Domain 2 · 2.1 Threat Actors & Motivations

2.1.2 Attributes of Actors

Internal/external, resources, sophistication.

14 min

Threat actor attributes define the nature of risk by categorizing the origin, capability, and intent of individuals or groups attempting to compromise organizational resources.

Internal vs. External - Internal (Insider Threat): Actors operating within the organization’s trust boundary, such as employees or contractors. They possess institutional knowledge and authorized access, making their actions difficult to detect. - External: Actors outside the perimeter with no authorized access. They must bypass security controls like firewalls and MFA to reach internal systems.

Resource and Funding Levels - Financial Constraints: Security and functionality are often limited by available resources. Actors with high funding can sustain long-term operations. - Criminal Syndicates: Highly funded via illegal activities (ransomware, extortion). They prioritize monetary gain and operate like professional businesses. - State Actors (Nation States): Possess the highest level of resources, including specialized personnel and massive budgets. They prioritize intelligence gathering and long-term strategic advantage. - Competitors: External organizations seeking trade secrets or customer lists to gain a market advantage through competitive intelligence gathering.

Sophistication and Capability - Low Sophistication: Actors who rely on pre-made tools (script kiddies) or lack deep technical knowledge. - High Sophistication: Actors capable of developing custom exploits, conducting advanced reconnaissance, and bypassing multi-factor authentication. - OSINT (Open-Source Intelligence): Highly sophisticated actors use publicly available information from media, government reports, and academic journals to profile targets before an attack.

Motivation and Intent - Intellectual Property (IP) Theft: Common among competitors and state actors targeting research and development. - Financial Gain: The primary driver for criminal syndicates and many insider threats. - Espionage: Information gathering performed by state actors to gain political or military advantages.

Balancing Security and Functionality - Inverse Relationship: As security measures increase, system functionality and ease of use typically decrease. - Resource Prioritization: Organizations must identify mission-essential functions and prioritize recovery resources for these systems during an incident.

Quick recall - Internal actors have an advantage due to existing access and "insider" knowledge. - State actors are the most sophisticated and well-funded threat category. - Criminal syndicates are primarily motivated by profit. - CIA Triad: Confidentiality, Integrity, and Availability remain the core goals when protecting resources from actors. - Functionality vs. Security: Adding more security often hinders user convenience.