The 6 Types of Threat Actors You Need to Know
If you’ve ever seen a true-crime documentary, you know that the first thing the detectives do
upon discovering a crime is postulate the identity of the perpetrator.
To understand the motive, not to mention how the crime was committed, investigators play a game of psychological
“what-ifs” to determine what sort of personality they are dealing with. The more they understand the criminal,
the more likely they are not only to catch the villain, but also to prevent the crime from repeating.
The exploration of what sort of person commits cyber-crimes is still in its infancy. So much is made of the types
of security we use to bottle up our assets, data, and infrastructures, that we don’t often think about who is
behind the seemingly relentless stream of attacks that assault businesses, governments, and other web
As everyone knows, eventually even the best lock can be picked, the best fortress penetrated, and the nastiest guard
dog appeased by a delicious Porterhouse steak.
Cyber-criminals of all shapes and sizes are out there looking for loopholes in your system. A key component of
any threat intelligence platform should be a who-is-who gallery of the kinds of threat actors perpetrating those
attacks, their motives, their methods, and best practices for shutting them down.
This blog explores the six established types of actors, including their motivations and mindsets.
Government sponsored threats
Non-aggressive warfare between countries used to involve trade embargoes, saber-rattling, and sabotage. Now it’s
evolved into cyber warfare, which is far less bloody, far less traceable, and much more efficient at disrupting
the infrastructure of your opponent’s key systems. In the aftermath of 9/11, everyone was waiting for another
plane to strike a high-profile target, but terrorist organizations like Hamas and Hezbollah were already
shifting their ideology towards using cyber attacks against key parts of the US government. In 2015, the Chinese
government used its “Great Firewall of China” to take down Github, sending a message about its thoughts on
platforms where anyone can host, share, build, and manage coding. In 2017, US President Donald Trump made it official
that his own intelligence agents were allowed to use DDoS attacks against North Korea’s military spy
branch, the Reconnaissance General Bureau.
The idea of hackers drawing government paychecks sounds like a contradiction in terms, but it’s becoming more and
more common. In North Korea, recruitment is a scene straight out of Ender’s Game, in which promising students as
young as 11 years old are sent to special academies where they are taught how to hack systems and concoct
computer viruses to use against the enemy.
In countries more seasoned in non-aggressive warfare, like the US and Russia, these hackers are often professionals
who have been contracted by the same government they spent years or decades causing mayhem in, or those who were
caught hacking a system and then offered the chance to work for the government to wipe out criminal charges.
Government-funded hackers are an interesting dichotomy, as they are usually the most well-funded, which makes
them particularly dangerous. However, since they usually have a singular goal, dictated from their employer,
they often don’t do as much damage as a free agent in the same system might. This makes it easier to predict
their likely targets by using threat intelligence feeds such as human intelligence (HUMINT), signals intelligence
(SIGINT), and open-source intelligence (OSINT). As countries clash diplomatically and economically, their
hackers are usually at work on a deeper level pursuing points of attack.
Organized crime
Organized crime hackers have the most transparent of all goals among the six types of threat actors: they want to
steal your money or something they can sell afterwards.
This might take the form of data breaches, DDoS attacks, or the planting of ransomware, three things that every
threat intelligence platform must maintain constant vigilance against. The organized crime hacker is usually a
veteran criminal who has added hacking to his resume, or who started as a hacker and was recruited by a crime
syndicate to expand its reach. Organized crime hackers are probably the most dangerous because they are the most
efficient – flush with funds but not needing the clunky infrastructure of a government; they divvy up the tasks
and go to work. Ransomware is the real killer here because most companies have no idea how to respond to it if
they don’t already have the proper threat intelligence tools in place to stop it in its tracks. Do they call the
police? The FBI? The end result is either losing everything – a death knell for most small-to-medium sized
businesses (SMBs) or paying the ransom and having to take a criminal’s word that the data will be restored.
Hacktivists
Hacktivism often comes across as being somewhat generally positive. Hacktivists are seen as protesting social
issues, government controversies, or corporate initiatives that threaten civil rights, the environment, etc.
Hacktivists are usually involved in activities that take down websites or replace web content with their own
propaganda. Because their cause is typically ideological, they aren’t usually motivated by money, which often
means that they are not professionals, but closer to novice and intermediate-level hackers. Open-source
intelligence (OSINT) is a great threat intelligence feed to use when watching out for hacktivists, as news
reports and social media are primary breeding grounds for anti-government or anti-corporation movements to
Inside threats
Inside threats are usually the toughest to defend against because they can come from so many different locations.
Not only are we talking about attempts by the competition to shake down their business rivals, but also
ambitious ex-employees as well as people who misplace their credentials, their work-issued devices, and those
employees who look for ways to line their own pockets.
A well-rounded threat intelligence platform will surely include all of your company’s competition information:
who they are, where they’re based, how their market share compares to your own, and how they move online. For
some industries, cyber attacks are like fights in the NHL – illegal, but everyone knows they’re coming. In fact,
when DDoS attacks first became commonplace, some of their chief proponents were gambling companies that operate
offshore of the US. Those sites would turn their own hired cyber guns on each other in the minutes and hours
before a major sporting event like a boxing prize fight or the Super Bowl to take them offline, costing them
thousands or millions of lost bets. Threat intelligence feeds that must be closely monitored against inside
- Market intelligence (MARKINT) to understand your company’s industry and that of your competitors.
- Financial intelligence (FININT) to understand the financial capabilities or motivation of would-be
- Open-source intelligence (OSINT) particularly on social media with regard to former and current employees.
Some might view this as a large step towards 1984 tendencies, but Facebook and Twitter are breeding grounds
for discontent, both external, and internal, and must be monitored.
- Human intelligence (HUMINT): Direct and indirect methods of communication can reveal intent, and can also
bring to light that someone has lost a piece of company-issued equipment but fears reprisal if they admit to it.
Amateur hackers
The earliest days of computer hacking in the 1980s were born of curiosity and the need to show off one’s skills.
Most of the time the intent was “to see what’s out there” rather than “how much damage can I do?” With hackers
tending to gather in clusters, the desire to join a group is often largely based on a field test of what an
individual is capable of. Amateur hackers can either be given a task or simply pull one off in order to get a
group’s attention, in the hope of gaining an invitation to take part in bigger jobs, for profit or simply
“because it’s there.”
If it sounds like a street gang initiation requiring a potential member to steal the next passer-by’s wallet or
go rob the corner store, you’ve got the idea. Because this type of hacker is usually a novice and using other
hackers’ scripts or programs, they are often referred to as “script kiddies” or “skiddies”.
These amateur hackers are generally the easiest to trace, repel or identify because they have incomplete
strategies and/or lack the experience to cover their tracks. It can be a bit like a bank robber successfully picking
the lock of the safe and then walking straight to his car, unaware of the security cameras recording him. The
inherent danger of the script kiddie attack is twofold: 1) when they do hack into a system, they often cause
more mischief than damage because of their inexperience and 2) there are always exceptions to the rule, and
every master hacker was one day in the same position, an amateur on the verge of discovering a major flaw or
developing new code that will earn them their reputation.
Because every year sees new hackers with new techniques, threat intelligence tools have to evolve as well. Threat intelligence
is not a field that can ever stand still.
Internal User Error
Here’s your horrifying stat for the day: Around 80% of cyber incidents start with internal user errors – meaning
that while your threat intelligence feeds are devouring data from every corner of the planet, the real problem
might be coming from inside your own walls. It’s a big reason why your threat intelligence platform has to start
with a deep dive into every nook and cranny of your system and perform that same search mission on a consistent
basis. If your system was run by one person for one user, this wouldn’t happen so much, but with all the people
involved in the architecture of your network, all the different users with different privileges, and with your
system evolving over time to include things like new routers, new servers, and new firewalls – anything could
result in a catastrophe if it were to be installed or configured incorrectly.