CHAPTER 5 Know Your Enemy

5.1 HACKERS

5.1.1 They Don't Wear Balaclavas

The people who carry out cyber attacks are largely anonymous figures – famously caricatured in thousands of media stock photos as faceless youths in hoodies, wearing ‘Anonymous’ Guido Fawkes masks or balaclavas, and typing fiendishly at computer keyboards in black burglars' gloves.

The reality is that cyber hacking has progressed from its early stereotype as a hobby for amateur teenagers in their bedrooms to a professionalized, informal but well-organized, international industry with a hierarchy of participants, a set of guilds with niche specializations, its own social networks, cryptocurrencies, trading networks, e-commerce markets, communication systems, and vocabulary. Cyber attackers are commonly referred to as ‘threat actors’ (by theoreticians), ‘hackers’ (by us), ‘black hats’ (by the security community), ‘the red team’ (by company IT staff), ‘perpetrators’ (by the law enforcement community), and the ‘bad guys’ (by everyone else). Cyber attacks are criminal acts, so it is also correct to call them ‘cyber criminals’. In general we prefer the term ‘hackers’, with no disrespect to the many ethical hackers who work on the side of the angels, and are sometimes called ‘white hats’ or ‘the blue team’. We will generally mean criminals when we refer to hackers.

In addition to the threat of external attack, businesses and organizations are vulnerable to cyber compromise from their own employees and internal ...
