In Threats, Part I, I talked about internal threats—such as current and former employees and subcontractors—who may have ill intent or may just be thoughtless with data. But when it comes to threat assessment, internal threats amount to less than half of your worries. So let’s talk about the other side of the equation: external threats. Just like for their insider counterparts, you’ll need all the intelligence about them that you can get. Who are they? What are their motives?
In the table below, you’ll see that these threats all involve human actors, and they are all well within the scope of your cybersecurity program. If you’re looking at this from a business continuity or disaster recovery perspective, you should include accidents, and the only non-human actor: think Mother Nature, pandemics, and related apocalyptic fun. For this post, I’m going to focus on human threats; a discussion of nonhuman threats will take place in a later post.
| Threat actor | Motive |
|---|---|
| Online social hackers | Money |
| Script kiddies | Curiosity, thrill, fame, money |
So! Let’s talk about the humans outside your organization who are coming for your data. How does “motive” drive these threats? To answer that question, you need to recognize your place in the world.
- Are you a country? It’s a safe bet that the threat agents are motivated by espionage, terrorism, activism, and outright warfare.
- Are you a utility or part of the national infrastructure? Same concerns! Crippling a utility can cause warfare-scale chaos. Rival nation-states and cyberterrorists can and do jump at the opportunity to interfere with these systems. For example, Ukraine’s electrical grid suffered just this kind of attack in 2016, and it caused all sorts of chaos.
- Are you a Fortune 5000, a multinational, or massive conglomerate of some sort or another? You are fair game for espionage, sabotage, extortion, activism, and terrorism.
- Are you in healthcare or education? Then the motive is more than likely data exfiltration for identity theft and money, although terrorism can’t be ruled out, especially in large health care institutions and major universities.
And the motivations for nearly everyone else? That’s easy: in the words of Tom Cruise, “Show me the money!”
According to Cybersecurity Ventures, cybercrime is expected to cost the world $10 trillion by 2025. Yes, trillion. Within the United States alone, the FBI’s Internet Crime Complaint Center reported nearly $7 billion worth of damage in just 2021.
Now that we are in the era of cybercrime-as-a-service, your competitor or a nasty nation-state can buy the services of hackers to achieve their ends. They may want to steal your intellectual property, sabotage your operations, or commit an act of terror—the hackers don’t care as long as they get paid.
Given the absence of any other meaningful ranking, let’s look at the main motives alphabetically.
This is very tricky. After all, one man’s activism is another’s terrorism and vice versa. Was Edward Snowden a patriot? A traitor? An activist? A terrorist? What about Anonymous? Or what about the “Guardians of Peace,” which hacked Sony Corporation? They all framed their actions in some type of social-justice narrative, but we don’t always know the true motives. In many big hacking cases, experts suspect that lurking behind expressed motives of activism (or terrorism) is a nation-state, terrorist organization, or clandestine service that funds and directs the attacks.
Are you a likely target of activists or terrorists? There is actually no easy answer. You need to carefully weigh your industry and your role in the world. Even then, what makes terrorism horrific is that it preys on unsuspecting civilians, who all too frequently pay the ultimate price.
Remember Tinker, Tailor, Soldier, Spy and all those other great books by John le Carré? No more—those days are over. Today, most acts of espionage, be they corporate or state-sponsored, are done over the Internet. The motives behind espionage have not changed but the methods have. The type of attack motivated by espionage is typically advanced and persistent. The skill sets involved are many and complex. And the effects, when successful, can be catastrophic for the victims. Are you at risk? If your intellectual property or PII is of value at the international level, then yes. If you are involved in critical infrastructure, communications, energy, or government, then absolutely.
From internal threats to ransomware to denial-of-service (DoS) attacks, take your pick! Money ranks as the highest motive behind the majority of cyber-attacks. The methods are many, the barriers to entry low and getting lower, especially with cybercrime-as-a-service. Are you specifically at risk? One guess: Yes! You are.
Whether they are called “resistance fighters” or “commandos,” the result is the same: These hacker armies perform what they believe to be their patriotic duty by developing and unleashing sophisticated, advanced, persistent threat-type attacks against “the enemy.” Their activities are typically funded—overtly or covertly—by nation-states. If you have any nation-states that consider you the enemy, then of course you’re at risk. But if you’re even perceived to be “working with” or “working for” someone else’s enemy, you are also at risk. For example, a small manufacturing facility that makes those pretty camouflage uniforms is definitely on the list.
It’s not business, it’s personal—and frequently, very ugly. Hell hath no fury like an employee scorned, or one who is, as Freud might put it, a bit “kooky.” Who is at risk? Anyone with employees. In fact, insider threats are considered second only to malware in terms of capacity to cause havoc.
Revenge, by the way, doesn’t have to mean destruction of property. It may well mean data exfiltration and sale to your competitor, or leaking it out to the public. Be afraid, be very afraid.
A very dark motive, indeed. These are typically individuals who target other individuals, frequently (but not always) famous or prominent in some way, and deliver attacks designed to tarnish their reputation or cause outrage. There have been cases in which this has jumped from the cyber world to the physical world, just as there have been cases of cyberbullying among young students with horrifying results. Are you at risk? There is no easy way to tell—worse yet, there aren’t many effective controls against a personalized troll attack. If you are in the public eye, and depending on the extent and role, the chances are that you may fall victim to trolling.
Typically, these are hackers who want to make, or maintain, their name and status in the media. Their goal is fame and notoriety. Their targets are not picked based on some ideology, although they may claim otherwise. The target is picked for its potential for making news or based on some real or perceived hacker challenge. Are you at risk? It depends on your visibility as a business or institution or—worse—personal fame. If your company or its staff is frequently in the spotlight, you should expect to attract vanity-driven hackers.
Stuxnet was the first and best-known cyber weapon, used against Iran’s nuclear facility, but there is little doubt that there are many more just like it in the arsenal of most nation-states. Just a few years ago, Pakistani hackers waged cyberwarfare against India by buying up hundreds of Indian domain names and creating Twitter handles to spread misinformation and confusion, practices likely to increase in the region and around the world. Obviously, these are acts executed by well-funded, state-sponsored, and controlled hacker armies. You are at risk if you’re in any business supporting critical infrastructure and, of course, if you are working in any government institution.
Now that you have a sense of the variety of “bad guys” both inside and outside your company, your task is to rank them in terms of which actors and motives are most likely to be engaged in your world. Spend some time and think: Who is the most likely agent for an attack? Assign a numerical value from 1 to 4, ranging from “least likely,” to “somewhat likely,” to “very likely,” to “extremely likely.” In terms of my bias and recommendations? I’d consider the insider as a very likely agent and money/extortion as the primary motive.
You now have an understanding of the threat agents and their motives as they might apply to your organization. This is an excellent first step, but you’re far from finished. Knowing the who and the why of cyberattacks is not enough. You also need to know the how and the when.
“What?!” I hear you cry, “How can I know the how and the when? What do I look like, a mind-reader?”
Sure, psychic ability would be a great skill in the cybersecurity space. Fortunately, you don’t need it. There are lots of reports out there that can help you educate yourself, and in The Basics of Controls, I will introduce you to the wonderful world of threat analysis and threat modeling.
But if the thought of wading through a mountain of threat assessment reports makes you want to curl up under your desk, have no fear. This is our speciality at TMG.