Threat Actors and Motivations
Key Takeaways
- Classify threat actors by four attributes: internal vs. external, resources/funding, sophistication/capability, and intent/motivation.
- Motivation is the strongest exam clue. The objective's list is: data exfiltration, espionage, service disruption, blackmail, financial gain, philosophical/political beliefs, ethical, revenge, disruption/chaos, and war.
- Insiders are dangerous because they hold authorized access; nation-states are the best-resourced and most persistent actors.
- Skill level does NOT determine actor type. A nation-state can use phishing; a criminal can use zero-days. Judge by goal and target.
- Security+ SY0-701 lists six named actor types: nation-state, unskilled attacker, hacktivist, insider threat, organized crime, and shadow IT.
Why This Matters on SY0-701
Objective 2.1 of CompTIA Security+ (SY0-701) asks you to compare and contrast common threat actors and motivations. The exam is up to 90 questions in 90 minutes with a passing score of 750 on a 100-900 scale. Questions almost never name the actor outright. They describe behavior, and you must infer the actor from four attributes: whether the actor is internal or external, their resources and funding, their level of sophistication and capability, and their intent or motivation.
The Six SY0-701 Threat Actors
| Actor | Internal/External | Resources | Sophistication | Primary motivation |
|---|---|---|---|---|
| Nation-state / APT | External | Very high (gov funded) | Very high | Espionage, war, strategic disruption |
| Organized crime | External | High | Medium-high | Financial gain |
| Hacktivist | External | Low-medium | Variable | Ideology, political/philosophical beliefs |
| Insider threat | Internal | Varies | Varies | Revenge, financial gain, negligence |
| Unskilled attacker (script kiddie) | External | Low | Low | Curiosity, notoriety, opportunism |
| Shadow IT | Internal | Low | Low | Convenience, bypassing slow IT process |
Note that advanced persistent threat (APT) is a description of behavior (long dwell time, persistence, evasion), most often associated with nation-states. The term script kiddie was replaced by unskilled attacker in SY0-701 wording.
Motivation Decoder
The SY0-701 objectives spell out a specific motivation list. Memorize it and match it to scenario verbs.
| Motivation | Behavior you will see in the stem |
|---|---|
| Data exfiltration | Bulk copying of proprietary or personal data |
| Espionage | Quiet, long-term intelligence collection |
| Service disruption | DDoS, wiper malware, sabotage of availability |
| Blackmail / extortion | Ransom note, threat to leak stolen data |
| Financial gain | Ransomware, fraud, card/credential theft |
| Philosophical / political beliefs | Public defacement, leak tied to a cause |
| Ethical | Authorized penetration test, bug bounty |
| Revenge | Destructive acts, often by a departing insider |
| Disruption / chaos | Random, attention-seeking damage |
| War | State-directed attacks on critical infrastructure |
Trap Callout: Skill Does Not Equal Actor Type
The single most common SY0-701 trap is choosing nation-state simply because an attack is technically advanced. Resist it. Organized crime groups buy and operate highly advanced ransomware-as-a-service kits, and nation-states routinely begin with a one-line phishing email. Let the goal (money vs. intelligence vs. ideology) and the target (banks vs. defense contractors vs. a controversial company) drive your answer, not the cleverness of the tooling.
A second trap: the ethical motivation. If a scenario says the activity was authorized or part of a bug bounty / penetration test, the actor is acting ethically even though the techniques look identical to an attack.
Scenario Walkthrough
A defense-sector research lab finds a low-and-slow intrusion that evades detection, steals project documents over several months, and uses custom command-and-control infrastructure. There is no ransom demand and no public claim of responsibility. The strongest answer is nation-state / APT: long dwell time, stealth, custom tooling, and a strategic target with an espionage motive.
Now change one fact. If the same lab instead received a ransom note after its file shares were encrypted, the better answer becomes organized crime with a financial gain / blackmail motivation, because the goal shifted from quiet collection to monetization.
Quick Drill
| Clue in the stem | Most likely actor / motivation |
|---|---|
| Public website replaced with a political message | Hacktivist (philosophical/political beliefs) |
| Former employee downloads the customer list after resigning | Malicious insider (revenge / financial gain) |
| Broad noisy scanning using public exploit scripts | Unskilled attacker (curiosity/notoriety) |
| Ransom note plus a threat to leak stolen data | Organized crime (financial gain / blackmail) |
| Stealthy multi-month theft of defense project files | Nation-state / APT (espionage) |
| Team adopts an unsanctioned cloud app to move faster | Shadow IT (convenience) |
| Authorized testers exploit a flaw and write a report | Ethical motivation (penetration test) |
Work the attributes in order on test day: internal or external first, then resources, then sophistication, then motivation. Three of the four usually point to a single answer.
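The attribute-ordered drill above and the "change one fact" walkthrough can be worked mechanically. The following is an added example, not CompTIA's or this page's original material: the actor profiles are transcribed from the table on this page, while the attribute weights, the tie rule, and the sample scenarios are assumptions chosen to encode the two traps (sophistication alone must not pull a scenario toward nation-state; authorized activity is ethical whatever the technique).

```python
"""Attribute-ordered actor scoring for SY0-701 style scenarios (added example).

Profiles come from the page's table. WEIGHTS and the tie rule are assumptions:
motivation dominates and sophistication is deliberately the weakest signal.
"""

ANY_LEVEL = {"low", "medium", "high", "very high"}   # "varies" / "variable" in the table

# Typical values per actor. A set lets an attribute accept several plausible values.
ACTOR_PROFILES = {
    "nation-state / APT": {"location": {"external"}, "resources": {"very high"},
                           "sophistication": {"high", "very high"},
                           "motivation": {"espionage", "war", "service disruption", "data exfiltration"}},
    "organized crime": {"location": {"external"}, "resources": {"high"},
                        "sophistication": {"medium", "high", "very high"},
                        "motivation": {"financial gain", "blackmail"}},
    "hacktivist": {"location": {"external"}, "resources": {"low", "medium"},
                   "sophistication": ANY_LEVEL,
                   "motivation": {"philosophical/political beliefs", "disruption/chaos"}},
    "insider threat": {"location": {"internal"}, "resources": ANY_LEVEL,
                       "sophistication": ANY_LEVEL,
                       "motivation": {"revenge", "financial gain", "negligence", "data exfiltration"}},
    "unskilled attacker": {"location": {"external"}, "resources": {"low"},
                           "sophistication": {"low"},
                           "motivation": {"curiosity", "notoriety", "disruption/chaos"}},
    "shadow IT": {"location": {"internal"}, "resources": {"low"},
                  "sophistication": {"low"}, "motivation": {"convenience"}},
}

# Assumed weights: the order the page says to work (location, resources,
# sophistication, motivation), with motivation weighted heaviest.
WEIGHTS = {"location": 2.0, "resources": 1.0, "sophistication": 0.5, "motivation": 3.0}


def score_actors(scenario):
    """Score every actor against the attributes present in `scenario`.

    `scenario` maps attribute -> observed value (a string, or a set of strings
    when the stem shows several motivations). Attributes the stem does not
    mention are left out and contribute nothing, so partial evidence is fine.
    """
    scores = {}
    for actor, profile in ACTOR_PROFILES.items():
        total = 0.0
        for attribute, weight in WEIGHTS.items():
            observed = scenario.get(attribute)
            if observed is None:
                continue
            values = {observed} if isinstance(observed, str) else set(observed)
            if values & profile[attribute]:
                total += weight
        scores[actor] = total
    return scores


def classify(scenario):
    """Return the single best actor, or a sorted list of tied actors when the
    clues do not separate them. Authorized activity short-circuits to the
    ethical motivation before any scoring (the page's second trap)."""
    if scenario.get("authorized"):
        return "ethical (authorized testing)"
    scores = score_actors(scenario)
    best = max(scores.values())
    leaders = sorted(actor for actor, s in scores.items() if s == best)
    return leaders[0] if len(leaders) == 1 else leaders


# Constructed scenarios paraphrasing the walkthrough and drill rows above.
SCENARIOS = {
    "stealthy defense-lab exfiltration": {"location": "external", "sophistication": "very high",
                                          "motivation": "espionage"},
    "same lab, ransom note instead": {"location": "external", "sophistication": "very high",
                                      "motivation": {"financial gain", "blackmail"}},
    "ex-employee takes customer list": {"location": "internal", "sophistication": "low",
                                        "motivation": "revenge"},
    "unsanctioned cloud app": {"location": "internal", "resources": "low",
                               "sophistication": "low", "motivation": "convenience"},
    "noisy scans with public exploit scripts": {"location": "external", "resources": "low",
                                                "sophistication": "low", "motivation": "curiosity"},
    "contracted pentest exploits a flaw": {"location": "external", "sophistication": "high",
                                           "authorized": True},
    "only clue: very advanced tooling": {"sophistication": "very high"},
}

if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        print(f"{name:42} -> {classify(scenario)}")
```

The last scenario is the point of the exercise: with sophistication as the only clue, four actors tie and the function refuses to pick, which is exactly why the exam trap works. Flipping the defense-lab motivation from espionage to a ransom note moves the answer from nation-state to organized crime even though the sophistication value never changes.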
Deepening the Distinctions
Nation-states deserve special attention because they combine essentially unlimited funding with patience. Their hallmark is the advanced persistent threat lifecycle: gain a foothold, establish persistence, escalate privilege, move laterally, and exfiltrate quietly over weeks or months. They favor zero-day exploits, custom malware, and living-off-the-land techniques that abuse legitimate administrative tools so their activity blends into normal traffic.
Their classic targets are critical infrastructure (energy grids, water systems) together with defense contractors and government agencies, and the motivations of espionage, war, and strategic service disruption set them apart from profit-driven crime.
Organized crime, by contrast, is a business. Ransomware-as-a-service affiliates, initial-access brokers who sell footholds, and money-laundering networks all exist to convert intrusions into cash. When a scenario mentions a ransom demand, double-extortion (encrypt plus threaten to leak), payment fraud, or stolen-card resale, the actor is almost certainly organized crime regardless of how sophisticated the tooling appears.
Hacktivists operate for a cause rather than money. Website defacement, distributed denial-of-service against a controversial organization, and dumping leaked documents to embarrass a target are signature behaviors. The unskilled attacker, formerly called a script kiddie, lacks the ability to write original exploits and instead downloads ready-made tools, producing noisy scans and opportunistic exploitation of well-known vulnerabilities.
Finally, do not overlook the two internal actors. The insider threat carries authorized access and may act out of revenge, greed, or simple carelessness. Shadow IT is the unsanctioned use of cloud apps, personal devices, or workarounds that bypass slow procurement, creating unmonitored data flows that no security team has reviewed. Both are internal; one stems from grievance, greed, or negligence and the other from convenience, rather than from an outside attacker. Both are tested heavily because they are so common in real organizations.
Practice Questions
An organization discovers a quiet, months-long intrusion focused on collecting proprietary research. There is no ransom demand and no public claim of responsibility. Which actor is most likely?
A penetration testing firm exploits a flaw in a client's application during a contracted engagement and documents it in a report. Which motivation best describes this activity?
Which clues point most strongly to an insider threat? Choose two.