1. Based on your research of the above term, summarize your findings with up to five resources from the above research.
2. Describe two separate scenarios for defensive and offensive measures against such a cyber threat targeting a critical infrastructure.
Mark de Bruijne, Michel van Eeten, Carlos Hernández Gañán, Wolter Pieters
Towards a new cyber threat actor typology
A hybrid method for the NCSC cyber security assessment
Faculty of Technology, Policy and Management
Delft University of Technology
This report could not have been made without the help of a large number of people. We
cannot mention all of these people by name, but our thanks extend to all of them. First of all,
the researchers would like to thank all the interviewees, who were promised anonymity, for
their precious time and valuable feedback. They have contributed a lot to the report and our
understanding of cyber actors and the methods which can be used to classify them. We,
furthermore, would like to extend these thanks to the members of the supervisory committee.
The committee consisted of Prof. Stijn Ruiter (chair), drs. Olivier Hendriks, drs. Noortje
Henrichs, dr. Jan Kortekaas, Prof. Eric Verheul, and drs. Wytske van der Wagen. We
appreciated their critical and highly constructive feedback during the entire process.
Needless to say, the usual disclaimer applies: the contributions from respondents or
members of the supervisory committee do not mean that the respondents, the members of the
supervisory committee or their institutions automatically agree with the complete content
of the report. We would also like to emphasize that the report does not necessarily reflect
the opinion of the Minister or the Ministry of Security and Justice.
Mark de Bruijne
Delft, July 2017
Executive summary
Research aim, research questions and delineation
Reader's guide
Designing a method for a cyber threat actor typology
What is a cyber actor typology?
What should the cyber actor typology do?
The CSAN typology and its shortcomings
Criteria for a good threat actor typology
A method to develop a typology – building the framework
The deductive approach – threat actor typology framework
Literature review: in search of threat actor dimensions
Operationalizing the dimensions: developing the framework
Feedback on the framework from experts and stakeholders
Observations and feedback from NCSC/NCTV workshop
Final threat actor typology framework
The inductive approach – data analysis
Spam trap data
Honeypot data
Darknet data
Cyber criminal markets
A tentative new threat actor typology
Key features of the method to develop a threat actor typology
Application: combining the deductive and inductive cycles
A first version of a new threat actor typology
CSAN 2016 typology and new threat actor typology compared
Reflection and some final thoughts
For some years, the NCSC/NCTV has been using a cyber threat actor typology in its annual
Cyber Security Assessment Netherlands. It has evolved over time and captures a set of
actors with different motives, intentions and capabilities. In view of its age and rather intuitive
development process, the NCSC/NCTV is considering whether the current typology needs to
be updated and improved in light of recent insights from science and cyber security practice.
This report, which was commissioned by the WODC (Research and Documentation Centre)
of the Ministry of Security and Justice, sets out to develop a new and systematic method to
enable NCSC/NCTV to continuously update its cyber actor typology. Section 3.5 contains a
concise description of the framework, to be used as a standalone document. As part of the
method description, we also develop a tentative new typology. This can be found in Section 5.3.
In its annual cyber security assessments, the NCSC/NCTV uses a so-called cyber actor
typology. The typology currently in use has existed for some years and has evolved over that
period. In a fairly intuitive manner, the current typology captures a number of actor groups with
diverse motives, intentions and capabilities. NCSC/NCTV asks whether this typology is still
valid, how it relates to recent insights from theory and practice, and how it could be improved.
This report, written on behalf of the WODC of the Ministry of Security and Justice, designs a
new and systematic method that enables the NCSC/NCTV to keep the typology up to date
itself on a regular basis from now on. Section 3.5 contains a compact description of the
method, which is intended to be used by analysts as a standalone document. As part of the
method, a first version of a new typology is developed. It is included in Section 5.3.
In the Netherlands, the responsibility for threat analysis in the digital domain is allocated to
the National Coordinator for Security and Counterterrorism (NCTV). The National Cyber
Security Centre (NCSC) is part of the Cyber Security Department of the NCTV and publishes
an annual Cyber Security Assessment Netherlands (CSAN) (cf. NCSC, 2015; 2016). This
assessment has been compiled since 2011.
The CSAN offers “insight into the developments, interests, threats and resilience in the field
of cyber security over the past year. It is aimed at policymakers in government and the
critical infrastructure sectors to help enhance the digital resilience of the Netherlands or to
help improve current cyber security programmes” (NCSC, 2015:15).
Both public and private organizations contribute to this annual cyber security assessment
and make use of it. The CSAN features a cyber actor typology to provide insight into the
threats and threat actors. In the 2016 Cyber Security Assessment Netherlands (CSAN) the
actors in this typology are defined as individuals or groups "who adversely affect the
reliability and security of information and information systems" (NCSC, 2016:25).
The current cyber actor typology has been in existence for some years. It evolved over time
and intuitively captures a set of actors with different motives, intentions and capabilities. In
view of its age, NCSC/NCTV asked whether the current cyber actor typology is still valid
today, whether it is supported or rejected by recent insights from science and cyber security
practice, and whether it is in need of improvement. This research project, which was
commissioned by the WODC (Research and Documentation Centre) of the Ministry of Security
and Justice, aims to address this knowledge gap.
Research aim, research questions and delineation
This research develops two distinct products to fill the knowledge gap. First of all, a new
method to develop a threat actor typology is constructed. The method is based upon
state-of-the-art insights into cyber actor typologies, is designed to be more transparent than the
typologies used in CSAN 2016, and features a structured way to classify threat actors.¹ The
method is designed in such a way that it can be repeated over time. In line with the CSAN,
our assignment was to restrict the threat actor typology to the description of actors who either
operate from the Netherlands or attack targets in the Netherlands. We will discuss the
implications of this delineation in subsequent chapters of the report.
Second, the research aims to develop a new tentative threat actor typology from the events,
threat intelligence, and data that were reported in the 2016 CSAN (NCSC, 2016). The report
shows how the method can be used to include input from diverse data sources about cyber
attacks. The researchers do not claim to present a completely new threat actor typology, nor
to have drawn up a final version. Rather, the principal aim of this report is to provide threat
intelligence analysts and security practitioners with a transparent, systematic and repeatable
method to develop the cyber actor typology on an ongoing basis. In view of their national
responsibility for threat analysis in the digital domain, this research particularly supports
practitioners in the National Coordinator for Security and Counterterrorism (NCTV) and the
National Cyber Security Centre (NCSC) in performing this crucial function. However, the
method and typology presented are explicitly designed to be more broadly applicable as well.
¹ See https://www.ncsc.nl/english/current-topics/Cyber+Security+Assessment+Netherlands, last
visited May 15, 2017.
The research questions which accompany the project goals were:
1. To what extent is the current cyber actor typology validated by recent insights from
science and cyber security practice and what design criteria for a new cyber actor
typology can be identified?
2. What method to develop a cyber actor typology satisfies the identified design criteria
and enhances or enriches the current cyber actor typology of different cyber actors?
3. To what extent can a typology be constructed based upon state-of-the art knowledge
on cyber actors and empirical data on cyber incidents, and what would the resulting
typology look like?
In response, this research project proposes the development of a new method to
incrementally improve the current cyber actor typology. As a practical limitation, the cyber
actor typology should be restricted to the description of actors who either operate from the
Netherlands or (intend to) focus their attacks on the Netherlands.
The method features a structured analysis of (potential) cyber threat actors as well as a
structured approach to using more (diverse) data sources to update the cyber actor
typology in the (near) future. Neither the claim nor the intention of the report is the complete
development of a new cyber actor typology. Instead, the report describes the first cycle that
would lead to the design of a new cyber actor typology. The report and the method outlined
in it are explicitly designed to facilitate use by threat intelligence analysts and other experts to
continuously improve and update the Dutch cyber actor typology.
A further practical limitation is that the research pays particular attention to the possibility
of collaboration between different cyber threat actors, which has been reported as
an increasingly complicating trend in cyber security (cf. CSAN, 2016). This focus is
highlighted in the research questions (in particular research question 3), which means that
this element features prominently in the analysis of cyber actors and the search for key
characteristics to analyze them. The overarching goal is to develop a design method that
supports ongoing, incremental development and improvement of the cyber actor typology.
We will reflect on this design choice and its implications for the long-term validity of (the
design of) the threat actor typology in the report.
In Chapter 2, the main method to develop a cyber actor typology is designed. The
report unpacks and articulates the various terms and terminologies that surround the
typology and identifies the intended use of the typology. The report subsequently explores
the underlying complexity and challenges of designing such a typology. Next, we outline
the limitations of the CSAN typologies. Criteria are drawn up to identify quality indicators for a
cyber threat actor typology. Finally, the new method is proposed to fulfil these criteria and to
allow for the creation of a valid and usable cyber threat actor typology. The method is based
on a combined 'deductive' and 'inductive' approach, which is cyclical in nature and supports
ongoing, incremental development and improvement of the CSAN cyber threat actor
typology: a hybrid approach.
In Chapter 3, the first part of the method is developed: the deductive cycle. To bootstrap the
design of a threat actor typology, a literature review identifies common dimensions from
existing typologies of threat actors. To enrich the literature research and ensure the
development of a threat actor typology that is fit-for-purpose, recent insights and feedback on
the theoretically deduced dimensions were collected via interviews with cyber security
experts and stakeholders. The result is a ‘deductively’ developed set of key dimensions that
forms the starting point of the new method to develop the threat actor typology.
With the key dimensions in hand, the report proceeds to combine them into a framework and
operationalize them for use by threat intelligence analysts and other experts. The framework
is explicitly designed to support practitioners in the threat classification process. Section 2.2
describes the design and subsequent updates which culminated in a final version of the
threat actor typology framework.
Chapter 4 turns towards the second part of the proposed method to develop a cyber actor
typology: the inductive cycle. This cycle draws on empirical data about incidents and attacks
and on available information about online behavior, which are analyzed and fed into the threat
actor typology. Using several datasets which the researchers had at their disposal, it is
illustrated how incident and attack data can be used to gain more insight into certain
dimensions of the actor typology, while being less informative about other dimensions. The
chapter reflects on the added value of large-scale measurement data and how it contributes to
current knowledge and understanding of attackers and their routines.
Chapter 5 presents the culmination of the previous chapters: a tentative new threat actor
typology resulting from a completed deductive and inductive cycle. Since the proposed
method for the development of a threat actor typology in this research project has only
completed a single development cycle, and is thus limited in terms of the underlying data, the
chapter ends with a condensed set of development guidelines and discussion points to
support the subsequent threat actor typology design cycle by NCSC/NCTV.
2 Designing a method for a cyber threat actor typology
As a starting point for the development of the new method to generate a cyber actor
typology, this report first defines the concept 'typology'. Next, the report explains the
intended use of this cyber actor typology in the annual Cyber Security Assessment
Netherlands (CSAN). This is necessary to establish what the final products, the method and the
resulting cyber actor typology, actually need to 'do'.
What is a cyber actor typology?
The online Merriam-Webster dictionary defines a typology as: "a system used for putting
things into groups according to how they are similar: the study of how things can be divided
into different types." In other words, a typology is a specific form of classification. Bailey
(1994:4) claims that "two characteristics distinguish typologies from generic classifications. A
typology is generally multidimensional and conceptual." A typology is appealing because it
promises to yield a concise yet parsimonious framework to describe and classify observed
patterns. Bennett & Elman (2006:466, Table 1) identify three subtypes with distinctly
different goals (cf. Clinard, Quinney & Wildeman, 1999:13):
1. Descriptive typologies, which answer the question: 'what constitutes this type?'
2. Classificatory typologies, which answer the question: 'what is this a case of?'
3. Explanatory typologies, which allow researchers to ask: if my theory is correct,
'what do I expect to see? Do I see it?'
The definition and identification of the different goals that typologies can serve also
forces us to briefly consider and distinguish typologies from other terms that can be encountered
in the cyber actor research literature, such as 'taxonomy' and 'profile'. A 'taxonomy' is
defined by Merriam-Webster as: "the process or system of describing the way in which
different living things are related by putting them in groups" and a 'profile' as: "a brief written
description that provides information about someone or something". For the intents and
purposes of this report, both cyber actor taxonomies and profiles of cyber attack methods or
cyber attackers provide valuable input on important characteristics of cyber
attacks or cyber actors which seem relevant for the creation of a cyber actor typology. Yet
they are not the same. The report returns to this issue later. Sufficient for now is that there
exists a clear distinction between taxonomies and typologies and that typologies are
generally used in the social sciences (cf. Seebruck, 2015:37). In a typology, the dimensions
are made up of concepts which should be considered "as ideal types rather than empirical
cases, meaning typologies are not necessarily exhaustive" (Ibid.). Typologies can thus be
defined as "conceptually derived interrelated sets of ideal types" (Doty & Glick, 1994:232).
Taxonomies, on the other hand, "categorize dimensions based on empirical observation and
measurable traits" (Seebruck, 2015:37).
Having briefly identified what a typology is, its various subtypes, and how it differs from
related terms, the research continues by explicating its terminology and aligning it with
the intended use by NCSC/NCTV and with the method employed to build such a cyber actor
typology.
What should the cyber actor typology do?
A logical second question for the report is to establish the goal that the cyber
actor typology is intended to serve. In the introduction, the project's research goal was identified
based on the tender request: to assess and, if needed, update or improve the NCSC/NCTV
typology to help security professionals in their efforts to identify and assess threats from
actors who "adversely affect the reliability and security of information and information
systems" in the Netherlands (NCSC, 2016:25).
Obviously, the cyber actor typology and its underlying method need to produce reliable
output, i.e., when different analysts use it, they should identify a more or less consistent set
of threat actors. The typology and underlying method therefore need to adhere to scientific
design criteria such as consistency, dependability and replicability. That being said, analysts
will face certain trade-offs when using the method, such as distinguishing different threat
actors more precisely versus ending up with a manageable number of types in
the typology. Different analysts might make these trade-offs differently, depending on how the
resulting typology is to be used.
Given the central role that the cyber actor typology plays in threat assessment in The
Netherlands and the highly dynamic environment in which it is embedded, NCSC/NCTV staff
members will have to work with the typology on a day-to-day basis. This requires not only a
reliable, but also a concise typology.
The typology needs to be unambiguous, i.e. (intuitively) clear to its (wide range of) intended
users and must be able to capture the key characteristics of all (potential) cyber actors in a
small set of dimensions which in turn would systematically lead one to identify a threat actor
type based on the available data or assumptions on each of the dimensions. To be more
precise, the cyber actor typology only needs to categorize threat actors who are defined as
actors who (intend to) “adversely affect the reliability and security of information and
information systems” in the Netherlands (NCSC, 2016:25).
Various online activities such as child pornography distribution, copyright infringement, and
cyberbullying do not infringe on those security requirements and are therefore not included in
the typology as a threat actor even though obviously they are conducting illegal ac …