Top Threat Actors TTPs
1. Nation-State Threat Actors

These groups are often state-sponsored and target governments, infrastructure, and large enterprises.

  • APT29 (Cozy Bear – Russia)
    • Tactics: Initial access, persistence, credential access
    • Techniques: Spear-phishing, stolen credentials, DLL side-loading
    • Procedures: Leveraging legitimate services for command and control (C2), slow and stealthy data exfiltration
  • APT28 (Fancy Bear – Russia)
    • Tactics: Credential access, execution, exfiltration
    • Techniques: Brute force, malware implants, PowerShell scripts
    • Procedures: Targeting political organizations and using zero-day exploits
  • Lazarus Group (North Korea)
    • Tactics: Resource development, initial access, collection
    • Techniques: Supply chain attacks, watering hole attacks, cryptocurrency theft
    • Procedures: Custom malware development and highly destructive payloads
  • APT41 (China)
    • Tactics: Privilege escalation, lateral movement, exfiltration
    • Techniques: Exploiting web-facing applications, remote access tools (RATs)
    • Procedures: Blending cyber espionage with financial crime

2. Cybercriminal Groups

These actors are financially motivated, targeting organizations and individuals for ransom, theft, or fraud.

  • Conti Ransomware Group
    • Tactics: Impact, data encryption, defense evasion
    • Techniques: RDP brute force, Cobalt Strike for lateral movement
    • Procedures: Double extortion — encrypting data and threatening to leak it
  • LockBit
    • Tactics: Discovery, execution, exfiltration
    • Techniques: Phishing, exploiting public-facing apps, file encryption
    • Procedures: Using custom-built ransomware to quickly encrypt networks
  • FIN7
    • Tactics: Persistence, collection, command and control
    • Techniques: Spear-phishing, script-based attacks, credential dumping
    • Procedures: Targeting point-of-sale systems for financial theft

3. Hacktivist Groups

These actors are motivated by ideology or political goals, often targeting organizations to make a public statement.

  • Anonymous
    • Tactics: Initial access, impact, availability disruption
    • Techniques: DDoS attacks, website defacement, information leaks
    • Procedures: Leveraging social media and public platforms for coordination
  • LulzSec (historical but relevant for CEH)
    • Tactics: Reconnaissance, discovery, impact
    • Techniques: SQL injection, exploiting known vulnerabilities
    • Procedures: High-publicity attacks for “lulz” or chaos

📚 Mapping TTPs to MITRE ATT&CK

The MITRE ATT&CK framework is a goldmine for learning real-world TTPs. For your CEH studies, get familiar with how attackers progress through the attack lifecycle:

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationImpact