Threat Actor Comparison Table
| Threat Actor | Location | Resources | Sophistication | Possible Motivations |
|---|---|---|---|---|
| Nation State | External (government-sponsored) | Very high | Very high (APT-level) | Espionage, cyber warfare, political influence, disruption, revenge |
| Unskilled Attacker | Usually external | Very limited or none | Low (pre-built tools) | Disruption, curiosity, data theft, reputation |
| Hacktivist | Usually external | Limited to moderate | Medium to high | Political/philosophical beliefs, protest, disruption, revenge |
| Insider Threat | Internal | Access to internal systems | Medium (institutional knowledge) | Financial gain, revenge, sabotage |
| Organized Crime | External | High funding | High (professional) | Financial profit, data theft, fraud |
| Shadow IT | Internal (employees/departments) | Limited (unofficial budget) | Medium (often non-experts) | Convenience, productivity, bypassing IT restrictions |
Motivation β Attack Pattern
ESPIONAGE
Who: Nation-states, competitors
Pattern: Long dwell time β months to years inside the target environment. Quiet, selective exfiltration of intelligence-value data. No disruption β the goal is to stay hidden and keep collecting. Custom tooling and living-off-the-land to avoid detection. Multiple persistence mechanisms.
Indicators: Unusual access to specific high-value data outside normal roles, slow outbound data movement during business hours to blend with normal traffic, use of legitimate admin tools for lateral movement.
FINANCIAL
Who: Organized crime
Pattern: Ransomware deployment, credential theft and resale, BEC (Business Email Compromise) fraud. Speed matters β move fast, monetize quickly, exit before detection triggers a comprehensive response. Double extortion: encrypt data AND threaten to publish it.
Indicators: Rapid lateral movement after initial access, mass encryption activity, bulk credential harvesting, unusual outbound connections to C2 infrastructure, ransom note deployment.
IDEOLOGICAL
Who: Hacktivists
Pattern: Public attention is the explicit goal β DDoS that disrupts visible services, website defacement with political messaging, embarrassing data dumps to journalists and social media. Success is measured in press coverage and public awareness, not data stolen or money earned.
Indicators: DDoS against public-facing services, defacement of web properties, data leaks posted to public forums, targets linked to a current political controversy.
DISRUPTION / SABOTAGE
Who: Nation-states in conflict contexts
Pattern: Destroy or degrade systems β ICS/SCADA attacks targeting industrial control systems, wiper malware destroying data and boot sectors, attacks designed to cause physical damage or long-term operational disruption. Not stealth β visible destruction is the point.
Examples: Industroyer/CrashOverride against Ukrainian power grid (2016), NotPetya wiper disguised as ransomware (2017, attributed to Sandworm/Russia), Stuxnet against Iranian nuclear centrifuges.
APT Attack Lifecycle
OSINT collection on the target β LinkedIn for employee names and roles, job postings revealing technology stack, public-facing infrastructure scanning. Identifies potential spear phishing targets and initial access vectors.
Spear phishing with customized lures targeting specific employees, supply chain compromise (inserting malicious code into trusted vendor software), or exploitation of vulnerabilities in internet-facing services (VPN appliances, email gateways, web applications).
Deploy a backdoor or implant on the compromised system. Create persistence mechanisms (scheduled tasks, registry run keys, startup scripts) so access survives reboots. Establish command-and-control (C2) channel, often using encrypted traffic over legitimate protocols (HTTPS, DNS) to blend with normal traffic.
Credential harvesting (Mimikatz, pass-the-hash, pass-the-ticket), pivot from the initial compromised system to other internal systems. Map the network to identify high-value targets β domain controllers, file servers, databases, backup systems.
Escalate from standard user to local admin, then to domain admin in Active Directory environments. With domain admin, the attacker controls the entire Windows environment β can create new accounts, access all systems, and reset any password.
Slow, staged data theft to avoid triggering DLP alerts or anomalous bandwidth spikes. Data is staged on an internal system, compressed, encrypted, and exfiltrated in small batches β often during business hours to blend with legitimate traffic. Exfiltration channel may use cloud storage services that are whitelisted in firewall rules.
Plant multiple independent persistence mechanisms so that removing one backdoor does not evict the attacker. Survive credential resets by harvesting new credentials. APTs are often "re-discovered" months after initial remediation β because the remediation was incomplete.
Insider Threat Indicators
| Malicious Insider Indicators | Negligent Insider Indicators |
|---|---|
| Accessing data outside normal role or access scope | Clicking unknown links or email attachments |
| Accessing systems or files outside normal working hours | Using personal USB drives for work files |
| Bulk downloading files β especially before a resignation or termination | Reusing passwords across personal and work accounts |
| Emailing sensitive data to personal email accounts | Ignoring mandatory security training requirements |
| Expressing grievances, resentment, or unusual interest in unauthorized data | Using unauthorized cloud storage to sync work files (Shadow IT) |
| Requesting elevated permissions outside normal job function | Leaving workstations unlocked and unattended in shared areas |
| Copying large volumes of data to removable media | Sharing credentials with colleagues for convenience |