Cybersecurity Foundations Series (part 3)
Lesson 2: Threat Actors, Threat Intelligence, and Threat Hunting
In Lesson 1, we focused on why cybersecurity programs exist—governance, risk management, policy, and organizational decision-making. Security starts with leadership choices, not tools.
In Lesson 3, we move into what we are protecting—operating systems, cloud environments, identity, logging, and Zero Trust architectures.
This lesson sits between those two for a reason.
Before we talk about systems and architecture, we need to understand who is attacking them and how defenders identify malicious activity. That is the purpose of Lesson 2.
This lesson introduces the human and intelligence-driven side of cybersecurity: attackers, their motivations, their behaviors, and the methods defenders use to detect and stop them.
But first, I want to introduce Watch, the spokesman, who will go over this lesson with you.
Threat Actor Types
Technical definition: A threat actor is an individual or group that conducts malicious activity against systems, networks, or data.
Simple definition: Threat actors are the people behind cyberattacks.
Threat intelligence is not just about malware signatures or IP addresses. It is about understanding who is attacking, why they are attacking, and how they tend to operate.
Opportunistic vs Targeted Attacks
Attacks generally fall into two categories:
Opportunistic attacks
Low sophistication
Little planning
Use publicly available tools
No specific target
Targeted attacks
Highly planned and researched
Often use custom tools
Backed by funding and skilled personnel
Focus on a specific organization or sector
Exam reminder:
Targeted attacks = higher risk, higher sophistication, higher impact
Common Threat Actor Categories (Know These)
Here are the 6 main threat actor categories that come up on many CompTIA security exams.
The first is Nation-State Actors
Technical definition:
Nation-state actors are government-sponsored groups that use cyber capabilities to achieve political, military, or economic objectives.
Simple definition:
Nation-states are countries hacking for power, espionage, or advantage.
Key traits:
Extremely well-funded
Long-term campaigns
Focus on espionage, disruption, or strategic gain
Often associated with Advanced Persistent Threats (APTs)
Exam focus:
Nation-state is not a random hacker. Think patience, persistence, and resources.
Moving on to Organized Crime
Technical definition:
Organized cybercrime groups conduct attacks primarily for financial gain.
Simple definition:
Organized crime = hacking for money.
Common activities:
Financial fraud
Ransomware
Extortion and blackmail
These groups often operate across borders, making prosecution difficult.
Hacktivists
Technical definition:
Hacktivists use cyberattacks to promote political, ideological, or social causes.
Simple definition:
Hacktivists = hacking to send a political message.
Common tactics:
Website defacement
Data leaks
Denial-of-service (DoS) attacks
Phishing
Insider Threats
Technical definition:
An insider threat originates from an individual who has legitimate access to an organization’s systems.
Simple definition:
Insiders are already inside the building.
Types:
Intentional insiders – malicious actions
Unintentional insiders – mistakes, phishing, misconfigurations
Exam tip:
Unintentional insiders are one of the most common causes of breaches.
Script Kiddies
Technical definition:
A script kiddie uses existing tools or scripts without fully understanding how they work.
Simple definition:
Script kiddies = push-button attackers.
Low skill does not mean low impact. Poor defenses can still be exploited.
Supply Chain Threats
Technical definition:
Supply chain attacks compromise trusted vendors, software, or services to gain access to a target organization.
Simple definition:
Supply chain attacks = attacking who you trust.
Examples include:
compromised software updates
malicious vendor access
infected hardware or firmware
Advanced Persistent Threats (APT)
Technical definition:
An APT describes long-term, stealthy, and well-resourced cyber campaigns, often conducted by nation-states or organized groups.
Simple definition:
APTs are quiet, patient attackers who want to stay hidden.
Key characteristics:
Custom tools
Anti-forensics
Long dwell time
Strong focus on persistence
Exam reminder:
“Persistent” means they want to stay, not smash and grab.
Tactics, Techniques, and Procedures (TTPs)
Technical definition:
TTPs describe how threat actors plan, execute, and maintain attacks.
Simple definition:
TTPs are an attacker’s playbook.
Security teams use TTPs to:
identify attackers
attribute activity
improve detection
The MITRE ATT&CK Framework organizes TTPs and is heavily referenced in CySA+.
Tactics, Techniques, and Procedures (TTPs): Simple Breakdown
Tactics – What the attacker is trying to achieve (example: gaining access, stealing data)
Techniques – How the attacker tries to achieve it (example: phishing, credential theft)
Procedures – The exact steps or tools used (example: a specific phishing email or script)
Tactics = goal, Techniques = method, Procedures = steps
Cybersecurity analysts analyze and document TTPs used by known threat actors to create attack fingerprints. These fingerprints help defenders:
Identify who may be attacking
Predict the attacker’s next move
Strengthen defenses against common attack patterns
TTPs also help security teams connect attacks to known groups and prioritize defenses.
MITRE ATT&CK and TTPs
The MITRE ATT&CK framework organizes real-world attacker TTPs into a structured matrix. It shows:
Common attacker goals (tactics)
The techniques used to reach them
Security teams use ATT&CK to track attacks across multiple stages instead of viewing alerts in isolation.
TTPs and Behavior Detection
Modern security tools focus on behavior, not just files. Tools like UEBA use TTPs to detect abnormal activity and identify potential attacks by comparing actions against known attacker patterns.
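To make the "track attacks across stages, not isolated alerts" idea concrete, here is an added example (not code from the lesson or from MITRE) that tags constructed log lines with an ATT&CK tactic and technique ID and then groups them per host, so a multi-stage sequence on one workstation surfaces as a single chain. The log formats, host names, and the failed-login threshold are assumptions made for the example; the technique IDs (T1566, T1059, T1110, T1021) are real ATT&CK identifiers.

```python
import re
from collections import defaultdict

# Constructed log lines (not from any real environment): ws01 shows a full chain,
# ws07 shows only a few failed logins that look like a typo, not an attack.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 host=ws01 mail: user=alice clicked link in external message",
    "2024-05-01T09:03:12 host=ws01 proc: powershell.exe spawned by outlook.exe",
    "2024-05-01T09:10:45 host=ws01 auth: 37 failed logins for svc_backup",
    "2024-05-01T09:12:00 host=ws01 net: smb session opened to fs02 as svc_backup",
    "2024-05-01T10:00:00 host=ws07 auth: 3 failed logins for bob",
]

# Each rule maps a log pattern to an ATT&CK tactic and technique ID. The IDs are
# real ATT&CK identifiers; the log formats are invented for this example.
BEHAVIOR_RULES = [
    (re.compile(r"mail: .*clicked link"), "Initial Access", "T1566"),
    (re.compile(r"proc: powershell\.exe spawned by outlook\.exe"), "Execution", "T1059"),
    (re.compile(r"auth: (\d+) failed logins"), "Credential Access", "T1110"),
    (re.compile(r"net: smb session opened"), "Lateral Movement", "T1021"),
]
BRUTE_FORCE_THRESHOLD = 20  # assumed: fewer failed logins than this is user error
HOST_RE = re.compile(r"host=(\S+)")


def tag_events(lines):
    """Return (host, tactic, technique) for every line that matches a rule."""
    events = []
    for line in lines:
        host = HOST_RE.search(line)
        if not host:
            continue
        for pattern, tactic, technique in BEHAVIOR_RULES:
            m = pattern.search(line)
            if not m:
                continue
            # Behavioural check: a handful of failures is normal, a burst is not.
            if technique == "T1110" and int(m.group(1)) < BRUTE_FORCE_THRESHOLD:
                continue
            events.append((host.group(1), tactic, technique))
    return events


def find_chains(events, min_stages=3):
    """Group tagged events by host; report hosts spanning >= min_stages tactics."""
    stages = defaultdict(list)
    for host, tactic, _ in events:
        if tactic not in stages[host]:
            stages[host].append(tactic)
    return {host: tactics for host, tactics in stages.items() if len(tactics) >= min_stages}
```

Run on the sample logs, ws01 is reported with four tactics in sequence while ws07 produces no event at all, which is the difference between a behaviour-based chain and four unrelated alerts.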
Exam & Real-World Takeaway
For Security+ and CySA+:
Attackers follow patterns
TTPs help defenders recognize those patterns
Understanding TTPs helps detect and stop attacks earlier
If you understand how attackers behave, you can defend against them more effectively
Open-Source Intelligence (OSINT)
Now we are going to get into OSINT.
Technical definition:
OSINT is intelligence collected from publicly available sources.
Simple definition:
OSINT is what attackers learn about you online.
Common sources:
social media
public records
DNS and WHOIS
metadata in documents
OSINT works both ways: attackers use it to plan attacks, and defenders use it to understand threats.
Defensive OSINT is about finding threats before they turn into attacks. It helps organizations understand who might attack them and how those attacks could happen, so defenses can be prepared early.
Common Defensive OSINT Sources
Government alerts – Warnings and guidance about current cyber threats
CERT / CSIRT teams – Share information about active and trending attacks
Dark web monitoring – Reveals stolen data, malware sales, and attack planning
Internal logs – System and user activity that may show early signs of an attack
Simple Takeaway
Defensive OSINT helps defenders stay ahead of attackers instead of reacting after damage is done.
Threat Intelligence Sources
Threat intelligence can be:
Open-source (free, public)
Closed-source (paid, proprietary)
Key Attributes of Good Threat Intelligence
Timeliness – up to date
Relevancy – applicable to your environment
Accuracy – reliable and validated
Exam focus:
Threat intelligence must be actionable, not just interesting.
Threat Intelligence Sharing and ISACs
Information Sharing and Analysis Centers (ISACs) allow organizations in the same sector to share threat data safely.
Why this matters:
Faster detection
Better incident response
Reduced attacker success
This collective defense model is critical for critical infrastructure sectors like healthcare, finance, energy, and aviation.
Threat Hunting Concepts…
Now look, I've got some real hunting to do. I like to keep it simple, but my partner insists on giving you more technical examples... what a drag.
Technical definition:
Threat hunting is a proactive, systematic process of searching for malicious activity inside a network. ("Bunch of jargon.")
Simple definition:
Threat hunting = assuming the attacker is already inside.
Threat hunting:
is largely manual
relies on analyst skill
focuses on behavior, not alerts
Assume breach is a core CySA+ mindset.
Threat Hunting Focus Areas
Misconfiguration hunting – weak passwords, open ports, missing patches
Isolated network hunting – air-gapped or restricted environments
Business-critical asset hunting – high-value systems and processes
Indicators of Compromise (IoCs)
Technical definition:
IoCs are pieces of forensic data that suggest a potential intrusion.
Simple definition:
IoCs are clues that something bad may have happened.
Examples:
suspicious IPs or domains
unusual login behavior
unexpected system changes
Exam reminder:
IoCs ≠ proof of breach. They require validation.
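The "IoCs require validation" point, together with the timeliness attribute from the threat intelligence section above, as an added example that is not part of the lesson: a constructed indicator feed is first filtered by age, then matched against constructed log lines, and a host is escalated only when an indicator hit is corroborated by a behavioural signal (or by more than one indicator). The feed values use documentation IP ranges and an invented domain, and the log format and signal phrases are assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed threat-intel feed (placeholder values, not real indicators).
# Each entry records when the indicator was last confirmed active.
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.45", "last_seen": "2024-04-28"},
    {"type": "domain", "value": "update-check.example", "last_seen": "2024-04-30"},
    {"type": "ip", "value": "198.51.100.9", "last_seen": "2023-01-15"},  # stale entry
]

# Constructed log lines: ws01 resolves a listed domain AND has an odd logon,
# ws03 only contacts a listed IP once, ws04 contacts the stale indicator.
SAMPLE_LOGS = [
    "2024-05-01T08:55:00 host=ws01 dns: query update-check.example",
    "2024-05-01T03:10:00 host=ws01 auth: interactive logon user=alice outside business hours",
    "2024-05-01T09:20:00 host=ws03 net: outbound 203.0.113.45:443",
    "2024-05-01T09:25:00 host=ws04 net: outbound 198.51.100.9:443",
]

# Assumed behavioural IoCs ("unusual login behavior", "unexpected system changes").
BEHAVIOR_SIGNALS = ("outside business hours", "new scheduled task", "new local admin")
HOST_RE = re.compile(r"host=(\S+)")


def fresh_indicators(feed, today, max_age_days=30):
    """Timeliness: keep only indicators confirmed within max_age_days of today."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return {e["value"] for e in feed if date.fromisoformat(e["last_seen"]) >= cutoff}


def triage(lines, feed, today, max_age_days=30):
    """Map host -> 'investigate' or 'monitor'; hosts with no indicator hit are omitted."""
    iocs = fresh_indicators(feed, today, max_age_days)
    hits, behaviour = defaultdict(set), defaultdict(set)
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        hits[host].update(v for v in iocs if v in line)
        behaviour[host].update(s for s in BEHAVIOR_SIGNALS if s in line)
    verdicts = {}
    for host, matched in hits.items():
        if not matched:
            continue
        # A single indicator match is a lead, not proof of breach: escalate only
        # when the same host also shows attacker-like behaviour or several hits.
        verdicts[host] = "investigate" if behaviour[host] or len(matched) > 1 else "monitor"
    return verdicts
```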
Decoy Methods and Honeypots
I am setting up some decoys, honeypots to be exact, to capture potential threats.
Technical definition:
Decoy systems intentionally attract attackers to observe their behavior.
Simple definition:
Honeypots are fake targets to catch attackers early.
Why they matter:
early detection
attacker intelligence
training defenders
They supplement detection — they do not replace it.
What to Remember for the Exams
If you remember nothing else from Lesson 2, remember this:
Threat actors differ by motivation and resources
APTs = persistent and stealthy
TTPs describe how attackers operate
OSINT is public information weaponized
Threat hunting assumes breach
IoCs are signals, not certainty
Sharing intelligence improves defense speed
Closing the Gap to Lesson 3
Lesson 2 explains who attacks and how defenders detect them.
Lesson 3 builds on this by explaining what systems exist and how they are secured.
Together, these lessons bridge the gap between policy, people, and technology—which is exactly how cybersecurity works in the real world. Thank you for your time and see you in the next part of this series.
Intellectual Property & Creative Disclaimer
All characters, names, visuals, concepts, and story elements featured in this blog—including Netizen, Watch, and the associated cybersecurity universe—are original creative works and are the intellectual property of the author.
These characters and visual representations are created for educational and creative purposes and are not affiliated with, endorsed by, or representative of any real organization, company, government entity, or individual.
Unauthorized reproduction, redistribution, or commercial use of the characters, artwork, or unique creative concepts presented here without explicit permission is not permitted.
Educational references (such as cybersecurity frameworks, tools, and terminology) are used for instructional purposes only and remain the property of their respective owners.
© [Anthony Velazquez/ Netizen.Watch LLC] – All Rights Reserved.
Solid approach to explaining these concepts. I like the use of characters to personify the principles around various threats.