1.5 Threat actors & motivations
📘CompTIA Security+ SY0-701
🔹 Overview
When studying threat actors, it’s important to understand their attributes — the key characteristics that define how dangerous they are and where they come from.
CompTIA focuses on three major attributes:
- Internal vs. External
- Resources / Funding
- Sophistication / Skill Level
Each of these helps security professionals identify how a threat might attack an organization and how to defend against it.
🧩 1. Internal vs External Threat Actors
🔸 Internal Threat Actors
- These are people inside the organization who already have access to systems, data, or networks.
- They can be:
  - Employees
  - Contractors
  - Vendors
  - Partners with access rights
✅ Characteristics:
- Already have legitimate credentials (username/password, badges, VPN access, etc.).
- Can bypass many security layers like firewalls or intrusion detection systems, since they work inside.
- Threat can be intentional or accidental:
  - Intentional: A disgruntled employee stealing data or sabotaging systems.
  - Accidental: A careless user clicking on phishing links or misconfiguring cloud storage.
⚙️ IT Example:
An employee with access to a company’s file server copies sensitive project data to personal storage before leaving the company.
This is a malicious insider attack.
🔸 External Threat Actors
- These are individuals or groups outside the organization.
- They have no authorized access to internal systems.
- They attack by exploiting vulnerabilities in software, networks, or user behavior.
✅ Characteristics:
- Must gain access first — through hacking, phishing, malware, social engineering, or exploiting public-facing systems.
- Usually more visible in network logs because their activity comes from outside IP addresses or unknown sources.
- Can include hacktivists, organized crime groups, nation-states, or random attackers.
⚙️ IT Example:
A hacker scans the company’s web server for vulnerabilities and launches an SQL injection attack to steal customer information.
This is an external threat actor.
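The log-visibility point above can be shown with a small defender-side script. This is an added example, not part of the original notes: it parses a few constructed log lines, labels each event as internal or external by whether the source address falls in the RFC 1918 / loopback ranges (assumed here to be the organization's internal address space), then surfaces the two patterns the notes describe: repeated failed logins from outside (an external actor that must break in) and successful credentialed actions from inside (an insider whose activity never trips an authentication failure).

```python
# Added example: sorting constructed log events into internal vs. external sources.
import ipaddress
from collections import Counter

# Assumption: the organization's internal address space is RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log (not real data). Fields: timestamp user src_ip action result
SAMPLE_LOG = """\
2024-05-01T08:02:11 jsmith 10.20.4.17 login success
2024-05-01T08:05:40 jsmith 10.20.4.17 copy_to_usb success
2024-05-01T09:11:02 admin 203.0.113.55 login failure
2024-05-01T09:11:05 admin 203.0.113.55 login failure
2024-05-01T09:11:09 root 203.0.113.55 login failure
2024-05-01T09:30:00 mlee 192.168.1.44 login success
"""

def classify_source(ip):
    """Return 'internal' if ip is in one of INTERNAL_NETS, otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"

def parse_log(text):
    """Split each non-empty line into a dict and tag it with its source origin."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action, result = line.split()
        events.append({"ts": ts, "user": user, "src": src, "action": action,
                       "result": result, "origin": classify_source(src)})
    return events

def external_failed_logins(events):
    """Count failed logins per outside address: the 'must gain access first' pattern."""
    return Counter(e["src"] for e in events
                   if e["origin"] == "external" and e["action"] == "login"
                   and e["result"] == "failure")

def internal_sensitive_actions(events, watched=("copy_to_usb",)):
    """Successful, credentialed actions from inside. These pass authentication,
    so they only stand out when the action itself is on a watch list."""
    return [e for e in events if e["origin"] == "internal"
            and e["action"] in watched and e["result"] == "success"]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("external failed logins:", dict(external_failed_logins(evs)))
    for e in internal_sensitive_actions(evs):
        print("insider review:", e["user"], e["src"], e["action"])
```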
🧩 2. Resources (Funding / Capabilities)
“Resources” mean the amount of money, tools, time, and people a threat actor can use to carry out an attack.
🔸 Low-Resource Threat Actors
- Often individuals or small groups with limited tools and basic skills.
- Rely on publicly available tools, free hacking software, or “script kiddie” kits.
- Focus on easier targets with poor security.
- Motivation: Usually curiosity, fame, or small profit.
⚙️ IT Example:
An amateur attacker downloads a free password-cracking tool from the internet and tries to break into random accounts.
🔸 High-Resource Threat Actors
- Usually well-funded organizations or governments.
- Have dedicated teams, advanced equipment, and even zero-day exploits (exploits for vulnerabilities not yet known to the vendor or patched).
- Can develop their own tools and malware, and perform long-term, targeted attacks.
- Motivation: Espionage, sabotage, national interest, or large-scale profit.
⚙️ IT Example:
A government-sponsored team develops custom malware that secretly steals information from a rival country’s defense network.
🔸 Medium-Resource Threat Actors
- Organized crime groups often fall here.
- Have financial backing and technical expertise, but are not as powerful as nation-states.
- They use commercial-grade tools or buy exploits on the dark web.
⚙️ IT Example:
A criminal group buys ransomware from a dark web marketplace and uses it to encrypt company files for ransom payments.
🧩 3. Sophistication (Skill Level / Techniques)
“Sophistication” means how advanced or skilled a threat actor is — how complex their attacks are and how well they can hide their actions.
🔸 Low Sophistication
- Use simple attacks or automated tools created by others.
- Often lack deep technical knowledge.
- Rely heavily on trial and error or copy-paste scripts.
- Easier to detect and stop with basic security controls.
⚙️ IT Example:
A beginner attacker uses a ready-made phishing email template to trick users into revealing passwords.
🔸 Medium Sophistication
- Have moderate technical skills.
- Understand how to modify tools, exploit known vulnerabilities, and evade basic detection.
- Can perform targeted attacks and adapt when blocked.
⚙️ IT Example:
A hacker customizes an open-source malware program to bypass antivirus detection and installs it on a company network.
🔸 High Sophistication
- Highly trained and skilled professionals or teams.
- Create custom exploits, zero-day attacks, and advanced persistent threats (APTs).
- Use social engineering, encryption, and multi-stage attacks to remain undetected for long periods.
- Difficult to detect or remove even with strong defenses.
⚙️ IT Example:
An APT group uses custom malware and encrypted communication channels to stay hidden inside a company network for months while collecting confidential data.
🔹 Summary Table
| Attribute | Low Level / Basic | Medium Level | High Level / Advanced |
|---|---|---|---|
| Threat Actor Type | Often external, individuals | Organized groups | Nation-state, advanced teams |
| Resources | Free tools, minimal budget | Purchased exploits, paid access | Custom tools, full-time staff |
| Sophistication | Simple attacks, limited skill | Moderate skill, adaptable | Highly skilled, stealthy |
| Example IT Attack | Basic phishing | Targeted ransomware | Custom zero-day malware |
🧠 Exam Tips (SY0-701 Focus)
- Internal vs. External – Know which threats have legitimate access (internal) and which must break in (external).
- Resources – The more resources, the more complex and dangerous the threat.
- Sophistication – Ties closely to resources; advanced attackers can stay hidden longer.
- CompTIA loves comparisons – Be ready to compare:
  - Internal vs. External
  - Low-resource vs. high-resource
  - Low-skill vs. high-skill
- Link attributes to threat actor types (nation-state = high resource/sophistication, insider = internal, etc.).
✅ Quick Recap
- Internal threat actors: Work within the organization; trusted access.
- External threat actors: Attack from outside; must gain entry.
- Resources: The tools, time, and money available to the attacker.
- Sophistication: The attacker’s skill level and ability to hide or adapt.
