Cybersecurity is not only about defending systems, but also understanding how attackers think and operate.
A security assessment always revolves around three connected concepts:
[Vulnerability] ---> exploited by ---> [Threat Actor]
        \                                   /
         \                                 /
          -------------- creates ----------
                         |
                      [Risk]
- Vulnerability = weakness
- Threat = possibility of exploitation
- Risk = likelihood + impact
1. Vulnerability, Threat, and Risk
Vulnerability
A vulnerability is a weakness in security that can be abused.
Examples:
- Weak passwords
- Unpatched software
- Misconfigured firewall
- Poor physical security
- Software bugs
- Bad network design
Important Idea
Not all vulnerabilities are equally dangerous.
Risk depends on:
- How easy exploitation is
- Value of the asset
- Exposure to attackers
Threat
A threat is the potential for a vulnerability to be exploited.
The attacker or source is called:
Threat Actor / Threat Agent
The method used is called:
Threat Vector
Examples:
- Malware
- Phishing
- USB attack
- Exploit kit
- Social engineering
Risk
Risk combines:
Risk = Likelihood × Impact
Example:
    Weak password
  + Internet-facing login page
  + Known brute-force tools
  --------------------------------
  = HIGH RISK
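As an added illustration (not part of the original notes), the formula and the example above carried into a small scoring routine: likelihood is derived from ease of exploitation and exposure, impact from asset value, and findings are ranked so the weak password on an internet-facing login comes out HIGH. The 1..3 scales, the banding thresholds and the sample findings are assumptions made for this example.

```python
from dataclasses import dataclass

# Ordinal scales are constructed for this example; the notes give no numeric scale.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Finding:
    """One vulnerability observed during an assessment."""
    name: str
    ease_of_exploitation: str  # public tooling available? no auth needed?
    exposure: str              # reachable from the internet, the LAN, or locally only?
    asset_value: str           # what the asset behind it is worth to the business

def likelihood(f: Finding) -> int:
    """Likelihood on 1..3. Exposure caps exploitability: an easy exploit against
    a host attackers cannot reach is still unlikely to be used."""
    return min(LEVEL[f.ease_of_exploitation], LEVEL[f.exposure])

def impact(f: Finding) -> int:
    """Impact on 1..3, taken from the value of the asset at stake."""
    return LEVEL[f.asset_value]

def risk_score(f: Finding) -> int:
    """Risk = Likelihood x Impact, a score on 1..9."""
    return likelihood(f) * impact(f)

def risk_rating(f: Finding) -> str:
    """Band the numeric score into the qualitative rating the notes use."""
    score = risk_score(f)
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"

def prioritize(findings: list[Finding]) -> list[tuple[str, str, int]]:
    """Triage order, highest risk first, so fixing effort goes where risk is."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.name, risk_rating(f), risk_score(f)) for f in ranked]

# Constructed sample findings. The first is the notes' own example (weak password,
# internet-facing login, known brute-force tools); its "high" asset value is assumed.
SAMPLE = [
    Finding("weak password on internet-facing login", "high", "high", "high"),
    Finding("same weak password, login reachable only from LAN", "high", "low", "high"),
    Finding("unpatched service on isolated test VM", "medium", "low", "low"),
]

if __name__ == "__main__":
    for name, rating, score in prioritize(SAMPLE):
        print(f"{rating:6} {score}  {name}")
```

The second finding shows the point of the exposure cap: the same weak password drops to MEDIUM once the login is no longer reachable from the internet.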
Core Relationship
Weakness exists
|
v
[Vulnerability]
|
Threat actor discovers it
|
v
[Threat]
|
Attack succeeds
|
v
[Impact]
|
v
[Risk]
2. Threat Actor Attributes
Modern attackers are analyzed by:
+ Access Level
+ Capability
+ Resources
+ Motivation
A. Internal vs External Threat Actors
External Threat Actor
No authorized access.
Must break in through:
- Hacking
- Phishing
- Physical intrusion
- Exploits
External attacker
        |
        v
Internet ---> Firewall ---> Company
Examples:
- Hackers
- Cybercriminals
- Nation-state groups
Internal Threat Actor (Insider Threat)
Already has access.
Examples:
- Employees
- Contractors
- Vendors
- Business partners
Employee account
|
v
Internal systems
Danger:
- Already trusted
- Knows systems
- Can bypass controls more easily
3. Threat Actor Capability Levels
Threat actors vary in sophistication.
Low Capability
Uses ready-made tools.
Examples:
- Script kiddies
- Beginner hackers
Download tool --> Launch attack
Medium Capability
Can modify tools and combine attacks.
Examples:
- Organized cybercriminals
- Hacktivist groups
High Capability
Creates custom exploits and campaigns.
Examples:
- Nation-state APTs
Capabilities:
- Zero-day exploits
- Espionage
- Military coordination
- Supply-chain attacks
4. Resources and Funding
Capability requires money and infrastructure.
More Funding
|
v
Better tools + Better people + Longer attacks
Low Resources
- Free tools
- Random attacks
High Resources
- Dedicated teams
- Malware developers
- Social engineers
- Infrastructure
- Intelligence gathering
Typical high-resource actors:
- Organized crime
- Nation-states
5. Threat Actor Motivations
Motivation explains WHY the attack happens.
Main Attack Goals
1. Service Disruption
2. Data Exfiltration
3. Disinformation
A. Service Disruption
Goal:
Stop operations.
Examples:
- DDoS
- Ransomware
- Destroy systems
Targets:
- Availability
Users --X--> Service   (service unavailable)
B. Data Exfiltration
Goal:
Steal information.
Examples:
- Customer databases
- Trade secrets
- Credentials
Targets:
- Confidentiality
Company DB ---> Attacker server
C. Disinformation
Goal:
Spread false or manipulated information.
Examples:
- Fake websites
- Social media bots
- Website defacement
Targets:
- Integrity
Trusted info --> Manipulated info
CIA Triad Connection
Confidentiality <-- Data Exfiltration
Integrity <-- Disinformation
Availability <-- Service Disruption
6. Motivation Categories
A. Chaotic / Revenge Motivations
Goal:
Cause chaos or retaliation.
Examples:
- Website defacement
- Worm outbreaks
- Angry ex-employee
"I want to damage them."
B. Financial Motivations
Most common modern motivation.
Methods
Blackmail
Threaten to release data.
"Pay us or we leak the data."
Extortion
Threaten operations.
Example:
Ransomware
"Pay us or your systems stay encrypted."
Fraud
Manipulate records for money.
Examples:
- Fake invoices
- Fake accounts
- Stock manipulation
C. Political Motivations
Goal:
Influence society or governments.
Examples:
- Hacktivism
- Cyberwarfare
- Espionage
7. Threat Actor Types
A. Hackers
A hacker is someone skilled at accessing systems.
Two broad categories:
Authorized (ethical)
Unauthorized (malicious)
B. Unskilled Attackers
Also called:
Script Kiddies
Characteristics:
- Use public tools
- Little understanding
- Opportunistic attacks
Low sophistication but still dangerous because tools are powerful.
C. Hacktivists
Hackers with political/social agendas.
Goals:
- Leak information
- DDoS services
- Spread messages
Targets:
- Governments
- Corporations
- Media organizations
    Cyber attack
  + Political agenda
  -------------------
  = Hacktivism
8. Nation-State Actors
Most advanced category.
Also associated with:
APT = Advanced Persistent Threat
APT Concept
Gain access
|
Stay hidden
|
Maintain persistence
|
Steal/disrupt over time
Characteristics:
- Long-term operations
- Custom malware
- Zero-days
- Espionage
- False flag attacks
Nation-State Goals
Espionage
Steal secrets.
Examples:
- Military plans
- Research
- Intellectual property
Disinformation
Manipulate public opinion.
Examples:
- Election interference
- Fake news campaigns
Financial Gain
Some states steal money directly.
Example:
North Korean-linked attacks.
9. Organized Crime
Modern cybercrime is highly organized.
Activities:
- Ransomware
- Financial fraud
- Identity theft
- Extortion
Cybercrime = Business model
Why dangerous:
- International operations
- Hard to prosecute
- Professional infrastructure
10. Competitor Threats
Businesses may attack competitors through:
- Espionage
- Sabotage
- Insider recruitment
Example:
Former employee joins competitor and leaks secrets.
11. Insider Threats
One of the most dangerous threats.
Why?
    Trusted access
  + System knowledge
  -------------------
  = High damage potential
Types of Insider Threats
Malicious Insider
Intentional harm.
Motivations:
- Revenge
- Financial gain
Examples:
- Data theft
- Fraud
- Sabotage
Opportunistic Insider
Sees opportunity and abuses it.
Example:
An employee who finds payroll files reachable and opens them without any business need.
Unintentional Insider
No malicious intent.
Examples:
- Weak passwords
- Falling for phishing
- Sending wrong email
Unintentional insiders are the most common source of breaches.
Shadow IT
Employees using unauthorized technology.
Examples:
- Personal cloud storage
- Unauthorized apps
- Personal devices
Problem:
Unmanaged systems
|
Unknown vulnerabilities
|
New attack surface
Threat Actor Comparison
| Threat Actor | Capability | Resources | Motivation |
|---|---|---|---|
| Script Kiddie | Low | Low | Attention/Chaos |
| Hacktivist | Medium | Medium | Political |
| Organized Crime | High | High | Financial |
| Nation-State | Very High | Very High | Strategic/Political |
| Insider | Variable | Internal Access | Revenge/Money |
| Competitor | Medium-High | Medium-High | Commercial Espionage |
Big Picture Summary
                 [Threat Actor]
                       |
       --------------------------------
       |               |              |
   Motivation     Capability      Resources
                       |
                       v
             Chooses attack strategy
                       |
                       +--> Service Disruption
                       +--> Data Exfiltration
                       +--> Disinformation
                       |
                       v
              Exploits Vulnerability
                       |
                       v
                  Creates Risk
                       |
                       v
               Impacts CIA Triad
Easy Memory Chain
Vulnerability = Weakness
Threat = Possible attack
Threat Actor = Who attacks
Threat Vector = How they attack
Risk = Chance + Damage
And:
Confidentiality --> Data theft
Integrity --> Fake/modified data
Availability --> Service disruption