Threat Actors – SY0-601 CompTIA Security+ : 1.5

There are many different sources of threats, with many different motivations for attacking your network. In this video, you’ll learn about threat actors and the differences between these types of attackers.



A threat actor is an entity responsible for an event that has an impact on the security of another entity. Sometimes you’ll hear this referred to as a malicious actor. This is usually the entity that you’re trying to protect your network and your data from. This is the bad guy.

There are many different categories of threat actors. In this video, we’ll step through the major categories and examine some of the motivations behind their attacks. In many of these examples, you’ll find that the threat actor is running an APT, an advanced persistent threat.

It is advanced because it uses techniques capable of getting past your defenses and into your network. It’s persistent because once the attackers are in, they stay in until you find them and remove them. And the threat part means that they are after something on the inside of your network. What’s notable is how long it takes to finally identify that one of these threat actors has infiltrated and is living inside of your network.

In FireEye’s M-Trends report covering 2018, the median dwell time, the time an attacker is inside the network before being detected, was 71 days in the Americas. This goes up to 177 days in Europe, the Middle East, and Africa, and to 204 days in Asia-Pacific before anyone realizes that an attacker is inside of the network.

Some of the most dangerous threat actors are the ones that are inside of your network already. These may be employees or contractors who work for your organization, and these insiders have a lot of control and free rein over what they can do inside of your network. It’s unlikely that an insider threat actor is someone who works at being a hacker 24 hours a day, seven days a week. They probably have a different job inside of your organization, and therefore the attacks they use may not be as sophisticated as those of a more advanced attacker.

But the insider knows things that an outside hacker doesn’t. They know where your data center is located. They know how your network is designed. They understand the security tools that you already use inside of your network. So they can direct their efforts towards the most vulnerable systems, or the systems they have the most access to. This is a huge advantage that an insider has over someone trying to get in from the outside. And because the insider walks through the front door every day and connects to your network with legitimate credentials, they have a huge number of resources available to find data and exfiltrate that information from your organization.

A nation-state threat actor is usually a government, typically an organization in charge of national security, and it’s almost always an external government entity. Governments tend to have many resources available, so they can hire the smartest technologists and gather the top security experts in a particular area.

A good example of a nation state as a threat actor is the Stuxnet worm, widely attributed to the United States and Israel working together, which destroyed about 1,000 nuclear centrifuges in Iran. This worm was able to get inside of the centrifuge facilities, and its entire goal was to find a very specific type of centrifuge controller and cause those centrifuges to operate incorrectly. This is just one example of a government using an APT to gain access to, and in some cases destroy, equipment inside of another government’s facility.

A hacktivist is a threat actor that is both a hacker and an activist. This is a hacker who has a purpose or goal in performing attacks against a third party. This is commonly associated with a political or social message, but it doesn’t have to be limited to those areas. These attacks can be very sophisticated, and they’re very focused on a single message or a single theme. The hacktivist may perform a denial of service, deface a website, or find private information that can then be released to the public. There’s not usually a financial gain from hacktivism, so the hacktivist often has to go outside of the organization to raise funds to keep going.

A script kiddie is a threat actor who may not necessarily be a kiddie, but who is focused on running very simple, pre-written scripts to gain access to someone’s network. The script kiddie is usually someone on the outside who’s trying to gain access to internal resources, but who doesn’t have the knowledge or experience to know exactly what to do to gain that access.

We call them script kiddies because what they’re doing is simply throwing a lot of different scripts and a lot of different attacks at a system, hoping that one of them finds a way in. Even though they don’t know exactly how these scripts work, they’re hoping that one of them gives them the access they need. This is also a threat actor who doesn’t necessarily have a financial motive, so the script kiddie often has limited resources. But they’re motivated by the process itself. They’re looking to brag that they gained access to someone’s network or were able to exfiltrate some data.

Organized crime is a threat actor that certainly transcends computers, but these groups have made a name for themselves in information technology. This is a set of professional criminals. This is what they do for a living, and they are almost always motivated by financial gain. Because there’s usually significant financial benefit from these types of attacks, there’s usually enough money to purchase the services of the best hackers.

And this group may be structured just like any other business. There may be one person doing the hacking, another person managing the exploits they use, another person selling the data gathered from all of these efforts, and someone else handling, for example, customer support for the buyers. From the outside this may look like a normal company, but of course this is a threat actor with access to a lot of funds and a lot of resources to keep these attacks going.

The term hacker has a very broad definition, but it usually refers to an expert with technology. This may be an expert who’s working for good, or it may be an expert who’s being malicious. There are many ethical hackers. These are people who are hired to look at a network, try to gain access, find the weak points, and then help resolve those weak points to make the network even stronger. This is an authorized hacker, someone who has permission to perform these hacking functions because they’re going to help make the entire system much more secure.

The other end of the spectrum is the unauthorized hacker, who is simply malicious. They’re looking to cause problems. They’re looking to gain access to your data, and they’re looking to cause as much mayhem as possible. There are also hackers in the middle of these two extremes. These are semi-authorized hackers who may be looking for vulnerabilities, but don’t necessarily act on those vulnerabilities. This is a hacker who is more of a researcher, trying to find a way into someone’s network without necessarily taking advantage of that access.

You may work in an organization that has an IT department, but you may not be part of that IT department. And there may be times when you need to get something done with technology, but the IT department is not able to do that for you. So instead of going through the IT professionals at your organization, you start creating your own separate IT entity. This is the shadow IT of your organization.

This is a case where you’re performing your own IT functions without interacting with your internal information technology department. People who don’t work in IT often don’t understand some of the restrictions and the policies that are in place. They feel that those policies are roadblocks that keep them from doing their job. So to work around these restrictions, they might create their own cloud infrastructure or purchase their own equipment. But they’re doing this outside the purview of the IT processes and procedures.

Although there may be some short-term benefits that allow a group to move very quickly without being encumbered, there are very often significant disadvantages to being a shadow IT group. For example, you’ve probably wasted time and money, because the IT department can usually do things faster and at lower cost. There are also security risks associated with this. If you’re not an expert in IT security, you may be creating risks that you had no idea even existed.

Of course, there can be significant compliance issues. And depending on your organization and where it operates, there may be significant legal requirements. Internal infighting also creates dysfunction, and that dysfunction usually costs money, efficiency, and time.

The competitors to your business would love to see you out of the market. They might be interested in causing a denial of service against your company, performing espionage against you, or simply tarnishing your reputation in the industry. Since this type of threat actor can be a for-profit company, there are usually significant financial resources they can apply towards these types of threats.

And you can imagine the disruption that would occur if a competitor gained access to your network. They could shut down your organization while you’re having a big event, or steal all of your customers’ data. They could also corrupt the manufacturing process and prevent you from creating any new product. Or they might take all of your financial information and use it for their own purposes.