Explaining Threat Actors and Threat Intelligence
Presentation Outline
1. Explain Threat Actor Types and Attack Vectors: Delve into the various classifications of malicious entities and the methods they employ to compromise systems.
2. Explain Threat Intelligence Sources: Discover where cybersecurity professionals gather information about emerging threats and attacker tactics.
Understanding Vulnerability, Threat, and Risk
As part of security assessment and monitoring, security teams must identify ways in which their systems could be attacked. These assessments involve understanding vulnerabilities, threats, and risks.
Vulnerability
• Asset value
• Ease of exploit
Threat
• Internal/external
• Malicious/accidental
• Threat actor
• Threat vector
Risk (Impact * Likelihood)
The combination of impact and likelihood quantifies the potential harm. A robust security posture requires proactive identification and mitigation of these elements to safeguard digital assets.
Defining Vulnerability: Weaknesses in Your Defenses
A vulnerability is a weakness that could be triggered accidentally or
exploited intentionally to cause a security breach.
Examples of vulnerabilities include:
Improperly configured or installed hardware or software
Delays in applying and testing software and firmware patches
Untested software and firmware patches
The misuse of software or communication protocols
Poorly designed network architecture
Insecure password usage
Threats and Risks: Exploitation and Impact
Threat
The potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector.
Risk
The likelihood and impact (or consequence) of a threat actor exploiting a vulnerability. To assess risk, you identify a vulnerability and then evaluate the likelihood of it being exploited by a threat and the impact that a successful exploit would have.
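As an added worked example (not part of the original slides), the following Python builds a small risk register that applies the deck's Risk = Impact * Likelihood model: impact is taken from asset value, likelihood from ease of exploit adjusted for the threat's internal/external and malicious/accidental attributes. The 1 to 5 scales, the +1 adjustments, and the sample findings are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset_value: int      # 1 (low) to 5 (critical); drives impact
    ease_of_exploit: int  # 1 (hard) to 5 (trivial); drives likelihood

@dataclass(frozen=True)
class Threat:
    actor: str        # threat actor / threat agent
    vector: str       # attack vector (the path or tool used)
    internal: bool    # insider with granted permissions?
    malicious: bool   # intentional (True) or accidental (False)

def impact(v: Vulnerability) -> int:
    # Impact of a successful exploit is tied to the value of the asset at risk.
    return v.asset_value

def likelihood(v: Vulnerability, t: Threat) -> int:
    # Ease of exploit is the base. An insider already holds access, and a
    # malicious actor will actively look for the weakness, so each adds one
    # point (assumed weighting), capped at the top of the scale.
    score = v.ease_of_exploit
    if t.internal:
        score += 1
    if t.malicious:
        score += 1
    return min(score, 5)

def risk(v: Vulnerability, t: Threat) -> int:
    # The deck's formula: Risk = Impact * Likelihood (range 1 to 25).
    return impact(v) * likelihood(v, t)

def rank_register(findings):
    # Return (vulnerability name, actor, risk score) sorted highest risk
    # first, so mitigation effort goes to the top entries.
    scored = [(v.name, t.actor, risk(v, t)) for v, t in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)

# Constructed sample findings (not from the slides).
SAMPLE_FINDINGS = [
    (Vulnerability("Unpatched VPN appliance", 5, 4),
     Threat("external hacker team", "remote access", False, True)),
    (Vulnerability("Unlocked lobby workstation", 3, 5),
     Threat("contractor", "direct access", True, False)),
    (Vulnerability("Weak cloud console password", 4, 3),
     Threat("script kiddie", "cloud", False, True)),
]
```

Calling rank_register(SAMPLE_FINDINGS) returns the VPN finding first (5 * 5 = 25), then the cloud password (4 * 4 = 16), then the unlocked workstation (3 * 5 = 15).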
Attributes of Threat Actors: Internal vs. External
External Threat Actors
• No authorized access: Operates from outside the target system.
• Infiltration methods: Must use malware and/or social engineering to bypass security.
• Remote or on-premises: Can attack remotely or physically infiltrate the company's location.
• Definition of external: Refers to the actor's relationship to the system, not the attack method.
Internal Threat Actors (Insiders)
• Granted permissions: Has authorized access to the system.
• Common sources: Typically employees, but also contractors and business partners.
• Risk: Their existing access can make them particularly dangerous, even if actions are unintentional.
Intent and Motivation Behind Cyber Attacks
Intent: What an Attacker Hopes to Achieve
• Vandalize and disrupt a system
• Steal sensitive information or assets
• Gain unauthorized access or control
• Cause financial damage
Motivation: The Attacker's Reason
• Greed (financial gain)
• Curiosity or intellectual challenge
• Grievance or revenge
• Political or ideological agenda (Hacktivism)
Understanding the difference between intent and motivation helps in anticipating threat actor behavior and developing
targeted defenses. Both malicious and accidental actions can lead to security incidents.
Categories of Threat Actors: From Script Kiddies to State Actors
Hackers
Individuals with skills to gain unauthorized access. Defined by their motivations: black hat (unauthorized), white hat (authorized), and gray hat (semi-authorized).
Script Kiddies
Use pre-made hacking tools without full understanding, often for attention rather than specific goals.
Hacker Teams & Hacktivists
Organized groups that collaborate to develop sophisticated attacks, often driven by political or social agendas (e.g., Anonymous).
State Actors & APTs
Nation-states using cyber warfare for espionage, strategic advantage, or commercial gain. Often characterized by Advanced Persistent Threats (APTs).
Common Attack Vectors: Paths to Exploitation
An attack vector is the path a threat actor uses to gain access to a secure system, typically to run malicious code.
Direct Access
Physical or local attacks, e.g., exploiting an unlocked workstation or using a boot disk.
Removable Media
Malware concealed on USB drives or memory cards, tricking users into connecting them.
Email & Communications
Malicious attachments sent via email or other messaging, relying on social engineering.
Remote & Wireless
Gaining credentials or cracking protocols for remote/wireless network access, or spoofing trusted resources.
Web & Social Media
Malware hidden in posts, downloads, or compromised sites leading to drive-by downloads.
Cloud
Targeting weak credentials in cloud services or compromising Cloud Service Providers (CSPs).
THREAT RESEARCH SOURCES
• Threat research is a counterintelligence gathering effort in which security
companies and researchers attempt to discover the tactics, techniques, and
procedures (TTPs) of modern cyber adversaries.
• There are many companies and academic institutions engaged in primary
cybersecurity research.
• Security solution providers with firewall and anti-malware platforms derive a lot
of data from their own customers' networks.
• As they assist customers with cybersecurity operations, they are able to analyze
and publicize TTPs and their indicators.
• These organizations also operate honeynets to try to observe how hackers
interact with vulnerable systems.
• Another primary source of threat intelligence is the dark web.
• The deep web is any part of the World Wide Web that is not indexed by a search
engine.
• This includes pages that require registration, pages that block search indexing,
unlinked pages, pages using nonstandard DNS, and content encoded in a
nonstandard manner.
• Within the deep web, are areas that are deliberately concealed from "regular"
browser access.
• Dark net—a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity.
• Dark web—sites, content, and services accessible only over a dark net. While there are dark web search engines, many sites are hidden from them. Access to a dark web site via its URL is often only available via "word of mouth" bulletin boards.