Classify Threats and Threat Actor Types

Blue Team
Lesson Introduction

Cybersecurity is a mature discipline with well-established terminology and procedures. Part of this terminology concerns the identification of threats and threat actors, and of attack frameworks and indicators. You must be able to use threat intelligence and attack frameworks to model likely risks to your organization and perform threat hunting to proactively determine that your systems have not already been compromised. This commitment to proactive defense is at the heart of the best approach to security assurance.


OBJECTIVES COVERED

Explain the importance of threat data and intelligence.

Threat intelligence helps to focus security monitoring by providing information on new threats and current threat trends. Sources of this information include free online registries and catalogs, commercial registries and monitoring services, and product vendors. Increasingly, these sources are providing threat classification intelligence data in standard formats that are easily processed by automated monitoring systems. In this topic you will review the basic ways of classifying threats and threat actor types.


THREAT CLASSIFICATION

Historically, cybersecurity techniques depended very much on the identification of “static” known threats, such as viruses, rootkits, Trojans, and botnets. It is straightforward to identify and scan for this type of threat with automated software by matching the malicious code to a signature in a database of known malware. Unfortunately, many adversaries now have the capability to develop means of circumventing these security systems.

The sophisticated nature of modern cybersecurity threats means that when classifying threats, it is important to be able to describe and analyze behaviors as well as enumerate known attack signatures. This type of threat classification underpins tools and procedures that can detect unknown threats. Unknown in this sense means threats that are unlikely to be detected by off-the-shelf tools. Much of the effort in threat modeling has moved to analysis of known unknowns. For example, a research bulletin might reveal the existence of a zero-day vulnerability. The security team will investigate whether their system assets could be affected, and if so, will trigger a heightened alert status, performing scans more frequently. Based on whatever threat intelligence they possess, the security staff will be ready to investigate the type of anomaly they might mark as low priority at another time. This state of alert will persist until the vendor develops an update and the affected systems can be patched. Another example of a known unknown is that malware authors can use various obfuscation techniques to circumvent signature-matching. The exact form that such malware will take is unknown, but its likely use and operation within an attack is predictable, at least to some extent.
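The contrast between a static signature and a behavioral description, as an added example that is not part of the original lesson. The sample bytes, event fields, file paths, and the behavior rule are all constructed for illustration.

```python
import hashlib

# Constructed stand-ins for file contents (not real malware).
KNOWN_SAMPLE = b"constructed sample A"
REPACKED_SAMPLE = KNOWN_SAMPLE + b"\x00"  # same program, one padding byte
BENIGN_FILE = b"quarterly report draft"

# Signature database: digests of samples that have already been analysed.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def signature_match(content: bytes) -> bool:
    """Known threat: the exact bytes are already in the database."""
    return hashlib.sha256(content).hexdigest() in SIGNATURES

def behavior_match(events) -> set:
    """Known unknown: whatever the file's bytes, flag an image that runs
    from a temp directory, opens an outbound connection, and registers
    itself to start automatically (hypothetical rule)."""
    actions_by_image = {}
    for ev in events:
        image = ev["image"].lower()
        if "\\temp\\" in image:
            actions_by_image.setdefault(image, set()).add(ev["action"])
    return {img for img, acts in actions_by_image.items()
            if {"net_connect", "autorun_set"} <= acts}

def triage(content: bytes, events) -> str:
    if signature_match(content):
        return "known threat (signature)"
    if behavior_match(events):
        return "possible unknown threat (behavior)"
    return "no detection"

# Constructed endpoint telemetry for two workstations.
SUSPECT_IMAGE = r"C:\Users\a\AppData\Local\Temp\upd.exe"
EVENTS_SUSPECT = [
    {"action": "process_start", "image": SUSPECT_IMAGE},
    {"action": "net_connect", "image": SUSPECT_IMAGE},
    {"action": "autorun_set", "image": SUSPECT_IMAGE},
]
EVENTS_NORMAL = [
    {"action": "process_start", "image": r"C:\Program Files\Office\word.exe"},
    {"action": "net_connect", "image": r"C:\Program Files\Office\word.exe"},
]

if __name__ == "__main__":
    for name, content, events in [
        ("known sample", KNOWN_SAMPLE, EVENTS_SUSPECT),
        ("repacked sample", REPACKED_SAMPLE, EVENTS_SUSPECT),
        ("benign file", BENIGN_FILE, EVENTS_NORMAL),
    ]:
        print(f"{name}: {triage(content, events)}")
```

The repacked sample no longer matches the stored digest, yet the same behavior rule still fires on it; the behavior hit is a lead for investigation, not a verdict.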

** Another useful category is that of recycled threats. This refers to combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning. **

There are also unknown unknowns. This is the domain of completely new attack vectors and exploits. One of the purposes of security research is to try to discover these, using techniques such as analysis of data collected in honeypots and monitoring of discussion boards used by threat actors.

** Classifying threats into quadrants (known knowns, unknown knowns, known unknowns, and unknown unknowns) was popularized by a comment made by Donald Rumsfeld as US Secretary of Defense (youtube.com/watch?v=GiPe1OiKQuk), but has a longer history as a personal development analysis framework called the Johari window (businessballs.com/self-awareness/johari-window-model-and-free-diagrams). The Johari window has frequently been adapted for project and risk management purposes. The “unknown knowns” quadrant represents risks that are documented or identified but then disregarded or perhaps minimized in importance. **


THREAT ACTOR TYPES

Because of the need to defend against unknown threats, threat intelligence is not simply a process of identifying malware signatures and technical attack vectors. Threat intelligence must also develop insights into the behaviors of discrete types of adversary groups. You can use threat intelligence reports to monitor nation-state, organized crime, and hacktivist groups and activities that pose relevant threats to your own organization. It is important to identify the level of resources/funding that different adversaries might possess, and whether they can develop sophisticated malware that can evade basic security controls.

When evaluating adversary behaviors, attacks can be characterized as either opportunistic or targeted. Opportunistic attacks might be launched without much sophistication or funding simply by using tools widely available on the Internet. Conversely, a targeted attack might use highly sophisticated tools and be backed by a budget that can allocate resources and skilled professionals to achieving its aims.

Nation-State

Most nation-states have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals. The security company Mandiant’s APT1 report into Chinese cyber espionage units (fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf) was influential in shaping the language and understanding of modern cyberattack life cycles. The term advanced persistent threat (APT) was coined to understand the behavior underpinning modern types of cyber adversaries. Rather than think in terms of systems being infected with a virus or rootkit, an APT refers to the ongoing ability of an adversary to compromise network security—to obtain and maintain access—using a variety of tools and techniques.

Nation-state actors have been implicated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage, but it is known that countries—North Korea being a good example—target companies purely for commercial gain. You should also realize that each state may sponsor multiple adversary groups, and that these groups may have different objectives, resources, and degrees of collaboration with one another.

** CrowdStrike’s Adversary Universe app provides an overview of currently identified APTs (https://adversary.crowdstrike.com/en-US/). **

Organized Crime

In many countries, cybercrime has overtaken physical crime both in terms of number of incidents and losses. An organized crime gang can operate across the Internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail. A blog from Security Intelligence (securityintelligence.com/the-business-of-organized-cybercrime-rising-intergang-collaboration-in-2018) discusses some of the strategies and tools used by organized crime gangs.

Hacktivist

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. Political, media, and financial groups and companies are probably most at risk, but environmental and animal advocacy groups may target companies in a wide range of industries. While international groups gained media attention through the early part of the 2010s, recent research (https://go.recordedfuture.com/hubfs/reports/cta-2019-0821.pdf) suggests that most active hacktivist groups are focused on activities at the regional level—within a single country.


INSIDER THREAT TYPES

Many threat actors operate externally from the networks they target. An external actor has to break into the system without having been granted any legitimate permissions. An insider threat arises from an actor who has been identified by the organization and granted some sort of access. Within this group of internal threats, you can distinguish insiders with permanent privileges, such as employees, from insiders with temporary privileges, such as contractors and guests. The Computer Emergency Response Team (CERT) at Carnegie Mellon University’s definition of a malicious insider is:

A current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. (insights.sei.cmu.edu/insider-threat/2017/03/cert-definition-of-insider-threat---updated.html)

** There is the blurred case of former insiders, such as ex-employees now working at another company or who have been dismissed and now harbor a grievance. These can be classified as internal threats or treated as external threats with insider knowledge, and possibly some residual permissions, if effective offboarding controls are not in place. **

CERT identifies the main motivators for malicious insider threats as sabotage, financial gain, and business advantage. Like external threats, insider threats can be opportunistic or targeted. Again, the key point here is to identify likely motivations, such as employees who might harbor grievances or those likely to perpetrate fraud. An employee who plans and executes a campaign to modify invoices and divert funds is launching a structured attack; an employee who tries to guess the password on the salary database a couple of times, having noticed that the file is available on the network, is perpetrating an opportunistic attack. It is important to realize that an insider threat may be working in collaboration with an external threat actor or group.

Insider threats can also be categorized as either intentional or unintentional. The examples given previously are intentional threats. An unintentional threat is created by an insider acting with no malicious intent. An unintentional or inadvertent insider threat is a vector for an external actor, or a separate—malicious—internal actor to exploit, rather than a threat actor in its own right.

Unintentional threats usually arise from lack of awareness or from carelessness, such as users demonstrating poor password management. Another example of unintentional insider threat is the concept of shadow IT, where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process. The problem of shadow IT is exacerbated by the proliferation of cloud services and mobile devices, which are easy for users to obtain. Shadow IT creates a new unmonitored attack surface for malicious adversaries to exploit.

Technical controls are less likely to be able to inhibit structured insider threats, as insiders are more likely to be able to bypass them. Implementing operational and management controls, especially secure logging and auditing, is essential. Unintentional insider threats are best tackled via security training and awareness, plus procedural controls to govern critical tasks. Monitoring statistics related to training use and documentation can help to identify employees or departments where there is elevated risk of inadvertent threats.


COMMODITY MALWARE AND ZERO-DAY THREATS

Another part of threat classification is to describe distinct types of adversary tools, collectively described as malware. While the division of malware into types such as virus, worm, Trojan, rootkit, and ransomware is well known, the development, production, and deployment of malware is highly relevant to threat intelligence, because it reveals clues to the intentions and capabilities of cyber adversaries.

Commodity Malware

Malware has existed for almost half a century and over that time its use has become commodified, meaning that it is sold and exchanged just like any other type of software. Commodity malware refers to code that can be used in general circumstances and that is packaged for general sale, typically through dark web marketplaces (csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html). Examples of commodity malware include remote access Trojans (RATs), such as PoisonIvy, Dark Comet, and XtremeRAT. Once such tools are identified as being generally available through online marketplaces or download sites, threat intelligence feeds will tag the process signatures as commodity. Commodity malware can be contrasted with targeted or custom malware, which is developed and deployed with a target in mind, following careful reconnaissance of that target. The difference is similar to that between general phishing campaigns and spear phishing campaigns. Commodity malware depends on unpatched systems vulnerable to known exploits, while targeted malware is more likely to use a zero-day exploit.

Note that the definition of commodity malware is somewhat fuzzy (crowdstrike.com/blog/blurring-of-commodity-and-targeted-attack-malware). Custom malware may also be available in marketplaces, though sale may be restricted to verified contacts of the group that developed it. Similarly, off-the-shelf or packaged malware can still pose a risk to automated threat detection systems because obfuscation techniques can be used to change the commodity malware code slightly to evade signature detection. From a threat intelligence point of view, however, identifying malware as commodity versus targeted can help you to determine the severity of an incident because it can help to identify the goals and resources available to the attacker.

Zero-Day Malware

Malware often depends on some sort of software, firmware, or hardware vulnerability, whether it be to achieve initial execution, escalate to higher system privileges, or achieve persistence on the target system. A zero-day is a vulnerability that is discovered or exploited before the vendor can issue a patch to fix it.

** The term zero-day is usually applied to the vulnerability itself but can also refer to an attack or malware that exploits it. **

The most serious zero-day vulnerabilities are those discovered and exploited by adversary groups. Security researchers also discover new vulnerabilities, in which case it is best practice for them to inform the vendor privately and allow time for a fix to be developed before making the vulnerability public. The time allowed is often 90 days by convention, but this may be reduced depending on the status of the vulnerability. An unpatched but discovered vulnerability can be referred to as n-day. For example, if a vulnerability has not been patched in the week following discovery, it is a 7-day vulnerability.

Zero-day vulnerabilities have significant financial value. A zero-day exploit for a mobile OS can be worth millions of dollars. Consequently, an adversary will only use a zero-day vulnerability for high value attacks. State security and law enforcement agencies are known to stockpile zero-days to facilitate the investigation of crimes.

** Do not allow a classification schema to blind you to potential adversary behaviors. For example, sophisticated threat actors may use commodity malware in initial attacks to probe an organization’s defensive capabilities and possibly obtain some sort of foothold. Using sophisticated custom malware in the preliminary stages of a campaign risks exposing both the group and the custom tool, so such malware is likely to be withheld until the group is confident of using it to accomplish its objectives before detection. **

** The RAND Corporation has produced a fascinating report on the production and marketization of zero-day vulnerabilities (rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf). **


ADVANCED PERSISTENT THREAT (APT)

The term advanced persistent threat (APT) was coined to understand the behavior underpinning modern types of cyber adversary, such as nation-state and organized crime actors. The term originally referred to the group behind a campaign but has been widened to mean the tools such groups use as well. The concept of an APT is a means of modeling known unknown threats. As well as scanning for virus or Trojan signatures, you can scan for the presence of Command and Control (C2) software or network activity or look for unexplained changes in network activity overall. One of the concepts underpinning APT is that of withdrawal, where the adversary removes evidence of the attack. One way of discovering unknowns is to look for signs of any past attacks that have gone undetected.
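One way to look for C2-style network activity, as an added example that is not part of the original lesson: flag source/destination pairs whose connections recur at near-constant intervals. The log records, the addresses (documentation ranges), and the thresholds `min_events` and `max_cv` are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def find_beacons(records, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for pairs that connect at
    regular intervals. cv is the coefficient of variation of the gaps
    between connections: near 0 means machine-like timing."""
    times_by_pair = defaultdict(list)
    for ts, src, dst in records:
        times_by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in times_by_pair.items():
        if len(times) < min_events:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections share one timestamp
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg), round(cv, 3)))
    return sorted(hits)

# Constructed connection log: (epoch seconds, source, destination).
BEACON_TIMES = [0, 301, 599, 900, 1202, 1500, 1799, 2101]   # ~300 s, jittered
BROWSE_TIMES = [5, 12, 190, 200, 1400, 1410, 2900, 2950]    # human-driven
CONSTRUCTED_LOG = (
    [(t, "10.0.0.5", "203.0.113.10") for t in BEACON_TIMES]
    + [(t, "10.0.0.7", "198.51.100.20") for t in BROWSE_TIMES]
    + [(t, "10.0.0.5", "198.51.100.99") for t in (100, 400, 700)]
)

if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(CONSTRUCTED_LOG):
        print(f"{src} -> {dst}: every ~{gap}s (cv={cv})")
```

Legitimate software such as update checkers and time synchronization also connects on a fixed schedule, so each hit needs to be compared against known-good destinations before it is treated as a C2 lead.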

APTs typically target large organizations, such as financial institutions, companies in healthcare, and other organizations that store large personally identifiable information (PII) data sets. APTs have also been known to target governments to carry out political objectives, interfere in elections, or simply to spy on another country.

The “advanced” part of an APT is an important identifier, as these types of threats are very rarely executed by lone, unskilled attackers using prebaked exploits. An APT will command considerable resources, including staff specializing in different realms of exploit development and execution. APTs spend considerable effort in gathering intelligence on their target and are able to craft highly specific custom exploits. Another characteristic of the advanced nature of APTs is that they often combine many different attack elements into an overall threat architecture.

APTs have diverse overall goals, but since a large part of the attack is about stealth, most APTs are interested in maintaining access—or persistence—to networks and systems. There are several techniques that can grant attackers access for months or even years on end without being detected. Because of this, APTs are some of the most insidious and harmful threats to an organization.


Front of Flashcard 1 of 3

What distinguishes an unknown threat from a known threat?

Back of Flashcard 1 of 3

A known threat can be identified by automated detection tools, such as an anti-virus scanner, intrusion detection system (IDS), or vulnerability scanner. Unknown threats are those that cannot be identified from a static signature. You can distinguish between known unknowns, which are threats that may follow some general pattern observable from previous or similar threats, and unknown unknowns, representing completely new threat actors, sources, and techniques.


Front of Flashcard 2 of 3

What types of controls address risks from unintentional insider threats?

Back of Flashcard 2 of 3

Training and awareness programs reduce the chance that insiders will generate risks from ignorance. Procedural controls help to mitigate risks from carelessness and inattention. The presence of elevated risk from inadvertent threat can be assessed by monitoring training adoption and effectiveness metrics.


Front of Flashcard 3 of 3

Security monitoring has detected the presence of a remote access tool classified as commodity malware on an employee workstation. Does this allow you to discount the possibility that an APT is involved in the attack?

Back of Flashcard 3 of 3

No. While targeted malware is associated with highly resourced threat actors such as advanced persistent threats (APT), there is nothing to prevent such actors using commodity malware as well, such as during the initial stages of a campaign. You need to evaluate other indicators to identify the threat actor involved and whether the presence of commodity malware is an isolated incident or part of a wider campaign.
