Threat Actor Profiling for Defenders: A Practical Framework.
You don't need to know a threat actor's name to defend against them. But you do need to know how they operate.
This post provides a practical framework for threat actor profiling that prioritises operational value over attribution. It's designed for CTI teams that need to answer “what should we defend against?” rather than “who attacked us?” — which, based on experience across law enforcement, consulting, and the private sector, is the question that matters for most organisations most of the time.
The framework covers threat actor categories, how to build a useful profile without chasing attribution, and how to connect threat actor intelligence to defensive action. Because the point of understanding your adversaries isn't to name them — it's to stop them.
The four categories and what they predict
Threat actors cluster into four categories that predict behaviour more reliably than individual group tracking. Understanding these categories tells you what to expect, how to prioritise, and where to invest.
Nation-state actors
Motivation: Strategic intelligence collection, intellectual property theft, pre-positioning for conflict, influence operations.
- Well-resourced with access to custom tooling and zero-day exploits
- Patient — willing to maintain access for months or years
- Targeted — victims are chosen for strategic value first; a vulnerability decides how they get in, not whether you are on the list
- Persistent — if evicted, they often return through different vectors
- Increasingly using commercial tools alongside custom capability (blurring with other categories)
Who should care: Government, defence, critical infrastructure, advanced technology, organisations with strategically valuable IP, and the supply chain that connects to all of these.
Defensive implication: Assume the adversary is skilled, patient, and will adapt. Focus on detection of lateral movement, credential abuse, and data staging. Assume prevention will sometimes fail. Build detection depth.

Financially motivated actors
Motivation: Money. Through ransomware, BEC, credential theft, card fraud, cryptomining, or access brokerage.
- Ranges from sophisticated (ransomware-as-a-service operations with dedicated teams) to unsophisticated (script kiddies with purchased tools)
- Opportunistic — scanning for vulnerabilities at scale rather than targeting specific organisations
- Fast-moving — the profitable window is short, so they act quickly after gaining access
- Highly adaptive — rapidly adopting new techniques and tools
- Specialised — the cybercrime ecosystem has division of labour (initial access brokers, ransomware operators, money launderers)
Who should care: Everyone. Financially motivated actors are the most common threat to the broadest range of organisations.
Defensive implication: Prioritise patching internet-facing assets, email security, and credential hygiene. Ransomware readiness (backups, segmentation, incident response planning) should be a baseline for every organisation.
Hacktivists
Motivation: Ideology, politics, social causes, or attention.
- Technical capability varies wildly — from unsophisticated DDoS and defacement (most common) to sophisticated data leaks (rare)
- Targeting driven by current events and political climate
- Often announce intentions publicly before or during operations
- Can be difficult to distinguish from state-sponsored actors who use hacktivist fronts
Who should care: Organisations in politically sensitive sectors, companies involved in controversial activities, government agencies, and organisations likely to become symbolic targets.
Defensive implication: Monitor for targeting signals in hacktivist communities. Ensure DDoS mitigation is in place. Protect public-facing web assets. The reputational damage from data leaks can exceed the technical impact.
Insider threats
Motivation: Financial gain, grievance, ideology, or coercion. Sometimes unintentional.
- Already has legitimate access — the perimeter is irrelevant
- Can be current employees, former employees with residual access, contractors, or partners
- Often difficult to distinguish malicious activity from normal work behaviour
- The “threat” might be a negligent employee rather than a malicious one
Who should care: Organisations handling sensitive data, government, defence, finance, and any organisation going through layoffs, restructuring, or other events that increase grievance risk.
Defensive implication: User behaviour analytics, data loss prevention, privileged access management, and disciplined offboarding (access revoked the day someone leaves, not the week after). This is the one category where “who” genuinely matters operationally.
Building a threat actor profile: the practical framework
Here's a structured approach to profiling threat actors for defensive purposes. This framework deliberately avoids requiring attribution — it works whether you know the actor's name or not.
Element 1: Targeting pattern
Who does this actor target? Define across multiple dimensions:
- Sector: Financial services, healthcare, government, technology, etc.
- Geography: Region, country, or specific markets
- Organisation size: Enterprise, mid-market, small business
- Technology stack: Specific platforms, applications, or infrastructure they've targeted
- Selection criteria: Opportunistic (scanning for vulnerabilities) or targeted (selecting specific victims)
Map this to your organisation. If there's significant overlap, this actor belongs in your threat model. If there's no overlap, they probably don't — regardless of how prominent they are in the news.
Element 2: Initial access methods
How does this actor get in? This is the most immediately actionable element of any threat actor profile.
- Exploitation of public-facing applications (which CVEs?)
- Phishing (what kind? Credential harvesting? Malware delivery? Targeted or bulk?)
- Supply chain compromise
- Purchased access from initial access brokers
- Valid credentials (from prior breaches, brute force, etc.)
- Removable media or physical access
For each method, assess: are we vulnerable? Do we have detection? Could we improve prevention?
Element 3: Post-access behaviour

What does the actor do after gaining initial access? Map to MITRE ATT&CK tactics:
- Execution: How do they run their tools?
- Persistence: How do they maintain access?
- Privilege escalation: How do they gain higher-level access?
- Defence evasion: How do they avoid detection?
- Credential access: How do they harvest credentials?
- Discovery: How do they learn about the environment?
- Lateral movement: How do they move between systems?
- Collection: How do they gather target data?
- Exfiltration/Impact: How do they achieve their objective?
This mapping connects directly to your detection engineering. Every technique in the actor's profile should have a corresponding detection rule in your environment, or at the very least a logged data source a hunter could query. Gaps between the actor's techniques and your detections are your priority investments, and a rule that has never been exercised against a test should be counted as a gap until it has.
Element 4: Tooling
- Custom malware: Unique to this actor. Detection is based on known signatures and behaviour.
- Modified off-the-shelf tools: Cobalt Strike (a commercial framework, widely used in cracked form), Metasploit, Mimikatz variants. Detection focuses on tool behaviour patterns rather than file hashes, which change with every rebuild.
- Living-off-the-land: PowerShell, WMI, legitimate admin tools. Detection requires baselining normal behaviour and identifying anomalies.
- Commercial tools: Legitimate software repurposed for malicious use, such as remote monitoring and management agents or file-transfer utilities. Detection hinges on whether the tool is authorised in your environment at all.
The trend in recent years is toward living-off-the-land and commercial tools, which makes tool-based detection harder and behaviour-based detection more important. This shift is one reason why TTP-focused profiling outperforms indicator-based tracking.
Element 5: Infrastructure patterns
Without attributing the actor, you can still profile their infrastructure:
- Do they use compromised infrastructure, rented servers, or bulletproof hosting?
- What registrars, hosting providers, and TLDs do they favour?
- How frequently do they rotate infrastructure?
- Do they use domain generation algorithms or static C2 addresses?
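As an added example (not code from the original post or from any product it mentions), the script below turns a set of observed C2 domain records into the infrastructure profile described above: TLD, registrar and hosting preferences, rotation cadence as the median lifetime of a domain, and a crude lexical flag for DGA-like names. The observations, registrar and hosting labels, and the heuristic thresholds are constructed for illustration; whether a host is compromised, rented or bulletproof needs external enrichment the example does not attempt.

```python
"""Infrastructure pattern profiling from observed C2 domains.

Added example; the observations below are constructed and the registrar and
hosting labels are placeholders, not real providers. The DGA check is a crude
lexical heuristic, useful for flagging candidates, not a classifier.
"""
from collections import Counter
from datetime import date
from statistics import median

VOWELS = set("aeiou")


def looks_generated(label):
    """Flag a second-level label that looks machine-generated.

    Human-registered look-alike domains ('secure-docs-share') are built from
    words and so carry vowels; DGA output tends to be consonant/digit soup.
    The thresholds are assumptions chosen for this example.
    """
    chars = [c for c in label.lower() if c.isalnum()]
    if not chars:
        return False
    vowel_ratio = sum(c in VOWELS for c in chars) / len(chars)
    digit_ratio = sum(c.isdigit() for c in chars) / len(chars)
    return vowel_ratio < 0.15 or digit_ratio > 0.25


def split_domain(domain):
    """Naive split into (second-level label, TLD).

    Does not understand multi-part public suffixes such as co.uk; use the
    Public Suffix List for real data.
    """
    label, _, tld = domain.rpartition(".")
    return label.rsplit(".", 1)[-1], tld


def profile_infrastructure(observations):
    """Summarise provider preferences, rotation cadence and DGA-like domains."""
    tlds, registrars, hosting = Counter(), Counter(), Counter()
    lifetimes, dga_like = [], []
    for obs in observations:
        label, tld = split_domain(obs["domain"])
        tlds[tld] += 1
        registrars[obs["registrar"]] += 1
        hosting[obs["hosting"]] += 1
        first = date.fromisoformat(obs["first_seen"])
        last = date.fromisoformat(obs["last_seen"])
        lifetimes.append((last - first).days)
        if looks_generated(label):
            dga_like.append(obs["domain"])
    return {
        "tlds": tlds,
        "registrars": registrars,
        "hosting": hosting,
        # Median days a domain stayed in use: the actor's rotation cadence,
        # which tells you how long an indicator-based block stays useful.
        "median_lifetime_days": median(lifetimes),
        "dga_like": dga_like,
    }


# Constructed observations of one actor's C2 domains (illustrative only).
OBSERVATIONS = [
    {"domain": "invoice-review-portal.top", "registrar": "registrar-a", "hosting": "host-a",
     "first_seen": "2024-03-01", "last_seen": "2024-03-09"},
    {"domain": "msupdate-verify.xyz", "registrar": "registrar-a", "hosting": "host-b",
     "first_seen": "2024-03-05", "last_seen": "2024-03-12"},
    {"domain": "kq7xz0pvm3.top", "registrar": "registrar-b", "hosting": "host-a",
     "first_seen": "2024-03-10", "last_seen": "2024-03-11"},
    {"domain": "secure-docs-share.top", "registrar": "registrar-a", "hosting": "host-a",
     "first_seen": "2024-03-12", "last_seen": "2024-03-22"},
    {"domain": "9wq2lx8tzr.xyz", "registrar": "registrar-b", "hosting": "host-b",
     "first_seen": "2024-03-14", "last_seen": "2024-03-15"},
    {"domain": "helpdesk-ticket-portal.com", "registrar": "registrar-a", "hosting": "host-a",
     "first_seen": "2024-03-20", "last_seen": "2024-04-02"},
]

if __name__ == "__main__":
    for key, value in profile_infrastructure(OBSERVATIONS).items():
        print(f"{key}: {value}")
```

On the constructed data the actor favours one registrar and one host, leans on the .top TLD, burns look-alike domains in about a week and throwaway generated names within a day. That last number is the practical output: a domain blocklist for this actor is stale almost as soon as it is published, which argues for detecting the registration and hosting pattern rather than the individual names.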
From profile to defence: closing the loop
A threat actor profile is only useful if it connects to defensive action. Here's how to make that connection:
Step 1: Map to your environment. For each element of the profile, assess your exposure. Do you use the technologies they target? Are you in their targeting geography and sector? Could their initial access methods work against you?
Step 2: Identify detection gaps. Map the actor's known TTPs to your detection coverage. Where you have coverage, validate that it actually fires. Where you don't, prioritise building it.
Step 3: Inform threat hunting. The profile gives your threat hunters specific hypotheses to investigate: “If this actor were in our environment, what evidence would we expect to find?” This is directly related to the ACH approach from Post 3.
Step 4: Update regularly. Threat actors evolve. Tooling changes. Targeting shifts. A quarterly review of your priority actor profiles keeps them current. Better yet, set up ‘hooks’ or ‘trip-wires’ that prompt a review of an actor's profile. A trip-wire is a detection you've set up in any of your sources or tools (for example, a live hunt rule in VirusTotal), or an alert in Liberty91 that picks up new reporting on your threat actor. If a trip-wire trips, that's the analyst's cue to evaluate whether, and how, the new information changes their understanding of how this actor operates, and if it does, to inform the relevant stakeholders with the relevant products. After all, a quarterly update is pointless if nothing has happened in relation to the actor, and if something did happen, you don't want to wait a full quarter to finally update your profile.
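The mapping in Element 3 and the gap analysis in Step 2 are the same exercise, so here is one added example that does both (illustrative code written for this post, not taken from the original or from any product it mentions). It takes a constructed profile for a notional actor, a constructed inventory of detection rules tagged with ATT&CK IDs, and reports which techniques are covered by a validated rule, which are covered only by a rule nobody has ever tested, and which are uncovered, with gaps ranked by kill-chain position and how heavily the actor relies on them. The profile, rule IDs, validation flags and weights are assumptions; only the ATT&CK technique IDs and names are real.

```python
"""ATT&CK coverage gap analysis for a threat actor profile.

Added example. The actor profile, detection-rule inventory, rule IDs and
reporting weights below are constructed for illustration; only the ATT&CK
technique IDs and names are real.
"""
from dataclasses import dataclass

# Kill-chain order used to rank gaps: an uncovered initial-access technique
# is a bigger problem than an uncovered exfiltration technique, because the
# earlier you detect, the less the adversary has achieved.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "exfiltration", "impact",
]


@dataclass(frozen=True)
class Technique:
    tid: str      # ATT&CK ID, e.g. "T1059.001"
    name: str
    tactic: str
    weight: int   # how often the technique appears in reporting on this actor (constructed)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    techniques: tuple  # ATT&CK IDs the rule is tagged with
    validated: bool    # has the rule fired in a controlled test (purple team / atomic test)?


def parent(tid):
    """'T1059.001' -> 'T1059'; a parent ID is returned unchanged."""
    return tid.split(".")[0]


def rules_covering(tid, rules):
    """Rules that cover a technique.

    A rule tagged with a parent technique is treated as covering all of its
    sub-techniques. A rule tagged with a *different* sub-technique does not
    cover this one: a rule for T1566.002 (links) says nothing about T1566.001
    (attachments), a mismatch that inflates coverage numbers if ignored.
    """
    return [r for r in rules if any(t == tid or t == parent(tid) for t in r.techniques)]


def assess(profile, rules):
    """Split the profile into validated coverage, unvalidated coverage and gaps.

    Gaps are sorted by kill-chain position, then by how heavily the actor
    relies on the technique, which is the order to invest in.
    """
    report = {"validated": [], "unvalidated": [], "gaps": []}
    for tech in profile:
        hits = rules_covering(tech.tid, rules)
        if not hits:
            report["gaps"].append(tech)
        elif any(r.validated for r in hits):
            report["validated"].append((tech, hits))
        else:
            report["unvalidated"].append((tech, hits))
    rank = lambda t: (TACTIC_ORDER.index(t.tactic) if t.tactic in TACTIC_ORDER else len(TACTIC_ORDER), -t.weight)
    report["gaps"].sort(key=rank)
    return report


def format_report(report):
    """Plain-text summary, gaps first so the priority list is at the top."""
    lines = []
    for tech in report["gaps"]:
        lines.append(f"GAP         {tech.tid:<10} {tech.tactic:<18} {tech.name} (weight {tech.weight})")
    for tech, hits in report["unvalidated"]:
        ids = ", ".join(r.rule_id for r in hits)
        lines.append(f"UNVALIDATED {tech.tid:<10} {tech.tactic:<18} {tech.name} <- {ids}")
    for tech, hits in report["validated"]:
        ids = ", ".join(r.rule_id for r in hits)
        lines.append(f"OK          {tech.tid:<10} {tech.tactic:<18} {tech.name} <- {ids}")
    return "\n".join(lines)


# Constructed profile for a notional ransomware affiliate (illustrative, not real reporting).
PROFILE = [
    Technique("T1190", "Exploit Public-Facing Application", "initial-access", 3),
    Technique("T1566.001", "Spearphishing Attachment", "initial-access", 2),
    Technique("T1059.001", "PowerShell", "execution", 4),
    Technique("T1053.005", "Scheduled Task", "persistence", 2),
    Technique("T1003.001", "LSASS Memory", "credential-access", 3),
    Technique("T1021.002", "SMB/Windows Admin Shares", "lateral-movement", 2),
    Technique("T1048", "Exfiltration Over Alternative Protocol", "exfiltration", 1),
]

# Constructed detection inventory (rule IDs are placeholders).
RULES = [
    Rule("SIEM-0041", ("T1059",), validated=True),      # parent tag: covers T1059.001
    Rule("EDR-0107", ("T1003.001",), validated=False),  # exists, never exercised
    Rule("SIEM-0212", ("T1566.002",), validated=True),  # link phishing only; attachments uncovered
    Rule("NET-0009", ("T1048", "T1041"), validated=True),
]

if __name__ == "__main__":
    print(format_report(assess(PROFILE, RULES)))
```

Two things in the output are worth noticing. The phishing rule looks like coverage on a dashboard but covers the wrong sub-technique, so it lands in the gap list; and the LSASS rule exists but has never been exercised, so it is reported separately rather than counted as done. Both are the kind of false comfort a simple “do we have a rule tagged with this tactic?” check would hide. The report also feeds Step 3 directly: each line in the gap list is a hunt hypothesis for which you currently have no automated detection.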
Where attribution fits in this framework
This framework isn't anti-attribution. It's anti-attribution-as-default.
Attribution is optional context here. If you know the actor is APT41, you can access extensive historical reporting to enrich your profile. If you don't know who they are, the profile still works — it's built on observable behaviour, not identity.
This connects to the broader theme of this series: intelligence is about supporting decisions. The decisions your defenders make — what to detect, what to patch, what to hunt for — are driven by TTPs, not by names. Attribution usually doesn't change the defensive playbook. A good threat actor profile gives you the playbook without requiring attribution.
At Liberty91, automated threat actor profiling is built into the platform precisely because this is where intelligence creates operational value. The platform maps observed and reported actor behaviours to your specific technology stack and generates prioritised detection recommendations — turning threat actor intelligence into something your security team can act on today.
Connecting forward
In the next post, the TTPs from threat actor profiles connect to the frameworks that organise and operationalise them — MITRE ATT&CK, the Diamond Model, and the detection engineering practices that bridge intelligence and operations. Because a threat actor profile without a framework to operationalise it is just a really detailed document that nobody uses.
This is Part 4 of the “CTI from the Trenches” series. ← Previous: Cognitive Biases in CTI | Next: The Framework Toolkit → (coming soon)