Hour 3 of 8

Threat Actors & Attack Vectors

Script kiddies · Hacktivists · Crime · Insiders · APTs
~60 min · 3 interactive labs
CEH Objectives ▸ Classify threat actors by capability, intent, resources, and motivation · Map common attack vectors to actor classes · Use threat-actor profiles to prioritise controls
Maps to Module 01 · Introduction to Ethical Hacking
OP. KNOW-THY-ENEMY

Mission Brief

Glasshouse Bank's risk register lists 'cyber attack' as a single line item. The CISO wants you to decompose it into named adversaries with realistic playbooks so the defence budget can be aimed, not sprayed.

Profile 4 threat-actor classes most relevant to a regional bank
Match 8 real-world incidents to the actor type behind them
Recommend the top control per actor based on their preferred vector

Story · Three breaches, three very different attackers

In one month Glasshouse's industry peers suffered three incidents. A small credit union was crippled by LockBit ransomware demanding $2.1M. A government-owned bank in a neighbouring country had wire-transfer instructions silently altered for 11 days — fingerprints pointed to a state-sponsored APT. A fintech lost a confidential merger memo: posted to a leak forum by a contractor who'd been let go the prior Friday.

Same word — 'breach'. Three completely different attackers, with different goals, tools, patience, and tells. A defence built only for ransomware would have missed the APT and the insider entirely.

Threat-actor literacy is what turns generic security spending into targeted spending. By the end of this hour you'll read an incident summary and name the likely actor class within thirty seconds.

Trainer · Core Concepts

Script Kiddie

Low skill, runs off-the-shelf tooling (Metasploit modules, leaked exploit kits). Motivation: bragging rights, curiosity. Targets are opportunistic — whoever is exposed. Easily defended against with patching, MFA, and basic hygiene. They are noisy and unsubtle, which makes them the most common source of SOC alerts.

Hacktivist

Skill ranges low to medium. Motivation is ideological (political, environmental, religious). Common vectors: web defacement, DDoS, doxxing, hack-and-leak. Anonymous, LulzSec, and modern groups like KillNet are archetypes. They want visibility, so attacks are public-facing and timed to events (elections, conflicts, protests).

Organised Cybercrime

Skilled, well-resourced, financially motivated. Ransomware-as-a-Service crews (LockBit, BlackCat, Cl0p), business-email-compromise rings, banking trojan operators, initial-access brokers. They run businesses — affiliates, ransom negotiators, leak sites. Their preferred vectors: phishing, exposed RDP/VPN, exploited public CVEs, MSP supply chain.

Insider Threat

Has legitimate access already. Sub-types: MALICIOUS (disgruntled, espionage-for-hire, ideological), NEGLIGENT (clicks the phishing link, misconfigures the S3 bucket), COMPROMISED (account taken over without their knowledge). Hardest class to detect because their behaviour starts inside the trust boundary. UEBA, DLP, least-privilege, and offboarding rigor are the main controls.

Advanced Persistent Threat (APT)

Nation-state or state-sponsored. Highest skill, long-term resources, willing to spend months staging an operation. Goals: espionage, IP theft, sabotage, financial gain for the state (e.g. DPRK's Lazarus stealing crypto). Operate slowly, blend with legitimate admin activity, use zero-days when needed. Detection requires threat-intel-driven hunting and high-fidelity telemetry.

Cyber Terrorist & state-aligned hybrid

Aim to cause physical or societal disruption (power grids, transport, hospitals). Often state-tolerated or state-aligned. Vectors blur with APTs: spear-phish into OT environments, then destructive payloads. CEH groups them under 'cyber terrorism' but their tradecraft overlaps with both hacktivists and APTs.


Micro Labs

CLASSIFY

Lab 7 · Profile the Actor

Read each incident summary. Tag with the most likely threat-actor class.

Bank's homepage defaced with anti-globalisation slogans during a G20 summit
Ransomware encrypts 400 servers; affiliate of LockBit cartel claims responsibility
Departing relationship manager downloads client list to personal Dropbox on last day
Stealth implants in the SWIFT terminal silently re-routing wires for 9 months
Defaced WordPress site running a 2-year-old exploit; attacker left 'pwned by xX' tag
Spear-phish to CFO's assistant; malware blends with admin tools and exfiltrates M&A docs over months
Initial-access broker sells working VPN credentials on a dark-web forum for $4,800
DBA emails customer table to wrong vendor address by accident
MATCH

Lab 8 · Map Actor → Preferred Vector

Match each actor class to the attack vector that statistically appears most in their playbooks.

DECISION

Lab 9 · Pick the High-Leverage Control

For each threat-actor profile, which single control gives the most defensive leverage per dollar?

SCENARIO 1

Regional bank's biggest risk is ransomware (organised cybercrime). Limited budget for one initiative this quarter.

SCENARIO 2

Threat model now adds APT (state-sponsored economic espionage). Top single investment?

SCENARIO 3

Insider risk is rising — three contractor terminations next month. Single biggest control?


Knowledge Check

1. Which actor class is MOST likely to use a zero-day exploit?
2. An attack defaces a corporate site with political slogans during an election week. Most likely actor?
3. A negligent employee misconfiguring an S3 bucket counts as a…
4. Initial-access brokers (IABs) primarily serve…
5. The single biggest distinguishing trait of an APT vs. cybercrime is…

Challenge · The 30-Second Triage

Pick any one of Lab 7's scenarios. In ≤30 seconds, state: (1) actor class, (2) probable next move, (3) the ONE control that would have stopped them earliest in the kill chain.

CEH v13 Exam Focus

★★★★
Frequently tested
  • Threat-actor classes and distinguishing motivations
  • Mapping actor → typical TTPs / vectors
  • Insider sub-types: malicious vs. negligent vs. compromised
  • Why zero-days correlate with APTs
Memory tricks
  • SHCIA — Script-kiddie, Hacktivist, Cybercrime, Insider, APT (low → high capability).
  • MNC insiders — Malicious, Negligent, Compromised: three flavours, one access path.
Common traps
  • Equating 'sophisticated attack' with 'APT' — ransomware crews are sophisticated too.
  • Forgetting that negligent insiders count even without intent.
  • Calling state-aligned hacktivists 'just hacktivists' — tradecraft may overlap APT.
Rapid revision
  • Lone wolf / vandal = script kiddie
  • Ideology + public = hacktivist
  • Money + business model = cybercrime
  • Already inside = insider
  • Stealth + state = APT

Interview Prep