Achieving a better understanding of the threat landscape is key for organizations; the better they know their enemies, the better they can align their security postures. But it is hard.

We are accustomed to compartmentalizing threat actors into four broad groups: nation-state, state-sponsored, cyber criminals, and hacktivists. Now, lower barriers to entry and complex motivations have combined to call these categories into question and provide adversaries with new opportunities for anonymity.

Firstly, the increased availability of sophisticated hacking tools has served to lower the barriers of entry. Take, for example, the Hacking Team zero-day (CVE-2015-5119) that was incorporated into four well-known and easily available exploit kits just days after it was discovered.  The burgeoning markets for ransomware-as-a-service and extortion-as-a-service also allow attackers to launch sophisticated attacks with limited technical knowledge. Even the less sophisticated tactics, such as DDoS, has been made significantly easier through the emergence of DDoS-as-a-Service.

Secondly, the motivations of the threat actors have changed. New tactics, combined with the availability of tools, mean that actors can embark on a “hack” for a wider range of motivations. Among these actors are grey hat ‘security researchers’, a term that refers to hackers with ambiguous motivations. Vulnerabilities are identified in websites, yet not exploited. This is sometimes done for financial reward but, more recently, it has become common to publish these out of sheer boredom and for kudos.

These two factors are compelling in their own right, but what is most interesting is the way in which they combine to add a layer of subterfuge. Skids (script kids) pose as hacktivists, hacktivists pose as security researchers and nation-states pose as hacktivists. These differing labels offer greater operational security and plausible deniability to the adversary.

Blurred lines have made it more difficult for organizations to understand the threat landscape, but it should not be ignored. At Digital Shadows (now ReliaQuest) we track the changing motivations, targets and TTPs (tactics, techniques and procedures). Armed with this information, organizations can make more informed decisions about their security postures.