Cyber threats mean different things to different people, and there is no one true definition. We'll propose a few ways to think about cyber threats and talk through some authoritative sources on the topic. We'll also look more broadly at cyber actors and how we can categorise them.
What is a Cyber Threat?
We'll start with the following simple definition and then compare it to some of the other suggested meanings.
A cyber threat is a possible occurrence with the potential to undermine the confidentiality, integrity or availability of information systems.
The Canadian Centre for Cyber Security provides a similar definition of a cyber threat.
A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains, or to disrupt digital life in general.
This definition focuses on activities intended to cause harm, whereas others consider threats more broadly, including accidental or environmental sources. For example, NIST's Computer Security Resource Center glossary states:
Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image, or reputation), organisational assets, or individuals through an information system via unauthorised access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.
NIST's SP 800-30 on Risk Assessments suggests that we can break 'threat' down into 'threat events', which are the actions that cause harm, and then the generic 'threat sources' which may cause those events.
In a cyber threat intelligence (CTI) context, we focus on adversarial (intentionally malicious) threats in terms of specific cyber actors and their activities.
Looking a bit further, in TS 102 165-1, ETSI uses the following definition:
Potential cause of an incident that may result in harm to a system or organisation
This short definition is expanded on with the following notes:
A threat consists of an asset, a threat agent and an adverse action of that threat agent on that asset (clause 6.2 of Common Criteria part 1 - ISO/IEC 15408-1 [i.27]).
A threat is enacted by a threat agent, and may lead to an unwanted incident breaking certain predefined security objectives.
And finally, in their CBEST guidance, the Bank of England define threat as:
- an expression of intent to do harm, i.e. deprive, weaken, damage or destroy;
- an indication of imminent harm;
- an agent that is regarded as harmful;
- a harmful agent's actions comprising of tactics, techniques, and procedures (TTPs).
In summary, we can think of threat as either:
- a broad subject covering all possible causes of harm to information systems (such as the NIST definition, which includes accidental, structural and environmental threat sources);
- or we can focus more specifically on intentional malicious actions of 'harmful agents'.
Types of Cyber Threat Events
There are some well-established sources for categorising threat events. For example, NIST SP 800-30 defines a set of possible threat events, and the VERIS framework defines these seven threat action categories:
When thinking about adversarial cyber threat events, it can be helpful to consider two key components:
- Capabilities - the means used to cause harm, for example, the primary attack vector.
- Intent - what is the motivation behind the attack, and what type of harm is likely to result.
Considering these two components lets us identify more specific types of threat events, such as 'ransomware for extortion' rather than something very ambiguous such as 'malware attack'. Using this approach, some useful threat event types to consider are:
- Ransomware for extortion: ransomware deployed by financially motivated actors to extort a victim for financial gain.
- Social engineering to obtain funds from a business: using social engineering (for example, through 'phishing' or 'vishing') to get the victim to transfer money.
- Social engineering to obtain funds from an individual: using social engineering (for example, through 'phishing' or 'vishing') to get the victim to transfer money.
- Disk wiping or encryption for disruption: an attacker wipes disks or deploys encryption against target computers solely for disruptive or destructive purposes.
- Manipulation of industrial control systems: an adversary interacts with industrial control systems or operational technology to adversely affect operations.
- Phishing for theft of credentials: using phishing emails to obtain victim credentials.
- Distribution of malware for financial gain: adversaries distribute malware such as infostealers or banking trojans to profit financially.
- Compromise of network or infrastructure for espionage: attackers gain access to a network or infrastructure to enable espionage operations (typically including theft of data) in the short or long term.
- Compromise of accounts for espionage: a cyber adversary gains access to user accounts/services for espionage purposes.
- Theft of data for extortion: an attacker steals data to extort the victim or sell it.
- Hack and leak for infamy: attacking an organisation or individual and publishing details or data for infamy or personal pride.
- Hack and leak for influence: attacking an organisation or individual and publishing details or data to achieve political or personal aims.
- Exploitation to enable future access: exploitation of vulnerabilities to obtain initial access to victims for potential future use - such as a strategic compromise or onward sale.
- Denial of service attack to disrupt: a denial of service attack which disrupts the victim's operations.
- Public impact for embarrassment: an attack with a public effect (such as website defacement or social media account takeover) intended to damage the victim's reputation.
- Software supply chain compromise to access customer environment: modifying distributed software to gain access to the environments of its users.
- Compromise of service providers to enable access to customer environments: compromising a supplier to enable onward access into their customers' environments.
At a high level, threat sources describe what or who might cause a threat event. In SP 800-30, NIST defines a taxonomy of threat sources grouped into adversarial, accidental, structural and environmental threats.
Adversarial threats are malicious activities intentionally carried out by an individual, group, organisation or nation-state to cause harm. We can think about adversaries in terms of their means (capabilities) and motives (intent) for conducting attacks.
Accidental threats cover users accidentally causing an adverse effect on systems - for example, a user accidentally deleting files or corrupting a service.
Structural threats are failures of software and equipment due to normal ageing or environmental factors. For example, the failure of hard drives over time.
Environmental threats may include natural or human-caused disasters (such as fire or floods) as well as broader infrastructure failures such as a power cut.
Types of Cyber Threat Actors
In terms of categorising cyber threat actors, or adversarial threats, the Canadian Centre for Cyber Security propose the following classifications and related motivations:
- Nation-state cyber threat actors - often geopolitically motivated.
- Cybercriminals - often financially motivated.
- Hacktivists - often ideologically motivated.
- Terrorist groups - often motivated by ideological violence.
- Thrill-seekers - often motivated by satisfaction.
- Insider threat actors - often motivated by discontent.
Alternatively, the Structured Threat Information Expression (STIX) language specifies the following threat actor type vocabulary:
What is an APT?
When people talk about cyber threat actors, they often refer to 'APTs'.
APT stands for Advanced Persistent Threat. Again, this can have different meanings depending on the context. Historically the term was used to refer to nation-state cyber actors. However, as other threats (such as criminals) have improved their capabilities, the term may now be used more generally to refer to actors with strong motivation (persistence) and significant capabilities. This change is partly driven by the wide availability of advanced tools (such as CobaltStrike) and an understanding of how to use them for financial gain.
The cybersecurity firm Mandiant explicitly uses the term APT combined with a number to designate nation-state threats. For example, the first 'APT' group they reported on was APT1, which they suspect is attributed to Unit 61398 of China's People's Liberation Army.
Naming and Attributing Threat Actors
It is challenging to definitively tie actions in cyberspace to different groups and ultimately to real people and organisations - this process is known as attribution. A lot of the time, we will never know who is really behind a cyber attack. Furthermore, as cyber actors, or adversaries, improve their operational security (OPSEC) over time, the challenge will only get harder.
We can think of two levels of attribution:
- Tying activity to a specific cyber actor
- Tying that actor to a real-world entity
Certain features of cyber attacks may help with attribution:
- Infrastructure - for example, the reuse of IP addresses or domain names
- Capabilities - for example, the use of specific tools and malware
- Behaviours - for example, always using a similar set of MITRE ATT&CK techniques
- Victimology - the types and locations of victims can give an insight into who might be targeting them
Often threat activity will be tracked as unattributed clusters until sufficient evidence is gathered to tie it to a specific actor. For example, Microsoft uses a 'DEV' designation and Mandiant uses 'UNC'.
Attribution is not a science, and we must be careful not to make unfounded assumptions about who is behind an attack. We should also question how attribution has been determined - different organisations may have different thresholds for attribution. Furthermore, different cyber security firms may use different names to track the same actors, or there may be certain overlaps between actors while not necessarily being the same group.
Sometimes government agencies will make attribution statements based on the comprehensive intelligence resources they have at their disposal. Government attributions can provide valuable insight into who is likely behind certain cyber attacks.
Whoever is making the attribution, we should also consider their motivations and weigh this against the evidence they present.
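The comparison of attack features described in this section can be sketched in code. The following is an added example, not part of the original article: it scores a cluster of unattributed activity against known actor profiles on the four feature types listed above, and only ties the cluster to an actor when more than one feature type overlaps. The actor names, indicators, sectors and both thresholds are constructed assumptions.

```python
FEATURES = ("infrastructure", "capabilities", "behaviours", "victimology")

# Constructed sample profiles: actor names, indicators and sectors are invented.
KNOWN_ACTORS = {
    "ACTOR-A": {
        "infrastructure": {"198.51.100.7", "update-check.example"},
        "capabilities": {"custom-loader", "cobalt-strike"},
        "behaviours": {"T1566", "T1059", "T1547"},  # MITRE ATT&CK technique IDs
        "victimology": {"telecoms", "education"},
    },
    "ACTOR-B": {
        "infrastructure": {"203.0.113.20", "cdn-sync.example"},
        "capabilities": {"cobalt-strike", "locker-z"},
        "behaviours": {"T1078", "T1486", "T1059"},
        "victimology": {"healthcare", "retail"},
    },
}

# Constructed clusters of unattributed activity.
CLUSTER_1 = {"infrastructure": {"198.51.100.7", "update-check.example", "192.0.2.55"},
             "capabilities": {"custom-loader"},
             "behaviours": {"T1566", "T1059"},
             "victimology": {"telecoms"}}
CLUSTER_2 = {"infrastructure": {"192.0.2.99"},
             "capabilities": {"cobalt-strike"},  # widely available tool
             "behaviours": {"T1059", "T1021"},
             "victimology": {"finance"}}

def jaccard(a, b):
    """Share of distinct values two sets have in common (0.0 if either is empty)."""
    return len(a & b) / len(a | b) if a and b else 0.0

def compare(cluster, profile):
    """Score one activity cluster against one actor profile, feature by feature."""
    return {f: jaccard(cluster.get(f, set()), profile.get(f, set())) for f in FEATURES}

def assess(cluster, actors=KNOWN_ACTORS, min_score=0.4, min_features=2):
    """Return (actor or None, strongly overlapping features, per-feature scores).

    Assumed thresholds: a feature counts as overlapping at `min_score`, and a
    cluster is tied to an actor only if `min_features` feature types overlap.
    """
    best = None
    for name, profile in sorted(actors.items()):
        scores = compare(cluster, profile)
        strong = [f for f in FEATURES if scores[f] >= min_score]
        if best is None or len(strong) > len(best[1]):
            best = (name, strong, scores)
    name, strong, scores = best
    return (name if len(strong) >= min_features else None), strong, scores

if __name__ == "__main__":
    for label, cluster in (("cluster-1", CLUSTER_1), ("cluster-2", CLUSTER_2)):
        actor, strong, _ = assess(cluster)
        print(label, "->", actor or "unattributed", "| strong overlap:", strong)
```

The second cluster shares only a widely available tool with both profiles, so it stays an unattributed cluster rather than being assigned to either actor.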
Example threat actors
We will use some of the Canadian Centre for Cyber Security threat actor categories to look at examples of threat actors that have been reported.
Nation-state cyber threat actors
Charming Kitten - a threat actor tracked since 2017 with links to Iran. The group has been reported for targeting human rights activists, academic researchers and media outlets. The group is also known by other aliases, such as APT35 and PHOSPHORUS.
APT41 - a threat actor attributed to China. The group has been active since at least 2012, targeting a wide range of sectors, from video gaming to education to telecommunications. The group has been observed undertaking both espionage and financially motivated attacks (which appear to be for personal gain).
Cybercriminals
REvil - a cybercrime group also known as Sodinokibi, with possible (but unconfirmed) links to GandCrab and DarkSide ransomware. The group has conducted multiple high-profile ransomware attacks, including conducting a supply chain attack through the software update mechanism used by IT services company Kaseya. One of their operators was indicted by the US government in August 2021.
Hacktivists
Guacamaya - a hacking collective motivated to expose corruption and the destruction of the planet. They have targeted mining corporations, government departments and military organisations to disclose data which they say demonstrates the corruption of several Central and South American governments.
Thrill-seekers
LAPSUS$ - this threat actor appears to be a young group of hackers keen to conduct high-profile attacks against a range of large corporations and publish the details on social media. Their victims include Microsoft, NVIDIA and Okta.
Insider threat actors
In September 2018, a former employee of Cisco connected to their cloud environment and deleted 456 virtual machines, which, according to prosecutors, resulted in the shutdown of over 16,000 WebEx Teams accounts and cost Cisco approximately $2.4 million.
Cyber threats, attacks, incidents and risks
It can be confusing to differentiate between threats, attacks, incidents and risks. So here are some brief definitions.
- Threats generally refer to potential activities that may harm information systems.
- Attacks are specific instances where some threat source interacts with existing systems with the intent to cause harm. Attacks typically have three components: means (capabilities used to conduct the attack), motive (the reason someone has undertaken the attack) and opportunity (some victim infrastructure which is being targeted).
- An incident represents the occurrence of a threat event from the victim's perspective, which may jeopardise the confidentiality, integrity or availability of their information systems.
- A cyber risk is the combination of the likelihood that a cyber threat will occur and the impact that it would cause.
Understanding Cyber Threats
We can use a couple of well-established models to make sense of cyber threats. Firstly, the Diamond Model of Intrusion Analysis describes intrusion events as being characterised by four core features:
Next, multiple 'kill chains' are available, which give us a way of breaking a threat event into stages. For example, the UK's NCSC describes a simplified cyber kill chain with the following four steps:
- Survey - the adversary investigates a target to identify potential vulnerabilities.
- Delivery - the adversary develops any necessary capabilities and infrastructure to exploit the identified vulnerabilities.
- Breach - exploiting the vulnerability to gain unauthorised access to the target.
- Affect - carrying out activities against the target network to meet objectives.
Finally, the MITRE ATT&CK framework gives us a common language to describe capabilities used during an attack. Primarily it defines many 'Techniques' that threat actors may utilise when carrying out a cyber attack.