Domain 2 · 2.1 Threat Actors & Motivations

2.1.3 Motivations

Financial, espionage, disruption, ideology.

17 min

Threat actors are driven by specific motivations that determine their targets, methods, and the intensity of their attacks.

Financial Motivation The most common driver for cybercrime is the pursuit of monetary gain. This includes direct theft, extortion, or incurring indirect costs on a victim. - Data Theft: Targeting Personal Identifiable Information (PII) like SSNs, addresses, and biometric data, or Personal Financial Information such as credit card numbers and bank logins to sell on the dark web. - Ransomware: Encrypting data to demand payment, often leading to quantitative dollar losses from both the ransom and business downtime. - Operational Costs: Organizations face increased expenses through overtime for incident response, outsourcing remediation, and fines for non-compliance with standards like SSAE or COBIT. - Audit Risks: Neglecting software licensing or using legacy systems (e.g., Windows 7) creates vulnerabilities that lead to stiff financial penalties during audits.

Espionage Espionage involves the unauthorized theft of information to gain a competitive, political, or military advantage. - Intellectual Property (IP): State-sponsored actors or corporate spies target trade secrets, proprietary research, and "blueprints" to bypass R&D costs. - State Actors: Governments target other nations to gain tactical advantages or sensitive government data. - Competitive Advantage: Businesses may attempt to steal client lists or strategic plans from rivals.

Disruption and Sabotage The primary goal here is to diminish the target's ability to function or to damage their reputation. - Availability Attacks: Using DDoS attacks to prevent customers from accessing services, leading to delayed or lost sales. - System Damage: Deleting critical data or bricking hardware to cause chaos. - Logic Bombs: Malicious code triggered by specific conditions to disrupt services from within.

Ideological Motivation (Hacktivism) Attackers driven by political, social, or moral beliefs aim to draw attention to a cause or punish an organization they perceive as unethical. - Defacement: Changing a website’s appearance to display political messages. - Data Leaks: Releasing sensitive internal communications to embarrass a target or expose perceived wrongdoing (whistleblowing/leaking). - Social Justice: Targeting organizations based on religion, race, or geographical indicators.

Quick Recall - PII/PHI: High-value targets for financial and identity theft (names, SSNs, medical records). - Risk Mitigation: Implementing controls to reduce the impact of motivated attacks. - CIS Benchmarks: Useful frameworks for protecting small to large organizations from common threats. - Legacy Systems: Common internal vulnerabilities exploited by financially motivated actors due to lack of security support. - Trigger words: Loss of sales, intellectual property theft, hacktivism, dark web, state-sponsored.