Threat Actors
Understanding Threat Actors
Threat actors are individuals, groups, or entities responsible for carrying out malicious activities that can harm systems, networks, or data. They are often motivated by financial gain, espionage, ideology, or disruption. Threat actors can range from lone hackers to organized crime groups, nation-states, or insider threats.
Key Metrics to Monitor
Critical Actors: Threat actors posing a high risk due to their capability and intent.
Active Actors: The total number of threat actors currently engaging in malicious activities.
Threat Activity Timeline: Tracks the frequency and volume of attacks over time (e.g., API hits).
Threat Actor Map: Geographically maps the origin of threat actors.

Threat Actor Attributes
Akto derives user threat actors directly from inbound API traffic observed during runtime analysis. The following attributes are shown for each entry in the actors list:

Actor ID: Unique identifier derived from the source IP address. Enables correlation of attack activity across APIs and over time.
Actor IP: Network address associated with the actor. Supports blocking, rate limiting, and forensic analysis.
Country: Geolocation inferred from the actor IP. Helps identify regional attack patterns.
IP Reputation: Reputation metadata associated with the actor IP. Provides contextual risk signals for prioritization.
Latest Host: Hostname most recently targeted by the actor. Identifies the API surface under attack.
Latest API: Most recent API endpoint accessed by the actor. Shows the affected API operation.
Latest Attack: Attack category detected for the most recent flagged request. Indicates the type of security issue observed.
Access Type: Exposure level of the API endpoint. Differentiates public and restricted APIs.
Sensitive Data: Indicator of sensitive data involvement. Highlights potential data exposure risk.
Status: Current state of the threat actor. Shows whether the actor remains active.
Detected At: Timestamp of first detection. Supports incident timeline reconstruction.
Note
IP reputation information is sourced from a third-party threat intelligence provider and includes contextual signals such as ISP, usage type, abuse reports, and whitelist status.
Akto consumes this data to enrich threat actor context and does not generate or modify reputation scores.
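The attribute list above separates "first seen" fields (Detected At) from "latest" fields (Latest Host, Latest API, Latest Attack) and derives the actor identity from the source IP. The following Python is an added illustration of how such a per-actor table is rolled up from inbound traffic; it is not Akto's code. The sample events, the truncated-SHA-256 actor ID, the attack-category labels and the 24-hour "active" window are all constructed assumptions for the example.

```python
"""Roll inbound API events into a per-actor table (added example, not Akto code)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, country, host, API, attack category).
# attack is None for a request that triggered no detection.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00Z", "203.0.113.7", "US", "api.example.com", "POST /v1/login", "Credential stuffing"),
    ("2024-05-01T10:00:05Z", "203.0.113.7", "US", "api.example.com", "GET /v1/users/42", "BOLA"),
    ("2024-05-01T10:01:00Z", "198.51.100.23", "DE", "dev.example.com", "GET /v1/orders", "SQL injection"),
    ("2024-05-02T09:30:00Z", "203.0.113.7", "US", "payments.example.com", "POST /v1/refunds", "BOLA"),
    ("2024-05-02T09:31:00Z", "192.0.2.9", "FR", "api.example.com", "GET /v1/health", None),
]

# Assumption: an actor counts as active if it was seen within the last 24 hours.
ACTIVE_WINDOW = timedelta(hours=24)


def actor_id_for_ip(ip: str) -> str:
    """Stable identifier derived from the source IP (truncated SHA-256; an assumption)."""
    return hashlib.sha256(ip.encode()).hexdigest()[:12]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass
class ActorRecord:
    actor_id: str
    actor_ip: str
    country: str
    detected_at: datetime   # first detection; never moves forward
    last_seen: datetime     # drives the Status field
    latest_host: str
    latest_api: str
    latest_attack: str
    attack_count: int = 0

    def status(self, now: datetime) -> str:
        return "active" if now - self.last_seen <= ACTIVE_WINDOW else "inactive"


def build_actor_table(events) -> dict:
    """Group flagged events by source IP, keeping first-seen and latest-seen fields apart.

    Requests with no detection do not create or update an actor (an assumption here).
    """
    table: dict = {}
    for ts, ip, country, host, api, attack in sorted(events, key=lambda e: e[0]):
        if attack is None:
            continue
        when = parse_ts(ts)
        aid = actor_id_for_ip(ip)
        rec = table.get(aid)
        if rec is None:
            rec = ActorRecord(aid, ip, country, when, when, host, api, attack)
            table[aid] = rec
        else:
            rec.last_seen = when
            rec.latest_host, rec.latest_api, rec.latest_attack = host, api, attack
        rec.attack_count += 1
    return table


def count_active(table: dict, now: datetime) -> int:
    """The 'Active Actors' metric: actors whose status is active at `now`."""
    return sum(1 for r in table.values() if r.status(now) == "active")


if __name__ == "__main__":
    now = parse_ts("2024-05-02T12:00:00Z")
    for rec in build_actor_table(SAMPLE_EVENTS).values():
        print(rec.actor_id, rec.actor_ip, rec.country, rec.latest_host,
              rec.latest_api, rec.latest_attack, rec.status(now), rec.detected_at)
```

Sorting by timestamp before folding matters: if events arrive out of order, Detected At would otherwise be set from whichever event happened to be processed first rather than the earliest one.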
How to configure Threat Actors
By default, Akto's Threat Protection module uses the client's IP address to identify a threat actor.
To change this, navigate to Settings -> Threat Configuration in the left navigation bar.
Example Configuration
Type: hostname
Hostname: dev.*com
Header Name: authorization
This configuration applies to requests whose hostname matches the pattern dev.*com (for example dev.example.com) and that carry an authorization header; for those requests the threat actor is identified uniquely by the value of the authorization header rather than by the client IP. Keying actors on a credential value has two consequences worth keeping in mind: a client that rotates its token appears as a new actor, and a credential shared by several clients collapses them into one actor.
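The configuration above is a rule of the form type/hostname/header name that overrides the default IP-based identity. The Python below is an added example, not Akto's code, of how a request is resolved to an actor key under such a rule. The matching order (first matching rule wins), the use of a full-string regular-expression match on the hostname, the fallback to the client IP when the header is absent, and the hashing of the header value so that a raw bearer token is never stored as the actor key are all assumptions made for the illustration.

```python
"""Resolve a request to a threat-actor key under a Threat Configuration rule.

Added example, not Akto code. Rule shape mirrors the configuration above
(Type: hostname, Hostname: dev.*com, Header Name: authorization).
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ActorRule:
    type: str          # only "hostname" rules are modelled here
    hostname: str      # regular expression over the request host, e.g. dev.*com
    header_name: str   # request header whose value identifies the actor


@dataclass(frozen=True)
class Request:
    client_ip: str
    host: str
    headers: dict      # header names as sent; HTTP header names are case-insensitive


# Constructed rule set matching the page's example configuration.
RULES = [ActorRule(type="hostname", hostname=r"dev.*com", header_name="authorization")]


def header_value(req: Request, name: str):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def fingerprint(value: str) -> str:
    """Key the actor on a truncated hash of the credential, never on the raw token."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def resolve_actor(req: Request, rules=RULES) -> tuple:
    """Return (source, actor_key).

    Assumptions: rules are tried in order and the first match wins; the hostname
    pattern must match the whole host; a matching host without the configured
    header falls back to the default IP-based identity.
    """
    for rule in rules:
        if rule.type != "hostname":
            continue
        if not re.fullmatch(rule.hostname, req.host):
            continue
        value = header_value(req, rule.header_name)
        if value is None:
            continue
        return ("header:" + rule.header_name.lower(), fingerprint(value))
    return ("ip", req.client_ip)


if __name__ == "__main__":
    # Constructed requests: same IP with two tokens, two IPs sharing one token.
    for req in [
        Request("203.0.113.7", "dev.example.com", {"Authorization": "Bearer tokenA"}),
        Request("203.0.113.7", "dev.example.com", {"Authorization": "Bearer tokenB"}),
        Request("198.51.100.23", "dev.example.com", {"authorization": "Bearer tokenA"}),
        Request("203.0.113.7", "api.example.com", {"Authorization": "Bearer tokenA"}),
        Request("203.0.113.7", "dev.example.com", {}),
    ]:
        print(req.client_ip, req.host, resolve_actor(req))
```

Running the block shows the two consequences of header-based identity: the first and second requests come from one IP but resolve to two actors, while the first and third come from different IPs and resolve to the same actor. Requests to a non-matching host, or to a matching host without the header, fall back to the IP key.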
