State-sponsored hackers and other threat actors are impersonating each other in an attempt to evade detection, according to a recent report from Optiv.
The “2019 Cyber Threat Intelligence Estimate” report, compiled from data gathered by Optiv’s Global Threat Intelligence Center (gTIC) and the security firms IntSights and Carbon Black, finds that so-called “hybrid threat actors”—attackers who masquerade as a different classification of actor to mask their identity—are on the rise.
“Sometimes threat actors may masquerade as a certain type in order to hide their true agenda,” the report noted. “Or, threat actors may belong to two or more classes, switching between them as their priorities change.” The report also finds that many vertical industries remain exposed to ever-evolving cyber threats.
Jonathan Drake, senior intelligence analyst at Optiv, said relying on the typical cyber threat intelligence categories of threat actor is a mistake because “good threat actors are never static.”
That’s because adversaries are now impersonating other types of cyber adversaries, he said. For example, nation-state actors may “pretend” to be a financially motivated threat actor targeting a company’s financial database. They mimic that actor by using the same malware, the same distribution methods and the same kill chain as the financially motivated group. But instead of going after the database containing PII and financial data, they pivot to exfiltrate the real prize: intellectual property (IP). Security automation and orchestration tools then trigger an automated response tuned to a financially motivated attack rather than to a threat actor exfiltrating corporate secrets, he said.
“Threat actors do their homework and have noticed the hard push by leaders to security automation and orchestration tools,” said Drake. “And they have also taken to using the tactics, techniques and procedures of another threat actor to hide their true intentions.”
Drake said the findings should prompt organizations to consider an approach to security that ensures business-specific risk and business objectives dictate the security model, rather than the latest cybersecurity threat or compliance mandate.
“Build a strong foundation before the first brick is laid. A hybrid threat actor requires a hybrid response,” he said.
Other findings include a breakdown of the verticals most targeted by hackers and other cybercriminals. Retail, health care, government and financial institutions continue to be among the verticals most frequently hit by attacks or attempted attacks across the 10 categories of Optiv clients.
“According to our research, no vertical is immune, but the financial industry continues to stand out as a key target for advanced attacks,” said Tom Kellermann, chief cybersecurity officer at Carbon Black.
The research also highlights the persistence of botnets, distributed denial of service (DDoS), phishing and malware as threat delivery methods, while more modern attack methods and malware delivery systems, such as “cryptojacking” and ransomware, are increasing in popularity.