ELI5: What is Threat Actor Profiling?

Profiling means building a description of who the attacker is — what they want, how skilled they are, and what tricks they prefer. It is like writing a scouting report on a rival sports team.

Definition

Threat actor profiling is the process of developing detailed knowledge of specific adversary groups — including their motivations, technical capabilities, preferred targets, typical tactics and techniques, and historical campaigns. By understanding who is most likely to attack an organization and why, security teams can prioritize defenses against the most relevant threats.

Key Details

  • Motivation: financial gain, espionage, hacktivism, disruption, competitive intelligence
  • Capability: skill level (script kiddie vs. nation-state APT), resources, tooling sophistication
  • Intent: what does the attacker want to achieve? Data theft, disruption, destruction, extortion?
  • Common threat actor categories: nation-state (APT), organized crime, insider threat, hacktivist, opportunistic attackers
  • The MITRE ATT&CK Groups database catalogs known threat actors and their documented TTPs

Connections