Portrait of a 21st Century Active Directory Attacker
It has been more than 20 years since the movie “Hackers” was released, and many of us, when we think of a cyberattacker, still picture a guy in a hoodie, sitting in his basement and hacking away at a keyboard to gain notoriety. A lot has changed in the two decades since, and the portrait of an Active Directory attacker has evolved with it. Some attackers no doubt still wear hoodies and work from a basement, but today they are more likely to be doing so from the other side of the globe, on behalf of an organization, and for money or political advantage rather than notoriety. At the Hybrid Identity Protection Conference, Allen Brokken shared sobering statistics on cyberattacks as well as the profiles and intents of modern attackers. Here are the five categories of Active Directory attacker that Brokken described in his presentation, “Detect and Respond to Active Directory Breaches”.
5 Different Types of Cyberattackers
The Hacktivist: The 21st century hacktivist is the closest thing to what you saw in “Hackers”, except that the technology is far more advanced and the hacking is very real. Hacktivists are usually motivated by a larger cause or political agenda and believe their target deserves the attack. This category of Active Directory attacker can be highly sophisticated and often works collectively, as a loose set of parties with common interests rather than a true organization. WikiLeaks and Anonymous are both well-known names in hacktivism that have published sensitive information to promote a cause.
Nation States: China, Russia and North Korea are all countries with cyberattack capabilities and an interest in controlling some aspect of the geopolitical realm. Whether the goal is theft of military intellectual property or corporate espionage, nation state attackers have the resources and organizational capability to mount major, sustained attacks. A recent example is the Olympic Destroyer wiper attack on the 2018 PyeongChang Winter Games, widely attributed to Russia, which disrupted the opening ceremony. The malware stole credentials and enumerated Active Directory to decide which systems to target, spread to them, and took the Winter Games website offline for roughly 12 hours.
Modern Terrorist Organizations: Recent reports warn that cyberterrorism is a growing concern and is expected to become one of the top information security threats in the coming years. ISIS and other terrorist organizations use cyberattack capabilities to fund their operations and advance their cause, which they believe justifies the means. In some cases, nation states and terrorist organizations partner to attack larger, more capable nations. Operationally these attackers may look like other actors, but their motivation is the cause rather than direct monetary gain.
Organized Cybercrime: Organized cybercrime is a very real thing and is today’s equivalent of the mafia. The Dark Web supplies all the services and tooling that organized cybercrime rings need to carry out their attacks; there is even crime-as-a-service, where gangs hire out their attack capability for a fee. These attackers are in it for the money and will invest in a complex, long-running attack if they see enough potential value in it. Cybercrime gangs now have organizational structures much like any other business, and in many parts of the world attacking others electronically is a full-time job.
Unethical Competitors: In the United States, strong laws and general business ethics keep companies from directly attacking one another electronically for competitive advantage. That norm is not shared everywhere; in some countries, any way you can gain an advantage is considered good business, and an organization with that attitude is willing to build attack capability in order to win. There are cases of companies compromising a competitor’s pricing system and automatically underbidding it in order to force the target out of business. Most recently, in late 2017, attackers used the MBR-ONI bootkit ransomware to encrypt critical servers, including Active Directory domain controllers, at multiple Japanese companies, bringing business to a standstill.
Today’s Active Directory attacker comes in all shapes, sizes and organizational structures, but the real moral of the story is that these attackers are growing in sophistication and in the damage they can do. To protect your enterprise environment, make sure your Disaster Recovery plan lets you bounce back quickly from any type of malware attack, including one that wipes or encrypts your domain controllers.
To view Allen Brokken’s full presentation on Active Directory attacks, and other presentations from the 2017 Hybrid Identity Protection Conference, click here.