Subject: RE: [cti] Threat Actor items
Here are the drafted descriptors for each of the Threat Actor Labels. A few items:

- I left a question in the last sentence of the Cyber Warrior descriptor as I did not know the proper mechanism here to reference when linking a CW to an associated Spy organization. This must be addressed before publication.

- I may not have been consistent in capitalization of the label within the text, as I could not determine the protocol from other documents. This may need to be addressed before publication.

The attached doc is the same as the text below and is included for convenience. Please let me know if there is anything I can help with.

Tim

-----

Activist

Highly motivated, potentially destructive supporter of a social or political cause.

Activist actions directed towards an organization are often intended to protest and influence the organization’s decisions pertaining to issues such as facility placement, trade and business dealings, or labor or environmental impacts. Their attacks are usually intended to either disrupt the ability to produce products or services or damage the company’s image. The activist may act entirely online, or may extend their operations into the cyber realm in addition to physical attacks. Activists are primarily motivated by ideology, which can drive extensive and persistent attacks. This category includes actors sometimes referred to as anarchists, cyber vandals, extremists, and hacktivists in addition to what are traditionally known as activists. It does not include terrorists, as activist attacks can be severe but generally do not intend the personal injury and loss of life sought by terrorists.

Competitor

An organization which rivals another in the economic marketplace and competes for the same market share.

The goal of a competitor is to gain an advantage in business with respect to the rival organization it targets. It usually does this by copying intellectual property, trade secrets, acquisition strategies, or other technical or business data from a rival organization with the intention of using the data to bolster its own assets and market position. Highly aggressive competitors may also use disruptive or damaging attacks to slow or block a rival’s progress. “Competitor” can include vendors and partners, but in this context does not include military adversaries (see the Cyber-Warrior and Spy descriptors). The primary motivation for a competitor taking hostile actions is organizational gain.

Crime-Syndicate

An enterprise organized to conduct significant, large-scale criminal activity for profit.

Crime syndicates, also known as organized crime, are generally large, well-resourced groups that operate to create profit from all types of crime. Their activities can be seriously harmful and even extreme in impact, and they may use any combination of physical and cyber techniques to both execute attacks and protect their organization. They are almost entirely motivated by organizational gain to create profit, including cases where they have hired out to political or nationalistic interests to attack on their clients’ behalf. However, they can also act from dominance in establishing local political or social power or in opposing rival syndicates. As the name implies, a crime syndicate is generally a larger, formal organization. Those with similar criminal objectives but working independently or in very small groups generally belong in the Thief category.

Cyber-Warrior

Member of an organization that engages in cyber activities to support active military objectives.

Cyber warriors usually work for organizations affiliated with the military forces of a nation state and work at the direction of that state’s government and military leadership, but may work for a private organization. A cyberwarrior typically has access to significant support, resources, training, and tools and is capable of designing and executing very sophisticated and effective campaigns. Using these capabilities, the cyberwarrior’s role is to support the organization in active conflicts, either physical or political. Their motivation is primarily dominance, but other motivations such as ideology may come into play. As in all military organizations, intelligence gathered through espionage is essential to their conflict success, and that espionage is often carried out by the same organization. Although affiliated with the cyberwarrior, the espionage role is properly called “Spy,” even though the individual may actually work in a cyber-war unit and may even take on the cyberwarrior role during conflicts. “Cyberwarrior” refers only to individuals engaged in active conflicts, including conflicts of the “cold war” type. In cases where the espionage and cyber-war organization are the same, that relationship should be noted in the [affiliation construct???].

Employee-Accidental

A non-hostile employee who unintentionally exposes the organization to harm.
“Employee” in this context includes any worker extended internal trust, such as regular employees, contractors, consultants, and temporary workers. Every employee occasionally makes mistakes, sometimes serious ones. Some risk factors that increase the likelihood of a security-relevant mistake include poor or incomplete training, fatigue, overwork, and distraction. For instance, a new hire may not yet have the knowledge to precisely follow confidentiality protocols, or an experienced worker may be distressed about a relative's illness and forget an important step in a sandbox configuration procedure. In any case, the employee is well-intentioned, and the mistakes are unintentional and possibly even unnoticed by the employee.

Employee-Disgruntled

Current or former employee with intent to harm the organization in retaliation for perceived wrongs.

“Employee” in this context includes any worker extended internal trust, such as regular employees, contractors, consultants, and temporary workers. When the grievances of a disgruntled employee (real or perceived) are severe and the situation escalates, he or she can seek revengeful and harmful retaliation. Disgruntled threat actors can include both employees and former employees, who may have extensive knowledge that can be leveraged when conducting attacks. Often a disgruntled employee acts alone but may join an organization, whether a group of similar individuals, a competitor, or a criminal organization, if the individual believes that doing so will enable greater harm to the source of his or her anger. A disgruntled person can use cyber or physical means to take any number of actions including sabotage, violence, theft, fraud, espionage, or embarrassing individuals or the organization.

Sensationalist

Seeks to cause embarrassment and brand damage by exposing sensitive information in a manner designed to cause a public relations crisis.

A Sensationalist may be an individual or small group of people motivated primarily by a need for notoriety. Unlike the Activist, the Sensationalist generally has no political goal, and is not using bad PR to influence the target to change its behavior or business practices. The embarrassment of the target is the end in itself, along with the “15 minutes of fame” that the scandal may bring to the Sensationalists themselves. Any disruption or damage to the target's infrastructure is only important insofar as it adds to negative public perception.

Spy

Secretly collects the sensitive information of another for use, dissemination, or sale.

While in the broad sense spying, i.e., espionage, is a form of theft, it is recognized as a special case and is usually treated far more severely than simple thievery. Many spies are part of a well-resourced intelligence organization and are capable of very sophisticated clandestine operations. However, insiders such as employees or consultants can be just as effective and damaging, even when their activities are largely opportunistic and not part of an overall campaign. This includes employees who leak information they believe is evidence of wrongdoing, or who opportunistically take information when they leave the organization. In this context, a Spy is one who collects sensitive information for the benefit of any economic, industrial, or military espionage objective; in other words, the domain or end user is not considered in defining the Spy. There can be any number of motivations for spying depending on the individual or organizations involved.

Terrorist

Uses extreme violence to advance a social or political agenda as well as monetary crimes to support its activities.

“Terrorist” does not have a universally accepted definition and usually depends on regional and situational aspects for identification. In this context it refers to individuals who target noncombatants with extreme violence to send a message of fear far beyond the actual events. They may act independently or as part of a terrorist organization. While terrorist violence requires physical action, that action can be generated through cyber means, such as by sabotaging critical infrastructure or facility safety systems via cyber manipulation. Terrorist organizations must typically raise much of their operating budget through criminal activity, which is increasingly occurring online. Terrorists are also often adept at using and covertly manipulating social media for both recruitment and impact. The primary motivation for terrorist activity, both violent and monetary, is ideology, which can drive extensive and persistent attacks. Dominance, disgruntlement, and organizational gain are often also present as motivators.

Thief

Individual who steals items of value for personal financial gain.

A Thief opportunistically attacks wherever it looks like there is easy profit to be made, whether it be from a large company or from another individual. Many kinds of resources can be stolen, especially money or other financial assets such as credit card numbers, but also valuables, hardware, business or personal data, intellectual property, or anything else that can be easily sold. Also considered theft are various avenues of extortion, such as ransomware. Theft can be as simple as pocketing an unattended smartphone, and as sophisticated as hacking into a large organization to steal thousands of identities to sell on the black market. Unlike a Spy, who also steals and sells information but for organizational gain, the Thief's goal is simple personal financial gain. As defined here, “Thief” refers to those acting individually or in very small or informal groups. For sophisticated, organized criminal activity, see the Crime Syndicate descriptor.

-----

Just a comment: In 'our' context "Operational" indicates that an entity has the ability to effectively establish infrastructure and use attack packages developed by others. An analogy might be a group of actors with malicious intent who purchase pre-built exploitation packages, compromised hosts/credentials, etc. from the "black market". They have enough sophistication to configure and run these pre-built packages but not develop or customize same.

Patrick Maroney
On Fri, Jul 15, 2016 at 2:16 PM -0400, "Casey, Timothy P" <timothy.p.casey@intel.com> wrote:

Here is a suggested re-wording of the “Contest” vocabulary item for Attack Resource Level for Threat Actor:

“A short-lived and perhaps anonymous interaction that concludes when an ad-hoc group of participants have achieved a single goal. For example, people who break into systems just for thrills or prestige may hold a contest to see who can break into a specific target first. It also includes announced "operations" to achieve a specific goal, such as the original "OpIsrael" call for volunteers to disrupt all Israeli internet functions for a day. Minimum Sophistication level: ???.”

There were some changes suggested to Sophistication Level that will need to be reflected in the other Attack Resource Level descriptions. This one was formerly “Operational,” indicating a moderate level of sophistication but little long-term planning or development capabilities. If there are other items for updating please let me know.

Tim
Attachment:
STIX Threat Actor Descriptors.doc
Description: STIX Threat Actor Descriptors.doc