Threat Intelligence 101

4 Main Threat Actor Types Explained for Better Proactive Defense

Posted: 5th June 2024
By: Esteban Borges

Editor’s Note: The following blog post is a partial summary of a SANS webinar we co-hosted with Dave Shackleford.

Understanding the four main threat actor types is essential to proactive defense. Threat actors, the entities behind malicious activities, represent a significant cyber threat as they come in various forms, each with unique motivations and methods of operation.

As businesses and organizations increasingly rely on digital infrastructure, the importance of being proactive in cybersecurity cannot be overstated. This includes being prepared to defend against advanced persistent threats, which are highly sophisticated and long-term cyberattacks that require proactive measures to mitigate the associated risks, including those related to cyber espionage.

Most threat actors fall within four main groups, each with their own favorite tactics, techniques, and procedures (TTPs). By gaining a deeper understanding of threat actors through the lens of the cyber threat intelligence cycle, you’ll be able to assign your cyber security budget to fund the right activities.

Key Takeaways

  • Understanding the four main threat actor types is essential to proactive defense.
  • Cyber criminals are motivated by money, so they’ll attack if they can profit.
  • Hacktivists want to undermine your reputation or destabilize your operations. Vandalism is their preferred means of attack.
  • State-sponsored attackers are after information, and they’re in it for the long haul. They’re difficult to identify, so you’ll need to be on top of your security.
  • Insider threats could be malicious, but they could also be well-meaning people who have been led astray. Training and user behavior analytics are the way forward.

About Threat Actors

Cyber threat actors are individuals or groups that carry out malicious activities in cyberspace, targeting digital systems, networks, and data. These actors exploit vulnerabilities in technology to cause harm, steal data, disrupt services, or gain unauthorized access.

Cyber threat actors often target intellectual property, such as sensitive business information, leading to financial consequences and impacts on competitiveness. They can operate with a variety of motivations including financial gain, political objectives, or personal grievances.

Threat actors range from lone hackers to sophisticated groups and even state-sponsored entities, each employing different tactics and levels of expertise. Their activities, often described as cyber warfare, pose significant risks to both organizations and individuals, making cybersecurity a critical concern for everyone in the digital age.

The 4 Main Threat Actors

When building your cybersecurity capability, understanding your adversaries is essential. And of course, you can’t develop a security capability that only considers a single type of cyber threat actor.

The best cybersecurity capabilities in the world belong to organizations that take proactive steps to stay ahead of their attackers. They develop a detailed knowledge not only of their adversaries but also of the latest and greatest threat actor TTPs.

The four main types of threat actors organizations can encounter are cybercriminals, hacktivists, state-sponsored attackers, and insider threats. Let’s take a deep dive into each of them.

Threat Actor Types


Cybercriminals

When thinking about cybercriminals, many imagine some nerdy hacker sitting in his mom’s basement eating potato chips. This couldn’t be further from the truth. Cybercriminals often target login credentials through phishing attacks. These days cybercrime is far more organized than ever before, and last year it even overtook the drug trade to become the most profitable illegal industry.

To give you some idea of scale, it’s estimated that victims in the U.S. paid over $24 million in 2015 to groups using ransomware trojans, and that’s just one attack vector. These groups are well-equipped, well-funded, and they have the tools and knowledge they need to get the job done. Ransomware, in particular, has become a prevalent method for cybercriminals to extort money from individuals and businesses by encrypting their data and demanding payment for the decryption key.

Right now, cybercriminals are all about mass phishing campaigns. It’s low cost, easy to pull off, and promises a truly staggering return on investment. Typically these campaigns are used to deliver malware payloads (often ransomware), and emails usually include a strong social engineering component.

So what’s the best defense? Email filtering and authentication systems.

By scanning all incoming and outgoing emails for suspicious content (e.g., executable files, “spammy” language, or similarity to previously intercepted emails), you can block and quarantine the vast majority of malicious spam. High-quality threat intelligence is extremely beneficial here, as it can be used to constantly improve spam filters and prevent the latest phishing emails from finding their mark.

Some phishing emails can originate from domains and IPs that are easily blocked. Using technologies such as DNSSEC, Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) will help you avoid a lot of headaches.


Hacktivists

Unlike cybercriminals, hacktivists are generally not motivated by money. Instead, they have a burning rage inside them that for whatever reason has been directed at you, leading to acts of cyber vandalism. Hacktivists often target government agencies for political reasons.

If they do aim to steal your data, it’s probably because they expect to find something incriminating, or simply wish to cause you embarrassment. And there’s no way of knowing in advance who they are or when they’ll strike.

How To Defend Against Hacktivist Attacks

Hacktivists mostly target the company’s public face - their websites. How do they do it? For many years, DDoS (distributed denial of service) attacks have been a firm favorite.

To initiate a DDoS attack, a hacktivist must first take control of a large number (usually thousands or tens of thousands) of computers, which they typically achieve by using malware spam campaigns. Once they have control, the hacktivist will use this “botnet” to send simple requests (e.g., viewing a webpage) to a specific website over and over again.

The amount of traffic generated by a DDoS attack can be truly staggering and often leads to site crashes and large hosting bills for the website owner. Defending against DDoS attacks isn’t easy.

You’ll need your incident response planning to be spot on. Not only that, you’ll need to identify the signs of DDoS attacks early on and give yourself the best possible chance to mitigate the attack before it reaches its inevitable conclusion.

State-Sponsored Attackers

In recent years, there has been talk about state-sponsored attacks and cyber espionage. State-sponsored attackers often target critical infrastructure to cause widespread disruptions, safety risks, and economic damage. In reality, state-sponsored attacks are far less common than cybercrime and hacktivism, but they are one of the main threat actors organizations need to keep in mind.

Unsurprisingly, state-sponsored attackers aren’t usually interested in your money. At least, not directly.

Instead, they want your data, and that means gaining sustained access to your IT infrastructure. If your organization operates in a particularly sensitive market where proprietary data is jealously guarded (e.g., technology, pharmaceuticals, or finance), you’re at a greater risk of gaining the attention of a state-sponsored hacking group.

Since state-sponsored attackers need long-term access to your IT infrastructure, their preferred TTP is known as the advanced persistent threat (APT). Unfortunately, this term is less precise than you might hope. Organizations must be prepared to defend against advanced persistent threats and implement proactive security measures to mitigate the risks associated with such threats.

Where to Expect State-Sponsored Attacks?

Because so much is on the line, state-sponsored groups will often work on multiple attack vectors simultaneously, even if they already have access to your infrastructure. These attacks can disrupt critical infrastructure, leading to severe consequences for national security. In this way, they can collect sensitive data over a long time period, rather than simply performing a smash-and-grab operation.

Sadly, although the average time to detect a breach fell substantially in the past years, it’s still in the region of five months. Needless to say, nobody wants a state-sponsored hacking group intercepting their private data for even a day, so five months is clearly too long.

Since APTs make use of multiple attack vectors, there’s no single security silver bullet to keep your organization safe. Instead, you’ll need to build a strong, consistent, and ongoing security program that includes both the fundamentals (e.g., vulnerability and patch management) and the more advanced (threat intelligence).

Ultimately, even with state-sponsored groups, if you can make their job really difficult, there’s a good chance they’ll go elsewhere in search of easier targets. Focus on building up your cybersecurity program one piece at a time, and always look for ways to improve.

Insider Threat Actors

Insider threats happen when people with authorized access to an organization’s assets abuse that access, whether on purpose or by mistake, often with malicious intent.

  1. Malicious Insider: someone who deliberately exploits their access for personal gain, to cause harm, or to steal information. Motivations can include financial gain, revenge, or espionage.
  2. Negligent Insider: employees or contractors who unintentionally compromise security through careless actions, such as clicking on phishing emails, using weak passwords, or mishandling sensitive data.
  3. Compromised Insider: an insider whose credentials might be compromised by an external actor, who then uses that access to infiltrate the organization and carry out malicious activities.

Whatever their circumstances or motives, insider threats within workspaces are dangerous and often hard to spot. Insider threats can cause data breaches, monetary losses, damage to reputation, and legal penalties. They have been responsible for some of the most significant data breaches in history, making the protection of confidential information a top priority for your organization.

Can You Anticipate and Defend Against Insider Threats?

Defending against insider threats requires a multifaceted approach that combines technology, policies, and a culture of security awareness.

Limiting access to sensitive information is crucial. Around 62% of users have shared a password over email or text messages for whatever reason. Implementing role-based access controls (RBAC) will ensure that employees only have access to the data and systems necessary for their job functions.

Along with limited access, educating employees about security best practices and the importance of protecting sensitive information should be a must. Regular training sessions should cover topics such as recognizing phishing attempts, creating strong passwords, and following data handling protocols.

Continuous monitoring of user activities can also help detect unusual behavior that may indicate an insider threat. Implement tools that can track and analyze user actions, such as accessing sensitive files outside of normal working hours or downloading large amounts of data. And of course, regularly audit and assess your security measures to ensure they are effective in mitigating insider threats.
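The two behaviors named above, sensitive-file access outside working hours and unusually large downloads, can be expressed as simple detection rules. The following is an added example, not code from the original post: the log format, the sample lines, the 08:00 to 18:00 weekday working window, the sensitive path prefixes, and the 500 MiB daily limit are all assumptions chosen for illustration.

```python
# Added example: two user-behavior rules over a constructed file-access log.
# Line format (assumed): ISO timestamp, user, action, path, bytes transferred.
from collections import defaultdict
from datetime import datetime

WORK_START, WORK_END = 8, 18                 # assumed working hours, local time
SENSITIVE_PREFIXES = ("/finance/", "/hr/")   # assumed sensitive locations
DAILY_BYTES_LIMIT = 500 * 1024 * 1024        # assumed per-user daily ceiling

SAMPLE_LOG = """\
2024-06-03T10:05:12 alice READ /finance/q2-forecast.xlsx 2400000
2024-06-03T23:41:07 bob READ /hr/salaries.csv 810000
2024-06-04T09:15:00 carol READ /shared/build-artifacts.tar 300000000
2024-06-04T09:40:00 carol READ /shared/customer-export.zip 290000000
2024-06-04T11:02:33 alice READ /shared/handbook.pdf 1200000
"""


def parse_line(line: str):
    """Parse one log line into (timestamp, user, action, path, size)."""
    ts, user, action, path, size = line.split()
    return datetime.fromisoformat(ts), user, action, path, int(size)


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, user, when) alerts in the order they fire."""
    alerts = []
    daily_bytes = defaultdict(int)   # (user, date) -> bytes read so far
    already_flagged = set()          # one bulk alert per user per day
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _action, path, size = parse_line(line)

        # Rule 1: sensitive path touched on a weekend or outside working hours.
        off_hours = ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)
        if off_hours and path.startswith(SENSITIVE_PREFIXES):
            alerts.append(("off_hours_sensitive_access", user, ts.isoformat()))

        # Rule 2: cumulative volume for this user today crosses the ceiling.
        key = (user, ts.date())
        daily_bytes[key] += size
        if daily_bytes[key] > DAILY_BYTES_LIMIT and key not in already_flagged:
            already_flagged.add(key)
            alerts.append(("bulk_download", user, ts.date().isoformat()))
    return alerts
```

Fixed thresholds like these are a starting point; per-user or per-role baselines reduce false positives for staff whose normal work involves large transfers or night shifts.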

Defending Against Diverse Cyber Threats

In a world overwhelmed by a multitude of cyber threats, defense transcends being a responsibility—it becomes a necessity. To safeguard digital assets, organizations must develop robust strategies that encompass everything from the implementation of multi-factor authentication at key access points to comprehensive traffic monitoring and vulnerability patching. These measures are the bulwarks against unauthorized access, reducing the attack surface and allowing security teams to better detect and respond to potential exploits.

Proactive defense is a complex task, necessitating a collective effort to reduce exposure to attacks while also preparing for the inevitable breaches that will penetrate defenses. It’s about creating a dynamic security ecosystem that aligns with business objectives, one that can adapt to the evolving threat landscape and ensure business continuity even in the face of adversity.

Developing Robust Security Policies

The foundation of any cybersecurity strategy lies in the formulation and constant refinement of strong security policies. These policies are the playbook for defending against a myriad of threats, setting the standards for how organizations protect their critical systems and sensitive information. Negligence, incompetence, or simple inadvertence can all lead to breaches, making it critical to address not just technological vulnerabilities but also the human element within an organization.

Training and awareness programs are key to fortifying the human link in the security chain, ensuring that staff are not only cognizant of the risks but also equipped to act as vigilant sentinels against insider threats. Through a combination of technical safeguards and educated personnel, organizations can cultivate a security-conscious culture that stands as a formidable barrier against both deliberate and accidental compromises.

Enhancing Threat Intelligence and Response

Enhancing threat intelligence means using advanced technologies and real-time data to accurately anticipate and respond to threats. AI-powered models, ActiveEDR, and incident response planning form the vanguard of this effort, enabling security teams to identify and neutralize threats before they can wreak havoc. Such proactive measures are bolstered by international cooperation, underscoring the global nature of the challenge posed by cyber terrorism and other security issues.

The path to resilience is paved with the insights gleaned from threat intelligence feeds, vulnerability assessments, and cybersecurity training. By engaging managed detection and response providers, organizations can concentrate on fortifying their defenses, tailoring their security posture to the specific threats they face and ensuring that when an attack does occur, they are ready to respond with speed and efficacy.

Frequently Asked Questions

What are the main types of threat actors?

The main types of threat actors in the cyber threat landscape include:

  • Hacktivists: Individuals or groups driven by political or social motivations. They often use denial of service attacks and other disruptive tactics.
  • Cybercriminals: Attackers focused on financial gain through activities like ransomware attacks, fraud, or theft.
  • Insiders: Employees or associates with access to internal systems who may misuse their privileges to gain unauthorized access and cause harm.
  • Nation-State Actors: Government-affiliated groups targeting other nations for espionage, disruption, or sabotage. Nation-state threat actors often engage in advanced persistent threats (APTs).

How do threat actors choose their targets?

Threat actors select targets based on various factors such as the potential for financial gain, political or ideological impact, ease of access, or specific vulnerabilities in the target’s security posture. For instance, nation-state actors may target critical infrastructure or intellectual property, while cybercriminals may go after businesses with weak defenses. Threat actor targets often include financial institutions, critical systems, and computer systems with exploitable weaknesses.

What motivates different types of threat actors?

Different threat actors have varying motivations:

  • Hacktivists: Political or social causes, often aiming to make a public statement.
  • Cybercriminals: Financial profit from ransomware attacks, stealing data, or other malicious activities.
  • Insiders: Personal grievances, financial gain, or coercion.
  • Nation-State Actors: National interests, espionage, or strategic advantage over other nations.

How can organizations defend against different types of threat actors?

Organizations can defend against threat actors by implementing comprehensive cybersecurity measures such as:

  • Regular security training and awareness programs to mitigate insider threats and social engineering attacks (Recorded Future’s Cyber Intelligence Training is a great example of this)
  • Robust access controls and multi-factor authentication to prevent unauthorized access to sensitive information.
  • Advanced intrusion detection systems (IDS) to identify and respond to cyber threat activity.
  • Strong encryption and data protection practices to safeguard against espionage by nation-state actors.
  • Continuous security assessments and updates to stay ahead of threat actors and their evolving tactics.

How do threat actors use social engineering tactics?

Threat actors often use social engineering tactics, such as spear phishing, to deceive individuals into divulging sensitive information or granting access to secure systems. This method exploits the human element of cybersecurity, making it a common and effective strategy for gaining unauthorized access.

Whatever You Do, Be Proactive

Understanding the four main threat actor types and the various cyber threats they pose is crucial for building a robust cybersecurity defense. Protecting intellectual property is a vital part of a proactive defense strategy, as the theft of sensitive business information can have severe financial consequences and impact an organization’s competitiveness. Each type presents unique challenges and requires tailored strategies to mitigate their potential impact on your organization.

Proactive defense involves more than just implementing the latest security technologies. It requires a good security strategy that includes regular risk assessments, continuous monitoring, employee training, and the development of clear policies and procedures.

By taking a proactive stance, you can reduce the likelihood of successful attacks and minimize the damage if an incident does occur. Remember, the key to effective cybersecurity is not just reacting to threats as they arise but anticipating and preparing for them in advance.

Recorded Future provides organizations with solutions that prioritize and contextualize threat data and help with identifying potential threat actors. Book a demo today to see how our threat intelligence solutions can help you protect your organization.

Esteban Borges

Esteban is a seasoned security researcher and IT professional with over 20 years of experience, specializing in hardening systems and networks, leading blue team operations, and conducting thorough attack surface analysis to bolster cybersecurity defenses. He's also a skilled marketing expert, specializing in content strategy, technical SEO, and conversion rate optimization. His career includes roles as Security Researcher and Head of Marketing at SecurityTrails, before joining the team at Recorded Future.