Technology Tap
Cybersecurity Fundamentals: Understanding Threat Actors Chapter 2 Part 1
Dive deep into the world of cybersecurity threat actors with Professor J-Rod as we unpack the essential definitions from Chapter 2 of the Security+ 701 certification exam. This knowledge-packed episode breaks down the critical foundation of information security risk management through clear, actionable explanations.
We start by exploring the trinity of cybersecurity concepts: vulnerability (weaknesses in systems or processes), threats (potential causes of unwanted incidents), and risk (the potential impact when threats exploit vulnerabilities). Understanding the relationship between these concepts—and the formula Risk = Threat × Vulnerability × Impact—provides the framework for all security planning and mitigation strategies.
The heart of this episode focuses on threat actors—who they are, what motivates them, and how they operate. From script kiddies to sophisticated nation-state actors, from financially-motivated cybercriminals to ideologically-driven hacktivists, we examine the full spectrum of adversaries organizations face today. You'll learn to distinguish between white hat, black hat, and gray hat hackers, understand the dangerous capabilities of Advanced Persistent Threats (APTs), and recognize the unique challenges posed by insider threats who already have legitimate access to your systems.
Whether you're studying for your Security+ certification or working to strengthen your organization's cybersecurity posture, this episode provides the foundational knowledge needed to identify, classify, and respond to the diverse threat landscape. Complete with practice questions to test your understanding, this guide will help you think like both defender and attacker—a crucial skill in today's digital battlefield. Follow Professor J-Rod on TikTok or email your cybersecurity questions directly to continue your learning journey.
If you want to help me with my research, please e-mail me.
Professorjrod@gmail.com
If you want to join my question/answer Zoom class, e-mail me at
Professorjrod@gmail.com
Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions
Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod
And welcome to Technology Tap. I'm Professor J-Rod. In this episode: Security Plus 701, chapter 2. Let's get into it. All right, welcome everyone to Technology Tap. For those of you who don't know me, my name is Professor J-Rod and I'm a professor of cybersecurity, and I'm here to help students pass their A+, Network+ and Security+ exams. So on this episode we're going to do the Security+ exam, the 701, chapter 2. And, as I stated before, this is mostly a definition-class exam for the most part. So we're going to go over a lot of definitions today.
Speaker 1: First we're going to talk about the three terms that form the foundation of information security risk management, which are vulnerability, threat and risk. Number one is vulnerability: a weakness in a system, application, process or control that can be exploited. It can exist in software (unpatched software), hardware (for example, open ports), or human behavior (weak passwords). The examples that they give are outdated operating systems with known security flaws, misconfigured firewalls and lack of employee training. Threat is a potential cause of an unwanted incident which may result in harm. It can be intentional, by a hacker, or unintentional: a natural disaster, or human error. Human error is possible. I've seen it. Somebody clicks on something they're not supposed to. Examples: malware spreading via email, an insider leaking data, ransomware targeting a known exploit, an earthquake damaging a data center. Next is risk: the potential impact, damage or loss when a threat exploits a vulnerability, expressed as the combination of likelihood and impact. There's actually a formula for it: Risk equals threat multiplied by vulnerability multiplied by impact. Example: if a threat actor exploits an unknown vulnerability in an unpatched web server, the risk is data being breached. If an employee falls for a phishing scam, the risk is credential theft and system compromise. A real-world example: a hospital has an outdated Windows machine. That's the vulnerability. A criminal group launches a ransomware campaign. That's the threat. And the outdated system gets infected and shuts down patient records. That's the risk.
Speaker 1: Attributes of threat actors. Understanding the attributes of threat actors helps cybersecurity professionals identify, classify and respond to different types of cyber threats more efficiently. Internal versus external: internal has legitimate access, your employee, your contractor. External operates outside the organization: a hacker or competitor. Then there are the attributes. The attribute is level of sophistication; the description ranges from low, script kiddies, to high, nation-state actors. High sophistication may include custom malware and zero-day exploits. The attribute resources and funding; the description is the threat actor's available tools: commodity malware versus custom-built toolkits.
Speaker 1: The attribute motivation; the description is financial, political, ideological or personal, like revenge. The attribute capability and skill set; the description is technical skills, knowledge of systems and the ability to exploit weaknesses. Affiliation is the attribute; the description is independent, a lone hacker, or affiliated with a group: a cyber gang, nation state, or an activist collective. Targeting behavior: opportunistic attacks with known vulnerabilities; targeted chooses a specific victim, a CEO, companies, government. And the last attribute is tactics, techniques and procedures, and the description is patterns of behavior and tools used during an attack.
Speaker 1: It helps in attribution and defense. Used in cyber defense: knowing the attributes of a threat actor helps you tailor security controls, prioritize threats by potential impact, develop effective incident response, and improve attribution, or who is behind the attack. Next, motivation of threat actors. Understanding why threat actors launch attacks is crucial for building risk assessments, designing security controls and developing incident response strategies. Threat actors' motivations directly influence their tactics, targets and level of persistence. The motivation is financial gain; the description is profit-driven activities such as theft, fraud and extortion. Example: ransomware, credit card theft.
Speaker 1: Right. The motivation is political. Description: promote political agendas, conduct espionage or disrupt opponents. Examples: nation-state attacks, cyber warfare, sabotage. Motivation: ideological. Description: driven by facts, I'm sorry, driven by beliefs or causes, right? Religion, environmental, right, animal rights activists. The example: hacktivists, right. Anonymous, right, is an example.
Speaker 1: Motivation: revenge, personal. Description: retaliation for perceived wrongdoing or personal grievance. The example: a disgruntled employee leaking or destroying data. Motivation: reputational challenge. Description: seeking fame, recognition or skill. The examples are bug bounty and white hat, or website defacement. Listen, if you're going to go out there in the middle of Times Square and say my website cannot be hacked, by the time you get to the office it's hacked, right. It's like that guy from LifeLock who said here's my social security number, try to hack it. And people did. They didn't buy outrageous stuff. I think the most that they bought was cell phones. That was the number one thing, but LifeLock didn't protect it 100%, so I don't know what he did. I wonder how many people use the social security number for work.
Speaker 1: Motivation: strategic advantage. Description: long-term surveillance or control to gain a geopolitical, economic or military edge. Examples are your APTs, your advanced persistent threats, cyber espionage. Motivation: disruption and chaos. Description: cause confusion, downtime or disorder without a clear financial or ideological goal. Example: disruptive malware or wiper attacks.
Speaker 1: Motivation: accidental or unintentional. Actions without malicious intent that still cause harm. Example: employee misconfiguration or weak password usage. Motivation by actor type: cyber criminals are going to have financial gain. Nation-state actors are for political reasons, espionage. Hacktivists: ideological, political. Insiders: revenge, personal gain. Insiders: accidental, unintentional. Script kiddies: reputational, fun and challenge. Why motivation matters: understanding motivation helps security teams predict behavior, who, how and when, prioritize high-value assets and align defense strategy with threat models. Hackers and hacktivists: there are two distinctive types of threat actors, each with different skills, goals and ethical boundaries. Understanding their behavior helps tailor organizational defenses accordingly.
Speaker 1: Who are hackers? A hacker is someone who's skilled in technology, who explores, manipulates or exploits systems and networks. Hackers fall into various categories based on intent and authorization. You have white hat hackers, black hat hackers, gray hat, script kiddies, blue hat, red team, green hat, right. Those are your types of hackers. White hat is our ethical hackers who test systems with permission. Black hat: malicious hackers who break into systems without authorization for personal gain. Gray hat: operating in between, may exploit flaws without permission, but not always malicious. Script kiddies: inexperienced individuals who use pre-made tools or scripts without full understanding. Blue hat team: security professionals hired to test software for bugs before public release. Red hat team: offensive security experts simulating real-world attacks to improve defense. Green hat: hackers in training, who are learning to become skilled in ethical hacking. Who are hacktivists? Hacktivist is hacker plus activist.
Speaker 1: They use hacking technologies to promote political, social or ideological agendas. Their goal isn't personal, but to make a statement or drive awareness. Characteristics of hacktivists: they often target governments, corporations or institutions they view as corrupt or unjust; use techniques like website defacement, data leaks and DDoS attacks; and operate under a moral or ethical justification, right. The example that they give is the group Anonymous. Let's see. They do a comparison, hackers versus hacktivists, right? Hackers: their motivation is profit, curiosity, challenge, fame.
Speaker 1: Hacktivists: political, ideological beliefs. Targets for hackers are broad: personal, corporate, public. Hacktivists, they're very specific, or political entities. Techniques: for hackers there are widely different ways. For hacktivists, they use website defacements and DDoS. Of course, whether it's legal varies: white hats are legal, black hats are not. For hacktivists, it's generally not legal, right. They're all illegal. Let's see.
Speaker 1: Next we talk about nation-state actors and advanced persistent threats. Nation-state actors and APTs are the most dangerous and sophisticated threat actors in the cybersecurity landscape. They are capable of long-term, stealthy and highly targeted operations designed to serve the strategic, political, economic or military interests of a country. Nation-state actors: threat actors sponsored, funded or directed by a national government. The objectives are espionage, steal sensitive government, corporate or research data; disruption, cripple critical infrastructure, power grids, hospitals; sabotage, dismantle rival capabilities, nuclear, defense; propaganda and influence, spread disinformation or manipulate public opinion; cyber warfare, prepare digital battlegrounds for geopolitical advantage.
Speaker 1: Characteristics: they operate with a lot of money. Right, these guys have a lot of money because they're backed by a state. They often have legal and political immunity. Highly skilled teams with access to zero-day vulnerabilities. Use of false flag operations. May operate via front companies or third-party contractors.
Speaker 1: Advanced persistent threat: a prolonged and targeted cyber attack in which an intruder gains access and remains undetected for an extended period, usually backed by a nation state. Their lifecycle: initial access, spear phishing, exploiting zero-day vulnerabilities. They establish a foothold by deploying malware and creating backdoors. They escalate privileges; they gain admin or root access. Internal reconnaissance: map the network and identify valuable assets. Lateral movement: spread across the system undetected. Data exfiltration: steal sensitive data over time. Maintain persistence: leave hidden tools for future access. Key attributes: stealthy and adaptive, and they have a long, long-term presence, usually months or years, to this day. Notable APT groups: Fancy Bear, which is allegedly Russian; Cozy Bear, allegedly Russian; Comment Crew, allegedly China; Lazarus Group, which is North Korean; and APT33, which is allegedly Iran. All right, why are they dangerous? They're difficult to detect and remove.
Speaker 1: Long-term espionage and sabotage; strategic impact on national security, the economy and critical infrastructure. Then you have organized crime and competitors as threat actors. In the cybersecurity world, organized crime groups and corporate competitors represent distinctive but highly dangerous threats, often motivated by financial gain, intellectual property theft and strategic disruption.
Speaker 1: Organized crime threat actors: criminal organizations that use cyberattacks to conduct illegal activities for profit. They operate like a business, with hierarchies, resources and long-term plans. Key characteristics: they're well-funded and structured like a cartel or mafia. They operate across multiple jurisdictions, making prosecution difficult. They offer a crime-as-a-service model: ransomware as a service. Highly collaborative, they work with brokers, launderers and malware developers. They use social engineering, ransomware, phishing and fraud as primary tactics. Common activities: ransomware, financial fraud on credit card companies, data breaches and identity theft, and cryptojacking, hijacking computing resources to mine cryptocurrency.
Speaker 1: Corporate competitors, or cyber espionage: business rivals who engage in unauthorized access to sensitive data or sabotage for competitive advantage, often linked to industrial espionage. Key characteristics: many use insider threats, bribes or malware to obtain proprietary information. More common in high-value sectors: tech, pharma, aerospace, finance. Tactics can be subtle: data theft, supply chain compromise, disinformation campaigns. Common targets are trade secrets, patents, proprietary algorithms, and employee credentials for lateral movement.
Speaker 1: Internal threat actors are individuals within an organization who pose a risk to data, systems and operations, either intentionally or unintentionally. Unlike external attackers, insiders have legitimate access, making their actions harder to detect and stop. Who you got to worry about? It's the guy inside. It's the guy who has access already, right? It's not the guy sitting in the basement. It's this guy, right, either on purpose or by accident, right. You never know when this might happen. This is the one guy you've got to be worried about the most. Types of internal threat actors: you have your malicious actors.
Speaker 1: Intentional threat actors within the organization may act out of revenge, greed, ideology or coercion. Examples: a disgruntled employee deleting critical files, an insider selling customer data to competitors, a contractor installing spyware to steal trade secrets. Two, unintentional insiders: cause harm without malicious intent, often due to lack of training, negligence or mistakes. Example: an employee clicking on a phishing link, misconfiguring a cloud storage bucket and exposing data, or sending sensitive data to the wrong recipients. Then you have your shadow IT users: employees using unauthorized hardware, apps or services, bypassing official IT policies and increasing risk. Using a personal Dropbox for company files, setting up a rogue wireless access point (I've seen that), and installing unapproved browser extensions.
Speaker 1: Indicators of insider threats: unusual login times or locations, high volume of file transfers, accessing data unrelated to job duties, sudden changes in behavior or performance, and attempting to disable monitoring tools. Mitigating insider threats: use least privilege, only give users access to what they need. User activity monitoring: log and review actions. Security awareness training: teach users about phishing, policies and risk. Background checks: vet employees and contractors during onboarding. Incident response planning: establish a protocol for insider incidents. Separation of duties: split crucial tasks to avoid abuse of authority. All right, that takes care of part one of chapter two.
Speaker 1: Let's go on to the questions, all right? Question one: which attribute describes the level of expertise and technical knowledge a threat actor brings to an attack? A, resources; B, capabilities; C, sophistication; D, motivation. Which attribute describes the level of expertise and technical knowledge a threat actor brings to an attack? A, resources; B, capability; C, sophistication; D, motivation. Right, so the level of expertise and technical knowledge. So the answer is what? The answer is C, sophistication, right. He knows all of this stuff. All right.
Speaker 1: Next, number two: a threat actor backed by a government and capable of developing zero-day exploits demonstrates which attribute? A, low resources; B, high resources and funding; C, opportunistic targeting; D, accidental affiliation. I'll read it again. A threat actor backed by a government and capable of developing zero-day exploits demonstrates which attribute? A, low resources; B, high resources and funding; C, opportunistic targeting; D, accidental affiliation. Think about it for a second. Which one do you think it is? The answer is B, high resources and funding. The clue is backed by a government, right? Government has a lot of money.
Speaker 1: Which attribute explains why a threat actor conducts malicious activity? A, motivation; B, affiliation; C, TTPs. Again, which attribute explains why a threat actor conducts malicious activity? A, motivation; B, affiliation; C, targeting; D, TTPs. And the answer is what, guys? What do you think? The answer is A, motivation, right. When he's doing malicious activity, there's a reason why; there's a motivation for that.
Speaker 1: A hacktivist group launching a DDoS attack against a financial institution for ideological reasons best illustrates which threat actor attributes? A, motivation and targeting; B, sophistication and funding; C, capabilities and resources; and D, affiliation and tactics, techniques and procedures. The answer is A, motivation and targeting. Right, hacktivists, they're motivated by something. They have a specific target in mind. All right, last one: which attribute refers to techniques and operational methods a threat actor commonly employs? A, motivation; B, targeting; C, TTPs, tactics, techniques and procedures; and D, resources. Read it again: which attribute refers to techniques and operational methods a threat actor commonly employs? A, motivation; B, targeting; C, TTPs; and D, resources. Think about it for a minute, and the answer is C, tactics, techniques and procedures. All right, hope you got them all right. If you did, put your patches up on the back.
Speaker 1: This is going to be it for chapter two. This is part A of the Security Plus 701 exam. Until next time, thanks. This has been a part of Little Chacha Productions. Art by Sarah, music by Joakim. You can follow me on TikTok at ProfessorJRod. That's P-R-O-F-E-S-S-O-R-J-R-O-D, and you can email me at ProfessorJRod@gmail.com.