Cyber Security Basics
📂 Foundation
· 11 of 15
43 min read
Threat Actors — Who Are the Hackers? From Hobbyists to Criminal Organisations
A cybersecurity professional's guide to the modern threat actor spectrum. Walks through the classic hat taxonomy, the six modern actor categories (hobbyist, hacktivist, insider, criminal, nation-state, terrorist), and drills deep into the two extremes with real 2024–2025 cases: the LockBit takedown, the Change Healthcare ransomware attack, the MGM Resorts breach, and the PowerSchool hack by a 19-year-old that reached the White House Situation
Section 01
The Story That Explains Threat Actors
📖 Real World Analogy
Who Just Broke Into My House?
Imagine you come home and find your front door forced open. Before you call the police,
you look around. What kind of person did this? A bored teenager
trying his shoulder against every door on the block for the thrill? A
professional burglar who researched your schedule, jammed your alarm,
and left with the jewellery in ninety seconds? A spurned ex-employee
who still had a key? A foreign intelligence operative who wanted to
photograph a document in your safe and leave no trace? Or a political
protester who spray-painted your wall to send a message?
Each one leaves a different forensic footprint. Each one has different
motives, skills, tools, tolerance for risk, and success criteria. The way you defend
against the teenager (deadbolt, motion light) is nothing like how you defend against
the intelligence operative (Faraday-shielded room, TSCM sweeps). Attribution
tells you the threat model. The threat model tells you the defence.
Cybersecurity works the same way. The generic word "hacker" hides at least six very
different kinds of adversary — and the FBI's Internet Crime Report 2024
documented $16.6 billion in reported losses last year, most of them from a handful of
well-organised criminal groups. Knowing who is on the other side of the keyboard is
the first step in stopping them.
As a Certified Ethical Hacker, the very first slide I show in any incident-response
training is a threat actor taxonomy. Defenders who cannot name their
adversary cannot model their adversary; and defenders who cannot model their adversary
are, at best, playing whack-a-mole. This tutorial walks through the full spectrum of
threat actors — with a deep dive into the two extremes: hobbyists (the
bored, the curious, the reckless) and criminal organisations (the
professionals, the ransomware-as-a-service operators, the billion-dollar syndicates) —
using real, named cases from the last three years.
🎯
The Core Insight
"Hacker" is not one thing. It is a spectrum — from a 14-year-old running downloaded
tools in a bedroom, to a Russian-national CEO running a $500 million ransomware
corporation with affiliates, bug bounties, and marketing merchandise. Both are
technically "threat actors." Neither is defended against the same way.
Section 02
What Is a Threat Actor?
A threat actor (also called a malicious actor or
adversary) is any entity — individual, group, or organisation — that carries
out or intends to carry out actions that harm digital systems, data, or people. The
concept has three parts:
Capability
What They Can Do
Technical skill, tooling, infrastructure, and access to zero-day exploits or malware. Ranges from downloaded scripts to custom-built implants.
Intent
Why They Attack
The goal driving the operation — money, espionage, notoriety, disruption, ideology, or revenge. Different motivations produce different behaviour.
Opportunity
What's Exposed
Your attack surface — unpatched systems, weak credentials, careless employees, misconfigured cloud buckets. Even a skilled attacker with strong intent needs opportunity.
Risk Tolerance
What They'll Accept
Willingness to be noisy, get caught, or face jail. A teen may not care about attribution; a nation-state operates under strict "deniability" rules.
💡
Threat = Capability × Intent × Opportunity
The classic risk formula. Take any variable to zero and the threat vanishes. You
almost never remove capability or intent — those live in the attacker's head. Your
job as a defender is to shrink opportunity: patch, harden, segment,
monitor, and train users. That's how threat-actor thinking translates into daily
security work.
Section 03
The Classic Hat Taxonomy — And Its Limits
You've probably seen the "hat colour" model of hackers. It's the oldest and most
well-known framework, and it's still useful — but it only describes ethics and
authorisation, not motive or organisation. Real threat-actor analysis
needs more.
🗽
White Hat
Ethical Hacker
Authorised security professional. Penetration testers, red-teamers, bug-bounty hunters. Works with permission and reports findings. Certifications like CEH, OSCP, CISSP. These are the good guys.
🔐
Grey Hat
Unauthorised but Non-Malicious
Hacks without permission but discloses findings responsibly (or publicly, to embarrass an owner into fixing them). Legally still a criminal in most jurisdictions — good intentions don't authorise the act.
🎭
Black Hat
Malicious & Unauthorised
Attacks for personal gain, disruption, or damage. The category that contains every ransomware operator, credential thief, and destructive actor discussed later in this tutorial.
🐝
Green Hat
Novice — Learning
A beginner earnestly trying to learn hacking properly — usually in a legal lab. Not to be confused with a script kiddie, who wants results without the learning.
👷
Blue Hat
External Consultant / Revenge
Two uses: (1) an external security consultant brought in before product launch (Microsoft coined this usage); (2) a revenge-motivated attacker with no wider criminal agenda.
🛡️
Red Hat
Vigilante
A hacker who attacks other hackers — typically illegally, but with the intent of stopping black-hat activity. Very rare in the wild, more common in fiction.
⚠️
Why the Hat Model Isn't Enough
A "black hat" could be a bored 15-year-old, a Russian ransomware CEO, an Iranian
military officer, or a jealous ex-partner. The colour doesn't tell you their skill
level, their organisation, their funding, or their goals. Modern threat intelligence
teams use a motive-based taxonomy instead — the one we'll spend the
rest of this tutorial on.
Section 04
The Modern Threat Actor Taxonomy
Real-world intelligence teams (Mandiant, CrowdStrike, Microsoft Threat Intelligence, and
the FBI's Cyber Division) sort adversaries into six primary categories
based on who they are and why they attack. Every threat actor you'll ever
encounter fits somewhere on this map.
Animated Diagram — The Six Categories
👥 Live Animation — The Threat Actor Spectrum
Each category lights up in turn. Moving up and right, skill, funding, and organisational sophistication all increase — but so does the effort required to attribute the attack.
Quick Reference — The Six Modern Categories
Category
Primary Motive
Skill Level
Typical Target
Notable Example
Hobbyist / Script Kiddie
Curiosity, thrill, clout
Low → medium
Whatever's exposed
2015 TalkTalk (17-yr-old)
Hacktivist
Ideology, protest
Low → high
Political / corporate
Anonymous, LulzSec
Insider
Revenge, greed, ideology
Any (they have access)
Their own employer
Edward Snowden (2013)
Criminal Organisation
Money
High
Rich, insurable victims
LockBit, BlackCat, Scattered Spider
Nation-State / APT
Espionage, sabotage
Very high
Government, critical infra
Fancy Bear, Lazarus, Volt Typhoon
Cyber-Terrorist
Fear, disruption
Medium → high
Public / symbolic targets
Rare in pure form — often overlaps with state or criminal
Section 05
Hobbyists — Who They Are and Why They Matter
The term "hobbyist" — often used interchangeably with "script
kiddie" — describes someone who hacks without professional organisation, usually
without deep technical knowledge, and typically without financial sophistication. They
do it because it's interesting, or because it earns them clout, or
because it briefly feels like power.
It is tempting to dismiss them as harmless. That is a mistake. According to the UK's
National Crime Agency, 61% of hackers begin hacking before the age of 15 and the
average age of suspects arrested in NCCU investigations is 17 years old.
The Hobbyist Profile
👨💻
Who
Overwhelmingly young — teens and early twenties. Predominantly male but not exclusively. Often technically curious kids who found hacking forums, Discord servers, or gaming-cheat communities before finding legitimate outlets.
🎯
Motive
Bragging rights, in-group status, thrill of the forbidden, revenge on a school or employer, sometimes money. Financial motivation is often secondary to peer validation.
🔧
Tools
Downloaded exploit kits, Kali Linux tutorials, Metasploit modules, YouTube guides, credential dumps bought on Telegram. They rarely write their own malware — they run other people's.
📩
Delivery
Website defacement, DDoS booter services, SIM-swapping, credential stuffing, phishing pages copied from tutorials. High volume, low sophistication — until it isn't.
⛔
Weakness
Almost zero operational security. Boast on Discord, screenshot the victim, log in from home broadband, brag under a pseudonym they've reused for years. Most are caught this way.
📈
Trajectory
A worrying number graduate. The "script kiddie" who defaced a school website at 13 is the same person indicted for $115M in ransomware at 19. Hobbyism is often the gateway drug of organised cybercrime.
Real Case — The TalkTalk Hack (2015)
📰 Case File
A 17-Year-Old, a SQL Injection, and £42 Million in Damage
In October 2015, UK telecoms operator TalkTalk suffered a data breach affecting
hundreds of thousands of customers. The attack was orchestrated by a 17-year-old who exploited known vulnerabilities using readily available tools leading to the exposure of personal data belonging to thousands of customers. The TalkTalk attack was estimated to have cost the company £42 million.
The attacker wasn't a nation-state or a criminal syndicate. He was a teenager who ran a
tool he'd downloaded — a classic SQL injection scanner — against publicly exposed
URLs. The vulnerability was a decade-old class of bug. The consequences were nine
figures. It is the textbook case of why hobbyists deserve the same defensive
seriousness as professionals.
Real Case — Matthew Lane and the PowerSchool Breach (2024–2025)
📰 Case File — April 2025 Arrest
A College Freshman, 60 Million Children, and the White House Situation Room
In September 2024, 19-year-old Matthew D. Lane, a freshman at Assumption University
in Massachusetts, found stolen credentials for a PowerSchool contractor on the dark
web. He used them to walk into the systems of an education platform used by 80% of
school districts in North America. Barely a year earlier, while still a teenager, he helped launch what's been described as the biggest cyberattack in U.S. education history — a data breach that concerned authorities so much, it prompted briefings with senior government officials inside the White House Situation Room. The breach pierced the education technology company PowerSchool — used by 80% of school districts in North America — and "put at risk the security of 60 million children and 10 million teachers," the Justice Department said.
PowerSchool paid roughly $3 million in ransom to keep the data private. In April 2025,
Lane was arrested at his dorm room by FBI agents. He is expected to serve federal
prison time. In a subsequent interview, "I think I need to go to prison for what I did," Lane told ABC News in an exclusive interview, speaking publicly for the first time about the headline-grabbing heist and his life as a cybercriminal.
⚠️
Why the "Just a Teenager" Frame Is Dangerous
Lane used no zero-days. He used stolen credentials with no MFA. That
is technically the same technique used by every ransomware crew in this tutorial. The
difference between a "hobbyist" and a "criminal organisation" is often not the
technique — it's the organisation behind it. The technique itself belongs to whoever
picks it up.
Section 06
The Hobbyist-to-Professional Pipeline — "The Com"
A striking finding in recent cybersecurity reporting is that many so-called "criminal
organisations" today are staffed by young hobbyists who grew up in gaming and
hacking Discord communities. The most infamous is a loose network known as
"The Com" (short for "The Community").
💬 From Fortune, January 2026
What Makes The Com Unique
What makes The Com and these groups uniquely dangerous is both their sophistication, and in how they weaponize the youth of their own members. Their tactics exploit teenagers' greatest strengths, including their technical savvy, cleverness, and ease as native English speakers. But their blindness to consequences, and habit of having conversations in public leaves them vulnerable to law enforcement. Starting in 2024, a series of high-profile arrests and indictments of young men and teenagers ranging in age from 18 to 25 has exposed the significant risk of getting involved in The Com.
Animated Diagram — The Hobbyist-to-Professional Timeline
📈 Live Animation — How a Kid Becomes a Cybercriminal
The yellow packet is one hacker's biography, following the empirically documented pipeline from gaming cheats at 12 to enterprise ransomware by 20 — with law enforcement waiting at the end.
Real Case — Thalha Jubair, 19
📰 September 2025 Arrest
The Teenager Who Extorted $115 Million
In September 2025, UK teenager Thalha Jubair was arrested for his alleged role in
Scattered Spider's attacks on Transport for London (TfL) and 47 US entities. According to the complaint, victims paid at least $115,000,000 in ransom payments. The incidents, the DoJ added, caused widespread disruption to U.S. businesses and organizations, including critical infrastructure and the federal court system, in October 2024 and January 2025. If convicted, he faces a maximum penalty of 95 years in prison.
Jubair started, as most do, at the bottom of the pipeline shown above. He ended up
with $36 million in cryptocurrency wallets law enforcement seized from a server
allegedly under his control. This is not "just a teenager." This is the mature form of
what happens when a hobbyist never faced consequences.
Section 07
Criminal Organisations — The Professional Adversary
If hobbyists are the mosquitoes of cybersecurity — annoying, occasionally dangerous,
everywhere — criminal organisations are the wolves. Well-funded,
well-staffed, well-tooled, and treating their operations exactly like the businesses
they are.
How a Modern Cybercrime Organisation Is Structured
Role
What They Do
Cut of the Ransom
Operator / "Owner"
Runs the platform, writes or maintains the malware, brands the operation
20–30%
Developer
Writes the encryption code, evasion techniques, data-exfiltration tools
Salary or profit share
Initial Access Broker
Sells stolen credentials and network footholds on dark-web forums
Flat fee ($500 – $10k+) or share
Affiliate
Executes attacks using the operator's toolkit; picks targets
60–80% of ransom
Negotiator
Handles the extortion chat; sometimes multilingual and professional
Fixed cut per deal
Money launderer / Mixer
Converts crypto ransom to clean fiat via mixers, exchanges, mules
5–20%
💼
Ransomware-as-a-Service (RaaS) Is the Business Model
Modern criminal groups don't personally hack every victim. They operate a platform —
malware, dark-web leak site, negotiation infrastructure, payment tracking — and
license it to affiliates who do the actual intrusions. This is exactly the SaaS
model, applied to crime. It lets a small core team scale to thousands of victims,
and it makes law-enforcement attribution far harder.
Animated Diagram — The RaaS Business
💼 Live Animation — How Ransomware-as-a-Service Works
Every arm lights up in sequence — showing how the RaaS operator sits at the centre, coordinating a network of specialists rather than doing every job themselves.
Section 08
Case Study — LockBit and Operation Cronos
📰 Real Case — February 2024
The World's Most Prolific Ransomware Group, Trolled by the Cops
LockBit was, until 2024, the single most prolific ransomware operation on Earth.
LockBit has been operating since 2019, when it first called itself 'ABCD' ransomware, targeting thousands of victims around the world with ransomware attacks that have cost billions of dollars in terms of both ransom payments and recovery costs. LockBit essentially offered ransomware services to its global network of hackers or 'affiliates', giving them the malware and platform to carry out these attacks and collect ransoms from thousands of victims globally. Among the group's most prominent victims were the UK's Royal Mail, aeroplane maker Boeing, China's biggest bank ICBC and law firm Allen & Overy.
Then, on 19 February 2024, an international task force codenamed Operation
Cronos — led by the UK's NCA and the US FBI — seized their infrastructure.
What the Takedown Actually Achieved
🛡️ The Scoreboard After Operation Cronos
Servers
Seizure of 34 servers across the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK
Arrests
Two immediate arrests in Poland and Ukraine; charges unsealed against Russian nationals Artur Sungatov and Ivan Kondratyev (aka "Bassterlord")
Crypto
Over 200 cryptocurrency accounts linked to the group have been frozen
Decryption
Approximately 1,000 potential decryption keys have been seized — allowing many victims to recover their data without paying
Identification
In May 2024, LockBitSupp was identified as Dmitry Yuryevich Khoroshev, a Russian national and senior leader of the LockBit ransomware group.
💬
The Novel "PsyOps" Approach
What set Operation Cronos apart wasn't just the technical takedown — it was the
psychological warfare. The NCA repurposed LockBit's own leak site to publish decryption
keys, indictments, screenshots of internal chats, and a rolling countdown timer that
mirrored LockBit's own extortion tactic. It undermined trust in LockBit
within the criminal ecosystem — and undermined affiliates' willingness
to keep working with a brand that had clearly been infiltrated. That's a durable
disruption; a pure technical takedown would have been recovered from in days.
🚫
Why the Ransom-Payment Argument Died in 2024
When the NCA examined LockBit's own servers, they found something devastating: "Some of the data on LockBit's systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised." That is the single most important message a security leader can carry to a boardroom.
Section 09
Case Study — BlackCat/ALPHV and Change Healthcare
📰 Real Case — February 2024
One Missing MFA Rule, $22 Million Paid, 100 Million People Affected
Change Healthcare, a subsidiary of UnitedHealth Group, is the predominant source of more than 100 critical functions that keep the U.S. health care system operating. It annually processes 15 billion health care transactions — touching 1 in every 3 patient records.
On Feb. 21, 2024, an attack by the Russian ransomware group ALPHV BlackCat encrypted and incapacitated significant portions of Change Healthcare's functionality. This has been described as the most significant and consequential cyberattack against the U.S. healthcare system in history.
The Attack Timeline
Feb 12
Initial access via a missing MFA rule
According to Witty's testimony, the ransomware gang BlackCat used compromised credentials to remotely access a Change Healthcare Citrix portal, which enabled remote desktop access, on February 12. The portal was not utilizing multi-factor authentication.
Feb 12–21
Nine days inside the network
An affiliate of the BlackCat/ALPHV ransomware group breached Change Healthcare's network, then spent 9 days inside the network moving laterally and stealing data before ransomware was used to encrypt files. Up to 6 TB of data exfiltrated.
Feb 21
Ransomware detonates
Encryption fires across Change Healthcare's environment. Public disclosure follows on the same day. Pharmacies nationwide cannot process prescriptions; providers cannot bill.
Mar 3
$22 million ransom paid
On March 3, 2024, a bitcoin payment worth over $20 million was made to a wallet associated with the ALPHV/BlackCat ransomware group. UnitedHealth Group CEO Andrew Witty confirmed the payment in Congressional testimony on May 1.
Apr–Oct
Exit scam and second extortion
A $22 million ransom was paid to prevent the publication of the stolen data; however, the ransomware group pulled an exit scam, and the payment did not secure the stolen data. A second group, RansomHub, tried to extort UnitedHealth using the same stolen dataset.
💰
Cost to UnitedHealth: Over $1.5 Billion
UnitedHealth estimates that this breach could cost the company in excess of $1.5 billion. And that's before the class actions. All triggered by one Citrix portal that didn't require MFA — a control that costs almost nothing to enforce and would have almost certainly prevented the entire chain of consequences.
Section 10
Case Study — Scattered Spider and MGM Resorts
📰 Real Case — September 2023 & onward
A 10-Minute Phone Call That Cost $100 Million
Scattered Spider, also referred to as UNC3944 and more recently identified as ShinyHunters, is a hacking group mostly made up of teens and young adults believed to live in the United States and the United Kingdom. The group is believed to be affiliated with cybercriminal network, "The Com".
On September 11, 2023, MGM Resorts put out a statement on X that a "cyber security incident" was impacting some of its systems. The incident would lead to a $100 million dollar loss for the third quarter of 2023.
The Attack — Vishing at Its Purest
📞 The 10-Minute Breach
1
Scattered Spider members researched MGM employees on LinkedIn, gathering information about their roles and identities
2
Using the gathered information, the attackers chose an MGM employee to impersonate
3
The hackers called MGM's IT help desk, posing as the employee and successfully convinced the help desk into providing them with login credentials
4
Using the obtained credentials, Scattered Spider gained administrator privileges to MGM's Okta and Azure tenant environments
5
Scattered Spider brought in ALPHV to deploy their ransomware-as-a-service (RaaS) software. They encrypted approximately 100 ESXi hypervisors within MGM's network.
The Two Casinos, Two Different Choices
💸 CAESARS — PAID
Ransom demanded
~$30 million
Ransom paid
~$15 million (half)
Data exposed
Driver's license numbers & possible SSNs of "a significant number" of customers
Business impact
Operations largely undisrupted; brand damage from disclosure
🛡️ MGM — REFUSED
Ransom demanded
Undisclosed 8-figure sum
Ransom paid
MGM Resorts chose not to pay the ransom demanded by the hackers
Data exposed
Scattered Spider claims to have stolen 6 terabytes of data from MGM Resorts
Business impact
Ten days of chaos on the Las Vegas Strip, ~$100M loss, $45M class-action settlement in January 2025
The Long Legal Tail
⚖️
Arrests and Consequences
In July 2024, a 17-year-old hacker from the United Kingdom was arrested in connection with the hack and attempted ransom. He has been released on bail pending trial. The arrest was coordinated by local and international law enforcement. In late 2024, the US Department of Justice indicted five suspected members of Scattered Spider in connection with the MGM cyberattacks, including four Americans and one from the UK, all men between the ages of 20 and 25. In January 2025, MGM agreed to pay a $45 million settlement to the victims of the breach.
🔔
Scattered Spider Isn't Slowing Down
Since the MGM attack, the group has hit Marks & Spencer (April 2025), Qantas
(2025), and dozens of financial-services and airline targets. Weeks-long payment outages disrupting operations at British retail giant Marks & Spencer are now being blamed on Scattered Spider, the same ransomware group said to be responsible for the 2023 hack of the MGM Grand in Las Vegas. Arresting members has not dismantled the organisation — because it is, at heart, a decentralised community, not a corporation.
Section 11
Anatomy of a Modern Ransomware Attack
Combining every case above, we can extract the standard sequence a modern criminal
organisation follows. This is the pattern to plan defence against — because it's how
virtually every serious ransomware incident of the last three years has unfolded.
🚨 Live Animation — The Modern Ransomware Kill Chain
The kill chain: OSINT reconnaissance, initial access (usually social engineering or stolen creds), privilege escalation, data exfiltration, encryption, and finally extortion. Break the chain at any stage and the attack fails.
Section 12
Defensive Lessons — What Every Organisation Should Do
Every case in this tutorial — TalkTalk, PowerSchool, LockBit's 2,500 victims, Change
Healthcare, MGM — had one thing in common: a small handful of basic controls, if in
place, would have stopped or blunted the attack. The industry has been repeating these
lessons for years, and the ransomware statistics show they still aren't universal.
🔑
MFA Everywhere
Change Healthcare was breached because one Citrix portal did not require MFA. Push-notification MFA is not enough — Scattered Spider defeats it with fatigue attacks. Use phishing-resistant methods: FIDO2 hardware keys, passkeys.
phishing-resistant
📞
Harden the Help Desk
MGM was breached in ten minutes over a phone call. Enforce call-back verification, out-of-band confirmation, and video-verification for high-privilege resets. Train agents to say "no" to executives.
vishing defence
🔋
Segment the Network
Nine days of dwell time at Change Healthcare turned an initial foothold into 6 TB of exfiltration. Network segmentation and privileged-access isolation shrink blast radius even after breach.
blast-radius control
📺
EDR + 24×7 Monitoring
Modern EDR/XDR catches the lateral movement, Kerberoasting, and NTDS.dit extraction techniques that Scattered Spider used against M&S. Detection matters as much as prevention.
detect early
💾
Immutable, Tested Backups
Backups are only useful if attackers cannot delete or encrypt them, and you have verified restoration works. Air-gapped or immutable object storage plus regular restore drills.
recovery first
📋
Incident Response Plan
Have a written playbook, tabletop-exercise it twice a year, and know the FBI / NCA / CERT contact you will call. In 2024, victims who worked with law enforcement gained access to LockBit decryptors for free.
practise before you need it
Section 13
Golden Rules — Threat Actors for the Security Professional
🎯 Non-Negotiable Takeaways
1
"Hacker" is not a single thing. Six distinct categories — hobbyist,
hacktivist, insider, criminal, nation-state, terrorist — with different motives,
skills, and defences. Model your adversary before you defend against them.
2
Hobbyists are a real threat. A 17-year-old with a downloaded tool
cost TalkTalk £42 million. A 19-year-old exposed the data of 60 million children.
Do not underestimate the "just a kid" attacker.
3
The pipeline from hobbyist to professional is real and short. Groups
like The Com and Scattered Spider are staffed by teenagers who started with gaming
cheats and ended up extorting $115 million by their late teens.
4
Criminal organisations are businesses. Ransomware-as-a-Service means
a small core team plus dozens of affiliates. Defend against the model, not just any
specific brand — because brands fall (LockBit) and new ones (DragonForce, RansomHub)
immediately take their place.
5
Paying the ransom does not guarantee anything. Change Healthcare paid
$22 million; the group exit-scammed and another criminal group extorted them again with the same data. The NCA found paid ransoms did not lead to data deletion on LockBit's own servers.
6
The initial vector is almost always boring. Missing MFA, help-desk
vishing, stolen credentials, unpatched Citrix. Fix the boring controls before you buy
the exotic tools.
7
Law enforcement can help — if you call. Operation Cronos handed out
1,000 LockBit decryption keys to victims who reported. Don't hide breaches; report
them.
8
Attribution is the beginning, not the end. Knowing who attacked you
helps you predict what they'll do next, what they've likely stolen, and which
defences most urgently need improvement. Build threat-actor knowledge into your
security team's core competencies.