Cyber Security Basics 📂 Foundation · 11 of 15 43 min read

Threat Actors — Who Are the Hackers? From Hobbyists to Criminal Organisations

A cybersecurity professional's guide to the modern threat actor spectrum. Walks through the classic hat taxonomy, the six modern actor categories (hobbyist, hacktivist, insider, criminal, nation-state, terrorist), and drills deep into the two extremes with real 2024–2025 cases: the LockBit takedown, the Change Healthcare ransomware attack, the MGM Resorts breach, and the PowerSchool hack by a 19-year-old that reached the White House Situation

Section 01

The Story That Explains Threat Actors

Who Just Broke Into My House?
Imagine you come home and find your front door forced open. Before you call the police, you look around. What kind of person did this? A bored teenager trying his shoulder against every door on the block for the thrill? A professional burglar who researched your schedule, jammed your alarm, and left with the jewellery in ninety seconds? A spurned ex-employee who still had a key? A foreign intelligence operative who wanted to photograph a document in your safe and leave no trace? Or a political protester who spray-painted your wall to send a message?

Each one leaves a different forensic footprint. Each one has different motives, skills, tools, tolerance for risk, and success criteria. The way you defend against the teenager (deadbolt, motion light) is nothing like how you defend against the intelligence operative (Faraday-shielded room, TSCM sweeps). Attribution tells you the threat model. The threat model tells you the defence.

Cybersecurity works the same way. The generic word "hacker" hides at least six very different kinds of adversary — and the FBI's Internet Crime Report 2024 documented $16.6 billion in reported losses last year, most of them from a handful of well-organised criminal groups. Knowing who is on the other side of the keyboard is the first step in stopping them.

As a Certified Ethical Hacker, the very first slide I show in any incident-response training is a threat actor taxonomy. Defenders who cannot name their adversary cannot model their adversary; and defenders who cannot model their adversary are, at best, playing whack-a-mole. This tutorial walks through the full spectrum of threat actors — with a deep dive into the two extremes: hobbyists (the bored, the curious, the reckless) and criminal organisations (the professionals, the ransomware-as-a-service operators, the billion-dollar syndicates) — using real, named cases from the last three years.

🎯
The Core Insight

"Hacker" is not one thing. It is a spectrum — from a 14-year-old running downloaded tools in a bedroom, to a Russian-national CEO running a $500 million ransomware corporation with affiliates, bug bounties, and marketing merchandise. Both are technically "threat actors." Neither is defended against the same way.


Section 02

What Is a Threat Actor?

A threat actor (also called a malicious actor or adversary) is any entity — individual, group, or organisation — that carries out or intends to carry out actions that harm digital systems, data, or people. The concept has three parts:

Capability
What They Can Do
Technical skill, tooling, infrastructure, and access to zero-day exploits or malware. Ranges from downloaded scripts to custom-built implants.
Intent
Why They Attack
The goal driving the operation — money, espionage, notoriety, disruption, ideology, or revenge. Different motivations produce different behaviour.
Opportunity
What's Exposed
Your attack surface — unpatched systems, weak credentials, careless employees, misconfigured cloud buckets. Even a skilled attacker with strong intent needs opportunity.
Risk Tolerance
What They'll Accept
Willingness to be noisy, get caught, or face jail. A teen may not care about attribution; a nation-state operates under strict "deniability" rules.
💡
Threat = Capability × Intent × Opportunity

The classic risk formula. Take any variable to zero and the threat vanishes. You almost never remove capability or intent — those live in the attacker's head. Your job as a defender is to shrink opportunity: patch, harden, segment, monitor, and train users. That's how threat-actor thinking translates into daily security work.


Section 03

The Classic Hat Taxonomy — And Its Limits

You've probably seen the "hat colour" model of hackers. It's the oldest and most well-known framework, and it's still useful — but it only describes ethics and authorisation, not motive or organisation. Real threat-actor analysis needs more.

🗽
White Hat
Ethical Hacker
Authorised security professional. Penetration testers, red-teamers, bug-bounty hunters. Works with permission and reports findings. Certifications like CEH, OSCP, CISSP. These are the good guys.
🔐
Grey Hat
Unauthorised but Non-Malicious
Hacks without permission but discloses findings responsibly (or publicly, to embarrass an owner into fixing them). Legally still a criminal in most jurisdictions — good intentions don't authorise the act.
🎭
Black Hat
Malicious & Unauthorised
Attacks for personal gain, disruption, or damage. The category that contains every ransomware operator, credential thief, and destructive actor discussed later in this tutorial.
🐝
Green Hat
Novice — Learning
A beginner earnestly trying to learn hacking properly — usually in a legal lab. Not to be confused with a script kiddie, who wants results without the learning.
👷
Blue Hat
External Consultant / Revenge
Two uses: (1) an external security consultant brought in before product launch (Microsoft coined this usage); (2) a revenge-motivated attacker with no wider criminal agenda.
🛡️
Red Hat
Vigilante
A hacker who attacks other hackers — typically illegally, but with the intent of stopping black-hat activity. Very rare in the wild, more common in fiction.
⚠️
Why the Hat Model Isn't Enough

A "black hat" could be a bored 15-year-old, a Russian ransomware CEO, an Iranian military officer, or a jealous ex-partner. The colour doesn't tell you their skill level, their organisation, their funding, or their goals. Modern threat intelligence teams use a motive-based taxonomy instead — the one we'll spend the rest of this tutorial on.


Section 04

The Modern Threat Actor Taxonomy

Real-world intelligence teams (Mandiant, CrowdStrike, Microsoft Threat Intelligence, and the FBI's Cyber Division) sort adversaries into six primary categories based on who they are and why they attack. Every threat actor you'll ever encounter fits somewhere on this map.

Animated Diagram — The Six Categories

👥 Live Animation — The Threat Actor Spectrum
→ SKILL / RESOURCES ↑ SOPHISTICATION HOBBYISTscript kiddie HACKTIVISTideology INSIDERaccess holder CRIMINALorganised, $$$ APT / STATEgovt-funded TERRORdisruption
Each category lights up in turn. Moving up and right, skill, funding, and organisational sophistication all increase — but so does the effort required to attribute the attack.

Quick Reference — The Six Modern Categories

CategoryPrimary MotiveSkill LevelTypical TargetNotable Example
Hobbyist / Script KiddieCuriosity, thrill, cloutLow → mediumWhatever's exposed2015 TalkTalk (17-yr-old)
HacktivistIdeology, protestLow → highPolitical / corporateAnonymous, LulzSec
InsiderRevenge, greed, ideologyAny (they have access)Their own employerEdward Snowden (2013)
Criminal OrganisationMoneyHighRich, insurable victimsLockBit, BlackCat, Scattered Spider
Nation-State / APTEspionage, sabotageVery highGovernment, critical infraFancy Bear, Lazarus, Volt Typhoon
Cyber-TerroristFear, disruptionMedium → highPublic / symbolic targetsRare in pure form — often overlaps with state or criminal

Section 05

Hobbyists — Who They Are and Why They Matter

The term "hobbyist" — often used interchangeably with "script kiddie" — describes someone who hacks without professional organisation, usually without deep technical knowledge, and typically without financial sophistication. They do it because it's interesting, or because it earns them clout, or because it briefly feels like power.

It is tempting to dismiss them as harmless. That is a mistake. According to the UK's National Crime Agency, 61% of hackers begin hacking before the age of 15 and the average age of suspects arrested in NCCU investigations is 17 years old.

The Hobbyist Profile

👨‍💻
Who
Overwhelmingly young — teens and early twenties. Predominantly male but not exclusively. Often technically curious kids who found hacking forums, Discord servers, or gaming-cheat communities before finding legitimate outlets.
🎯
Motive
Bragging rights, in-group status, thrill of the forbidden, revenge on a school or employer, sometimes money. Financial motivation is often secondary to peer validation.
🔧
Tools
Downloaded exploit kits, Kali Linux tutorials, Metasploit modules, YouTube guides, credential dumps bought on Telegram. They rarely write their own malware — they run other people's.
📩
Delivery
Website defacement, DDoS booter services, SIM-swapping, credential stuffing, phishing pages copied from tutorials. High volume, low sophistication — until it isn't.
Weakness
Almost zero operational security. Boast on Discord, screenshot the victim, log in from home broadband, brag under a pseudonym they've reused for years. Most are caught this way.
📈
Trajectory
A worrying number graduate. The "script kiddie" who defaced a school website at 13 is the same person indicted for $115M in ransomware at 19. Hobbyism is often the gateway drug of organised cybercrime.

Real Case — The TalkTalk Hack (2015)

A 17-Year-Old, a SQL Injection, and £42 Million in Damage
In October 2015, UK telecoms operator TalkTalk suffered a data breach affecting hundreds of thousands of customers. The attack was orchestrated by a 17-year-old who exploited known vulnerabilities using readily available tools leading to the exposure of personal data belonging to thousands of customers. The TalkTalk attack was estimated to have cost the company £42 million.

The attacker wasn't a nation-state or a criminal syndicate. He was a teenager who ran a tool he'd downloaded — a classic SQL injection scanner — against publicly exposed URLs. The vulnerability was a decade-old class of bug. The consequences were nine figures. It is the textbook case of why hobbyists deserve the same defensive seriousness as professionals.

Real Case — Matthew Lane and the PowerSchool Breach (2024–2025)

A College Freshman, 60 Million Children, and the White House Situation Room
In September 2024, 19-year-old Matthew D. Lane, a freshman at Assumption University in Massachusetts, found stolen credentials for a PowerSchool contractor on the dark web. He used them to walk into the systems of an education platform used by 80% of school districts in North America. Barely a year earlier, while still a teenager, he helped launch what's been described as the biggest cyberattack in U.S. education history — a data breach that concerned authorities so much, it prompted briefings with senior government officials inside the White House Situation Room. The breach pierced the education technology company PowerSchool — used by 80% of school districts in North America — and "put at risk the security of 60 million children and 10 million teachers," the Justice Department said.

PowerSchool paid roughly $3 million in ransom to keep the data private. In April 2025, Lane was arrested at his dorm room by FBI agents. He is expected to serve federal prison time. In a subsequent interview, "I think I need to go to prison for what I did," Lane told ABC News in an exclusive interview, speaking publicly for the first time about the headline-grabbing heist and his life as a cybercriminal.
⚠️
Why the "Just a Teenager" Frame Is Dangerous

Lane used no zero-days. He used stolen credentials with no MFA. That is technically the same technique used by every ransomware crew in this tutorial. The difference between a "hobbyist" and a "criminal organisation" is often not the technique — it's the organisation behind it. The technique itself belongs to whoever picks it up.


Section 06

The Hobbyist-to-Professional Pipeline — "The Com"

A striking finding in recent cybersecurity reporting is that many so-called "criminal organisations" today are staffed by young hobbyists who grew up in gaming and hacking Discord communities. The most infamous is a loose network known as "The Com" (short for "The Community").

What Makes The Com Unique
What makes The Com and these groups uniquely dangerous is both their sophistication, and in how they weaponize the youth of their own members. Their tactics exploit teenagers' greatest strengths, including their technical savvy, cleverness, and ease as native English speakers. But their blindness to consequences, and habit of having conversations in public leaves them vulnerable to law enforcement. Starting in 2024, a series of high-profile arrests and indictments of young men and teenagers ranging in age from 18 to 25 has exposed the significant risk of getting involved in The Com.

Animated Diagram — The Hobbyist-to-Professional Timeline

📈 Live Animation — How a Kid Becomes a Cybercriminal
Age 12–13gaming cheatsDiscord/Roblox Age 13–15DDoS booters,SIM swaps Age 15–17crypto theft,credential markets Age 17–20social engineering,enterprise breaches Age 20+RaaS affiliate,arrest or wealth
The yellow packet is one hacker's biography, following the empirically documented pipeline from gaming cheats at 12 to enterprise ransomware by 20 — with law enforcement waiting at the end.

Real Case — Thalha Jubair, 19

The Teenager Who Extorted $115 Million
In September 2025, UK teenager Thalha Jubair was arrested for his alleged role in Scattered Spider's attacks on Transport for London (TfL) and 47 US entities. According to the complaint, victims paid at least $115,000,000 in ransom payments. The incidents, the DoJ added, caused widespread disruption to U.S. businesses and organizations, including critical infrastructure and the federal court system, in October 2024 and January 2025. If convicted, he faces a maximum penalty of 95 years in prison.

Jubair started, as most do, at the bottom of the pipeline shown above. He ended up with $36 million in cryptocurrency wallets law enforcement seized from a server allegedly under his control. This is not "just a teenager." This is the mature form of what happens when a hobbyist never faced consequences.

Section 07

Criminal Organisations — The Professional Adversary

If hobbyists are the mosquitoes of cybersecurity — annoying, occasionally dangerous, everywhere — criminal organisations are the wolves. Well-funded, well-staffed, well-tooled, and treating their operations exactly like the businesses they are.

How a Modern Cybercrime Organisation Is Structured

RoleWhat They DoCut of the Ransom
Operator / "Owner"Runs the platform, writes or maintains the malware, brands the operation20–30%
DeveloperWrites the encryption code, evasion techniques, data-exfiltration toolsSalary or profit share
Initial Access BrokerSells stolen credentials and network footholds on dark-web forumsFlat fee ($500 – $10k+) or share
AffiliateExecutes attacks using the operator's toolkit; picks targets60–80% of ransom
NegotiatorHandles the extortion chat; sometimes multilingual and professionalFixed cut per deal
Money launderer / MixerConverts crypto ransom to clean fiat via mixers, exchanges, mules5–20%
💼
Ransomware-as-a-Service (RaaS) Is the Business Model

Modern criminal groups don't personally hack every victim. They operate a platform — malware, dark-web leak site, negotiation infrastructure, payment tracking — and license it to affiliates who do the actual intrusions. This is exactly the SaaS model, applied to crime. It lets a small core team scale to thousands of victims, and it makes law-enforcement attribution far harder.

Animated Diagram — The RaaS Business

💼 Live Animation — How Ransomware-as-a-Service Works
RaaS OPERATOR (LockBit, BlackCat) DEVELOPERbuilds malware ACCESS BROKERsells footholds AFFILIATEruns attacks VICTIMpays ransom LAUNDERERcleans crypto
Every arm lights up in sequence — showing how the RaaS operator sits at the centre, coordinating a network of specialists rather than doing every job themselves.

Section 08

Case Study — LockBit and Operation Cronos

The World's Most Prolific Ransomware Group, Trolled by the Cops
LockBit was, until 2024, the single most prolific ransomware operation on Earth. LockBit has been operating since 2019, when it first called itself 'ABCD' ransomware, targeting thousands of victims around the world with ransomware attacks that have cost billions of dollars in terms of both ransom payments and recovery costs. LockBit essentially offered ransomware services to its global network of hackers or 'affiliates', giving them the malware and platform to carry out these attacks and collect ransoms from thousands of victims globally. Among the group's most prominent victims were the UK's Royal Mail, aeroplane maker Boeing, China's biggest bank ICBC and law firm Allen & Overy.

Then, on 19 February 2024, an international task force codenamed Operation Cronos — led by the UK's NCA and the US FBI — seized their infrastructure.

What the Takedown Actually Achieved

🛡️ The Scoreboard After Operation Cronos
Servers
Seizure of 34 servers across the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK
Arrests
Two immediate arrests in Poland and Ukraine; charges unsealed against Russian nationals Artur Sungatov and Ivan Kondratyev (aka "Bassterlord")
Crypto
Over 200 cryptocurrency accounts linked to the group have been frozen
Decryption
Approximately 1,000 potential decryption keys have been seized — allowing many victims to recover their data without paying
Identification
In May 2024, LockBitSupp was identified as Dmitry Yuryevich Khoroshev, a Russian national and senior leader of the LockBit ransomware group.
💬
The Novel "PsyOps" Approach

What set Operation Cronos apart wasn't just the technical takedown — it was the psychological warfare. The NCA repurposed LockBit's own leak site to publish decryption keys, indictments, screenshots of internal chats, and a rolling countdown timer that mirrored LockBit's own extortion tactic. It undermined trust in LockBit within the criminal ecosystem — and undermined affiliates' willingness to keep working with a brand that had clearly been infiltrated. That's a durable disruption; a pure technical takedown would have been recovered from in days.

🚫
Why the Ransom-Payment Argument Died in 2024

When the NCA examined LockBit's own servers, they found something devastating: "Some of the data on LockBit's systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised." That is the single most important message a security leader can carry to a boardroom.


Section 09

Case Study — BlackCat/ALPHV and Change Healthcare

One Missing MFA Rule, $22 Million Paid, 100 Million People Affected
Change Healthcare, a subsidiary of UnitedHealth Group, is the predominant source of more than 100 critical functions that keep the U.S. health care system operating. It annually processes 15 billion health care transactions — touching 1 in every 3 patient records.

On Feb. 21, 2024, an attack by the Russian ransomware group ALPHV BlackCat encrypted and incapacitated significant portions of Change Healthcare's functionality. This has been described as the most significant and consequential cyberattack against the U.S. healthcare system in history.

The Attack Timeline

Feb 12
Initial access via a missing MFA rule
According to Witty's testimony, the ransomware gang BlackCat used compromised credentials to remotely access a Change Healthcare Citrix portal, which enabled remote desktop access, on February 12. The portal was not utilizing multi-factor authentication.
Feb 12–21
Nine days inside the network
An affiliate of the BlackCat/ALPHV ransomware group breached Change Healthcare's network, then spent 9 days inside the network moving laterally and stealing data before ransomware was used to encrypt files. Up to 6 TB of data exfiltrated.
Feb 21
Ransomware detonates
Encryption fires across Change Healthcare's environment. Public disclosure follows on the same day. Pharmacies nationwide cannot process prescriptions; providers cannot bill.
Mar 3
$22 million ransom paid
On March 3, 2024, a bitcoin payment worth over $20 million was made to a wallet associated with the ALPHV/BlackCat ransomware group. UnitedHealth Group CEO Andrew Witty confirmed the payment in Congressional testimony on May 1.
Apr–Oct
Exit scam and second extortion
A $22 million ransom was paid to prevent the publication of the stolen data; however, the ransomware group pulled an exit scam, and the payment did not secure the stolen data. A second group, RansomHub, tried to extort UnitedHealth using the same stolen dataset.
💰
Cost to UnitedHealth: Over $1.5 Billion

UnitedHealth estimates that this breach could cost the company in excess of $1.5 billion. And that's before the class actions. All triggered by one Citrix portal that didn't require MFA — a control that costs almost nothing to enforce and would have almost certainly prevented the entire chain of consequences.


Section 10

Case Study — Scattered Spider and MGM Resorts

A 10-Minute Phone Call That Cost $100 Million
Scattered Spider, also referred to as UNC3944 and more recently identified as ShinyHunters, is a hacking group mostly made up of teens and young adults believed to live in the United States and the United Kingdom. The group is believed to be affiliated with cybercriminal network, "The Com".

On September 11, 2023, MGM Resorts put out a statement on X that a "cyber security incident" was impacting some of its systems. The incident would lead to a $100 million dollar loss for the third quarter of 2023.

The Attack — Vishing at Its Purest

📞 The 10-Minute Breach
1
Scattered Spider members researched MGM employees on LinkedIn, gathering information about their roles and identities
2
Using the gathered information, the attackers chose an MGM employee to impersonate
3
The hackers called MGM's IT help desk, posing as the employee and successfully convinced the help desk into providing them with login credentials
4
Using the obtained credentials, Scattered Spider gained administrator privileges to MGM's Okta and Azure tenant environments
5
Scattered Spider brought in ALPHV to deploy their ransomware-as-a-service (RaaS) software. They encrypted approximately 100 ESXi hypervisors within MGM's network.

The Two Casinos, Two Different Choices

💸 CAESARS — PAID
Ransom demanded~$30 million
Ransom paid~$15 million (half)
Data exposedDriver's license numbers & possible SSNs of "a significant number" of customers
Business impactOperations largely undisrupted; brand damage from disclosure
🛡️ MGM — REFUSED
Ransom demandedUndisclosed 8-figure sum
Ransom paidMGM Resorts chose not to pay the ransom demanded by the hackers
Data exposedScattered Spider claims to have stolen 6 terabytes of data from MGM Resorts
Business impactTen days of chaos on the Las Vegas Strip, ~$100M loss, $45M class-action settlement in January 2025

The Long Legal Tail

⚖️
Arrests and Consequences

In July 2024, a 17-year-old hacker from the United Kingdom was arrested in connection with the hack and attempted ransom. He has been released on bail pending trial. The arrest was coordinated by local and international law enforcement. In late 2024, the US Department of Justice indicted five suspected members of Scattered Spider in connection with the MGM cyberattacks, including four Americans and one from the UK, all men between the ages of 20 and 25. In January 2025, MGM agreed to pay a $45 million settlement to the victims of the breach.

🔔
Scattered Spider Isn't Slowing Down

Since the MGM attack, the group has hit Marks & Spencer (April 2025), Qantas (2025), and dozens of financial-services and airline targets. Weeks-long payment outages disrupting operations at British retail giant Marks & Spencer are now being blamed on Scattered Spider, the same ransomware group said to be responsible for the 2023 hack of the MGM Grand in Las Vegas. Arresting members has not dismantled the organisation — because it is, at heart, a decentralised community, not a corporation.


Section 11

Anatomy of a Modern Ransomware Attack

Combining every case above, we can extract the standard sequence a modern criminal organisation follows. This is the pattern to plan defence against — because it's how virtually every serious ransomware incident of the last three years has unfolded.

🚨 Live Animation — The Modern Ransomware Kill Chain
RECONLinkedIn OSINT ACCESSvishing / stolen creds ESCALATEOkta / AD abuse EXFILTBs of data ENCRYPTESXi & endpoints EXTORTchat + leak site
The kill chain: OSINT reconnaissance, initial access (usually social engineering or stolen creds), privilege escalation, data exfiltration, encryption, and finally extortion. Break the chain at any stage and the attack fails.

Section 12

Defensive Lessons — What Every Organisation Should Do

Every case in this tutorial — TalkTalk, PowerSchool, LockBit's 2,500 victims, Change Healthcare, MGM — had one thing in common: a small handful of basic controls, if in place, would have stopped or blunted the attack. The industry has been repeating these lessons for years, and the ransomware statistics show they still aren't universal.

🔑
MFA Everywhere
Change Healthcare was breached because one Citrix portal did not require MFA. Push-notification MFA is not enough — Scattered Spider defeats it with fatigue attacks. Use phishing-resistant methods: FIDO2 hardware keys, passkeys.
phishing-resistant
📞
Harden the Help Desk
MGM was breached in ten minutes over a phone call. Enforce call-back verification, out-of-band confirmation, and video-verification for high-privilege resets. Train agents to say "no" to executives.
vishing defence
🔋
Segment the Network
Nine days of dwell time at Change Healthcare turned an initial foothold into 6 TB of exfiltration. Network segmentation and privileged-access isolation shrink blast radius even after breach.
blast-radius control
📺
EDR + 24×7 Monitoring
Modern EDR/XDR catches the lateral movement, Kerberoasting, and NTDS.dit extraction techniques that Scattered Spider used against M&S. Detection matters as much as prevention.
detect early
💾
Immutable, Tested Backups
Backups are only useful if attackers cannot delete or encrypt them, and you have verified restoration works. Air-gapped or immutable object storage plus regular restore drills.
recovery first
📋
Incident Response Plan
Have a written playbook, tabletop-exercise it twice a year, and know the FBI / NCA / CERT contact you will call. In 2024, victims who worked with law enforcement gained access to LockBit decryptors for free.
practise before you need it

Section 13

Golden Rules — Threat Actors for the Security Professional

🎯 Non-Negotiable Takeaways
1
"Hacker" is not a single thing. Six distinct categories — hobbyist, hacktivist, insider, criminal, nation-state, terrorist — with different motives, skills, and defences. Model your adversary before you defend against them.
2
Hobbyists are a real threat. A 17-year-old with a downloaded tool cost TalkTalk £42 million. A 19-year-old exposed the data of 60 million children. Do not underestimate the "just a kid" attacker.
3
The pipeline from hobbyist to professional is real and short. Groups like The Com and Scattered Spider are staffed by teenagers who started with gaming cheats and ended up extorting $115 million by their late teens.
4
Criminal organisations are businesses. Ransomware-as-a-Service means a small core team plus dozens of affiliates. Defend against the model, not just any specific brand — because brands fall (LockBit) and new ones (DragonForce, RansomHub) immediately take their place.
5
Paying the ransom does not guarantee anything. Change Healthcare paid $22 million; the group exit-scammed and another criminal group extorted them again with the same data. The NCA found paid ransoms did not lead to data deletion on LockBit's own servers.
6
The initial vector is almost always boring. Missing MFA, help-desk vishing, stolen credentials, unpatched Citrix. Fix the boring controls before you buy the exotic tools.
7
Law enforcement can help — if you call. Operation Cronos handed out 1,000 LockBit decryption keys to victims who reported. Don't hide breaches; report them.
8
Attribution is the beginning, not the end. Knowing who attacked you helps you predict what they'll do next, what they've likely stolen, and which defences most urgently need improvement. Build threat-actor knowledge into your security team's core competencies.