The psychology of attackers

WithSecure_laptop
Reading time: 5 min

If you are trying to impede or deter attackers, remember that different threat actors have different motivations and tolerance levels. Your actions may not always have the effects that you want.

When will attackers give up?

Most cyber criminals exist on a spectrum of opportunistic to motivated. Impediments, such as patched vulnerabilities and controlled OSINT, are more effective against more opportunistic attackers—those who are less invested in attacking any single organization.

For example, a broad phishing campaign is a very opportunistic attack type. Threat actors who send out these campaigns will discount as a target any organization who does not engage with the phishing attempt; they will not invest any more time or resource attempting to penetrate the environment.

Slightly more motivated attackers may have a list of possible targets, and that list may change or be reprioritized based on the information the threat actors learn over time. If these attackers see significant impediments associated with a specific organization, it may become a less-appealing target.

The most motivated attackers are unlikely to be dissuaded from targeting specific organizations, no matter the impediments they encounter. For example, if they have been hired to target one organization in particular, they have no other options to pursue. In these cases, the usefulness of impediments is limited to increasing the opportunity for detection and response.

Rationality and retaliation

When we talk about deterrence and security, we usually assume that attackers are rational. We assume that attackers won’t expend more effort or resources to penetrate an environment that will not be very valuable, but that might not be the case. The attacker may not think about the cost, or may have another reason for attacking. They may fall prey to the sunk-cost fallacy, and keep attacking even if doing so is irrational.

Attackers may also react unpredictably if they realize that they have been detected, but they are not yet contained.

A story from an incident responder

We had a client who did not have full visibility of their network, although they thought they did. They had a threat actor in their system and tried to contain him, but they did not remove all of his access.

That threat actor retaliated by putting pressure on the management of the company: he put public notes on their web servers and locked the administrators out so that they could not remove the messages. He then tried to ransom the company, asking for money in return for removing the notes.

Fortunately, we had our own access and we were able to delete the page, so no one saw the messages, which would have been very damaging to this company’s reputation.

~ WithSecure™ Incident responder

For more information about deterring and impeding attackers, read our report below:

Read more