In the world of cyber security, the more you know about threat actors, the better placed you are to counteract and manage cyber threats and attacks. But what is a threat actor?

We can define a threat actor as a person, group, or entity that performs a cyber-attack designed to negatively impact an organisation.

In other words, someone who wants to harm you or your organisation’s IT infrastructure.

There are many types of cyber attacks and threats, from a disgruntled team member trying to gain unauthorised access to steal sensitive data to nation-states attempting to interfere in political elections.

There are ways to keep cyber secure.

For example, threat intelligence is a resource organisations can leverage to provide information about current or emerging threats that could negatively impact their security. Combining available threat intelligence on threat actors and existing and emerging threats, we have a formidable defence against attacks.

Threat Intelligence also allows us to anticipate and pre-empt cyber risks and attacks, making us proactive rather than reactive.

Different Types of Threat Actors

According to a report (a collaboration based on research provided by the cyber security authorities of five nations: Australia, Canada, New Zealand, the UK and the USA) on publicly available hacking tools:

Today, hacking tools, with a variety of functions, are widely and freely available for use by everyone, from skilled penetration testers, hostile state actors and organised criminals to amateur hackers.

Joint report on publicly available hacking tools – NCSC.GOV.UK

Organised Crime/Cyber Criminals

A cyber criminal is the most common type of threat actor, and one most people tend to read or see on the news.

An attack is intended to steal data and make it inaccessible until an organisation or individual pays a ransom. Whether working alone or as a group, money is the cybercriminals’ primary motivation.

Cyber attacks comprise phishing attacks, ransomware, malware and other tactics and techniques.


Insider attacks, or insider threats, are typically related to an organisation when a team member, former team member, third-party contractor, or partner wants to get at organisational network, systems, or data.

The reasons for doing so are varied. Disgruntled employees could do so for financial gain, or a threat actor may use an organisation’s system to expose confidential information.

An insider cyber threat actor sometimes maliciously and intentionally damages an organisation’s cyber security foundations, yet sometimes, this is not intentional.

Not every insider threat is motivated by greed or revenge.

Some attacks can be due to a lack of understanding of cyber security. One such example is when a staff member falls prey to a phishing cyber attack and, unfortunately, shares sensitive information.


A nation-state attack refers to countries that target institutions within other countries to influence elections, disrupt or affect their security, economy, the electoral process, and government departments. Access to significant financial backing and the necessary tools makes a nation-state one of the most dangerous cyber threat actors.


Hacktivists are a form of threat actor often noted in the media. Groups such as Anonymous, for example, have carried out cyberattacks on terrorist organisations.

The reason for a hacktivist cyber-attack is for them to expose their target entity and disrupt their actions.

There is often a social, political, or ideological reason for the hacktivist to undertake an attack on an organisation, government, or individuals.

Script Kiddies

Script kiddies refer to those individuals with basic hacking skills.

These bad actors may launch existing scripts to deface a website for their cheap thrills.

Organisations targeted by script kiddies can incur severe costs to repair their systems and recover data.

Why Threat Actors Matter

As written above, the type of threat actor varies from motivations, skills, and resources to their reasons and how they attack. Understanding this is an essential step in planning and executing your defence.

Threat actors are continuously looking for ways and means to infiltrate organisations. Your systems can be the conduit they can use. For example, a phishing message may trick you into sharing sensitive credentials through a cleverly worded statement.

Protection Against Threat Actors

An important point is that while a threat actor may intend to harm, this should be balanced against their capability to do so.

For example, cyber criminals can hack your customer database but may lack the intent because they cannot gain financially.

Understanding and categorising threat actors allows to focus on your cyber security plan.

How does Sapphire Counteract Threat Actors?

Sapphire’s Managed Threat Intelligence Service provides organisations with actionable intelligence.

We work closely with organisations to understand their sector, employees, and systems. Sapphire’s analysts then use this information as a guide to fix vulnerabilities, uncover new ones, and implement internal security policies.

How does Sapphire collect IOCs (Indicators of compromise) about threat actors?

Since cyber security is ever-evolving, we must constantly learn and adapt to new security threat trends and proactively seek answers.

One of our main objectives as a SOC (Security Operations Centre) and an MSSP (Managed Security Service Provider) is collecting data from various threat intelligence sources and indicators of compromise.

These sources include past incidents from the open web, the dark web, and technical sources. Our primary source of collections is threat intelligence platforms, both from open-source and the intelligence platforms we use.

In addition, Sapphire actively gathers via the SOC, where the SOC proactively looks for any significant or minor threat information. 

We use our platforms to go through a series of different triggered alerts that notify the SOC of any threat news. Additionally, we check a variety of threat posts, threat reports, vulnerability advisories and vulnerability posts. We then extract any available threat data.

Threat data is usually thought of as lists of IoCs, such as:

• Malicious IP addresses.
• Domains.
• File hashes.
• Vulnerability information: such as the personally identifiable information of customers.
• Raw code from paste sites.
• Text from online sources or social media.

How does SIEM, EDR detect and defend against threats?

Threat intelligence data can take many forms, but the idea is to convert it into a format that we can use in our SIEM, EDR, and CTI services. Most of our platforms can parse information into relevant fields for easy human comprehension.

The threat data or IoCs are manually analysed and reviewed. Based on the collected IoCs, we create customised rules, alerts, dashboards, reports, investigations, and more.

Not all IoC information is reviewed manually. IoC data integrated into specific rules to alarm certain things will likely have gone through a manual review process.

Most IoCs will be identified and processed automatically before getting pulled into the SIEM/EDR platform, where that information can then trigger alerts.

At Sapphire, we also write reports on a specific circumstance whenever a threat or vulnerability affects our customer(s). We then proceed with providing recommendations whilst enhancing our detection and defence against those threats.

Let’s talk

If you would like to learn more about how Sapphire can support your organisation’s cyber resilience, get in touch with us.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *