Threat actors, also known as bad actors, are individuals or groups who deliberately engage in malicious activities such as hacking, phishing and other cyber crimes with the intent to harm systems, networks or data. These actors are driven by various motivations, including financial gain, political ideology, grievances or vendettas.
In recent years, there has been a considerable surge in threat actor activity. According to IBM's Threat Intelligence report, phishing (39%), exploiting public-facing applications (26%) and exploiting remote services (12%) are the top three initial access vectors used by threat actors. Once access has been gained, the top five impacts are extortion (21%), data theft (19%), credential harvesting (11%), data leaks (11%) and damage to brand reputation (9%). Data theft, credential harvesting and data leaks together account for 41%, so more than 40% of the resulting impact falls directly on data.
Threat actors target every major industry, with manufacturing (25%), financial services and insurance (19%) and professional and consumer services (15%) experiencing the greatest number of attacks. Sensitive Personally Identifiable Information (PII) held by consumer-facing businesses is a prime target for threat actors looking to monetise data. In manufacturing, disruption of production processes and supply chains can cause substantial financial losses, which makes extortion a serious concern. However, the report's estimates of cybercrime and threat actor activity are based on imperfect data. The many categories of threat actor, the disparate data sets describing incidents and a general lack of transparency all suggest that the actual number of actors and events is far greater than the report indicates.
The World Economic Forum has estimated that the total cost of cybercrime will reach $10.5 trillion by 2025. This figure encompasses the impact of threat actors targeting commercial sectors and coordinated attacks on critical public sector infrastructure. As a result, cybersecurity, particularly data protection, is an increasingly pressing concern for senior executives and government leaders.
When considering threat actors, it is useful to categorise their activities and motivations under three headings: access vector, action and impact.
Access vectors are the methods threat actors use to gain entry to a system or resource. Within the phishing category noted above, the most common single method is spear phishing via email (approximately 25%), typically an email carrying a malware attachment or a link to an external malware host that an unsuspecting user clicks. People remain the weakest link in security, offering an attractive entry point for gaining unauthorised access to systems and networks.
The second most frequent access vector is exploitation of public-facing applications (26%). Web applications give us convenient access to valuable and frequently sensitive information, such as mobile banking, medical records and corporate data. Organisations and policymakers continually grapple with balancing convenient access to data and services against the sensitivity of that data and the size of the attack surface that access creates. Exploitation of public-facing applications may stem from software bugs or from misconfiguration, and it affects web and application servers, databases and other network services that are unintentionally exposed to the internet.
Once a threat actor has gained access through an initial access vector, they may use this foothold to expand their reach and execute their objectives. The most prevalent actions are the installation of malware, including backdoors and ransomware (38%), server and remote tool access (10%) and business email compromise (6%). Ransomware attacks are not limited to individual or organisational data; they may also aim to disrupt network services, including authentication, authorisation, virtual compute, storage and networking. The average time taken to deploy ransomware after initial access fell sharply between 2019 (about two months) and 2021 (about four days), a reduction of over 90%.
Cybercrime is expanding rapidly, with vulnerabilities being exploited and large volumes of sensitive information being acquired at previously unseen levels. Notable data breaches from 2023 include the genetic testing company 23andMe, which reported a breach affecting the ancestry data of 6.9 million users. Attackers reportedly logged in to accounts whose owners had reused passwords already exposed in earlier breaches at other companies, a technique known as credential stuffing, and then harvested the profile data those accounts could see about other users' relatives, which is how the exposure reached millions of people. Authentication services should detect such attacks, but the obvious response of temporarily suspending the accounts under attack lets an attacker lock legitimate users out of their own accounts simply by hammering their usernames: a self-inflicted denial of service. Throttling should therefore be applied to the attacking source, with a step-up challenge rather than a lockout for the targeted account. Publicly accessible applications, particularly those handling sensitive information, should enforce two-factor authentication, so that a stolen or guessed password alone is not enough to log in. Users are responsible for choosing strong, unique passwords, but it is the application's job to protect its users when they do not.
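The following is an added example, not code from the original article or from any vendor, showing how an authentication service can tell a credential-stuffing run (one source trying many accounts) apart from a brute-force attack on a single account, and respond against the source rather than locking the account. The log lines, IP addresses, window length and thresholds are all constructed for illustration.

```python
"""Triage of failed-login bursts: credential stuffing vs brute force.

Added example, not code from the original article or from any vendor.
The log lines, IP addresses and thresholds are constructed for illustration.
The design point: act against the *source* and step up authentication,
rather than locking the targeted account, so an attacker cannot lock
legitimate users out simply by hammering their usernames.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: "<ISO-8601 UTC timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-10-06T10:00:01Z 203.0.113.7 alice FAIL
2023-10-06T10:00:02Z 203.0.113.7 bob FAIL
2023-10-06T10:00:02Z 203.0.113.7 carol OK
2023-10-06T10:00:03Z 203.0.113.7 dave FAIL
2023-10-06T10:00:04Z 203.0.113.7 erin FAIL
2023-10-06T10:00:05Z 203.0.113.7 frank FAIL
2023-10-06T10:00:10Z 198.51.100.4 alice FAIL
2023-10-06T10:00:11Z 198.51.100.4 alice FAIL
2023-10-06T10:00:12Z 198.51.100.4 alice FAIL
2023-10-06T10:00:13Z 198.51.100.4 alice FAIL
2023-10-06T10:00:14Z 198.51.100.4 alice FAIL
2023-10-06T10:00:15Z 198.51.100.4 alice FAIL
2023-10-06T10:05:00Z 192.0.2.9 alice FAIL
2023-10-06T10:05:03Z 192.0.2.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
WINDOW = timedelta(minutes=5)
STUFFING_DISTINCT_USERS = 5   # assumed threshold: accounts tried from one IP within WINDOW
BRUTE_FORCE_FAILS = 5         # assumed threshold: failures on one account from one IP within WINDOW


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return sorted(events)


def triage(events):
    """Classify each source IP and return {ip: {"kind", "action", "succeeded"}}.

    A sliding WINDOW ending at each event is examined; the first window that
    crosses a threshold decides the classification for that source.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    decisions = {}
    for ip, evs in by_ip.items():
        kind, action = "none", "allow"
        for i, (ts, _, _, _) in enumerate(evs):
            window = [e for e in evs[: i + 1] if ts - e[0] <= WINDOW]
            distinct_users = {e[2] for e in window}
            fails_per_user = defaultdict(int)
            for _, _, user, result in window:
                if result == "FAIL":
                    fails_per_user[user] += 1

            if len(distinct_users) >= STUFFING_DISTINCT_USERS:
                # Many accounts, few attempts each: a leaked credential list being replayed.
                kind = "credential_stuffing"
                action = "block source; force MFA and password reset on accounts it logged into"
                break
            if fails_per_user and max(fails_per_user.values()) >= BRUTE_FORCE_FAILS:
                # One account, many attempts: throttle the source, do not lock the account.
                kind = "brute_force"
                action = "rate-limit source; require MFA challenge for the targeted account"
                break

        # Successful logins from a flagged source are the accounts that need attention.
        succeeded = {e[2] for e in evs if e[3] == "OK"} if kind != "none" else set()
        decisions[ip] = {"kind": kind, "action": action, "succeeded": succeeded}
    return decisions


if __name__ == "__main__":
    for ip, d in triage(parse(SAMPLE_LOG)).items():
        print(f"{ip:14} {d['kind']:20} -> {d['action']}  compromised={sorted(d['succeeded'])}")
```

On the constructed log, 203.0.113.7 is flagged as credential stuffing and carol's account, which it logged into, is the one to reset; 198.51.100.4 is flagged as brute force against alice; and alice's own later login from 192.0.2.9 is still allowed, which is exactly what an account-lockout scheme would have prevented. Per-source counters are defeated by an attacker rotating through many IP addresses, so in practice they are paired with device or session fingerprinting and checks of new passwords against known-breached lists, with MFA as the control that holds when the password alone is compromised.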
In early 2023, the UK's postal service, Royal Mail, experienced significant disruption due to a ransomware attack starting in January. Consequences included prolonged delays in dispatching letters and parcels outside of the United Kingdom, as well as data theft of sensitive information. This stolen information encompassed technical details, human resources records including disciplinary files, salary and overtime payment details and even a staff member's COVID-19 vaccination records.
The previous year, 2022, presented numerous challenges for Australia, with major data breaches at Optus, Medibank Private and AHM. In 2023, Latitude Financial experienced a high-profile data breach that compromised around 14 million records, including customers' driver's licence and passport numbers.
Overwhelmingly, Personally Identifiable Information (PII) is the most frequently stolen information during a breach. This includes names, addresses, social security numbers, drivers' licences, passports, medical data, credit cards and passwords. Once obtained, this data is often sold on the dark web or other forums to perpetrate further attacks against targets.
To safeguard Personally Identifiable Information (PII), stringent regulations govern how it may be stored and handled, enforced by regulators and policy makers in each jurisdiction. Examples include the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the U.S. and, for health information, the Health Insurance Portability and Accountability Act (HIPAA), also in the U.S.
Despite these efforts, some data breaches can be attributed to organisations failing to comply with the requirements these regulations and policies set out. A significant number of incidents, however, involve threat actors silently gaining access to privileged user accounts or services. In such cases the threat actor may remain undetected until unusual behaviour is noticed or until a notification or ransom demand arrives from the attacker seeking to extort money from the individual or organisation.
Detecting abnormal behaviour is growing more challenging as the number of access vectors expands and organisations become more distributed and complex. Behaviour analysis will rely increasingly on machine learning models that can discern complex patterns within vast quantities of data. For instance, Security Information and Event Management (SIEM) systems are progressively using real-time data and engineered features from a network of interconnected systems and devices to improve their anomaly detection.
To achieve this, real-time data must be effectively collected, filtered and routed to the anomaly detector. That involves engineering temporal features, normalising data (timestamps, identities and field names arrive in different formats from different sources), enriching it with network or geolocation context and tracking events of interest from the outset, so that a baseline of normal behaviour exists before it is needed. Complex coordinated attacks on networks and systems may unfold over extended periods, allowing threat actors to amass the information they need for later stages of the attack.
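The example below is added here and is not code from the original article or from any SIEM product. It takes the preceding two paragraphs literally: a handful of constructed successful-login events arrive with mixed timestamp formats, are normalised to UTC, enriched from a constructed IP-to-location table, and featurised per user (new country, impossible travel between consecutive logins, login outside the user's observed hours) before being scored. Each user's earlier events form the baseline for the next one, which is the "from the outset" point. The weights, thresholds and geolocation table are assumptions; only successful logins are scored because the aim is to spot a compromised account in use, the silent-access case described above.

```python
"""Temporal and geolocation features for login-anomaly scoring.

Added example, not code from the original article or any SIEM product. The
events, the IP-to-location table, the weights and the thresholds are all
constructed for illustration; a real pipeline would take these from the log
collector and a geolocation database.
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed enrichment table: ip -> (country, latitude, longitude)
GEO = {
    "192.0.2.9":    ("GB", 51.51, -0.13),    # London
    "203.0.113.7":  ("GB", 53.48, -2.24),    # Manchester
    "198.51.100.4": ("AU", -33.87, 151.21),  # Sydney
}

# Constructed successful-login events. Timestamps deliberately arrive in mixed
# forms (Z suffix and explicit offsets) to show normalisation to UTC.
EVENTS = [
    {"ts": "2023-10-02T09:05:00Z", "user": "alice", "ip": "192.0.2.9"},
    {"ts": "2023-10-03T08:58:00Z", "user": "alice", "ip": "192.0.2.9"},
    {"ts": "2023-10-04T10:12:00+01:00", "user": "alice", "ip": "192.0.2.9"},
    {"ts": "2023-10-05T09:01:00Z", "user": "alice", "ip": "192.0.2.9"},
    {"ts": "2023-10-06T09:02:00Z", "user": "alice", "ip": "192.0.2.9"},
    {"ts": "2023-10-06T19:40:00+10:00", "user": "alice", "ip": "198.51.100.4"},
    {"ts": "2023-10-02T13:00:00Z", "user": "bob", "ip": "203.0.113.7"},
    {"ts": "2023-10-03T14:30:00Z", "user": "bob", "ip": "203.0.113.7"},
    {"ts": "2023-10-04T12:15:00Z", "user": "bob", "ip": "203.0.113.7"},
    {"ts": "2023-10-05T15:45:00Z", "user": "bob", "ip": "203.0.113.7"},
    {"ts": "2023-10-06T03:10:00Z", "user": "bob", "ip": "203.0.113.7"},
]

MAX_SPEED_KMH = 1000   # assumed: faster than this between two logins counts as impossible travel
HOUR_SLACK = 2         # assumed: hours allowed either side of the user's observed login hours
WEIGHTS = {"impossible_travel": 3, "new_country": 2, "off_hours": 1}  # assumed weights
ALERT_THRESHOLD = 3


def to_utc(ts):
    """Normalise an ISO-8601 timestamp with Z or a numeric offset to an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_events(events):
    """Enrich, featurise and score events in time order.

    A user's earlier events are the baseline for the next one, so the baseline
    grows from the first event onward instead of coming from a static snapshot.
    """
    history = defaultdict(list)
    scored = []
    for raw in sorted(events, key=lambda e: to_utc(e["ts"])):
        ts = to_utc(raw["ts"])
        country, lat, lon = GEO.get(raw["ip"], ("??", None, None))
        ev = {"user": raw["user"], "ts": ts, "ip": raw["ip"], "country": country, "lat": lat, "lon": lon}
        flags = []
        prior = history[ev["user"]]
        if prior:
            prev = prior[-1]
            if country not in {p["country"] for p in prior}:
                flags.append("new_country")
            if None not in (lat, lon, prev["lat"], prev["lon"]):
                hours = (ts - prev["ts"]).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], lat, lon)
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    flags.append("impossible_travel")
            seen_hours = [p["ts"].hour for p in prior]
            if not (min(seen_hours) - HOUR_SLACK <= ts.hour <= max(seen_hours) + HOUR_SLACK):
                flags.append("off_hours")
        score = sum(WEIGHTS[f] for f in flags)
        ev.update(flags=flags, score=score, alert=score >= ALERT_THRESHOLD)
        scored.append(ev)
        prior.append(ev)
    return scored


if __name__ == "__main__":
    for ev in score_events(EVENTS):
        if ev["flags"]:
            print(ev["user"], ev["ts"].isoformat(), ev["country"], ev["flags"], "ALERT" if ev["alert"] else "")
```

On the constructed data, alice's Sydney login 38 minutes after a London login is flagged for both a new country and impossible travel and crosses the alert threshold, while bob's 03:10 UTC login from his usual location is merely noted as off-hours. The hour-range baseline is deliberately simple and does not handle shifts that wrap around midnight or users who travel legitimately; a production detector would model each feature's distribution per user and feed the feature vector to a trained model rather than fixed weights, but the collection, normalisation and enrichment steps stay the same.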
In conclusion, cyber attacks and data breaches have surged across all major industries in recent years. With increasing access vectors and the escalating value of data and related services, financially motivated groups or individuals driven by political ideologies or grievances are expected to launch even more attacks. To mitigate these threats, securing public-facing applications and defending against sophisticated phishing attacks will be essential. Neglecting security measures may result in expensive repairs, disrupted critical processes, irreversible damage to brand reputation and potential fines from regulatory bodies. Organisations must find a balance between granting timely access to data services and implementing multi-layered defence systems. Restricting access to data and systems, along with real-time logging of attempts to access these resources, will become increasingly crucial for safeguarding against future cyber threats. Leveraging advanced machine learning models for near-real-time analysis and protection will be fundamental to protecting organisations from emerging threats.