Cyber Threat Categories

Cyber Threat
INTELLIGENCE

Standardize and Categorize
Threat Information for
Improved Risk Analysis

TURN CYBER THREAT DATA INTO INTELLIGENCE YOU CAN USE

As overwhelming volumes of raw cyber event data are ingested into the SurfWatch data warehouse, they are aggregated and standardized into the CyberFact information model, which leverages a simple ATEP structure - Actor, Target, Effect, and Practice. Now security and IT professionals, executives and analysts can understand risks facing their organization and make more strategic and informed cybersecurity decisions.

KNOW WHAT CYBER ACTIVITY IS OCCURRING AND ITS IMPACT ON YOUR BUSINESS THROUGH CYBERFACT THREAT CATEGORIES

As part of the ATEP information model, SurfWatch Labs creates high-level threat categories for tags within a piece of information (i.e. a document). Associated with every CyberFact are Industry Target Tags, which describe the business or organization most impacted by the event. Below is the listing of threat categories for Actor, Target, Effect and Practice, along with definitions and real-world examples.

CyberFact

Actor

Who conducted/will conduct the attack?

State-sponsored
Organized Crime
Hacktivist

Target

What was specifically targeted in the attack?

POS Systems/Software
Cloud Services/Applications
Wireless Networks

Effect

What occurred as a result of the attack?

Data Stolen/Leaked
Vandalism
Device Hijack

Practice

What method was used to carry out the attack?

Social Engineering
Espionage
Network Intrusion

THREAT INTELLIGENCE SPECIFIC TO YOUR BUSINESS

Once the cyber event data is put into the ATEP structure, SurfWatch Labs runs sophisticated analytics and adds a layer of human intelligence to filter out all the "white noise". This resulting strategic and operational cyber threat intelligence is available via:

Cyber Advisor

THREAT ANALYST

ANALYTICS API

Immediately establish a threat intelligence operation that delivers personalized intelligence based on your specific business profile.

LEARN MORE

Gain visibility of relevant threats to your business, supply chain and industry, and mitigate your risk.

LEARN MORE

Easily access and integrate threat intelligence with your existing environment to compare relevant, external-facing threats to what you're seeing inside your network.

LEARN MORE

SURFWATCH LABS THREAT INTELLIGENCE CASE STUDY

"SurfWatch serves as our threat intelligence team, providing us with critical link analyses and insights to proactively address any potential cyber threats to our customers and our business. Knowing what cyber threat and Dark Web activity is occurring helps us ensure the safeguarding of customer information and focus our cybersecurity efforts in the right areas."

Larry Larsen
Director of Cyber Security

ADDITIONAL CYBER THREAT INTELLIGENCE RESOURCES

Free Whitepaper

Reduce Supply Chain Cyber Risks

Download Now

THREAT INTEL E-BOOK

Build the Business Case for Threat Intel

Download Now

Free Webinar

Connect the Dots Between Threat Intelligence & Business Operations

Watch Now

Category	Description	Examples
State-sponsored	The Actor or group is employed by the government of a nation-state.	Chinese government hackers, National Security Agency (NSA), United Kingdom Government Communications Headquarters
Individual	A specific person or group acting on their own, and not a member of any other Actor threat category.	Kid at school brings down school network 'for fun'. Group of people that deface sites in hopes of impressing someone (no political reason)
Hacktivist	An actor that performs attacks in order to draw attention to a cause (such as free speech or human rights), or hinder the support of a cause. If the cause is political, and/or designed to inflict terror, they are instead considered a Cyber terrorist.	Anonymous, Lulzsec_root, Syrian Electronic Army
Cyber terrorist	Actor carries out an attack designed to cause alarm or panic with ideological or political goals. Alternatively, if the actor is party to a known terrorist organization.
Organized Crime	Groups of criminals that intend to engage in illegal activity, most commonly for monetary profit. Attacks are designed to either extort money from the target, or the actors are funded to carry out an attack.	Producers of ransomware, Black-market data thieves
Identity Unknown	Actor is not identified within the document, either by handle or affiliation.	A report indicates that abc.com has been taken down by an attacker, with no additional information.
Organization	Organizations not specifically associated with information security but having some affect over the information security space.	Microsoft patch release notes, organization deploying new firewall/security measures
Information Security	Includes organizations or persons from, or whose actions affect, the Information Security sector. These are security researchers, computer scientists, antivirus vendors, CERTs, threat intelligence (non-state-sponsored).	Brian Krebs, IntelCrawler, Kaspersky Lab
Law Enforcement/Authority	Will include anyone involved in law enforcement (police, police cyber crime units, courts, judges) as well as attorneys and lawyers.	INTERPOL, United States Attorney, NYPD, Baltasar Garzon

Category	Description	Examples
Administrator Accounts	Accounts used to manage system/network resources and services	DNS accounts, server credentials
Social Media Accounts	Accounts for social networking and microblogging	MySpace, Facebook, Twitter, Tumblr
Email Accounts	Email addresses and accounts	Employee email accounts, Gmail accounts
Financial Accounts	Accounts related to banking, trading, payment cards, or any other financial service	Banking credentials, bitcoin wallets, tax accounts
Customer Accounts	Accounts used to purchase/manage services, and facilitate billing (like cell phone or utility accounts)	FedEx accounts, Adobe accounts, health insurance accounts
User Accounts	Accounts used to access a service (Forums, gaming platforms, news sites)	WhatsApp accounts, YouTube accounts
Cloud Account/Single Sign On	Accounts connected to cloud services	iCloud accounts, Google Drive accounts
Point of Sale Systems/Software	Refers to the area of a store where customers can pay for their purchases. The term is normally used to describe systems that record financial transactions. This could be an electric cash register or an integrated computer system which records the data that comprises a business transaction for the sale of goods or services.	Includes all parts of the system, customized hardware, scanners, electronic cash registers, touch screens
Storage Devices/Removable Media	A device for recording or storing information.	USB storage devices, hard drives, CDs and DVDs, tape backup
Medical Equipment	Medical Devices and equipment specific to the healthcare industry	Pacemaker, insulin pumps, any wireless medical devices
Consumer Electronics/Home Appliances	Electronic equipment intended for entertainment, communications, office productivity, and home electrical/mechanical machines.	TVs, gaming consoles, Apple TV, Bluetooth and GPS devices
Network Equipment	Devices that facilitate the use of a network.	Routers, switches, firewalls
Network Resources	Devices that provide services to end users over a network.	Printers, fax, video conferencing systems, server hardware
Desktops/Laptops		Personal computers, employee computers and business workstations
Vehicles/Vehicle Computer Systems	Electronic Control Units (ECUs) and other microprocessors used in automotive	Vehicle anti-theft systems, vehicle electronic control unit, vehicle sensors
Industrial Equipment	Equipment used in manufacturing, energy, and utilities.	Industrial Control Systems
Banking Equipment	Equipment specific to the banking industry	Automated Teller Machines (ATM/ABM), teller terminals, currency dispensers, encoders, cash processing equipment
Security Systems	Security devices, access-control and alarm systems	Cameras, bio-metric scanners, and electronic locking devices
Facilities	data/call centers, commercial or industrial buildings, housing, ...	New York EU office, nuclear installations
Payment Cards	All banking cards	Credit and debit cards, transit cards, loyalty program cards.
Firmware	Hardware embedded control software
Operating Systems	All desktop, laptop and server operating systems	Microsoft Windows, OS X, Ubuntu, AIX
Mobile Operating Systems	All mobile operating systems	Android OS, iOS, BlackBerry OS
Mobile Applications	All mobile applications regardless of function	BlackBerry Messenger, Angry Birds, Google Play
Web Browsers	Browsers and browser add-ons/plug-ins	Internet Explorer, Google Chrome, FireFox
Entertainment Software	Software used for leisure such as media players, video games, and gambling software	Quicktime, Windows Media Player, iTunes, Call of Duty
Communications Software	All remote access, file exchange (FTP clients), and messaging software clients including email clients and instant messaging/chat	Outlook Express, Foxmail, FileZilla, Yahoo Messenger
Productivity Software	Word processing, database, spreadsheet, and all other office/end user productivity applications	MS Office, Photoshop, Adobe Acrobat
Financial Software	Banking software, BitCoin software and electronic trading software	ClearPort, FOCUS IV, TradeFortress
Development Software	Application and web development software, programming software and APIs	Java, Adobe ColdFusion, Jboss Application Server
Management Software	Website back-ends, administration software, protocol servers (FTP, HTTP), enterprise security management software, inventory and access control software	Apache, Exchange Server, IIS, vSphere Update Manager
Industrial Software	Industrial control and distribution software, construction and computer-aided design software, production and manufacturing software	AutoCAD, Automated Identification Systems, SCADA
Security/Utility Software	Antivirus clients, security software clients (end user programs), and system utilities	Encryption software, iTouch, MacUpdate, McAfee anti-virus
Cloud Services/Applications	Anything-as-a-Service. This category also includes applications hosted on websites, web 2.0, HTML5 and ASP apps.	Amazon Cloud Drive, iCloud, Evernote, Dropbox, CryptoCat, Pandora, Talkr
Content Management Systems	Website management software and plugins	Wordpress, Joomla, Datalife, vBulletin
Data	Digital assets, includes documents, records, database contents, intellectual property, cred card information, PII, account credentials	Electronic health records, source code, customer data, SMS messages
Search Engines	Search engine related targets	Bing, Google Bot, Graph Search
Individuals	Persons Names, and pseudonyms	Mark Zuckerberg, Michelle Obama
Customers/Clients	Persons or organizations that purchase/manage goods or services from a business. Keywords: investors, guests, shoppers	Russian banking customers, Sebastian Corp. customers, Westin Hotels & Resorts guests
Patients	Persons receiving or registered to receive medical treatment	Medicaid clients, UnityPoint Health patients
Employees	Persons employed for wages or salary, includes non-official government employees. Keywords: staff, executives, administrators, coworkers, aides	US military personnel, White House employees, University of Maryland staff
Students	Someone who attends an educational institution (includes alumni - a former student)	University of Maryland, College Park students, University of Delaware students
Users	Persons that utilize a service or system. keywords: visitors, readers, players, owners, subscribers	Cake Poker users, Forbes website visitors, Microsoft Office users, Netflix users
Communities	Countries, cities, towns, regions. Keywords: residents, citizens	People of West Papua, Middle East countries
Group Members	Organization members/volunteers, threat groups (hactivist/hacking/APT groups), and groups of individuals with no organization. keywords: prisoners, activists, fans	Pro-government hackers, Syrian Electronic Army, LulzSec hacktivists
Government Officials	People elected or appointed to administer a government	Turkish Prime Minister, Ukrainian parliament members, Members of the Ukrainian Parliament
Wireless Networks	Any wireless local area network (WLAN), usually providing a connection through an access point to the wider Internet. Includes other wireless tech. like satcom and terrestrial microwave.	Airport WiFi networks, WiFi access points
Cellular Networks	Radio networks for mobile transceivers (phones, pagers, etc.)	3g/4g mobile networks, LTE networks, GSM telephone networks
Government/Military Networks	Networks owned and operated by government and military entities	German National Data Center, Centcom's computer system, Australian Federal Police (AFP) networks
Telecommunications Networks	High speed, high capacity, long-distance networks consisting of switches, cables, satellite, wireless transmitters and antennas which support data communications between smaller networks.	International communications links, Ukraine telecommunication systems, Indosat networks
Financial Networks	Networks owned and operated by financial organizations, included financial private networks	Markets, exchanges, Flexcoin networks, HBGary Federal networks
Private Networks	Networks owned and operated by businesses and other organizations	Boeing Company system, Boone Hospital Center networks, enterprise environments
Public Networks	Networks available to anyone	The internet, TOR, IRC
Domains	Generic and country-code top-level domain names as well as second and third level domain names	.com, .edu, .gov.nl
Infrastructure and Utilities	The physical components of interrelated systems providing commodities and services essential to enable, sustain, or enhance a society. This category includes networks supplying a community with electricity, gas, water, or sewerage.	Critical infrastructure, gas and oil pipelines, electric power, water systems
Websites	A public site for a company/business or any other entity. Frequently the target of defacements.	Walmart.com, google.com, and all other websites.
Forums	An online discussion site where people can hold conversations in the form of posted messages.	Ubuntu forum, NASDAQ forum
Blogs	A discussion or informational site published on the web.	Skype's Official blog, personal blogs, WordPress Blogs

Category	Description	Examples
Data Stolen/Leaked	When information is illegally copied or taken from a business or other individual. Includes all data types other than Personal and Financial Information.	Intellectual property, such as design documents, sensitive data, such as source code and military technology, user data, such as documents and photos, and other records.
Personal Information Stolen/Leaked	When any form of personal information is illegally copied or taken from a business or other individual.	Includes personally identifiable information (PII), such as social security numbers, protected health information (PHI), such as medical records, and contact information, such as home addresses and telephone numbers.
Financial Information Stolen/Leaked	When financial information is illegally copied or taken from a business or other individual. Commonly, this information is credit card information, online banking credentials and any other financial account information.	Includes payment card data such as credit card numbers and track data, bank account information, and financial records, such as transaction records.
Credentials Stolen/Leaked	When account credentials are illegally copied or taken from a business or other individual.	Stolen SSL keys, stolen file transfer protocol (FTP) credentials
Account Hijacked	Account hijacking is a process through which an individual's email account, computer account or any other account associated with a computing device or service is stolen or hijacked by a hacker.	Often time this will include things like the hijack of a Facebook or Twitter account but can include bank accounts/bitcoin wallets, any instance where an account has been accessed or taken over by a hacker.
Intercepted Communications	Interception of signals, whether between people or from electronic signals.	Electronic surveillance, compromised emails, eavesdropping
Data Altered/Destroyed	The process of destroying or altering data stored on all forms of electronic media - possibly results in making the data completely unreadable or inaccessible.	Examples: deleted database, ransomware encrypted files, altered DNS entries, altered grades
Damaged Reputation	Often related to times when accounts are taken over and used them to spread slanderous / misinformation that effects the reputation of an individual or company.	The hacking of an antivirus company or security company may affect the reputation of how well that company can secure their customers.
Financial Loss	Money has been stolen, or the net result has a financial impact.	This can include hacking into bank accounts to steal money or any hacking incident that costs a company money in fixing the issue/or costing them customer base
Fraud	A form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name.	A hacker steals people's personally identifiable information resulting in identity theft by using that individual's information to make purchases/makes changes to their bank account etc.
Destruction of Property	Attack results in damage or destruction of physical hardware	Any instance where the data theft or physical theft effects the physical properties of the equipment which the information was stored.
Vandalism	The act of editing a website in a malicious manner that is intentionally disruptive. Vandalism includes the addition, removal, or other modification of the text or other material that is either humorous, nonsensical, offensive, humiliating, or otherwise degrading nature.	Website defacement is the most common form of web vandalism. This will often occur by hackers defacing a website with a photo and a socio-political message of some sort, usually attributing the attack to themselves
Service Interruption	Attack results in a service or website to be unavailable for a period of time. Often times this is a result of a DDoS attack or after a website defacement has interrupted the sites serviceability.	The Anonymous Hacktivists deface websites of the US government with a message/photos etc. This takes over the web site, not allowing customers/internet users to access the site – interrupting the service.
Infected/Exploited Assets	A computer or server or network has the potential to, is currently, or has been infected or exploited.	When a hacker infects a mobile phone through an application and can make changes to the device or infect it with mobile malware.
Device Hijack	A process through which an device has been taken control of by another user.	Hijacked webcam, remotely activate lights
Security Bypass	Vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of an application or system.	Security tools compromised, security breached, Facebook security breach
Software Patched/Updated	This tag can be used for everything software related that has a positive effect.	When researchers identify a software vulnerability and the software is patched or updated in a manner to fix the problem.
Threat Intelligence	Reporting/discovery of malicious URLs/IPs and files, phishing, spam campaigns, and advanced threats	Includes APT, malware, and vulnerability discovery, as well as reports on cyber-criminal activity
Threat Prevention	Threat detection and removal, fraud prevention, defenses against DoS, malware and viruses.	Prevented malware, prevention of data breaches
Improved Security	Advances in encryption, network security, malware, threat detection, fraud prevention, upgrades due to standards and regulatory compliance, system upgrades, added security features.	Patched vulnerabilities, Sefnit botnet eradicated
Charges and Penalties	Used for instances where legal action has been taken against malicious actors or assets. This effect corresponds to the practice Law Enforcement Intervention.	Includes arrests and penalties, such as fines and prison terms, and seizure of malicious assets, such as domain suspension

Category	Description	Examples
Malware	Software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems	Virus, Trojan, etc.
Network Attack	Interacting with computer communications to cause an attack.	DDoS, sniffers, spoofed packets, etc.
Network Intrusion	Gaining access to a forbidden computer network.
Unauthorized Access	Getting data beyond what you are permitted.	Looking at your friend's amazon account info. Guessing a password to steal a company's HR records - hijacking verification codes, bypass encryption - brute-force attack
Social Engineering	Manipulating people to give you information under false pretenses.	Calling someone and posing as help desk to get sensitive information. Phishing techniques to gain sensitive data - phishing, spear phishing.
Illicit Distribution	The illegal or undesirable trade or dissemination of data, information, or technology.	Doxxing, carding, and leaking
Insider Activity	A person employed by a company causes cyber damage through their accesses.	A disgruntled System Administrator deliberately brings down the network on his last day, or a medical employee uses their positions to obtain patient record information for their individual use - BYOD breach.
Espionage	(Spying) Involves a government or individual obtaining information considered secret or confidential without the permission of the holder of the information	Signals intelligence operations (SIGINT), Operation Flatliquid, Corporate espionage
Software vulnerability exploit	When a hacker uses a software security hole which has not yet been patched by software developers to conduct a cyber attack.	AIS protocol vulnerabilities, CVE-2013-3613, Touch ID vulnerability
Hacking Operation	Campaign or Operation in action by hacker(s) which typically targets a specific group/industry	Anonymous targets the Italian government and announces the hacking as an operation. #OpUSA, #OpItaly, Operation Troy
Law Enforcement Intervention	This category can be used for a variety of law enforcement actions such as making an arrest, conduct a raid, confiscate equipment related to a cyber crime, or any other law enforcement involvement.	An instance of this would be if an online criminal marketplace was discovered by law enforcement and they seized any equipment or bitcoins from the site operations or arrested individuals etc.
Security Research	There are many companies that conduct security research and publish their findings this tag should be used when research is conducted in order to find vulnerabilities in operating systems, programs or any software.	Microsoft security researchers find a vulnerability and post their findings in a documents.
Mitigated Attack	This tag can be used anytime a business/entity/organization detects an impending attack on their networks or systems and prevents the attack from occurring.
Security Solutions	This tag is for hardware products, software, or services used for threat prevention or attack mitigation.	Examples: Frontier Communications Announces Computer Security Pro & Mobile Security Pro for SMBs. IBM launches Threat Protection System product suite and the Critical Data Protection Program.

TURN CYBER THREAT DATA INTO INTELLIGENCE YOU CAN USE

KNOW WHAT CYBER ACTIVITY IS OCCURRING AND ITS IMPACT ON YOUR BUSINESS THROUGH CYBERFACT THREAT CATEGORIES

CyberFact

Actor

Target

Effect

Practice

THREAT INTELLIGENCE SPECIFIC TO YOUR BUSINESS

Cyber Advisor

THREAT ANALYST

ANALYTICS API

SURFWATCH LABS THREAT INTELLIGENCE CASE STUDY

ADDITIONAL CYBER THREAT INTELLIGENCE RESOURCES

Free Whitepaper

Download Now

THREAT INTEL E-BOOK

Download Now

Free Webinar

Watch Now

Products

Solutions

Partners

Resources

Company

Socialize With Us

Demo

Buy