
Table 2 Characterizing threat actors based on gained insights

From: Under false flag: using technical artifacts for cyber attack attribution

Questions regarding the relevant INFRASTRUCTURE:

∙ Was the victim specifically selected or likely hit by chance? (e.g., Was there a mechanism for target validation?)

∙ Were other target infrastructures attacked in parallel?

∙ Was insider knowledge likely required to break in effectively?

∙ What external infrastructure (Cloud, DNS etc.) was utilized to carry out the attack?

Questions regarding the CAPABILITIES of a threat actor:

∙ What special skills were required in order to build the payload?

∙ How rare are these skills and who is known to have them?

∙ What budget and time resources were likely required?

∙ Who has the facilities and access to certain components (in the case of CPS) needed to rebuild the target environment and test exploits against it? (if applicable)

∙ Were any beginner's mistakes made?

∙ Were certain actions sloppy compared to other steps in the whole process?

∙ Was the operation successful in general?

Questions regarding the MOTIVATION of a threat actor:

∙ Who clearly benefits from breaching the target organization?

∙ Who or what was harmed most, also considering side effects and long-term effects?

∙ Who or what was damaged most, and which impact can be predicted for the future?

∙ Can any current political developments be associated with this attack?