Compare and contrast common threat actors and motivations
Understanding who is attacking you determines how you defend. A script kiddie and a nation-state APT (Advanced Persistent Threat) require fundamentally different defensive postures. The exam expects you to profile threat actors by their attributes and predict behavior from their motivation.
Threat Actor Types
Nation-State
Government-sponsored or government-affiliated actors conducting cyber operations.
- Resources: Virtually unlimited budget, custom zero-day exploits, dedicated teams
- Sophistication: Highest. Custom malware, supply chain attacks, long-term persistent access
- Motivation: Espionage (intelligence gathering), disruption (critical infrastructure), political influence
- Timeframe: Months to years of persistent access (APT = Advanced Persistent Threat)
- Examples: Stuxnet (widely attributed to the US and Israel, targeting Iran's uranium enrichment centrifuges), SolarWinds (attributed by the US government to Russia's SVR; a trojanized software update reached US government agencies), Pegasus (commercial spyware built by NSO Group and sold to multiple governments)
Unskilled Attacker (Script Kiddie)
Low-skill individual using pre-built tools and scripts without understanding the underlying mechanics.
- Resources: Minimal. Uses freely available tools (Metasploit, downloaded exploit kits)
- Sophistication: Low. Follows tutorials, can’t adapt when tools fail
- Motivation: Curiosity, bragging rights, minor disruption
- Danger: Don’t underestimate volume. Automated scanning means even unskilled attackers find unpatched systems. They don’t need to be sophisticated if your defenses are weak.
Hacktivist
Ideologically motivated attacker targeting organizations that conflict with their beliefs.
- Resources: Low to moderate. Often organized loosely (Anonymous-style)
- Sophistication: Varies widely. DDoS and website defacement are common; some groups execute sophisticated breaches
- Motivation: Political/social change, embarrassment of target, data leaks for public exposure
- Tactics: DDoS, defacement, doxxing, data dumps
Insider Threat
Someone with legitimate access who misuses it — deliberately or accidentally.
- Intentional: Disgruntled employee, corporate espionage, sabotage
- Unintentional: Employee who clicks a phishing link, misconfigures a system, or loses a device
- Why it’s dangerous: Already past your perimeter controls. Has legitimate credentials. Knows where the valuable data is.
- Detection: User behavior analytics (UBA), DLP (Data Loss Prevention), privileged access monitoring, separation of duties
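The UBA item above is the one that catches the classic "employee copies customer data to USB right before resigning" case. As an added example (this is not code from the original page or from any vendor product), the script below builds a per-user baseline of daily outbound data volume from DLP-style log lines, flags any day that exceeds a multiple of that baseline, and raises severity when an HR resignation notice predates the flagged day. The log format, field names, the HR feed, and the thresholds are assumptions made for illustration; the log lines themselves are constructed, not real.

```python
import re
from collections import defaultdict
from statistics import mean

# Assumed DLP log format (illustrative only):
# <YYYY-MM-DD> user=<id> channel=<usb|cloud|email> bytes=<n> file=<name>
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) channel=(?P<channel>usb|cloud|email) "
    r"bytes=(?P<bytes>\d+) file=(?P<file>\S+)$"
)

# Constructed HR feed (not real data): user -> ISO date the resignation notice was given.
# ISO strings compare chronologically, so no date parsing is needed.
RESIGNATION_NOTICES = {"alice": "2024-03-09"}


def build_sample_logs():
    """Constructed events: nine quiet days for two users, then a 4.8 GB USB copy
    by alice the day after she gives notice, while bob stays near his baseline."""
    lines = []
    for d in range(1, 10):
        lines.append(f"2024-03-{d:02d} user=alice channel=email bytes=150000 file=status.docx")
        lines.append(f"2024-03-{d:02d} user=bob channel=cloud bytes=400000 file=deck.pptx")
    lines.append("2024-03-10 user=alice channel=usb bytes=4800000000 file=customers_export.csv")
    lines.append("2024-03-10 user=bob channel=cloud bytes=410000 file=deck.pptx")
    return "\n".join(lines)


def parse_logs(text):
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "bytes": int(m["bytes"])})
    return events


def daily_volume(events):
    """user -> {day -> total bytes leaving via any channel that day}"""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["user"]][e["day"]] += e["bytes"]
    return vol


def flag_anomalies(vol, factor=10.0, min_baseline_days=5):
    """Flag a day when its volume exceeds `factor` times the mean of that user's
    prior days. Requires `min_baseline_days` of history first, so a brand-new
    account (no baseline yet) never trips the rule on day one."""
    alerts = []
    for user, days in vol.items():
        history = []
        for day in sorted(days):
            today = days[day]
            if len(history) >= min_baseline_days:
                baseline = mean(history)
                if today > factor * baseline:
                    alerts.append({"user": user, "day": day, "bytes": today,
                                   "baseline": baseline, "ratio": today / baseline})
            history.append(today)
    return alerts


def prioritize(alerts, notices):
    """Raise severity to 'high' when the user gave notice on or before the flagged day."""
    out = []
    for a in alerts:
        notice = notices.get(a["user"])
        severity = "high" if notice and notice <= a["day"] else "medium"
        out.append({**a, "severity": severity})
    return out


def run():
    events = parse_logs(build_sample_logs())
    return prioritize(flag_anomalies(daily_volume(events)), RESIGNATION_NOTICES)


if __name__ == "__main__":
    for a in run():
        print(f"[{a['severity']}] {a['user']} {a['day']}: {a['bytes']} bytes "
              f"({a['ratio']:.0f}x baseline)")
```

The baseline is computed only from days before the one being tested, so the spike itself never inflates the average it is compared against. In a real deployment the same structure would sit behind a SIEM query, with the HR feed coming from the identity system rather than a hard-coded dict.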
Organized Crime
Criminal groups treating cybercrime as a business operation.
- Resources: Significant. Reinvest profits into better tools and talent
- Sophistication: Moderate to high. Ransomware-as-a-Service (RaaS), bulletproof hosting, money laundering infrastructure
- Motivation: Financial gain: ransomware, data theft for sale, credit card fraud, business email compromise (BEC)
- Business model: Some groups offer customer support, SLAs on decryption keys, and affiliate programs
Shadow IT
Not a traditional threat actor, but employees or departments deploying unauthorized technology.
- Unapproved SaaS apps, personal cloud storage, rogue wireless access points
- Creates unmonitored attack surface outside security team’s visibility
- Exam context: Organizational risk, not malicious intent — but the security impact is real
Competitor
Business rivals engaging in corporate espionage or competitive disruption.
- Motivation: Trade secrets, customer data, strategic advantage
- Methods: May hire third parties, exploit insiders, or conduct targeted social engineering
- Less common on the exam but worth knowing
Threat Actor Attributes
The exam asks you to compare actors across these dimensions:
| Attribute | Low | High |
|---|---|---|
| Resources/Funding | Script kiddie, hacktivist | Nation-state, organized crime |
| Sophistication | Script kiddie | Nation-state APT |
| Capability | Unskilled (uses existing tools) | Custom zero-days, supply chain |
| Intent | Unintentional insider | Nation-state espionage |
Internal vs. External
- Internal: Insiders, shadow IT. Already have legitimate access.
- External: Nation-states, hacktivists, organized crime, script kiddies. Must breach the perimeter first.
Level of Sophistication/Capability
- Low: Pre-built tools, known exploits, no ability to adapt
- Moderate: Can customize tools, chain exploits, conduct targeted phishing
- High: Custom malware, zero-day exploits, supply chain compromise, operational security to avoid detection
Motivations
| Motivation | Typical Actors | Example |
|---|---|---|
| Data exfiltration | Nation-state, organized crime, competitor | Stealing trade secrets, PII for sale |
| Financial gain | Organized crime | Ransomware, BEC, credit card fraud |
| Disruption/chaos | Hacktivist, nation-state | DDoS on critical infrastructure |
| Espionage | Nation-state, competitor | Long-term intelligence gathering |
| Philosophical/political | Hacktivist | Website defacement, document leaks |
| Revenge | Insider | Sabotage after termination |
| War | Nation-state | Cyberattacks as component of military operations |
| Ethical (authorized) | Penetration testers | Contracted security testing |
Attack Vectors by Actor
Different actors prefer different entry points:
- Nation-state: Supply chain, zero-day exploits, spear-phishing of specific individuals
- Organized crime: Phishing at scale, exploiting known vulnerabilities, RDP brute force
- Hacktivist: DDoS, web application attacks, social engineering
- Insider: Direct access abuse, data exfiltration via USB or cloud upload
Threat Actor Identification — Scenario Decision Logic
CompTIA describes a scenario and asks you to identify the threat actor. Use these clues:
| If the scenario mentions… | The actor is likely… |
|---|---|
| Custom malware, zero-day exploits, months of undetected access | Nation-state |
| Ransomware demand, BEC wire transfer, credit card data for sale | Organized crime |
| Website defacement, data dump with political message, DDoS during protest | Hacktivist |
| Publicly available exploit tools, no adaptation when blocked | Unskilled attacker |
| Employee downloading customer data to USB before resignation | Insider (intentional) |
| Employee clicking phishing link, misconfiguring firewall rule | Insider (unintentional) |
| Targeting trade secrets of a specific competitor | Competitor |
| Unauthorized SaaS app, personal cloud storage with company data | Shadow IT |
| Supply chain compromise affecting thousands of downstream customers | Nation-state (usually) |
| RaaS affiliate using purchased tools with moderate skill | Organized crime |
Key Differentiators
| Clue | Distinguishes Between |
|---|---|
| Sophistication of tools | Nation-state (custom) vs. unskilled (off-the-shelf) |
| Persistence and patience | Nation-state (months/years) vs. organized crime (quick profit) |
| Motivation stated | Political = hacktivist, financial = organized crime, intelligence = nation-state |
| Internal access used | Insider (already inside) vs. external (must breach perimeter) |
| Monetary demand | Organized crime (ransomware, extortion) vs. nation-state (usually no demand, just steals; sanctioned states such as North Korea are the known exception) |
Offensive Context
Profiling works both directions. Just as a defender profiles attackers, an attacker profiles defenders — what’s the org’s security maturity? How fast do they patch? Do they monitor lateral movement? Threat intelligence isn’t just consuming IOCs — it’s understanding adversary tradecraft well enough to predict their next move based on who they are. A nation-state actor who gets detected will retool and come back; a script kiddie will move to an easier target.