Bestiary noun, plural bes·ti·ar·ies.
The term “hacker” is often used to describe anyone who attempts to exploit weaknesses in computer systems, regardless of any differentiating factors such as their resources, motivations, and level of skill. However, a lack of understanding as to what hackers who might target an organisation are attempting to achieve, what skills and tools they might have at their proposal, and how they might conduct an attack, security teams are working blind. It is not possible to deliver accurate threat modelling on which effective risk management is based without understanding the nature of the threat posed.
In this blog post we look at the different types of hackers known to operate, describing their differing motivations, techniques, and practices. Awareness of the different threats they pose can be key to defending organisations from the specific types of attacks that might be launched against them.
Hackers are sometimes referred to as though they were a homogenous and generic group, either through a simple lack of awareness as the existence of different types of hackers, or a lack of regard for the advantages in understanding their often-differing actions and motivations. However, an understanding of the taxonomy or typologies of different types of hackers can provide those in the cybersecurity field with a clearer insight into the likely attacks that might be launched against them. There is a clear defensive advantage in understanding the motivations of hackers, as well the types of attacks they use and their likely level of sophistication and capabilities. Ensuring that security controls are appropriately resourced and efficiently focused to address the greatest threats can only be done when the nature of the threats posed are fully understood.
From the earliest days of computer and communications security, hacker culture has made use of slang internally to describe different types of hackers, such as “crackers”, “phreakers”, “thugs” and “lamers”. What has changed more recently is the adoption of hacker terminology by researchers in attempts to formally classify hackers in relation to threat management. Scientific journals, periodicals, and other peer-reviewed publications such as the International Journal of Cyber Criminology have all published work from security researchers that attempts to assign a typology to different types of hackers, characterised by factors including their sophistication, motivation, and value systems.
In this blog post we present an accessible summary of some of the current most commonly used typologies. A familiarity with these can greatly assist security teams in understanding the most likely sources and methods of threats within their own unique industry and operating environment. The terminology is by no means universally agreed-upon and the meanings and usages can sometimes be contradictory and overlapping depending on the source. The below list is based on the most common consensus but may contradict specific individual sources.
At the highest level of abstraction, security researchers differentiate between good and evil, yin and yang, dark and light. It’s a somewhat crude distinction analogous to the trope of “white knights” and “black knights” in Hollywood films and medieval literature and aped in Star Wars’ white-robed Jedi and black-clad Sith. The same colour scheme is applied to hackers, providing the simplest differentiation between those who hack “for good” and those who hack “for evil”: a third “grey” form of hacker is usually also included, to describe those whose activities fall somewhere in between the two extremes.
“Black hats” is the name given to the classic form of hacker that the general public is widely familiar with: hackers with purely malicious intentions. “Black hat” hackers have many different sub-types, as we shall see, but are often involved in the theft of data or attempt to steal funds and are usually (although not always) motivated by personal financial gain. Their activities are almost always entirely illegal.
A “white hat”, by contrast, is a hacker, but one whose actions are almost always legal. The term “ethical hacker” is sometimes used interchangeably, and “ethical hacking” is sufficiently mainstream and respectable that various professional certifications are available, including the “CEH” (Certified Ethical Hacker) qualification. There is a broad overlap between “ethical hacking” and penetration testers, although the former is a slightly wider category. The activities of white hat hackers are normally restricted to targets against which the hacker has the owner’s explicit consent to attempt to hack. Rather than exploiting any vulnerabilities found, white hat hackers will aim to identify any vulnerabilities the current system has for benign or altruistic goals. If a vulnerability is found, the hacker might for instance report it to the system owner privately, in order to allow them to remediate the flaw before it can be otherwise discovered and exploited by a hacker with less benign motives.
A grey hat hacker lies somewhere between the two types above and is a slightly more nebulous term that is not universally used. It is intended to indicate a cybersecurity expert who has the same benign intentions as a “white hat hacker” but may at times be testing systems without explicit permission having been granted.
Rather than operating on behalf of an organisation under contract (as a penetration tester or bug bounty hunter for example) they may engage in hacking as a learning experience to improve their skills, or as a personal challenge and for the enjoyment of the excitement of finding flaws in systems or networks without the owner’s permission (even though they aren’t trying to cause any harm).
Since “grey hats” are operating outside of legal boundaries, some sources simply include them under the same category as “black hats”, seeing the activity (unauthorised testing) as fundamental, and any claimed altruistic intentions as irrelevant.
The three categories above are incredibly broad and really cover a simple binary split into authorised and unauthorised activities. What they do not address is factors such as the individual skill levels of hackers, nor their precise motivations or common targets. For that, a much broader dictionary of terms are used. There is much less agreement on these, and a degree of overlap in some cases. Contemporary research is still ongoing to try and establish a more formal agreed classification, but the below are some of the more commonly described subsets of threat actors:
“Hacktivists” (a portmanteau of “hack” and “activist”) or “ideologists” are terms often used to describe individuals and groups who perform hacking either as a form of civil disobedience against a government or regime, to promote a political agenda of their own, or to agitate for a political cause or desired social change. The causes can vary massively: from the targeting of individual politicians or public figures to campaigns relating to divisive topics such as abortion rights, environmentalism or animal cruelty, agitation against a government or regime, campaigns for free speech or human rights, or freedom of information movements. There is a degree of overlap between hacktivists and other groups such as cyber-vigilantes (who may for example try and expose alleged sex offenders) as well as cyberterrorists (which we shall look at later). Often, a group may be classed differently by those within in compared to those outside it, especially those they are targeting.
Hacktivists often operate illegally (essentially as black hats), believing that the moral justification for their actions overrides official legality. Because hacktivism often revolves around some form of cause celebre, it can often create an ad hoc and often geographically dispersed network of threat actors, working in collaboration toward common goals though without a strict framework, central authority, or organized hierarchy.
Generally-speaking most private organisations would not typically be the target of hacktivists unless they were operating in some potentially controversial or politically sensitive arena or industry, such as animal testing or abortion support.
There is a fine line between hacktivism and some forms of cyberterrorism, which are also politically motivated. Sometimes the difference can be a matter of perspective, and hackers that consider themselves hacktivists might be considered cyberterrorists by the victims of a political attack.
However, Cyber-Terrorism also extends to attacks targeting nations and with the intent of causing disruption or system outages that could threaten the physical safety of people and even lead to the loss of life. There is also a degree of overlap in this respect between cyber-terrorism if it is state-sponsored and the operation of nation-state actors that we shall look at separately below. There is often a very grey line between the two, with either explicit or implicit support (or simply a blind eye) being offered by certain nation states to technically “rogue” groups that nevertheless act in a state’s interests against a foreign adversary.
Concerns have been raised against the threats posed by cyber-terrorists to key national infrastructure such as refineries, power generation and distribution centres, transport infrastructure, and even automated farming systems.
The term “elites” is often used to describe highly experienced and technically adept hackers who are essentially “guns-for-hire”, willing to deploy an arsenal of exploits on behalf of a client. Since the term really relates only to the level of experience of the hacker and not their targets or the motivations of their clients, it is not possible to describe their “typical” targets. They are most probable (with the exception of nation state actors) to have access to sophisticated “0day” exploits, against which there are no existing detection patterns or patches available.
Rather than risking arrest by executing attacks themselves, professionals and elites are more likely to craft exploits that they then sell on to other black hat hackers or criminal organisations within a wider ecosystem. When elites craft exploits for others they are sometimes referred to as “Facilitators”.
A relatively niche term not found in all sources, a samurai is the label (often self-ascribed) used in relation to hackers who contract out their skills for hacking that may be either legal or illegal but for which the hacker believes is a justifiable or noble cause. A samurai hacker, whilst contracting services on a paid basis typically, may choose only to perform services for clients whose goals they support or to which they ascribe at least some merit or nobility of cause. This may include examples such as political groups to which they are sympathetic, or lawyers pursuing privacy-rights and similar “rights”-based cases.
Not all hackers are highly experienced. Students of hacking who are just starting out but lack malicious intent and who hack to gain knowledge are known as “green hat” hackers, or sometimes as “neophytes”. A green hat hacker is primarily focused on increasing their cyberattack skills rather than causing damage to a target. Since their main intent is to improve their skills, they will often spend their time practicing hacking although without “weaponizing” exploits, in order to reduce their chance of detection, as well as looking for learning opportunities from more experienced hackers.
A green-hat hacker may not at their relatively early stage yet have decided exactly which path to take and could (if they choose to continue their activities) potentially focus on either black-hat or white-hat activities in the future.
Some less experienced hackers moving on from the “neophyte” stage, and referred to as “cyberpunks”, “crashers”, or “thugs” depending on the source, are motivated my nothing more than causing disruption, damage, or havoc. More commonly lower in skill, and often younger in age, cyberpunks can perform simple hacks simply to gain reputation among their peers, for fun, or to show off. Rather than seeking to exfiltrate data or gain a persistent presence, cyberpunks will most commonly seek maximum visibility for their hacks on the shortest timescale possible. This often means that a cyberpunk attack will focus on the compromise of highly visible web services and may result in defacement of the site in question, and replacement with an often-explicit image or set of text. It will frequently attribute the hack to a specific group or nick-named individual.
Despite the apparent low threat from cyberpunks, and lack of sophistication in techniques, a compromise of a public web service by a cyberpunk can still be incredibly damaging to an organisation since it is highly visible to customers. Cyberpunks are generally not overly concerned with their choice of target, but visibility is a key for them when selecting their target.
Some of the most sophisticated hacking groups are either employed by or directly embedded within national intelligence agencies. State- or nation-sponsored hackers will be directed by a country’s government to gain access to another nation’s computer systems. They are highly skilled, highly resourced, highly focused on specific objectives, and willing to be patient and persistent, often working for months on a given target. If they gain initial access, they will generally do nothing other than cover their traces and seek to increase their foothold further.
Nation-state actors follow carefully developed methodologies that rigorously step through a series of stages: they will gain initial access to a target network, often via an original “0day” exploit of high sophistication. They will seek to exploit this to gain persistent access via reverse shells, rootkits, and other tools in order to escalate their privileges either vertically (gaining administrative rights on the originally-compromised host) or laterally (pivoting their attack to compromise further systems). Known as “Advanced Persistent Threats”, nation-state actors will seek to persist their presence for an extended period without detection, taking care to cover their traces and work slowly and methodically to expand their presence.
The term “cracker” is one of the least agreed-upon terms in hacking. It is sometimes used to refer to any black-hat hacking. Other sources use the term to represent all activity that we would normally refer to as “hacking”, reserving the term “hacker” instead for other activities altogether such as creative development practices. However, in the most widespread usage, “crackers” normally refer to more skilled black hat hackers who use hacking in order to make profits or to otherwise benefit their own interests, rather than just vandalizing web properties as cyberpunks do. Crackers, unlike “elites” will typically seek to exploit vulnerabilities and profit from them directly themselves, using methods such as ransomware. Crackers are typically focused upon targets of opportunity and most organisations will be under some risk from their activities.
A script kiddie (sometimes “skid”) is a comparatively inexperienced hacker. They will typically perform hacks using exploits in the form of scripts or programs (such as a web shells or rootkits) that have been developed and made available for use by other, more experienced hackers.
“Script kiddies” is a term that relates more to level of experience than to motivation and has some overlap with the “cyberpunk” type hacker we looked at above. Script kiddies may be trying to impress friends or others within their social circle or hacking community. A script kiddie attack, as with a cyberpunk attack, is not typically overly planned or strategized and focuses on maximum impact within minimal timescale. They do not typically make use of advanced persistent threat techniques such as long dwell times and pivot attacks and may simply be trying a single exploit against many targets in sequence without even understanding how the tool or script they are using really works.
Hacking can be highly profitable, and organized crime gangs are known to operate. This can take the form of social engineering attacks such as online versions of the so-called “Nigerian letter scam”, also known as advance fee fraud or “419 fraud” in which a sender requests help facilitating the illegal transfer of money but defrauds the recipient.
However, organized crime gangs are also known to have performed attacks including ransomware attacks, encrypting a victim organisation’s data, and then demanding substantial payments (often via payment forms such as Bitcoin) from victims in order to restore access.
In a modern-day version of espionage, hackers are often employed to perform corporate hacking and industrial espionage. Very often this can involve infiltrating competitors in order to steal trade secrets, secret corporate roadmaps, or documents such as bidding packs, the knowledge of which would provide a competitive advantage in negotiations. In larger enterprise, these deals can be worth billions of dollars, so the activities of these groups can often be extremely well-resourced.
The line between industrial espionage and nation-state actors can sometimes be very blurred, with state support provided to nationalized industries or domestic giants seeking to win enormously valuable international contracts.
“Blue hats” is not a universally accepted term and is used within Microsoft and a few other organisations in particular to refer to outside computer security consulting firms that are employed to bug test a system prior to its launch, looking for exploits. It can also be used to refer simply to any “defensive” security team, such as those operating security controls and protecting an organisation – and in contrast to “red teams” that may test those systems (such as penetration testers).
Organisations seeking to prevent hacks from being exploited against them will often employ penetration testers or ethical hackers to check their systems and report vulnerabilities to them so that they can be remediated before an adversary exploits them. Where this is limited to probing of technical systems only for technical exploits, it is commonly known simply as penetration testing. When granted a wider remit, to test all aspect of organisational security, the terms “sneakers” or “tiger teams” are more commonly used. These roles tend to be more “gloves off” and be granted explicit permission to test other aspects of security such as physical/site security measures and social engineering of employees.
The term “red team” or “red hats” is – similar to the term “crackers” – subject to fairly varied use and interpretation. In its broadest use, it is sometimes used to refer to hackers who are hired by organisations to spot vulnerabilities in security systems. In this sense, they are simply ethical hackers or penetration testers and the counterpart to the “blue teams” that operate security controls and attempt to detect and prevent attacks. However, the term is also used more specifically to refer to teams employed by government agencies in particular, with a focus on finding and disarming black hat hackers.
In the last decade or so, many organisations have begun to operate “Bug Bounty” schemes as an alternative to, or in order to supplement, contracted penetration testing. In traditional penetration testing, an individual or small team of ethical hackers is explicitly contracted for a set period (say a week) on a one-off or periodic (e.g., annual) basis to test an organisation’s security systems and present a report on any vulnerabilities found. The service is provided on a “fixed fee” basis, directly relating to test duration.
In contrast to this model, the “bug bounty” model allows organisations to simply allow any registered individual to test their systems (within a permitted and defined scope) at any time. The organisation, rather than paying a set fee upfront, then rewards hackers on a “no win no fee” basis, by paying out according to a pre-arranged fee schedule, only for new vulnerabilities that are found and reported to them.
Lastly, it is worth considering that sometimes a threat to an organisation doesn’t come from an external hacker at all. Rather an employee of the organisation can themselves present a risk. Whether seeking to defraud the company because of individual financial difficulty or motivated by revenge for a perceived slight or mistreatment, disgruntled current or ex-employees may abuse their often-privileged access permissions in order to hack the organisation. These attacks can be high threat to an organisation since the vector may be unexpected, and the individual better positioned to mask their activities, than an external hacker.
AppCheck can help you with providing assurance in your entire organisation’s security footprint, by detecting vulnerabilities and enabling organizations to remediate them before attackers are able to exploit them. AppCheck performs comprehensive checks for a massive range of web application and infrastructure vulnerabilities – including missing security patches, exposed network services and default or insecure authentication in place in infrastructure devices.
External vulnerability scanning secures the perimeter of your network from external threats, such as cyber criminals seeking to exploit or disrupt your internet facing infrastructure. Our state-of-the-art external vulnerability scanner can assist in strengthening and bolstering your external networks, which are most-prone to attack due to their ease of access.
The AppCheck vulnerability analysis engine provides detailed rationale behind each finding including a custom narrative to explain the detection methodology, verbose technical detail, and proof of concept evidence through safe exploitation.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the common vulnerabilities and exposures (CVE) program as a CVE numbering authority (CNA)
As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please contact us: firstname.lastname@example.org
No software to download or install.
Contact us or call us 0113 887 8380