Opening Framing
Behind every cyberattack is a human with objectives. Understanding who attacks organizations—and why—transforms security from defending against abstract threats to countering specific adversaries. A nation-state seeking intellectual property operates differently from a ransomware gang seeking quick profit. Defenses effective against one may fail against another.
Threat actor analysis goes beyond naming adversary groups. It examines motivations that drive behavior, capabilities that define what's possible, targeting patterns that indicate who's at risk, and operational patterns that reveal how they work. This understanding enables prediction—anticipating what adversaries will do before they do it.
This week explores threat actor categorization, motivation analysis, capability assessment, and profiling methodologies. You'll learn to analyze adversaries systematically, understand what drives their behavior, and apply this knowledge to defensive priorities.
Key insight: Adversaries are rational actors pursuing objectives. Understanding their goals reveals their likely actions.
1) Threat Actor Categories
Threat actors are typically categorized by their primary motivation, though many actors have multiple objectives:
Primary Threat Actor Categories:
┌─────────────────────────────────────────────────────────────┐
│ NATION-STATE ACTORS (APTs) │
│ │
│ Motivation: Strategic national interests │
│ - Espionage (political, military, economic) │
│ - Intellectual property theft │
│ - Critical infrastructure disruption │
│ - Influence operations │
│ │
│ Characteristics: │
│ - Well-resourced (government funding) │
│ - Sophisticated capabilities │
│ - Patient, persistent operations │
│ - Targeted victim selection │
│ - Custom malware development │
│ │
│ Examples: APT29 (Russia), APT41 (China), Lazarus (DPRK) │
├─────────────────────────────────────────────────────────────┤
│ CYBERCRIMINALS │
│ │
│ Motivation: Financial gain │
│ - Direct theft (banking trojans, BEC) │
│ - Extortion (ransomware, data theft) │
│ - Fraud (credit cards, identity) │
│ - Monetization (cryptomining, spam) │
│ │
│ Characteristics: │
│ - Profit-driven decision making │
│ - ROI-focused targeting │
│ - Ransomware-as-a-Service models │
│ - Affiliate structures │
│ - Opportunistic AND targeted operations │
│ │
│ Examples: LockBit, ALPHV/BlackCat, FIN7, Scattered Spider │
├─────────────────────────────────────────────────────────────┤
│ HACKTIVISTS │
│ │
│ Motivation: Ideological/political │
│ - Protest and disruption │
│ - Public embarrassment of targets │
│ - Data leaks for exposure │
│ - Website defacement │
│ │
│ Characteristics: │
│ - Cause-driven targeting │
│ - Public claims and communication │
│ - Variable technical sophistication │
│ - Often loosely organized │
│ - Symbolic target selection │
│ │
│ Examples: Anonymous, KillNet, IT Army of Ukraine │
├─────────────────────────────────────────────────────────────┤
│ INSIDER THREATS │
│ │
│ Motivation: Various │
│ - Financial gain (selling data) │
│ - Revenge (disgruntled employee) │
│ - Ideology (whistleblowing) │
│ - Coercion (recruited by external actor) │
│ - Negligence (unintentional) │
│ │
│ Characteristics: │
│ - Legitimate access to systems │
│ - Knowledge of internal processes │
│ - Difficult to detect technically │
│ - Behavioral indicators important │
│ │
│ Examples: Edward Snowden, Reality Winner │
├─────────────────────────────────────────────────────────────┤
│ TERRORIST ORGANIZATIONS │
│ │
│ Motivation: Terror, disruption, ideology │
│ - Critical infrastructure attacks │
│ - Propaganda distribution │
│ - Recruitment and fundraising │
│ - Operational communication │
│ │
│ Characteristics: │
│ - Generally lower technical sophistication │
│ - May purchase capabilities │
│ - High-impact targeting goals │
│ - Overlap with nation-state support │
└─────────────────────────────────────────────────────────────┘
Blurring Lines:
Actor Category Overlap:
The modern threat landscape shows increasing overlap:
NATION-STATE + CRIMINAL:
┌─────────────────────────────────────────────────────────────┐
│ - State actors moonlighting for profit │
│ - Criminal groups doing state bidding │
│ - Plausible deniability operations │
│ - Ransomware with geopolitical targeting │
│ │
│ Example: APT41 conducts both espionage and financial crime │
│ Example: Sandworm (Russia) uses criminal tools │
└─────────────────────────────────────────────────────────────┘
HACKTIVIST + STATE:
┌─────────────────────────────────────────────────────────────┐
│ - State-aligned hacktivist groups │
│ - Patriotic hackers with state support │
│ - False flag operations │
│ │
│ Example: KillNet (Russia-aligned DDoS) │
│ Example: Iranian hacktivist personas │
└─────────────────────────────────────────────────────────────┘
INSIDER + EXTERNAL:
┌─────────────────────────────────────────────────────────────┐
│ - Recruitment of insiders by external actors │
│ - Social engineering targeting employees │
│ - Bribery and coercion │
│ │
│ Example: Lapsus$ social engineering and insider bribes │
└─────────────────────────────────────────────────────────────┘
Why This Matters:
- Attribution becomes more complex
- Single-category defenses insufficient
- Motivation analysis requires deeper investigation
- Response strategies must be flexible
Key insight: Categories help organize thinking, but real adversaries often defy neat classification. Focus on behavior and objectives, not just labels.
2) Understanding Motivations
Motivation analysis explains why actors behave as they do, enabling prediction of future actions:
Motivation Framework:
FINANCIAL MOTIVATION:
┌─────────────────────────────────────────────────────────────┐
│ Goal: Maximize profit, minimize risk │
│ │
│ Implications: │
│ - ROI-driven target selection │
│ - May abandon difficult targets │
│ - Responsive to increased costs (better defenses) │
│ - Will negotiate (ransomware payments) │
│ - Follows money (cryptocurrency, wire fraud) │
│ │
│ Targeting Logic: │
│ - Wealthy organizations (can pay ransoms) │
│ - Weak security (easy compromise) │
│ - Valuable data (sellable on dark web) │
│ - Critical operations (pressure to pay quickly) │
│ │
│ Defensive Implications: │
│ - Increase attacker costs (better detection, response) │
│ - Reduce attacker ROI (backups, no payment policy) │
│ - Make alternatives more attractive │
└─────────────────────────────────────────────────────────────┘
STRATEGIC/ESPIONAGE MOTIVATION:
┌─────────────────────────────────────────────────────────────┐
│ Goal: Obtain information advancing national interests │
│ │
│ Implications: │
│ - Persistent, patient operations │
│ - Specific targeting based on intelligence value │
│ - Stealth prioritized over speed │
│ - Will return after eviction │
│ - Resources not typically a constraint │
│ │
│ Targeting Logic: │
│ - Government agencies │
│ - Defense contractors │
│ - Technology companies (IP) │
│ - Research institutions │
│ - Political organizations │
│ │
│ Defensive Implications: │
│ - Assume persistent adversary │
│ - Focus on detection and hunting │
│ - Protect high-value data specifically │
│ - Plan for repeated targeting │
└─────────────────────────────────────────────────────────────┘
DESTRUCTIVE/DISRUPTIVE MOTIVATION:
┌─────────────────────────────────────────────────────────────┐
│ Goal: Cause damage, disruption, fear │
│ │
│ Implications: │
│ - May not care about detection │
│ - Impact-focused, not profit-focused │
│ - Symbolic targets often selected │
│ - May be one-time operations │
│ - Timing often significant (events, conflicts) │
│ │
│ Targeting Logic: │
│ - Critical infrastructure │
│ - High-visibility organizations │
│ - Symbolic targets (government, media) │
│ - Maximum disruption potential │
│ │
│ Defensive Implications: │
│ - Resilience and recovery capabilities │
│ - Detection may be too late │
│ - Focus on prevention │
│ - Business continuity planning │
└─────────────────────────────────────────────────────────────┘
IDEOLOGICAL MOTIVATION:
┌─────────────────────────────────────────────────────────────┐
│ Goal: Advance cause, embarrass opponents │
│ │
│ Implications: │
│ - Cause-aligned target selection │
│ - Public communication important │
│ - May leak data for exposure │
│ - Reputation damage often goal │
│ - Variable commitment and capability │
│ │
│ Targeting Logic: │
│ - Organizations opposing their cause │
│ - Government agencies │
│ - Corporations seen as unethical │
│ - Media and communications │
│ │
│ Defensive Implications: │
│ - Monitor for targeting indicators │
│ - Prepare for public disclosure │
│ - Crisis communication planning │
│ - Understand current events driving targeting │
└─────────────────────────────────────────────────────────────┘
Motivation-Based Prediction:
Predicting Adversary Behavior:
Financial Actor Facing Strong Defenses:
- Will likely move to easier target
- May attempt different attack vector
- Unlikely to invest heavily in bypass
- Negotiable on ransom amounts
Nation-State Facing Strong Defenses:
- Will invest in bypass development
- Will try alternative access methods
- Will return after eviction
- Patient, long-term perspective
Questions to Ask:
1. What does success look like for this actor?
2. What constraints do they operate under?
3. What would cause them to abandon this target?
4. What alternative targets might they choose?
5. How does timing affect their operations?
Example Analysis:
Scenario: Ransomware group targets hospital
Motivation Analysis:
- Financial motivation primary
- Hospitals seen as likely to pay (critical operations)
- Timing may align with weekends (reduced staff)
- Public attention is risk (increased scrutiny)
Prediction:
- Will demand payment quickly (urgency leverage)
- May lower demands if resistance (profit > principle)
- Will move on if detection is quick (cost/benefit)
- May leak data if payment refused (secondary monetization)
Key insight: Motivation explains behavior. An actor pursuing profit behaves differently from one pursuing ideology, even using identical techniques.
3) Capability Assessment
Capability assessment evaluates what an adversary can do, informing what defenses are necessary:
Capability Dimensions:
TECHNICAL CAPABILITY:
┌─────────────────────────────────────────────────────────────┐
│ Indicators: │
│ - Custom vs. commodity malware │
│ - Zero-day vs. known vulnerability use │
│ - Operational security sophistication │
│ - Infrastructure complexity │
│ - Detection evasion techniques │
│ │
│ Levels: │
│ Low: Public tools, known exploits, basic tradecraft │
│ Medium: Modified tools, some custom code, decent OPSEC │
│ High: Custom tooling, zero-days, advanced evasion │
│ Elite: Novel techniques, hardware implants, supply chain │
└─────────────────────────────────────────────────────────────┘
RESOURCE CAPABILITY:
┌─────────────────────────────────────────────────────────────┐
│ Indicators: │
│ - Team size (single operator vs. large group) │
│ - Funding level (affects tooling, infrastructure) │
│ - Time investment (quick ops vs. multi-year) │
│ - Infrastructure scale │
│ │
│ Levels: │
│ Limited: Individual or small team, limited funding │
│ Moderate: Organized group, sustainable operations │
│ Extensive: Large team, significant funding, global reach │
│ State: Government resources, unlimited budget │
└─────────────────────────────────────────────────────────────┘
OPERATIONAL CAPABILITY:
┌─────────────────────────────────────────────────────────────┐
│ Indicators: │
│ - Planning and reconnaissance depth │
│ - Coordination across operations │
│ - Adaptability when detected │
│ - Operational security discipline │
│ - Intelligence gathering sophistication │
│ │
│ Levels: │
│ Basic: Opportunistic, reactive, poor OPSEC │
│ Competent: Some planning, coordination, decent OPSEC │
│ Advanced: Careful planning, good OPSEC, adaptive │
│ Elite: Extensive recon, excellent OPSEC, highly adaptive│
└─────────────────────────────────────────────────────────────┘
Capability Assessment Framework:
Assessing Actor Capability:
Evidence Sources:
- Observed TTPs in incidents
- Malware analysis
- Infrastructure analysis
- Historical operations
- Industry reporting
Assessment Matrix:
                    │ Low │ Med │ High│ Elite│
────────────────────┼─────┼─────┼─────┼──────┤
Custom Malware      │     │     │  ●  │      │
Zero-Day Use        │     │     │     │  ●   │
OPSEC Quality       │     │  ●  │     │      │
Infrastructure      │     │  ●  │     │      │
Persistence         │     │     │  ●  │      │
Target Selection    │     │     │  ●  │      │
────────────────────┴─────┴─────┴─────┴──────┘
Overall Assessment: HIGH capability actor
Comparative Analysis:
Script Kiddie:
- Public exploit kits
- No custom development
- Poor operational security
- Opportunistic targeting
- Low persistence
Organized Criminal Group:
- Purchased or developed tools
- Some custom malware
- Moderate operational security
- ROI-based targeting
- Moderate persistence
APT / Nation-State:
- Extensive custom tooling
- Zero-day capability
- Excellent operational security
- Strategic targeting
- High persistence, will return
Capability vs. Intent:
Capability and Intent Matrix:
LOW CAPABILITY HIGH CAPABILITY
┌─────────────────┬─────────────────┐
│ │ │
HIGH INTENT │ ASPIRATIONAL │ CRITICAL │
│ Monitor for │ Highest │
│ capability │ priority │
│ growth │ threat │
│ │ │
├─────────────────┼─────────────────┤
│ │ │
LOW INTENT │ LOW PRIORITY │ LATENT │
│ Monitor │ Could become │
│ periodically │ threat if │
│ │ intent changes│
│ │ │
└─────────────────┴─────────────────┘
Prioritization:
1. High Capability + High Intent = Immediate threat
2. Low Capability + High Intent = Emerging threat
3. High Capability + Low Intent = Potential threat
4. Low Capability + Low Intent = Background noise
Intent Indicators:
- Stated objectives and threats
- Previous targeting patterns
- Geopolitical context
- Industry/sector focus
- Current events alignment
Key insight: Capability without intent is potential; intent without capability is aspiration. Threats require both.
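The assessment matrix and the capability/intent quadrant above can be applied consistently once the scale and the aggregation rule are written down. The following Python is an added example, not course material: it encodes the Low/Med/High/Elite scale, aggregates the page's matrix to its HIGH result, and places the actor in the prioritization quadrant; the upper-median rule and the 3-of-5 intent threshold are assumptions made for this example.

```python
"""Capability assessment and capability/intent prioritization.
Added example, not code from the course page. It encodes the Low/Med/High/Elite
scale from the Assessment Matrix above and reproduces its "HIGH capability actor"
result; the aggregation rule (upper median) and the intent threshold (3 of the 5
listed indicators) are assumptions chosen for this example.
"""
LEVELS = ["Low", "Med", "High", "Elite"]  # ordinal scale used by the matrix

# The example actor's ratings as marked in the Assessment Matrix above.
PAGE_MATRIX = {
    "Custom Malware": "High",
    "Zero-Day Use": "Elite",
    "OPSEC Quality": "Med",
    "Infrastructure": "Med",
    "Persistence": "High",
    "Target Selection": "High",
}

# The five "Intent Indicators" from the section above, as machine-friendly names.
INTENT_INDICATORS = frozenset({
    "stated_objectives", "previous_targeting", "geopolitical_context",
    "sector_focus", "current_events",
})


def overall_capability(ratings):
    """Median of the ordinal ratings. On an even count take the upper median so
    one elite dimension pulls the assessment up rather than being averaged away.
    Raises ValueError for an unknown level or an empty matrix."""
    if not ratings:
        raise ValueError("no dimensions rated")
    ranks = sorted(LEVELS.index(level) for level in ratings.values())
    return LEVELS[ranks[len(ranks) // 2]]


def intent_level(observed):
    """High intent when at least 3 of the 5 indicators are observed (assumption)."""
    unknown = set(observed) - INTENT_INDICATORS
    if unknown:
        raise ValueError(f"unknown intent indicators: {sorted(unknown)}")
    return "High" if len(set(observed)) >= 3 else "Low"


def prioritize(capability, intent):
    """Quadrant of the capability/intent matrix; High and Elite count as high capability."""
    high_cap = LEVELS.index(capability) >= LEVELS.index("High")
    high_int = intent == "High"
    if high_cap and high_int:
        return "CRITICAL"      # immediate threat, highest priority
    if high_int:
        return "ASPIRATIONAL"  # emerging threat: monitor for capability growth
    if high_cap:
        return "LATENT"        # potential threat if intent changes
    return "LOW PRIORITY"      # background noise: monitor periodically


def assess(ratings, observed_intent):
    """Full assessment: overall capability, intent level and resulting priority."""
    capability = overall_capability(ratings)
    intent = intent_level(observed_intent)
    return {"capability": capability, "intent": intent,
            "priority": prioritize(capability, intent)}


if __name__ == "__main__":
    # Page's matrix plus three observed intent indicators -> High/High -> CRITICAL.
    print(assess(PAGE_MATRIX, ["sector_focus", "previous_targeting", "current_events"]))
    # Same capability with no intent indicators observed -> LATENT.
    print(assess(PAGE_MATRIX, []))
```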
4) Threat Actor Profiling
Threat actor profiles compile what is known about an adversary into actionable intelligence:
Threat Actor Profile Template:
┌─────────────────────────────────────────────────────────────┐
│ THREAT ACTOR PROFILE │
├─────────────────────────────────────────────────────────────┤
│ NAME/ALIASES: │
│ Primary: APT29 │
│ Aliases: Cozy Bear, The Dukes, NOBELIUM, Midnight Blizzard │
│ │
│ ATTRIBUTION: │
│ Confidence: High │
│ Nation: Russia │
│ Agency: SVR (Foreign Intelligence Service) │
├─────────────────────────────────────────────────────────────┤
│ MOTIVATION: │
│ Primary: Espionage (political, diplomatic) │
│ Secondary: Economic espionage │
│ Objectives: Intelligence collection on foreign governments, │
│ policy organizations, COVID-19 research │
├─────────────────────────────────────────────────────────────┤
│ CAPABILITY ASSESSMENT: │
│ Technical: Elite (custom malware, zero-days) │
│ Resources: State-level (unlimited) │
│ Operational: Elite (excellent OPSEC, patient) │
├─────────────────────────────────────────────────────────────┤
│ TARGET PROFILE: │
│ Sectors: Government, think tanks, technology, healthcare │
│ Geography: US, Europe, NATO countries │
│ Selection: Strategic value to Russian intelligence │
├─────────────────────────────────────────────────────────────┤
│ TACTICS, TECHNIQUES, PROCEDURES (TTPs): │
│ │
│ Initial Access: │
│ - Spearphishing (T1566.001, T1566.002) │
│ - Supply chain compromise (T1195.002) - SolarWinds │
│ - Valid accounts via password spray (T1078) │
│ - Trusted relationship abuse (T1199) │
│ │
│ Execution: │
│ - PowerShell (T1059.001) │
│ - Windows Management Instrumentation (T1047) │
│ │
│ Persistence: │
│ - Web shells (T1505.003) │
│ - Scheduled tasks (T1053.005) │
│ - Registry run keys (T1547.001) │
│ │
│ Defense Evasion: │
│ - Masquerading (T1036) │
│ - Indicator removal (T1070) │
│ - Process injection (T1055) │
│ │
│ Credential Access: │
│ - LSASS memory (T1003.001) │
│ - Kerberoasting (T1558.003) │
│ │
│ Command and Control: │
│ - HTTPS (T1071.001) │
│ - Domain fronting (T1090.004) │
│ - Encrypted channel (T1573) │
├─────────────────────────────────────────────────────────────┤
│ MALWARE/TOOLS: │
│ Custom: WellMess, WellMail, SUNBURST, TEARDROP │
│ Public: Mimikatz, Cobalt Strike, SDelete │
├─────────────────────────────────────────────────────────────┤
│ INFRASTRUCTURE: │
│ - Compromised legitimate websites │
│ - Cloud services for C2 │
│ - Domain fronting via CDNs │
│ - Frequently rotated domains │
├─────────────────────────────────────────────────────────────┤
│ NOTABLE OPERATIONS: │
│ - 2016: DNC breach │
│ - 2020: SolarWinds supply chain (SUNBURST) │
│ - 2020: COVID-19 vaccine research targeting │
│ - 2021: Microsoft 365 targeting via resellers │
├─────────────────────────────────────────────────────────────┤
│ DETECTION OPPORTUNITIES: │
│ - Monitor for anomalous cloud authentication │
│ - Detect known malware families │
│ - Hunt for LDAP queries and service account abuse │
│ - Monitor for domain fronting indicators │
├─────────────────────────────────────────────────────────────┤
│ RECOMMENDED MITIGATIONS: │
│ - MFA on all accounts, especially privileged │
│ - Restrict PowerShell and WMI │
│ - Monitor cloud service provider logs │
│ - Implement least privilege │
│ - Supply chain security review │
└─────────────────────────────────────────────────────────────┘
Building Actor Profiles:
Profile Development Process:
Step 1: COLLECT
┌─────────────────────────────────────────────────────────────┐
│ Gather all available information: │
│ - Vendor threat reports │
│ - Government advisories │
│ - Academic research │
│ - Internal incident data │
│ - OSINT │
└─────────────────────────────────────────────────────────────┘
Step 2: CORRELATE
┌─────────────────────────────────────────────────────────────┐
│ Link activity to actor: │
│ - Infrastructure overlaps │
│ - Malware code similarities │
│ - TTP patterns │
│ - Targeting consistency │
│ - Timing patterns │
└─────────────────────────────────────────────────────────────┘
Step 3: ANALYZE
┌─────────────────────────────────────────────────────────────┐
│ Derive meaning: │
│ - What motivates this actor? │
│ - What are their capabilities? │
│ - Who do they target and why? │
│ - How do they operate? │
│ - What is their likely next action? │
└─────────────────────────────────────────────────────────────┘
Step 4: DOCUMENT
┌─────────────────────────────────────────────────────────────┐
│ Create structured profile: │
│ - Use consistent template │
│ - Cite sources │
│ - Note confidence levels │
│ - Identify gaps │
│ - Plan for updates │
└─────────────────────────────────────────────────────────────┘
Step 5: OPERATIONALIZE
┌─────────────────────────────────────────────────────────────┐
│ Make profile actionable: │
│ - Extract detection rules │
│ - Develop hunt hypotheses │
│ - Inform defensive priorities │
│ - Brief stakeholders │
│ - Update as new information emerges │
└─────────────────────────────────────────────────────────────┘
Key insight: Profiles are living documents. They should be updated as new operations are observed and as adversary behavior evolves.
5) Attribution Challenges
Attribution—determining who is behind an attack—is one of the most challenging aspects of threat intelligence:
Attribution Levels:
TECHNICAL ATTRIBUTION:
┌─────────────────────────────────────────────────────────────┐
│ "This malware/infrastructure was used in the attack" │
│ │
│ Evidence: Hashes, IPs, domains, code similarities │
│ Confidence: Can be high with good evidence │
│ Limitation: Doesn't prove who used it │
└─────────────────────────────────────────────────────────────┘
OPERATIONAL ATTRIBUTION:
┌─────────────────────────────────────────────────────────────┐
│ "This threat group conducted the attack" │
│ │
│ Evidence: TTP patterns, targeting, timing, infrastructure │
│ Confidence: Moderate to high with multiple indicators │
│ Limitation: Groups can share tools, copy techniques │
└─────────────────────────────────────────────────────────────┘
STRATEGIC ATTRIBUTION:
┌─────────────────────────────────────────────────────────────┐
│ "This nation-state/organization is responsible" │
│ │
│ Evidence: Intelligence sources, geopolitical context │
│ Confidence: Varies widely │
│ Limitation: Often based on classified intelligence │
└─────────────────────────────────────────────────────────────┘
Attribution Challenges:
Why Attribution Is Difficult:
FALSE FLAGS:
┌─────────────────────────────────────────────────────────────┐
│ Adversaries deliberately mislead: │
│ - Using another group's tools │
│ - Mimicking known TTPs │
│ - Leaving false clues (language, metadata) │
│ - Compromising infrastructure of other actors │
│ │
│ Example: Olympic Destroyer (2018) │
│ - Initially attributed to North Korea │
│ - Code contained false flags │
│ - Actually Russian operation (Sandworm) │
└─────────────────────────────────────────────────────────────┘
SHARED TOOLING:
┌─────────────────────────────────────────────────────────────┐
│ Many tools are widely available: │
│ - Cobalt Strike used by many actors │
│ - Mimikatz is ubiquitous │
│ - Public exploit frameworks │
│ - Leaked nation-state tools │
│ │
│ Tool presence alone insufficient for attribution │
└─────────────────────────────────────────────────────────────┘
CONTRACTOR/PROXY OPERATIONS:
┌─────────────────────────────────────────────────────────────┐
│ Attribution to ultimate sponsor difficult: │
│ - Private contractors doing state work │
│ - Criminal groups with state tolerance │
│ - Patriotic hackers with unofficial support │
│ - Plausible deniability by design │
└─────────────────────────────────────────────────────────────┘
INFRASTRUCTURE COMPLEXITY:
┌─────────────────────────────────────────────────────────────┐
│ Infrastructure doesn't equal actor: │
│ - Compromised infrastructure (victim ≠ actor) │
│ - Shared infrastructure across groups │
│ - Infrastructure purchased from third parties │
│ - Bulletproof hosting serving multiple customers │
└─────────────────────────────────────────────────────────────┘
Attribution Best Practices:
Responsible Attribution:
DO:
- State confidence levels explicitly
- Describe evidence supporting attribution
- Acknowledge alternative explanations
- Update attribution as evidence evolves
- Separate technical from strategic attribution
- Consider cui bono (who benefits)
DON'T:
- Attribute based on single indicator
- Ignore false flag possibilities
- Over-rely on geopolitical assumptions
- Claim certainty without evidence
- Attribute publicly without strong evidence
Evidence Hierarchy (Strongest to Weakest):
1. SIGINT/HUMINT (classified intelligence)
2. Multiple independent technical indicators
3. TTP pattern matching across campaigns
4. Infrastructure overlap with known actor
5. Targeting pattern consistency
6. Malware code similarities
7. Geopolitical context alone
8. Language or timezone artifacts
When Attribution Matters:
For Response:
Often doesn't matter - respond to behavior
For Strategy:
Matters for long-term defense investment
For Policy:
Matters for diplomatic/legal action
For Intelligence:
Matters for tracking and prediction
Key insight: Perfect attribution is often impossible and sometimes unnecessary. Focus on behavior and defense—you can counter techniques without knowing who uses them.
Real-World Context
Case Study: APT41 - The Blurred Line
APT41 exemplifies the blurring of threat actor categories. Attributed to China, the group conducts both state-sponsored espionage AND financially-motivated cybercrime. Their espionage operations target healthcare, telecommunications, and technology sectors for strategic intelligence. Their criminal operations target video game companies for virtual currency theft. Same group, same tools, different motivations depending on the operation. This dual nature complicates defense—organizations must prepare for both espionage-style persistence AND criminal smash-and-grab tactics.
Case Study: Ransomware Evolution
Ransomware operators demonstrate how threat actors evolve. Early ransomware was opportunistic spray-and-pray. Modern groups like LockBit operate as sophisticated businesses with affiliate programs, negotiation teams, and PR strategies. They conduct careful reconnaissance, target organizations that can pay, time attacks for maximum leverage, and adapt tactics based on victim response. Understanding this evolution—from opportunistic to targeted, from technical to business-focused—enables better defensive strategies than treating all ransomware the same.
Major Threat Actor Reference:
Key Nation-State Actors:
RUSSIA:
- APT28 (Fancy Bear/GRU): Military intelligence
- APT29 (Cozy Bear/SVR): Foreign intelligence
- Sandworm (GRU): Destructive operations
- Turla (FSB): Espionage
CHINA:
- APT1 (Unit 61398): Economic espionage
- APT10 (Stone Panda): MSP targeting
- APT40 (Leviathan): Maritime/naval
- APT41 (Wicked Panda): Dual espionage/crime
NORTH KOREA:
- Lazarus Group: Financial theft, espionage
- APT38: Bank heists (SWIFT)
- Kimsuky: Espionage, think tanks
IRAN:
- APT33 (Elfin): Aerospace, energy
- APT34 (OilRig): Middle East focus
- APT35 (Charming Kitten): Espionage
- MuddyWater: Government targeting
Key Criminal Groups:
- LockBit: Ransomware-as-a-Service
- ALPHV/BlackCat: Ransomware, data theft
- FIN7/Carbanak: Financial theft
- Scattered Spider: Social engineering, SIM swap
Tracking threat actors is an ongoing effort. Groups rebrand, split, merge, and evolve. Focus on behaviors and TTPs that persist across name changes.
Guided Lab: Threat Actor Profiling
In this lab, you'll build a comprehensive threat actor profile using open source intelligence and vendor reports.
Lab Environment:
- Web browser for OSINT research
- MITRE ATT&CK Navigator
- Profile template
- Access to vendor threat reports
Exercise Steps:
- Select a threat actor (assigned or chosen from list)
- Gather reports from at least 3 different sources
- Document known aliases and naming conventions
- Analyze motivation and objectives
- Assess capabilities using framework
- Map TTPs to MITRE ATT&CK
- Document known malware and infrastructure
- Develop detection recommendations
- Create ATT&CK Navigator layer for the actor
Reflection Questions:
- How did different sources describe the same actor?
- What gaps exist in available intelligence?
- How confident are you in the attribution?
Week Outcome Check
By the end of this week, you should be able to:
- Categorize threat actors by type and motivation
- Analyze adversary motivations to predict behavior
- Assess threat actor capabilities systematically
- Build comprehensive threat actor profiles
- Understand attribution challenges and limitations
- Apply the capability/intent framework for prioritization
- Map threat actors to relevant MITRE ATT&CK techniques
- Develop defensive recommendations based on actor TTPs
🎯 Hands-On Labs (Free & Essential)
Build threat actor profiles before moving to reading resources.
🎮 TryHackMe: MITRE ATT&CK
What you'll do: Explore ATT&CK structure and map techniques to adversaries.
Why it matters: ATT&CK is the backbone of actor profiling.
Time estimate: 1.5-2 hours
🧠 Threat Actor Profile: MITRE + Mandiant
What you'll do: Build a profile using MITRE ATT&CK Groups and Mandiant intel.
Why it matters: Cross-source analysis improves attribution confidence.
Time estimate: 60-90 minutes
🧭 ATT&CK Navigator: Actor Technique Layer
What you'll do: Build a technique layer for a selected actor.
Why it matters: Visual layers clarify detection gaps and priorities.
Time estimate: 45-60 minutes
🧩 Lab: Supply Chain Actor Profile
What you'll do: Profile an actor known for supply chain activity.
Deliverable: One-page profile with targets, access methods, and TTPs.
Why it matters: Supply chain actors use different access paths than typical intruders.
Time estimate: 60-90 minutes
💡 Lab Tip: Note where multiple sources disagree; uncertainty is part of attribution.
🧩 Supply Chain Adversaries
Some actors specialize in supplier compromise and downstream access. Profiling these groups helps prioritize third-party risk.
Supply chain actor signals:
- Targeting of build systems or update pipelines
- Abuse of trusted vendor access
- Long-dwell, low-noise campaigns
- Focus on widespread downstream impact
📚 Building on CSY101 Week-13: Threat model upstream dependencies and shared services.
Resources
Lab
Complete the following lab exercises to practice threat actor analysis and profiling.