What is a Threat Actor? 

A threat actor is an individual or group that launches attacks against specific targets, typically employing a particular style in an attempt to gain notoriety. Threat actor is a broad term for a person that is looking to cause damage to a company’s reputation, financial standing, and/or overall security posture.

A Forrester podcast noted the emergent connection between threat actors and artificial intelligence (AI), detailing how threat actors are increasingly using AI to create very convincing fake identities that can lead organizations to take potentially damaging actions.

Threat Actor Targets

It's no secret why top threat actors continually target large enterprise organizations: they have deeper pockets than small to midsize enterprises. It’s a bigger risk to go after bigger targets, but the greater the risk, the greater the financial reward.

The only reason a threat actor might target a smaller enterprise could be that the organization is a vendor that is part of a supply chain linked to a larger organization – the threat actor’s actual target. All that said, some industries that continue to be prime targets of threat actors are finance, healthcare, and pharmaceuticals.

These are big-time industry verticals featuring some blue-chip brands from which threat actors dream of exploiting millions or potentially billions of dollars. Those brands employ robust security operations centers (SOCs) to protect their sensitive data, so the bar is set high for threat actors who would go after such lofty targets.

What Motivates Threat Actors? 

Threat actors are motivated by money, first and foremost. But what are the ways in which threat actors earn money? By selling information. Thus data becomes the primary target when a threat actor attempts a breach. Let's take a look at how money and perhaps some less illustrious forms of motivation can keep a threat actor's eyes on the prize. 

Financial Gain

As previously discussed, companies in heavily regulated industries like healthcare and financial services are some of the wealthiest in the world. If a threat actor is able to compromise the security protocols of such a company, the prize could be an astounding sum of money.

Insider Espionage

Insider threats arise when an employee or contractor seeks a way to potential financial gain or has a vendetta against the company for whom they work or partner. This could be most troublesome in the form of the employee stealing customer data, proprietary financial information on the company, or identity and access management (IAM) tools – passwords, encryption keys, etc. – to sell to bad actors.


Ransomware is nefarious code or actions attackers leverage to hold a company’s data hostage, with the ultimate goal of forcing a business to pay a ransom for the return of its stolen data. While a security organization can never be fully impenetrable to ransomware attacks, they can take steps to defend their attack surface or mitigate the effects of such an attack.

Political Influence

As the world has experienced in the recent past, the growing influence of state-sponsored threat actors on elections and political activities around the globe has seen exponential growth in the past decade. These types of threat actors are looking to influence elections and target country’s voting citizens by leveraging AI, social media, and the electronic apparatus tied to the voting process itself.

Types of Threat Actors

While we've discussed certain categories of activities and the motivations that spark a threat actor to action, let's now take a look at some of the more rigid definitions of the types of threat actors currently operating at a large scale. 

Nation-State Actors

These threat actors may be directly employed by an arm of a national government or may be from an organized crime entity employed by a national government. They generally have deep resources and their collective motivations run across the spectrum.

Because nation-state actors are funded extremely well relative to small groups and individuals, they can be particularly formidable adversaries for other countries and for commercial industries. Nefarious nation-state-sponsored cyber activity can have devastating effects on a country’s national security and its economy.


According to the National Institutes of Health (NIH), "an act of cyberterrorism involves using the internet and other forms of information and communication technology to threaten or cause bodily harm to gain political or ideological power through threat or intimidation." 

This is particularly true with regard to essential services of state and federal governments all over the world. If a group of cyberterrorists had the proper motivation, targeting essential services such as power grids, hospital infrastructure, and city management services could have devastating effects.


Hacker activists – or hacktivists – typically are not motivated by financial gain when waging their attacks. In this way, they're closely related to open-source projects and are similarly constrained by the talent they attract. Since anyone can contribute to an open-source project it would seem like their resources are infinite, but in reality hacktivist groups have the arduous task of convincing people to work for them for free.

For this reason, hacktivists typically don’t display the level of operational sophistication as other types of threat actors. Hacktivist groups typically have less of an actual attack path when waging an attack, therefore they're perfectly fine trying low-overhead attacks that are less targeted and more opportunistic.


Cybercriminals are, perhaps, the most common threat-actor archetype when one thinks of someone targeting a company over the internet. Many cybercriminals are not only interested in obtaining personal information but also seek corporate information that could be sold to the highest bidder.

They deploy ransomware to hold data hostage, perpetrate social engineering and/or phishing attacks, and will seek out exploitable network vulnerabilities in an attempt to gain access to information deemed valuable either to the company, another threat actor group – or both.

Threat Actor Tactics

Of course, different types of threat actors are going to have different tactics, techniques, and procedures (TTPs) they leverage to achieve their ultimate goals. Modern threat-actor outfits are now finding ways to keep an organization in their grip for longer, creating a sort of nightmare scenario for higher-profile companies.

  • Double extortion: Threat actors not only demand a ransom for the data they've stolen and encrypted but also extort organizations for a second time — pay an additional fee, or they'll leak the data.
  • Phishing: Posing as a legitimate business or internal employee is an increasingly effective way to deploy malware onto a network. This methodology attempts to trick targets into divulging sensitive information like passwords or customer data.
  • Ransomware as a service (RaaS): With RaaS, threat actors can simply purchase malicious software from a provider, who takes a cut of the payout. The result is a broader and more decentralized network of ransomware attackers.
  • Access brokers: A kind of mirror image to RaaS, access brokers give a leg up to bad actors who want to run ransomware on an organization's systems but need an initial point of entry.
  • Lateral movement: Once a ransomware attacker has infiltrated an organization's network, they can use lateral movement techniques to gain a higher level of access and ransom the most sensitive data.
  • Distributed-denial-of-service (DDoS): A basic DoS attack involves a single system attacking another system. A DDoS attack typically involves a number of systems (even into the hundreds of thousands) under an attacker’s control, all simultaneously attacking a target.

How to Protect Yourself from Threat Actors

Remember, the term "threat actor" can encompass many different types of perpetrators committing many different types of criminal acts on enterprise networks. But there are a few common tactics SOC analysts and practitioners can leverage to successfully thwart cyber criminals.

Security Awareness Training 

Security awareness training can encompass many different topics of network defense methodologies, but the overall point of this type of educational program is really to train the type of employee that doesn’t work in cybersecurity.

Whether it’s educating a workforce on malware, desktop security, wireless networks, or phishing, enterprise leaders should understand what goes into building a security awareness training program, get involved, and offer feedback throughout the process.

Network Security and Endpoint Defenses

There are many components of an enterprise “network.” A lot are digital, but there may be a larger amount of physical components – or endpoints – than you may think. Network security is the in-depth practice of building a defensive and offensive framework around an organization’s physical and cloud environments.

Network security processes can include reviewing active directory groups, enabling multi-factor authentication (MFA), and maintaining a strong cloud security posture. At the same time, a network is only as strong as its weakest endpoint (laptops, mobile devices, servers, etc.). Because the vulnerabilities on that endpoint could be exactly what a threat actor needs to breach the network and begin lateral movement to their ultimate goal.

Identity and Access Management

Requiring an employee or system user to authenticate their identity through multiple steps of verification is a best practice to ensure they’re not actually a threat actor posing as someone who has a right to be on the network.

IAM protocols implement a security layer between users and on-premises or cloud-based servers and applications. Components of IAM can include password management, security policy enforcement, MFA, and/or access monitoring and alerting.

Read More

Threat Intelligence: Latest Rapid7 Blog Posts