The Attribution Problem
Rania was a threat intelligence analyst at a global financial institution. For six months she had been tracking a sophisticated intrusion that began almost invisibly β a few unusual logins from a VPN exit node, then small batches of sensitive documents accessed outside business hours. No alarms went off. No ransomware. No disruption. Just a quiet, patient presence moving through the network.
Six months later, the attacker was still inside.
"Before we respond, we need to understand WHO is doing this," Rania told the incident response team. "Because the answer changes everything about how we proceed. If this is a ransomware gang, we call the backup team. If this is a nation-state, we call the FBI. If this is an insider, the investigation looks completely different. Attribution shapes the response."
She pulled up her threat intelligence platform and began building a profile. A threat actor is an entity that is the cause of an event that affects the security of others β often called a malicious actor because their actions tend to have a negative effect on the security of others. Who was behind this intrusion? What did they want? How patient were they willing to be?
Understanding Threat Actor Attributes
Rania explained to her junior analyst why classifying the attacker mattered before deciding on a response. Every threat actor has a set of attributes β characteristics that describe who they are and how they operate.
The first attribute is internal vs. external. Is the attacker inside the house β someone with authorized access to your systems β or are they outside, trying to get in through public-facing resources? This fundamentally changes where you look and what controls apply.
The second attribute is resources and funding. Some threat actors have no money and rely entirely on free tools. Others have extensive funding β the backing of a government budget, or the reinvested profits of a criminal organization. Resources determine the scale, sophistication, and persistence of the attack.
The third attribute is level of sophistication and capability. At one end: someone who blindly runs scripts or automated vulnerability scanners without understanding what they're doing. At the other end: someone who can write their own attack malware, develop custom tools, and adapt when defenses block their techniques. Most attackers sit somewhere in the middle.
Internal/External β the attacker is inside the house, or outside trying to get in.
Resources/Funding β no money and free tools, or extensive financial backing.
Sophistication/Capability β blindly runs scripts, or can build their own attack malware and scripts.
What Makes Them Tick: Motivations
"Why would somebody want to do that?" Rania heard this question constantly. The answer: many, many different reasons. Understanding motivation explains why an attack is happening, whether it is directed or random, and what the attacker's ultimate goal is. Motivation drives target selection and attack method.
The motivations Rania catalogued from her threat intelligence work:
- Data exfiltration β steal valuable information
- Espionage β collect intelligence on enemies or competitors
- Service disruption β take operations offline to cause pain
- Blackmail β threaten to release data unless paid
- Financial gain β ransomware, fraud, credential theft
- Philosophical/political beliefs β ideology as a weapon
- Ethical β whistleblowing, exposing wrongdoing
- Revenge β personal grievances against the target
- Disruption/chaos β cause damage for its own sake
- War β cyber operations as part of military conflict
"If we understand the motivation," Rania said, "we can then adjust our security to best prevent this type of attacker from gaining access to our systems."
Nation-State Actors: The Most Dangerous Adversaries
Rania started with the category she feared most. Nation-state actors are an external entity β government-sponsored groups operating with near-unlimited resources and extraordinary patience. Often referenced as an entire government or an arm of that government dealing with national security, they attack for many possible motivations: data exfiltration, philosophical reasons, political reasons, service disruption, and ultimately may even be trying to pull an adversary into a war.
A government has enormous resources available β constant attacks, multiple simultaneous operations, highly sophisticated developers creating advanced attack types. These attacks are referred to as APTs β Advanced Persistent Threats. They are especially dangerous because they have the resources of an entire government behind them. They target military control locations, utilities, and financial systems.
The best-documented example: if you want to see what a combination of governments working together can do, look into the Stuxnet worm. Created by the United States and Israel, it was specifically designed to destroy nuclear centrifuges. It destroyed approximately 1,000 nuclear centrifuges in Iran's Natanz facility β a physical cyber operation with no precedent.
What distinguished nation-state actors was their patience and discipline. They maintained access for months to years, using living-off-the-land techniques β PowerShell, WMI, certutil, built-in Windows tools β instead of custom malware that might trigger alerts. When defenders thought they had removed the attacker, the attacker was still there, waiting.
Advanced: sophisticated custom tools, zero-day exploits, living-off-the-land techniques, highest sophistication level.
Persistent: constant attacks, maintains access for months or years, survives credential rotations.
Threat: deliberate, targeted, goal-oriented β not opportunistic. Commonly nation-state actors.
Unskilled Attackers: Low Skill, Real Risk
We move from attackers that are very sophisticated to attackers that aren't sophisticated at all. Unskilled attackers run pre-made scripts without any knowledge of what's happening under the surface β anyone can do this. If the script works, the attacker was successful. If the script doesn't work, the unskilled attacker doesn't have the skills to understand why it failed or how to modify the scripts.
These attackers are motivated by the hunt: disruption, data exfiltration, sometimes philosophical or political reasons behind the attack. They can be internal or external β but usually external. They are not very sophisticated and have limited resources, if any. No formal funding. They're looking for low hanging fruit β unpatched, exposed systems that automated tools find automatically.
"The vulnerability doesn't know how skilled the person exploiting it is," Rania explained. "An unpatched system with a known CVE will be compromised by a Metasploit module whether it's a nation-state operator or someone who simply downloaded a tool. Automated scanners cover the entire internet. If you're exposed and unpatched, you're a target β not because they specifically chose you, but because the scanner found you."
Runs pre-made scripts without any knowledge of what's really happening. Limited or no resources. No formal funding. Looking for low-hanging fruit. Usually external. Dangerous because automated tools work at scale regardless of operator skill.
Hacktivists: Ideology as a Weapon
If you're a hacker motivated by political reasons, a philosophical difference, or a desire to disrupt or damage an organization, you might be categorized as a hacktivist β a hacker with a purpose, a hacker activist. Hacktivists are commonly considered to be outside the organization, but they could also work towards getting hired to be part of the organization and become an internal threat.
These are often very sophisticated technologists who use their knowledge to attack in specific ways: denial of service attacks, website defacement to put their own messages on existing sites, or finding private documents they can then release to the public. The attack is designed to be visible β visibility is the point.
Fortunately for defenders, hacktivists don't tend to have a large amount of finances available. But some organizations perform fundraising so they will have money to apply towards their hacktivism.
Anonymous was the defining example: Operation Payback targeted PayPal, Visa, and Mastercard after they froze WikiLeaks' donation accounts β coordinated DDoS attacks to make a political point. Operation Tunisia supported pro-democracy protesters during the Arab Spring. Their targets were chosen by ideology, not strategic business value.
Insider Threats: The Enemy Already Inside
An insider threat is an especially difficult problem to locate β and even more difficult to stop if they want to do something malicious. This is more than someone writing their password down on a yellow sticky and keeping it under their keyboard. An insider threat is someone who is out for revenge or financial gain against the organization.
With an insider threat, all of the resources already exist within the organization β this individual is simply taking advantage of those existing resources. This is why it's so important during the hiring process that proper vetting is done. You can think of this type of attacker as having a medium level of sophistication β but where they really excel is knowing exactly where in the organization the data might be and how to circumvent the existing security controls to gain access to that data. The insider has institutional knowledge. Attacks can be directed at vulnerable systems. The insider knows what to hit.
Rania distinguished two types. Malicious insiders intentionally cause harm β disgruntled employees seeking revenge, employees bribed by competitors. Edward Snowden, an NSA contractor, walked out with 1.5 million classified documents using credentials he legitimately possessed. Negligent insiders unintentionally cause harm β clicking phishing links, misconfiguring cloud storage, losing unencrypted laptops. Statistically, negligent insiders cause more incidents than malicious ones.
Insider threat is hardest to detect because authorized access doesn't look like an attack. Key behavioral anomaly indicators: accessing data outside normal role or hours, bulk downloads β especially before a resignation, emailing sensitive files to personal accounts, requesting access outside their normal scope, expressing grievances or unusual interest in data they don't need.
Organized Crime: Hacking as a Business
Our perception of organized crime may go back to old movies. But in reality, there is a great deal of organized crime in the cybersecurity arena. Threat actors categorized as organized crime are usually motivated by money β everything they do is to make a profit from their attacks. Almost always an external entity. Very sophisticated β the best hacking money can buy.
Since organized crime is in the business of making money, they often have significant resources available. These organizations might have a corporate structure, where: one person does the hacking, another person manages the exploits and creates new ones, somebody else sells the data to a third party β and you might even have somebody handling customer support, especially in cases where the organized crime group is targeting organizations with ransomware.
It's difficult to fight an attacker that has this much money available. Modern groups like Conti had separate teams: developers building ransomware code, testers, pentesters, negotiators handling ransom communications, and money laundering specialists. Ransomware-as-a-service had lowered the barrier further: groups rent their kits to affiliates, splitting payments. Double extortion β encrypting data AND threatening to publish it β became standard.
Shadow IT: Going Rogue Inside the Organization
A threat actor we don't often consider is one that's in our own organization and working around the existing policies and procedures of the IT department. We refer to this as Shadow IT β it's usually a group or department that is working around the rules put in place by the existing IT department. They might build their own infrastructure, install their own applications, and start using them without the IT department even realizing what's happening.
This is a group that doesn't have to deal with the limitations that come with an IT department β no change control, no budgeting constraints. Instead, they use their own budget or credit cards to purchase their own cloud-based services and access those from their browser. Information Technology can put up roadblocks; Shadow IT is unencumbered. In some cases, they might even be able to innovate β but without any security oversight.
Shadow IT groups are limited by the amount of budget they might have β but in many cases they can create quite an infrastructure using a small amount of budget, connecting to devices in the cloud. In some cases, none of these people have a background in information technology. They don't understand what's required for backups or change control. And this can obviously put a huge risk on the organization, especially if no one in the shadow IT department has any consideration for what security should be in place.
Rania's Conclusion: The Summary Table
Rania assembled the evidence. Six months of persistence β APT-level patience. Selective exfiltration: specifically merger documents and acquisition target analyses β not credit card numbers, not the kind of data criminals sell. No ransomware. No disruption. A deliberately quiet presence.
"This isn't organized crime. A ransomware group would have deployed their payload weeks ago. This is espionage β someone wants acquisition intelligence. That points to nation-state or a well-resourced competitor working at nation-state level."
The conclusion changed everything. A criminal ransomware incident means restore from backups, patch the entry point, move on. A nation-state espionage operation means months of forensic investigation, mandatory FBI notification, coordination with government agencies, and assuming multiple undiscovered entry points.
Knowing who your adversary was didn't just satisfy curiosity. It told you how to fight back.
| Threat Actor | Location | Resources | Sophistication | Possible Motivations |
|---|---|---|---|---|
| Nation State | External (government-sponsored) | Very high | Very high (APT-level) | Espionage, cyber warfare, political influence, disruption, revenge |
| Unskilled Attacker | Usually external | Very limited or none | Low (pre-built tools) | Disruption, curiosity, data theft, reputation |
| Hacktivist | Usually external | Limited to moderate | Medium to high | Political/philosophical beliefs, protest, disruption, revenge |
| Insider Threat | Internal | Access to internal systems | Medium (institutional knowledge) | Financial gain, revenge, sabotage |
| Organized Crime | External | High funding | High (professional) | Financial profit, data theft, fraud |
| Shadow IT | Internal (employees/departments) | Limited (unofficial budget) | Medium (often non-experts) | Convenience, productivity, bypassing IT restrictions |