Understanding hacker tactics and their motives through metrics involves analyzing patterns and data points from various sources. You may consider the key metrics and approaches below:
- Attack Vectors: Types of attack (phishing, malware, ransomware, DDoS, etc.), frequency of each attack vector. Knowing the most common attack vectors helps identify hackers’ preferred techniques and the most vulnerable systems.
- Attack Frequency and Volume: Number of attacks over time, by geography, industry, or target system. Frequent attacks may signal automated tactics like botnets or mass campaigns, whereas lower-frequency but targeted attacks suggest more sophisticated, goal-oriented hackers.
- Time to Breach (Dwell Time): The interval between an attacker's initial compromise of a system and the moment defenders detect the breach. Longer dwell time indicates stealthy tactics, such as APTs, aimed at exfiltrating data or compromising systems over time.
- Types of Data Targeted: Types of data stolen (personal data, intellectual property, financial data). The motive often aligns with the data targeted. Financial data theft might point to cybercriminals, while intellectual property theft could suggest espionage by nation-states.
- Targeted Industries: Distribution of attacks by industry. Certain industries attract different types of hackers (e.g., financial gain, political motives, or activism). This provides insight into motives and methods.
- Monetary Loss or Gain: Financial impact of the attack, ransom amounts demanded. This helps differentiate between financially motivated cybercriminals versus ideological or politically motivated groups.
- Attack Complexity: Number of tactics, techniques, and procedures (TTPs) used, the sophistication of malware, and exploitation of 0-day vulnerabilities. More sophisticated attacks often suggest a highly skilled group, while lower sophistication may point to amateur hackers or automated attacks.
- Vulnerabilities Exploited: Common vulnerabilities used in attacks (CVEs), patching timelines. Tracking which vulnerabilities are exploited helps identify the hacker’s technical expertise and focus areas (e.g., if they are leveraging outdated systems or 0-days).
- Post-Breach Activity: Lateral movement within the network, privilege escalation, data exfiltration methods. Hackers’ behaviors once inside a system can provide insight into their end goals—whether it’s to maintain a persistent presence, steal data, or disrupt operations.
- Social Engineering Success Rate: Percentage of phishing attempts that lead to a successful compromise. A high success rate in social engineering might indicate a focus on human vulnerabilities rather than technical weaknesses, showing a reliance on psychological tactics.
- Response Times: Time taken by defenders to detect and respond to incidents. Attackers may exploit organizations with slow response times, indicating a strategic focus on such weaknesses.
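The dwell-time, response-time, attack-vector and social-engineering metrics described above, computed over a handful of constructed incident records. This is an added example, not part of the original text; the Incident record layout and the 30-day threshold used to flag long-dwell intrusions are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass
class Incident:
    vector: str            # attack vector (phishing, ransomware, ...)
    industry: str          # sector of the victim organization
    data_targeted: str     # category of data the intrusion went after
    compromised: datetime  # first evidence of attacker access
    detected: datetime     # when defenders identified the intrusion
    contained: datetime    # when defenders stopped the intrusion

def dwell_time_days(incidents):
    """Median dwell time (initial compromise to detection) in days."""
    return median((i.detected - i.compromised).total_seconds() / 86400 for i in incidents)

def response_time_hours(incidents):
    """Median defender response time (detection to containment) in hours."""
    return median((i.contained - i.detected).total_seconds() / 3600 for i in incidents)

def vector_frequency(incidents):
    """Incidents per attack vector, most common first."""
    return Counter(i.vector for i in incidents).most_common()

def social_engineering_success_rate(attempts, compromises):
    """Share of phishing attempts that led to a confirmed compromise."""
    return compromises / attempts if attempts else 0.0

def long_dwell(incidents, threshold_days=30):
    """Incidents whose dwell time exceeds the (assumed) threshold: candidates
    for stealthy, goal-oriented intrusions rather than opportunistic ones."""
    return [i for i in incidents
            if (i.detected - i.compromised).days > threshold_days]

# Constructed sample records (not real incident data).
SAMPLE = [
    Incident("phishing", "finance", "financial", datetime(2024, 1, 3),
             datetime(2024, 1, 5), datetime(2024, 1, 5, 12)),
    Incident("phishing", "healthcare", "personal", datetime(2024, 2, 1),
             datetime(2024, 2, 10), datetime(2024, 2, 11)),
    Incident("ransomware", "manufacturing", "operations", datetime(2024, 3, 1),
             datetime(2024, 3, 1, 6), datetime(2024, 3, 3)),
    Incident("supply-chain", "defense", "intellectual property", datetime(2024, 1, 15),
             datetime(2024, 4, 15), datetime(2024, 4, 20)),
]
```

On the sample set the median dwell time is 5.5 days and the median response time 33 hours, and only the supply-chain intrusion against intellectual property exceeds the 30-day dwell threshold, matching the espionage pattern the list describes.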