In Module 1, we built the theoretical foundation: CIA triad, AAA framework, and architectural principles. Now we apply that lens to the real world by profiling threat actors β the entities who actually attempt to violate confidentiality, integrity, and availability. Not all attackers are created equal. A script kiddie running a downloaded DDoS tool requires fundamentally different defenses than a nation-state APT with zero-day exploits and months of dwell time. Understanding who is attacking, and why, determines how you prioritize your limited security budget.
Script kiddies are unskilled attackers who use pre-written tools and exploits without understanding how they work. They scan for known vulnerabilities using tools like Metasploit or search Shodan for exposed RDP ports. Their attacks are opportunistic and noisy β they generate significant log volume but rarely succeed against patched, well-configured systems. However, their volume creates risk: a script kiddie scanning for CVE-2019-0708 (BlueKeep) might stumble upon an unpatched legacy system that was overlooked precisely because it was 'too obscure to be targeted.'
π‘ Script kiddies are your free penetration testers. If they find a vulnerability in your perimeter, your patch management process has failed. Treat high-volume, low-sophistication attack attempts as an automated audit of your external attack surface.
Insiders are current or former employees, contractors, or business partners with legitimate access to organizational systems. They bypass external defenses entirely β they already have credentials, network access, and knowledge of where sensitive data resides. Insider threats divide into malicious (intentional data theft or sabotage) and accidental (an employee pasting credentials into a public Slack channel). The 2022 Uber breach involved both: an attacker socially engineered an employee into approving an MFA push, effectively converting an accidental insider into an unwitting accomplice.
Insider threat detection is fundamentally a data science problem. You are looking for deviations from baseline behavior: a developer accessing HR records at 2 AM, a finance analyst downloading 50x their normal data volume, or an employee logging in from two geographically impossible locations within minutes.
Advanced Persistent Threats (APTs) are sophisticated, well-resourced groups β typically state-sponsored β that conduct prolonged, stealthy campaigns against specific targets. Unlike script kiddies, APTs operate with specific objectives (intellectual property theft, critical infrastructure disruption, geopolitical intelligence) and have the patience to maintain access for months or years. They develop custom malware, purchase or discover zero-day exploits, and conduct extensive reconnaissance before striking. APT29 (Cozy Bear), linked to Russia's SVR, maintained access to SolarWinds' build environment for months before injecting the SUNBURST backdoor into software updates.
| Threat Actor Type | Skill Level | Motivation | Typical Targets | Detection Difficulty |
|---|---|---|---|---|
| Script Kiddie | Low | Curiosity, ego, minor financial | Random β any vulnerable system | Easy (noisy, automated tools) |
| Hacktivist | Low-Medium | Political/social cause | Organizations opposing their ideology | Medium (DDoS, defacement are visible) |
| Organized Crime | Medium-High | Financial gain | Any with valuable data or ransomware leverage | Medium-High (financially motivated, persistent) |
| Insider (Malicious) | Variable | Revenge, financial, espionage | Their own employer | Hard (legitimate access; need behavioral analytics) |
| Insider (Accidental) | N/A | None (human error) | Their own employer | Hard (no malicious intent to detect) |
| Nation-State APT | Very High | Espionage, sabotage, geopolitical | Government, defense, critical infrastructure, IP-rich companies | Very Hard (custom tools, patience, OPSEC) |
β οΈ The most dangerous threat actor is the one you haven't profiled. If your threat model only considers external attackers and you have no insider threat program, you are blind to half your risk surface. Profile all relevant categories for your industry and data.
Verify exercises to earn β 120 XP and unlock next lab level.