Threat Actors | CompTIA Security+ SY0-601 | 1.5a

In this video you will learn about threat actors such as: advanced persistent threats, insider threats, state actors, hacktivists, script kiddies, criminal syndicates, hackers, shadow IT, & corporate espionage.

Advanced Persistent Threat (APT)

An advanced persistent threat is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.[1]  In recent times, the term may also refer to non-state-sponsored groups conducting large-scale intrusions for specific goals.[2]  Such threat actors’ motivations are typically political or economic.[3]  Every major business actor has recorded instances of cyberattacks by advanced actors with specific goals, whether to steal, spy, or disrupt.  These targeted sectors include government, defense, financial services, legal services, industrial, telecoms, consumer goods & many more.[4]  Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks.  The purpose of these attacks is to install custom malware.[5]

Insider Threats

An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.  The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.  The insider threat comes in 3 categories:

  • Malicious Insiders:  people who take advantage of their access to inflict harm on an organization.
  • Negligent Insiders:  people who make errors & disregard policies, which place their organizations at risk.
  • Infiltrators:  external actors that obtain legitimate access credentials without authorization.

Insiders may have accounts giving them legitimate access to computer systems, with this access originally having been given to them to serve in the performance of their duties; these permissions could be abused to harm the organization.  Insiders are often familiar with the organization’s data and intellectual property as well as the methods that are in place to protect them.  This makes it easier for the insider to circumvent any security controls of which they are aware.  Physical proximity to data means that the insider does not need to hack into the organizational network through the outer perimeter by traversing firewalls; rather they are in the building already, often with direct access to the organization’s internal network.  Insider threats are harder to defend against than attacks from outsiders, since the insider already has legitimate access to the organization’s information and assets.[6]  An insider may attempt to steal property or information for personal gain or to benefit another organization or country.[6]  The threat to the organization could also be through malicious software left running on its computer systems by former employees, which are called logic bombs.

State Actors

State actors are hackers that work for a government to disrupt or compromise target governments, organizations or individuals to gain access to valuable data or intelligence, and can create incidents that have international significance.  They might be part of a semi-hidden “cyber army” or “hackers for hire” for companies that are aligned to the aims of a government or dictatorship.  State actors know exactly what they’re getting into, and know full well that the mayhem they’re spreading is supported by their state.[7]


In Internet activism, hacktivists use computer-based techniques such as as hacking as a form of civil disobedience to promote a political agenda or social change.[8]  With roots in hacker culture and hacker ethics, its ends are often related to free speech, human rights, or freedom of information movements.[9]  Hacktivist activities span many political ideals and issues.  Hacking as a form of activism can be carried out through a network of activists, such as Anonymous and WikiLeaks, or through a singular activist, working collaboration toward common goals without an overarching authority figure.[10]  ‘Hacktivism’ is a controversial term with several meanings.  The word was coined to characterize electronic direct actions as working toward social change by combining programming skills with critical thinking.  But just as ‘hack’ can sometimes mean cyber crime, ‘hacktivism’ can be used to mean activism that is malicious, destructive, and undermining the security of the Internet as a technical, economic, and political platform.[11]

Script Kiddies

A script kiddie is a relatively unskilled individual who uses scripts or programs developed by others to attack computer systems and networks and deface websites, according to the programming and hacking cultures.  It is generally assumed that most script kiddies are juveniles who lack the ability to write sophisticated programs or exploits on their own and that their objective is to try to impress their friends or gain credit in computer-enthusiast communities.[12]  However, the term does not necessarily relate to the actual age of the participant.  Script kiddies have at their disposal a large number of effective, easily downloadable programs capable of breaching computers and networks.  Script kiddies vandalize websites both for the thrill of it and to increase their reputation among their peers.[12]  Script kiddies often lack, or are only developing, programming skills sufficient to understand the effects and side effects of their actions.  As a result, they leave significant traces which lead to their detection, or directly attack companies which have detection and countermeasures already in place, or in some cases, leave automatic crash reporting turned on.[13]  One of the most common types of attack utilized by script kiddies involves a form of social engineering, whereby the attacker somehow manipulates or tricks a user into sharing their information.  This is often done through the creation of fake websites where users will input their login (a form of phishing), thus allowing the script kiddie access to the account.[14]

Criminal Syndicates

Another threat actor is a criminal syndicate (organized crime) which is a centralized enterprise run by people motivated mainly by money.  Individuals who are part of an organized crime group are often well funded and can have a high level of sophistication.[15]  Criminal groups that engage in cyber organized crime also provide services that facilitate crimes and cybercrimes such as data and identity theft, malware, DDoS and botnet attacks, keylogger attacks, phishing.  They also are known to provide hacking tutorials where they sell information about vulnerabilities and exploits with instructions on how to take advantage of these vulnerabilities and exploits.[16]


A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.  Though the term ‘hacker’ has become associated in popular culture with a security hacker, hacking can also be utilized by legitimate figures in legal situations.  For example, law enforcement agencies sometimes use hacking techniques in order to collect evidence on criminals and other malicious actors.  The three types of hackers you need to be concerned about for the CompTIA Security+ SY0-601 certification exam are:[15]

  • Authorized Hacker:  also known as a white hat hacker or ethical hacker.  These are hackers who have been granted permission to hack a system or network.
  • Unauthorized Hacker:  also known as a black hat hacker or malicious hacker.  These are hackers who may have a wide range of skills, but this category is used to describe hackers involved with criminal activities or malicious intent.
  • Semi-Authorized Hacker:  also known as a gray hat hacker.  These are hackers who fall somewhere in the middle of authorized and unauthorized.  This hacker doesn’t typically have malicious intent but often runs afoul of ethical standards and principles.

Shadow IT

A shadow IT is an employee or a group of employees that use IT systems, network devices, software, applications, and services without the approval of the corporate IT department.  For example, an engineer may just deploy a physical or virtual server and host their own application on it.  Consequently, threat actors may easily compromise the vulnerable system or application in the process.[15]  In most organizations, the prevalence of shadow systems results in a heavily fragmented application landscape, where consistency, security and governability are sacrificed to achieve the necessary level of business agility, whether for the purpose of innovation or mere survival.

Corporate Espionage (Competitors)

Corporate espionage is a form of espionage conducted for commercial purposes instead of purely national security.[17]  The purpose of corporate espionage is to gather knowledge about one or more organizations.  It may include the acquisition of intellectual property, such as information on industrial manufacturers, ideas, techniques and processes, recipes and formulas.  Or it could include sequestration of proprietary or operational information, such as that on customer datasets, pricing, sales, marketing, research and development, policies, prospective bids, planning or marketing strategies or the changing compositions and locations of production.  It may describe activities such as theft of trade secrets, bribery, blackmail and technological surveillance.


  1. What Is an Advanced Persistent Threat (APT)? Kaspersky.
  2. Maloney, S. (2018). What is an Advanced Persistent Threat (APT)? Cybereason.
  3. Cole, E. (2013). Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization. Syngress.
  4. M-trends 2021: Insights into Today’s Top Cyber Trends and Attacks. Mandiant.
  5. Advanced Persistent Threats: A Symantec Perspective. Symantec.
  6. FBI Counterintelligence: The Insider Threat. An Introduction to Detecting and Deterring an Insider Spy. FBI.
  7. The Nation State Actor. Bae Systems.
  8. Mikhaylova, G. (2014). The “Anonymous” Movement: Hacktivism as an Emerging Form of Political Participation.
  9. Johnson, A. (2017). Hackers Take Down Thousands of ‘Dark Web’ Sites, Post Private Data. NBC News.
  10. Milone, M. (2002). Hacktivism: Securing the National Infrastructure. The Business Lawyer. JSTOR.
  11. Krapp, P. (2011). Noise Channels: Glitch and Error in Digital Culture. University of Minnesota Press 2011.
  12. Lemos, R. (2000). Script Kiddies: The Net’s Cybergangs. ZD Net.
  13. Taylor, J. (2010). Hackers Accidentally Give Microsoft Their Code. ZD Net.
  14. Putman, P. (2018). Script Kiddie: Unskilled Amateur or Dangerous Hackers? United States Cybersecurity Magazine.
  15. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.
  16. Cyber Organized Crime Activities. United Nations Office on Drugs and Crime.
  17. Unusual Suspects: Cyber-Spying Grows Bigger and More Boring. The Economist.