Threat actors have been using cyber-disguises to keep their true intentions secret, according to a report published today by Optiv Security.
Typical cyber threat intelligence usually categorizes threat actors in fixed classes, such as nation-states, cyber-criminals, commercial entities, and hacktivists. But, according to Optiv’s new 2019 Cyber Threat Intelligence Estimate (CTIE) report, "it’s a mistake to assume these categories are rigid or to assume that a threat actor’s classification is static."
The CTIE report is inspired by national intelligence estimates, which are analytic reports produced by the intelligence community of the United States for consumption by Congress. The CTIE comprises contributions from Optiv’s Global Threat Intelligence Center (gTIC), cyber threat intelligence company IntSights, and Carbon Black, a leader in cloud endpoint protection.
Optiv researchers found that it's not unusual for threat actors to have multiple criminal identities that they can switch between to get what they want without revealing who they are or what their actual agenda is.
For example, nation-state actors may pretend to be just a regular cyber-criminal targeting a company’s customer database, when in reality their target is to delve into the firm's deepest recesses to steal its intellectual property.
According to the report: "Sometimes threat actors may masquerade as a certain type in order to hide their true agenda. Or, threat actors may belong to two or more classes, switching between them as their priorities change."
Threat actors who demonstrate this switching behavior to cloak the true nature of their dastardly deeds are described by Optiv's researchers as "hybrid threat actors." According to the report, their primary targets are governments, manufacturing, energy, and utilities.
According to Optiv CISO Brian Wrozek, spotting when an impersonation is taking place is "quite difficult." He told Infosecurity Magazine: "Imagine robbing a bank, but the bank robber is able to present themselves as a police officer. It would be extremely difficult to identify that person. Security professionals look for patterns, which can create opportunities for bad actors to abuse those patterns to obscure their true identities."
Asked which class of threat actor is the easiest to impersonate, Wrozek said: "It’s difficult to say which is easiest, but one of the most common places we see this is in regard to nation-states. With so much politically driven activity regarding cybersecurity happening across the globe, it can be easy for nation-states to play the blame game with one another, making attribution difficult. Also, no one likes to admit they got hacked by some random individual. Saying a rich, powerful nation-state was behind an attack is much less embarrassing, so there’s that aspect to consider as well."
Other findings of the report are that crypto-jacking and ransomware attacks are increasing in popularity, and that retail, healthcare, government, and financial institutions continue to be among the most targeted verticals of cybersecurity attacks or attempts among the 10 categories of Optiv clients.
"Cyberspace has become more hostile. Hackers are more organized and sophisticated in 2019, and we’re seeing malicious attackers increase their counter measures to avoid detection,” said Tom Kellermann, chief cybersecurity officer at Carbon Black.
"According to our research, no vertical is immune, but the financial industry continues to stand out as a key target for advanced attacks. We hope cybersecurity leaders and teams will use this data as a clarion call to improve their cybersecurity postures."