Threat Actor

Bart Lenaerts-Bergmans - February 28, 2023

What Is a Threat Actor?

A threat actor, also known as a malicious actor, is any person or organization that intentionally causes harm in the digital sphere. They exploit weaknesses in computers, networks and systems to carry out disruptive attacks on individuals or organizations.

Most people are familiar with the term “cybercriminal.” It brings to mind thieves behind a ransomware attack, or murky images of personal information laid bare on the dark web. The term “threat actor” includes cybercriminals, but it is much broader. Idealogues such as hacktivists (hacker activists) and terrorists, insiders and even internet trolls are all considered threat actors.

Threat Actor Targets

Most threat actors are indiscriminate in choosing their targets. They look for vulnerabilities to exploit rather than individual people. In fact, mass scammers and automated hackers attack as many systems as possible and spread between networks like an infection.

Some cybercriminals go by the name “big game hunters” or “advanced persistent threats.” They intentionally attack specific high-value targets. They take time to study their target and conduct a specialized attack that is more likely to succeed.

Causes for Concern

No one is safe from becoming a threat actor’s target. Businesses and individuals alike face this risk. In fact, one study from the University of Maryland estimates a cyberattack occurs every 39 seconds.

In addition, threat actors advance just as fast as cybersecurity does. Your company’s malware security software may be up to date, but cybercriminals create new methods of attack every day. However, you can use threat intelligence to make faster, better-informed security decisions that strike back against threat actors.

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

Types of Threat Actors

There are several types of malicious actors. Most fall under the standard cybercriminal umbrella, such as scammers, thrill seekers, and ideologues. However, two types are unique: insider threat actors and nation-state threat actors.

Insider Threats

Insider threats are difficult to identify and prevent because they originate inside the targeted network. An insider threat doesn’t have to break down defenses to steal data or commit other cybercrimes. They may be an employee, consultant, board member or any other individual with privileged access to the system.

According to the 2021 Verizon Data Breach Investigations Report, insider threats perpetrated over 20% of data breaches. Most of these breaches come from privilege abuse, which is the type of threat that takes the longest to identify. Insider threats don’t need to force access to the system, so they don’t always set off cybersecurity alerts.

Click here to learn more about Insider Threat Indicators.

Nation-state Threat Actors

Nation-state threat actors work at a national level; they generally target intelligence in the nuclear, financial or technology sectors. This type of threat usually refers to government intelligence agencies or military, meaning they are highly trained, extremely stealthy and protected by their nation’s legal system. Sometimes, states make use of outside organizations. Outside organizations don’t always have the expertise to get past a security operations center (SOC), but the state is able to deny responsibility.

In addition to collecting intelligence, a nation state threat actor may attack critical infrastructure or attempt sabotage.

Motivations for Threat Actors

A threat actor or advanced persistent threat usually seeks monetary gain. They do this by retrieving data that they can sell to a third party or by directly exploiting a victim through a ransomware attack.

Insider threats may be following the lead of other cybercriminals by selling information to competitors. They may also be more personally motivated; if they have a grudge against their company or boss, they could attempt to compromise the network in retaliation. According to Verizon, 17% of insider threats are motivated simply by fun. Finally, insider threats who plan to start a competing business may steal data to give themselves an edge.

Nation-state threat actors are politically or nationalistically motivated. They primarily seek to improve their nation’s counterintelligence. However, they may have more disruptive goals as well, such as espionage, spreading disinformation and propaganda, and even interfering with key companies, leaders or infrastructure. Regardless of their specific goal, nation-state threat actors receive state support and protection for their crimes.

Terrorists and hacktivists are also politically motivated but do not act at the state level. Hacktivists want to spread their individual ideas and beliefs, usually rooted in a social or political issue. Terrorists, on the other hand, aim to spread mayhem and fear to accomplish their goals.

How to Stay Ahead of Threat Actors

Most threat actors gain access through phishing. This takes the form of official-looking emails requesting a password change or fake login pages that steal credentials. Your employees may be past the days of falling for the “Nigerian prince” scam, but phishing methods continue to grow more sophisticated with time. As long as the possibility for human error exists, your company could fall prey to a cyberattacker.

Avoiding Threat Actors

The best practices for avoiding threat actors include the following:

  • Educate employees on cybersecurity to reduce human error.
  • Use multifactor identification and change passwords frequently to keep data safe.
  • Monitor employee activity to identify possible insider threats.
  • Install cybersecurity software to block malicious actors.

You also need to avoid all kinds of phishing attacks. Treat emails that ask for a quick reaction with suspicion. In addition, be sure to keep all devices up-to-date and on protected networks; any internet-enabled device could be a weak point in your defenses.

Systems to Put in Place

Some simple defensive systems you can use to protect yourself against threat actors include VPNs and guest networks that limit visitor access to sensitive data and devices. You should also have a response plan in place in case an attack succeeds.

The best defense is a good offense. Instead of responding to attacks after your system is compromised, take an active approach by threat hunting. Threat hunting is a human-powered approach in which threat hunters proactively seek out, investigate and destroy malware as soon as they detect unusual activity. A security team can stop cyberattacks before irreparable damage can take place.

2023 Threat Hunting Report

In the 2023 Threat Hunting Report, CrowdStrike’s Counter Adversary Operations team exposes the latest adversary tradecraft and provides knowledge and insights to help stop breaches. 

Download Now

Protect Yourself from Threat Actors

Malicious threat actors could be targeting you right now; target them right back. To protect yourself from all kinds of cyberattacks, learn about the different types of threats around you and put effective active security measures into place immediately.

Learn how CrowdStrike CROWDSTRIKE FALCON® INTELLIGENCE™ provides an automated solution to threat intelligence, including threat hunting and preventing cyberattacks.


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.