Threat Actors and Act Types

Hacker by The Preiser Project (CC BY 2.0) at

The grugq has a useful explainer for the different kinds of threat actors an organization might be mindful of, such as hacktivists, criminals, and state actors, and how and why they tend to operate as they do. With regard to state and private-public teams:

There is a tendency to want to rank the Services, but this is not especially fruitful. More interesting is the culture of the Services teams, their nature, their agility, the problems that the team are expected to address, whether they have internal capacity or rely on third parties, and so on. More relevant is trying to understand what they exist to accomplish, how capable they are of doing that, how agile they are in terms of changing their MO and if and how well they can accomplish other goals.

This is an inherent problem with hybrid public/private teams — information sharing. While the private component will probably have superior skills and breadth and depth of operational experience, their lack of big picture understanding will prevent them from surfacing ideas, making connections, or otherwise providing insight to help advance the operation. Generally, having the people actually doing the work involved in suggesting improvements is a good way to improve. Similarly, having the people with wide access to botnet victims know what sort of data will get them paid will produce a greater volume of potentially interesting data.

While I tend to think that his analysis of nation-states is good, it under-emphasizes how certain states either have their farm leagues ‘train’ on civil society or, alternately, team with semi-skilled private operators who operate similarly to criminals. Whether these behaviours are representative of training exercises, of not wasting the good stuff on civil society, of deliberately being evident to instil caution amongst civil society, or of something else, isn’t entirely clear. Regardless, there is arguably a bit more nuance that could be added to round out some of the characteristics of different threat actors.


It’s not good to be on Power’s bad side, however. When you are on that side, Power piles on charges rather than shrugging off felonies as simple mistakes. Especially if what you do falls into the gray area of enforcing the letter as opposed to the principles of the law.

You can file all the petitions you like with the powers that be. You can try to make Power – whether in the form of wiretapping without warrants or violating international conventions against torture – follow its own laws. But Power is, as you might suspect, on the side of Power. Which is to say, Power never pleads guilty.


On Hiring Hackers

Kevin McArthur has a response to firms who are demanding highly credentialed security staff: stop it!

Much of his argument surrounds problems with the credentialing process. He focuses on the fact that the time spent achieving an undergrad, MA, and set of professional certifications leaves prospective hires woefully out-of-date and unprepared to address existing security threats.

I recognize the argument but think that it’s somewhat of a strawman: there is nothing in a credentialing process forcing individuals to focus solely on building and achieving their credentials. Indeed, many of the larger companies that I’m familiar with hire hackers as employees and then offer them opportunities to pursue credentials on their own time, on the company dime, over the course of their employment. Many take advantage of this opportunity. This serves two purposes: it adds ‘book smarts’ to a repertoire of critical thinking habits, and it makes the company ‘stickier’ to the employee because of the educational benefits of working for the company.

Under the rubric of enabling education opportunities for staff you can get security talent that is very good and also happens to be well educated. It’s a false dichotomy to suggest that you can have either ‘book smarts’ or ‘real world smarts’: there are lots of people with both. They don’t tend to be right out of university or high school, but they are out there.

What’s more important, and what I think the real focus of the article is meant to be, is that relying on credentials instead of work accomplished is the wrong way of evaluating prospective security staff hires. On that point, we entirely agree.