
Chapter 6 of 27

Threat Landscape: Threat Actors, Motivations, and Capabilities

Step into the adversary’s shoes by classifying who the attackers are, what they want, and how their resources and sophistication shape the threats you must defend against.


Seeing Like an Attacker: Threat Actors and the Modern Landscape

Why Threat Actors Matter

To defend systems and pass SY0-701, you must know who is attacking, why, and how. That mental map is called understanding the threat landscape.

Link to Previous Modules

Change management affects attack paths; cryptography affects what attackers must bypass or misuse. Now we zoom out to look at the adversaries themselves.

What You Will Learn

You will classify threat actors, map their motivations and capabilities, and apply basic threat modeling to real systems, then reinforce it with quizzes and flashcards.

Core Definitions: Threat, Threat Actor, Capability, Intent

Threats, Vulnerabilities, and Risk

Threat is a possible cause of harm, vulnerability is a weakness, and risk is the likelihood and impact of a threat exploiting that weakness.

Threat Actor Defined

A threat actor is an individual or group that is capable of carrying out a threat. On the exam, this is the formal term for the attacker.

Intent and Capability

Always pair intent (why they attack) with capability (what they can realistically do). Same intent plus different capability equals very different threats.

Major Threat Actor Types (External and Internal)

Nation-state Actors

Nation-state actors are government-backed groups focused on espionage, strategic advantage, and disruption, with very high funding and technical capability.

Cybercriminals and Hacktivists

Cybercriminals seek financial gain from almost any victim. Hacktivists are driven by ideology or causes and aim for publicity, embarrassment, or disruption.

Insiders and Script Kiddies

Insiders already have authorized access and knowledge of systems. Script kiddies have low skills but use prebuilt tools to attack easy or random targets.

Matching Scenarios to Threat Actor Types

Hospital Ransomware

A hospital is hit with ransomware demanding cryptocurrency, after the attackers mass-scanned the internet for a known RDP flaw. This points to a cybercriminal group seeking money.

Power Grid Intrusion

A long-term, stealthy supply-chain attack on an electric utility with no quick cash-out strongly suggests a nation-state or state-sponsored actor.

Hacktivist and Insider Cases

Political website defacement fits hacktivists. An employee exfiltrating customer data before resigning is a malicious insider abusing legitimate access.

Motivations: Why Threat Actors Attack

Money and Espionage

Financial gain drives cybercriminals and some insiders. Espionage motivates nation-states and competitors, focusing on stealthy, long-term data theft.

Ideology and Disruption

Hacktivists pursue ideological goals with defacement, leaks, and DDoS. Sabotage and disruption target operations, often critical infrastructure or, in the insider case, the attacker's own employer.

Revenge and Curiosity

Insider revenge may involve data deletion or leaks. Script kiddies act from curiosity or for bragging rights, attacking easy, visible targets.

Capabilities and Resources: From Script Kiddies to APTs

What Capability Means

Capability includes technical skill, funding, infrastructure, time, and access. It determines how sophisticated and persistent an attacker can be.

Advanced Persistent Threats

An APT uses advanced techniques and maintains long-term, stealthy access, often backed by nation-states and aimed at strategic, high-value targets.

Low-Capability Actors

Script kiddies use public tools, scan widely, and go after easy wins. They are noisy but still able to cause serious damage if defenses are weak.

Insider vs External Threats in Modern Hybrid Environments

Hybrid Environments and Threats

A hybrid environment mixes cloud, mobile, IoT, OT, and on-premises. Both external and insider threats operate across these boundaries.

External vs Insider Actors

External actors must break in; insiders already have some authorized access. Insiders may be malicious, negligent, or coerced by outsiders.

Why Insiders Are Risky

Insiders know systems and can bypass some controls. On exams, abuse of legitimate access usually signals an insider threat answer.

Threat Intelligence: Sources and How to Use Them

What Is Threat Intelligence?

Threat intelligence is information about adversaries, their tools, and campaigns, used to understand and prioritize defenses.

Sources and Types

Sources include OSINT, vendor feeds, sharing communities, and internal logs. Intelligence can be strategic, operational, or tactical/technical.

Using Intel in Defense

Use intel to prioritize patching, harden attack paths favored by active groups, and feed IOCs into firewalls, EDR, and SIEM for detection.
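To make the last point concrete, here is an added example (not part of the course material) of the kind of check a SIEM rule performs: it matches constructed threat-intel indicators against constructed VPN appliance log lines and raises alerts for triage. The log format, IOC values and field names are placeholders invented for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed indicators standing in for a threat-intel feed (documentation-only IP ranges, reserved .example TLD).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_NETWORKS = [ip_network("192.0.2.0/24")]
IOC_DOMAINS = {"update-checker.example"}
# Assumed (invented) VPN appliance log line: timestamp, event, user, src, optional dst.
LOG_RE = re.compile(r"^(?P<ts>\S+) vpn\[\d+\]: (?P<event>\w+) user=(?P<user>\S+)"
                    r" src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$")
def parse_line(line):
    """Return the parsed fields, or None for a line that is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def ioc_hits(record):
    """List (indicator_type, value) pairs from the feed that this record matches."""
    hits = []
    src = record["src"]
    if src in IOC_IPS:
        hits.append(("ip", src))
    else:
        try:                                   # CIDR match only for parseable addresses
            addr = ip_address(src)
            hits += [("network", str(n)) for n in IOC_NETWORKS if addr in n]
        except ValueError:
            pass
    dst = record.get("dst")
    if dst and dst.lower().rstrip(".") in IOC_DOMAINS:   # normalise case and trailing dot
        hits.append(("domain", dst))
    return hits

def scan(lines):
    """Raise one alert per matching record; a hit is a lead for triage, not proof of compromise."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        hits = ioc_hits(rec) if rec else []
        if hits:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "event": rec["event"], "hits": hits})
    return alerts
# Constructed sample log lines for the demonstration.
SAMPLE_LOGS = [
    "2024-05-01T08:02:11Z vpn[1201]: login_ok user=alice src=203.0.113.45",
    "2024-05-01T08:05:40Z vpn[1201]: login_fail user=admin src=192.0.2.77",
    "2024-05-01T08:06:02Z vpn[1201]: login_ok user=bob src=10.20.30.40",
    "2024-05-01T08:07:15Z vpn[1201]: dns user=bob src=10.20.30.40 dst=update-checker.example",
    "this line is not in the expected format",
]
```

Running `scan(SAMPLE_LOGS)` yields three alerts (alice's source IP, admin's source network, bob's DNS lookup); the unparseable line and bob's clean login produce nothing.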

Threat Modeling Basics: STRIDE, Assets, and Attack Paths

What Is Threat Modeling?

Threat modeling is a structured way to ask: who might attack this system, what do they want, and how could they get it?

Simple Process

Steps: identify assets, describe the system, identify threat actors, list threats and attack paths, then prioritize and mitigate the most serious ones.

STRIDE Overview

STRIDE helps classify threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

Thought Exercise: Model the Threats to a Small Online Store

Apply basic threat modeling to a concrete system. Imagine you are securing a small e-commerce site that sells custom T‑shirts.

System description (simplified):

  • Public web front-end hosted in the cloud.
  • Backend database with customer PII and order history.
  • Payments handled by a third-party payment gateway (you do not store card numbers).
  • Admin portal used by staff to manage orders and inventory, accessible over the internet with MFA.

Your tasks (think them through or jot notes before reading the reference solution):

  1. Identify 3 important assets in this system.
  2. List at least 3 likely threat actors.
  3. For each actor, name one motivation and one likely attack path.
  4. Pick one STRIDE category and give an example threat.

Pause for a minute and actually do it. Then compare to this reference solution:

  • Assets: customer PII, order history, admin credentials, site availability.
  • Threat actors:
      • Cybercriminals: financial gain; phishing staff to steal admin credentials.
      • Script kiddies: curiosity/reputation; scanning for known web CMS vulnerabilities.
      • Malicious insider (staff): financial gain/revenge; exporting customer list to sell or take to a competitor.
  • STRIDE examples:
      • Spoofing: attacker uses stolen credentials to log into the admin portal.
      • Information disclosure: SQL injection exposes customer PII.
      • Denial of service: DDoS knocks the site offline during a sale.

Use this pattern whenever an exam scenario describes a system: quickly think through assets → actors → motivations → attack paths.

Quiz 1: Identify the Threat Actor and Motivation

Test your ability to map scenarios to threat actors and motivations.

A manufacturing company discovers that design files for a new product have been quietly exfiltrated over several months. No systems were destroyed, and there were no ransom demands. The attacker used spear phishing against engineers and then moved laterally to the file servers. Which threat actor and primary motivation best fit this scenario?

  A. Script kiddie motivated by curiosity
  B. Nation-state actor motivated by espionage
  C. Hacktivist motivated by ideology
  D. Malicious insider motivated by revenge

Answer: B) Nation-state actor motivated by espionage

The long-term, stealthy exfiltration of valuable intellectual property, with no ransom or destruction, fits **espionage**. The sophistication (spear phishing, lateral movement) and focus on design files point to a **nation-state** or state-sponsored actor. Script kiddies lack this persistence; hacktivists usually seek publicity; insiders would typically be identified by explicit insider clues.

Quiz 2: Threat Intelligence and Response

Check your understanding of threat intelligence sources and how to act on them.

Your security team receives a commercial threat intelligence report indicating that a ransomware group is actively exploiting an unpatched VPN appliance used in your organization. What is the MOST appropriate immediate action?

  A. Publish a high-level summary to the company blog for transparency
  B. Disable all VPN access permanently and force staff to work on-site
  C. Prioritize patching and configuration review of the VPN appliance and increase monitoring for related IOCs
  D. Wait for confirmation from law enforcement before taking any technical action

Answer: C) Prioritize patching and configuration review of the VPN appliance and increase monitoring for related IOCs

Threat intelligence should drive **prioritized defensive actions**. Here, the correct response is to patch and harden the vulnerable VPN appliance and enhance monitoring for indicators of compromise related to the campaign. Public blogs, permanent VPN shutdown, or waiting for law enforcement do not address the immediate technical risk.

Key Term and Concept Review

Use these flashcards to reinforce core terms and distinctions from this module.

Threat actor
An individual or group that is capable of carrying out a threat.
Nation-state / state-sponsored actor
A threat actor backed or directed by a government, typically with high capability and strategic motivations such as espionage and disruption.
Cybercriminal group
A threat actor focused on financial gain, often using ransomware, fraud, and data theft against a wide range of targets.
Hacktivist
An ideologically motivated threat actor seeking publicity or disruption for a political or social cause, often via defacement, DDoS, or data leaks.
Insider threat
A threat arising from individuals with authorized access (employees, contractors, partners) who may act maliciously, negligently, or under coercion.
Script kiddie
A less-skilled attacker who uses tools or scripts written by others to exploit easy or well-known vulnerabilities.
Advanced Persistent Threat (APT)
A well-resourced, highly skilled adversary that uses advanced techniques and maintains long-term, stealthy access to achieve strategic goals.
Financial motivation
An attacker goal focused on money, often leading to ransomware, fraud, data theft for resale, or extortion.
Espionage motivation
An attacker goal focused on stealthy collection of sensitive information for strategic or competitive advantage.
Threat intelligence
Information about adversaries, their tools, infrastructure, and campaigns that helps defenders understand and prioritize threats.
STRIDE
A threat modeling mnemonic: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
Hybrid environment
An enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
