Compare and contrast common threat actors and motivations
Understanding who’s attacking you determines how you defend. A script kiddie and a nation-state APT require fundamentally different defensive postures. The exam expects you to profile threat actors by their attributes and predict behavior based on motivation.
Threat Actor Types
Nation-State
Government-sponsored or government-affiliated actors conducting cyber operations.
- Resources: Virtually unlimited budget, custom zero-day exploits, dedicated teams
- Sophistication: Highest. Custom malware, supply chain attacks, long-term persistent access
- Motivation: Espionage (intelligence gathering), disruption (critical infrastructure), political influence
- Timeframe: Months to years of persistent access (APT = Advanced Persistent Threat)
- Examples: Stuxnet (US/Israel → Iran nuclear program), SolarWinds (Russia → US government agencies), Pegasus (NSO Group, used by multiple states)
Unskilled Attacker (Script Kiddie)
Low-skill individual using pre-built tools and scripts without understanding the underlying mechanics.
- Resources: Minimal. Uses freely available tools (Metasploit, downloaded exploit kits)
- Sophistication: Low. Follows tutorials, can’t adapt when tools fail
- Motivation: Curiosity, bragging rights, minor disruption
- Danger: Don’t underestimate volume. Automated scanning means even unskilled attackers find unpatched systems. They don’t need to be sophisticated if your defenses are weak.
Hacktivist
Ideologically motivated attacker targeting organizations that conflict with their beliefs.
- Resources: Low to moderate. Often loosely organized (Anonymous-style)
- Sophistication: Varies widely. DDoS and website defacement are common; some groups execute sophisticated breaches
- Motivation: Political/social change, embarrassment of target, data leaks for public exposure
- Tactics: DDoS, defacement, doxxing, data dumps
Insider Threat
Someone with legitimate access who misuses it — deliberately or accidentally.
- Intentional: Disgruntled employee, corporate espionage, sabotage
- Unintentional: Employee who clicks a phishing link, misconfigures a system, or loses a device
- Why it’s dangerous: Already past your perimeter controls. Has legitimate credentials. Knows where the valuable data is.
- Detection: User behavior analytics (UBA), DLP, privileged access monitoring, separation of duties
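A concrete version of the UBA detection control listed above (and of the USB/cloud exfiltration vector described later under Attack Vectors by Actor): an added example, not part of these study notes, that baselines each user's own daily transfer volume and flags a day that deviates sharply from it. The log format, user names and threshold are constructed for illustration.

```python
"""
Minimal user-behaviour-analytics (UBA) check for the insider-threat case:
flag a user whose daily data-transfer volume jumps far above their own
baseline. Added example, not from the original notes; the log layout,
users and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (day, user, destination, bytes transferred)
SAMPLE_LOG = [
    ("d1", "alice", "fileshare", 120_000),
    ("d2", "alice", "fileshare", 110_000),
    ("d3", "alice", "fileshare", 130_000),
    ("d4", "alice", "fileshare", 115_000),
    ("d5", "alice", "usb", 9_800_000),   # bulk copy to removable media
    ("d1", "bob", "cloud", 500_000),
    ("d2", "bob", "cloud", 480_000),
    ("d3", "bob", "cloud", 520_000),
    ("d4", "bob", "cloud", 510_000),
    ("d5", "bob", "cloud", 495_000),     # heavy but consistent: not anomalous
]

def daily_volume(log):
    """Sum bytes transferred per (user, day)."""
    totals = defaultdict(int)
    for day, user, _dest, nbytes in log:
        totals[(user, day)] += nbytes
    return totals

def flag_anomalies(log, z_threshold=3.0, min_days=3):
    """Return {user: [day, ...]} for days whose volume exceeds the user's own
    baseline (mean of their other days) by more than z_threshold std devs.
    The baseline is per user, so a heavy but steady user is not flagged."""
    per_user = defaultdict(dict)
    for (user, day), vol in daily_volume(log).items():
        per_user[user][day] = vol
    flagged = defaultdict(list)
    for user, days in per_user.items():
        for day, vol in days.items():
            others = [v for d, v in days.items() if d != day]
            if len(others) < min_days:      # not enough history to baseline
                continue
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:                  # guard against a perfectly flat baseline
                sigma = max(mu * 0.05, 1)
            if (vol - mu) / sigma > z_threshold:
                flagged[user].append(day)
    return dict(flagged)
```

Run on the sample log, only alice's day-5 USB copy is flagged; bob's large but stable cloud uploads stay below the threshold because the baseline is his own history, not a global average.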
Organized Crime
Criminal groups treating cybercrime as a business operation.
- Resources: Significant. Reinvest profits into better tools and talent
- Sophistication: Moderate to high. Ransomware-as-a-Service (RaaS), bulletproof hosting, money laundering infrastructure
- Motivation: Financial gain — ransomware, data theft for sale, credit card fraud, business email compromise (BEC)
- Business model: Some groups offer customer support, SLAs on decryption keys, and affiliate programs
Shadow IT
Not a traditional threat actor, but employees or departments deploying unauthorized technology.
- Unapproved SaaS apps, personal cloud storage, rogue wireless access points
- Creates unmonitored attack surface outside security team’s visibility
- Exam context: Organizational risk, not malicious intent — but the security impact is real
Competitor
Business rivals engaging in corporate espionage or competitive disruption.
- Motivation: Trade secrets, customer data, strategic advantage
- Methods: May hire third parties, exploit insiders, or conduct targeted social engineering
- Less common on the exam but worth knowing
Threat Actor Attributes
The exam asks you to compare actors across these dimensions:
| Attribute | Low | High |
|---|---|---|
| Resources/Funding | Script kiddie, hacktivist | Nation-state, organized crime |
| Sophistication | Script kiddie | Nation-state APT |
| Capability | Unskilled (uses existing tools) | Custom zero-days, supply chain |
| Intent | Unintentional insider | Nation-state espionage |
Internal vs. External
- Internal: Insiders, shadow IT. Already have legitimate access.
- External: Nation-states, hacktivists, organized crime, script kiddies. Must breach the perimeter first.
Level of Sophistication/Capability
- Low: Pre-built tools, known exploits, no ability to adapt
- Moderate: Can customize tools, chain exploits, conduct targeted phishing
- High: Custom malware, zero-day exploits, supply chain compromise, operational security to avoid detection
Motivations
| Motivation | Typical Actors | Example |
|---|---|---|
| Data exfiltration | Nation-state, organized crime, competitor | Stealing trade secrets, PII for sale |
| Financial gain | Organized crime | Ransomware, BEC, credit card fraud |
| Disruption/chaos | Hacktivist, nation-state | DDoS on critical infrastructure |
| Espionage | Nation-state, competitor | Long-term intelligence gathering |
| Philosophical/political | Hacktivist | Website defacement, document leaks |
| Revenge | Insider | Sabotage after termination |
| War | Nation-state | Cyberattacks as component of military operations |
| Ethical (authorized) | Penetration testers | Contracted security testing |
Attack Vectors by Actor
Different actors prefer different entry points:
- Nation-state: Supply chain, zero-day exploits, spear-phishing of specific individuals
- Organized crime: Phishing at scale, exploiting known vulnerabilities, RDP brute force
- Hacktivist: DDoS, web application attacks, social engineering
- Insider: Direct access abuse, data exfiltration via USB or cloud upload
Offensive Context
Profiling works in both directions. Just as a defender profiles attackers, an attacker profiles defenders — what’s the org’s security maturity? How fast do they patch? Do they monitor lateral movement? Threat intelligence isn’t just consuming IOCs — it’s understanding adversary tradecraft well enough to predict their next move based on who they are. A nation-state actor who gets detected will retool and come back; a script kiddie will move on to an easier target.