Examining the behaviour of cyber threat actors leads to the intersection of human behaviour, technology, geopolitical tensions and many more facets of our modern world. Using a framework to characterise the dimensions of cyber threat actor behaviour can enhance your understanding of how to manage the cyber risks to your organisation and assets.

Let’s get started with an overview of the framework.

The Framework

The five dimensions comprising the framework are:

  • Capability
  • Intent
  • Resourcing
  • Impact
  • Tenacity

The framework of five dimensions is not an absolute or quantitative way to characterise cyber threat actors, but it is useful for examining and reasoning about cyber threat actor behaviour at a high level.

The five dimensions can be qualitatively measured using levels such as High, Medium and Low, but the scale is flexible and can be adjusted to the needs of your organisation.

Cyber threat actors can span different categories such as state-sponsored actors, cybercrime actors, hacker-for-hire actors, hacktivists and insider threats. This framework can be applied to general classes of threat actors and specific threat actor groups.

The benefit of using this framework is that it enriches technical descriptions of cyber threat actor behaviour (such as MITRE ATT&CK) with a lens that treats human behaviour and technology as intertwined.

For each of the five dimensions, I’ve provided a breakdown describing the dimension and three tiers (High, Medium and Low) that can be used to rank threat actors.

Now for the dimensions, starting with capability.

Capability

Capability is the degree of operational and technical sophistication possessed by a cyber threat actor.

The capability of a threat actor may change over time. Low-capability threat actors can still pose a significant risk if they gain access to sensitive systems or information that asymmetrically enhances the effectiveness of their actions.

Tiers of Capability

  • High: Threat actors at a high level of capability have extensive technical skills and operational sophistication, and they use advanced techniques to conduct their attacks. They are typically highly organised and have access to significant funding, infrastructure and data.
  • Medium: Threat actors at a medium level of capability have a limited range of technical skills and resources, but they are still able to carry out moderately successful attacks. They may use less advanced techniques and may have less funding and infrastructure at their disposal, but they can still cause significant harm to their targets.
  • Low: Threat actors at a low level of capability have limited technical skills and resources, and they are generally less capable of causing significant harm. They may use unsophisticated techniques and may not have access to significant funding or infrastructure.

Intent

The intent of a cyber threat actor is their willingness to target a particular system or network.

The distinction between High, Medium and Low intent threat actors is not absolute and can change over time. The intent of a threat actor may vary between targets within the scope of their broader strategic objectives. Furthermore, the motives and goals of threat actors are not fixed quantities and are prone to change based on shifting circumstances or changes to their mission sets.

Tiers of Intent

  • High: High-intent threat actors have a clear and well-defined motive for their attacks, and they are often highly focused on achieving their objectives. These threat actors may be motivated by political, economic or military goals, or they may be seeking to cause widespread damage or disruption.
  • Medium: Medium-intent threat actors may have a loosely defined or opportunistic motive for their attacks. These threat actors may not have a specific target in mind when they carry out an attack. Their primary goal may be to cause as much damage as possible or to steal as much valuable data as they can.
  • Low: Low-intent threat actors have limited motivation or objectives for their attacks, and their attacks are often unsophisticated and poorly planned. These threat actors may be motivated by curiosity or a desire to prove themselves, or they may be testing the security of a target without any intention of causing harm.

Resourcing

The level of resourcing of a cyber threat actor is their degree of access to the various types of assets and supplies (such as financial, personnel, infrastructure and research/development) required to execute and support their operations.

As with the other dimensions, the distinction between High, Medium and Low resource threat actors is not absolute. Threat actors can move between resourcing categories as their resources improve or degrade over time. Furthermore, threat actors with limited resources may still be capable of causing significant harm if they are highly skilled, have access to advanced technologies, or hold privileged insider access.

Tiers of Resourcing

  • High: Highly resourced threat actors have substantial financial, technological and personnel resources at their disposal, which they use to carry out their attacks effectively and efficiently. These threat actors may have large-scale operations with numerous employees, access to advanced technology, and significant funding to support their activities. They are typically well-equipped to conduct sophisticated and highly targeted attacks, and they may have a long-term agenda.
  • Medium: Medium-resourced threat actors have access to a moderate level of financial, technological and personnel resources. These threat actors may be small groups or individuals who have limited access to funding, technology and personnel, but are still capable of conducting moderate-level attacks. They may use commercially available tools and techniques, and their attacks may be less sophisticated and less well-coordinated than those of highly resourced actors.
  • Low: Low-resourced threat actors have limited financial, technological and personnel resources available to them. These threat actors may be individuals or small groups who are not well-equipped to carry out complex attacks and may rely on publicly available tools and techniques. Their attacks may be less sophisticated and less targeted than those of better-resourced actors, and they may be more opportunistic.

Impact

The impact of a cyber threat actor is the severity of the harm that they may cause.

It is important to note that the impact of a cyber attack, in both its first-order and higher-order effects, can depend on many factors. Some of these factors include the specific system or network that has been attacked, the TTPs[1] employed by the threat actor, the level of preparedness and resilience of the target, and the interconnectedness of the target with other systems.

Tiers of Impact

  • High: High-impact threat actors are those that can cause widespread harm and disruption. They may use advanced tactics such as zero-day exploits or malware that is difficult to detect and mitigate. The impact of a successful attack from a high-impact threat actor could be devastating, potentially leading to financial loss, reputational damage, or even physical harm.
  • Medium: Medium-impact threat actors are less capable than high-impact actors but still pose a significant risk. The impact of a successful attack from a medium-impact threat actor could still result in significant financial loss but is less likely to cause widespread harm.
  • Low: Low-impact threat actors are those that have limited capability and resources. The impact of a successful attack from a low-impact actor is likely to be relatively small but can still result in inconvenience or financial loss for the victims.

Tenacity

The tenacity of cyber threat actors is their degree of persistence and determination to carry out attacks despite obstacles and resistance.

Tenacity can vary greatly between threat actors and can change over time. Some of the factors that can influence the tenacity of a threat actor include available resources, technical capabilities, their objectives for a particular attack campaign, and the nature of those objectives (e.g., targeted vs. broad).

Tiers of Tenacity

  • High: A high-tenacity threat actor shows exceptional persistence and determination in carrying out their attacks, often adapting and evolving their methods to overcome obstacles and achieve their goals.
  • Medium: A medium-tenacity cyber threat actor has a determined approach to their attacks but may be limited by certain constraints or face more difficulties in achieving their goals compared to high-tenacity threat actors.
  • Low: A low-tenacity cyber threat actor may lack persistence and determination in carrying out their attacks, possibly giving up easily when faced with obstacles or resource constraints.

Final Thoughts

The framework is a work in progress and I welcome your thoughts on how it could be improved. If you have found the framework useful, I am interested to hear how you have applied it.

I find that the framework can be quite flexible, pairing well with more detailed and technical information about cyber threat actors and discussing threat actor behaviour at a high level.

Reach out to me on LinkedIn or GitHub and let me know what you think!

[1] Tactics, Techniques and Procedures