Cyber threat actors conduct malicious cyber threat activity by exploiting technical vulnerabilities, employing social engineering techniques, or by manipulating social media. A determined and capable adversary will often carefully select the technique most likely to result in successful exploitation after conducting reconnaissance against their target and may use a range of techniques to achieve their goal. The majority of threat actors, however, simply cast a wide net in hopes of exploiting any insecure network or database.
Technical vulnerabilities are weaknesses or flaws in the design, implementation, operation, or management of an information technology system, device, or service that provide access to cyber threat actors. For example, a threat actor may attempt to install malicious software, called malware, or take advantage of existing flaws to exploit the targeted system. In addition to installing malware, threat actors also use tools that directly exploit specific technical vulnerabilities.
Exploitation methods that target human qualities, such as carelessness and trust, are collectively known as social engineering. Threat actors use social engineering to trick an individual into inadvertently allowing access to a system, network, or device. Phishing and spear-phishing are common social engineering techniques. (Please see Annex A: The cyber threat toolbox for more information).
Foreign cyber threat actors can also manipulate social media and legitimate advertising and information-sharing tools to conduct online foreign influence campaigns that seek to impact domestic events like an election, census, or public health campaign, as well as public discourse more broadly. With a thorough understanding of how traditional media and social media work – and how individuals consume information – cyber threat actors can promote their message to broader target audiences at a relatively low cost. They can do this by masquerading as legitimate information providers, hijacking social media accounts, or creating websites and new accounts.
Attribution is the act of accurately determining the threat actor responsible for a particular set of activities. Successful attribution of a cyber threat actor is important for a number of reasons, including network defence, law enforcement, deterrence, and foreign relations. However, attribution can be difficult as many cyber threat actors attempt to evade attribution through obfuscating their activities.
Obfuscation refers to the tools and techniques that threat actors use to hide their identities, goals, techniques, and even their victims. In order to avoid leaving clues that defenders could use to attribute the activity, threat actors can use either common, readily available tools and techniques or custom-built tools that covertly send information over the Internet.
Sophisticated threat actors can also use false flags, whereby an actor mimics the known activities of other actors with the hope of causing defenders to falsely attribute the activity to someone else. For example, a nation-state could use a tool believed to be used extensively by cybercriminals.
The ability of cyber threat actors to successfully obfuscate their actions varies according to their level of sophistication and motivation. In general, nation-states and competent cybercriminals are more adept at obfuscation than other threat actors.