Chapter 19 Β· Quiz

Threat Actors Quiz

Select your answer, then click Reveal Answer to check immediately β€” or grade all at once at the bottom.

Question 1: An attack has been in progress for 11 months. The attackers use custom-built malware and only exfiltrate data on weekdays during business hours to blend with legitimate traffic. No ransomware has been deployed β€” only classified R&D documents have been stolen. What type of threat actor is most likely responsible?

Correct answer: B. Nation-state APT. Three indicators confirm this: (1) 11-month persistence β€” "Persistent" is definitional for APT; criminal groups deploy ransomware within days of gaining access, not months. (2) Targeted exfiltration of R&D documents β€” espionage motivation, not financial. (3) Custom malware β€” nation-state resources fund custom tooling development. A ransomware group (A) would have monetized months ago. Hacktivists (C) seek disruption and visibility, not quiet document theft. Script kiddies (D) use off-the-shelf tools and are opportunistic, not patient.

Question 2: A company's security team discovers an employee in the finance department has been photographing financial reports with their personal phone and sending them to a competitor. The employee has no IT skills and used no technical attack tools. Which threat actor category applies?

Correct answer: C. Malicious insider. The employee is intentionally stealing data and sending it to a competitor β€” this is deliberate, not accidental. The lack of technical skill is irrelevant to the threat actor category: insiders misuse their authorized access, and their access to physical financial reports is itself the attack vector. A negligent insider (D) would cause harm accidentally (clicking a phishing link, misconfiguring a system) β€” photographing reports and sending them to a competitor is clearly intentional. Script kiddies (A) are external attackers using tools, not insiders with authorized access.

Question 3: What is the PRIMARY characteristic that makes a negligent insider different from a malicious insider?

Correct answer: A. Intent is the defining distinction. A malicious insider deliberately causes harm β€” they know what they're doing and intend the outcome. A negligent insider causes harm accidentally through carelessness, poor security hygiene, or lack of awareness. Both can cause significant damage. Access level (B) is not the distinguishing factor β€” a high-privilege admin can be either malicious or negligent. Detection difficulty (C) actually often favors negligent insiders being easier to detect because their actions look like accidents. Technical sophistication (D) is not determinative β€” a malicious insider may have no technical skills at all.

Question 4: A hacktivist group targets a corporation's public website with a DDoS attack and leaks internal emails to journalists. What is their most likely goal?

Correct answer: B. Hacktivists are motivated by ideology and political causes β€” disruption and embarrassment ARE the goals. A DDoS brings the target into the news; leaking internal emails to journalists maximizes the reputational damage and public attention. There is no financial motivation (A) β€” hacktivists don't ransom or sell data for profit. Long-term persistence (C) describes APT espionage operations, not hacktivists who want immediate visible impact. Testing tools (D) describes script kiddies, not organized hacktivist campaigns with a political message.

Question 5: Which threat actor characteristic best explains why an APT's initial intrusion is often discovered through a supply chain compromise rather than a direct attack?

Correct answer: C. Supply chain attacks are used specifically when direct attacks are blocked by strong perimeter defenses. If the target organization has mature detection capabilities, every direct attack attempt risks detection and attribution. But if the attacker can compromise a trusted software vendor and inject a backdoor into a legitimate update β€” as APT29 did with SolarWinds Orion β€” the malicious code arrives already trusted, signed, and expected. It enters through a channel organizations deliberately allow. This is not simpler (B) β€” supply chain attacks require compromising a second organization β€” it is stealthier against hardened targets.

Matching: Threat Actor Motivations

Match each threat actor type to its primary motivation and method.

ACTOR TYPE

Nation-State APT
Hacktivist
Organized Crime
Unskilled Attacker

MOTIVATION

Financial gain via ransomware and credential theft
Espionage and intellectual property theft with long dwell time
Uses pre-built tools against opportunistic targets
Disruption and embarrassment for political causes

Analysis Question

A bank's CISO receives a threat intelligence report stating: "A financially motivated criminal group is scanning financial institutions for unpatched VPN vulnerabilities." Simultaneously, an HR manager reports receiving suspicious emails asking them to verify their company credentials. Should the CISO treat these as related? What threat actor type is involved and what should be prioritized?

Model Answer:

Yes β€” highly likely related. This is a classic organized crime attack pattern combining two simultaneous initial access vectors:

Why they're related: Ransomware and fraud groups typically attempt multiple initial access vectors in parallel. Scanning for VPN vulnerabilities provides an automated technical entry point. Credential phishing against HR (who often have broad system access for onboarding/offboarding) provides a social engineering entry point. Either vector alone might fail β€” running both simultaneously increases the probability of gaining a foothold.

Threat actor type: Organized crime β€” financial motivation (ransomware or fraud), broad targeting of financial institutions (not targeted espionage), dual-vector approach typical of RaaS affiliate operations.

Priority 1: Emergency patching of all internet-facing VPN appliances. If a patch is not immediately available, consider temporary restrictions on VPN access or enhanced authentication requirements while patching is expedited.

Priority 2: Alert HR and all staff immediately about the active credential phishing campaign. Enforce MFA on all systems β€” even if credentials are phished, MFA prevents account takeover. Report the phishing emails to the security team for analysis.

Priority 3: Enhance monitoring on VPN authentication logs for unusual login patterns (off-hours logins, logins from unusual geographies, logins from Tor exit nodes), and watch for lateral movement indicators on systems accessible via VPN.

Performance Task

Your organization has hired 50 new contractors who will have access to sensitive engineering designs for 6 months. The security team is concerned about insider threats β€” both malicious (theft of IP) and negligent (accidental data exposure). Design a set of controls specifically for this contractor population.

Model Answer:

Privileged Access Management: Contractors receive minimum-necessary permissions β€” only the specific systems, project folders, and data required for their contract scope. No broad access to unrelated engineering projects. Time-limited accounts automatically expire on the contract end date β€” no manual offboarding required to disable access.

Separation of Duties: Contractors cannot approve their own work, merge code to production branches without review, or access systems outside their assigned project scope. No single contractor controls any critical process end-to-end.

Behavioral Monitoring (UEBA): Baseline normal access patterns for each contractor during the first week. Configure alerts for: access to systems outside their assigned project, access outside normal work hours, bulk file downloads (more than X files in Y minutes), data movement to USB or personal cloud storage, access to data repositories outside their stated project role.

Data Loss Prevention (DLP): DLP rules preventing sensitive engineering documents from being emailed to external addresses, uploaded to personal cloud storage services, or copied to removable media unless specifically authorized in writing for each instance.

Physical Controls: Contractors work in designated areas. Personal mobile devices are prohibited in areas where sensitive engineering documents are accessed. Screen privacy filters on workstations. Clean-desk policy enforced.

Onboarding Security Training: Mandatory security training on day 1 covering: data handling requirements, acceptable use policy, reporting requirements, consequences of policy violations. Acknowledgment signed and documented.

Offboarding Procedure: On the last day of the contract, accounts are immediately disabled (not just expired β€” immediate disable). All issued devices are recovered and forensically imaged before being reused. Access logs for the final 30 days are reviewed for any unusual activity. Data transferred by the contractor during the contract is audited against project scope.

Negligent Insider Mitigation: USB access disabled by default on contractor workstations. Endpoint monitoring for data transfer activity. Regular reminders about phishing β€” contractors are frequent targets for social engineering because they have access to valuable IP but may be less security-aware than full employees.