The Threat Landscape and Threat Actors
The threat environment facing modern organisations spans nation-state attackers, organised criminal groups, insiders, and accidental disclosure, each with distinct motivations, capabilities, and attack patterns. Understanding these categories directly shapes audit scope, control selection, and the intelligence inputs that make risk assessments credible.
The threat environment facing an organisation is the set of actors, their motivations, and the methods they use to compromise confidentiality, integrity, or availability. Classifying threat actors, from nation-state intelligence units and organised criminal enterprises to malicious insiders and negligent employees, gives security teams and auditors a concrete basis for deciding which risks to prioritise, which controls to implement, and what evidence to collect during an audit. Without a clear picture of who is attacking, what they want, and how they operate, control selection becomes guesswork and audit scope cannot be rationally defended.
Threat actors differ in three fundamental dimensions: motivation, capability, and persistence. A hacktivist group wants visibility and reputational damage, operates with moderate technical skill, and typically moves on after a successful defacement or leak. A nation-state unit wants durable access to specific data, commands significant technical and human resources, and may remain undetected for months or years. An organised criminal group wants financial return and optimises for operational efficiency, reusing tools that have proven effective across many targets. These differences translate directly into different attack patterns, different dwell times, and different control requirements.
Threat intelligence, the structured collection and analysis of information about adversaries and their methods, connects the abstract categories of threat actor to concrete evidence about what is happening in a given sector right now. Frameworks such as MITRE ATT&CK provide a shared vocabulary for describing adversary techniques drawn from real incidents, allowing auditors and security teams to map observed or anticipated attack paths against an organisation's current control coverage. This topic covers the principal actor categories, their typical profiles, and how threat intelligence disciplines feed into audit planning and control selection.
By the end of this topic you will be able to:
- Describe the principal categories of threat actor and explain how their motivations and capabilities differ from one another.
- Distinguish malicious insiders from negligent insiders and identify appropriate controls for each.
- Explain what threat intelligence is, where it comes from, and how it is incorporated into audit scope definition and control selection.
- Apply the MITRE ATT&CK framework to map threat-actor techniques against an organisation's control coverage.
- Describe how accidental disclosure and supply-chain compromise fit into a comprehensive threat model.
- Threat actor: An individual, group, or organisation with the motivation and capability to carry out an attack against an information system. Classified by type (nation-state, criminal, insider, hacktivist, etc.), motivation, and assessed technical capability.
- Threat vector: The pathway or method a threat actor uses to gain access or cause harm. Examples include phishing email, unpatched software vulnerabilities, compromised third-party suppliers, and removable media. Distinct from the actor: the same vector can be used by different actor types.
- Advanced Persistent Threat (APT): A category of attacker, typically nation-state or state-sponsored, characterised by high technical capability, long dwell times, specific targets, and disciplined operational security. Named APT groups (e.g. APT28, APT41) are tracked by threat intelligence vendors and government agencies.
- Insider threat: A security risk originating from within the organisation, including current or former employees, contractors, and business partners who have or had authorised access. Divided into malicious (intentional misuse) and negligent (inadvertent harm) sub-types.
- Threat intelligence: Processed, analysed information about adversaries, their capabilities, and their current or anticipated activities. Includes strategic intelligence (actor motivations and trends) and tactical intelligence (specific indicators of compromise and techniques). Feeds directly into risk assessments and audit scope.
- MITRE ATT&CK: A publicly maintained knowledge base of adversary tactics and techniques observed in real-world attacks, organised into matrices covering enterprise, mobile, and industrial control system environments. Used by auditors to identify control gaps against documented attack patterns.
Nation-state and state-sponsored actors
Nation-state actors are intelligence or military units operating on behalf of a government, or criminal groups that receive protection, tasking, or resources from a state in exchange for conducting operations aligned with state interests. They are grouped under the APT designation. As of 2024, tracking organisations including Mandiant, CrowdStrike, and national cybersecurity agencies in the US (CISA), UK (NCSC), EU (ENISA), and India (CERT-In) have publicly named and characterised dozens of distinct APT groups, attributing them to China, Russia, North Korea, Iran, and other states.
State actors are distinguished by four characteristics. First, their objectives are strategic: economic espionage, intellectual property theft, pre-positioning for disruption of critical infrastructure, or gathering intelligence on foreign government and military activities. Second, their resources are substantial: dedicated teams, custom malware, zero-day vulnerability research, and significant operational security tradecraft. Third, their dwell times are long: once inside a network, they work to maintain persistent access, sometimes for years, before taking any visible action. Fourth, their targeting is specific: they research their targets in advance, select individuals for spear-phishing campaigns, and customise their tools to evade the specific defences deployed by the target.
For auditors, the presence of state-sponsored threat actors in the relevant sector elevates certain control requirements. Supply-chain integrity, multi-factor authentication, privileged access management, network segmentation, and endpoint detection and response capabilities all become higher priority when the anticipated adversary can sustain a long campaign and has the resources to defeat basic perimeter defences.
Organised criminal groups and financially motivated attackers
Financially motivated criminal groups are the most common source of intrusions affecting mid-size and large organisations globally. Their primary goals are direct financial gain through fraud, ransomware extortion, and business email compromise; and secondary gain through the sale of stolen credentials, personal data, and intellectual property on criminal marketplaces. Unlike nation-state actors, criminal groups optimise for return on investment: they reuse tools and techniques that work, move quickly, and do not invest heavily in stealth once they have achieved their objective.
Ransomware as a Service (RaaS) has industrialised the criminal threat. A small number of ransomware developers create and maintain the malware and the payment infrastructure, then license it to affiliate groups who conduct the intrusions. This separation of development from operations has expanded the pool of capable attackers well beyond those with the technical skills to write ransomware. The FBI, Europol, and national law enforcement agencies have disrupted several major RaaS operations in recent years, including the February 2024 Operation Cronos action against LockBit, but the model has proven resilient and groups re-emerge under new names.
| Characteristic | Nation-state APT | Organised crime | Hacktivist |
|---|---|---|---|
| Primary motivation | Strategic intelligence, disruption | Financial gain | Ideological, reputational damage |
| Technical capability | Very high; custom tools and zero-days | Moderate to high; commodity and RaaS tools | Low to moderate; public exploit kits |
| Dwell time | Months to years | Days to weeks | Hours to days |
| Target selection | Specific, researched | Opportunistic or sector-wide | Chosen for symbolic or political visibility |
| Relevant frameworks | NIST CSF, ISO 27001 Annex A, CIS Controls IG3 | CIS Controls IG2, PCI-DSS, backup integrity controls | Web application controls, DDoS mitigation |
From an audit perspective, financially motivated attackers make certain controls non-negotiable: offline or immutable backups, tested recovery procedures, email filtering and anti-phishing training, and multi-factor authentication on all externally accessible accounts. PCI-DSS, which the card brands impose contractually on any organisation that stores, processes, or transmits cardholder data regardless of jurisdiction, addresses a significant share of the attack surface that criminal groups exploit.
Insider threats: malicious and negligent
Insider threats are categorised into two distinct sub-types that require different controls. Malicious insiders intentionally misuse their authorised access to steal data, sabotage systems, or assist external attackers. They may be motivated by financial gain, grievance, coercion, or ideological alignment with an external actor. Their defining characteristic is that they use legitimate credentials and often know how logging and monitoring works, which allows them to evade controls designed to detect external intruders.
Negligent insiders cause harm through carelessness rather than intent. They misconfigure storage buckets, fall for phishing emails, use weak passwords, install unauthorised software, or send sensitive data to personal email accounts for convenience. The Verizon Data Breach Investigations Report consistently shows that a large proportion of confirmed data breaches involve human error. The negligent insider is not an adversary, but the harm they cause can be as serious as a deliberate attack, particularly for compliance purposes under GDPR in the EU, the Digital Personal Data Protection Act 2023 in India, or HIPAA in the United States.
Controls for the two sub-types differ. Malicious insider controls focus on least-privilege access, separation of duties, privileged access monitoring, user and entity behaviour analytics (UEBA), and background screening. Negligent insider controls focus on security awareness training, technical guardrails such as data loss prevention, configuration management, and phishing simulations. Both sub-types are tested with the same core audit procedures: periodic access reviews, log analysis, and checks that offboarding revokes access promptly when employment ends.
Hacktivists, script kiddies, and other actor types
Hacktivists attack organisations to advance a political, social, or environmental cause. Their preferred methods include website defacement, distributed denial of service (DDoS) attacks, and leaking stolen data to embarrass a target. Groups such as Anonymous and its various affiliates have targeted governments, financial institutions, and corporations across multiple countries in campaigns tied to specific political events. The technical capability of hacktivist groups varies widely, but most rely on public exploit tools and coordinated DDoS rather than custom malware.
Script kiddies are low-skill attackers who use pre-packaged exploit tools without deep understanding of how they work. They are opportunistic, scanning for known vulnerabilities across large IP ranges and attacking whatever responds. Their volume can be significant even if their individual capability is low: a web application with an unpatched common vulnerability is quickly found and exploited by automated scanners regardless of whether the organisation is a target of any sophisticated actor.
Two further actor types warrant separate mention. Cyber terrorists seek to cause fear, economic disruption, or physical harm through attacks on systems, particularly critical infrastructure such as power grids, water treatment, and transport control systems. Their attacks are rare but receive significant legislative and regulatory attention; the EU's NIS2 Directive (2022) and the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022) both address this threat category specifically. Corporate spies, sometimes operating as contractors or through business relationships, target trade secrets, pricing strategies, and client lists for competitive advantage. They may use both digital intrusion and physical means.
Supply-chain compromise and third-party risk
Supply-chain attacks target an organisation's suppliers, software vendors, or managed service providers rather than the organisation directly, using that access as a stepping stone. The 2020 SolarWinds compromise, attributed by the US government to Russia's SVR, in which attackers inserted malicious code into a legitimate software update distributed to up to roughly 18,000 customers including multiple US government agencies, demonstrated that even organisations with strong internal controls can be compromised through a trusted third party. The 2021 Kaseya VSA incident, in which the REvil ransomware group abused a remote management tool, deployed ransomware to an estimated 800 to 1,500 businesses through managed service providers.
Supply-chain risk sits at the intersection of threat actor analysis and third-party risk management. The threat actors most likely to invest in supply-chain compromises are nation-state groups targeting wide victim sets and criminal groups seeking an efficient multiplier: compromise one supplier, gain access to dozens of customers. The audit response includes vendor security assessments, contract security requirements, software composition analysis, and monitoring of third-party access within the organisation's own environment.
Regulatory frameworks are increasingly explicit about third-party risk. ISO/IEC 27001:2022 Annex A includes controls specifically addressing supplier relationships (A.5.19 to A.5.22). The DPDP Act 2023 in India holds data fiduciaries responsible for breaches caused by their data processors, mirroring the position taken by GDPR Article 28 in the EU. PCI-DSS v4.0 requires organisations to assess the security of third parties who store, process, or transmit cardholder data. These regulatory requirements give auditors clear scope for third-party risk testing.
Threat intelligence and its role in audit scope
Threat intelligence converts raw information about adversaries into actionable knowledge. It is divided by time horizon and audience. Strategic intelligence addresses trends in actor motivation and capability over months to years, and is consumed by senior leadership and board-level governance. Operational intelligence covers current campaigns, active groups, and recent incidents in the relevant sector, and is consumed by security operations and audit teams. Tactical intelligence covers specific indicators of compromise (IoCs): IP addresses, domain names, file hashes, and attack signatures that can be fed directly into detection tools. Tactical indicators are perishable: attackers rotate IP addresses, domains, and file hashes cheaply, so indicator-based detections need a feed that is refreshed and expired, while technique-level intelligence stays useful for much longer.
MITRE ATT&CK provides the most widely used common vocabulary for operational threat intelligence. The Enterprise matrix organises adversary behaviour into 14 tactics, from reconnaissance and initial access through exfiltration and impact, and lists specific techniques and sub-techniques under each. ATT&CK also maintains profiles of many named groups (APT28 and APT41 among them) recording the techniques attributed to them from public reporting. An auditor can take the techniques attributed to the groups relevant to a client's sector and map them against the client's control coverage, producing a gap analysis grounded in observed adversary behaviour rather than generic best practice. The caveat is that a group profile is only as complete as the public reporting behind it: a technique absent from a profile has not been documented, which is not the same as the group not using it, so the mapping sets a floor on what to test, not a ceiling.
Intelligence sources include open-source reporting from vendors such as Mandiant, CrowdStrike, and Recorded Future; government publications from CISA (US), NCSC (UK), ENISA (EU), and CERT-In (India); sector-specific Information Sharing and Analysis Centers (ISACs); and an organisation's own incident history. The audit planning process should include a threat intelligence review step before scope is finalised: if ransomware targeting the client's sector has recently adopted a new initial access technique, the audit should include testing of the controls relevant to that technique.
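The mapping described in the two paragraphs above, as an added example for this page that is not code from the page's author or from MITRE. It takes technique attributions for the groups an intelligence review has put in scope, compares them with a control register, and returns the uncovered techniques ranked by how many in-scope groups use them, plus a per-tactic coverage summary; that ranking and summary go a little beyond the single mapping the text describes. All data in it is constructed: the technique subset is shaped like ATT&CK Enterprise entries, the group names (ransomware-affiliate-A, ransomware-affiliate-B, espionage-group-C) are hypothetical, and the control register is invented. In practice the attributions would be loaded from the ATT&CK STIX bundle and the coverage map from the organisation's own control register.

```python
"""Threat-informed gap analysis: ATT&CK techniques attributed to in-scope actor
groups, mapped against a client's control register. Added example for this page,
not MITRE's or the page author's code. All data is constructed: a technique
subset, hypothetical group names and an invented control register."""
from collections import defaultdict, namedtuple

# Constructed subset: technique ID -> (name, tactic).
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "initial-access"),
    "T1190": ("Exploit Public-Facing Application", "initial-access"),
    "T1078": ("Valid Accounts", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1003.001": ("LSASS Memory", "credential-access"),
    "T1021.001": ("Remote Desktop Protocol", "lateral-movement"),
    "T1486": ("Data Encrypted for Impact", "impact"),
    "T1567.002": ("Exfiltration to Cloud Storage", "exfiltration"),
}
# Constructed attributions for hypothetical groups. A real ATT&CK group entry
# has the same shape (a set of technique IDs) and would be loaded from STIX.
GROUP_TECHNIQUES = {
    "ransomware-affiliate-A": {"T1566.001", "T1078", "T1059.001",
                               "T1003.001", "T1021.001", "T1486"},
    "ransomware-affiliate-B": {"T1190", "T1078", "T1003.001",
                               "T1021.001", "T1486", "T1567.002"},
    "espionage-group-C": {"T1566.001", "T1078", "T1059.001",
                          "T1003.001", "T1567.002"},
}
# Hypothetical control register: name, techniques the control mitigates or
# detects, and audit status ("implemented", "partial" or "absent").
Control = namedtuple("Control", "name covers status")
CONTROLS = [
    Control("MFA on all external access", {"T1078"}, "implemented"),
    Control("Email attachment sandboxing", {"T1566.001"}, "implemented"),
    Control("LSASS protection (Credential Guard)", {"T1003.001"}, "absent"),
    Control("PowerShell script block logging", {"T1059.001"}, "partial"),
    Control("Immutable offline backups", {"T1486"}, "implemented"),
    Control("Egress filtering to cloud storage", {"T1567.002"}, "absent"),
]
# groups: sorted tuple of in-scope groups using the technique;
# status: "covered", "partial" or "uncovered".
Finding = namedtuple("Finding", "technique name tactic groups status")
_STATUS_RANK = {"uncovered": 0, "partial": 1, "covered": 2}

def coverage_status(technique, controls=CONTROLS):
    """Best coverage any control gives a technique; a technique no control
    claims, or claimed only by absent controls, is uncovered."""
    best = "uncovered"
    for c in controls:
        if technique not in c.covers:
            continue
        if c.status == "implemented":
            return "covered"
        if c.status == "partial":
            best = "partial"
    return best

def relevant_techniques(groups, attributions=GROUP_TECHNIQUES):
    """Technique -> sorted tuple of the in-scope groups that use it."""
    users = defaultdict(set)
    for g in groups:
        for t in attributions[g]:
            users[t].add(g)
    return {t: tuple(sorted(gs)) for t, gs in users.items()}

def gap_analysis(groups, attributions=GROUP_TECHNIQUES, controls=CONTROLS):
    """Findings for techniques not fully covered, ranked by number of in-scope
    groups using them, then weaker coverage first, then technique ID."""
    findings = []
    for t, gs in relevant_techniques(groups, attributions).items():
        status = coverage_status(t, controls)
        if status == "covered":
            continue
        name, tactic = TECHNIQUES[t]
        findings.append(Finding(t, name, tactic, gs, status))
    findings.sort(key=lambda f: (-len(f.groups), _STATUS_RANK[f.status], f.technique))
    return findings

def tactic_coverage(groups, attributions=GROUP_TECHNIQUES, controls=CONTROLS):
    """Tactic -> (fully covered techniques, in-scope techniques). Partial
    coverage counts as not covered, so the summary cannot flatter."""
    summary = defaultdict(lambda: [0, 0])
    for t in relevant_techniques(groups, attributions):
        tactic = TECHNIQUES[t][1]
        summary[tactic][1] += 1
        if coverage_status(t, controls) == "covered":
            summary[tactic][0] += 1
    return {k: tuple(v) for k, v in summary.items()}

if __name__ == "__main__":
    # The intelligence review put two ransomware affiliates in scope for this
    # client's sector and left the espionage group out.
    in_scope = {"ransomware-affiliate-A", "ransomware-affiliate-B"}
    for f in gap_analysis(in_scope):
        print(f"{f.technique:<10} {f.tactic:<18} {f.status:<9} {len(f.groups)} group(s): {f.name}")
    for tactic, (done, total) in sorted(tactic_coverage(in_scope).items()):
        print(f"{tactic:<18} {done}/{total} fully covered")
```

The scope decision from the intelligence review is the `in_scope` set: adding espionage-group-C, or a newly reported initial access technique to an affiliate's attributions, changes the ranking without touching the control register, which is the point of re-running the mapping before scope is finalised. Partial coverage is deliberately counted as a gap in the tactic summary so that a half-deployed control cannot make a tactic look closed.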
Key Takeaways
- Threat actors differ in motivation, capability, and persistence: nation-state APT groups pursue strategic objectives with long dwell times; organised criminal groups seek financial return with commodity tools; hacktivists want reputational impact; insiders exploit legitimate access from within.
- Insider threats split into malicious (intent to cause harm) and negligent (accidental harm through carelessness). Controls and audit procedures differ significantly between the two sub-types.
- Supply-chain compromise uses trusted suppliers and software vendors as a pathway into target organisations. ISO 27001:2022, GDPR, DPDP Act 2023, and PCI-DSS all include explicit third-party security obligations that define audit scope.
- Threat intelligence, including strategic, operational, and tactical levels, converts information about adversaries into decisions about which controls to prioritise and which audit tests to run.
- MITRE ATT&CK provides a vendor-neutral, evidence-based vocabulary linking named actor groups to specific techniques. Mapping these techniques against an organisation's controls is a structured method for producing a threat-informed audit scope rather than a generic checklist.