3.1.2. Attributes and Motivations
💡 First Principle: Attributes describe capability; motivations explain behavior. Together they predict what an attacker will target and how they'll attack. A financially motivated attacker targets assets they can monetize; a politically motivated attacker targets assets that generate attention.
Attributes characterize threat actor capability:
- Internal vs. external: inside or outside the organization. Internal actors are particularly dangerous because they already have legitimate access and knowledge of systems.
- Resources/funding: from minimal (unskilled attacker) to nation-state budgets
- Level of sophistication/capability: script kiddie (low) to APT (very high)
Unskilled attackers (script kiddies) use pre-built tools and exploit kits without understanding the underlying technology. Despite low sophistication, they cause significant damage through volume: automated scanning tools hit every internet-facing system.
Shadow IT (unauthorized systems deployed by employees) creates unmanaged threat surfaces that even sophisticated security programs miss because they don't know the systems exist.
Motivations explain why they attack:
| Motivation | Typical Actor | Target Selection |
|---|---|---|
| Data exfiltration | Nation-state, organized crime | Intellectual property, PII, trade secrets |
| Espionage | Nation-state | Government, defense, critical infrastructure |
| Service disruption | Hacktivist, nation-state | Public-facing services, critical infrastructure |
| Blackmail | Organized crime | Anyone with sensitive data |
| Financial gain | Organized crime, insider | Payment systems, banking, crypto |
| Philosophical/political | Hacktivist | Government, corporations, media |
| Ethical | Ethical hacker | Any (with authorization) |
| Revenge | Insider | Former employer |
| Disruption/chaos | Various | Any high-visibility target |
| War | Nation-state | Military, infrastructure, economy |
⚠️ Exam Trap: Motivation drives method. Financial attackers use ransomware because it monetizes quickly. Nation-states use long-term persistent access because their goal is intelligence, not quick money. When the exam describes an attack pattern, the motivation should help you identify the actor.
