
Adversarial Threat Actor Categories


A common or "consensus" threat model should be a primary goal of the security engineering community. This model should characterize the threat environment in a way that leads to risk management decisions which, in turn, produce actionable engineering outcomes.

In this categorization scheme, threat actors are grouped by their demonstrated or potential capabilities. In the concept phase of a project, the categorization scheme allows risk managers and engineers to see the kinds of capabilities that an information system must be designed to withstand, using accessible language and examples. This, in turn, should lead to a practical discussion about what is feasible in the context of the project. Alternative architectures can be traded off against cost and functionality to achieve the desired operating risk. In some cases, certain business processes and information may need to be removed from the project and considered separately. At worst, it may be determined that the project cannot achieve the desired functionality at the desired level of risk. This last outcome is not a failure, because it acknowledges a problem before the project gets off the ground. This is rare in information system security.

A useful analogy can be found in civil engineering. When constructing a bridge or building, the context of the project must consider the threat landscape. This may, for example, involve selecting the highest magnitude of earthquake that a bridge will be constructed to withstand (assume for the moment that this is not already selected by virtue of a building code). Regardless of the risk management process used to arrive at this magnitude, the result sets the engineering target for the bridge in terms of acceptable architectures and the forces that must be withstood. A number of architecture and design options can be selected to try to fit the structure into the available funding envelope. Other factors could also be considered, such as restricting the kinds of traffic that can flow on the bridge or the number of floors a building can have. Location could be changed to take advantage of environmental factors (e.g. a smaller span at a further distance from the desired location). Perhaps, after all of this, a safe bridge or building can't be built using the allocated funds. At the end of the day, there will either be a structure that is secure to the level desired or a decision point that allocates more resources or cancels the project.

Characteristics

Attribute Description
Capabilities
  • Abuses authorized access to information system functionality deliberately or by accident. Generally not intentionally malicious but rather arises from lack of training and awareness.
Resources
  • Authorized, possibly privileged access to the information system.
Risk Tolerance
  • Risk unaware.
Representative Examples
  • Information system users (employees, contractors, guests)

Capability Examples by Information System Exposure

Exposure: example capabilities (Observe, Modify, Deny)
Physical
  • Read print jobs left on the printer (printer surfing)
  • Connect unauthorized personal devices (e.g. phone, fitness trackers)
  • Use of information system for unauthorized purposes.
Logical
  • Browsing improperly secured files (e.g. shared drives).
  • Processing information on unauthorized devices (e.g. at home) or in unauthorized locations (e.g. coffee shop).
  • Incorrect data entry or modification
  • Deleting data by accident or through lack of training.
Personnel
  • Discussing sensitive information on social media.
  • Overhearing sensitive discussions (accidental).
  • (TBD)
  • (TBD)
Indirect
  • Incorrect disposal of assets containing sensitive information.
  • Installing or connecting components not received through authorized supply (e.g. swag USB sticks, gifts).
  • (TBD)

Characteristics

Attribute Description
Capabilities
  • User-level knowledge of applications.
  • Knowledge of how to set and modify configurations.
Resources
  • Access to free/low-cost tools.
Risk Tolerance
  • Risk averse (willing to take little risk)
Representative Examples
  • Information system users (employees, contractors, guests)
  • Petty criminals

Capability Examples by Information System Exposure

Exposure: example capabilities (Observe, Modify, Deny)
Physical
  • Deliberate shoulder or printer surfing (e.g. for gossip, grudge, personal agenda).
  • Connecting unauthorized personal devices (e.g. phone, fitness trackers) with full knowledge of consequences.
  • Borrowing or stealing small, attractive components (e.g. memory, media, peripherals).
Logical
  • Using application access for unauthorized personal gain (e.g. view tax returns, look up plates).
  • Modify configuration files to work around safeguards.
  • Use application access to modify files for personal gain.
  • Use application access to delete files for personal gain.
Personnel
  • Eavesdrop on conversations for personal interest.
  • Ask coworkers to share sensitive information or access.
  • Compel coworkers to perform unauthorized actions.
  • (TBD)
Indirect
  • Steal or remove components containing sensitive data from disposal process.
  • (TBD).
  • (TBD)

Characteristics

Attribute Description
Capabilities
  • Applies commonly available, pre-packaged hardware, software, and physical tools to exploit known vulnerabilities (e.g. Metasploit, Mimikatz, screwdriver, hammer, crowbar, some power tools, vehicle).
Resources
  • Access to commonly available and free/low cost tools.
  • No significant access to organized funding.
  • Access to commercially available compute and storage.
Risk Tolerance
  • Willing to take significant risk.
Representative Examples
  • Upset employees
  • Criminals
  • Activist (physical disruption, protest)

Capability Examples by Information System Exposure

Exposure: example capabilities (Observe, Modify, Deny)
Physical
  • Take documents from printers.
  • Use simple visual enhancements to view display devices (e.g. binoculars).
  • Connect unauthorized devices to accessible ports.
  • Connect unauthorized devices to restricted interfaces.
  • Use simple electromagnetic devices to inject faults or interference.
  • Unplanned theft of assets (e.g. smash and grab).
  • Deliberate theft of assets (e.g. break and enter).
  • Destroy assets (e.g. arson, vandalism, handheld EMP, USB Killer).
Logical
  • Eavesdrop on accessible logical communications channels (e.g. phone, text, wireless).
  • Install pre-packaged malware
  • Install software or hardware keyloggers
  • Delete or encrypt files (e.g. out of anger)
  • Conduct DoS or ransomware attack for personal gain.
Personnel
  • Shoulder-surf sensitive data entry.
  • Eavesdrop on targeted, sensitive conversations.
  • Compel or incentivize employees to perform unauthorized actions (e.g. blackmail, threat of violence, intimidation, extortion, bribery).
  • Influence personnel to perform unauthorized actions using social engineering techniques (e.g. pretexting, impersonation, masquerade, phishing).
  • Modify communication between individuals.
  • Keep tech support busy on a call.
Indirect
  • Purchase and analyze mass storage devices after disposal.
  • Introduce malware at integration or point of sale.
  • Steal bulk shipments of attractive or valuable assets.

Characteristics

Attribute Description
Capabilities
  • Customizes commonly available, pre-packaged hardware, software, and physical tools to exploit known vulnerabilities (e.g. Metasploit, Mimikatz, physical tools).
  • Develops or obtains uncommon hardware, software, and physical tools (e.g. lock-picking set, malware development frameworks).
  • Performs analysis to find previously unknown vulnerabilities in software, hardware and physical assets.
  • Develops limited exploits for previously unknown vulnerabilities.
Resources
  • No organized access to funding.
  • Access to peer-based labour pool (e.g. friends, clubs, like-minded groups).
  • Access to commercially available compute and storage.
  • Owns potentially significant compute resources.
Risk Tolerance
  • Risk averse (willing to take little risk).
Representative Examples
  • Security researchers
  • System administrators
  • Hacktivists
  • Experienced Hackers
  • Cyber-enabled Criminals
  • Security vendors

Capability Examples by Information System Exposure

Exposure: example capabilities (Observe, Modify, Deny)
Physical
  • Prototype and demonstrate tools to observe physical aspects of processing (e.g. RF, acoustic, visual, thermal).
  • Connect unauthorized devices to easily accessible restricted interfaces (e.g. network ports on exposed switches, keyboard cables)
  • (TBD)
Logical
  • Eavesdrop on weakly secured digital communications (e.g. wired, wireless sniffing, phone, text).
  • Install targeted malware using previously unknown vulnerabilities.
  • Install modified hardware components.
  • Delete or encrypt filesystems for political or monetary gain (e.g. wiper malware).
  • Conduct DDoS against websites for political or monetary gain (e.g. LOIC).
Personnel
  • Eavesdrop on conversations using audio and visual tools (e.g. multimedia components, camera, mic).
  • Impersonate or spoof one end of a conversation to obtain sensitive information (e.g. pretexting, phishing).
  • Prototype and demonstrate tools to observe personnel processing sensitive information (e.g. acoustic, visual, seismic, RF).
  • Influence personnel using non-violent, coercive or incentivizing methods (e.g. blackmail, bribery).
  • (TBD)
Indirect
  • Collecting and analyzing lifecycled storage media and consumables for sensitive information (e.g. drive analysis, dumpster diving).
  • Taking sensitive material from recycle bin or garbage.
  • Modify open-source code repositories.
  • Modify individual hardware or software components (e.g. gift, swag, try-and-buy schemes).
  • (TBD)

Characteristics

Attribute Description
Capabilities
  • Creates custom tools to exploit publicly known and newly discovered hardware, software, and physical vulnerabilities.
  • Purchases access to unpublished software, hardware, and physical vulnerabilities.
  • Develops frameworks and infrastructures for tool use and deployment.
Resources
  • Access to organized sources of funding.
  • Access to large labour pool.
  • Access to commercially available compute and storage. May own and operate significant compute resources.
Risk Tolerance
  • Willing to take significant risk.
Representative Examples
  • Organized crime

Capability Examples by Information System Exposure

Exposure: example capabilities (Observe, Modify, Deny)
Physical
  • Observe display devices using tools to interpret compromising visual emanations (e.g. reflections).
  • Connect purpose-built hardware (e.g. keyloggers, modified KVM switches, wireless access points).
  • Employ RF jamming and electromagnetic pulse devices to inject errors (e.g. slot machines).
  • Steal large volumes of valuable components.
  • Destroy assets or facilities (e.g. arson, explosives).
  • Use RF jamming and electromagnetic pulse devices to disable security mechanisms (e.g. on ATMs).
Logical
  • Eavesdrops on communication channels (wiretap).
  • (TBD)
  • Denies or degrades the use of data or resources for monetary gain (e.g. operates DDoS-for-hire, bitcoin mining, distribution of ransomware).
Personnel
  • Eavesdrop on sensitive conversations using complex audio and video tools (e.g. audio bugs, laser audio, parabolic dish, lipreading software).
  • Observe personnel processing sensitive information using tools to interpret compromising physical emanations (e.g. acoustic, seismic, RF).
  • Influence personnel using coercive or incentivizing methods (e.g. blackmail, threat of violence, intimidation, extortion).
  • (TBD)
Indirect
  • (TBD)
  • Use organizational hiring processes to insert human agents into an organization.
  • Modify hardware/software at integration points.
  • Steal supply shipments.

Characteristics

Attribute Description
Capabilities
  • Creates vulnerabilities in software, hardware and physical assets (through ownership or compromise of production).
  • Creates new tools and customizes existing tools to exploit publicly known and undisclosed vulnerabilities.
  • Performs analysis to find new, undisclosed vulnerabilities in software, hardware and physical assets.
  • Develops automation frameworks for vulnerability exploitation.
  • Purchases access to unknown vulnerabilities.
Resources
  • Access to highly capable, classified/state-funded tools.
  • Access to unlimited funding.
  • Access to unlimited labour pool.
  • Access to unlimited non-public compute resources.
Risk Tolerance
  • Risk averse (willing to take little risk).
Representative Examples
  • Nation states
  • Well-funded state sponsored groups

Capability Examples by Information System Exposure

Exposure Examples
Physical
  • Obtain sensitive information from physical processing, storage or communication elements
    • Obtains sensitive information by observation of display devices using complex visual enhancements
    • Obtains sensitive information by observation of acoustic, thermal, or vibration properties of an IT asset.
    • Observes and interprets accidental or deliberate compromising emanations (e.g. reading monitors, using RF retroreflectors)
  • Modify physical processing, storage, or communication elements
    • Covertly modifying information system hardware components (e.g. adds custom designed circuitry to server motherboard).
    • Selectively injecting electromagnetic energy to induce errors or interference.
  • Deny the use of physical processing, storage, or communication elements.
    • Using non-nuclear based EMP to destroy computers.
    • Using directed high energy RF to disable computers.
    • Conducting narrowband spectrum jamming.
Logical
  • Obtain sensitive information from logical components (units of execution, data structures) or communications between components.
    • Observes sensitive information through sophisticated covert- and side-channel mechanisms.
    • Observes sensitive information on protected communications links using cryptanalysis, source key compromise, and strategic vendor relationships.
  • Modify logical components (flow of execution, data structures) or communications between components.
    • Exploiting undisclosed vulnerabilities in applications in order to run sophisticated arbitrary code.
  • Deny the use of logical components (flow of execution, data structures) or communications between components.
    • None
Personnel
  • Obtain sensitive information by observing personnel actions or communications
    • Covertly observes personnel to obtain sensitive information (intercepting or wiretapping conversations, eavesdropping, using complex tools for observation through windows and walls, intercepting conversations, developing software tools to activate device sensors, planting complex bugs).
  • Influence the actions of personnel or communications between personnel.
    • Influencing personnel vulnerable to recruitment.
    • Influencing personnel using coercive or incentivizing methods (e.g. blackmail, threat of violence, intimidation, extortion, bribery).
    • Influencing personnel using social engineering (e.g. pretexting, impersonation, masquerade, phishing).
  • Prevent personnel from processing or communicating normally.
    • Sustained engagement (e.g. keeping key personnel busy)
Indirect
  • Obtain sensitive information from development, procurement, maintenance, or retirement processes and/or supporting information systems.
    • Collecting and analyzing lifecycled storage media and consumables for sensitive information (e.g. drive analysis, dumpster diving).
  • Modify components during development, procurement, maintenance, or retirement processes.
    • Interdicting and modifying hardware during shipping.
    • Using organizational hiring processes to insert human agents into an organization.
    • Creating or dominating an industry sector in order to become the main source of supply.
  • Prevent the operation of critical components through development, procurement, maintenance, or retirement processes.
    • Acquiring and closing critical supply chain elements.
    • Destroying key supply facilities through covert operations (e.g. arson).

Characteristics

Attribute Description
Capabilities
  • Destroys assets or people to achieve tactical or strategic objectives.
  • Creates vulnerabilities in software, hardware and physical assets (through ownership or compromise of production).
  • Creates new tools and customizes existing tools to exploit publicly known and undisclosed vulnerabilities.
  • Performs analysis to find new, undisclosed vulnerabilities in software, hardware and physical assets.
  • Develops automation frameworks for vulnerability exploitation.
  • Purchases access to unknown vulnerabilities.
Resources
  • Access to highly capable, classified/state-funded tools.
  • Access to unlimited funding.
  • Access to unlimited labour pool.
  • Access to unlimited non-public compute resources.
  • Access to military support for operations against logical, physical, personnel, and indirect exposures.
Risk Tolerance
  • Risk indifferent (willing to take significant risk).
Representative Examples
  • Nation-states (Td6 threat actors) in time of crisis or war.
  • Foreign military

Capability Examples by Information System Exposure

Exposure Examples
Physical
  • Obtain sensitive information from physical processing, storage or communication elements
    • Obtains sensitive information by observation of display devices using complex visual enhancements
    • Obtains sensitive information by observation of acoustic, thermal, or vibration properties of an IT asset.
    • Observes and interprets accidental or deliberate compromising emanations (e.g. reading monitors, using RF retroreflectors)
  • Modify physical processing, storage, or communication elements
    • Covertly modifying information system hardware components (e.g. adds custom designed circuitry to server motherboard).
    • Selectively injecting electromagnetic energy to induce errors or interference.
  • Deny the use of physical processing, storage, or communication elements.
    • Destroy information system facilities using kinetic strikes.
    • Using non-nuclear based EMP to destroy information and C2 systems.
    • Using directed high energy RF to disable computers.
    • Conducting wideband and narrowband spectrum jamming.
Logical
  • Obtain sensitive information from logical components (units of execution, data structures) or communications between components.
    • Activates deeply embedded hardware, firmware, or software agents to obtain sensitive operations information.
  • Modify logical components (flow of execution, data structures) or communications between components.
    • Activates deeply embedded hardware, firmware, or software agents to influence or modify situation awareness.
  • Deny the use of logical components (flow of execution, data structures) or communications between components.
    • Conducting national scale denial of service attacks against critical infrastructure or services.
    • Activates deeply embedded hardware, firmware, or software agents to deny the use of information or C2 systems.
    • Activates deeply embedded hardware, firmware, or software agents to deny the use of weapons systems.
Personnel
  • Obtain sensitive information by observing personnel actions or communications
    • None
  • Influence the actions of personnel or communications between personnel.
    • Activates deeply embedded human sleeper agents for offensive operations.
  • Prevent personnel from processing or communicating normally.
    • Kills, maims or otherwise disables key personnel critical to the operation of the information system.
Indirect
  • Obtain sensitive information from development, procurement, maintenance, or retirement processes and/or supporting information systems.
    • None.
  • Modify components during development, procurement, maintenance, or retirement processes.
    • None.
  • Prevent the operation of critical components through development, procurement, maintenance, or retirement processes.
    • Destroying key supply facilities or shipments using kinetic strikes.