Part 4: Understanding Public-Serving Adversaries

My previous posts described "state-serving" and "self-serving" adversaries. This post will discuss "public-serving" adversaries.

"Public-serving" adversaries conduct a variety of digital activities against victim organizations or individuals. A public-serving party seeks to bring attention either to a cause or to itself. Its actions may be outright malicious or, in other cases, "benign," with the characterization often in the eye of the beholder. Some security analysts call public-serving adversaries "hacktivists." The key to recognizing this category of actor is its calling card: widespread dissemination of news of its digital activity, usually via Twitter or other social media. Because of this behavior, one might also call them "publicity-seeking" adversaries.

Public-serving groups do not typically maintain persistent access to victim organizations. They may sustain access for short periods (days to weeks), but they are usually eager to let the world know of their accomplishments. Although some public-serving groups will access intellectual property or Personally Identifiable Information, and may criminally monetize it, this is not their primary goal. It is more common for public-serving groups to steal information, publish it, and then use it, or encourage others to use it, to the detriment of the victim organization. For example, a public-serving group might steal credentials or credit card numbers, publish them, and invite others to take advantage of the data. By the time the public-serving group broadcasts its deeds, it has often already departed the victim organization, which means the public announcement is frequently the victim's first indicator of compromise. Any credentials that appear in such a dump should be treated as compromised and reset regardless of whether the intrusion itself has been confirmed.

Surprisingly to some, public-serving groups are often the most damaging to victim organizations in terms of data destruction. State-serving and self-serving adversaries generally limit their actions to theft, whereas public-serving foes tend to adopt a "scorched earth" policy. After penetrating and looting a Web site and its database, the public-serving foe might delete everything it finds, leaving behind only a defaced Web page. For the victim this means recovery depends on backups that the intruder could not reach, and it means the responder should preserve whatever remains on the compromised systems before the business restores them, since that residue may be the only evidence of how the intruder got in.

The skill sets of public-serving groups range from tool-users to tool-builders. The groups may have loose, fluid membership organized around a close-knit core, or take on other clan-like structures. These groups can be remarkably resilient to law enforcement pressure, although the arrest of key leaders can temporarily disorient them.

For incident responders, a case perpetrated by a public-serving group differs from one involving state- or self-serving foes. By the time the IR team joins the case, the damage is already done, and the work going forward should focus on supporting a possible prosecution and on preventing similar incidents in the future. Public-serving adversaries may operate in either opportunistic or targeted modes; because opportunistic operators pick targets of convenience, organizations that close the easy avenues into their public-facing systems can repel a good number of these attackers.

I hope this short series on different types of adversaries has helped inform how you handle attackers based on capabilities and intentions.

I'd love to know what additional topics you'd like me to write in the future. Please write them below.