WEBVTT

1
00:00:00.000 --> 00:00:01.350
In this lesson,

2
00:00:01.350 --> 00:00:04.590
we will learn about Threat Actor Resources.

3
00:00:04.590 --> 00:00:06.240
Threat actor resources

4
00:00:06.240 --> 00:00:09.660
are the assets that an attacker has available

5
00:00:09.660 --> 00:00:13.260
to plan, execute, and sustain an attack.

6
00:00:13.260 --> 00:00:17.490
Threat actor characteristics include resource considerations

7
00:00:17.490 --> 00:00:19.350
such as time and money.

8
00:00:19.350 --> 00:00:21.630
Time is a critical resource.

9
00:00:21.630 --> 00:00:24.960
Well-funded actors, like nation-state actors,

10
00:00:24.960 --> 00:00:26.880
may have the luxury to conduct

11
00:00:26.880 --> 00:00:30.060
prolonged sophisticated campaigns,

12
00:00:30.060 --> 00:00:34.260
allowing them to meticulously plan and execute their attacks

13
00:00:34.260 --> 00:00:37.020
over months or even years.

14
00:00:37.020 --> 00:00:41.460
Next, money enables attackers to purchase advanced tools,

15
00:00:41.460 --> 00:00:46.440
hire skilled personnel, or even acquire zero-day exploits.

16
00:00:46.440 --> 00:00:49.890
In this way, money significantly increases

17
00:00:49.890 --> 00:00:54.480
the sophistication and potential impact of operations.

18
00:00:54.480 --> 00:00:57.000
Let's learn more about time and money

19
00:00:57.000 --> 00:00:59.100
as threat actor resources.

20
00:00:59.100 --> 00:01:00.930
First, we have time.

21
00:01:00.930 --> 00:01:04.350
Time is a valuable resource for threat actors,

22
00:01:04.350 --> 00:01:07.080
especially those with high-level objectives

23
00:01:07.080 --> 00:01:08.880
and complex goals.

24
00:01:08.880 --> 00:01:12.420
For well-funded attackers, like nation-state actors,

25
00:01:12.420 --> 00:01:16.290
time enables them to conduct prolonged campaigns,

26
00:01:16.290 --> 00:01:19.260
often spanning months or even years

27
00:01:19.260 --> 00:01:23.730
as they slowly collect data, study system vulnerabilities,

28
00:01:23.730 --> 00:01:26.700
and develop tailored attack strategies.

29
00:01:26.700 --> 00:01:28.830
Time provides these attackers

30
00:01:28.830 --> 00:01:32.130
with the flexibility to act strategically

31
00:01:32.130 --> 00:01:34.920
rather than opportunistically.

32
00:01:34.920 --> 00:01:37.800
The SolarWinds breach exemplifies this,

33
00:01:37.800 --> 00:01:40.740
where attackers allegedly spent over a year

34
00:01:40.740 --> 00:01:43.740
developing, inserting, and deploying

35
00:01:43.740 --> 00:01:47.820
a backdoor into the company's software updates,

36
00:01:47.820 --> 00:01:50.280
allowing them undetected access

37
00:01:50.280 --> 00:01:53.760
to government and corporate networks worldwide.

38
00:01:53.760 --> 00:01:57.090
This extended timeframe allowed the attackers

39
00:01:57.090 --> 00:02:00.900
to maintain a covert persistent presence,

40
00:02:00.900 --> 00:02:03.960
increasing their operational success.

41
00:02:03.960 --> 00:02:08.100
Attacker patience, afforded by the luxury of time,

42
00:02:08.100 --> 00:02:11.730
is particularly dangerous for enterprise networks,

43
00:02:11.730 --> 00:02:14.970
as it means that standard periodic scans

44
00:02:14.970 --> 00:02:17.700
may miss well-hidden intrusions.

45
00:02:17.700 --> 00:02:21.030
So understanding the importance of time

46
00:02:21.030 --> 00:02:24.870
for well-funded threat actors can help organizations

47
00:02:24.870 --> 00:02:29.730
develop more thorough detection and monitoring strategies.

48
00:02:29.730 --> 00:02:34.080
That way, instead of relying on single-instance alerts,

49
00:02:34.080 --> 00:02:37.920
security teams can focus on behavioral analysis,

50
00:02:37.920 --> 00:02:41.700
anomaly detection, and continuous monitoring

51
00:02:41.700 --> 00:02:45.990
to identify unusual activity patterns over time.

52
00:02:45.990 --> 00:02:48.510
And by being aware of time

53
00:02:48.510 --> 00:02:51.150
as a critical resource for attackers,

54
00:02:51.150 --> 00:02:54.330
enterprises can implement defense strategies

55
00:02:54.330 --> 00:02:57.330
that address long-term subtle attacks,

56
00:02:57.330 --> 00:02:59.940
making it more difficult for threat actors

57
00:02:59.940 --> 00:03:03.210
to maintain undetected prolonged access

58
00:03:03.210 --> 00:03:04.860
to sensitive systems.

59
00:03:04.860 --> 00:03:07.140
Second, we have money.

60
00:03:07.140 --> 00:03:11.190
Money is another essential resource for threat actors,

61
00:03:11.190 --> 00:03:15.900
especially when pursuing complex or large-scale attacks.

62
00:03:15.900 --> 00:03:18.420
Financial backing enables attackers

63
00:03:18.420 --> 00:03:21.990
to purchase advanced tools, hire skilled personnel,

64
00:03:21.990 --> 00:03:24.330
and acquire zero-day exploits

65
00:03:24.330 --> 00:03:26.760
that remain unknown to vendors,

66
00:03:26.760 --> 00:03:29.430
making them harder to defend against.

67
00:03:29.430 --> 00:03:30.960
With sufficient funds,

68
00:03:30.960 --> 00:03:33.870
attackers can also rent infrastructure

69
00:03:33.870 --> 00:03:37.980
for command and control servers, or even recruit insiders

70
00:03:37.980 --> 00:03:42.480
to gain direct access to an organization's network.

71
00:03:42.480 --> 00:03:46.200
The North Korean hacking group Lazarus, for instance,

72
00:03:46.200 --> 00:03:50.010
has reportedly used extensive financial resources

73
00:03:50.010 --> 00:03:52.860
to fund large-scale cyber operations,

74
00:03:52.860 --> 00:03:57.390
such as the 2016 Bangladesh Bank heist

75
00:03:57.390 --> 00:04:00.993
where they successfully stole $81 million.

76
00:04:02.010 --> 00:04:05.610
In this case, access to significant funds

77
00:04:05.610 --> 00:04:09.450
allowed the group to orchestrate a sophisticated attack

78
00:04:09.450 --> 00:04:13.140
involving multiple banks and SWIFT transfers,

79
00:04:13.140 --> 00:04:16.830
exploiting financial infrastructure on a global scale.

80
00:04:16.830 --> 00:04:19.920
So money not only allows attackers

81
00:04:19.920 --> 00:04:22.380
to access advanced resources,

82
00:04:22.380 --> 00:04:25.920
but also enables them to invest in operations

83
00:04:25.920 --> 00:04:29.310
that are out of reach for less-funded groups.

84
00:04:29.310 --> 00:04:31.260
A financially backed actor

85
00:04:31.260 --> 00:04:35.160
can afford to invest in high-end exploit kits,

86
00:04:35.160 --> 00:04:37.620
pay for premium network access,

87
00:04:37.620 --> 00:04:40.350
and utilize professional-grade encryption

88
00:04:40.350 --> 00:04:42.540
and stealth technologies.

89
00:04:42.540 --> 00:04:46.440
This financial backing raises the sophistication

90
00:04:46.440 --> 00:04:49.500
and potential impact of the attack,

91
00:04:49.500 --> 00:04:53.880
as attackers can craft well-designed persistent attacks

92
00:04:53.880 --> 00:04:56.970
that are challenging to detect and mitigate.

93
00:04:56.970 --> 00:04:59.940
In the end, understanding the role of money

94
00:04:59.940 --> 00:05:03.750
in threat actor operations can help organizations

95
00:05:03.750 --> 00:05:06.960
allocate their defenses more effectively.

96
00:05:06.960 --> 00:05:09.390
Knowing that financially backed groups

97
00:05:09.390 --> 00:05:13.020
have access to advanced tools and personnel,

98
00:05:13.020 --> 00:05:17.070
enterprises can focus on securing high-value assets,

99
00:05:17.070 --> 00:05:19.410
employing multi-layered defenses,

100
00:05:19.410 --> 00:05:23.490
and investing in robust incident response capabilities.

101
00:05:23.490 --> 00:05:26.010
Also, recognizing that some attackers

102
00:05:26.010 --> 00:05:28.080
can afford high-end resources

103
00:05:28.080 --> 00:05:31.230
highlights the need for proactive threat hunting,

104
00:05:31.230 --> 00:05:33.510
specialized malware detection,

105
00:05:33.510 --> 00:05:36.510
and investing in cybersecurity resilience

106
00:05:36.510 --> 00:05:40.590
that can withstand well-funded sophisticated attacks.

107
00:05:40.590 --> 00:05:45.590
So remember, threat actor resources such as time and money

108
00:05:45.900 --> 00:05:48.720
are critical assets that enable attackers

109
00:05:48.720 --> 00:05:52.980
to plan, execute, and sustain their operations.

110
00:05:52.980 --> 00:05:57.840
Time allows well-funded attackers, like nation-state actors,

111
00:05:57.840 --> 00:06:02.190
to conduct prolonged campaigns, gathering information

112
00:06:02.190 --> 00:06:05.040
and carefully studying vulnerabilities

113
00:06:05.040 --> 00:06:07.650
to ensure a strategic attack.

114
00:06:07.650 --> 00:06:09.450
Money, on the other hand,

115
00:06:09.450 --> 00:06:12.900
gives attackers access to advanced tools,

116
00:06:12.900 --> 00:06:16.800
skilled personnel, and even zero-day exploits,

117
00:06:16.800 --> 00:06:21.030
greatly enhancing the sophistication and potential impact

118
00:06:21.030 --> 00:06:22.380
of the attackers.

119
00:06:22.380 --> 00:06:26.460
Recognizing the importance of time and money as resources

120
00:06:26.460 --> 00:06:31.050
helps organizations understand how attackers might operate.

121
00:06:31.050 --> 00:06:34.950
This allows them to focus on continuous monitoring

122
00:06:34.950 --> 00:06:37.830
and investing in robust security measures

123
00:06:37.830 --> 00:06:39.630
to strengthen their resilience

124
00:06:39.630 --> 00:06:43.323
against well-resourced and persistent threats.

