Threat Actors and Motivations
Key Takeaways
- Threat actors are classified by capability, intent, resources, and target selection.
- Motivation is a major clue: money, ideology, espionage, revenge, disruption, or curiosity.
- Insiders can be malicious, negligent, or compromised; authorized access is the key clue.
- Nation-state and advanced persistent threat activity often emphasizes stealth, persistence, and strategic objectives.
- Organized crime commonly seeks financial gain through ransomware, fraud, credential theft, and extortion.
Threat Actors and Motivations
Security+ scenarios often describe behavior instead of naming the actor. Identify capability, motive, access, and target.
| Actor | Typical capability | Common motivation | Scenario clues |
|---|---|---|---|
| Nation-state or APT | High | Espionage, disruption, strategic advantage | Long dwell time, stealth, custom tooling, sensitive targets |
| Organized crime | Medium to high | Financial gain | Ransomware, payment fraud, credential resale, extortion |
| Hacktivist | Variable | Ideology or publicity | Defacement, data leak, DDoS tied to a cause |
| Insider threat | Variable | Revenge, financial gain, negligence, convenience | Authorized access used improperly |
| Competitor | Medium | Business advantage | Product plans, pricing, trade secrets |
| Script kiddie or unskilled attacker | Low | Curiosity, attention, opportunism | Public tools, noisy scanning, known exploits |
| Shadow IT user | Low to medium | Convenience or speed | Unsanctioned cloud app, unmanaged workflow |
Motivation Decoder
| Motivation | Likely behavior |
|---|---|
| Financial gain | Ransomware, fraud, card theft, credential theft |
| Espionage | Quiet collection, persistence, targeting sensitive data |
| Ideology | Public claims, defacement, disruption, leak campaigns |
| Revenge | Destructive actions, data theft before departure |
| Disruption | DDoS, wiper malware, sabotage |
| Curiosity or challenge | Opportunistic probing and noisy exploitation |
Trap Callout: Skill Does Not Equal Motivation
Do not choose "nation-state" just because an attack is technically complex. A criminal group can use advanced tooling, and a nation-state can use a simple phishing email. Let the goal and target drive the answer.
Scenario Walkthrough
A research lab finds a low-and-slow intrusion that avoids detection, steals project documents over months, and uses custom infrastructure. There is no payment demand. The strongest answer is nation-state or APT because the behavior suggests persistence, stealth, and intelligence collection. If the same lab instead found its file shares encrypted and then received a demand note, organized crime would be more likely.
Quick Drill
| Clue | Most likely actor or motivation |
|---|---|
| Public website replaced with political message | Hacktivist |
| Former employee downloads customer list after resignation | Malicious insider |
| Broad scanning with known exploit scripts | Script kiddie or opportunistic attacker |
| Ransom note and data leak threat | Organized crime |
| Stealthy collection of defense project files | Nation-state or APT |
| Team uses personal file sharing to bypass procurement | Shadow IT risk |
An organization discovers a quiet, months-long intrusion focused on collecting proprietary research. There is no ransom demand or public claim. Which actor is most likely?
A public-facing site is defaced with a political message after the organization takes a controversial position. Which motivation is most likely?
Which clues point most strongly to an insider threat? Choose two.