What makes your typical hacker tick? We hear pretty much every day about new cyber attacks and data breaches targeting all types of organisations, from forums and social media companies all the way to federal government departments and major multinational companies. What makes one organisation a more attractive target than another, though? Are there any common threads that dictate how hackers choose their victims and, if so, how can organisations use this knowledge to tailor their defences?
Different types of hackers
Before we look at how hackers go about picking their targets, we must first examine who these hackers are. There are a multitude of different types, each with particular motivations that affect how they choose their victims and the techniques they employ.
Arguably one of the best-known types of hacker, thanks to the actions of groups like Anonymous, is the hacktivist. They’re usually inexperienced, can either work alone or as part of small cells, and often tend to be younger than other types of hacker. They are primarily motivated by ideology, targeting institutions or companies whose actions or viewpoints they disagree with. Hacktivists typically attempt to release incriminating information stolen from targets’ networks or deface websites and social media pages as a form of protest.
Targets of hacktivist activity have previously included terrorist groups like ISIS and US neo-Nazis, government entities such as the states of Michigan and North Carolina (in response to the Flint water crisis and anti-transgender policies, respectively), and private companies such as extra-marital dating site Ashley Madison. Though their methods may be brash and eye-catching, this type of hacker is actually rather rare.
In contrast to these elusive figures, the most common type of hacker is the financially motivated cyber criminal. These are often linked to organised crime syndicates, which have long recognised the potential of online crime as a revenue-generating tool, and use a wide range of different attack campaigns. Many of their activities, such as phishing scams and ransomware campaigns, are designed to work at scale, indiscriminately targeting as many potential victims as possible to maximise the odds of receiving a payout.
Other campaigns are far more targeted; several attacks involve identifying wealthy organisations and using spearphishing or direct network intrusion attempts to carry out fraud, theft or blackmail operations. These kinds of attacks are usually aimed at private sector organisations, as these are typically more cash-rich than public sector bodies and individuals.
“A weak cyber security posture that is discoverable on a quick query is the equivalent of painting a target on your back,” says Rois Ni Thuama, head of cyber governance for Purple Sift. “There’s a new email standard on its way called BIMI, and that will indicate that a company has robust email authentication standards in place. Of course, the absence of this identifier will create a new ‘tell’ for hackers so that they won’t need to run a query. They can simply send a message to someone in the company and the response will reveal to what extent this firm is vulnerable.”
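The "quick query" in the quote above is an ordinary DNS lookup of a domain's published email-authentication policy, which a defender can run against their own domains before anyone else does. The following is an added example, not part of the original article: it grades the TXT records found at `_dmarc.<domain>` (DMARC being the policy BIMI builds on); the function names, grade labels and sample records are constructed for illustration.

```python
# Added example: grade the DMARC posture anyone can read from public DNS.
# In practice the records come from a TXT lookup of _dmarc.<your-domain>.

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(txt_records):
    """Return (grade, reason) for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "exposed", "no DMARC record published"
    if len(dmarc) > 1:
        return "exposed", "multiple DMARC records, so receivers apply none"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy not in ("none", "quarantine", "reject"):
        return "exposed", "missing or invalid p= tag"
    if policy == "none":
        return "monitoring", "p=none reports on spoofed mail but does not block it"
    if not pct.isdigit() or int(pct) < 100:
        return "partial", f"p={policy} applied to only {pct}% of mail"
    return "enforced", f"p={policy} applied to all mail"


# Constructed sample records (not real domains' data).
SAMPLES = {
    "no-record.example": [],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "rollout.example": ["v=DMARC1; p=quarantine; pct=25"],
    "strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}


def audit(samples):
    """Map each domain to its grade so weak entries stand out in a report."""
    return {domain: grade_dmarc(records)[0] for domain, records in samples.items()}


if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *grade_dmarc(records))
```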
The other main category of hacker is the state-sponsored operative. These hackers operate under the banner of a particular government, and are enlisted to carry out attacks on its behalf. For the purposes of plausible deniability, they are often hacktivists or common cyber criminals whom the government in question employs on a freelance basis, but they can also be part of the state intelligence apparatus.
These nation-state actors are similar to both other types of hacker in various respects. They sometimes attack specific victims based on political motivations – often for some perceived slight, as in the case of the Sony Pictures hack, which was widely concluded to have been carried out by North Korea in response to the release of The Interview, or in Russia’s hack on the Democratic National Committee (DNC). However, they have also been observed to carry out financially motivated attacks; the same North Korean-linked group behind the Sony attack has also been accused of spreading the Magecart credit card skimmer in order to swell the country’s coffers.
“APT actors are genuinely inspired and directed by national policy aims,” explains Ian Thornton-Trump, CISO of threat intelligence company Cyjax. “They perform different offensive and defensive operations in support of those policy targets. Whilst infiltration and information exfiltration are common hallmarks of both cyber criminals and APT actors, in general APT actors are focused on espionage, disinformation, denial, disruption or destruction, normally in support of kinetic or military operations.”
What this demonstrates is that there is a wide variety of goals that hackers are seeking to accomplish when they identify potential attack targets. For the majority, the most important goal is simply to increase their personal wealth, either through direct payments in the form of ransomware decryption fees, by blackmailing victims with the threat of dumping stolen data, or by using fraud to initiate bogus money transfers.
If this is the most important factor, then it makes sense for hackers to go after those victims who are most likely to pay up, which often means wealthy companies, and preferably publicly traded ones whose share price is liable to take a nasty dip in the event of a hack being made public. An alternative tactic is to go for a mass-impact attack like ransomware distribution, which aims to gain a smaller amount from a larger number of victims.
For ideological attacks, on the other hand, the motivation becomes a touch murkier. Human nature is such that there are countless reasons why someone might take issue with a company’s actions; maybe they disagree with a particular element of your corporate values, maybe your recent actions have outraged them, or perhaps you simply represent a worldview or system that they want to strike a blow at.
Whatever the specific motivation, the aim is usually to embarrass the target, which is usually done by shining a light on things that the target would rather remained unseen. Internal emails are often a key target for hackers in this type of attack, as are financial documents which may reveal potential wrongdoing.
There is, however, one common thread that runs through almost all of the cybercrime that we see in the wild: hackers are lazy. They will usually go for the easier option, which applies just as much to their choice of victims as it does to the methods they use to attack them. No hacker will use a finely crafted zero-day if they can use a set of unchanged default credentials instead, and similarly, when presented with two potential targets, the less well-defended one will always be the first choice.
Thornton-Trump points out that hackers often cruise for easy targets on portals like Shodan, a search engine that lists unsecured internet-connected devices. “Showing up on Shodan with a complete pile of vulnerabilities… is the ‘hit me’ sign of InfoSec,” he notes, adding that social media controversy or public spats can also attract the attention of cyber criminals.
Hackers now have access to just as many scanning and analysis tools as security teams, if not more. It is relatively trivial to assess how many potential routes of entry there are into a prospective victim’s network, so it pays to make sure that your own is at least abiding by best practices. It’s like that old joke: “I don’t have to outrun the lion – I just have to outrun you.”