When classifying and identifying an attacker, we need to consider two things: their motivation (why they would attack this target at all) and their resources (what training, tooling, money and support they have, or would need, to make the attack succeed).

Let me share an example:

Several years ago Sony Pictures was hacked by a group calling itself the Guardians of Peace, attributed to North Korea, because Sony was about to release a movie (The Interview, a comedy about a US plot to assassinate Kim Jong-un; https://en.wikipedia.org/wiki/Sony_Pictures_hack). Their motivation was to stop the release of a movie that harmed DPRK interests by 'defaming' the supreme leader. A likely secondary motivation was to strike at a US interest, in this case a large company.

What were their resources? Nation state hackers typically have strong academic training, intelligence community support (for reconnaissance of the target), large budgets, and whatever hardware and software the attack requires, including the ability to write their own tooling.

Let's contrast this with a 'script kiddie' who defaces websites because they can (https://www.zdnet.com/article/script-kiddies-the-nets-cybergangs/).

Their motivation is simply that they can, or maybe to prove a point, or maybe because they were bored.

What are their resources? Usually not much. Some hardware, obviously, but probably just a laptop or mobile device. Their software is usually whatever cruft they can find on forums or the dark web. Their training is usually low: they probably can't write the attack software they use, and to them it is just a hammer. They rely on 'even a blind hog finds an acorn every now and then', scanning widely for anything that happens to be vulnerable, which explains why their victims are so random.

Knowing your opponent's (attacker's, OPFOR's, red team's) motivation and resources is important, because together they indicate how likely a given attack is and how to defend against it. Usually BIG companies are concerned more about BIG threats, and BIG threats come from motivated attackers with BIG resources. By contrast, a small or medium size business doesn't usually need to worry about nation state hackers, for two reasons: 1) it doesn't have the ability to defend itself from that level of attack, and 2) there is typically nothing 'in it' for the attacker. China isn't in the business of DDoSing a local pizzeria's website because it has nothing to gain. The one caveat is that a small business which supplies or has network access to a larger, more attractive target can inherit that target's threat model, because then there is something in it for the attacker.
