Ethical Hacking Lesson 2 – Hacker Types & Motivations | Dataplexa
Foundations & Hacking Mindset · Lesson 2

Hacker Types & Motivations

Not every hacker is trying to steal something. Some are paid to break in. Some are making a political point. Some are just bored teenagers running tools they found online. Knowing who is on the other side of an attack completely changes how you respond to it.

The Colour-Coded System Everyone Uses

The security industry borrowed a simple shorthand from old Western films. Heroes wore white hats, villains wore black. It stuck because it works — the hat colour tells you two things at once: whether the person has permission and what their intention is. Those two factors — and only those two — determine which side of the law someone stands on.

The skill level is irrelevant to the classification. A world-class security researcher who probes a system without permission is still operating illegally, regardless of how well-intentioned they are.

White Hat — The Ethical Hacker

Has a signed contract, a defined scope, and reports everything back to the client. This is the professional path. Every technique in this course is taught with this hat in mind — authorised engagements only.

Black Hat — The Malicious Attacker

No permission, no defined boundaries, no intention to report findings to anyone except maybe a buyer on a dark web forum. Motivated by money, revenge, or disruption. The techniques are identical to a white hat's — the missing authorisation is the crime.

Grey Hat — The Complicated Middle Ground

Breaks into systems without permission, then tells the target what they found — sometimes for free, sometimes for a fee. The intent looks helpful but the access was still unauthorised. Good intentions have never held up as a legal defence.

The Full Picture — Six Types of Threat Actors

Three hats don't cover everything. In real security work, threats come from very specific types of people with very different goals. Understanding who is behind an attack — before it happens — shapes every defensive decision your client will ever make.

Actor Type         Core Motivation                              Typical Targets                              Skill Level
Pen Tester         Paid to find holes before criminals do       Client systems — in scope only               High
Script Kiddie      Thrill, bragging rights, boredom             Anyone who hasn't patched                    Low — runs ready-made tools
Cybercriminal      Money — ransomware, fraud, data sales        Businesses, hospitals, banks                 Medium to High
Hacktivist         Political or ideological statement           Governments, large corporations              Varies widely
Nation-State APT   Espionage, sabotage, geopolitical gain       Defence, pharma, energy, government          Elite — state-funded resources
Insider Threat     Revenge, financial pressure, coercion        Their own employer's systems                 Low to High — already has access

Motivation Changes Everything About the Attack

The most dangerous thing about a nation-state group isn't the sophistication of their tools. It's their patience. A script kiddie runs a scan, hits a wall, and moves on within minutes. A well-funded government-backed group will sit quietly inside your network for months — reading emails, mapping systems, waiting for the right moment — without triggering a single alert.

Understanding that difference is what separates a security professional who builds the right defences from one who builds the wrong ones.

A Real Example — SolarWinds 2020

A sophisticated group inserted malicious code into a routine software update sent to around 18,000 organisations — including several US government agencies. Once inside, they moved slowly and quietly, mimicking normal administrator behaviour for months before anyone noticed. The attackers weren't smashing down doors. They were reading emails and mapping internal systems at a pace that looked completely normal. That level of patience is the defining characteristic of a nation-state level threat.

That single incident changed how the security industry thinks about detection. A firewall that catches 99% of opportunistic attacks is almost irrelevant against an adversary who is already inside and in no hurry at all.

Visualising the Threat Spectrum

Here is a simple way to picture where each actor type sits — plotted by skill level on one axis and intent on the other. The higher the bar, the higher the skill. The colour tells you whether they are operating with authorisation or not.

[Chart: the threat spectrum. Bars from left to right: Pen Tester (Authorised), Bug Bounty (Scoped), Grey Hat (No Permission), Script Kiddie (Malicious), Hacktivist (Malicious), Cybercriminal (Malicious), Nation-State (State-backed). The horizontal axis runs from Authorised / Ethical to Unauthorised / Criminal; bar height = relative skill level.]

Notice something important in that chart. Skill and authorisation move completely independently. A nation-state group sits at the top of the skill axis and the far wrong end of the authorisation axis at the same time. A junior pen tester might be less technically polished — but they have full legal cover. That distinction is everything.

Matching Defences to the Right Threat

One of the most common mistakes in security is treating defence as a generic checklist. The organisations that genuinely improve their security connect every decision to a realistic threat actor. A recommendation that makes sense against a ransomware gang looks completely different from one aimed at an insider threat.

Against Script Kiddies

Regular patching and rate limiting cover the vast majority of automated low-skill attacks. These actors depend entirely on unpatched software — close that gap and they move to an easier target.

Against Ransomware Groups

Multi-factor authentication on every account, offline backups that can't be encrypted remotely, and email filtering that blocks phishing before it lands. Ransomware is a business model — remove the easy payout and most groups walk away.

Against Nation-State Groups

Network segmentation and behavioural anomaly detection on internal traffic. The perimeter conversation becomes almost irrelevant — assume they are already inside and design your systems to contain the damage.

Against Insider Threats

Least-privilege access — give people only the access they need for their role. Pair that with user behaviour monitoring so unusual activity gets flagged before significant damage is done.
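The two controls recommended above against insider threats, least-privilege access and user behaviour monitoring, can both be expressed as simple checks over the data an organisation already holds. The script below is an added example written for this lesson, not code from the lesson or from any product: it audits each account's grants against what its role needs, then baselines each user's bulk exports on their own history and alerts when an export is far above that baseline or leaves for an unapproved destination. The role model, account grants, destinations, export records, business-hours policy and the 10x ratio are all constructed assumptions.

```python
"""Added example (not the lesson's own code): a least-privilege audit and a
user-behaviour check on bulk exports, the two controls paired above against
insider threats. Roles, grants, export records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed role model: the privileges each role genuinely needs.
ROLE_NEEDS = {
    "dba":     {"db.read", "db.write", "db.schema", "db.export"},
    "analyst": {"db.read"},
    "support": {"db.read", "tickets.write"},
}

# Constructed grants: (role, privileges actually held) per account.
GRANTS = {
    "m.patel": ("dba",     {"db.read", "db.write", "db.schema", "db.export"}),
    "a.lee":   ("analyst", {"db.read", "db.write", "db.export"}),
    "r.cho":   ("support", {"db.read", "tickets.write", "db.export", "db.schema"}),
}

# Constructed list of destinations that bulk exports are allowed to go to.
APPROVED_DESTINATIONS = {"s3://corp-reporting", "smb://fileserver/exports"}

# Constructed export records: (timestamp, user, rows exported, destination).
EXPORTS = [
    ("2024-03-04T10:12:00", "m.patel", 1200, "smb://fileserver/exports"),
    ("2024-03-05T11:40:00", "m.patel", 900, "smb://fileserver/exports"),
    ("2024-03-06T09:05:00", "m.patel", 1500, "s3://corp-reporting"),
    ("2024-03-07T14:30:00", "m.patel", 1100, "smb://fileserver/exports"),
    ("2024-03-08T23:02:00", "m.patel", 2_400_000, "https://drive.example.net/u/mpatel"),
]


def excess_privileges(grants=GRANTS, role_needs=ROLE_NEEDS):
    """Least-privilege gap: privileges each account holds beyond its role's needs."""
    report = {}
    for user, (role, granted) in grants.items():
        extra = granted - role_needs[role]
        if extra:
            report[user] = sorted(extra)
    return report


def outside_business_hours(ts):
    """Constructed policy: 07:00 to 20:00 on weekdays counts as business hours."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 20


def flag_exports(exports=EXPORTS, ratio=10, approved=APPROVED_DESTINATIONS):
    """Baseline each user on their own earlier exports (median row count) and
    alert when an export is far above that baseline or leaves for an unapproved
    destination. Off-hours timing alone does not alert; it raises severity."""
    history = defaultdict(list)
    alerts = []
    for ts_str, user, rows, dest in exports:
        ts = datetime.fromisoformat(ts_str)
        reasons = []
        baseline = median(history[user]) if history[user] else None
        if baseline is not None and rows > ratio * baseline:
            reasons.append(f"volume {rows} rows vs baseline {baseline:.0f}")
        if dest not in approved:
            reasons.append(f"unapproved destination {dest}")
        if reasons:
            severity = "high" if outside_business_hours(ts) else "medium"
            alerts.append({"user": user, "ts": ts_str, "severity": severity,
                           "reasons": reasons})
        history[user].append(rows)   # baseline is built only from records seen so far
    return alerts


if __name__ == "__main__":
    for user, extra in excess_privileges().items():
        print(f"{user}: revoke {', '.join(extra)}")
    for alert in flag_exports():
        print(alert)
```

Running it reports that a.lee and r.cho hold export and write or schema rights their roles never needed, and raises a single high-severity alert for the late-night 2.4-million-row export to a personal cloud account, while the four ordinary daytime exports stay silent. In practice the baseline would be fed from a longer history and flagged records would be excluded from it, so one anomalous export cannot quietly raise the user's own baseline.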

Seeing It From the Inside — A Real Threat Intelligence Profile

Before a red team engagement even starts, good security professionals research the threat actor their client is realistically facing. That research gets structured into a profile — who the group is, what motivates them, how long they typically stay hidden, and what tactics they are known to use.

Here is what one of those profiles actually looks like. This format mirrors real threat intelligence reports used inside security operations centres around the world.

THREAT ACTOR PROFILE — Classified: Internal Use Only                      [NATION-STATE]
Group Name:          APT29 — also known as Cozy Bear
Attributed Origin:   Russia (assessed with high confidence)
Primary Motivation:  Espionage — government agencies, pharmaceutical companies, research institutions
Average Dwell Time:  6 to 18 months undetected
Known Tactics:       Spearphishing emails with convincing lure documents
                     Supply chain compromise — hiding malicious code inside trusted software updates
                     Living off the land — using built-in system tools to avoid detection
Notable Incident:    SolarWinds supply chain attack — 2020. Affected 18,000+ organisations including US federal agencies.

That dwell time figure — six to eighteen months — is the one that should make any security professional stop and think. It means whatever detection you have needs to catch slow, quiet, patient behaviour over months. Not just the loud scans that trigger alerts in the first sixty seconds.
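The contrast between a loud burst that trips an alert in the first sixty seconds and quiet activity spread over months, drawn above and in the "Against Script Kiddies" advice on rate limiting, is easiest to see as two different rules over the same authentication log. The script below is an added example written for this lesson, not code from the lesson or from any product. A rate rule counts failures from one source inside a sliding window and records whether the source fell silent after the first rate-limit response, which is the signature of a tool running on default settings; a span rule looks for a source that appears on many distinct days across a long period but is never noisy on any of them. The log line format, the thresholds and the sample log are constructed assumptions.

```python
"""Added example (not the lesson's own code): two complementary detections
over an authentication log. A rate-based rule catches the noisy, tool-driven
burst; a span-based rule surfaces quiet, persistent access of the kind that
goes with long dwell times. Log format, thresholds and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=5)   # sliding window for the rate rule
BURST_THRESHOLD = 100                 # FAIL events from one source inside the window
SLOW_MIN_DAYS = 14                    # distinct active days before the slow rule fires
SLOW_MAX_PER_DAY = 3                  # "quiet" means never more than this per day


def parse_line(line):
    """Parse a constructed line: '<ISO timestamp> <RESULT> user=<name> src=<ip>'."""
    ts, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,                     # FAIL, OK or RATELIMIT
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def is_off_hours(ts):
    """Constructed policy: 22:00 to 06:00 is off-hours."""
    return ts.hour < 6 or ts.hour >= 22


def find_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Per source: peak number of FAIL events inside any sliding window, and
    whether the source went silent after the first rate-limit response."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]
        peak, lo = 0, 0
        for hi, ts in enumerate(fails):          # two-pointer sliding window
            while ts - fails[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak < threshold:
            continue
        limits = [e["ts"] for e in evs if e["result"] == "RATELIMIT"]
        stopped = bool(limits) and not any(e["ts"] > limits[0] for e in evs)
        hits[src] = {"peak_failures": peak, "stopped_after_ratelimit": stopped}
    return hits


def find_low_and_slow(events, min_days=SLOW_MIN_DAYS, max_per_day=SLOW_MAX_PER_DAY):
    """Per source: activity on many distinct days over a long span, never noisy
    on any of them. The off-hours share is reported as context, not required."""
    per_day = defaultdict(lambda: defaultdict(int))
    off_hours = defaultdict(int)
    for e in events:
        per_day[e["src"]][e["ts"].date()] += 1
        off_hours[e["src"]] += is_off_hours(e["ts"])
    hits = {}
    for src, days in per_day.items():
        if len(days) < min_days or max(days.values()) > max_per_day:
            continue
        span = (max(days) - min(days)).days
        if span < min_days:
            continue
        total = sum(days.values())
        hits[src] = {"distinct_days": len(days), "span_days": span,
                     "off_hours_fraction": round(off_hours[src] / total, 2)}
    return hits


def classify(lines):
    events = [parse_line(line) for line in lines if line.strip()]
    return {"burst": find_bursts(events), "low_and_slow": find_low_and_slow(events)}


def build_sample_log():
    """Constructed sample, not real data: 4,000 default-password attempts over
    90 minutes that stop at the first rate-limit response; one login a night
    from a single source for a month; a handful of ordinary daytime logins."""
    lines = []
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    for i in range(4000):
        lines.append(f"{(t0 + timedelta(milliseconds=1350 * i)).isoformat()} FAIL user=admin src=203.0.113.10")
    lines.append(f"{(t0 + timedelta(milliseconds=1350 * 4000)).isoformat()} RATELIMIT user=admin src=203.0.113.10")
    t1 = datetime(2024, 2, 1, 2, 15, 0)
    for d in range(30):
        lines.append(f"{(t1 + timedelta(days=d)).isoformat()} OK user=j.doe src=198.51.100.7")
    for hour in (9, 10, 11, 13, 15):
        lines.append(f"{datetime(2024, 3, 1, hour, 0, 0).isoformat()} OK user=a.smith src=192.0.2.5")
    return lines


if __name__ == "__main__":
    for rule, hits in classify(build_sample_log()).items():
        for src, detail in hits.items():
            print(f"{rule:12} {src:15} {detail}")
```

On the constructed log the rate rule flags 203.0.113.10 with a peak of over two hundred failures in five minutes and notes that it stopped the moment it was rate-limited, and the span rule flags 198.51.100.7 for thirty quiet logins at 02:15 across a month, while the ordinary daytime account triggers nothing. The span rule is a triage signal rather than a verdict: legitimate service accounts and scheduled jobs look the same on this axis, so it needs an allowlist of known sources and a baseline of expected hours before it is useful in a real operations centre.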

Teacher's Note: Every actor type you just read about uses a version of the same techniques you will learn in this course. The tools don't know who is holding them. What makes this a profession instead of a crime is the authorisation, the scope, and the report that lands on your client's desk at the end.

Practice Questions

Scenario:

A defence contractor brings your firm in for a threat modelling session. Their security lead says: "We found signs of a breach that has been active for over a year. Nothing has been taken yet, but whoever it is has fully mapped our internal network and appears to be using custom tools we have never seen documented publicly anywhere." Your team immediately begins narrowing down the category. What type of threat actor fits this profile?


Scenario:

Your client's server logs show 4,000 identical login attempts over 90 minutes, all trying common default passwords in alphabetical order. The attempts stop completely the moment the server returns a rate-limit response. The tool being used is identified as a well-known public scanner with its default settings unchanged. Based on what you see, what type of attacker is almost certainly behind this?


Scenario:

A bank's security system flags an alert at 11 PM on a Friday. A senior database administrator — passed over for promotion three days ago — is running bulk exports of customer records. The access is completely within their granted permissions. The exported files are being sent to a personal cloud storage account. No outside attacker is involved. What category of threat does this fall under?


Quiz

Scenario:

A security researcher finds a critical vulnerability in a popular business platform. Without contacting the company first, they log in through the flaw, confirm it works, take screenshots, then send a full technical write-up to the security team — no fee, no demands, just wanting it fixed. The company notifies law enforcement the same day. How should the researcher be correctly classified?

Scenario:

A government ministry hires your team for an engagement. The brief reads: "Simulate a nation-state APT targeting our classified document storage." You have three weeks and full written authorisation covering the entire internal infrastructure. Which approach best matches what the client is actually asking for?

Scenario:

Your post-engagement report for a logistics company identifies insider threat as the primary risk. Three employees have unrestricted database access they do not need for their roles, and there is no behavioural monitoring in place. The security lead asks for the single most impactful change they can make this quarter. Which recommendation directly addresses what was found?

Up Next · Lesson 3

Legal & Ethical Considerations

The laws that protect you as an ethical hacker — and the lines no client can ever ask you to cross.