Domain 2: Threats, Vulnerabilities, and Mitigations Module 8 of 61

Threat Actor Types and Motivations


What the Exam Is Really Testing

The biggest mistake candidates make with threat actors is treating this as a vocabulary quiz. They memorize the list — nation-state, hacktivist, insider, organized crime — and assume they are done. But the exam gives you a scenario and asks you to work backward from the evidence.

Given a scenario, identify the threat actor type based on their behavior, resources, and motivation — then choose the appropriate defensive response.

Who is behind an attack shapes everything that follows. A nation-state campaign and a disgruntled employee require completely different responses, and the exam expects you to connect the dots between behavior, resources, and the defensive strategy that fits.


Threat Actor Categories

Nation-State Actors

Nation-state actors are government-sponsored or government-affiliated groups. They represent the highest tier of threat sophistication.

Key characteristics:

  • Virtually unlimited funding and resources
  • Access to zero-day exploits and custom tooling
  • Long-term persistent campaigns (months or years)
  • Targets include critical infrastructure, defense contractors, and intellectual property

Motivations: espionage, data exfiltration, war, service disruption of rival nations.

On the exam, nation-state scenarios often involve advanced persistent threats (APTs), highly targeted attacks, and situations where standard defenses are insufficient.

Unskilled Attackers

Previously called "script kiddies," unskilled attackers use pre-built tools and publicly available exploit code without understanding the underlying mechanics.

  • Low sophistication, low funding
  • Rely on automated scanners and downloadable exploit kits
  • Opportunistic rather than targeted
  • Can still cause significant damage through volume

Motivations: curiosity, reputation, thrill-seeking, revenge.

Do not underestimate them on the exam. A question might describe an automated attack hitting thousands of systems. The attacker is unskilled, but the impact is real.

Hacktivists

Hacktivists attack systems to promote a political, social, or philosophical cause.

  • Moderate sophistication — ranges from basic defacement to coordinated DDoS campaigns
  • Often operate in loose collectives
  • Target visibility matters more than data theft
  • Website defacement, data leaks, and service disruption are common tactics

Motivations: philosophical or political beliefs, disruption as protest.

Insider Threats

Insider threats originate from people who already have legitimate access: employees, contractors, partners, or former staff whose credentials remain active.

  • Internal positioning bypasses perimeter defenses entirely
  • May be intentional (malicious insider) or unintentional (negligent employee)
  • Hardest threat type to detect because activity appears normal
  • Access to sensitive data, systems, and physical infrastructure

Motivations: financial gain, revenge, coercion, or simple carelessness.

The exam frequently tests insider threats in scenarios involving data loss prevention, privilege management, and behavioral monitoring.

Organized Crime

Criminal organizations treat cybercrime as a business. They invest in infrastructure, hire skilled operators, and pursue profit systematically.

  • High sophistication and significant funding
  • Ransomware, business email compromise, credit card fraud, and identity theft
  • Operate ransomware-as-a-service (RaaS) platforms
  • Use money laundering through cryptocurrency

Motivations: financial gain, blackmail.

Shadow IT

Shadow IT refers to technology deployed within an organization without the knowledge or approval of the IT or security team.

  • Not a traditional "threat actor" but creates significant risk
  • Employees use unapproved cloud services, personal devices, or unauthorized applications
  • Bypasses security controls, compliance requirements, and monitoring
  • Expands the attack surface without visibility

Shadow IT appears on the exam as a governance and risk management issue. The correct response usually involves discovery and policy — not punishment.


Threat Actor Motivations

The exam expects you to match motivations to actor types. Here is the complete list:

  • Data exfiltration — stealing sensitive information for intelligence, resale, or leverage
  • Espionage — gathering intelligence on governments, competitors, or organizations
  • Service disruption — taking down systems or services to cause harm or send a message
  • Blackmail — threatening to release stolen data or maintain system access unless paid
  • Financial gain — direct profit through fraud, ransomware, or theft
  • Philosophical/political beliefs — activism-driven attacks to further a cause
  • Ethical hacking — authorized testing to identify and fix vulnerabilities
  • Revenge — personal grievance against an individual or organization
  • War — cyberattacks as part of national military or geopolitical strategy

Threat Actor Attributes

Beyond type and motivation, the exam tests three key attributes that help you classify an actor:

Internal vs. External

Internal actors have legitimate access. External actors must breach defenses to gain access. This distinction determines which controls apply. Internal threats require monitoring, least privilege, and access reviews. External threats require perimeter security, authentication strength, and intrusion detection.

Resources and Funding

Nation-states and organized crime have deep resources. Unskilled attackers and lone hacktivists operate on minimal budgets. Resource level predicts attack persistence, tooling sophistication, and the difficulty of defense.

Sophistication Level

Sophistication ranges from using pre-built tools (low) to developing custom zero-day exploits (high). Higher sophistication means longer dwell times, better evasion, and more targeted attacks.

On the exam, you might see a scenario describing an attack and be asked to identify the most likely threat actor. Use these three attributes as your framework.


Pattern Recognition

When a question describes a threat scenario, filter through this checklist:

  1. Is the attacker internal or external?
  2. What is their apparent motivation?
  3. What level of resources does the attack suggest?
  4. How sophisticated is the technique?
  5. Is the attack targeted or opportunistic?

These five questions will lead you to the correct actor type almost every time.

Pattern shortcuts:

  • Zero-day exploit + espionage target = nation-state
  • Ransomware + financial demand = organized crime
  • Website defacement + political message = hacktivist
  • Data leak + disgruntled employee = insider threat
  • Mass scanning with public tools = unskilled attacker

Trap Patterns

Watch for these common traps on the exam:

  • Confusing motivation with actor type. Financial gain can drive insiders, organized crime, and even nation-states. Do not assume a single motivation maps to one actor.
  • Underestimating unskilled attackers. The exam will present scenarios where automated tools cause serious damage. Low skill does not mean low impact.
  • Treating shadow IT as malicious. Shadow IT is a risk, but the exam frames it as a governance gap, not an attack. The answer involves policy and discovery, not incident response.
  • Assuming insiders are always malicious. Negligent insiders cause more incidents than malicious ones. The exam distinguishes between intent and carelessness.

Scenario Practice

Question 1

A security analyst discovers that an attacker has maintained persistent access to the organization's defense research servers for eight months. The attacker used a previously unknown vulnerability and custom-built malware that evades all commercial detection tools.

Which threat actor type is MOST likely responsible?

Answer & reasoning

Answer: Nation-state actor

The combination of zero-day exploitation, custom malware, extended dwell time, and defense-sector targeting strongly indicates a nation-state advanced persistent threat.

Organized crime typically seeks faster financial returns. Hacktivists prefer visible disruption. Unskilled attackers lack the capability for custom tooling.


Question 2

An organization experiences a surge of login attempts against its public-facing web application. The attack uses a well-known automated brute-force tool and targets default credentials. No specific data or systems appear to be targeted.

Which threat actor type is MOST likely responsible?

Answer & reasoning

Answer: Unskilled attacker

The use of a known automated tool, targeting default credentials, and lack of specific targeting all indicate an unskilled attacker conducting opportunistic attacks.

Nation-states and organized crime would use more targeted and sophisticated approaches. Hacktivists would typically aim for visible disruption rather than credential brute-forcing.
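The surge in Question 2 is what a defender would see in the web application's authentication log. The following detection is an added example written for this module, not code from the course or the exam: it reads constructed log lines, flags a source whose failures form a burst, and labels the burst opportunistic when the usernames are many and mostly vendor defaults, or targeted when a few real accounts are hammered. The log format, the thresholds and the default-account list are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample web-app auth log (not from a real system):
# "<ISO timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 admin FAIL
2024-05-01T10:00:02Z 203.0.113.5 administrator FAIL
2024-05-01T10:00:02Z 203.0.113.5 root FAIL
2024-05-01T10:00:03Z 203.0.113.5 test FAIL
2024-05-01T10:00:04Z 203.0.113.5 guest FAIL
2024-05-01T10:00:05Z 203.0.113.5 admin FAIL
2024-05-01T10:00:06Z 203.0.113.5 user FAIL
2024-05-01T10:00:07Z 203.0.113.5 support FAIL
2024-05-01T10:00:30Z 198.51.100.7 jsmith FAIL
2024-05-01T10:00:45Z 198.51.100.7 jsmith OK
"""

# Vendor/framework default account names; an illustrative list assumed by this example.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "test", "guest", "user", "support"}
MIN_FAILURES = 8        # failures from one source before we call it a surge
MAX_SPAN_SECONDS = 60   # ...and all of them must land inside this span

def parse(log_text):
    """Yield (timestamp, source_ip, username, result) tuples from the format above."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result

def analyze(log_text):
    """Return {source_ip: report} for sources whose failures form a brute-force surge.
    Many distinct usernames, mostly defaults, is the opportunistic pattern of Question 2;
    a burst against one or two real accounts is labelled 'targeted' for closer review."""
    fails = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        if result == "FAIL":
            fails[ip].append((ts, user))
    reports = {}
    for ip, events in fails.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(events) < MIN_FAILURES or span > MAX_SPAN_SECONDS:
            continue            # not a surge: ordinary typos, or a slow low-volume trickle
        users = [u for _, u in events]
        default_ratio = sum(u in DEFAULT_ACCOUNTS for u in users) / len(users)
        opportunistic = len(set(users)) >= 5 and default_ratio >= 0.8
        reports[ip] = {"failures": len(users), "distinct_usernames": len(set(users)),
                       "default_ratio": round(default_ratio, 2),
                       "pattern": "opportunistic" if opportunistic else "targeted"}
    return reports
```

On the sample, only 203.0.113.5 is reported, as an opportunistic burst of eight failures across seven default usernames; the single typo from 198.51.100.7 never reaches the threshold.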


Question 3

A terminated employee's credentials were not disabled during offboarding. Two weeks after departure, the former employee accessed the company file server and deleted project files related to the team that recommended their termination.

What is the PRIMARY motivation for this attack?

Answer & reasoning

Answer: Revenge

The targeted deletion of files belonging to the team that recommended termination directly indicates revenge as the motivation. This is a malicious insider threat enabled by poor offboarding procedures.

Financial gain, espionage, and philosophical beliefs do not align with the targeted, destructive nature of this action.
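The control failure behind Question 3 is the missing offboarding step, and the access review that catches it is the defensive counterpart. The audit below is an added example for this module, not course or exam material: it joins a constructed HR termination list against a directory export and audit events, reporting accounts that remain enabled and any activity after the departure date. All account names, dates and the event format are constructed for the example.

```python
from datetime import date, datetime

# Constructed data for this example (no real users or systems).
# HR feed: who left and on what date.
TERMINATIONS = {"dlee": date(2024, 3, 1), "mchen": date(2024, 3, 8)}

# Directory export: account -> enabled flag (the thing offboarding should have changed).
DIRECTORY = {"dlee": True, "mchen": False, "asingh": True}

# Authentication and file-server audit events: (timestamp, account, action).
AUTH_EVENTS = [
    (datetime(2024, 2, 27, 9, 5), "dlee", "login"),
    (datetime(2024, 3, 15, 22, 41), "dlee", "login"),                 # two weeks after departure
    (datetime(2024, 3, 15, 22, 43), "dlee", "delete:/projects/team-b/"),
    (datetime(2024, 3, 7, 17, 0), "mchen", "login"),                  # last working day, legitimate
    (datetime(2024, 3, 20, 10, 0), "asingh", "login"),                # current employee
]

def audit_offboarding(terminations, directory, events):
    """Return findings for terminated accounts still enabled or used after departure.

    Each finding is (account, severity, detail). 'still_enabled' is the control failure
    in Question 3; 'post_termination_activity' is its exploitation. Both checks run
    together because an enabled stale account with no activity yet is still urgent.
    """
    findings = []
    for account, left_on in terminations.items():
        if directory.get(account, False):
            findings.append((account, "high", "still_enabled"))
        late = [(ts, action) for ts, acct, action in events
                if acct == account and ts.date() > left_on]
        for ts, action in sorted(late):
            # Destructive actions by a departed user outrank a bare login.
            sev = "critical" if action.startswith("delete:") else "high"
            findings.append((account, sev, f"post_termination_activity:{action}@{ts.isoformat()}"))
    return findings
```

Run against the sample, the audit returns three findings, all for dlee: the account is still enabled, it logged in after termination, and it performed a deletion. mchen, whose account was disabled on schedule, produces none.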


Key Takeaway

Threat actor classification is not trivia — it is the first step in every defensive decision. The actor type tells you how sophisticated your response needs to be, the motivation tells you what they are targeting, and the attributes (internal vs. external, funding level, sophistication) tell you where to focus your defenses. When you see a threat scenario on the exam, classify first and respond second. The right defensive strategy always follows from correctly identifying who is attacking and why.
