How threat actors perform cyber attacks

Written by Jack Durrant, Associate Director, BA (Hons) ACII

I read an interesting piece recently, which stated: “three golden rules to ensure computer security are: do not own a computer, do not power it on, and do not use it”. The reality of cyber security really is that profound. I don’t think anyone is completely protected from cyber-attacks unless they do not own any technology. 

The media and Hollywood portray hackers as someone sitting in a dark room, with monitors that look like The Matrix, green letters floating down a monitor with progress bars and crypto symbols everywhere. The reality of cyber-attacks and threat actors in the real world is very different.

What is a threat actor?

To put it simply, a threat actor is someone who performs nefarious activities for the benefit of themselves or an organised group (usually based on either moral or political views although some are even state-backed).

Some terms you may see used to describe hackers are white hat, black hat, or grey hat. White hat threat actors are the good guys: they try to think like the bad guys, find and exploit vulnerabilities, and report them to the people who can improve the security of the software. Black hat threat actors are the opposite, exposing system vulnerabilities for their own, or their organisation's, gain. There are also grey hat threat actors, who have good intentions and do not usually aim to cause harm, but who will often use their techniques without the consent of the site or software owners.

What we are interested in is how a threat actor might go about breaking into your systems.

Social engineering

Social engineering is the most common type of attack, which can be easily recognised. Put simply, it’s when someone uses clever societal tactics in order to gain the trust of a victim. This usually leads to further strategies which are employed by the threat actor to gain something material from the interaction. This might include, but is not limited to, planting programs or software into someone’s device/network, changing or manipulating invoice information, or getting passwords by word of mouth. 

Even simple things like ‘tailgating’ through security doors into buildings are a version of social engineering. The simplest case of social engineering is the person with a high visibility jacket, a hard hat, and a clipboard who made their way into Wembley Stadium to watch the European Cup Final a few years ago. Although this was mostly harmless fun, the same tactic is often employed by threat actors to gain access to restricted areas within workplaces. Once a threat actor has access, they will usually have a plan to intercept data, give themselves remote access, or garner further information from employees which they can use later.

Brute force - The first great password heist

Brute force attacks, although sounding extremely technical, really aren’t that complicated. Most websites detect brute force attempts by blocking repeated wrong attempts for a certain time, or by only allowing three wrong attempts before forcing a password reset. This however does not guarantee protection. 

Brute force attacks have become more sophisticated after millions of unhashed passwords made their way onto the dark web (55 Important Password Statistics You Should Know: 2024 Breaches & Reuse Data - Financesonline.com). Fairly basic brute force software, optimised against common password patterns, has become much more capable. This, combined with more regular password breaches, means that the same password shared by a single user between sites could spell disaster for account protection.

One telling statistic about password security is that around 50 per cent of internet users still use the same password for all their accounts, and even using variations of the same password makes hacking far easier. This is why it's so important to use a mixture of passwords as a minimum standard, but for extra protection you should use complicated passwords with different letters, numbers and special characters, and better than all of these is to use multi-factor authentication to validate your login activity.
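The lockout behaviour described above, as an added example that is not from the article: a per-account guard that counts consecutive failed logins and blocks further attempts for a cooling-off period after three failures. The class name, thresholds and sample credentials are assumptions for illustration.

```python
# Added example: timed account lockout after repeated failed logins.
# Names, thresholds and the sample credential store are assumptions.
from collections import defaultdict
import hmac

MAX_FAILURES = 3        # wrong attempts tolerated before the lock engages (assumed)
LOCKOUT_SECONDS = 900   # 15-minute block, a common choice (assumed)


class LoginGuard:
    """Tracks consecutive failed logins per account and enforces a timed lockout."""

    def __init__(self, credentials):
        # credentials: {username: password}. Constructed sample data only;
        # a real system stores salted password hashes, never plaintext.
        self._creds = credentials
        self._failures = defaultdict(int)   # username -> consecutive failures
        self._locked_until = {}             # username -> unix time the lock expires

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def attempt(self, user, password, now):
        """Returns 'locked', 'ok' or 'fail'. `now` is a unix timestamp."""
        if self.is_locked(user, now):
            return "locked"                 # do not even check the password
        expected = self._creds.get(user, "")
        # Constant-time comparison so timing does not leak how much of the
        # password matched. Unknown users are counted too, so probing a
        # non-existent account is rate limited the same way.
        if user in self._creds and hmac.compare_digest(expected.encode(), password.encode()):
            self._failures[user] = 0        # a success resets the counter
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0        # counter restarts once the lock expires
        return "fail"


def simulate(guard, attempts):
    """Replays (time, user, password) tuples against the guard and returns the outcomes."""
    return [guard.attempt(user, password, when) for when, user, password in attempts]
```

Note that the guard only slows guessing against one account; it does nothing against a reused password that has already leaked from another site, which is why the article's advice on unique passwords and multi-factor authentication still applies.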

To think of these brute force attacks in real terms, I’d suggest researching Alan Turing and viewing the film The Imitation Game, which depicts essentially the same thing: he brute forced the Enigma code.
 

Zero-day

Zero-day exploits are amongst the most dangerous for large organisations and businesses that operate globally. Smaller businesses can be affected by them too, but they are more concerning for large businesses because of the type of threat actor who usually carries out these attacks and the targets they choose.

Zero-day exploits will usually take months of research for teams of hackers and are often state-backed. Entire countries can indeed be victims or perpetrators of these types of attacks.

Because of the cost to research and implement, they’re usually only used on larger targets, and many zero-day exploits will have very limited use because software companies will patch them as a matter of urgency. For example, there is seemingly quarterly news about iPhone vulnerabilities which give others access to your files by using some combination of software and hardware to infiltrate the operating system. While they are far less common, they target larger organisations and they are difficult to defend against. For most businesses, the best way to protect yourself is by regularly patching your software according to the manufacturer’s instructions.

Phishermen reeling us in...

By now, we’ve all heard of phishing. It comes in lots of different guises: the 419 scam, also known as the Nigerian Prince scam, and the ‘hey mum’ scam are both attempts at phishing. This involves sending multiple emails or texts to attempt to get the victim to allow access or send money to the perpetrator, thereby defrauding them. These are common and thankfully many are relatively low value, although there are instances of businesses experiencing this and losing millions. Belgium-based Crelan Bank lost £57m due to an email fraud scam back in 2016.

How CEO impersonation fraud works | Delano News

These, although well known and more common, continue to evolve, and I’ve already warned of the impact that high-quality AI will have on these types of attacks. Because many threat actors operate overseas, we often see small errors with grammar which raise red flags; however, I believe these errors will become less noticeable in time.
 

Third-party compromise

This is important because ultimately you or your business can’t control this. We have seen numerous instances of losses or data breaches arising from perpetrators activating their ploy via a third party. In these instances, the most important thing to do is encourage your suppliers and customers to get cyber protection and educate themselves about possible threats.

We recently saw an incident of the Manchester police force losing their employee data via a breach of the company that supplies their ID cards (More than 20,000 details 'at risk' after police data cyber-attack - BBC News). This is just one example of a third party causing another company’s data loss or breach.

I would warn clients of the risks of dealing with suppliers who don’t have rigorous protocols for their cyber security. You should ask if your suppliers have cyber insurance cover and a cyber security policy, so you can understand who you're dealing with and their chances of falling victim to a cyber-attack and dragging your business down with them.
 

Malware

Malware can make its way onto your system via several routes. It may gain access through social engineering with a keylogger plugged into your computer, via a phishing attack and an individual inadvertently clicking a link, or even via a third party being compromised.

The important thing to know here is that this can give threat actors access to systems, data, and even some control of your network. This is particularly dangerous because threat actors can wait until the most opportune moment to commit an attack, or when you’re least able to counteract it.

On the way out of your systems, threat actors will often exfiltrate data as a bargaining tool for ransom, or deny access to systems where they can leverage this for higher settlements. 
 

What can business owners really do?

While nobody is completely immune from attack, you can make yourself a very difficult target. The best thing to do is to learn from the insurance companies, ask your broker for a cyber report, and to price up coverage options for your business.

By arming yourself with a robust and fit-for-purpose cyber insurance policy, with 24/7 response and risk management support, you’re not only getting yourself help with the ICO, and with recovery if the worst does happen, but you also benefit from services designed to implement the very best in protections before the event of a cyber-attack to ensure you can weather the storm of threat activity.