Attributes and Capabilities of Threat Actors (Domain 2)

In this episode, we are going to examine the key attributes and capabilities that help define threat actors. Not all attackers operate the same way or pose the same level of danger. Their location, funding, and technical skill all influence how they approach targets and how defenders must respond. Understanding these characteristics will help you better analyze threats and choose the right defensive strategies.
Let’s start with internal versus external actors. An internal actor is someone who already has authorized access to the organization. This could be an employee, contractor, or business partner. Because they already operate within the trusted environment, they can access systems and data without raising immediate suspicion. Internal actors may act maliciously or may unintentionally cause harm through negligence.
In contrast, an external actor is someone outside the organization who has no authorized access. This includes cybercriminals, hacktivists, nation-state attackers, and other outsiders attempting to gain unauthorized entry through phishing, malware, or network exploitation. External actors typically must bypass perimeter defenses and authentication systems to reach their targets.
The key difference between these two groups lies in access and visibility. Internal actors already have credentials and understand how the environment works. External actors must find ways to break in. That difference has a major impact on how security teams build their defenses.
Case studies highlight this difference clearly. In one incident, a disgruntled employee copied sensitive files before resigning and leaked them to the public. Because the user had legitimate access, the breach went unnoticed until the files appeared online. In another case, an external group used a phishing campaign to steal login credentials, then used those credentials to move through the network and deploy ransomware. The first case illustrates an internal actor abusing trust. The second shows how external actors can break in and escalate privileges.
Now let’s examine the role of resources and funding. The amount of money, equipment, and personnel available to a threat actor significantly affects how dangerous they can be. Highly resourced attackers—such as nation-state groups and large cybercrime syndicates—can develop their own malware, buy access to zero-day vulnerabilities, and sustain long-term operations across multiple targets.
These attackers can afford to conduct detailed reconnaissance, build custom exploits, and test their tools against known security controls. Their attacks are often well-planned, stealthy, and hard to detect. In some cases, they may also have access to physical facilities or insider collaborators who help them bypass defenses.
On the other hand, low-resource attackers may rely on publicly available tools, recycled malware, or simple social engineering techniques. Their operations are often opportunistic rather than targeted. They may look for outdated software, exposed databases, or weak passwords that allow easy entry.
Despite their limitations, low-resource attackers can still cause serious damage—especially when organizations fail to maintain basic security hygiene. A misconfigured cloud storage bucket or an unpatched web server can become an easy target, regardless of the attacker’s funding or experience level.
Real-world examples reinforce this point. In one case, a large financial institution was hit by a nation-state actor using advanced persistent threat tactics. The attackers moved slowly, gathered intelligence, and exfiltrated data for months before being discovered. In another case, a small e-commerce site was breached by a lone attacker using a known vulnerability and a publicly available exploit script. Both incidents caused data loss and downtime, but the first required months of investigation, while the second could have been prevented with a simple patch.
Finally, let’s explore levels of sophistication and capability. A low-sophistication attacker may rely on brute-force password attempts, phishing emails, or web scans to find and exploit common vulnerabilities. These attackers often use point-and-click tools that require little technical knowledge.
At the mid level, attackers may demonstrate some ability to customize their tools, evade detection, or exploit less obvious weaknesses. They might chain vulnerabilities together, use obfuscation techniques, or conduct basic social engineering over phone calls or chat messages.
Highly sophisticated attackers take things even further. They use advanced techniques like memory injection, zero-day exploitation, encrypted command and control channels, and lateral movement across segmented networks. These attackers often research their targets extensively, using open-source intelligence and insider knowledge to craft precise, hard-to-detect attacks.
The sophistication level of an attacker affects how you plan your defense. For low-level threats, strong password policies, patch management, and basic awareness training may be enough. For mid-level threats, you’ll need network segmentation, endpoint detection, and behavioral monitoring. And for high-level threats, you’ll need threat hunting teams, advanced intrusion detection systems, and coordinated incident response procedures.
Practical scenarios illustrate this well. Suppose an attacker is using automated scripts to scan for open ports on random web servers. That’s a low-sophistication threat, and a firewall or intrusion prevention system might block it immediately. Now imagine a different attacker who gains access to an internal system, escalates privileges, disables logging, and silently exfiltrates data over several months. That’s a highly sophisticated threat, and it requires deep visibility and mature response capabilities to detect and stop.
As you study for the Security+ exam, pay close attention to how threat actors are categorized by access, resources, and skill. Know the difference between internal and external actors, and understand how funding and sophistication influence the threat landscape. The exam may ask you to match scenarios to threat types, compare levels of capability, or recommend defenses based on the attributes of the attacker. Think critically about how different threat profiles demand different levels of preparation.
