Question 1: An attack has been in progress for 11 months. The attackers use custom-built malware and only exfiltrate data on weekdays during business hours to blend with legitimate traffic. No ransomware has been deployed β only classified R&D documents have been stolen. What type of threat actor is most likely responsible?
Question 2: A company's security team discovers an employee in the finance department has been photographing financial reports with their personal phone and sending them to a competitor. The employee has no IT skills and used no technical attack tools. Which threat actor category applies?
Question 3: What is the PRIMARY characteristic that makes a negligent insider different from a malicious insider?
Question 4: A hacktivist group targets a corporation's public website with a DDoS attack and leaks internal emails to journalists. What is their most likely goal?
Question 5: Which threat actor characteristic best explains why an APT's initial intrusion is often discovered through a supply chain compromise rather than a direct attack?
Matching: Threat Actor Motivations
Match each threat actor type to its primary motivation and method.
ACTOR TYPE
MOTIVATION
Analysis Question
A bank's CISO receives a threat intelligence report stating: "A financially motivated criminal group is scanning financial institutions for unpatched VPN vulnerabilities." Simultaneously, an HR manager reports receiving suspicious emails asking them to verify their company credentials. Should the CISO treat these as related? What threat actor type is involved and what should be prioritized?
Yes β highly likely related. This is a classic organized crime attack pattern combining two simultaneous initial access vectors:
Why they're related: Ransomware and fraud groups typically attempt multiple initial access vectors in parallel. Scanning for VPN vulnerabilities provides an automated technical entry point. Credential phishing against HR (who often have broad system access for onboarding/offboarding) provides a social engineering entry point. Either vector alone might fail β running both simultaneously increases the probability of gaining a foothold.
Threat actor type: Organized crime β financial motivation (ransomware or fraud), broad targeting of financial institutions (not targeted espionage), dual-vector approach typical of RaaS affiliate operations.
Priority 1: Emergency patching of all internet-facing VPN appliances. If a patch is not immediately available, consider temporary restrictions on VPN access or enhanced authentication requirements while patching is expedited.
Priority 2: Alert HR and all staff immediately about the active credential phishing campaign. Enforce MFA on all systems β even if credentials are phished, MFA prevents account takeover. Report the phishing emails to the security team for analysis.
Priority 3: Enhance monitoring on VPN authentication logs for unusual login patterns (off-hours logins, logins from unusual geographies, logins from Tor exit nodes), and watch for lateral movement indicators on systems accessible via VPN.
Performance Task
Your organization has hired 50 new contractors who will have access to sensitive engineering designs for 6 months. The security team is concerned about insider threats β both malicious (theft of IP) and negligent (accidental data exposure). Design a set of controls specifically for this contractor population.
Privileged Access Management: Contractors receive minimum-necessary permissions β only the specific systems, project folders, and data required for their contract scope. No broad access to unrelated engineering projects. Time-limited accounts automatically expire on the contract end date β no manual offboarding required to disable access.
Separation of Duties: Contractors cannot approve their own work, merge code to production branches without review, or access systems outside their assigned project scope. No single contractor controls any critical process end-to-end.
Behavioral Monitoring (UEBA): Baseline normal access patterns for each contractor during the first week. Configure alerts for: access to systems outside their assigned project, access outside normal work hours, bulk file downloads (more than X files in Y minutes), data movement to USB or personal cloud storage, access to data repositories outside their stated project role.
Data Loss Prevention (DLP): DLP rules preventing sensitive engineering documents from being emailed to external addresses, uploaded to personal cloud storage services, or copied to removable media unless specifically authorized in writing for each instance.
Physical Controls: Contractors work in designated areas. Personal mobile devices are prohibited in areas where sensitive engineering documents are accessed. Screen privacy filters on workstations. Clean-desk policy enforced.
Onboarding Security Training: Mandatory security training on day 1 covering: data handling requirements, acceptable use policy, reporting requirements, consequences of policy violations. Acknowledgment signed and documented.
Offboarding Procedure: On the last day of the contract, accounts are immediately disabled (not just expired β immediate disable). All issued devices are recovered and forensically imaged before being reused. Access logs for the final 30 days are reviewed for any unusual activity. Data transferred by the contractor during the contract is audited against project scope.
Negligent Insider Mitigation: USB access disabled by default on contractor workstations. Endpoint monitoring for data transfer activity. Regular reminders about phishing β contractors are frequent targets for social engineering because they have access to valuable IP but may be less security-aware than full employees.