The title here is a little misleading. I’m not just referring to the word attacker; I’m going to talk about a lot of roughly synonymous terms that you’ll often find in cybersecurity reports: adversary, malicious user, hacker, and my favourite – malicious attacker. These words are designed to be scary, to shock senior management into action, but they can also obscure what they actually mean.
So what do these words actually mean? Because these words are usually used synonymously with each other, I prefer an even more obscure term, but one which is more accurate – threat actor. I use this term because of an old saw – never attribute to malice what may otherwise be incompetence.
Within a cybersecurity context, my definition of a threat actor is any force or agent that uses the system being tested in a way other than it’s intended to be used. Clear as mud, right? It’s also a broader scope than most people consider when looking at the words ‘attacker’, ‘adversary’, etc., because it removes agency and intent.
What do you envision when considering a cybersecurity threat actor? A ‘hacker’*. Is it some faceless person in a hoodie, madly tapping away at a keyboard? Big notifications on your screen that you have an intruder in your system? Sirens and flashing alarms? This, after all, is how the media has portrayed cybersecurity threats for decades. But in reality, the threat isn’t so obvious.
A cybersecurity threat looks ordinary. There are no flashing lights or obvious tells. A threat isn’t always deliberate, isn’t always directed, and may not have intent; it simply is.
Consider, instead:
- The person in the cubicle next to you is loading company files on a USB stick, because they’re about to quit and they want to take templates to their next job.
- An office relationship has turned sour, and one of the parties is trying to find the new details about their former partner.
- An employee is bypassing processes because it’s ‘quicker’, but unintentionally causes parts of the system to crash, or to spam notifications internally, or to slow the system down so much that it’s practically unusable.
- Your attacker may be an automated process. A virus, adware, a scam SMS, a rogue piece of malware disguised as an invoice and opened by your accounting department.
- Your adversary might be a tool scraping raw information off your website, along with every other website it touches, to sell to anyone seeking that type of information.
- You can even be attacked by totally innocent parties – I’m talking about bots that have inserted themselves into other systems, and the owners of those systems have no idea that their system is sending out traffic to cause denial-of-service attacks.
And sometimes it is actually someone targeting attacks at your system. Sometimes they’re even wearing a hoodie.
*I’ll write another article dedicated to hackers. The short of it is, hackers are (generally) nice people. If someone’s attacking your system without permission, don’t call them a hacker. Call them a criminal.