What is a threat actor?

A threat actor is an individual or group that launches attacks against specific targets, typically employing a particular style in an attempt to gain notoriety. Threat actor is a broad term for a person who is looking to cause damage to a company's reputation, financial standing, and/or overall security posture.

A Forrester podcast notes the emergent connection between threat actors and artificial intelligence (AI), detailing how threat actors are increasingly using AI to create highly convincing fake identities that lead organizations to take potentially damaging actions.

Threat actor targets

It's no secret why top threat actors consistently target large enterprise organizations: they have more money than small and midsize businesses. Going after bigger targets carries greater risk, but with greater risk comes greater financial reward.

The only reason a threat actor might target a small business could be that the organization is a supplier in a supply chain linked to a larger organization, the threat actor's actual target. That said, some industries that continue to be prime targets of threat actors are finance, healthcare, and pharmaceuticals.

These are top-tier verticals with some blue-chip brands that threat actors dream of profiting from to the tune of millions or even billions of dollars. These brands employ robust security operations centers (SOCs) to protect their sensitive data, so the bar is set high for threat actors who would go after such lofty targets.

What motivates threat actors?

Threat actors are motivated by money, first and foremost. But what are the ways in which threat actors earn money? By selling information. Thus data becomes the primary target when a threat actor attempts a breach. Let's look at how money, and some less conspicuous motives, lead a threat actor to set their sights on the big prize.

Financial gain

As previously mentioned, companies in highly regulated industries such as healthcare and financial services are among the wealthiest in the world. If a threat actor is able to compromise the security protocols of such a company, the prize could be an astounding sum of money.

Insider espionage

Insider threats arise when an employee or contractor looks for a way to gain financially, or holds a grudge against the company they work for or one of its partners. This could be most troublesome in the form of the employee stealing customer data, proprietary financial information on the company, or identity and access management (IAM) material (passwords, encryption keys, etc.) and selling it to a bad actor.

Ransomware 

Ransomware is nefarious code or actions attackers leverage to hold a company's data hostage, with the ultimate goal of forcing a business to pay a ransom for the return of its stolen data. While a security organization can never be fully impenetrable to ransomware attacks, it can take steps to protect its attack surface or to mitigate the impact of such an attack.

Political influence

As the world has experienced in the recent past, the influence of nation-state-backed threat actors on global elections and political campaigns has grown exponentially over the past decade. These types of threat actors seek to influence elections and the voting citizens of target countries by leveraging AI, social media, and the electronic apparatus tied to the voting process itself.

Types of threat actors

While we've discussed certain categories of activity and the motivations that prompt threat actors to act, let's now look at some stricter definitions of the types of threat actors currently operating at scale.

Nation-state actors

These threat actors may be employed directly by a department of a national government, or may come from an organized crime entity hired by a national government. They generally have deep resources and their collective motivations run across the spectrum.

Because nation-state actors are funded extremely well relative to small groups and individuals, they can be particularly formidable adversaries for other countries and for commercial industries. State-sponsored malicious cyber activity can have devastating effects on a nation's national security and economy.

Cyberterrorists

According to the National Institutes of Health (NIH), "acts of cyberterrorism involve the use of the internet and other forms of information and communication technology to threaten or cause physical harm in order to gain political or ideological power through threat or intimidation."

This is especially true of the essential services run by state and federal governments around the world. If a group of cyberterrorists had the proper motivation, targeting essential services such as power grids, hospital infrastructure, and city management services could have devastating effects.

Hacktivists

Hacktivists, or hacker activists, are generally not driven by financial gain when launching attacks. In this way, they're closely related to open-source projects and are similarly constrained by the talent they attract. Since anyone can contribute to an open-source project it would seem like their resources are infinite, but in reality hacktivist groups have the arduous task of convincing people to work for them for free.

For this reason, hacktivists typically don't exhibit the same level of operational sophistication as other types of threat actors. Hacktivist groups usually have less of a defined attack path when launching an attack, so they may well attempt low-overhead attacks that are less targeted and more opportunistic.

Cybercriminals

Cybercriminals are, perhaps, the most common threat-actor archetype when one thinks of someone targeting a company over the internet. Many cybercriminals are not only interested in obtaining personal information, but also look for corporate information they can sell to the highest bidder.

They deploy ransomware to hold data hostage, perpetrate social engineering and/or phishing attacks, and will look for exploitable network vulnerabilities in an attempt to obtain information valuable to the company, to another threat group, or to both.

Threat actor tactics

Naturally, different types of threat actors are going to have different tactics, techniques, and procedures (TTPs) they leverage to achieve their ultimate goals. Modern threat-actor outfits are now finding ways to keep an organization in their grip for longer, creating a sort of nightmare scenario for higher-profile companies.

  • Double extortion: Threat actors not only demand a ransom for the data they have stolen and encrypted, but also extort the organization a second time: pay an additional fee, or they will leak the data.
  • Phishing: Posing as a legitimate business or internal employee is an increasingly effective way to deploy malware on a network. This method attempts to trick a target into revealing sensitive information such as passwords or customer data.
  • Ransomware-as-a-service (RaaS): With RaaS, threat actors can simply purchase malicious software from a provider, who takes a cut of the payout. The result is a broader and more decentralized network of ransomware attackers.
  • Access brokers: A mirror image of RaaS, access brokers give a leg up to bad actors who want to run ransomware on an organization's systems but need an initial point of entry.
  • Lateral movement: Once a ransomware attacker has infiltrated an organization's network, they can use lateral movement techniques to gain higher levels of access and extort the most sensitive data.
  • Distributed denial of service (DDoS): A basic DoS attack involves a single system attacking another system. A DDoS attack typically involves multiple systems (even hundreds of thousands) under the attacker's control, all attacking one target simultaneously.

How to protect yourself from threat actors

Remember, the term "threat actor" can encompass many different types of perpetrators committing many different types of criminal acts on corporate networks. But there are some common tactics SOC analysts and practitioners can leverage to successfully thwart cybercriminals.

Security awareness training

Security awareness training can encompass many different topics in network defense methodology, but the overall purpose of such an educational program is to train employees who do not work in cybersecurity.

Whether it's educating a workforce on malware, desktop security, wireless networks, or phishing, enterprise leaders should understand what goes into building a security awareness training program, participate in it, and provide feedback throughout the process.

Network security and endpoint defense

There are many components of an enterprise "network." A lot are digital, but there may be a larger number of physical components, or endpoints, than you might think. Network security is the in-depth practice of building defensive and offensive frameworks around an organization's physical and cloud environments.

Network security processes can include reviewing Active Directory groups, enabling multi-factor authentication (MFA), and maintaining a strong cloud security posture. At the same time, a network is only as strong as its weakest endpoint (laptops, mobile devices, servers, etc.), because a vulnerability on an endpoint may be exactly the foothold a threat actor needs to breach the network and begin moving laterally.

Identity and access management

Requiring employees or system users to verify their identity through multiple verification steps is a best practice for ensuring they are not, in fact, threat actors impersonating someone with authorized access to the network.

IAM protocols implement a layer of security between users and on-premises or cloud-based servers and applications. Components of IAM can include password management, enforcement of security policies, MFA, and/or access monitoring and alerting.

Read more

Threat intelligence: Latest Rapid7 Blog Posts