Threats & Threat Actors

10 Threat Actor Motivations

The exam tests the full list — know all ten:

• →Data Exfiltration — stealing sensitive data for use or sale
• →Blackmail — leveraging stolen data to extort victims
• →Espionage — gathering intelligence on targets (governments, corporations)
• →Service Disruption — making systems unavailable (DoS/DDoS)
• →Financial Gain — direct monetary theft, ransomware, fraud
• →Philosophical or Political Beliefs — hacktivism, ideological agenda
• →Ethical Reasons — exposing wrongdoing (e.g. whistleblowing hackers)
• →Revenge — insider threats acting against a former or current employer
• →Disruption or Chaos — causing disorder without a specific financial goal
• →War — nation-state offensive cyber operations against adversaries

3 Threat Actor Attributes

Attributes differentiate threat actors from one another — the exam tests all three:

• →Internal vs External — insider threats are internal; most others are external
• →Resourcing and Funding — ranges from self-funded (unskilled) to government-funded (nation-state)
• →Sophistication and Capability — ranges from script kiddie (low) to nation-state (very high)

5 Threat Actor Types — Overview

Know the defining characteristic of each for scenario questions:

• →Unskilled Attacker — uses pre-built tools; lowest sophistication
• →Hacktivist — ideologically motivated; targets organizations for exposure/attention
• →Organised Crime — financially motivated; ransomware, identity theft, fraud
• →Nation-State — government-sponsored; espionage, sabotage, cyber warfare; highest resources
• →Insider Threat — within the org; malicious (revenge) or unintentional (carelessness)

4 Deception and Disruption Technologies

Used to detect attackers and gather intelligence — know the difference between each:

• →Honeypot — single decoy system/server; lures attackers and records their techniques
• →Honeynet — full network of decoy systems; captures multi-stage attack behavior
• →Honeyfile — decoy file; any access triggers an alert (no legitimate user touches it)
• →Honeytoken — fake data (e.g. fake credentials) in a real system; use of the token = breach indicator

Intent vs Motivation — Two Distinct Concepts

Intent = the specific goal (what the attacker wants to achieve). Motivation = the underlying reason (why they are attacking). The exam tests both as separate, distinguishable terms.

10 Threat Actor Motivations

The exam tests the full list — know all ten:

• →Data Exfiltration — unauthorized data theft; targets IP, PII, trade secrets
• →Financial Gain — most common motivation; ransomware, banking Trojans
• →Blackmail — leverage stolen/compromising info to extort; payment often in cryptocurrency
• →Service Disruption — overwhelm with DDoS to make services unavailable
• →Philosophical or Political Beliefs — hacktivism; website defacement, data leaks
• →Ethical Reasons — ethical hackers (pen testers, bug bounty hunters) improving security
• →Revenge — disgruntled/former employee; data breach, service disruption, leaking info
• →Disruption or Chaos — thrill-seeking or causing harm with no specific financial goal
• →Espionage — intelligence gathering against governments, corporations, or political targets
• →War — nation-state offensive cyber operations; geopolitical objectives

3 Forms of Cyber Blackmail

Blackmail uses compromising information as leverage — know all three forms:

• →Ransomware — encrypts victim's data; demands payment to restore access
• →Doxxing — threatens to publicly release personal/private information
• →Sextortion — threatens to release stolen intimate images unless payment is made

3 Threat Actor Attributes

Every threat actor is characterised by these three attributes — the exam tests all three:

• →Internal vs External — based on the actor's relationship to the targeted organization
• →Resources and Funding — tools, skills, personnel, and budget available to the actor
• →Sophistication and Capability — technical skill level and complexity of techniques used

Internal vs External — Key Distinctions

The defining difference is authorized access and organizational relationship:

• →Internal — has legitimate access; damage potential amplified by insider knowledge of systems and vulnerabilities
• →External — no authorized access; must use attack techniques (malware, social engineering) to penetrate
• →Internal motivations: revenge, financial gain, coercion by external entities

Sophistication Scale — Low to High

Two anchor points the exam tests:

• →Low: Script Kiddie — uses pre-made tools and scripts without understanding the underlying principles; common malware and phishing
• →High: Nation-State / APT — custom-developed malware, zero-day exploits, advanced evasion techniques, extended undetected presence

Unskilled Attacker Profile — 3 Characteristics

Know all three — the exam contrasts these against other actor types:

• →Low Skill — lacks the knowledge to develop their own hacking tools or exploits
• →Low Resources — self-funded; no organizational or government backing
• →Pre-built Tools Only — cannot create or modify tools; downloads and runs scripts written by others

Script Kiddie Motivations — 3 Types

Distinct from all other threat actor motivations — not financial, not political:

• →Recognition / Notoriety — seeking fame among peers by defacing websites or disrupting networks
• →Thrill / Disruption — excitement from causing disorder without a specific target
• →Curiosity — exploring and understanding digital systems through hacking

Opportunistic vs Targeted Nature

Script kiddies are opportunistic — they focus on easier, lower-value targets where success is more likely. They do not pursue specific high-value organizations the way hacktivists or nation-state actors do.

Why Unskilled Attackers Are Still Dangerous

Three factors make them a sizable threat despite low individual capability:

• →Volume — large numbers can coordinate; a collective DDoS can overwhelm a target
• →Readily Available Tools — no technical barrier; attack tools are freely downloadable
• →Unpatched Systems — exploit known, publicly disclosed vulnerabilities on systems that haven't been patched

4 Hacktivist Techniques

The exam may list these — know all four and what each achieves:

• →Website Defacement — altering a site's appearance to broadcast a message; a form of digital vandalism
• →DDoS — overwhelming systems so legitimate users cannot access them; causes service disruption
• →Doxxing — releasing private info publicly; intended to incite real-world harm against the target
• →Sensitive Data Leak — stealing and publicly releasing an organization's confidential data

Hacktivist Sophistication — Variable but Potentially High

Hacktivists range widely in skill. Some groups contain advanced members who can develop custom exploits and attack well-defended systems — higher sophistication than script kiddies but typically below nation-state level.

Hacktivist Target Selection

Targets are chosen based on perceived ethical violations — not randomly (unlike script kiddies). Common target categories:

• →Governments — censorship, surveillance, political oppression
• →Corporations — environmental damage, human rights abuses, unethical practices
• →Anti-piracy organizations — interference with open internet (e.g. Operation Payback)

Organized Cybercrime — 4 Key Characteristics

Know all four for scenario identification questions:

• →Well-structured — members assigned specific roles based on skill and expertise
• →High technical capability — custom malware, ransomware, sophisticated phishing campaigns
• →Highly adaptive — continuously evolve methods in response to new security measures
• →Transnational — operate across borders, increasing law enforcement complexity

Organized Crime Motivation — Financial Gain Only

Primary and near-exclusive motivation is financial gain. Common revenue methods:

• →Data breaches — stolen data sold or leveraged for fraud
• →Identity theft — PII used to open fraudulent accounts
• →Online fraud — scams, fake transactions
• →Ransomware attacks — encrypting systems and demanding payment

Organized Crime Target Profile

Targets are selected for financial value, not ideology. Preferred targets:

• →Small and medium-sized businesses — often under-defended relative to data value
• →High-net-worth individuals — substantial financial resources
• →Banks and financial institutions — direct access to money (e.g. Carbanak)

Evasion Technologies Used by Organized Crime

Three categories the exam may reference:

• →Cryptocurrencies — untraceable payment and money laundering
• →Dark web — anonymous marketplaces for stolen data and criminal services
• →Cellular collection devices (IMSI catchers) — intercept communications to evade detection

Nation-State Actor Capabilities

The highest technical tier — capabilities that define this actor type:

• →Custom malware — purpose-built tools tailored to specific targets
• →Zero-day exploits — attack vulnerabilities with no existing patch
• →APT operations — long-term, stealthy persistence in compromised networks
• →Complex coordinated campaigns — multiple techniques, stages, and vectors

Nation-State Motivations — Primarily Strategic, Not Financial

Motivations are geopolitical, with one key exception:

• →Intelligence gathering — cyber espionage to collect classified or strategic information
• →Disrupting critical infrastructure — destabilising adversary nations
• →Influencing political processes — election interference, disinformation campaigns
• →Stealing intellectual property — competitive advantage in key industries
• →Exception — North Korea: financially motivated due to sanctions and economic isolation; targets banks and cryptocurrency exchanges

APT vs Nation-State — Important Distinction

APT originally meant nation-state actor, but the term has expanded. Key distinction the exam tests:

• →APT = any prolonged, stealthy, targeted intrusion — nation-state OR sophisticated organized crime
• →Nation-State = always government-sponsored; always qualifies as APT-level
• →Organised Crime = may be classified as APT if they demonstrate long-term persistence and high sophistication

False Flag Attack — How It Works

Nation-state actors deliberately mimic the TTPs (tools, techniques, procedures) of another known actor group to redirect attribution. The 2018 Winter Olympics attack shows the pattern: Russian actors planted indicators pointing to North Korea to mislead forensic investigators.

2 Types of Insider Threat

The exam distinguishes these — know both and their signals:

• →Malicious — intentional; motivated by financial gain, revenge, or ideology; may steal data, install backdoors, or sabotage systems
• →Unintentional / Negligent — accidental; caused by carelessness, poor security hygiene, or lack of training (e.g. clicking phishing links)

Insider Threat Capability — 2 Determining Factors

Capability is not determined by access level alone — both factors interact:

• →Level of Access — higher privilege (e.g. sysadmin) increases potential damage scope
• →Personal Knowledge and Skill — a skilled attacker with a standard user account can cause more damage than an unskilled sysadmin with elevated access

4 Forms Insider Threats Can Take

Know all four — the exam may describe a scenario and ask which form applies:

• →Data Theft — stealing and exfiltrating sensitive organizational data
• →Sabotage — intentionally damaging systems, data, or operations
• →Misuse of Access Privileges — accessing resources beyond authorized scope
• →Facilitating External Attack — installing malware or creating backdoors for an external actor

Why Insider Threats Are More Dangerous Than External Threats

Three structural advantages insiders hold over external attackers:

• →Legitimate access — no need to breach perimeter defences
• →Institutional knowledge — aware of security processes, system layout, and vulnerabilities
• →Trust — actions are less scrutinised; anomalies are attributed to legitimate work

4 Controls to Mitigate Insider Threats

Core mitigations — exam may test which control addresses insider risk:

• →Zero Trust Architecture — never trust, always verify; no implicit trust based on network location or role
• →Robust Access Controls — least privilege; limit what each user can access to only what they need
• →Regular Audits — detect anomalous access patterns before damage escalates
• →Security Awareness Training — reduces unintentional insider incidents caused by negligence

3 Common Forms of Shadow IT

The exam may describe a scenario — identify which form applies:

• →Personal devices for work — BYOD; smartphones, tablets, laptops not managed by IT
• →Unapproved software / browser extensions — installed by users to improve efficiency without IT sanction
• →Unsanctioned cloud services — using Dropbox, Google Drive, or other cloud apps for work data without IT approval

Why Shadow IT Arises

Two root causes to know:

• →Security posture set too high — IT processes are too slow or complex, so employees bypass them to get work done
• →Desire for efficiency and convenience — employees self-select tools that suit their workflow better than approved options

3 Security Risks of Shadow IT

Know all three — the exam tests which risk shadow IT introduces:

• →Data breaches — unsanctioned devices or cloud services may expose sensitive data
• →Non-compliance with regulations — unmanaged assets may violate data handling requirements (GDPR, HIPAA, PCI-DSS)
• →System disruptions — unvetted software or hardware may introduce malware or instability

Core Security Problem — IT Cannot Secure the Unknown

The fundamental risk: if the IT department does not know a device, application, or cloud service exists on the network, it cannot patch it, monitor it, or respond to incidents involving it. Lack of visibility = inability to protect.

Threat Vector vs Attack Surface — Key Distinction

Threat Vector = HOW the attacker gets in (the method/pathway). Attack Surface = WHERE they could get in (all exploitable entry points). Reducing the attack surface limits available threat vectors.

6 Threat Vectors to Know

All six are testable — know each:

• →Messages — email, SMS, instant messaging; phishing, malicious links/attachments
• →Images — malicious code embedded in image files (steganography); executes on load
• →Files — disguised malicious documents or software via email, file sharing, or malicious sites
• →Voice Calls — vishing; impersonation over phone to extract sensitive information
• →Removable Devices — USB drives and external storage; baiting or direct physical insertion
• →Unsecured Networks — Wi-Fi, wired, Bluetooth; interception, rogue APs, Bluetooth exploits

3 Unsecured Network Sub-Vectors

Each network type has specific attack techniques the exam may reference:

• →Wireless (Wi-Fi) — evil twin / rogue access point; traffic interception on open networks
• →Wired — physical cable tapping; MAC address cloning; VLAN hopping
• →Bluetooth — BlueBorne (device takeover, on-path, no interaction); BlueSmack (DoS via L2CAP packet)

How to Reduce the Attack Surface

Three core controls — applied per network segment:

• →Restrict access — limit who and what can connect
• →Remove unnecessary software — eliminate unused applications and services
• →Disable unused protocols — close off protocol-level entry points not needed for operations

Honeypot — Purpose and Placement

Primary purpose is intelligence gathering, NOT blocking attacks. Key operational details:

• →Logs all interactions to reveal attacker TTPs, methods, and motives
• →Can detect insider threats — internal fraud, snooping, malpractice
• →Can run as a real system or emulated/simulated environment
• →Must be placed in a screened subnet or isolated segment accessible from the internet

Honeyfile — Technical Detail

More than a simple decoy file — it can actively respond:

• →Contains fake data with hidden metadata or digital watermarks for tracking if stolen
• →Deliberately placed under looser security than real sensitive files to appear accessible
• →Can embed code that enumerates the attacker's own network when the file is opened
• →Any file type can be used: documents, spreadsheets, images, databases, executables

Honeytoken — Use Cases

Three specific honeytoken forms the exam may reference:

• →Fake user account — e.g. an 'Admin' or 'Root' account no legitimate user would log into
• →Bogus URL — a link that should never be clicked by a legitimate user
• →Dummy database record — a fake entry that should never appear in legitimate queries

Honeynet — Purpose and Use

A network of honeypots mimicking an entire environment — servers, routers, switches. Key characteristics:

• →Used by large organizations and research institutions to study threat actor behavior at scale
• →Logs both successful and unsuccessful attacks to reveal patterns across multiple attack vectors
• →Provides richer TTP intelligence than a single honeypot — captures multi-stage, coordinated attack behavior
• →Can run as real hardware or emulated systems

Honeynet Risk — Double-Edged Sword

Honeynets carry a unique risk not present in single honeypots: an attacker who probes the honeynet can learn how the real production systems are configured if the honeynet too closely mirrors them. This intelligence can be used to attack the real environment.

5 Disruption Strategies

In addition to the 4 deception technologies, these active disruption methods hinder attacker reconnaissance and operations:

• →Bogus DNS entries — fake DNS records that waste attacker time and trigger alerts
• →Decoy directories — fake folders/files that alert on unauthorized access
• →Dynamic page generation — ever-changing web content defeats automated scrapers and bots
• →Port triggering — keeps services hidden from port scanners; opens only on valid outbound trigger
• →Fake telemetry data — false OS/service data returned to scanners defeats OS fingerprinting