Threat Actors and Attack Vectors
Who attacks systems, what motivates them, and the vectors they use to get in.
Security+ expects you to classify who is attacking, why they are doing it, and how they get in. The exam rarely asks for deep technical detail here — instead it hands you a scenario and asks you to name the actor type, infer the motivation, or identify the vector. Learn the attributes that separate one actor from another and the common paths into an environment, and these questions become quick points.
Core Idea
- Threat actors are classified by attributes: internal vs. external, resources/funding, and level of sophistication/capability. These attributes, not the label alone, drive most exam answers.
- Motivation predicts behavior. Financial, espionage, disruption, ideological (hacktivism), and revenge motives each point to a specific actor type in scenario questions.
- Attack vectors are the paths in; the attack surface is the sum of all those paths. Reducing the attack surface (closing ports, removing default credentials, patching software) shrinks the opportunities an actor can use.
Threat Actor Types and Attributes
- Nation-state / Advanced Persistent Threat (APT): external, extremely well-funded, and highly sophisticated. Motivated by espionage and disruption, they pursue long-term, stealthy access. APT signals the most capable adversary on the exam.
- Organized crime: external, well-resourced, and sophisticated, but almost always motivated by financial gain — ransomware, banking fraud, and data theft for resale.
- Hacktivist: external, moderate resources, motivated by ideology or a political/social message. Think website defacement, DDoS, and doxxing to make a statement.
- Insider threat: internal, with legitimate access and knowledge of where valuable data lives. Motivations include revenge (disgruntled employee), financial gain, or accidental error. Access — not sophistication — makes insiders dangerous.
- Unskilled attacker (script kiddie): external, low resources, low sophistication. Runs prebuilt tools and exploits they did not write; motivated by curiosity, thrill, or notoriety.
- Shadow IT: internal — employees deploying unsanctioned hardware, software, or cloud services. Not malicious, but it creates unmanaged, unmonitored attack surface.
Motivations
- Financial: ransomware, fraud, extortion — the hallmark of organized crime.
- Espionage: stealing secrets or intellectual property — the hallmark of nation-states and competitors.
- Disruption / chaos: taking systems down, often via DDoS — nation-states and hacktivists.
- Ideological / political: advancing a cause or belief — hacktivists.
- Revenge: a wronged individual, most often a disgruntled insider.
- Also test-worthy: data exfiltration, service disruption, blackmail, and war as scenario motivations.
Attack Vectors and Attack Surface
The attack surface is every point where an attacker could try to enter or extract data. Common vectors include:
- Message-based: email (phishing), SMS (smishing), voice (vishing), and instant messaging — the most common initial vector overall.
- Image and file-based: malicious files or images carrying embedded payloads.
- Removable media: USB drives used to bypass network defenses (the classic dropped-USB attack).
- Unsecured networks: open wireless, rogue access points, and unencrypted wired connections.
- Supply chain: compromising a trusted vendor, MSP, or software update to reach the real target.
- Vulnerable software: unpatched or misconfigured applications and operating systems.
- Open service ports and default credentials: exposed services and unchanged factory passwords are easy, high-value entry points.
Threat Intelligence Sources
- OSINT (Open-Source Intelligence): freely available public data — vendor advisories, news, social media, WHOIS, search engines.
- ISAC (Information Sharing and Analysis Center): industry-specific groups (for example, Financial Services or Health ISACs) that share threat data among members.
- Other sources: closed/proprietary feeds, the dark web, threat feeds/AIS, and vulnerability databases such as the CVE list.
High-Yield Exam Patterns
- A scenario emphasizing stealth, patience, and heavy funding points to a nation-state / APT.
- A scenario about ransomware or stolen data sold for profit points to organized crime with a financial motive.
- Website defacement, DDoS, or doxxing for a cause points to a hacktivist with an ideological motive.
- If the actor already has legitimate access or works for the company, it is an insider threat.
- Unsanctioned cloud apps or personal devices on the network describe shadow IT, not an external attacker.
- To reduce the attack surface, expect answers like patching software, closing open ports, changing default credentials, and disabling removable media.
Common Traps to Avoid
- Do not equate "internal" with "low skill." Insiders are dangerous because of access, and a script kiddie is external but unskilled — the two attributes are independent.
- Do not assume every attacker is financially motivated; match the stated behavior to the motivation.
- Do not confuse attack vector (the path used, e.g., a phishing email) with the attack surface (all possible paths).
- Do not treat shadow IT as an external threat actor — it is an internal, usually non-malicious, source of risk.
- Do not label sophisticated financial crime as a "nation-state"; organized crime is capable but profit-driven.
Flashcards
Card 1 of 14
Question
What three attributes are used to classify threat actors?
Click or press Space to reveal answer
Answer
Internal vs. external, level of resources/funding, and level of sophistication/capability.
Keyboard: Space/Enter to flip • Arrow keys to navigate
Ready to Test Your Knowledge?
This quiz has 8 questions and each one has 4 options.
Quiz Details
8 Questions
Multiple choice with instant self-check
Final Review
See correct answers and explanations at the end
Build your own lesson in minutes.
Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.