Lesson 2-Threat Actors, Threat Intelligence, and Threat Hunting

In Lesson 1, we focused on why cybersecurity programs exist—governance, risk management, policy, and organizational decision-making. Security starts with leadership choices, not tools.

In Lesson 3, we move into what we are protecting—operating systems, cloud environments, identity, logging, and Zero Trust architectures.

This lesson sits between those two for a reason.

Before we talk about systems and architecture, we need to understand who is attacking them and how defenders identify malicious activity. That is the purpose of Lesson 2.

This lesson introduces the human and intelligence-driven side of cybersecurity: attackers, their motivations, their behaviors, and the methods defenders use to detect and stop them.

But, First I want to Introduce Watch . The Spokesman to go over this Lesson with you.

Threat Actor Types

The Technical definition of A threat actor is an individual or group that conducts malicious activity against systems, networks, or data.

Now we can keep this in a simple definition Threat actors are the people behind cyberattacks.

Threat intelligence is not just about malware signatures or IP addresses. It is about understanding who is attacking, why they are attacking, and how they tend to operate.

Opportunistic vs Targeted Attacks

Attacks generally fall into two categories:

• Opportunistic attacks
  

  • Low sophistication
    

  • Little planning
    

  • Use publicly available tools
    

  • No specific target
    

• Targeted attacks
  

  • Highly planned and researched
    

  • Often use custom tools
    

  • Backed by funding and skilled personnel
    

  • Focus on a specific organization or sector
    

Exam reminder:

Targeted attacks = higher risk, higher sophistication, higher impact

Common Threat Actor Categories (Know These)

Here are the 6 main Threat Actors that are dealt with and are on many CompTIA Security Tests.

The First is a Nation-State Actors

Technical definition:
Nation-state actors are government-sponsored groups that use cyber capabilities to achieve political, military, or economic objectives.

Simple definition:
Nation-states are countries hacking for power, espionage, or advantage.

Key traits:

• Extremely well-funded

• Long-term campaigns
  

• Focus on espionage, disruption, or strategic gain
  

• Often associated with Advanced Persistent Threats (APTs)
  

  Exam focus:
  Nation-state is not a random hacker. Think patience, persistence, and resources.

Moving on to Organized Crime

Technical definition:
Organized cybercrime groups conduct attacks primarily for financial gain.

Simple definition:
Organized crime = hacking for money.

Common activities:

• Financial fraud
  

• Ransomware
  

• Extortion and blackmail
  

  These groups often operate across borders, making prosecution difficult.

Hacktivists

Technical definition:
Hacktivists use cyberattacks to promote political, ideological, or social causes.

Simple definition:
Hacktivists = hacking to send a political message.

Common tactics:

• Website defacement
  

• Data leaks
  

• Denial-of-service (DoS) attacks
  

• Phishing
  

Insider Threats

Technical definition:
An insider threat originates from an individual who has legitimate access to an organization’s systems.

Simple definition:
Insiders are already inside the building.

Types:

• Intentional insiders – malicious actions
  
  

• Unintentional insiders – mistakes, phishing, misconfigurations
  

  Exam tip:
  Unintentional insiders are one of the most common causes of breaches.

Script Kiddies

Technical definition:
A script kiddie uses existing tools or scripts without fully understanding how they work.

Simple definition:
Script kiddies = push-button attackers.

Low skill does not mean low impact. Poor defenses can still be exploited.

Supply Chain Threats

Technical definition:
Supply chain attacks compromise trusted vendors, software, or services to gain access to a target organization.

Simple definition:
Supply chain attacks = attacking who you trust.

Examples include:

• compromised software updates
  

• malicious vendor access
  

• infected hardware or firmware
  
  

Advanced Persistent Threats (APT)

Technical definition:
An APT describes long-term, stealthy, and well-resourced cyber campaigns, often conducted by nation-states or organized groups.

Simple definition:
APTs are quiet, patient attackers who want to stay hidden.

Key characteristics:

• Custom tools
  

• Anti-forensics
  

• Long dwell time
  

• Strong focus on persistence
  

Exam reminder:

“Persistent” means they want to stay, not smash and grab.

Tactics, Techniques, and Procedures (TTPs)

Technical definition:
TTPs describe how threat actors plan, execute, and maintain attacks.

Simple definition:
TTPs are an attacker’s playbook.

Security teams use TTPs to:

• identify attackers
  

• attribute activity
  

• improve detection
  

The MITRE ATT&CK Framework organizes TTPs and is heavily referenced in CySA+.Tactics, Techniques, and Procedures (TTPs)

TTPs? (Simple Breakdown)

• Tactics – What the attacker is trying to achieve
  (example: gaining access, stealing data)

• Techniques – How the attacker tries to achieve it
  (example: phishing, credential theft)

• Procedures – The exact steps or tools used
  (example: a specific phishing email or script)

Tactics = goal, Techniques = method, Procedures = steps

Cybersecurity analysts analyze and document TTPs used by known threat actors to create attack fingerprints. These fingerprints help defenders:

• Identify who may be attacking

• Predict the attacker’s next move

• Strengthen defenses against common attack patterns

TTPs also help security teams connect attacks to known groups and prioritize defenses.

MITRE ATT&CK and TTPs

The MITRE ATT&CK framework organizes real-world attacker TTPs into a structured matrix. It shows:

• Common attacker goals (tactics)

• The techniques used to reach them

Security teams use ATT&CK to track attacks across multiple stages instead of viewing alerts in isolation.

TTPs and Behavior Detection

Modern security tools focus on behavior, not just files. Tools like UEBA use TTPs to detect abnormal activity and identify potential attacks by comparing actions against known attacker patterns.

Exam & Real-World Takeaway

For Security+ and CySA+:

• Attackers follow patterns

• TTPs help defenders recognize those patterns

• Understanding TTPs helps detect and stop attacks earlier

If you understand how attackers behave, you can defend against them more effectively

Open-Source Intelligence (OSINT)

Now we are going to get into OSNIT.

Technical definition:
OSINT is intelligence collected from publicly available sources.

Simple definition:
OSINT is what attackers learn about you online.

Common sources:

• social media
  

• public records
  

• DNS and WHOIS
  

• metadata in documents
  

OSINT works both ways: attackers use it to plan attacks, and defenders use it to understand threats.

Defensive OSINT is about finding threats before they turn into attacks. It helps organizations understand who might attack them and how those attacks could happen, so defenses can be prepared early.

Common Defensive OSINT Sources

• Government alerts – Warnings and guidance about current cyber threats

• CERT / CSIRT teams – Share information about active and trending attacks

• Dark web monitoring – Reveals stolen data, malware sales, and attack planning

• Internal logs – System and user activity that may show early signs of an attack

Simple Takeaway

Defensive OSINT helps defenders stay ahead of attackers instead of reacting after damage is done.

Threat Intelligence Sources

Threat intelligence can be:

• Open-source (free, public)
  

• Closed-source (paid, proprietary)
  

Key Attributes of Good Threat Intelligence

• Timeliness – up to date
  

• Relevancy – applicable to your environment
  

• Accuracy – reliable and validated
  Exam focus:
  Threat intelligence must be actionable, not just interesting.

Threat Intelligence Sharing and ISACs

Information Sharing and Analysis Centers (ISACs) allow organizations in the same sector to share threat data safely.

Why this matters:

• Faster detection
  

• Better incident response
  

• Reduced attacker success
  

  This collective defense model is critical for critical infrastructure sectors like healthcare, finance, energy, and aviation.

Threat Hunting Concepts…

Now look I got some real hunting to do I like to keep it simple but my partner insist on give you more technical examples….what a drag.

Technical definition:
Threat hunting is a proactive, systematic process of searching for malicious activity inside a network.- “ bunch of jargon “

Simple definition:
Threat hunting = assuming the attacker is already inside.

Threat hunting:

• is largely manual
  

• relies on analyst skill
  

• focuses on behavior, not alerts
  

Assume breach is a core CySA+ mindset.

Threat Hunting Focus Areas

• Misconfiguration hunting – weak passwords, open ports, missing patches
  

• Isolated network hunting – air-gapped or restricted environments
  

• Business-critical asset hunting – high-value systems and processes
  
  

Indicators of Compromise (IoCs)

Technical definition:
IoCs are pieces of forensic data that suggest a potential intrusion.

Simple definition:
IoCs are clues that something bad may have happened.

Examples:

• suspicious IPs or domains
  

• unusual login behavior
  

• unexpected system changes
  

Exam reminder:
IoCs ≠ proof of breach. They require validation.

Decoy Methods and Honeypots

I am setting up some decoys. Honey pots to be exact to capture potential threats.

Technical definition:
Decoy systems intentionally attract attackers to observe their behavior.

Simple definition:
Honeypots are fake targets to catch attackers early.

Why they matter:

• early detection
  

• attacker intelligence
  

• training defenders

They supplement detection — they do not replace it.

What to Remember for the Exams

If you remember nothing else from Lesson 2, remember this:

• Threat actors differ by motivation and resources
  

• APTs = persistent and stealthy
  

• TTPs describe how attackers operate
  

• OSINT is public information weaponized
  

• Threat hunting assumes breach
  

• IoCs are signals, not certainty
  

• Sharing intelligence improves defense speed
  

Closing the Gap to Lesson 3

Lesson 2 explains who attacks and how defenders detect them.
Lesson 3 builds on this by explaining what systems exist and how they are secured.

Together, these lessons bridge the gap between policy, people, and technology—which is exactly how cybersecurity works in the real world. Thank you for your time and see you in the next part of this series.

Intellectual Property & Creative Disclaimer

All characters, names, visuals, concepts, and story elements featured in this blog—including Netizen, Watch, and the associated cybersecurity universe—are original creative works and are the intellectual property of the author.

These characters and visual representations are created for educational and creative purposes and are not affiliated with, endorsed by, or representative of any real organization, company, government entity, or individual.

Unauthorized reproduction, redistribution, or commercial use of the characters, artwork, or unique creative concepts presented here without explicit permission is not permitted.

Educational references (such as cybersecurity frameworks, tools, and terminology) are used for instructional purposes only and remain the property of their respective owners.

© [Anthony Velazquez/ Netizen.Watch LLC] – All Rights Reserved.