Identifying the Four Main Threat Actor Types

In order to develop best practices for threat intelligence, enterprises must be aware of the four most common types of primary threat actors.

In today’s cybersecurity climate, data breaches are more common than ever before. Over the past five years, security breaches have increased by 67 percent, with ransomware attacks occurring every 14 seconds.

In our last article, we advised CIOs to invest in threat intelligence solutions to keep their networks safe against this slew of incoming attackers. If IT teams are to continue developing best practices in threat intelligence, they must be able to identify the primary threat actors who target their enterprises.

Each actor has their own tactics, techniques, and procedures, and it’s vital that security teams develop an understanding of what those are so CIOs can implement more effective methods of proactive defense.

Cyber Criminals

Generally speaking, cybercriminals make up the largest number of attackers targeting enterprises. They are motivated by money and they want to steal your valuable data. In fact, 50 percent of data breaches were carried out by organized criminal groups in 2018. Industry forecasters predict that cybercriminals will steal an estimated 33 billion records in 2023, indicating a steep and steady growth following the 12 billion records that were swiped in 2018.

Cybercriminals utilize many tactics, but the most popular method is phishing — the act of sending fraudulent emails with hidden malware payloads to their targets. As cybercriminals become more talented, these emails are harder for IT teams to flag. What’s more, phishing is a low-cost hack, so attackers can operate quickly and at high volume with this tactic.

Luckily, enterprises can thwart phishing with more proactive email filtering and authentication systems. Because built-in filtering offers only basic scanning, IT teams can use threat intelligence to better monitor incoming emails that may carry malicious content.

Hacktivists
Unlike criminals who are driven by profit, hacktivists primarily want to undermine your reputation or disrupt your operations for political reasons. This means they will usually steal data for the purpose of incriminating or embarrassing your enterprise. These attacks often may look like vandalism rather than cybercrime, but just because hacktivists aren’t chasing dollars doesn’t mean their attacks can’t be costly.

Hacktivists frequently target websites using a distributed denial of service (DDoS) attack, which overwhelms a target’s infrastructure with floods of Internet traffic. To execute this attack effectively, hackers must gain control of a large number of computers, so they will often run a spam malware campaign first. Even if no data is stolen, a DDoS attack can crash major sites, which can cost enterprises an average of $2.5 million to repair.

Creating a defense against DDoS attacks is not easy. Traffic spikes in server logs need to be identified immediately, and even then, IT teams need to ensure their incident response protocols operate at speed. Enterprises would be smart to invest in DDoS threat intelligence tools to improve their defenses. DDoS threat intelligence aggregates data from repeat attack agents and combines it with knowledge of vulnerable IP addresses and hosts.
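The spike detection and threat-intel correlation described above, as an added example that is not code from the original article or from TTI: it buckets constructed Common Log Format access-log lines per second, flags any second whose request count is far above the rolling baseline, and reports which sources dominate the flood and which of them appear on a hypothetical list of known attack agents (all addresses are RFC 5737 documentation ranges).

```python
import re
from collections import Counter, defaultdict

# Hypothetical threat-intel list of known DDoS attack agents (constructed, RFC 5737 addresses).
KNOWN_ATTACK_AGENTS = {"192.0.2.50", "192.0.2.51"}

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+$')


def parse_line(line):
    """Return the source IP and one-second bucket of a log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "second": m["ts"].split(" ")[0]}  # drop the timezone


def detect_spikes(lines, baseline_window=5, multiplier=5.0, min_requests=20):
    """Flag any second whose request count is at least `min_requests` and exceeds
    `multiplier` x the mean of the preceding `baseline_window` seconds."""
    per_second = defaultdict(Counter)  # second -> Counter of source IPs
    order = []                         # seconds in first-seen order (log assumed chronological)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                   # skip malformed lines rather than crash the detector
        if rec["second"] not in per_second:
            order.append(rec["second"])
        per_second[rec["second"]][rec["ip"]] += 1
    alerts = []
    for i, sec in enumerate(order):
        total = sum(per_second[sec].values())
        prev = [sum(per_second[s].values()) for s in order[max(0, i - baseline_window):i]]
        baseline = sum(prev) / len(prev) if prev else 0.0
        if total >= min_requests and total > multiplier * max(baseline, 1.0):
            alerts.append({
                "second": sec, "requests": total, "baseline": baseline,
                "top_sources": per_second[sec].most_common(3),   # who dominates the flood
                "known_agents": sorted(ip for ip in per_second[sec] if ip in KNOWN_ATTACK_AGENTS),
            })
    return alerts


def build_sample_log():
    """Constructed access-log lines: five quiet seconds, then one flood second."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
    quiet = [fmt.format(ip=ip, sec=s) for s in range(30, 35) for ip in ("203.0.113.10", "198.51.100.7")]
    flood = ["192.0.2.50", "192.0.2.51", "192.0.2.99"]
    return quiet + [fmt.format(ip=flood[n % 3], sec=35) for n in range(45)]
```

Running `detect_spikes(build_sample_log())` yields one alert for the flood second, naming the three dominant sources and the two that match the intel list; in practice the baseline window and multiplier would be tuned to the site's normal traffic.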


Cyber Spies: State-Sponsored Attackers

State-sponsored attackers, sometimes known as cyberspies, also seek to steal information. They don’t account for many data breaches — only 12 percent of last year’s totals — but they are persistent, difficult to identify, and can cause more damage than the average cybercriminal. Additionally, cyberspies seek sustained access to proprietary data, meaning sensitive industries like tech, pharma, and finance are at a greater risk of being targeted.

Usually, cyberspies carry out their attacks under the umbrella tactic of an advanced persistent threat (APT): a prolonged incident during which an intruder gains access to a network while remaining undetected. Although these threats won’t damage or disrupt your network (since that would draw attention), more data can be compromised without IT teams noticing. Carrying out an APT is difficult; common entry tactics include phishing, zero-day attacks, and social engineering, methods that often rely on manipulating workers into unknowingly breaking their own security protocols.

Because of the myriad vectors used in APT attacks, there is no single security solution. Instead, IT teams should have advanced patch management practices in place, and to strengthen that practice it’s advisable to feed advanced threat intelligence into their vulnerability testing.


Insider Threats

It’s not always external attackers gunning for your data: sometimes insiders — whether malicious or just negligent — pose the biggest threat to your security. In fact, 28 percent of breaches last year were caused by internal actors.

Sometimes disgruntled insiders might commit an act of vandalism as a form of vendetta, while other times an employee who simply lacks technical literacy might unknowingly damage a private network. Unfortunately, either incident can be equally costly to an enterprise.

The best way to defend against these breaches is to make sure current employees are trained to be disciplined with their access permissions. Attackers might target a well-intentioned employee to gain passwords or access to private networks. To address malicious insiders, it’s advisable for IT teams to deploy a few honeypots around their networks and invest in user analytics tools. This way, they can monitor suspicious activity from within their organization.


The Turn-key Solution

Understanding your adversaries is the key to developing best practices for threat intelligence. Not all attackers will use the same tactics or target the same data. As such, IT teams need to keep their heads on a swivel and stay one step ahead of incoming hackers. For enterprises that need support in strengthening their security, Turn-key Technologies (TTI) is here to help.

With nearly three decades of experience helping enterprises build defensive tools to stay abreast of emerging attackers, both of the present and the future, TTI offers the tools and capabilities that enterprises need to implement a proactive defense. Get in touch with us today to learn more about our network support offerings.

By Craig Badrick
