Defining Threat Actors and Agents

A threat actor is an entity that negatively impacts a TARGET and causes an event or incident. It is therefore helpful to know the capabilities and likely impact of representative threat actors. This post outlines the significant attributes that describe a potential threat agent, whether malicious or merely careless.

The following Threat Actor attributes can be associated with any entity that interacts with TARGET systems. For example, particular employee groups or teams, such as interns, can be given attributes (see the examples at the bottom of the page). This lets the security team and security champions model appropriate controls for that group.


Effort

Organised Threat Actor - has advanced skills, plans attacks in advance, and is adept at repudiation (hiding or denying their actions so they cannot be attributed).

Disorganised Threat Actor - impulsive and opportunistic, with little planning and low skills.


Relationship

Internal Threat Actor - hard to detect and prevent; they already have legitimate access to internal systems.

External Threat Actor - the traditional attacker; relies on extensive reconnaissance to find weak entry points.


Intent

Unintentional Threat Actor - inadvertently causes an unplanned, non-deliberate event or incident.

Intentional Threat Actor - deliberately exploits a weakness to cause a malicious event or incident.


Trust

None - Threat Actor has no elevated permissions in TARGET.

Partial - Threat Actor has limited elevated permissions on TARGET systems and functionality.

Full - Threat Actor has extensive elevated permissions on TARGET systems and functionality.

Full-non prod - full elevated permissions on non-production systems only; this trust level covers most of the access rights held by TARGET employees.

CRUDE - Threat Actor has explicit, specific permissions on a TARGET system:

Here are some common Threat Actor entities with sample attributes:

Cyber Criminals

[Effort] Organised - criminal gangs are generally well organised and profit-oriented.

[Relationship] external - most gangs are external to their targets, but there have been cases of insider infiltration of high-value targets.

[Intent] intentional - criminals are usually deliberate in their actions.

[Trust] None - most gangs start their attacks with no trust and spend time on elevation of privilege into the target system.


Hacktivists

[Effort] Organised - hacktivist groups are generally highly motivated and knowledgeable.

[Relationship] internal - a common pattern for hacktivists is to infiltrate their targets.

[Intent] intentional - hacktivists usually have a plan of action to shame the target or cause it financial harm.

[Trust] Partial - many hacktivists attempt to obtain some legitimately granted elevated privileges (through infiltration) before executing their attacks.

State-Sponsored attackers

[Effort] Organised - state-sponsored attackers are typically highly organised and disciplined.

[Relationship] internal - this entity plans for internal penetration of its targets for maximum effect.

[Intent] intentional - state-sponsored attacks are deliberate and generally multi-stage campaigns carried out over long periods.

[Trust] Full - many state-sponsored attackers attempt to gain high trust in the target environment for maximum effect.


Script Kiddies

[Effort] Disorganised - script-kiddies have many motivations and generally do not plan a full attack kill-chain; they use published attack scripts and tools found on the web.

[Relationship] external - most script-kiddie attacks follow haphazard reconnaissance of targets.

[Intent] intentional - script-kiddie attacks are on purpose.

[Trust] None - this group generally has no starting elevated privileges in the system.

Internal User Error

[Effort] Disorganised - these users cause incidents or issues through lack of planning or oversight.

[Relationship] internal - this type of user is largely an employee.

[Intent] unintentional - shortcomings in plans or organised activities yield unplanned, detrimental outcomes.

[Trust] Full - many of these actors have high permission levels, which act as damage multipliers.
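To make the attribute scheme above something a security team can actually query, here is an added example (not code from the original post) that models the four attribute groups as enums, parses profiles written in the "[Attribute] value - rationale" notation used by the entities above, orders actors by the trust they start with, and maps each attribute value to a control theme. The SUGGESTED_CONTROLS mapping and the "Interns" profile are this example's own assumptions; the two other profiles are condensed from the page's own examples.

```python
"""Threat-actor attributes from the page modelled as data (added example, not the
page's own code).  SUGGESTED_CONTROLS is this example's assumption, not the page's."""
import re
from dataclasses import dataclass
from enum import Enum

class Effort(Enum):
    DISORGANISED = "disorganised"
    ORGANISED = "organised"

class Relationship(Enum):
    EXTERNAL = "external"
    INTERNAL = "internal"

class Intent(Enum):
    UNINTENTIONAL = "unintentional"
    INTENTIONAL = "intentional"

class Trust(Enum):  # definition order = least to most starting access on TARGET
    NONE = "none"
    PARTIAL = "partial"
    FULL_NON_PROD = "full-non prod"
    FULL = "full"

ATTRIBUTE_TYPES = {"effort": Effort, "relationship": Relationship,
                   "intent": Intent, "trust": Trust}
TRUST_ORDER = list(Trust)

@dataclass(frozen=True)
class ThreatActor:
    name: str
    effort: Effort
    relationship: Relationship
    intent: Intent
    trust: Trust
    rationale: dict  # attribute name -> the "- ..." text from the profile

def parse_actor(name: str, profile: str) -> ThreatActor:
    """Parse a block of '[Attribute] value - rationale' lines (the page's notation)."""
    values, rationale = {}, {}
    for line in (l.strip() for l in profile.splitlines() if l.strip()):
        head, _, why = line.partition(" - ")  # split off the rationale first
        m = re.fullmatch(r"\[(\w+)\]\s*(.+)", head)
        if not m or m.group(1).lower() not in ATTRIBUTE_TYPES:
            raise ValueError(f"{name}: unrecognised attribute line {line!r}")
        attr = m.group(1).lower()
        values[attr] = ATTRIBUTE_TYPES[attr](m.group(2).strip().lower())  # ValueError if bad
        rationale[attr] = why.strip()
    missing = sorted(set(ATTRIBUTE_TYPES) - set(values))
    if missing:
        raise ValueError(f"{name}: missing attributes {missing}")
    return ThreatActor(name, values["effort"], values["relationship"],
                       values["intent"], values["trust"], rationale)

# Assumed control themes per attribute value (this example's choice, not the page's).
SUGGESTED_CONTROLS = {
    Effort.ORGANISED: "tamper-evident, centrally stored audit logs (actor is adept at repudiation)",
    Effort.DISORGANISED: "patch and configuration hygiene against published, opportunistic attacks",
    Relationship.EXTERNAL: "harden and monitor externally reachable entry points",
    Relationship.INTERNAL: "regular access review and least privilege on existing access",
    Intent.INTENTIONAL: "detection and response for deliberate exploitation attempts",
    Intent.UNINTENTIONAL: "guardrails: change review, confirmation prompts, backups and rollback",
    Trust.NONE: "authentication and perimeter controls stop the actor before any elevation",
    Trust.PARTIAL: "enforce privilege boundaries between limited and elevated functionality",
    Trust.FULL_NON_PROD: "segregate non-production credentials and data from production",
    Trust.FULL: "separation of duties and just-in-time elevation (full trust multiplies damage)",
}

def suggested_controls(actor: ThreatActor) -> list:
    return [SUGGESTED_CONTROLS[a] for a in (actor.effort, actor.relationship, actor.intent, actor.trust)]

def by_starting_trust(actors) -> list:
    """Most-trusted first: these actors start past the perimeter controls."""
    return sorted(actors, key=lambda a: TRUST_ORDER.index(a.trust), reverse=True)

# Constructed sample input: two profiles condensed from the page's examples plus a
# made-up "Interns" profile for the employee-group use the page suggests.
PROFILES = {
    "Cyber Criminals": """
        [Effort] Organised - criminal gangs are well organised and profit-oriented.
        [Relationship] external - many gangs are external to their targets.
        [Intent] intentional - criminals are deliberate in their actions.
        [Trust] None - gangs start with no trust and work on elevation of privilege.""",
    "Internal User Error": """
        [Effort] Disorganised - incidents caused by lack of planning or oversight.
        [Relationship] internal - this type of user is largely an employee.
        [Intent] unintentional - shortcomings in plans yield unplanned outcomes.
        [Trust] Full - high permission levels act as damage multipliers.""",
    "Interns": """
        [Effort] Disorganised - constructed profile, not from the page.
        [Relationship] internal - constructed profile, not from the page.
        [Intent] unintentional - constructed profile, not from the page.
        [Trust] Full-non prod - constructed profile, not from the page.""",
}

def modelled_actors() -> list:
    return [parse_actor(name, profile) for name, profile in PROFILES.items()]
```

Calling by_starting_trust(modelled_actors()) puts Internal User Error first and Cyber Criminals last, which is the practical point of the Trust attribute: actors that already hold Full trust never meet the perimeter controls that stop a None-trust gang, so the control set for an internal group has to start from separation of duties rather than from authentication. A profile with a misspelt value (for example "[Trust] root") or a missing attribute is rejected with a ValueError rather than silently modelled.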