Chapter 19 Β· Concepts

Threat Actor Concepts

Comparison tables, motivation models, and the TTPs framework.

Threat Actor Comparison Table

Threat ActorLocationResourcesSophisticationPossible Motivations
Nation StateExternal (government-sponsored)Very highVery high (APT-level)Espionage, cyber warfare, political influence, disruption, revenge
Unskilled AttackerUsually externalVery limited or noneLow (pre-built tools)Disruption, curiosity, data theft, reputation
HacktivistUsually externalLimited to moderateMedium to highPolitical/philosophical beliefs, protest, disruption, revenge
Insider ThreatInternalAccess to internal systemsMedium (institutional knowledge)Financial gain, revenge, sabotage
Organized CrimeExternalHigh fundingHigh (professional)Financial profit, data theft, fraud
Shadow ITInternal (employees/departments)Limited (unofficial budget)Medium (often non-experts)Convenience, productivity, bypassing IT restrictions

Motivation β†’ Attack Pattern

ESPIONAGE

Who: Nation-states, competitors

Pattern: Long dwell time β€” months to years inside the target environment. Quiet, selective exfiltration of intelligence-value data. No disruption β€” the goal is to stay hidden and keep collecting. Custom tooling and living-off-the-land to avoid detection. Multiple persistence mechanisms.

Indicators: Unusual access to specific high-value data outside normal roles, slow outbound data movement during business hours to blend with normal traffic, use of legitimate admin tools for lateral movement.

FINANCIAL

Who: Organized crime

Pattern: Ransomware deployment, credential theft and resale, BEC (Business Email Compromise) fraud. Speed matters β€” move fast, monetize quickly, exit before detection triggers a comprehensive response. Double extortion: encrypt data AND threaten to publish it.

Indicators: Rapid lateral movement after initial access, mass encryption activity, bulk credential harvesting, unusual outbound connections to C2 infrastructure, ransom note deployment.

IDEOLOGICAL

Who: Hacktivists

Pattern: Public attention is the explicit goal β€” DDoS that disrupts visible services, website defacement with political messaging, embarrassing data dumps to journalists and social media. Success is measured in press coverage and public awareness, not data stolen or money earned.

Indicators: DDoS against public-facing services, defacement of web properties, data leaks posted to public forums, targets linked to a current political controversy.

DISRUPTION / SABOTAGE

Who: Nation-states in conflict contexts

Pattern: Destroy or degrade systems β€” ICS/SCADA attacks targeting industrial control systems, wiper malware destroying data and boot sectors, attacks designed to cause physical damage or long-term operational disruption. Not stealth β€” visible destruction is the point.

Examples: Industroyer/CrashOverride against Ukrainian power grid (2016), NotPetya wiper disguised as ransomware (2017, attributed to Sandworm/Russia), Stuxnet against Iranian nuclear centrifuges.

APT Attack Lifecycle

1
Reconnaissance
OSINT collection on the target β€” LinkedIn for employee names and roles, job postings revealing technology stack, public-facing infrastructure scanning. Identifies potential spear phishing targets and initial access vectors.
↓
2
Initial Access
Spear phishing with customized lures targeting specific employees, supply chain compromise (inserting malicious code into trusted vendor software), or exploitation of vulnerabilities in internet-facing services (VPN appliances, email gateways, web applications).
↓
3
Establish Foothold
Deploy a backdoor or implant on the compromised system. Create persistence mechanisms (scheduled tasks, registry run keys, startup scripts) so access survives reboots. Establish command-and-control (C2) channel, often using encrypted traffic over legitimate protocols (HTTPS, DNS) to blend with normal traffic.
↓
4
Lateral Movement
Credential harvesting (Mimikatz, pass-the-hash, pass-the-ticket), pivot from the initial compromised system to other internal systems. Map the network to identify high-value targets β€” domain controllers, file servers, databases, backup systems.
↓
5
Privilege Escalation
Escalate from standard user to local admin, then to domain admin in Active Directory environments. With domain admin, the attacker controls the entire Windows environment β€” can create new accounts, access all systems, and reset any password.
↓
6
Exfiltration
Slow, staged data theft to avoid triggering DLP alerts or anomalous bandwidth spikes. Data is staged on an internal system, compressed, encrypted, and exfiltrated in small batches β€” often during business hours to blend with legitimate traffic. Exfiltration channel may use cloud storage services that are whitelisted in firewall rules.
↓
7
Maintain Persistence
Plant multiple independent persistence mechanisms so that removing one backdoor does not evict the attacker. Survive credential resets by harvesting new credentials. APTs are often "re-discovered" months after initial remediation β€” because the remediation was incomplete.

Insider Threat Indicators

Malicious Insider IndicatorsNegligent Insider Indicators
Accessing data outside normal role or access scopeClicking unknown links or email attachments
Accessing systems or files outside normal working hoursUsing personal USB drives for work files
Bulk downloading files β€” especially before a resignation or terminationReusing passwords across personal and work accounts
Emailing sensitive data to personal email accountsIgnoring mandatory security training requirements
Expressing grievances, resentment, or unusual interest in unauthorized dataUsing unauthorized cloud storage to sync work files (Shadow IT)
Requesting elevated permissions outside normal job functionLeaving workstations unlocked and unattended in shared areas
Copying large volumes of data to removable mediaSharing credentials with colleagues for convenience