Threat actor types and motivations
Nation-state actors are government-sponsored groups with deep resources and long operational timelines. Their goal is usually intelligence collection or sabotage, not quick financial gain. They are the archetypal advanced persistent threat (APT): quiet, patient, long-term access that can go undetected for months or years, with custom tooling and a willingness to keep working a single target for as long as it takes. When a question describes an attacker who maintained access to a critical infrastructure network for 18 months without detection, that is a nation-state profile.
Organized crime groups are profit-driven and run attacks like businesses. They deploy ransomware for payment, conduct fraud, steal financial data, and sell compromised credentials on dark web markets. They are highly sophisticated and purely financially motivated, so they will not spend resources on targets with low payoff; a victim's value to them is measured in what it can pay or what its data will sell for.
Hacktivists are motivated by ideology or politics rather than money, and their sophistication varies widely. Common tactics include defacement, DDoS, and data leaks intended to embarrass or publicize a cause. Anonymous is the most well-known hacktivist collective.
Script kiddies lack deep technical knowledge and use pre-built tools, exploit kits, and scripts created by others. They are opportunistic rather than targeted, scanning for known vulnerabilities and attacking whatever responds. Low sophistication does not mean low risk: because they attack in volume, any unpatched internet-facing system will eventually be hit.
Insider threats are current or former employees, contractors, or partners with authorized access. They are uniquely dangerous because they already have legitimate credentials and know which systems are valuable, and their activity looks like normal use, so perimeter controls never see an intrusion. Insider threats can be malicious (intentional data theft, sabotage) or unintentional (clicking phishing links, losing devices, misconfiguring a share).
Attack vectors and supply chain attacks
An attack vector is the path the attacker uses to get into your environment. Direct access means physical presence and hands on the hardware. Removable media such as USB drives carry malware across air gaps and past network controls. Wireless attacks exploit unprotected or poorly protected Wi-Fi, including rogue access points and evil twin attacks. Email remains the most common initial access vector for enterprises, delivering phishing and malware directly to users.
Supply chain attacks are among the most dangerous vectors because they compromise something you already trust. In the SolarWinds attack, the attackers compromised the vendor's build process so that a backdoor was compiled into a legitimate Orion software update, which was then cryptographically signed by SolarWinds and automatically distributed to thousands of organizations. The victims had no reason to distrust a signed update from a vendor they depended on. The lesson is that a valid signature proves the update came from the vendor's build pipeline; it proves nothing about whether that pipeline was itself compromised. Supply chain attacks exploit exactly that trust relationship.
Shadow IT (employees using unauthorized cloud applications or personal devices for work) is not a malicious actor but creates serious attack surface. Data goes into services that are not monitored, not patched, and not compliant with corporate policy. The attacker does not need to breach the corporate network if the data is sitting in a personal Dropbox.
How to choose the correct answer
Motivation mapping: espionage, long-term access, critical infrastructure, government target = nation-state. Financial gain, ransomware, fraud = organized crime. Ideological, public disruption, defacement = hacktivist. Pre-built tools, opportunistic scanning = script kiddie. Legitimate credentials, internal access = insider threat. When two profiles seem to fit, the stated motivation decides the answer, not the level of sophistication.
Attack vector identification: phishing email = email vector. Infected USB drive left in a parking lot = removable media, also baiting. Compromised software update = supply chain. Rogue access point = wireless. Physical access to the server room = direct physical.
Shadow IT is not a threat actor. It is a risk category created by users operating outside official IT channels. Treat it as an attack surface management issue, not an adversary.