Objective 2.1 | High Priority | 10 min read

Threat Actor Types

Categories of adversaries who may attack systems and data, including nation-states, unskilled attackers (script kiddies), hacktivists, insider threats, organized crime, and shadow IT. Understanding actor types helps predict attack methods and appropriate defenses.

Understanding Threat Actor Types

Threat actors are individuals or groups who attempt to exploit vulnerabilities in systems, networks, or people. Understanding the different types of threat actors helps security professionals anticipate attack methods, assess risk levels, and implement appropriate defenses.

Different actor types have vastly different capabilities, resources, and goals:

  • A nation-state might spend years infiltrating critical infrastructure
  • A script kiddie downloads tools to deface websites for fun
  • An insider already has legitimate access they can abuse

Knowing your likely adversaries shapes your entire security strategy—from the controls you implement to the incidents you prepare for.

Why This Matters for the Exam

Domain 2 is 22% of SY0-701, and threat actors are fundamental to understanding the threat landscape. Exam questions often present scenarios asking you to identify the likely threat actor based on attack characteristics.

Threat actor identification affects incident response, risk assessment, and security investment. A small business facing script kiddies needs different defenses than a defense contractor facing nation-states.

Understanding actors also helps with threat intelligence questions—knowing who your adversaries are enables proactive defense rather than reactive response.

Deep Dive

Nation-State Actors

Government-sponsored or government-affiliated attackers conducting cyber operations.

Characteristics:

  • Extremely well-funded and resourced
  • Highly sophisticated techniques
  • Long-term, persistent campaigns (APTs)
  • Access to zero-day vulnerabilities
  • May target critical infrastructure

Targets:

  • Government agencies
  • Defense contractors
  • Critical infrastructure (power, water, telecom)
  • Intellectual property
  • Political opponents

Examples:

  • APT groups (APT28, APT29, Lazarus Group)
  • Espionage campaigns
  • Infrastructure attacks (Stuxnet)

Unskilled Attackers (Script Kiddies)

Individuals with limited technical skills who use pre-made tools and scripts.

Characteristics:

  • Low technical sophistication
  • Use downloaded tools without understanding them
  • Motivated by curiosity, bragging rights, or mischief
  • Opportunistic rather than targeted
  • High volume, low success rate

Common Activities:

  • Website defacement
  • DDoS attacks using tools/botnets
  • Running automated vulnerability scanners
  • Attempting known exploits

Risk Level: Low individually, but they are numerous and can still cause damage with automated tools.

Hacktivists

Attackers motivated by political, social, or ideological causes.

Characteristics:

  • Motivated by beliefs, not profit
  • Seek publicity for their cause
  • Targets chosen for symbolic value
  • Variable technical skill (some sophisticated)
  • Often operate in loose collectives

Common Tactics:

  • Website defacement with political messages
  • DDoS attacks against targeted organizations
  • Data leaks to embarrass targets
  • Doxing (exposing personal information)

Examples:

  • Anonymous collective
  • Attacks on organizations seen as unethical
  • Protests against government policies

Insider Threats

Individuals with authorized access who misuse it—intentionally or unintentionally.

Types of Insiders:

Type        | Description                          | Example
Malicious   | Intentionally causes harm            | Disgruntled employee stealing data
Negligent   | Careless actions cause harm          | Employee falling for phishing
Compromised | Account taken over by external actor | Credentials stolen via social engineering

Why Insiders Are Dangerous:

  • Already have legitimate access
  • Know where valuable data is
  • Bypass perimeter security
  • May not trigger security alerts
  • Difficult to detect

Warning Signs:

  • Accessing data outside job function
  • Working unusual hours
  • Expressing grievances
  • Financial difficulties
  • Copying large amounts of data
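As an added defender-side example (not part of the original study page), the script below scores constructed access-log lines against the three warning signs above that are visible in telemetry: access to data outside the user's own department, activity outside business hours, and large copies. The log format, the 07:00-19:59 business-hours window and the 5 MB "large copy" threshold are assumptions; grievances and financial difficulties are HR signals and are out of scope here.

```python
from datetime import datetime

# Constructed sample events (not from any real system), one per line:
# timestamp user user_dept resource_owner_dept bytes_read
SAMPLE_EVENTS = [
    "2024-03-04T09:15:00 alice finance finance 120000",
    "2024-03-04T23:40:00 alice finance finance 80000",
    "2024-03-05T02:10:00 bob engineering hr 5000000",
    "2024-03-05T10:00:00 bob engineering engineering 300000",
    "2024-03-05T03:00:00 bob engineering finance 9000000",
    "2024-03-05T11:30:00 carol hr hr 40000",
]

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal working time
LARGE_COPY_BYTES = 5_000_000   # assumption: a single read of 5 MB or more is "large"

def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, user, dept, resource_dept, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "dept": dept,
            "resource_dept": resource_dept, "nbytes": int(nbytes)}

def score_event(ev):
    """Return the warning-sign labels a single event matches."""
    signs = []
    if ev["resource_dept"] != ev["dept"]:     # data outside the user's job function
        signs.append("outside_job_function")
    if ev["ts"].hour not in BUSINESS_HOURS:   # activity at unusual hours
        signs.append("unusual_hours")
    if ev["nbytes"] >= LARGE_COPY_BYTES:      # large amount of data copied
        signs.append("large_copy")
    return signs

def score_users(lines):
    """Aggregate matched signs per user so the highest scores are triaged first.
    A high score is a lead for investigation, not proof of intent: the same
    pattern fits a malicious, a negligent, or a compromised insider."""
    totals = {}
    for line in lines:
        ev = parse_event(line)
        signs = score_event(ev)
        rec = totals.setdefault(ev["user"], {"score": 0, "signs": set()})
        rec["score"] += len(signs)
        rec["signs"].update(signs)
    return totals

if __name__ == "__main__":
    ranked = sorted(score_users(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["score"])
    for user, rec in ranked:
        print(f"{user}: score={rec['score']} signs={sorted(rec['signs'])}")
```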

Organized Crime

Criminal groups conducting cyberattacks for financial profit.

Characteristics:

  • Profit-motivated
  • Well-organized and funded
  • Professional operations
  • May use specialized roles (developers, operators)
  • Run as business enterprises

Common Operations:

  • Ransomware attacks
  • Business Email Compromise (BEC)
  • Credit card theft and fraud
  • Banking trojans
  • Cryptocurrency theft

Business Model:

  • Ransomware-as-a-Service (RaaS)
  • Affiliate programs for distribution
  • Money laundering through cryptocurrency
  • Underground marketplaces

Shadow IT

Unauthorized technology used within an organization without IT/security knowledge.

What It Includes:

  • Unapproved cloud services (Dropbox, personal Gmail)
  • Personal devices on corporate network
  • Unapproved software installations
  • Unauthorized servers or services

Why It's a Threat:

  • Bypasses security controls
  • No patching or monitoring
  • Data may leave secure environment
  • Compliance violations
  • Unknown attack surface

Note: Shadow IT isn't always malicious; often it is employees trying to be productive. But it creates unmanaged risk.

Threat Actor Comparison

Actor Type      | Resources  | Sophistication | Persistence | Primary Goal
Nation-State    | Very High  | Very High      | Very High   | Espionage, disruption
Organized Crime | High       | High           | Moderate    | Financial profit
Hacktivist      | Low-Medium | Variable       | Variable    | Publicity, ideology
Insider         | Low        | Variable       | Variable    | Varies (revenge, profit)
Script Kiddie   | Low        | Low            | Low         | Fun, reputation
Shadow IT       | N/A        | N/A            | N/A         | Productivity (unintentional risk)

How CompTIA Tests This

Example Analysis

Scenario: A hospital experiences a ransomware attack. The attackers demand $500,000 in Bitcoin, threatening to release patient data if not paid. The attack used a phishing email with a malicious attachment. What type of threat actor is MOST likely responsible?

Answer: Organized Crime

Why Organized Crime:

  • Financial motivation — Ransom demand for profit
  • Ransomware — Common organized crime tactic
  • Healthcare target — High-value target likely to pay
  • Double extortion — Threatening data release shows sophistication
  • Phishing delivery — Standard organized crime technique

Why NOT other actors:

  • Nation-state — Wouldn't demand ransom; would seek espionage
  • Hacktivist — Would make political statement, not demand money
  • Script kiddie — Lacks sophistication for double extortion
  • Insider — Would have easier methods than phishing

Key insight: The profit motive + ransomware + double extortion is the signature of organized crime operations.

Key Terms to Know

  • threat actors
  • nation-state
  • script kiddie
  • hacktivist
  • insider threat
  • organized crime
  • shadow IT
  • APT
  • unskilled attacker

Common Mistakes to Avoid

Thinking script kiddies aren't dangerous—while individually unsophisticated, automated tools can still cause real damage. Don't dismiss them entirely.
Assuming all insiders are malicious—negligent and compromised insiders cause many incidents without malicious intent.
Confusing hacktivists with other criminals—hacktivists are ideologically motivated, not profit-driven. This affects their targeting and methods.
Forgetting shadow IT as a threat category—it's often unintentional but creates real security gaps that other actors can exploit.

Exam Tips

Nation-state = Most sophisticated, long-term campaigns, espionage/infrastructure targets.
Organized crime = Profit-motivated, ransomware, financial fraud.
Hacktivist = Ideological motivation, publicity-seeking, symbolic targets.
Insider = Already has access, hardest to detect, can be malicious or negligent.
Script kiddie = Low skill, uses downloaded tools, opportunistic.
Shadow IT = Unintentional risk from unauthorized technology.

Memory Trick

"NOHISS" - Threat Actor Types

  • Nation-state (government-sponsored)
  • Organized crime (profit-driven)
  • Hacktivist (ideologically driven)
  • Insider (internal threat)
  • Script kiddie (unskilled)
  • Shadow IT (unmanaged technology)

Actor by Sophistication (High to Low): Nation-State → Organized Crime → Hacktivist → Insider → Script Kiddie

Motivation Quick Reference:

  • Nation-state = Power/espionage
  • Organized crime = Money
  • Hacktivist = Beliefs
  • Insider = Varies (revenge, money, accident)
  • Script kiddie = Fun/reputation

Insider Types: "MNC"

  • Malicious (intentional harm)
  • Negligent (careless accident)
  • Compromised (account taken over)

Test Your Knowledge

Q1. An attacker group targets a government defense contractor, spending months establishing persistence before slowly exfiltrating classified documents. Which threat actor type is MOST likely?

Q2. An employee uses a personal cloud storage service to share work files with a vendor, bypassing the company's approved file sharing system. This is an example of:

Q3. A group defaces a company website with political messages after the company makes a controversial statement. The attack uses known vulnerabilities and appears focused on publicity. Which threat actor is MOST likely?
