Mod 07 · Adversary Ecosystem

Six archetypes. One ladder.

Threat actors come in stable archetypes — long-lived shapes that outlast specific group names, campaigns, and CVEs. The capability ladder runs from automated opportunists (most of the volume) up to nation-state operators (the smallest set, the most patient). Insiders sit outside the ladder: they're authorized, which is why they don't need any of it.

Tier 0

Opportunistic / commodity

Resources / capability

Minimal — automated scanning, known exploits, reused credentials from public dumps. No targeting; whoever's exposed gets hit.

Typical targets

Anyone with an exposed surface. Mid-market organizations without basic hygiene get selected automatically by this tier's scanning; nobody chooses them.

Most relevant defenses
  • MFA
  • EDR
  • email security
  • patching / exposure basics
  • backup

Note · Most attacks worldwide are this — the baseline most orgs need to defend against first.

Tier 1

Commodity ransomware / RaaS affiliates

Resources / capability

Moderate — purchased initial access from access brokers, RaaS kits with playbooks. Some targeting (sector preference, size).

Typical targets

Under-resourced mid-market — healthcare systems, school districts, manufacturing, municipalities.

Most relevant defenses
  • MDR
  • EDR
  • identity
  • backup / recovery
  • exposure management

Note · The breach class that makes the news in mid-market. Recovery cost dominates the loss, not data theft.

Tier 2

Hacktivist / ideological

Resources / capability

Variable — defacement, DDoS, document leaks. Sporadic but reputation-damaging.

Typical targets

Politically or reputationally salient organizations — government, energy, controversial brands.

Most relevant defenses
  • DDoS defense
  • web / app security
  • exposure management
  • IR retainers

Note · Often spikes around news events. Not the durable threat for most orgs.

Tier 3

Organized cybercrime

Resources / capability

Well-resourced — BEC at scale, sophisticated ransomware ops, data theft for resale on dark markets.

Typical targets

Whatever yields financial gain at scale: financial services, retail, large enterprise.

Most relevant defenses
  • identity / ITDR
  • email / BEC defense
  • DSPM / DLP
  • MDR
  • SIEM / SOC

Note · Where most named ransomware crews sit. Modern affiliates blur the line into nation-state TTPs.

Tier 4

Nation-state / APT

Resources / capability

Top-tier — custom tooling, stealth, espionage, pre-positioning, destructive operations. Patient.

Typical targets

Government, defense industrial base, critical infrastructure, high-value IP holders.

Most relevant defenses
  • threat intelligence
  • advanced detection engineering
  • BAS / validation
  • identity governance
  • OT security
  • IR retainers

Note · Most orgs are not in this threat model. If you are, you know.

Insider

Insider (malicious + negligent)

Resources / capability

Variable — legitimate access, mishandled or misused. Negligent insiders (most cases) bypass technical controls by being authorized.

Typical targets

From within — wherever the insider has access. Disgruntled departures, third-party contractors with broad permissions, careless privileged users.

Most relevant defenses
  • DLP
  • data access governance
  • UEBA
  • identity governance
  • DSPM

Note · Quietly the largest class of incidents by count, dwarfed in headlines by nation-state and ransomware.