Threat Actors

A post for students in my network security course

In the domain of network security, while the mastery of technical controls such as firewalls, encryption protocols, and intrusion detection systems is paramount, a foundational understanding of potential adversaries and origins of compromise is equally important. This foundational knowledge pertains to the identification and classification of threat actors, also known as threat sources. The primary objective of any robust cybersecurity program is to safeguard the Confidentiality, Integrity, and Availability (CIA Triad) of information and information systems. Consequently, an essential initial step in developing a comprehensive defense-in-depth security architecture involves conducting thorough risk assessments that account for various threat actors, as these entities inherently seek to undermine the aforementioned CIA objectives. The National Institute of Standards and Technology (NIST) offers a widely utilized framework, specifically NIST Special Publication (SP) 800-30, that guides organizations in systematically identifying and categorizing these diverse threat sources as a cornerstone of cybersecurity risk analysis.

NIST SP 800-30 divides these threat sources into distinct categories. Let’s break them down.

The Different Faces of Threat Actors

Cybersecurity threats can originate from several different places:

Adversarial Threats

These are the ones we often think of first: individuals, groups, or organizations that are deliberately attempting to undermine the security of an organization. Their actions are intentional and often malicious.

Adversaries can range widely, including:

  • Trusted insiders (yes, your own employees can be a threat!).
  • Competitors.
  • Suppliers and customers.
  • Business partners.
  • Even nation-states (governments running sophisticated cyber operations, often called Advanced Persistent Threats or APTs).

When evaluating an adversarial threat, cybersecurity analysts consider their capability (what can they do?), their intent (what do they want to do?), and the likelihood that they will actually target the organization. For example, a global financial crime syndicate has different capabilities and intentions than a disgruntled former employee.

Accidental Threats

These threats happen when individuals, during their routine work, mistakenly perform an action that undermines security. There’s no malice here, just human error.

A common example is a system administrator who accidentally deletes a critical disk volume, which could lead to a loss of availability for important systems. Or imagine misconfiguring a firewall rule, inadvertently opening a door to the internet.

When assessing accidental threats, analysts think about the possible range of effects such a mistake might have on the organization. These are often overlooked but can cause significant damage.

Structural Threats

These emerge when equipment, software, or environmental controls fail. This failure can be due to:

  • Exhaustion of resources (like a server running out of disk space).
  • Exceeding operational capability (a system overheating due to heavy load).
  • Simply failing due to age or wear-and-tear.

Structural threats can come from various IT components, such as storage devices, servers, and network devices, or from environmental controls like power and cooling infrastructure. They also include software issues like operating system bugs or application failures. Like accidental threats, these aren’t malicious, but a server crash (a loss of availability) can be just as impactful as a targeted denial-of-service attack.

Environmental Threats

These are caused by natural or man-made disasters that are outside the control of the organization.

Examples include:

  • Fires.
  • Flooding.
  • Severe storms.
  • Widespread power failures.
  • Telecommunications disruptions.

An environmental threat, like a fire destroying a datacenter, could lead to a loss of availability of services.

Considering the possible range of effects is key here as well. This is where disaster recovery and business continuity planning come in.

The Critical “Insider Threat”

It’s vital to recognize that threats come from both external and internal sources. While external hackers make headlines, rogue employees, disgruntled team members, and even incompetent administrators pose a significant threat to enterprise cybersecurity. When designing security controls, organizations must consider both internal and external threats equally. An insider, whether malicious or simply careless, often has a level of access and knowledge that external attackers don’t, making them particularly dangerous.

Connecting Threats to Risks and Vulnerabilities

Understanding threat actors is the fundamental step in cybersecurity risk analysis, which is the cornerstone of any information security program. This is where the concept of vulnerability comes in. A vulnerability is a weakness in a device, system, application, or process that a threat might exploit.

A risk exists only when there is both a threat and a corresponding vulnerability. This is often summarized as:

Risk = Threat × Vulnerability

This isn’t a math problem, but a conceptual equation: if either the threat (the actor) or the vulnerability (the weakness) is missing, then there is no risk. For example, if a hacker (threat) tries to exploit a website, but the website’s server has been patched and is no longer vulnerable, there’s no risk from that specific attack. Similarly, a datacenter might be vulnerable to an earthquake, but if it’s located in an area with no seismic activity, the risk is negligible.

Cybersecurity analysts begin their risk assessment by identifying all the types of threats an organization might face. Then, they identify vulnerabilities and determine the likelihood of a threat exploiting a vulnerability and the impact that would have on the organization’s confidentiality, integrity, or availability.
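To make that pairing of threats and vulnerabilities concrete, here is an added Python sketch (my own illustration, not code from the post or from NIST SP 800-30) of a minimal risk register: adversarial sources are scored on capability, intent and targeting, the other three categories carry a plain likelihood, and a risk entry appears only where a threat actually meets a matching vulnerability. All scores and the register contents are constructed values on a 0..1 scale.

```python
from dataclasses import dataclass

# Constructed example (not from the post or NIST SP 800-30): a tiny risk
# register that applies the post's rule "risk exists only where a threat
# meets a vulnerability" across the four threat-source categories.
@dataclass
class Threat:
    name: str
    category: str            # adversarial | accidental | structural | environmental
    targets: set             # asset names this source could affect
    likelihood: float = 0.0  # non-adversarial sources: plain likelihood, 0..1
    capability: float = 0.0  # adversarial only, 0..1
    intent: float = 0.0      # adversarial only, 0..1
    targeting: float = 0.0   # adversarial only: chance they pick this org, 0..1

    def effective_likelihood(self) -> float:
        # Adversaries are scored on capability, intent and targeting likelihood
        if self.category == "adversarial":
            return self.capability * self.intent * self.targeting
        return self.likelihood

@dataclass
class Vulnerability:
    asset: str
    weakness: str
    impact: dict             # loss per CIA objective, e.g. {"C": .1, "I": .5, "A": .9}
    exploitable_by: set      # threat categories able to exploit this weakness

def assess(threats, vulns):
    """Score likelihood x worst-case CIA impact for each threat/vulnerability pair
    that matches; an unmatched threat or vulnerability yields no entry at all,
    and a zero-likelihood threat yields a negligible (0.0) one."""
    risks = []
    for t in threats:
        for v in vulns:
            if v.asset in t.targets and t.category in v.exploitable_by:
                score = round(t.effective_likelihood() * max(v.impact.values()), 3)
                risks.append((score, t.name, v.asset, v.weakness))
    return sorted(risks, reverse=True)

THREATS = [  # constructed register mirroring the post's own examples
    Threat("former employee", "adversarial", {"web server"},
           capability=0.6, intent=0.8, targeting=0.5),
    Threat("admin deletes volume", "accidental", {"file server"}, likelihood=0.3),
    Threat("disk exhaustion", "structural", {"file server"}, likelihood=0.5),
    Threat("earthquake", "environmental", {"file server"}, likelihood=0.0),  # no seismic activity
]
VULNS = [  # the web server is patched: no entry here, so the adversary yields no risk
    Vulnerability("file server", "no tested backups", {"C": 0.1, "I": 0.5, "A": 0.9},
                  {"accidental", "structural", "environmental"}),
]
```

Running `assess(THREATS, VULNS)` ranks the structural and accidental threats to the unbacked-up file server first, lists the earthquake as negligible, and produces nothing for the former employee because the only asset they target has no recorded weakness.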

Why This Matters for Your Career

As future network security professionals, understanding these diverse threat actors isn’t just academic – it’s foundational to designing effective defenses.

  • Knowing the motivations and methods of adversarial threats allows you to anticipate their attacks and implement specific countermeasures, like intrusion prevention systems or strong authentication.
  • Recognizing the prevalence of accidental threats emphasizes the need for strong internal controls, comprehensive training, and clear operational procedures to prevent mistakes.
  • Being aware of structural and environmental threats highlights the importance of robust infrastructure, redundancy, maintenance, and disaster recovery planning to ensure continuous availability.

Your ability to assess these varied “who” and “what” factors will directly influence how well you can protect an organization’s valuable information and systems. It’s about building a defense-in-depth security architecture, using multiple layers of security to account for different types of threats and potential failures. So, as you delve deeper into the technical skills, remember to keep the diverse world of threat actors firmly in mind – it’s the key to truly effective network security.