One of the more important subjects to develop some insight into in cybersecurity is why threat actor groups, at a general level, try to go after the targets they do using the tools & techniques that they do. Part of that involves understanding the economics of intrusions. A 🧵:

When I talk about the economics of intrusions, I'm not just talking about the costs of exploits or infrastructure or profitability of stealing cryptocurrency; I'm talking more broadly about whether hacking a target successfully is worth the investment required to achieve that.
There are a lot of potential complexities here, of course, many of which are specific to a given threat actor and/or a given target. But there are also very powerful and more general insights to be gained about how attacks most often work. And that's why I made this:
The chart shows you the field of targets of potential interest to a hypothetical cyber threat actor. It divides that field into 25 squares, considering (1) the potential value of targets to the actor and (2) the cost of successful intrusions driven by how defended targets are.
As you can see, the squares on the chart are grouped into seven categories. I'm going to argue to you that each category comprises a set of targets that have roughly the same degree of justification--meaning: the same degree of attractiveness--for a threat actor to go after.
So, let's talk about them. Category I (gold) is the most important group of targets for most threat actors. It lies at the intersection of low defensive strength and high potential value if hacked. It is the bread and butter of most cyber threat actors. It is where they thrive.
This is where the vast majority of cyber threat groups in existence wish they could operate, or do actually try to operate, all the time. Targets are minimally-to-weakly defended, yet if fully compromised bring significant-to-enormous value to the attacker.
(Whatever that value means to any given threat actor. Money, intelligence haul, etc.) This is the PRC breaching Equifax with an N-day Struts exploit campaign. It's a ransomware affiliate password spraying a privileged account at a mid-sized company. It's a botnet of crap routers.
The vast bulk of successful intrusions we read about happen against Category I targets. This is where (along with Category III) we on the defensive side are most acutely losing.
Category II (green) pretty much rounds out the targets that a cyber threat entity can successfully and profitably attack with "low-equity" (i.e. non-custom or very simple custom) offensive cyber capabilities alone. Why go after these? The value adds up, and they provide useful infrastructure.
Category III (sky blue) encompasses the highest return on investment targets that a threat entity can go after if it is willing and able to expand the quality of some of its personnel, tools, etc. to be able to breach some high value targets that have "decent" or "good" defenses.
Important note here: If you take Categories I, II, and III you have almost all the targets a cyber threat entity can go after with strongly attractive return on investment considerations. You also have almost the entirety of the body of public intrusion reports covered.
A mid-sized state with substantial cyber operations going after targets with "minimal" and "fragile" security plus a few smaller, better teams to go after carefully targeted entities who would be expected to have "decent" or even "good" defenses can be extremely successful.
Category IV (royal blue) is where we start to move into the province of APT state groups that are worth the label, going after targets that are actually (more or less) reasonably well-defended. Substantial and high value targets, but ones presenting some real challenges.
Category V (purple, the color of kings) is where a few Apex threat actors go after high and very high value targets that are very capably defended indeed. Formidable stuff. (That, alas, we so rarely get public insight into.)
Category VI is a set of targets that threat actors should generally avoid trying to go after with higher end offensive capabilities. Because, well, even if they succeed the juice frequently won't be worth the squeeze.
And then there's Category VII (black). Category VII targets are simply highly unlikely to be worth targeting in any concerted way. They are too well-defended, for too little potential return.
Now, one final point to make in this thread, and it is a vital one. How do threat actors actually *know* the defensive qualities of these targets? And even their potential value with any confidence, for that matter?
Well, proprietary intelligence collection, OSINT, etc. can of course be of great value in shedding light on such questions. Or you can throw attacks, especially lower-investment attacks, against the targets and watch whether they succeed and, if so, what they return.
So, at the end of the day, we gain better understanding not just of why cyber actors tend to go after targets they believe are less well-defended but why they may throw commodity attacks at targets of all varieties to better understand how defended and valuable they actually are.
[/fin]
Brian in Pittsburgh
Former attorney, current IT & infosec consultant in the 'Burgh. Happy to talk about password spraying one minute and constitutional law the next. Son of #wvu.