Internal and external threat actors: who are we talking about?

Understanding your threats is crucial in preparing for cyberattacks. But who are the people willing to compromise your information system, whether accidentally or intentionally? From malicious individuals to international cybercriminal groups, the motivations and means used to attack you can vary widely. That’s why it’s important to determine what’s relevant to you.

There are two types of threat actors to your organization: internal and external. Employees and contractors are part of your organization; they have access to your environment because they work for you. External threat actors, by contrast, are far more numerous, but they do not have direct access to your systems.

Internal threat actors

People with privileged access are a major threat to the organization. They are familiar with the company’s environment and operations, which makes them difficult to detect. Someone who no longer works for you but has retained access is still considered an internal threat, because it is your responsibility to remove access at the end of the contract. Providers who have remote access to your systems are also considered an internal threat.

Your teams unknowingly threaten your systems

Your teams can unknowingly put the organization at risk by causing incidents or outages unintentionally. This may be due to a lack of knowledge at all levels of the company:

  • The CFO makes an emergency payment following a WhatsApp message impersonating her CEO;
  • The accountant changes a supplier’s bank details after receiving an email, without checking with anyone;
  • The network administrator forgets to change the security configuration of a device;
  • The technician leaves the default password on the new surveillance camera;
  • The clerk clicks on a phishing link.

Because teams don’t understand the importance of security, or the steps to take at their level, they don’t take the time to do the necessary checks. Worse, some know what they should do but, since they don’t feel responsible, they don’t do it.

Internal fraud, the main threat for organizations

For me, this is the main threat because it is almost impossible to prevent. Indeed, a 100% secure environment would require so many controls that your teams would no longer be able to work.

You need to be skeptical and teach this attitude to your teams. Any situation that appears abnormal should be investigated. Even the specialists in a process or application who say that everything is normal can be involved in the fraud.

How a person starts to commit fraud

Fraud is not a natural and common behavior. It is the result of three elements: opportunity, pressure and rationalization.

Opportunity is the main lever on which you can act. For example, you do not give all staff access to the organization’s bank accounts. The same applies to data. You must manage access rights by determining who can access what according to the principle of least privilege. But this management also requires reviewing access regularly and removing what teams no longer need for their work.
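The access review described above, together with the point made earlier that access must be removed when a contract ends, is easy to automate once you can join an HR roster with an export of who holds which role on which system. The following is an added example and not code from the original article; the roster, the entitlement export, the 90-day staleness threshold and all names in it are constructed for the illustration.

```python
"""Access review helper (added example, not from the original article).

Joins an HR roster with an export of who holds which role on which system
and flags entitlements that should be revoked (person gone, or no matching
person at all) or reviewed (never used, or unused for too long).
All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Person:
    user: str
    kind: str                   # "employee", "contractor" or "provider"
    end_date: Optional[date]    # contract end date, None if open-ended


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str
    last_used: Optional[date]   # None: never used since it was granted


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    role: str
    action: str                 # "revoke" or "review"
    reason: str


def review_access(people: List[Person], entitlements: List[Entitlement],
                  today: date, stale_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return one Finding per entitlement that needs attention, revocations first."""
    roster = {p.user: p for p in people}
    findings = []
    for e in entitlements:
        person = roster.get(e.user)
        if person is None:
            action, reason = "revoke", "account has no matching person in the HR roster"
        elif person.end_date is not None and person.end_date < today:
            action, reason = "revoke", f"{person.kind} contract ended on {person.end_date}"
        elif e.last_used is None:
            action, reason = "review", "never used since it was granted"
        elif today - e.last_used > stale_after:
            action, reason = "review", f"not used for {(today - e.last_used).days} days"
        else:
            continue                # in use by a current person: nothing to do
        findings.append(Finding(e.user, e.system, e.role, action, reason))
    # Offboarding gaps first, then the stale or never-used rights.
    findings.sort(key=lambda f: (f.action != "revoke", f.user))
    return findings


# Constructed sample data: a small roster and an entitlement export.
TODAY = date(2024, 6, 1)

PEOPLE = [
    Person("alice", "employee", None),
    Person("bob", "contractor", date(2024, 3, 31)),   # contract over, access still present
    Person("carol", "employee", None),
    Person("vendor-svc", "provider", None),           # remote-support provider account
]

ENTITLEMENTS = [
    Entitlement("alice", "erp", "accounts-payable", date(2024, 5, 30)),
    Entitlement("alice", "erp", "bank-details-admin", date(2023, 12, 1)),  # stale right
    Entitlement("bob", "vpn", "remote-access", date(2024, 3, 28)),
    Entitlement("carol", "crm", "export-customers", None),                # never used
    Entitlement("dave", "erp", "accounts-payable", date(2024, 5, 20)),    # no HR record
    Entitlement("vendor-svc", "camera-nvr", "admin", date(2024, 5, 31)),
]


def sample_review() -> List[Finding]:
    return review_access(PEOPLE, ENTITLEMENTS, TODAY)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.action.upper():6} {f.user}@{f.system} ({f.role}): {f.reason}")
```

Run as a script it lists two revocations (the contractor whose contract ended and an account with no HR record at all) and two rights to review (a never-used export right and an administrative right untouched for six months); the provider account is left alone because it is current and in use, which is the point of reviewing by evidence rather than by job title.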

The pressure is experienced by the individual. It is often financial and out of your control. It may come from personal or family problems that affect their budget. Jealousy, exacerbated by social networks, adds to the pressure on someone who wants what others “have”. In every case, the person is looking for money.

Rationalization precedes action. This is when the employee reassures themselves of the rightness of their act. They remember that they did not get the promotion they requested, feel that they are not paid enough, or assume that it will make no difference to the organization.

From this moment on the fraud process starts, and the employee follows the following model: push – test – smile. At first they push the system, going further and further. They test the limits and the detection. If they arouse suspicion, they smile and explain that there is nothing wrong. They then adjust their fraud to stay below the detection line.

External threat actors

Since there are many of them, I separate them into four categories, based on their abilities, skill level and means.

Media and general public

The media informs. They are looking for insider news to feed their articles, even if it may hurt your reputation; this is the job of investigative journalists. Some members of the public may also want to damage your reputation, or simply use your data to fuel a debate on controversial topics.

The media and the general public do not have advanced offensive technical means to obtain information. However, they will search for what is available online, and if your data is poorly protected, they will find it. Similarly, if your staff do not understand the importance of the information they hold, journalists will be able to obtain confidential information simply by asking.

To avoid this first group of threats, you need to educate your teams. They need to know what information is confidential. People who work on strategic projects need to know this. You can have them sign confidentiality agreements, which are a great way to build awareness and accountability.

Script kiddies

Historically, these were young tech-savvy people who, from their garage, accessed the internal networks of well-known companies. Since then, script kiddies have multiplied, across all backgrounds and age groups. Their goals are to prove their skills, challenge their peers or just have fun. Obviously, the lure of easy money motivates them too, and several large organizations have set up bug bounty programs to channel and reward their efforts in a legitimate setting.

These hackers have limited technical means, but they have the advantage of time and passion. They do not necessarily target specific organizations, so applying basic protective measures is enough to deal with them.

Competitors or activists

This second group is made up of people who have more means. They are also highly motivated and target your organization directly. They will therefore spend more time finding an entry point and getting their way.

A competitor can use its internal resources or bring in a specialist to complete the project. It has a specific purpose: to steal information, to block access to your systems at a critical moment, or to alter information in order to damage your reputation.

Activists are politically motivated or act in the name of their ideology. Again, the use of specialists is common and activists spend time studying their targets.

Against all of these threats, you must identify your critical data and protect it. These groups are highly motivated: they know what they are looking for and will take the time they need to complete their projects. You need effective processes and technologies to protect your information systems from this type of threat.

States and cybercriminal groups

These two groups have significant financial and technical resources and are very powerful. They have the latest technologies, mature organizational processes and trained teams. The line between states and cybercriminal groups is blurred. In some cases, states directly support cybercriminal groups, using them as a kind of “sword arm” to carry out cyberattacks against foreign targets. Conversely, cybercriminal groups pressure their respective governments to let them conduct illegal activities online.

As far as you are concerned, you should remember that powerful groups can get what they want by using all sorts of means. If your organization is of strategic importance in your country or if the compromise of your systems can give access to “secret defense” information, I invite you, if you have not already done so, to contact your authorities to obtain technical support.

Critical infrastructures cover the sectors essential to the functioning of the economy:

  • Production, transport and distribution of energy (gas, oil and electricity)
  • Food production, transportation and distribution (from the field to the store)
  • Water supply and treatment (drinking, waste and surface)
  • Telecommunications (fiber and cable networks, wireless networks)
  • Public health services (hospitals, ambulances)
  • Transportation network (roads, railroads, ports and airports)
  • Financial services (banks)
  • Security and emergency services (police, fire department, civil defence, army)

The majority of organizations are not directly targeted. However, any organization can be a collateral victim of a targeted attack, and digital crime that finances itself aims broadly and indiscriminately. So you need to keep these threats in mind, no matter how remote they seem.

Summary of threats

Countermeasures are cumulative and stack up into a strong defense against cyberattacks. As the threat level increases, new countermeasures are added to limit the impact of an attack. It’s up to you to choose the right countermeasures for your context.

| Threats | Context | Motivation | Techniques | Protection (cumulative) |
|---|---|---|---|---|
| Media and general public | Bringing to light facts internal to a company (investigative journalism) | Monetization of facts; curiosity | Social engineering; public software and scripts for data extraction | General security awareness; privacy agreements; security testing of systems exposing data to the Internet |
| Internal accidental | Human error | None (unaware) | Misuse of systems; security configuration errors; susceptibility to phishing campaigns | Specific security training; restriction of administrative rights |
| Script kiddie | Weakly motivated and opportunistic attacks | Personal recognition; financial gain | Public software and scripts (hacking forums, communities) | System updates; vulnerability fixes |
| Competitors and activists | Intellectual property theft; unfair competition; activism | Economic intelligence; financial gain; political and ideological | Denial of service; active exploitation of vulnerabilities; employee corruption | Strong authentication; vulnerability scanning; security auditing; detection tools |
| Internal malicious | Theft of intellectual property (e.g. customer files) or fraud; sabotage | Financial gain; revenge | Escalation of privileges; social engineering | Segregation and rotation of duties, dual control; internal access review; security monitoring |
| States and cybercriminal groups | Campaigns targeting specific organizations or sectors | Financial gain; economic intelligence; geopolitics | Ransomware; social engineering; phishing; exploitation of vulnerabilities; advanced and persistent methods difficult to identify | Incident response plan; immutable backups; network segmentation; isolation and encryption of the most sensitive data |
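The "Internal malicious" row lists segregation of duties and dual control as the protection against internal fraud, and the accountant who changes a supplier's bank details after a single email is the accidental version of the same scenario. What the control looks like in practice is shown in the following added example, which is not code from the original article: the person who enters a bank-detail change can never approve it, only holders of an approver role may approve, two distinct approvers are required before the change takes effect, and every decision is written to an audit trail. The role names, user names and IBAN-like strings are constructed placeholders.

```python
"""Dual-control workflow for supplier bank-detail changes (added example,
not from the original article). Role names, users and the IBAN-like
values are constructed placeholders for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


class ControlViolation(Exception):
    """Raised when an action would break segregation of duties or dual control."""


@dataclass
class BankDetailChange:
    supplier: str
    new_iban: str
    requested_by: str
    approvals: List[str] = field(default_factory=list)


class SupplierRegistry:
    REQUIRED_APPROVALS = 2          # dual control: two distinct approvers

    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles                       # user -> roles held (least privilege)
        self.ibans: Dict[str, str] = {}          # supplier -> IBAN currently in force
        self.pending: Dict[int, BankDetailChange] = {}
        self.audit: List[str] = []               # append-only trail for security monitoring
        self._next_id = 1

    def _require_role(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            self.audit.append(f"DENIED {user} lacks role {role}")
            raise ControlViolation(f"{user} lacks role {role}")

    def request_change(self, user: str, supplier: str, new_iban: str) -> int:
        """Enter a change; nothing is applied until two approvers sign off."""
        self._require_role(user, "ap-clerk")
        change_id, self._next_id = self._next_id, self._next_id + 1
        self.pending[change_id] = BankDetailChange(supplier, new_iban, user)
        self.audit.append(f"REQUEST #{change_id} {supplier} -> {new_iban} by {user}")
        return change_id

    def approve(self, user: str, change_id: int) -> bool:
        """Record one approval; return True once the change has been applied."""
        self._require_role(user, "ap-approver")
        change = self.pending[change_id]
        if user == change.requested_by:          # segregation of duties
            self.audit.append(f"DENIED #{change_id} self-approval by {user}")
            raise ControlViolation("requester cannot approve their own change")
        if user in change.approvals:             # two approvals must come from two people
            self.audit.append(f"DENIED #{change_id} duplicate approval by {user}")
            raise ControlViolation("each approver counts once")
        change.approvals.append(user)
        self.audit.append(f"APPROVE #{change_id} by {user} "
                          f"({len(change.approvals)}/{self.REQUIRED_APPROVALS})")
        if len(change.approvals) < self.REQUIRED_APPROVALS:
            return False
        self.ibans[change.supplier] = change.new_iban
        del self.pending[change_id]
        self.audit.append(f"APPLIED #{change_id} {change.supplier}")
        return True


def demo() -> dict:
    """Walk one change through the workflow and collect what happened."""
    roles = {
        "clerk": {"ap-clerk"},
        "lead": {"ap-clerk", "ap-approver"},     # may request or approve, never both on one change
        "cfo": {"ap-approver"},
        "controller": {"ap-approver"},
    }
    reg = SupplierRegistry(roles)
    reg.ibans["ACME Ltd"] = "GB00OLD0000000000001"          # constructed placeholder
    cid = reg.request_change("lead", "ACME Ltd", "GB00NEW0000000000002")
    out = {}
    for key, user in (("self_approval", "lead"), ("no_role", "clerk")):
        try:
            reg.approve(user, cid)
        except ControlViolation as exc:
            out[key] = str(exc)
    out["first"] = reg.approve("cfo", cid)                    # 1 of 2: still pending
    out["iban_after_first"] = reg.ibans["ACME Ltd"]
    try:
        reg.approve("cfo", cid)
    except ControlViolation as exc:
        out["duplicate"] = str(exc)
    out["second"] = reg.approve("controller", cid)            # 2 of 2: applied
    out["iban"] = reg.ibans["ACME Ltd"]
    out["audit"] = reg.audit
    return out


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The requester is deliberately a user who also holds the approver role: least privilege alone would let them approve, so the self-approval check is what closes the opportunity described in the fraud triangle. The denied attempts stay in the audit trail, which is the raw material for the "security monitoring" entry in the same table row.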

How to prepare to face

With a growing number of cyber threats and attack opportunities, it is impossible to analyze every risk comprehensively. In addition, the cyber threat landscape changes rapidly, which makes such analysis ever harder. It is possible, however, to carry out a goal-oriented risk analysis that protects the essentials as quickly as possible. By targeting the most important threats first, you can then implement effective protection measures.