Chapter 19 Β· Glossary

Threat Actors Glossary

16 key terms for the exam.

Threat Actor
Any individual, group, or organization responsible for a security incident or threat. Characterized by motivation, sophistication, resources, and access level. Understanding the threat actor type behind an attack determines the appropriate response strategy and defensive priorities.
Nation-State Actor
Government-sponsored threat actor with significant resources, high technical sophistication, and long-term strategic goals β€” espionage, sabotage, intellectual property theft, or pre-positioning in critical infrastructure. Also called Advanced Persistent Threat (APT) groups. Examples: APT29 (Cozy Bear, Russia), Lazarus Group (North Korea), APT1 (China).
APT (Advanced Persistent Threat)
Sophisticated, long-duration targeted attack, typically attributed to nation-states or highly organized criminal groups. Advanced: uses custom tools, zero-day exploits, and living-off-the-land techniques. Persistent: maintains access for months or years, survives credential rotations and partial remediation. Threat: deliberate, targeted, goal-oriented β€” not opportunistic.
Hacktivist
Attacker motivated by political, ideological, or social causes β€” using hacking as a form of protest or activism. NOT financially motivated. Tactics include DDoS to disrupt services, website defacement to spread messages, and data leaks to embarrass targets. Goal is visibility and disruption. Example: Anonymous (Operation Payback, Operation Tunisia).
Organized Crime
Profit-motivated criminal groups conducting cyberattacks for financial gain. Highly professionalized β€” ransomware-as-a-service operations with developers, testers, negotiators, and money launderers. Primary methods: ransomware, credential theft, bank fraud, BEC. Will avoid attacks that invite nation-state retaliation. Examples: Conti, Evil Corp, LockBit.
Insider Threat
A threat originating from within the organization β€” employees, contractors, or partners with authorized access. Includes malicious insiders (intentional harm) and negligent insiders (unintentional harm). Uniquely dangerous because insiders bypass perimeter defenses entirely, have knowledge of systems and data locations, and their activity initially resembles normal authorized work.
Malicious Insider
An authorized user who intentionally misuses their access to cause harm β€” data theft, sabotage, fraud. Includes disgruntled employees seeking revenge, employees bribed or coerced by outside parties, and planted operatives hired specifically to steal data. Example: an employee copying customer records before resigning to join a competitor.
Negligent Insider
An authorized user who unintentionally causes security incidents through carelessness or poor security hygiene β€” clicking phishing links, misconfiguring cloud storage, losing unencrypted devices, reusing passwords. Statistically responsible for more security incidents than malicious insiders. Harder to detect because the actions appear as normal human error.
Unskilled Attacker
Low-skill attacker (also called a script kiddie) who uses pre-built tools, exploit kits, and scripts written by others β€” Metasploit modules, leaked ransomware frameworks, automated credential stuffers. Runs pre-made scripts without any knowledge of how they work. Usually external, with no formal funding or backing. Opportunistic rather than targeted: scans the internet for any vulnerable system. Dangerous at scale because automated tools can compromise many unpatched systems regardless of the operator's skill level β€” organizations with exposed, unpatched systems are the "low hanging fruit."
Shadow IT
Technology systems, applications, or cloud services deployed by employees without IT department knowledge or approval. Creates unmonitored attack surface outside security controls β€” no patching, no monitoring, no access controls, no DLP. Risk exists regardless of employee intent: well-meaning employees syncing work files to personal cloud storage create real data exposure.
TTP (Tactics, Techniques, Procedures)
The behavioral profile of a threat actor β€” the behaviors, methods, and tools they use to conduct attacks. Tactics: high-level goals (initial access, persistence, exfiltration). Techniques: specific methods to achieve each tactic. Procedures: exact implementation details unique to the actor. TTPs are used to attribute attacks to specific groups and predict future behavior.
MITRE ATT&CK
A globally accessible knowledge base of real-world adversary TTPs organized by tactic (columns) and technique (rows). Based on observed real-world attacks, not theoretical scenarios. Used for threat modeling, detection gap analysis, red team planning, and security control prioritization. Allows organizations to map their defenses against known attacker behaviors.
Attribution
The process of identifying who conducted a cyberattack β€” which individual, group, or nation-state is responsible. Difficult because: attackers use VPNs, Tor, and compromised intermediary systems; false flag operations deliberately mimic other groups' TTPs; tools are shared or leaked across groups. High-confidence attribution typically requires multiple independent intelligence sources.
Threat Intelligence
Evidence-based knowledge about threats including context, mechanisms, indicators of compromise, and actionable defensive guidance. Used to identify, understand, and respond to threats before or during an attack. Sources include commercial threat intelligence feeds, government sharing (CISA, FS-ISAC), open-source research, and internal forensic investigation findings.
Persistence (Attack)
An attacker's ability to maintain long-term access to a compromised environment despite reboots, credential changes, and partial remediation attempts. APTs plant multiple persistence mechanisms (scheduled tasks, registry run keys, implants in legitimate software) so that removing one does not evict the attacker. A defining characteristic of nation-state APT operations.
Living Off the Land (LOTL)
Attack technique where adversaries use legitimate built-in system tools β€” PowerShell, WMI, certutil, PsExec, scheduled tasks β€” rather than deploying custom malware. Blends attack activity into normal system administration traffic, evades signature-based antivirus and EDR detection, and leaves fewer forensic artifacts. Heavily used by nation-state APT groups to maintain stealth over long-duration intrusions.