WEBVTT

1
00:00:00.000 --> 00:00:01.260
<v Presenter>In this lesson,</v>

2
00:00:01.260 --> 00:00:04.800
we will learn about threat actor motivation.

3
00:00:04.800 --> 00:00:08.220
Threat actor motivations are the underlying reasons

4
00:00:08.220 --> 00:00:10.680
or goals that drive an attacker

5
00:00:10.680 --> 00:00:14.850
to target a specific organization or system.

6
00:00:14.850 --> 00:00:19.800
Threat actor motivations include geopolitical, espionage,

7
00:00:19.800 --> 00:00:24.390
financial, activism, and notoriety factors.

8
00:00:24.390 --> 00:00:29.100
Geopolitical motivations often involve nation-state actors

9
00:00:29.100 --> 00:00:33.450
seeking to disrupt or influence another country's political

10
00:00:33.450 --> 00:00:35.550
or economic stability.

11
00:00:35.550 --> 00:00:38.280
Espionage is driven by the desire

12
00:00:38.280 --> 00:00:40.740
to steal sensitive information,

13
00:00:40.740 --> 00:00:44.790
such as intellectual property or state secrets.

14
00:00:44.790 --> 00:00:48.990
Financially-motivated attackers seek monetary gain,

15
00:00:48.990 --> 00:00:53.460
usually through activities like ransomware attacks or fraud.

16
00:00:53.460 --> 00:00:56.670
Activists, often known as hacktivists,

17
00:00:56.670 --> 00:01:00.150
aim to promote a political or social cause

18
00:01:00.150 --> 00:01:04.260
by disrupting services or leaking information.

19
00:01:04.260 --> 00:01:08.160
And notoriety-driven attackers, including thrill seekers

20
00:01:08.160 --> 00:01:11.340
or those seeking to build a reputation,

21
00:01:11.340 --> 00:01:14.010
may target high-profile systems

22
00:01:14.010 --> 00:01:17.310
to gain recognition or bragging rights.

23
00:01:17.310 --> 00:01:20.160
Let's learn more about geopolitical,

24
00:01:20.160 --> 00:01:23.610
espionage, financial, activism,

25
00:01:23.610 --> 00:01:26.970
and notoriety threat actor motivations.

26
00:01:26.970 --> 00:01:30.210
First, we have geopolitical.

27
00:01:30.210 --> 00:01:34.410
Geopolitical motivations are driven by nation-states

28
00:01:34.410 --> 00:01:37.560
aiming to disrupt or influence the political

29
00:01:37.560 --> 00:01:41.250
or economic stability of another country.

30
00:01:41.250 --> 00:01:44.580
These attackers target critical infrastructure,

31
00:01:44.580 --> 00:01:47.940
financial systems, or government networks

32
00:01:47.940 --> 00:01:52.710
to create instability or gain strategic advantage.

33
00:01:52.710 --> 00:01:56.400
For example, advanced persistent threat groups

34
00:01:56.400 --> 00:01:59.310
often tied to specific governments

35
00:01:59.310 --> 00:02:04.310
execute long-term covert campaigns to achieve these goals.

36
00:02:04.770 --> 00:02:08.220
One notable example is the Russian APT,

37
00:02:08.220 --> 00:02:12.450
or advanced persistent threat group, known as Fancy Bear.

38
00:02:12.450 --> 00:02:17.450
Fancy Bear has allegedly been involved in influencing the US,

39
00:02:17.460 --> 00:02:22.020
French, German, and Ukrainian national elections

40
00:02:22.020 --> 00:02:26.070
by targeting systems to manipulate public opinion.

41
00:02:26.070 --> 00:02:29.730
Their activities have reportedly included hacking

42
00:02:29.730 --> 00:02:32.040
and leaking sensitive information

43
00:02:32.040 --> 00:02:34.770
to sway voter perspectives.

44
00:02:34.770 --> 00:02:37.320
As an aside, in the real world,

45
00:02:37.320 --> 00:02:39.510
you will see the term APT

46
00:02:39.510 --> 00:02:42.090
or advanced persistent threat used

47
00:02:42.090 --> 00:02:44.610
to describe both threat groups

48
00:02:44.610 --> 00:02:48.660
and tactics, techniques, and procedures, or TTPs,

49
00:02:48.660 --> 00:02:51.810
that sophisticated attack groups use.

50
00:02:51.810 --> 00:02:55.590
This is because, at first, APTs were identified

51
00:02:55.590 --> 00:02:59.010
as sophisticated groups monetarily supported

52
00:02:59.010 --> 00:03:00.540
by nation-states,

53
00:03:00.540 --> 00:03:05.220
and over time, those nation-states' sophisticated actors

54
00:03:05.220 --> 00:03:09.780
were better identified by the TTPs or tactics, techniques,

55
00:03:09.780 --> 00:03:12.300
and procedures that they use.

56
00:03:12.300 --> 00:03:14.310
Nowadays, threat actor groups

57
00:03:14.310 --> 00:03:17.850
may not need nation-state funding to support

58
00:03:17.850 --> 00:03:21.930
and launch sophisticated APT-level attacks.

59
00:03:21.930 --> 00:03:24.750
So the term APT is now being used

60
00:03:24.750 --> 00:03:28.080
to represent sophisticated TTPs

61
00:03:28.080 --> 00:03:29.880
and is not necessarily meant

62
00:03:29.880 --> 00:03:33.000
to represent nation-state support.

63
00:03:33.000 --> 00:03:35.580
At any rate, nation-state actors

64
00:03:35.580 --> 00:03:37.980
often target specific sectors

65
00:03:37.980 --> 00:03:42.780
like elections, energy, finance, or healthcare.

66
00:03:42.780 --> 00:03:46.680
Knowing that these actors aim to destabilize economies

67
00:03:46.680 --> 00:03:49.410
or influence policy decisions,

68
00:03:49.410 --> 00:03:52.920
organizations can implement enhanced monitoring

69
00:03:52.920 --> 00:03:57.000
and threat intelligence to stay ahead of these threats.

70
00:03:57.000 --> 00:04:00.390
By focusing on geopolitical motivations,

71
00:04:00.390 --> 00:04:03.450
businesses can tailor defenses to detect

72
00:04:03.450 --> 00:04:07.530
and respond to complex, long-term threats

73
00:04:07.530 --> 00:04:10.140
that seek to exploit vulnerabilities

74
00:04:10.140 --> 00:04:13.860
and disrupt society on a national scale.

75
00:04:13.860 --> 00:04:16.620
Second, we have espionage.

76
00:04:16.620 --> 00:04:20.880
Espionage is all about stealing sensitive data,

77
00:04:20.880 --> 00:04:24.390
whether it's intellectual property, trade secrets,

78
00:04:24.390 --> 00:04:26.730
or government information.

79
00:04:26.730 --> 00:04:29.460
Motivated by competitive advantage

80
00:04:29.460 --> 00:04:31.500
or intelligence gathering,

81
00:04:31.500 --> 00:04:34.893
these attackers often operate as APTs,

82
00:04:35.850 --> 00:04:38.970
staying hidden for extended periods of time

83
00:04:38.970 --> 00:04:41.940
to access valuable information.

84
00:04:41.940 --> 00:04:45.330
A well-known espionage-motivated attack

85
00:04:45.330 --> 00:04:47.340
was the SolarWinds breach,

86
00:04:47.340 --> 00:04:51.540
where allegedly the Russian-backed APT29,

87
00:04:51.540 --> 00:04:56.540
known as Cozy Bear, inserted a backdoor called SUNBURST

88
00:04:56.640 --> 00:04:58.500
into software updates,

89
00:04:58.500 --> 00:05:01.410
allowing them to access sensitive government

90
00:05:01.410 --> 00:05:03.600
and corporate networks.

91
00:05:03.600 --> 00:05:06.900
Understanding espionage-driven attackers

92
00:05:06.900 --> 00:05:10.530
means recognizing the threat to confidential data

93
00:05:10.530 --> 00:05:13.980
and knowing they aim to remain undetected,

94
00:05:13.980 --> 00:05:17.370
accessing systems for as long as possible

95
00:05:17.370 --> 00:05:19.440
without triggering alerts.

96
00:05:19.440 --> 00:05:22.710
Then protecting against espionage threats

97
00:05:22.710 --> 00:05:26.070
involves strengthening data access controls,

98
00:05:26.070 --> 00:05:29.160
monitoring for unusual access patterns,

99
00:05:29.160 --> 00:05:32.190
and ensuring regular security checks

100
00:05:32.190 --> 00:05:35.190
on software and system updates.

101
00:05:35.190 --> 00:05:39.450
In the end, knowing that espionage-motivated attackers

102
00:05:39.450 --> 00:05:42.480
are seeking specific types of information

103
00:05:42.480 --> 00:05:45.960
helps organizations prioritize protection

104
00:05:45.960 --> 00:05:47.990
for their most sensitive data.

105
00:05:47.990 --> 00:05:52.350
And by understanding the espionage motivation,

106
00:05:52.350 --> 00:05:54.990
companies can recognize the importance

107
00:05:54.990 --> 00:05:57.930
of preventing unauthorized access,

108
00:05:57.930 --> 00:06:02.340
reducing the risk of long-term data exposure.

109
00:06:02.340 --> 00:06:06.720
Third, we have financially-motivated attacks.

110
00:06:06.720 --> 00:06:10.260
Financially-motivated attackers are typically driven

111
00:06:10.260 --> 00:06:12.810
by the desire to make money,

112
00:06:12.810 --> 00:06:16.230
often through tactics like ransomware, fraud,

113
00:06:16.230 --> 00:06:17.940
and data theft.

114
00:06:17.940 --> 00:06:21.240
Organized crime groups are major players here,

115
00:06:21.240 --> 00:06:25.950
using well-funded, sophisticated methods to extort money

116
00:06:25.950 --> 00:06:28.470
or steal data for profit.

117
00:06:28.470 --> 00:06:32.130
A recent example involves ransomware attacks

118
00:06:32.130 --> 00:06:34.140
from groups like DarkSide,

119
00:06:34.140 --> 00:06:37.110
which targeted companies' critical systems,

120
00:06:37.110 --> 00:06:42.090
and demanded substantial ransoms to restore operations.

121
00:06:42.090 --> 00:06:44.010
DarkSide gained attention

122
00:06:44.010 --> 00:06:47.250
with its attack on the Colonial Pipeline,

123
00:06:47.250 --> 00:06:49.350
which disrupted fuel supplies

124
00:06:49.350 --> 00:06:52.440
along the United States' East Coast,

125
00:06:52.440 --> 00:06:57.210
leading to significant economic and logistical challenges.

126
00:06:57.210 --> 00:07:00.510
The group's tactics included encrypting data

127
00:07:00.510 --> 00:07:03.390
and threatening to leak sensitive information

128
00:07:03.390 --> 00:07:05.460
if their demands were not met,

129
00:07:05.460 --> 00:07:08.250
pressuring victims to pay quickly.

130
00:07:08.250 --> 00:07:13.250
So financial motivations often lead to high-pressure attacks

131
00:07:13.380 --> 00:07:17.460
with criminals focused on obtaining immediate payoffs,

132
00:07:17.460 --> 00:07:21.960
often using disruptive tactics that halt business functions

133
00:07:21.960 --> 00:07:24.390
until their demands are met.

134
00:07:24.390 --> 00:07:26.970
Understanding the financial motivation

135
00:07:26.970 --> 00:07:31.530
behind these attacks helps businesses recognize areas

136
00:07:31.530 --> 00:07:34.230
vulnerable to ransom or theft,

137
00:07:34.230 --> 00:07:38.580
such as customer data or financial records.

138
00:07:38.580 --> 00:07:42.630
Then by implementing strategies like data backups,

139
00:07:42.630 --> 00:07:44.760
employee training on phishing,

140
00:07:44.760 --> 00:07:46.800
and endpoint protection,

141
00:07:46.800 --> 00:07:49.920
organizations can reduce their exposure

142
00:07:49.920 --> 00:07:52.830
to financially-motivated attacks.

143
00:07:52.830 --> 00:07:56.220
In the end, recognizing the attacker's emphasis

144
00:07:56.220 --> 00:08:00.720
on quick financial gain allows companies to stay alert

145
00:08:00.720 --> 00:08:05.670
for suspicious activities that hint at ransomware or fraud.

146
00:08:05.670 --> 00:08:08.220
Fourth, we have activism.

147
00:08:08.220 --> 00:08:12.040
Activism-motivated attackers, known as hacktivists,

148
00:08:12.040 --> 00:08:16.890
conduct attacks to advance a political or social cause.

149
00:08:16.890 --> 00:08:20.760
These attackers, often part of a hacktivist group,

150
00:08:20.760 --> 00:08:24.450
target organizations or individuals they see

151
00:08:24.450 --> 00:08:29.220
as opposing their values or as harmful to society.

152
00:08:29.220 --> 00:08:32.250
A prominent hacktivist group, Anonymous,

153
00:08:32.250 --> 00:08:35.340
has launched various cyber campaigns

154
00:08:35.340 --> 00:08:38.160
including those against organizations

155
00:08:38.160 --> 00:08:41.730
that they perceive as corrupt or unjust.

156
00:08:41.730 --> 00:08:44.580
An example of Anonymous' activism

157
00:08:44.580 --> 00:08:48.390
was an operation in Tunisia in 2011

158
00:08:48.390 --> 00:08:51.840
where the group supported pro-democracy protests

159
00:08:51.840 --> 00:08:53.940
during the Arab Spring.

160
00:08:53.940 --> 00:08:56.400
In response to internet censorship

161
00:08:56.400 --> 00:08:58.200
and government repression,

162
00:08:58.200 --> 00:09:00.660
Anonymous launched cyber attacks

163
00:09:00.660 --> 00:09:03.360
against Tunisian government websites,

164
00:09:03.360 --> 00:09:07.320
including those of the prime minister and president.

165
00:09:07.320 --> 00:09:10.170
They also provided Tunisians with tools

166
00:09:10.170 --> 00:09:12.810
to bypass government internet blocks,

167
00:09:12.810 --> 00:09:16.860
aiming to empower citizens to access information

168
00:09:16.860 --> 00:09:20.490
and organize protests against the regime.

169
00:09:20.490 --> 00:09:24.600
So hacktivist attacks can disrupt services,

170
00:09:24.600 --> 00:09:26.250
leak sensitive data,

171
00:09:26.250 --> 00:09:30.690
or damage reputations to bring attention to their cause

172
00:09:30.690 --> 00:09:34.470
rather than financial gain or espionage.

173
00:09:34.470 --> 00:09:37.560
By understanding activism motivations,

174
00:09:37.560 --> 00:09:40.710
organizations can anticipate attacks

175
00:09:40.710 --> 00:09:43.740
based on political or social events

176
00:09:43.740 --> 00:09:47.460
and ensure systems are secure against disruptions

177
00:09:47.460 --> 00:09:49.200
or data leaks.

178
00:09:49.200 --> 00:09:53.790
Knowing that activists seek attention and public impact,

179
00:09:53.790 --> 00:09:56.490
companies can monitor external mentions

180
00:09:56.490 --> 00:10:00.210
and threat intelligence to anticipate attacks.

181
00:10:00.210 --> 00:10:03.990
In the end, awareness of activism-based motives

182
00:10:03.990 --> 00:10:07.290
helps organizations manage public relations

183
00:10:07.290 --> 00:10:09.030
and safeguard data,

184
00:10:09.030 --> 00:10:12.030
especially when a controversial issue

185
00:10:12.030 --> 00:10:14.100
could make them a target.

186
00:10:14.100 --> 00:10:17.640
Fifth and last, we have notoriety.

187
00:10:17.640 --> 00:10:21.720
Notoriety-motivated attackers are driven by the desire

188
00:10:21.720 --> 00:10:24.030
for attention, recognition,

189
00:10:24.030 --> 00:10:26.760
or status within hacker communities.

190
00:10:26.760 --> 00:10:31.320
These threat actors, often script kiddies or thrill seekers,

191
00:10:31.320 --> 00:10:34.710
use readily available tools to disrupt systems

192
00:10:34.710 --> 00:10:36.690
and cause downtime,

193
00:10:36.690 --> 00:10:38.910
often without fully understanding

194
00:10:38.910 --> 00:10:41.070
the techniques they employ.

195
00:10:41.070 --> 00:10:45.420
Their primary aim is visibility or bragging rights

196
00:10:45.420 --> 00:10:47.880
rather than causing serious harm

197
00:10:47.880 --> 00:10:50.610
or achieving financial gain.

198
00:10:50.610 --> 00:10:54.900
A notable example of a group motivated by notoriety

199
00:10:54.900 --> 00:10:56.790
is the LAPSUS$ group.

200
00:10:56.790 --> 00:10:58.860
The LAPSUS$ group gained attention

201
00:10:58.860 --> 00:11:03.860
by breaching large organizations like Microsoft and Nvidia,

202
00:11:03.960 --> 00:11:06.780
often using basic tactics like phishing

203
00:11:06.780 --> 00:11:08.550
or social engineering.

204
00:11:08.550 --> 00:11:11.340
While their attacks lacked sophistication,

205
00:11:11.340 --> 00:11:14.520
they still created significant disruption,

206
00:11:14.520 --> 00:11:18.570
impacting Microsoft's and Nvidia's business reputation

207
00:11:18.570 --> 00:11:20.910
and operational stability.

208
00:11:20.910 --> 00:11:24.810
So understanding notoriety-driven motivations

209
00:11:24.810 --> 00:11:29.190
helps organizations recognize the risk of low-skill,

210
00:11:29.190 --> 00:11:33.180
high-impact attacks that aim to create noise

211
00:11:33.180 --> 00:11:35.580
rather than breach security.

212
00:11:35.580 --> 00:11:38.850
By securing publicly-accessible systems

213
00:11:38.850 --> 00:11:42.300
and monitoring for unusual traffic spikes,

214
00:11:42.300 --> 00:11:47.130
organizations can quickly detect and mitigate these attacks.

215
00:11:47.130 --> 00:11:51.210
So remember, threat actor motivations

216
00:11:51.210 --> 00:11:54.540
are the driving forces behind attacks,

217
00:11:54.540 --> 00:11:58.020
and they include geopolitical, espionage,

218
00:11:58.020 --> 00:12:02.520
financial, activism, and notoriety factors.

219
00:12:02.520 --> 00:12:07.520
Geopolitical motivations often involve nation-state actors

220
00:12:07.560 --> 00:12:12.030
aiming to disrupt or influence another country's political

221
00:12:12.030 --> 00:12:14.130
or economic stability.

222
00:12:14.130 --> 00:12:16.050
Espionage-driven attacks

223
00:12:16.050 --> 00:12:19.140
focus on stealing sensitive information

224
00:12:19.140 --> 00:12:20.580
such as trade secrets

225
00:12:20.580 --> 00:12:23.280
or state intelligence for competitive

226
00:12:23.280 --> 00:12:25.590
or strategic advantage.

227
00:12:25.590 --> 00:12:29.250
Financially-motivated attackers seek profit,

228
00:12:29.250 --> 00:12:31.890
commonly through ransomware or fraud,

229
00:12:31.890 --> 00:12:33.480
often targeting data

230
00:12:33.480 --> 00:12:36.810
that can yield quick monetary returns.

231
00:12:36.810 --> 00:12:41.160
Activism, in this context also known as hacktivism,

232
00:12:41.160 --> 00:12:45.240
centers on advancing a political or social cause

233
00:12:45.240 --> 00:12:48.900
by disrupting organizations viewed as harmful.

234
00:12:48.900 --> 00:12:51.510
Next, notoriety-driven attackers,

235
00:12:51.510 --> 00:12:53.790
which are often thrill seekers,

236
00:12:53.790 --> 00:12:57.240
aim to gain recognition within hacker communities

237
00:12:57.240 --> 00:13:01.860
by causing disruptions or targeting high-profile systems.

238
00:13:01.860 --> 00:13:05.610
Recognizing these motivations helps organizations

239
00:13:05.610 --> 00:13:09.900
tailor security measures to address specific threats,

240
00:13:09.900 --> 00:13:13.350
and knowing the goals of attackers enables companies

241
00:13:13.350 --> 00:13:18.350
to prioritize defenses for areas most likely to be targeted.

