CYB-200 · Cybersecurity Foundations
Threat Actor Detection and Response Framework
This project builds a structured decision aid for identifying, characterizing, and responding to insider and physical threat actors. It covers five threat actor types across seven institution categories, then develops a focused detection and response plan for credential stealers — one of the most consequential and underestimated threat vectors in enterprise environments.
Detection methods
Effective threat detection layers several overlapping methods. No single method catches everything, so layered visibility is the Defense in Depth principle applied to detection rather than to prevention: each method covers gaps the others leave.
| Method | Description |
|---|---|
| Awareness | Employees trained to recognize suspicious behavior, understand security policy, and know the reporting path become a detection source in their own right, shortening the time a threat goes unnoticed. |
| Auditing | Regular review of logs and system activity surfaces anomalies that automated tooling may miss, especially low-and-slow activity that stays under per-event alert thresholds. |
| Monitoring | Real-time tooling flags unusual access patterns, privilege escalations, and off-hours activity as they occur. |
| Testing | Penetration testing and vulnerability assessments find exploitable weaknesses before threat actors do. |
| Sandboxing | Isolated environments allow safe analysis of suspicious files or behavior without exposing production systems. |
Threat actor types
| Actor | Description | Primary motivation |
|---|---|---|
| Shoulder surfer | Observes screens or keyboards to capture credentials or sensitive data | Theft, fraud |
| Policy violator | Intentionally or unintentionally bypasses security policies | Convenience, negligence, sabotage |
| Credential stealer | Uses compromised credentials to gain unauthorized system access | Data theft, financial fraud |
| Tailgater | Follows authorized personnel into restricted physical areas | Asset theft, espionage |
| Asset thief | Physically removes hardware or sensitive documents from premises | Theft, competitive intelligence |
Assets at risk by sector
| Sector | High-value targets |
|---|---|
| Financial | Customer data, transaction records, financial statements |
| Medical | Patient records, research data, proprietary clinical processes |
| Educational | Student records, research data, intellectual property |
| Government | Classified information, citizen data, operational systems |
| Retail | Payment data, inventory systems, supplier information |
| Pharmaceutical | Drug formulas, clinical trial data, proprietary research |
| Entertainment | Unreleased content, intellectual property, customer data |
Focus: credential stealers
Credential theft was selected as the focus actor because it is the entry point for a disproportionate share of data breaches. A stolen credential produces a login that looks legitimate, so it is far harder to spot than an external intrusion attempt, and the resulting dwell time compounds the damage.
Reactive response strategies
Strategy 1
Require multi-factor authentication on all privileged accounts, so that a stolen password alone is not enough to pass the login boundary. Prefer phishing-resistant factors such as FIDO2 security keys where possible, since one-time codes can be relayed by the same phishing kits that capture the password.
Strategy 2
Deploy security awareness training focused specifically on phishing and credential hygiene to reduce initial compromise rates.
Strategy 3
Use intrusion detection or SIEM rules tuned for anomalous authentication behavior, such as logins at unusual hours, from locations or devices the account has never used, or against systems the account has never touched, to identify stolen credentials while they are in use. In practice these rules run over authentication logs rather than raw network traffic, and they need a per-account baseline of normal activity to compare against.
Proactive prevention strategies
Strategy 1
Maintain a consistent patching schedule to close vulnerabilities that credential stealers use to escalate privileges after initial access.
Strategy 2
Enforce strict access controls and conduct regular permission reviews, applying least privilege so stolen credentials have limited blast radius.
Strategy 3
Continuously monitor authentication and network traffic for lateral movement patterns, for example one account or source host authenticating to many distinct systems within a short window. Credential stealers who authenticate successfully often pivot quickly to higher-value systems, so the fan-out itself is the signal.
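The two detection strategies above (anomalous login behavior under reactive strategy 3, lateral movement fan-out under proactive strategy 3) are shown here as working detection logic over a small constructed authentication log. This is an added example written for this page, not code from the project; the log format ("timestamp user src_host dst_host src_geo result"), the sample events, the working-hours window, the baseline cut-off date, and the fan-out threshold are all assumptions chosen for the illustration.

```python
"""Anomalous-login and lateral-movement detection over constructed auth logs.

Added example for this page; not code from the project it describes. The log
format ("timestamp user src_host dst_host src_geo result"), the working-hours
window, the baseline cut-off and the fan-out threshold are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Days 03-04 to 03-06 are the user's normal activity
# (the baseline); 03-07 is a simulated stolen-credential session from a VPN
# gateway in an unfamiliar country that fans out across six hosts in 3 minutes.
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice wks-17 fileserver US success
2024-03-04T09:15:40 alice wks-17 mail US success
2024-03-05T08:41:03 alice wks-17 fileserver US success
2024-03-06T10:05:22 alice wks-17 hr-portal US success
2024-03-06T17:55:09 alice wks-17 mail US success
2024-03-07T03:12:45 alice vpn-gw fileserver RO success
2024-03-07T03:13:02 alice vpn-gw mail RO success
2024-03-07T03:13:30 alice vpn-gw hr-portal RO success
2024-03-07T03:14:01 alice vpn-gw db-01 RO success
2024-03-07T03:14:22 alice vpn-gw backup-01 RO success
2024-03-07T03:15:00 alice vpn-gw dc-01 RO success
"""

WORK_HOURS = range(7, 20)            # 07:00-19:59 counts as normal (assumption)
BASELINE_END = datetime(2024, 3, 7)  # events before this build the baseline


def parse_log(text):
    """Parse whitespace-separated lines into event dicts; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, geo, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "geo": geo,
                       "ok": result == "success"})
    return events


def build_baseline(events, baseline_end=BASELINE_END):
    """Per-user set of source geos and destination hosts seen in the baseline."""
    base = defaultdict(lambda: {"geos": set(), "dsts": set()})
    for e in events:
        if e["ok"] and e["ts"] < baseline_end:
            base[e["user"]]["geos"].add(e["geo"])
            base[e["user"]]["dsts"].add(e["dst"])
    return base


def detect_anomalous_logins(events, baseline_end=BASELINE_END):
    """Reactive strategy 3: flag successful post-baseline logins that are
    off-hours, from a geo the user has never used, or to a host the user has
    never touched. Returns (timestamp, user, [reasons]) tuples."""
    base = build_baseline(events, baseline_end)
    alerts = []
    for e in events:
        if not e["ok"] or e["ts"] < baseline_end:
            continue
        reasons = []
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        profile = base.get(e["user"])
        if profile is None:
            reasons.append("no-baseline")   # unknown account: review by hand
        else:
            if e["geo"] not in profile["geos"]:
                reasons.append("new-geo:" + e["geo"])
            if e["dst"] not in profile["dsts"]:
                reasons.append("new-target:" + e["dst"])
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


def detect_lateral_movement(events, window=timedelta(minutes=10), fanout=4):
    """Proactive strategy 3: flag a (user, src_host) pair that authenticates
    to at least `fanout` distinct hosts inside a sliding `window`.
    Returns ((user, src), window_start, window_end, sorted hosts) tuples."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ok"]:
            by_key[(e["user"], e["src"])].append(e)
    alerts = []
    for key, evs in by_key.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            hosts = {x["dst"] for x in evs[start:end + 1]}
            if len(hosts) >= fanout:
                alerts.append((key, evs[start]["ts"], e["ts"], sorted(hosts)))
                break   # one alert per (user, src); avoids an alert storm
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both detectors over a log text and return their alerts."""
    events = parse_log(text)
    return {"logins": detect_anomalous_logins(events),
            "lateral": detect_lateral_movement(events)}


if __name__ == "__main__":
    results = run_detections()
    for ts, user, reasons in results["logins"]:
        print(f"LOGIN  {ts} {user}: {', '.join(reasons)}")
    for (user, src), t0, t1, hosts in results["lateral"]:
        print(f"PIVOT  {user}@{src} reached {len(hosts)} hosts {t0}..{t1}: {hosts}")
```

On the constructed log, every 03-07 login is flagged as off-hours and from a new geo, the three logins to db-01, backup-01 and dc-01 are additionally flagged as new targets, and the vpn-gw session trips the fan-out rule once it reaches its fourth distinct host. The baseline cut-off and the fixed 07:00-19:59 window are the weak points of this approach in production: a baseline that already contains attacker activity teaches the detector that the attack is normal, and shift workers need per-user rather than global working hours.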
Why this project matters
Decision aids like this one are practical tools for security teams that need repeatable, structured processes for threat assessment. This project demonstrates the ability to categorize threat actors, map them to organizational assets, and develop both reactive and proactive response plans — analytical skills that apply directly to security operations and risk management roles.