
Chapter 5 of 25

Threat Actors and Motivations in the Real World

Put a face and motive behind the attacks by classifying threat actors, their capabilities, and what they’re really after in enterprise environments.

27 min read

Threat Actors: Putting a Face to the Attack

Why Threat Actors Matter

A threat actor is any person or group with the intent, capability, and opportunity to carry out malicious activity against an information system. They are the human side behind "threats".

Link to Zero Trust

Because attacks can come from anywhere, including insiders and cloud-hosted resources, zero trust assumes no implicit trust and requires continuous verification, limiting access to only what is needed.

Three Big Questions

Always ask: 1) Who is attacking? 2) Why are they attacking? 3) What can they actually do? These guide how you classify threat actors and choose defenses.

Exam Connection

SY0-701 scenario questions often describe an incident and expect you to infer the likely threat actor type, motivation, and which part of the CIA triad is targeted.

Major Threat Actor Types in Enterprise Environments

Core Threat Actor Types

Key types: 1) Nation-state / state-sponsored, 2) Organized cybercriminals, 3) Hacktivists, 4) Insiders, 5) Script kiddies, 6) Competitors. Know these labels cold.

Nation-state Actors

Nation-state actors are government-backed, highly funded, patient, and capable of advanced attacks like supply chain compromises and zero-day exploitation.

Organized Cybercriminals

Organized cybercriminals focus on profit: ransomware, business email compromise, card fraud, and large-scale credential attacks against any paying victim.

Hacktivists and Script Kiddies

Hacktivists act for ideology or politics, often defacing or DDoSing. Script kiddies use pre-built tools with low skill, attacking easy, poorly secured targets.

Insiders and Competitors

Insiders already have access and can be malicious or careless. Competitors may seek trade secrets, often appearing as criminal or nation-state activity.

Motivations: What Are They Really After?

Core Motivations

Key motives: 1) Financial gain, 2) Espionage / intelligence, 3) Ideology / activism, 4) Curiosity / status, 5) Revenge / grievance.

Financial and Espionage

Financial gain drives most cybercrime: ransomware, fraud, selling data. Espionage focuses on stealing sensitive data for strategic or competitive advantage.

Ideology and Curiosity

Ideology motivates hacktivists to deface, leak, or disrupt. Curiosity or status motivates some individuals to hack for challenge or bragging rights.

Revenge and Insider Anger

Revenge attacks often come from insiders or ex-staff who delete data, leak secrets, or sabotage systems using their knowledge and access.

Exam Clue Words

Look for clues: ransom demands → financial; long-term stealth data theft → espionage; political message or protest → ideology; disgruntled employee → revenge.

Capabilities and Resources: How Dangerous Can They Be?

What Are Capabilities?

Capabilities include funding, skill level, time and patience, and access to information. These shape how sophisticated an attack can be.

High-End Actors

Nation-state actors have high funding, skill, and patience, enabling advanced persistent threats, zero-day exploits, and supply chain attacks.

Criminals and Hacktivists

Organized cybercriminals range from medium to high capability. Hacktivists vary widely, from simple DDoS users to highly skilled operators.

Low-End Actors

Script kiddies are low-skill and low-budget, using public tools and exploit kits against unpatched or poorly secured systems.

Insider Advantage

Insiders may not be technical, but they have legitimate access and internal knowledge, giving them powerful, hard-to-detect capabilities.

Real-World Style Scenarios: Who Is Most Likely Behind This?

Scenario 1: Hospital Ransomware

Hospital servers and cloud backups are encrypted. A known ransomware family is used, and the ransom note demands payment in cryptocurrency. Entry was via phishing emails to staff.

Who Is Scenario 1?

Most likely an organized cybercriminal group, motivated by financial gain, using medium-to-high capability ransomware-as-a-service techniques.

Scenario 2: Long-Term Stealth

A defense contractor sees 9 months of small, encrypted data transfers hidden in HTTPS to a cloud provider. No ransom or publicity appears.

Who Is Scenario 2?

This fits a nation-state actor focused on espionage, with high capability and patience to maintain long-term, stealthy access.

Scenario 3: Political Defacement

A government website is defaced with a political slogan and manifesto. No encryption or obvious data theft; attackers boast on social media.

Who Is Scenario 3?

This matches hacktivists driven by ideology, using web exploitation to embarrass and pressure the agency rather than to profit.

Insider vs External Threats: Key Differences

What Is an Insider Threat?

An insider threat is any threat actor with legitimate access: employees, contractors, vendors, or partners who can intentionally or accidentally cause harm.

Types of Insiders

Insiders can be malicious (abusing access), negligent (careless), or compromised (their accounts or devices are controlled by external attackers).

External Threats

External threats start with no access and must break in using exploits, phishing, credential stuffing, or physical intrusion to reach systems or data.

Key Differences

Insiders start inside your trust boundary and are harder to detect; externals start outside. Insiders are often driven by revenge or fraud.

Zero Trust and Insiders

Zero trust assumes no implicit trust, even for insiders, and uses least privilege and monitoring to limit the damage an insider can cause.

Mitigating Insider and External Threats: Practical Controls

Control Types Reminder

Security control types: technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.

Mitigating Insiders

Use least privilege, RBAC, separation of duties, strong IAM with MFA, user behavior analytics, training, and DLP to reduce insider risk.

Identity and Monitoring

Zero trust-style identity controls plus continuous monitoring make it harder for insiders to abuse access without detection.

Mitigating Externals

For external actors, focus on patching, segmentation, WAF/API security, email filtering, EDR/XDR, and threat intelligence-driven monitoring.

Exam Mindset

Insider scenario? Think IAM, monitoring, training. External scenario? Think perimeter defenses, patching, and endpoint/network detection.

Thought Exercise: Classify These Mini-Scenarios

Work through these mentally. Do not worry about being perfect; focus on your reasoning. After you think, compare with the suggested answers.

  1. Scenario A

A junior developer in your company runs a password-cracking tool they found on GitHub against the internal Wi-Fi network "just to see if it works." They accidentally cause a denial-of-service condition on the authentication server.

  • What is the most likely threat actor type?
  • What is the primary motivation?
  • Insider or external?

  2. Scenario B

Your finance department receives a realistic email that appears to be from the CEO, urgently requesting a wire transfer to a new supplier. The email comes from a lookalike domain and references a recent real project.

  • What is the most likely threat actor type?
  • What is the primary motivation?
  • Which control could best prevent this?

  3. Scenario C

A small non-profit’s website is taken offline by a large DDoS attack after it publishes a controversial report. Social media accounts using a political hashtag claim responsibility.

  • What is the most likely threat actor type?
  • What is the primary motivation?
  • Which aspect of the CIA triad is primarily impacted?

Suggested reasoning (compare after you think):

  • Scenario A: Script kiddie–like behavior, but as an insider (curiosity / challenge). They are low-skill, using public tools without authorization.
  • Scenario B: Organized cybercriminals using business email compromise (BEC), motivated by financial gain. Controls: strong verification procedures, security awareness, email filtering.
  • Scenario C: Hacktivists motivated by ideology / activism, targeting availability via DDoS to silence or punish the non-profit.

If any of these felt tricky, flag them in your notes. Similar patterns will appear in your spaced review queue and mock exams.

Quick Check: Threat Actor Types and Motivations

Answer this to confirm you can connect clues in a scenario to the right threat actor.

A global manufacturer discovers that proprietary design files have been slowly exfiltrated over a year to an IP address associated with a foreign cloud provider. There were no ransom demands, and the attacker carefully avoided disrupting operations. Which combination best describes the MOST likely threat actor type and primary motivation?

  A) Script kiddie motivated by curiosity
  B) Organized cybercriminal motivated by financial gain
  C) Nation-state actor motivated by espionage
  D) Hacktivist motivated by ideology

Answer: C) Nation-state actor motivated by espionage

Long-term, stealthy data exfiltration of proprietary designs with no ransom or disruption strongly suggests a nation-state actor focused on espionage. Script kiddies usually lack patience and stealth; cybercriminals typically monetize quickly via ransom or sale; hacktivists usually seek visible impact or embarrassment.

Quick Check: Insider vs External and Mitigations

Test your ability to pick appropriate mitigations for different threat types.

A disgruntled employee in the finance department copies hundreds of sensitive spreadsheets to a personal cloud storage account over several weeks, using their normal workstation and credentials. Which SINGLE control would MOST directly help detect or prevent this specific behavior?

  A) Implementing a web application firewall (WAF) on the public website
  B) Deploying data loss prevention (DLP) on endpoints and network egress points
  C) Requiring complex passwords to be changed every 30 days
  D) Installing a next-generation firewall at the internet perimeter

Answer: B) Deploying data loss prevention (DLP) on endpoints and network egress points

This is a malicious insider using legitimate access to exfiltrate data to personal cloud storage. Data loss prevention (DLP) controls on endpoints and egress points are specifically designed to detect and block unauthorized transfers of sensitive data. WAFs and next-generation firewalls help mainly with external web or network attacks; frequent password changes do not directly address deliberate data exfiltration.
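To show why egress DLP and behavior analytics catch this insider where a single-transfer rule does not, here is an added example (not part of the original chapter): it runs a naive per-upload size rule and a low-and-slow aggregate rule over constructed proxy egress logs. The corporate domains, thresholds and log format are assumptions.

```python
from collections import defaultdict

# Assumed sanctioned corporate destinations; anything else is unsanctioned egress.
CORP_DOMAINS = {"files.corp.example", "mail.corp.example"}
PER_EVENT_ALERT_BYTES = 50_000_000  # naive "single large upload" DLP rule (50 MB)
SUSTAINED_MIN_DAYS = 5              # seen on at least this many distinct days ...
SUSTAINED_MIN_BYTES = 5_000_000     # ... and moving at least this much in total (5 MB)

# Constructed proxy egress log: date user destination_host bytes_uploaded
SAMPLE_LOG = """\
2024-03-01 alice files.corp.example 120000
2024-03-01 bob files.corp.example 95000
2024-03-01 bob personal-drive.example 1200000
2024-03-02 alice files.corp.example 130000
2024-03-02 bob personal-drive.example 1100000
2024-03-03 bob personal-drive.example 1300000
2024-03-04 alice mail.corp.example 40000
2024-03-04 bob personal-drive.example 1250000
2024-03-05 bob personal-drive.example 1150000
2024-03-05 alice personal-drive.example 300000
"""

def parse_log(text):
    """Parse whitespace-separated log lines into (day, user, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            day, user, dest, nbytes = line.split()
            records.append((day, user, dest, int(nbytes)))
    return records

def per_event_alerts(records):
    """Single-transfer threshold: misses the insider because every upload is small."""
    return [r for r in records if r[3] >= PER_EVENT_ALERT_BYTES]

def sustained_egress_alerts(records):
    """Aggregate per (user, unsanctioned destination) across distinct days."""
    days, total = defaultdict(set), defaultdict(int)
    for day, user, dest, nbytes in records:
        if dest not in CORP_DOMAINS:
            days[(user, dest)].add(day)
            total[(user, dest)] += nbytes
    return sorted(
        (user, dest, len(days[(user, dest)]), total[(user, dest)])
        for user, dest in total
        if len(days[(user, dest)]) >= SUSTAINED_MIN_DAYS
        and total[(user, dest)] >= SUSTAINED_MIN_BYTES
    )
```

Only the aggregate rule flags bob's steady uploads to the personal cloud domain; alice's one-off small upload stays below both thresholds.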

Key Term and Concept Review

Use these flashcards to lock in the core vocabulary and mappings you will see on Security+ questions.

Threat actor
Any person or group that has the intent, capability, and opportunity to carry out malicious activity against an information system.
Nation-state / state-sponsored actor
A threat actor backed or directed by a government, typically with high funding, skill, and patience, often focused on espionage, disruption, or strategic advantage.
Organized cybercriminal group
A profit-driven threat actor that conducts activities such as ransomware, fraud, and data theft, often operating like a business with specialized roles.
Hacktivist
A threat actor motivated by ideology or political causes, using hacking techniques to protest, embarrass, or pressure organizations.
Script kiddie
An often inexperienced attacker who uses pre-built tools and exploit kits without deep understanding, typically targeting easy, poorly secured systems.
Insider threat
A threat that comes from someone with legitimate access to systems or data (employee, contractor, vendor), whether malicious, negligent, or compromised.
Common attacker motivations
Financial gain, espionage/intelligence collection, ideology/activism, curiosity/challenge/status, and revenge/personal grievance.
Financially motivated attack examples
Ransomware, business email compromise (BEC), credit card theft, cryptomining, selling stolen data or access.
Espionage-focused attack characteristics
Long-term, stealthy access, quiet data exfiltration, little or no overt disruption, often targeting sensitive or strategic information.
Key difference: insider vs external threat
Insiders start with legitimate access inside the trust boundary; external actors start with no access and must break in via exploits, phishing, or other vectors.
Control types (full list)
Technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.
Best controls for insider threats (examples)
Least privilege, RBAC, separation of duties, strong IAM with MFA, user behavior analytics, security awareness training, data loss prevention (DLP).

Key Terms

revenge
A motivation based on personal grievance, often seen in malicious insiders or disgruntled ex-employees.
ideology
A motivation based on political, social, or religious beliefs that drives hacktivists and similar actors.
espionage
Stealthy collection of sensitive information, such as trade secrets or government data, often by nation-state actors or competitors.
hacktivist
A threat actor motivated by ideology or political causes, using hacking to protest or pressure organizations.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
threat actor
Any person or group that has the intent, capability, and opportunity to carry out malicious activity against an information system.
script kiddie
An inexperienced attacker using pre-built tools and exploit kits without deep understanding, usually targeting easy victims.
insider threat
A threat that originates from someone with legitimate access to systems or data, including employees, contractors, vendors, or partners.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
nation-state actor
A government-backed or directed threat actor with high funding, skill, and patience, often focused on espionage or strategic disruption.
financial motivation
Attacker goal focused on making money, for example through ransomware, fraud, or selling stolen data.
data loss prevention (DLP)
A set of technologies and processes designed to detect and prevent unauthorized transmission or disclosure of sensitive data.
organized cybercriminal group
A profit-driven threat group that conducts attacks such as ransomware, fraud, and data theft, often operating like a business.
governance, risk, and compliance
Operating with awareness of applicable regulations and policies, and applying governance, risk-management, and compliance principles when securing enterprise environments.
user and entity behavior analytics (UEBA)
Security analytics that model normal behavior of users and entities to detect anomalies that may indicate threats.
