Part 3: Understanding Self-Serving Adversaries

My previous post described "state-serving" adversaries. In this post I will discuss "self-serving" adversaries.

"Self-serving" adversaries conduct digital theft against target organizations. This adversary pursues financial motives, seeking to monetize stolen data. Many analysts call these foes "criminals," and most would agree that stealing data for financial gain is a crime.

Some analysts consider "state-serving" adversaries to be "self-serving" as well, in the sense that a foreign intelligence service (FIS) will pay state-serving actors for their deeds. The factor I use to differentiate the groups is the motive of the operation: if the intruders act to meet FIS goals, they are state-serving, but if they act without the direction of a higher authority to seek financial gain, they are self-serving. This distinction does not preclude an intruder or group of intruders from acting as state-serving in one operation and self-serving in another. This is the sort of "cross-over" between espionage and crime discussed in recent media reports.

Self-serving groups have traditionally not held long-term access to a victim as a requirement for their operations. Rather, they compromised a target, extracted the data of value, and monetized it. The data of value was likely to be Personally Identifiable Information (PII) of some type. Some creative self-serving adversaries have pursued systematic, long-term compromise as a goal; consider the success of intruders such as Albert Gonzalez or Max Ray Butler.

Self-serving groups are characterized by a wide range of funding options. "Start-ups" could be exceptionally poor, relying on totally free exploits and methods, while more established players will build on previous illicit gains to purchase "exploit kits" and other tools. At the high end, self-serving groups will enjoy almost the full range of resources found in state-serving teams. Operational discipline is once again a dividing factor, with advanced teams knowing when to use the latest and greatest and amateurs perhaps not exercising proper judgment.

Victim organizations suffering from self-serving groups fight shorter campaigns than those waged by state-serving adversaries. The intruder wants to steal PII, convert it to cash, and then raid another organization. Third-party notification is again common, but usually the victim learns of the intrusion because the stolen PII appears in a black market or is used by a criminal. In other words, criminals buy and sell the PII, and they use the PII to purchase goods or take other illegal actions. Due to the nature of the stolen data, the Secret Service is sometimes the lead law enforcement agency, although other agencies may be involved.

In the final blog post in this series I will discuss "public-serving" adversaries.