Hacker personas: Inside the mind of a cyber criminal

October 14, 2019

Do you know who would be most likely to hack your information system?  It’s quite possible you’ve never even thought of it.

Probably, your idea of what a hacker looks like, what they want and who they are has been heavily influenced by Hollywood renditions.  Teenage boys in hoodies watching trailing green code. Antisocial computer whizzes. People in eerie white masks.

The Reality

Determined attackers are constantly finding new methods to outwit traditional security systems, using an arsenal of techniques to attack from every angle.

There are many different types of attackers, each with their own reasons for doing what they do. Knowing who is behind your threats and what their motivations are, can help you implement security measure to put them on the defence.

1.  The Nation-State Hacker

This cyber criminal has a big budget and mad skills. As a state sponsored actor, they are likely to target government, energy, defence and utilities targets – but they might not stop there. The 2014 Sony hack was attributed to state-sponsored hackers from North Korea.

It ended up costing Sony more than US $15 million

What is a nation-state hacker after?

Their motivations are twofold: to disrupt and destabilize economies and to gain intelligence, including through IP theft.  Attacks can therefore take a number of different forms, including malware, trojans and SQL injections with the aim of stealing, leaking or altering data, preventing access to or causing damage to information systems.

Two key things to remember about this type of attacker:

• They will have almost unlimited resources
• They are highly determined and motivated

In short, a frightening foe to have.

2.  The Cyber Mercenary

This cyber criminal is purely in the game for the financial reward. Likely targets therefore include financial organisations and retailers, but with the rising use of ransomware these are just the beginning. Healthcare providers have also found themselves at the mercy of these hacker-types, with statistics suggesting 45% of all ransomware attacks in 2017 targeted the healthcare sector.

What do they want?

Money.  Plain and simple.  And they are well set-up to get it.

Professional cyber mercenaries tend to be part of structured organisations.

“Syndicates are set up according to the division of labour principle adopted by many large companies. There are marketing, finance and IT departments, each of which contributes to the performance and overall success of the organisation.”, writes Alex Rolfe for Payments Cards and Mobile.

With the backing of the rest of the syndicate, these cyber criminals are well-resourced. For an example, look no further than the case of Zain Qaiser, who earned almost a million pounds as part of a syndicate specialising in ransomware attacks.

3.  The Malicious Insider

Hackers with inside knowledge can be particularly dangerous.  Typically an individual with insider knowledge and since they’re working from the inside, they have an intimate understanding of your systems and processes to easily circumnavigate existing security protocols.

What’s the Insider after?

• It could be an undercover insider controlled via a criminal network trying to steal your data or intellectual property.
• An ex-employee driven by a personal vendetta, sabotaging operations for revenge or profit.
• Or perhaps – as in the case of Edward Snowden – they’ve come across something in your system they strongly disagree with and they want to blow the whistle.

4.  The Socio-Political ‘Hactivist’

Hactivists are agenda-driven – whether political, religious or idealist. Most likely, they will want to disrupt, damage or destroy operations – not for any commercial gain, but because they believe they are fighting injustice.  The skill level of this type of attacker varies widely.

Often, they work in a group – as in the case of the anonymous hacking of the official website for the state of Michigan to draw attention to the Flint water crisis.

5.  The Opportunist Hacker

Finally, there are those hackers who don’t really have an agenda as such, but may stumble into doing some real damage. They are both the professional and the hobby hacker.  The latter sometimes referred to as ‘Script Kiddies’, this type of attacker typically has a low skill level and will copy and paste available code to perform attacks – rather than having the knowledge to create that code themselves.  Although not as big a concern as the other personas mentioned here, the Opportunist types can still be dangerous.

A quick note on ‘Hacker Hats’

You will sometimes see hackers being referred to by their hat colour. From our perspective, these personas don’t give you enough insight into the hacker’s motivation, but they are still worth knowing about:

• White hat hackers:  Ethical hackers, hacking with permission
• Black hat hackers:  Straight up cyber criminals
• Grey hat hackers:  Someone who is hacking without permission, but doesn’t do it for personal gain
• Green hat hackers:  Newbies who want to learn to become great hackers
• Blue hat hackers:  Hackers with a vengeful agenda, not necessarily very skilled
• Red hat hackers:  Hackers who aim to stop black hat attacks, but who do so in a really aggressive manner

Why do Hacker Personas matter?

Technology is advancing at unbelievable rates – and not always in a good direction. Cyber attacks are considered to be one of the greatest threats facing humanity, so it’s worth gathering as much information as possible about potential attackers.

Building hacker profiles helps us to identify what the likely targets are going to be, how skilled they are, and what kind of defences we need in order to protect ourselves. The greater the accuracy and completeness of the persona, the better chance we have of stopping them.

---

Related articles:

• Risk Identification:  A crucial first step to improved cyber security
• The rise of spear phishing attacks
• 6 Steps to a successful cyber security improvement programme
• The 8 common types of cyber attacks explained
• INFOGRAPHIC: Malware examples: What are the different types?
• SOC (Security Operations Centre) team roles and responsibilities explained

---

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.