Threat Actor Attributes
Characteristics that differentiate threat actors including their position (internal vs external), level of resources and funding, and degree of sophistication and technical capability. These attributes help assess the threat level and appropriate defenses.
Understanding Threat Actor Attributes
Threat actor attributes describe the characteristics that define an adversary's capabilities and position. While threat actor types tell you WHO the attacker is, attributes tell you WHAT they can do and WHERE they're coming from.
Key attributes include:
- Internal vs. External — Is the threat inside or outside your organization?
- Resources/Funding — What tools, infrastructure, and money do they have?
- Sophistication/Capability — How skilled and technically advanced are they?
These attributes directly impact your risk assessment. A highly-funded, sophisticated external attacker requires different defenses than a low-resource, unsophisticated internal threat.
Why This Matters for the Exam
SY0-701 tests your ability to assess threats based on their attributes. Exam questions may describe an attack scenario and ask you to characterize the threat actor's attributes—or match attributes to actor types.
Understanding attributes helps with security planning. High-sophistication threats require advanced detection. Internal threats require access controls and monitoring. High-resource threats can sustain longer campaigns.
This knowledge also connects to risk assessment—likelihood and impact calculations depend on accurately characterizing threat actor attributes.
Deep Dive
Internal vs. External Threat Actors
Internal Threat Actors
Threats originating from within the organization.
Who They Are:
- Current employees
- Former employees (with lingering access)
- Contractors and vendors
- Partners with network access
- Anyone with authorized access
Advantages Internal Actors Have:
- Legitimate credentials and access
- Knowledge of systems and processes
- Physical access to facilities
- Understanding of valuable assets
- Trust from coworkers
Challenges Defending Against Internal Threats:
- Hard to distinguish malicious activity from normal activity
- Perimeter security doesn't help
- May already hold elevated privileges
- Can move laterally easily
- Social engineering is easier from inside
External Threat Actors
Threats originating from outside the organization.
Who They Are:
- Hackers and criminal groups
- Nation-state actors
- Hacktivists
- Competitors
- Script kiddies
How They Must Operate:
- Must gain initial access (phishing, exploitation)
- Must bypass perimeter defenses
- Must escalate privileges
- Must maintain persistence
- Must exfiltrate through defenses
Defense Advantages Against External Threats:
- Perimeter security is effective
- Access requires compromise
- Anomalies may be more detectable
- Zero trust principles help
- Network segmentation limits movement
Comparison: Internal vs. External
| Attribute | Internal | External |
|---|---|---|
| Initial access | Already have it | Must obtain it |
| Detection difficulty | Harder (looks legitimate) | Easier (anomalous activity) |
| Perimeter security | Ineffective | Effective |
| Trust level | Higher default trust | Lower/no trust |
| System knowledge | High | Must discover |
| Defense focus | Monitoring, least privilege | Perimeter, detection |
Resources and Funding
The level of resources available to threat actors significantly affects their capabilities.
High-Resource Actors
Characteristics:
- Can purchase or develop zero-day exploits
- Custom malware development
- Extensive infrastructure (C2 servers, VPNs)
- Full-time dedicated personnel
- Long-term sustained operations
Examples: Nation-states, well-funded organized crime
Medium-Resource Actors
Characteristics:
- Can purchase exploit kits and malware
- Rent infrastructure (botnets, hosting)
- Part-time or small team operations
- Can sustain weeks-to-months campaigns
Examples: Smaller criminal groups, some hacktivists
Low-Resource Actors
Characteristics:
- Use freely available tools
- Limited or no custom development
- Shared or minimal infrastructure
- Short-duration attacks
Examples: Script kiddies, most individual hackers
Resource Impact on Attacks:
| Resource Level | Tools | Duration | Targets |
|---|---|---|---|
| High | Custom, zero-days | Months-years | Specific, high-value |
| Medium | Commercial, kits | Weeks-months | Selected targets |
| Low | Free, downloaded | Days-weeks | Opportunistic |
Sophistication and Capability
Technical skill and operational ability of threat actors.
Sophistication Levels:
Very High Sophistication
- Develop zero-day exploits
- Create custom malware
- Evade advanced detection
- Conduct supply chain attacks
- Long-term persistent access (APT)
- Clean forensic trails
Examples: Nation-state APT groups
High Sophistication
- Modify existing tools and exploits
- Use advanced techniques
- Conduct targeted attacks
- Understand defensive tools
- Some evasion capability
Examples: Organized crime, skilled hackers
Moderate Sophistication
- Use commercial and open-source tools
- Basic customization ability
- Follow published attack methods
- Limited evasion capability
Examples: Some hacktivists, mid-level criminals
Low Sophistication
- Use pre-built tools as-is
- Follow tutorials
- No customization
- Easily detected
- Leave obvious traces
Examples: Script kiddies, novice attackers
Sophistication Impact:
| Sophistication | Attack Methods | Detection | Defense Required |
|---|---|---|---|
| Very High | Custom, novel | Very difficult | Advanced (behavioral, AI) |
| High | Modified tools | Difficult | Strong (EDR, SIEM) |
| Moderate | Standard tools | Moderate | Standard (AV, IDS) |
| Low | Basic tools | Easy | Basic (patching, hygiene) |
Combining Attributes
Threat actors are characterized by combinations of attributes:
| Actor Type | Position | Resources | Sophistication |
|---|---|---|---|
| Nation-State | External | Very High | Very High |
| Organized Crime | External | High | High |
| Hacktivist | External | Low-Medium | Variable |
| Malicious Insider | Internal | Low | Variable |
| Script Kiddie | External | Low | Low |
How CompTIA Tests This
Example Analysis
Scenario: Security analysts detect an attack using a previously unknown vulnerability (zero-day) combined with custom malware that evades the organization's endpoint detection. The attack appears to target intellectual property and has been ongoing undetected for several months.
Attribute Analysis:
Position: External
- Attack required gaining access (wasn't an insider)
- Used exploitation techniques consistent with an external actor
- Needed to establish persistence

Resources: Very High
- Zero-day exploit (expensive to develop or purchase)
- Custom malware development requires significant investment
- Long-term infrastructure for months of operation
- Likely a dedicated team

Sophistication: Very High
- Zero-day indicates advanced capability
- Custom malware evading detection shows skill
- Months of undetected operation shows tradecraft
- Targeting specific IP shows operational planning
Likely Actor Type: Nation-state APT
Key insight: The combination of zero-day, custom malware, long dwell time, and IP targeting indicates a very high-resource, very high-sophistication external actor—the hallmarks of nation-state operations.
Memory Trick
Attribute Assessment: "PIE-RS"
- Position (Internal vs. External)
- Intent (Malicious, Negligent, Compromised)
- Expertise (Sophistication level)
- Resources (Funding level)
- Sustainability (How long can they operate?)

Resource Level Quick Check:
- Zero-day + Custom malware = High resources
- Exploit kits + Rented infrastructure = Medium resources
- Downloaded tools + Free hosting = Low resources

Sophistication Quick Check:
- Evades advanced detection = High sophistication
- Uses standard techniques = Moderate sophistication
- Runs scripts blindly = Low sophistication

Internal vs. External Defense Focus:
- Internal → Inside controls (monitoring, least privilege)
- External → Edge controls (perimeter, detection)
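As an added worked example (not part of this study guide), the Python below turns the resource and sophistication quick checks, the Combining Attributes profile table, the Sophistication Impact defense column and the position-based defense focus into one assessment function, then runs it on the zero-day scenario from the Example Analysis. The indicator names, the level each indicator implies, and the rule that a more specific profile outranks a "Variable" one are assumptions chosen for this example; only the levels, profiles and defense labels come from the guide.

```python
"""Rule-based threat actor attribute assessment (added example, not from the guide).

Scores a set of observed indicators against the guide's quick checks, matches the
result to the Combining Attributes profiles, and reports the defense focus.
Indicator names and the level each implies are assumptions for this example.
"""
from dataclasses import dataclass

RESOURCE_LEVELS = ["Low", "Medium", "High", "Very High"]
SOPHISTICATION_LEVELS = ["Low", "Moderate", "High", "Very High"]

# indicator -> (minimum resource level, minimum sophistication level) it implies.
# Assumed mapping, following the guide's quick-check rules and example analysis.
INDICATOR_FLOORS = {
    "zero_day": ("High", "Very High"),                    # expensive; advanced capability
    "custom_malware": ("High", "Very High"),              # significant development investment
    "evades_advanced_detection": ("Medium", "High"),
    "dwell_time_months": ("Very High", "High"),           # sustained infrastructure, personnel
    "targeted_intellectual_property": ("High", "High"),   # operational planning
    "exploit_kit": ("Medium", "Moderate"),
    "rented_infrastructure": ("Medium", "Moderate"),
    "published_attack_method": ("Low", "Moderate"),
    "free_tools": ("Low", "Low"),
    "default_password_attempts": ("Low", "Low"),
    "opportunistic_scanning": ("Low", "Low"),
}

# Actor profiles from the Combining Attributes table; None stands for "Variable".
PROFILES = [
    ("Nation-State", "External", {"Very High"}, {"Very High"}),
    ("Organized Crime", "External", {"High"}, {"High"}),
    ("Hacktivist", "External", {"Low", "Medium"}, None),
    ("Malicious Insider", "Internal", {"Low"}, None),
    ("Script Kiddie", "External", {"Low"}, {"Low"}),
]

# "Defense Required" column of the Sophistication Impact table.
DEFENSE_BY_SOPHISTICATION = {
    "Low": "Basic (patching, hygiene)",
    "Moderate": "Standard (AV, IDS)",
    "High": "Strong (EDR, SIEM)",
    "Very High": "Advanced (behavioral, AI)",
}
# Internal vs. External defense focus from the memory trick.
FOCUS_BY_POSITION = {
    "Internal": "Inside controls (monitoring, least privilege)",
    "External": "Edge controls (perimeter, detection)",
}


@dataclass(frozen=True)
class Assessment:
    position: str
    resources: str
    sophistication: str
    candidate_actors: tuple  # most specific profile match first
    defense_required: str
    defense_focus: str


def _highest(levels, scale):
    """Highest level on an ordered scale; an empty list yields the lowest level."""
    return max(levels, key=scale.index, default=scale[0])


def assess(indicators, initial_access_required):
    """Derive position, resources, sophistication and candidate actor types.

    initial_access_required: True when the actor had to obtain access (phishing,
    exploitation) rather than already holding legitimate credentials.
    Unknown indicator names raise so a typo cannot silently lower the score.
    """
    unknown = set(indicators) - set(INDICATOR_FLOORS)
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    position = "External" if initial_access_required else "Internal"
    resources = _highest([INDICATOR_FLOORS[i][0] for i in indicators], RESOURCE_LEVELS)
    sophistication = _highest([INDICATOR_FLOORS[i][1] for i in indicators], SOPHISTICATION_LEVELS)

    matches = []
    for name, pos, res_set, soph_set in PROFILES:
        if pos != position or resources not in res_set:
            continue
        if soph_set is not None and sophistication not in soph_set:
            continue
        # A profile with no "Variable" wildcard and a narrower resource range is
        # more specific, so it sorts first among the candidates.
        specificity = (soph_set is None, len(res_set))
        matches.append((specificity, name))
    candidates = tuple(name for _, name in sorted(matches))
    return Assessment(position, resources, sophistication, candidates,
                      DEFENSE_BY_SOPHISTICATION[sophistication], FOCUS_BY_POSITION[position])


if __name__ == "__main__":
    # The zero-day / custom malware / months-long IP theft scenario from the guide.
    print(assess(["zero_day", "custom_malware", "evades_advanced_detection",
                  "dwell_time_months", "targeted_intellectual_property"],
                 initial_access_required=True))
```

Running the scenario yields External / Very High / Very High with Nation-State as the only candidate, matching the guide's analysis. The same function applied to free tools plus default-password attempts returns Low / Low and lists Script Kiddie ahead of Hacktivist, because the Hacktivist profile only matches through its "Variable" sophistication entry.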
Test Your Knowledge
Q1. Which threat actor attribute makes insider threats particularly difficult to detect?
Q2. An attack uses a zero-day exploit and custom malware to target a specific organization for months. These characteristics indicate what level of resources?
Q3. A threat actor uses freely available tools to scan for known vulnerabilities and attempts default passwords. What is their likely sophistication level?
Ready to test your knowledge?
Practice questions on threat actor attributes and other Objective 2.1 concepts.