Threat Actors
What Is a Threat Actor?
Any individual, group, or entity that poses a risk to the confidentiality, integrity, or availability of information systems.
Threat Actor Categories
| Type | Motivation | Sophistication | Resources |
|---|---|---|---|
| Nation-State | Espionage, sabotage, political disruption | Very High | Very High |
| Organized Crime | Financial gain | High | High |
| Hacktivists | Ideology, political agenda | Medium | Low–Medium |
| Insider Threats | Revenge, financial gain, accidental | Varies | Internal access |
| Script Kiddies | Notoriety, curiosity | Low | Low |
| Competitors | Economic advantage | Medium | Medium |
| Terrorists | Fear, disruption, ideology | Varies | Varies |
Nation-State Actors (APTs)
APT (Advanced Persistent Threat) — long-term, stealthy intrusion campaigns sponsored by governments.
Characteristics:
- Long dwell time (months to years undetected)
- Custom malware / zero-day exploits
- Multi-stage attack chains
- Targets: government, defense, critical infrastructure, finance
Notable APT groups:
- APT28 (Fancy Bear) — Russia, political/military espionage
- APT41 — China, dual espionage + cybercrime
- Lazarus Group — North Korea, financial theft + espionage
- APT34 (OilRig) — Iran, Middle East targets
Organized Crime
Goals: Financial theft, ransomware, fraud, data exfiltration for sale
TTPs:
- Ransomware-as-a-Service (RaaS)
- Banking trojans
- Credential theft + resale on dark web
- Business Email Compromise (BEC)
Hacktivists
Individuals or collectives using hacking to promote a political or social agenda.
Common tactics:
- DDoS attacks (disrupt websites/services)
- Website defacement
- Data leaks and "doxing" (publishing stolen or personal information)
Examples: Anonymous, LulzSec
Insider Threats
Threats from people with authorized access to systems.
| Type | Description |
|---|---|
| Malicious insider | Intentional harm — sabotage, theft, espionage |
| Negligent insider | Accidental misuse — clicking phishing links, misconfiguration |
| Compromised insider | Credentials stolen; attacker acts as them |
Indicators of insider threat:
- Accessing data outside normal role
- Downloading large volumes of data
- Off-hours logins
- Disgruntled behavior + privileged access
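The indicators above are exactly the kind of signal a SOC turns into detection logic. The following is an added example (not part of the original notes) that scores a small, constructed access log against three of them: off-hours logins, reads outside the user's role, and large download volume. The event records, role-to-resource mapping and thresholds are all hypothetical; in a real deployment they would come from your identity provider, data catalogue and a baseline of normal behaviour.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample access log (not real data): one record per event.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:15:00", "user": "alice", "role": "finance",
     "action": "login", "resource": "vpn", "bytes": 0},
    {"ts": "2024-03-04T09:20:00", "user": "alice", "role": "finance",
     "action": "read", "resource": "finance/ledger", "bytes": 120_000},
    {"ts": "2024-03-04T02:40:00", "user": "bob", "role": "engineering",
     "action": "login", "resource": "vpn", "bytes": 0},
    {"ts": "2024-03-04T02:45:00", "user": "bob", "role": "engineering",
     "action": "read", "resource": "hr/salaries", "bytes": 5_000_000},
    {"ts": "2024-03-04T02:50:00", "user": "bob", "role": "engineering",
     "action": "read", "resource": "hr/reviews", "bytes": 4_500_000},
    {"ts": "2024-03-04T14:00:00", "user": "carol", "role": "hr",
     "action": "read", "resource": "hr/salaries", "bytes": 300_000},
]

# Hypothetical role-to-resource scope; in practice sourced from IAM or a data catalogue.
ROLE_SCOPE = {
    "finance": ("finance/",),
    "engineering": ("eng/", "src/"),
    "hr": ("hr/",),
}

BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 counts as a normal login window
VOLUME_THRESHOLD_BYTES = 5_000_000  # per-user daily download volume that raises an alert


def event_indicators(event):
    """Return the insider-threat indicators a single event matches."""
    hits = []
    ts = datetime.fromisoformat(event["ts"])
    if event["action"] == "login" and ts.hour not in BUSINESS_HOURS:
        hits.append("off_hours_login")
    if event["action"] == "read":
        # An unknown role has an empty scope, so every read is flagged (fail closed).
        allowed = ROLE_SCOPE.get(event["role"], ())
        if not event["resource"].startswith(allowed):  # str.startswith accepts a tuple
            hits.append("outside_role")
    return hits


def score_users(events):
    """Aggregate indicators per user; volume is judged on the user's total, not per event."""
    indicators = defaultdict(set)
    volume = defaultdict(int)
    for ev in events:
        for hit in event_indicators(ev):
            indicators[ev["user"]].add(hit)
        volume[ev["user"]] += ev["bytes"]
    for user, total in volume.items():
        if total > VOLUME_THRESHOLD_BYTES:
            indicators[user].add("large_volume")
    # Only users with at least one indicator; sorted for deterministic output
    return {user: sorted(hits) for user, hits in indicators.items() if hits}


if __name__ == "__main__":
    for user, hits in score_users(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(hits)}")
```

Each indicator on its own is noisy (an on-call engineer logs in at 02:40 legitimately), which is why the scoring aggregates per user: a single account matching all three in the same night is worth an analyst's time, while one off-hours login is not.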
Shadow IT
Unauthorized systems, services, or software used by employees without IT approval.
Risk:
- Unpatched, unmonitored assets
- Data stored in unapproved cloud services
- Bypasses security controls
Examples:
- Personal Dropbox for work files
- Unauthorized SaaS tools
- Personally installed apps on work devices
Threat Actor Attributes
| Attribute | Description |
|---|---|
| Sophistication | Skill level — script kiddie vs. nation-state |
| Resources | Budget, personnel, tooling |
| Motivation | Financial, political, ideological, personal |
| Intent | Targeted vs. opportunistic |
| Attack Surface Targeting | What they’re going after (data, systems, people) |
Threat Intelligence
Sources:
- OSINT (public threat feeds, CVE databases)
- ISAC (Information Sharing and Analysis Centers)
- Commercial threat intel (CrowdStrike, Recorded Future)
- Dark web monitoring
- MITRE ATT&CK framework (TTPs per threat group)