Story 13 — The Rogues Gallery · Gary's Security Stories

Reading Progress

00 / 22

Story 13 · Domain 2 · Threat Actors

The Rogues Gallery.

Cipher Lane police station has a pinboard of known troublemakers. Each one is different. Understanding who they are changes everything about how you defend.

By The Editors Photography: Cipher Lane Observer 2 min read

The police inspector pins five photos on the board. "Know your enemies," he says. "Not just who they are — what they want, how patient they are, and how much they're willing to spend."

The government spy — dressed in an expensive suit, unlimited budget, team of fifty behind him. He's not after Gary's money. He wants Gary's secret recipes to give to his own country's coffee industry. He's patient — he'll spend months getting in. That's a Nation-State / APT. Highest sophistication, government-funded, motivated by espionage. Most dangerous threat actor.

The gang — three blokes in a van. They want the cash register. They'll smash, grab, and vanish. If they can't get cash, they'll padlock Gary's shop and demand ransom to give the key back. That's Organised Crime. High skill, financially motivated, ransomware and fraud.

The protester — marches up to Gary's shop with a megaphone because Gary uses non-recyclable cups. She spray-paints the window and posts it online. She doesn't want money — she wants attention and change. That's a Hacktivist. Medium skill, ideologically motivated, public disruption.

The angry ex-employee — Gary sacked him last week. He still knows the alarm code, the wifi password, and where the spare key is. He doesn't need to break in — he already has access. That's an Insider Threat. Varying skill, motivated by revenge or money, already inside the perimeter. The hardest to detect.

The teenager — found a YouTube video called "how to pick locks" and is trying it on every door on Cipher Lane. Doesn't really know what he's doing. Using someone else's tools. That's a Script Kiddie. Low sophistication, uses public tools, curiosity-driven.

The police describe each troublemaker with four attributes.

Internal or external? — the ex-employee is internal. Everyone else is external. Sophistication? — nation-state is highest, script kiddie is lowest. Resources? — government spy has unlimited budget. The teenager has none. Intent? — the teenager is mostly accidental. The gang is fully intentional. The insider could be either.

The insider threat is the hardest to defend against — not because they're the most sophisticated, but because they already have access. The perimeter that stops everyone else means nothing to them. — Story 13 · Threat Actors

// ON THE EXAM

Nation-state actors have the highest sophistication and resources. Organised crime is primarily financially motivated — ransomware is their tool. Insider threats are uniquely dangerous because they already have access. Script kiddies are low-skill and use existing tools. Match the motivation to the actor.

Check Yourself · Question 13

A threat actor encrypts Gary's accounts and demands Bitcoin. Motivated by profit, using high technical skill. Which actor type is most likely responsible?

Organised crime. Ransomware is the tool of choice for organised crime — financially motivated, high skill, operated like a business. Nation-states pursue espionage and long-term strategic objectives. Hacktivists want visibility and ideological impact. Script kiddies use existing tools without the sophistication to deploy and manage ransomware campaigns.

Terminology · Story 13

The Pinboard.

// Term · 01 / 04

Nation-State / APT

Tap to reveal

// Definition

Government-funded, highest sophistication, unlimited resources, patient (months/years). Motivated by espionage, strategic intelligence, disruption.

Domain 02

// Term · 02 / 04

Insider Threat

Tap to reveal

// Definition

Already has legitimate access. Motivated by revenge, financial gain, or ideology. Varying skill. The perimeter doesn't stop them — they're already inside.

Domain 02

// Term · 03 / 04

Hacktivist

Tap to reveal

// Definition

Ideologically motivated — political, environmental, social causes. Medium skill. Wants visibility and disruption rather than financial gain. Website defacement, DDoS.

Domain 02

// Term · 04 / 04

Script Kiddie

Tap to reveal

// Definition

Low sophistication, uses publicly available tools without deep understanding. Curiosity-driven rather than strategic. The teenager with a YouTube tutorial.

Domain 02

In the wild

A threat intelligence analyst profiles an active APT campaign.

A threat intelligence analyst at a European defence contractor opens her morning feed at 08:15. MISP has flagged a cluster of indicators — command-and-control domains with registration patterns consistent with a known nation-state group tracked internally as TI-CRANE-7. The group is assessed with high confidence as being state-sponsored, with a primary interest in aerospace supply chain data. Not ransomware. Not credentials for resale. Strategic, long-term exfiltration.

She pulls the MITRE ATT&CK mapping for the group. Initial access via spearphishing with weaponised documents. Persistence via scheduled tasks. Lateral movement using living-off-the-land binaries — legitimate Windows tools repurposed so that signature-based detection is largely blind to them. This is categorically different from organised crime groups, which optimise for speed-to-payout. APT groups optimise for dwell time and stealth. The distinction matters for how you hunt.

Separately, the security operations team has raised Jira ticket SEC-2841: a privileged user in the engineering division accessed twelve file shares outside their normal working hours over the past three weeks. The activity could be benign — a project deadline, remote work. It could be an insider threat, either malicious or a compromised account. The analyst notes that insider threats do not require any external actor at all. The hardest cases are where the credentials are legitimate and the behaviour deviates slowly enough to look like drift rather than intent.

She writes a TTP summary for the weekly threat brief. Nation-state at the top. Insider investigation open. The two cases have nothing to do with each other — and that is the point. Different actors, different motivations, different detection strategies.

THE ROGUESGALLERY.

The Rogues Gallery.

A threat actor encrypts Gary's accounts and demands Bitcoin. Motivated by profit, using high technical skill. Which actor type is most likely responsible?

The Pinboard.