed and not allowed to do when using the organization's IT assets.
  • Provide security awareness training to improve cyber hygiene and create a more security-aware culture.

Organizations should know the key signs of common security incidents and how to respond to keep systems and data safe.

This was last updated in May 2024