By Jonathan Drake, Senior Intelligence Analyst at Optiv Security

Cyber threat intelligence usually categorizes threat actors in fixed classes. While these classes may vary from organization to organization, typical threat actor groups will include: 1) Nation-State Threat Actors, focusing on government interests and espionage-based activities; 2) Cyber-Crime, individuals/groups highlighting ‘criminal intent’ with vast majority being financially motivated; 3) Hacktivism, ideological in nature and extremely resilient; and 4) Commercial Entities, private legal entities that create marketplaces for the commercialization of offensive/defensive hacking and surveillance capabilities.

While categorizing threat actors into classes such as these has been helpful for information security professionals during identification and remediation processes, new research from Optiv Security reports automated threat categorization to be a double-edged sword. According to Optiv’s 2019 Cyber Threat Intelligence Estimate (CTIE) report, it’s a mistake to assume that these categories are rigid or to assume that a threat actor’s classification is distinct and static because a growing trend in cybersecurity is on the rise: threat actors impersonating each other to hide true intentions. Called “hybrid threat actors,” this emerging class of cyber-criminals masquerades as a different classification to hide their true agenda. And, some using more than two, switching between classes as priorities change.

Hybrid threat actors introduce tremendous security risk because security orchestration and automation tools are not looking for the curveball. Let me explain.

Automated security technology is designed to reduce the workload on resource-constrained IT teams.  An example of automated security technology can be found in the detection and response functionality of a SIEM. Automated alert investigation and response is based on pre-determined rules and/or behaviors. Variable thresholds allow organizations to customize their detections in response to changing threats, such as financially motivated attacks. Automation can also be used as an effective tool to set default responses to alerts.

The problem, though, is that threat actors have figured out how to impersonate other categories of adversaries to divert attention away from their true target. For example, there may be a state-sponsored threat actor posing as a garden-variety cyber-criminals targeting the customer database. While security systems are triggering an automated response, attackers shift their tactics to executing on their true intention – installing malware to siphon off intellectual property (IP). The security team thinks it has thwarted an attack on the customer database because of a kill chain trigger, but, in reality, it may have missed the ongoing theft of IP. Think of it this way: Someone breaks into an office and steals a couple of printers to make the police think it’s petty theft, but what they’ve actually done is put listening devices in the CEO’s office and the boardroom so they can manipulate the stock market.

What can be done?

CTIE research shows that activities by hybrid threat actors are on the rise, and they’ve mastered the art of deceiving security tools to reach their intended target. Information security professionals have been doing it for years, so why would we assume that these hybrid threats wouldn’t?  The question for IT security teams is: What can be done to stop them? Here are three best practices that will help defend against this new class of threat actors – and mitigate enterprise risk in the process.

  • Implement a risk-centric approach to security – If there’s one thing that we urge organizations to do, it’s to tie cybersecurity functions to enterprise risk. This means ensuring business-specific risk and business objectives dictate the security model, rather than the latest cybersecurity threat or compliance mandate. With a risk-centric approach to security, IT security teams can accurately identify what data and assets are most likely to be targeted, who is most likely to target them, and how it will likely happen – and then they can customize their security strategy accordingly.

Because the focus is on business risk and not one particular class of threat, the attack method and cyber-criminal motive are no longer the basis for cybersecurity strategy. Rather, prioritizing and protecting high-risk targets is the basis for strategy. In the example cited earlier, the organization would already have understood that state-sponsored threat actors were a likely adversary due to intellectual property importance, so there would be no possibility of leaving that kind of hybrid attack “undefined.”

  • Master security “basics” – Optiv’s recent “State of the CISO” research report found that organizations are not prioritizing security basics like patch management and vulnerability scanning – even though unpatched vulnerabilities are often cited as the most common source of data breaches (57% of all breaches, according to a study by the Ponemon Institute). Failing to execute on security basics leaves holes that cyber-criminals are increasingly adept at exploiting. Not to mention, if a company isn’t operating well when it comes to cyber-security fundamentals, then it won’t be able to successfully implement more advanced security processes, technologies, and initiatives.
  • Maintain the human element – Automated security tools can help us cut down on the noise and make cyber-security more manageable for information security teams, but it’s not the “fix-all” solution. Flipping the automation switch doesn’t surround the organization with an impenetrable shield. Organizations must continue to include the human element in security processes, so, when hybrid threat actors do throw a curveball, information security professionals are there to switch up the grip and grab the home run. It’s also important for information security teams to periodically reevaluate defined threat actor groups and associated security policies to ensure they align with the latest industry developments.  Hybrid threat actors require a hybrid solution.

While hybrid threat actors are a component that many organizations haven’t yet encountered, there’s no reason to panic. By implementing a risk-centric security model and following best practices such as those above, information security teams can build and maintain a solid security foundation. And with this strategy in place, organizations can put themselves in a strong position against the cybersecurity battle, every time.

About the Author

Jonathan Drake is a professional Intelligence analyst accumulating nine-plus years of civilian and military experience. Drake is currently employed as a Senior Cyber Intelligence Analyst with Optiv and is a critical member of Optiv’s Global Threat Intelligence Center Team (gTIC). As a member of the gTIC, he assists staff and clients with cyber-based intelligence research and products. As a professional intelligence analyst, Drake seeks to deploy his refined analytical skills and technical knowledge to assist leaders with obtaining goals and objectives set by stakeholders. Jonathan can be reached online at and at our company website