The Dutch government defines cyber threat actors

The Dutch government commissions the creation of a scientific classification of individuals and groups involved in cyber crime

Long gone are the days when IT security was fending off tech-savvy geeks that hack for fame or when arguing with their nerdy friends.

These types of security threats are still out there – and in greater numbers, driven by the lure of hacking combined with the accessibility of information and the availability of easy “starter kits” – but on top of that, there is money attracting criminals and the lure of espionage.

Blurring boundaries

Furthermore, the boundaries between these types of cyber attackers are not clear cut. Script kiddies can cause a lot of damage and sometimes evolve into criminals – or get conscripted by organised gangs of tech oriented criminals. Those professional cyber criminals can then be used or hired by state organisations.

The IT-dependent modern world is living and working in changing times. Ever-evolving technologies, new tactics, different interests, and higher stakes are reshaping the security landscape. The higher stakes are not simply risks of minor, inconvenient IT outages, but potential political destabilisation.

IT has become essential for businesses, governments, consumers and societies. Security incidents of the past few years have shown new levels of impact and numbers, ranging from loss of money and reputation for hacked businesses to identifying theft for hundreds of millions of consumers – and potentially also encompassing democracies and the international community, as evidenced by ongoing investigations into Russian meddling in the US election and possible links with the Brexit referendum.

Ancient Chinese wisdom

“Know your enemy” is a saying derived from the historic treatise The Art of War by the ancient Chinese general and military strategist Sun Tzu. The knowing of the adversary is essential for being able to defeat your opponent. (Incidentally, the full proverb of Sun Tzu also includes the requirement to know yourself.)

Read more about cyber security in the Netherlands

In light of evolving security threats and the actors behind them, there is a concrete need for new classifications of adversaries. The University of Delft in the Netherlands has undertaken the necessary research to come to an updated categorisation of cyber threat actor typologies.

This scientifically underpinned typology was commissioned by the Dutch government’s National Cyber Security Centre (NCSC). The NCSC is part of the Ministry of Safety and Justice (now being rebranded to Justice and Safety).

Both this cyber security organisation and the counter terrorism oriented Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV) has been using a cyber threat typology for some years now.

It has been utilised in the annual cyber security report Cyber Security Assessment Netherlands (CSAN). There is a table featured with a set of actors which might threaten the security of the Dutch IT infrastructure. Those actors all have different motives, intentions and capabilities.

Over time, this table of actors and their characteristics has evolved. But a need was recognised for a more solid – as well as scientific – underpinning. This recognition was in light of continuing cyber security developments, the necessity for further and future evolution of the typology, not to mention the somewhat intuitive making of the original listing. And so the commissioning was done to develop a new, systematic method with which to map cyber threat actors and their motives, intentions and capabilities. This method is also used to update those typologies.

Cyber threat actors

The task was twofold. First, to develop a method to construct typologies of cyber threat actors. This brand new method combines scientific insights and cyber security knowledge to produce a structured way to classify threat actors. Note: due to the focus on the Dutch annual cyber security assessment (CSAN), the typology is restricted to actors with links to the Netherlands. In essence, threat actors who operate from within the national borders or who attack targets in the country.

The second part of the commissioned task was to develop a new tentative threat actor typology, based on intelligence in the 2016 edition of the CSAN. Cyber security incidents, threat intelligence and other data in last year’s report are used to build this second subtask. The resulting method can be used to include data from several sources. Information about cyber attacks is of course coming from numerous parties and entities.

The end result gives threat intelligence analysts and security practitioners a systematic and repeatable method to assess cyber threat actors and their characteristics. Simply put: to know their enemy.

The extensive paper in which the updated and expanded typology is explained said: “As a consequence of the structured application of the proposed method, the new threat actor typology differs significantly from the typology provided in the CSAN 2015 and 2016.”

Digging into the details

For example, the previously used type of “professional criminal” has been split into a specific set of sub-types. These sub-types range from digital robbers (scammers), fraudsters and extortionists to information brokers and crime facilitators. This more detailed definition does justice to the reality of convoluted underground ecosystems in which several different and specialised groups or individuals offer their illicit services and malware products to one another.

All this and more is to be found in the Dutch typology, where the resulting typology takes the shape of a matrix. On one axis are the types of cyber threat actors. On the other axis are the characteristics: targets, expertise, resources, organisation and motivation. Each of these is sub-divided into boxes denominating the sort and level of those characteristics.

For example, a specific kind of cyber threat actor targets enterprises, with medium expertise and low resources, via a market based means, for economic gains. Meanwhile, a quite different kind of actor targets the public sector, with high expertise, a high level of resources in a hierarchical manner, for geo-political goals

A state actor, or a state-sponsored network of cyber threat actors, can be out to gain geopolitical advantage, but can also be cyber spying for economic reasons. And cyber espionage or data theft is of course also quite appropriate for digital robbers and extortionists.

Multiple real-world security incidents of the past few years have made clear that this mixing of motivations and actors is quite real and troublesome. The ability to detect, fend off and possibly even prevent the cyber threats from these – and future – actors depends on knowing them thoroughly. The Dutch-developed typology of cyber threat actors offers a scientific means to that end.

Read more on Information technology (IT) in Benelux