Daniel Hand, Field CTO (APJ), Cloudera

Threat actors’ motivations and methods can be classified into three areas:

    1. Access vectors: These are the ways in which a threat actor gains access to a system or resource. The most common approach is spear phishing via email. This typically includes either a malware attachment or an embedded link to an external malware service that a user inadvertently clicks on. People are the weakest link in the security chain and constitute a preferred route to gaining access to systems and networks.

    The next most common access vector is the exploitation of public-facing applications. Web applications increasingly provide convenient access to useful but often highly sensitive information. Organizations and policy makers continue to balance the convenience of access to data and services against the sensitivity of those services and the size and number of access vectors. Exploitation of public-facing applications can occur as a result of software bugs or misconfiguration. Exploited applications often include web and application servers, but can also include databases and network services that are inadvertently exposed to the internet.

    2. Actions on objectives: Once threat actors have gained a foothold via an initial access vector, they may gain even greater access to resources or engage in further actions such as installing malware (backdoors and ransomware), gaining server and remote-tool access, and compromising business email. Ransomware attacks are not restricted to an individual's or organization's data, but may target disruption of organizational network services, including authentication, authorization, virtual compute, storage and networking. Side note: In 2019 the average time to deploy ransomware was two months; in 2021 it was only four days, a reduction of 94%.

    3. Impact: In addition to cybercrime being a significant area of growth, the exploitation of vulnerabilities and the harvesting of large amounts of sensitive data are happening more rapidly than ever before. Notable data breaches from 2023 include the ancestry data of 6.9m users at 23andMe, attributed to customers reusing passwords, which allowed hackers to brute-force logins using publicly known passwords released in other companies' data breaches.

    While one could argue that brute-force attempts to crack passwords should be detectable by an application's authentication service, and the affected accounts temporarily suspended to thwart threat actors, this could inadvertently result in a denial of service for the very users whose accounts are under attack. While the reuse of passwords across multiple accounts is arguably a problem created by users, publicly accessible applications — especially those that can expose sensitive data — should enforce two-factor authentication.

    Another example from 2023 is the ransomware attack on the UK postal service Royal Mail, which led to months of disruption in the dispatch of letters and parcels to destinations outside the United Kingdom. It also resulted in the theft of sensitive data (personally identifiable information, or PII), including technical information, human resources and staff disciplinary records, details of salaries and overtime payments, and even one staff member's COVID-19 vaccination records.

    The PII is then frequently sold on the Dark Web or other forums to conduct further operations against targets. While some data breaches may be attributed to organizations failing to meet the guidelines outlined in regulations and policies, many have fallen prey to threat actors silently gaining access to a user account or service with privileged access. In such cases, threat actors are detected through their unusual behavior, or by a notification or demand from the threat actor seeking to extort money from the individual or organization.
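As an added illustration of the detection trade-off raised under Impact (example code written for this page, not code from the article or from Cloudera): the script below reads constructed authentication log lines and classifies failed logins so that a source failing against many distinct accounts is throttled at the source, while an account under sustained attack is moved to step-up (second-factor) authentication rather than suspended, which avoids the denial of service described above. The log format, account names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article), one event per line:
# "<timestamp> <OK|FAIL> <account> <source ip>". 203.0.113.5 tries many accounts once
# each with passwords leaked elsewhere (credential stuffing; dave reused his),
# 198.51.100.7 hammers a single account, and 192.0.2.9 is the real alice mistyping once.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z FAIL alice 203.0.113.5
2023-10-01T12:00:02Z FAIL bob 203.0.113.5
2023-10-01T12:00:03Z FAIL carol 203.0.113.5
2023-10-01T12:00:04Z OK dave 203.0.113.5
2023-10-01T12:00:05Z FAIL erin 203.0.113.5
2023-10-01T12:00:10Z FAIL alice 198.51.100.7
2023-10-01T12:00:11Z FAIL alice 198.51.100.7
2023-10-01T12:00:12Z FAIL alice 198.51.100.7
2023-10-01T12:00:13Z FAIL alice 198.51.100.7
2023-10-01T12:00:20Z FAIL alice 192.0.2.9
2023-10-01T12:00:25Z OK alice 192.0.2.9
"""

def parse_log(text):
    """Yield (timestamp, result, account, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, parts[1], parts[2], parts[3]

def analyze(text, window=timedelta(minutes=5), spray_accounts=4, brute_fails=4):
    """Classify failures in the trailing window without suspending any account.
    An IP failing against >= spray_accounts distinct accounts is throttled at the
    source (credential stuffing); an account with >= brute_fails failures gets
    step-up authentication instead of a lockout, so an attacker cannot turn the
    defence into a denial of service against the account's real owner.
    """
    events = list(parse_log(text))
    if not events:
        return {"throttle_ips": set(), "stepup_accounts": set()}
    cutoff = max(e[0] for e in events) - window  # assumed: window ends at last event
    accounts_by_ip, fails_by_account = defaultdict(set), defaultdict(int)
    for ts, result, account, ip in events:
        if ts >= cutoff and result == "FAIL":
            accounts_by_ip[ip].add(account)
            fails_by_account[account] += 1
    return {
        "throttle_ips": {ip for ip, a in accounts_by_ip.items() if len(a) >= spray_accounts},
        "stepup_accounts": {a for a, n in fails_by_account.items() if n >= brute_fails},
    }
```

Note that the successful login for dave from the stuffing source is exactly the case a second factor would have stopped; the throttle alone only limits how many more accounts that source can try.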