This content is sponsored by Carbon Black

This content was produced by Boston Globe Media's Studio/B in collaboration with the advertiser. The news and editorial departments of The Boston Globe had no role in its production or display.

Triple threat: Meet the three types of hackers

The better cybersecurity experts understand these criminals and what they’re after, the better they can protect you.

This article is a part of BG BrandLab’s Cybersecurity Special Report, meant to provide insights about today’s cyberthreats and the steps readers can take—as individuals, employees, and decision-makers—to protect against them.

Hackers have organized.

This, many security experts say, has become one of the most important understandings in dealing with data theft. Far from the opportunistic attacks that once dominated digital crime, modern cybercriminals are calculated and coordinated. They recruit from among the best and the brightest in corners of the world with few better opportunities.

Today’s cybercriminals pursue clear, high-value agendas that sort them into three distinct profiles. Security experts say understanding these motives has become essential in stopping them.

“As a defender, you have to think about your threat profile,” says William Carter, deputy director of the Technology Policy Program at the Center for Strategic and International Studies. “Which types of attackers are you most likely to encounter? Because the way that you defend against them will be different.”

The nation state actor

The first adversary, and widely considered the most dangerous, is the nation state actor. While it is not new for governments to pursue civilian targets, the practice has accelerated now that spies can act without setting foot on foreign soil. A nation-state attack will typically take one of two forms. The first, Carter says, is conducted by the actual employees of a government such as, in the United States, the CIA or NSA.

“Then there’s what we call ‘proxies,’” he says, “which are people who do not work for the government but who conduct operations on behalf of the government.”

Proxy attacks have become a particularly well-known tool of the Russian government, which often relies on Eastern European criminal organizations to attack foreign media, spread disinformation and launch malware campaigns. This is a tactic that the Putin government first widely employed during its 2008 invasion of Georgia, and many of the fake news articles and fraudulent social media accounts surrounding the 2016 and 2018 U.S. elections are attributed to government-aligned criminal groups as well.

Proxies are also a common tool among some East Asian governments, but they are relatively rarely employed by the United States or Western Europe.


Money-hungry hackers

Cybersecurity experts classify “criminals” as hackers motivated by money. Increasingly, most work as part of organizations dedicated to stealing cash, identities, and valuable data. These criminal syndicates operate all across the world and can range from small groups to large, mob-style syndicates.

“Typically,” says Tom Kellermann, chief cybersecurity officer for the digital security firm Carbon Black, “the more sophisticated cybercrimes and cyber events that have occurred need what’s called ‘a crew’.”

These crews meet and recruit on dark web forums (meaning forums accessed through a numeric IP address rather than an alphabetical URL). There’s a four-step vetting process that tests for undercover law enforcement, skills, criminal intent and reputation in the hacker community, Kellermann says. At the end of this process, these organizations go into business.

“The very best, most sophisticated, most talented hackers in the world don’t always hack,” Kellermann says. “They do something that’s very interesting. They develop custom malware and custom attack frameworks that they just lease and sell.”

It’s a service industry model in which criminal hackers act as contractors who provide specialized components. One group might create the emails for a phishing operation, while another writes the malware that hijacks a system. Each group sells its software or services to anyone who wants to cobble together their own hacks. Sometimes that means other professionals, but just as often the buyers are adventurous amateurs.


Philosophical hackers

Historically, the third common threat to data has come from “hacktivists.”

Often working alone, hacktivists don’t want money (like the criminals) or power (like the spies). They attack networks out of ideology. This is the hacker who strikes a petroleum company to post messages about climate change, for example, or who sends stolen files to WikiLeaks. They generally want to embarrass the target, interfere with its operations, or expose information.

Driven by philosophy, they bring persistence to their work that can mirror attacks by nation states. Their numbers have, however, declined in recent years. A major reason for this, says Carter, is the amount of money and risk involved. People with the skills to launch a high-end data breach generally use those skills either on behalf of criminal organizations or as cybersecurity professionals.

“You still see people engaged in hacktivism,” he says, “but it tends to be a much less technologically sophisticated crowd.”


The cybersecurity professional

Experts respond best when they know their enemy.

“If you’re dealing with a nation state you have to understand that you’re dealing with a 24/7 operation,” Kellermann says. “You can’t just triage the event, do an after action report, and assume that you’ve gotten them out of your infrastructure.”

If you’re dealing with a criminal group, by contrast, he says, “you have to be very wary to make sure that they have not manipulated the integrity of the data after they’ve stolen it.”

And if you’re on defense against a hacktivist, he emphasizes, prepare for persistence.

When it comes to cybersecurity, the nature of the threat is often defined by the nature of the attacker, and networks increasingly need defenses built around the motivations of the people trying to break in. In fact, many experts argue, this isn’t merely a nice-to-have feature of cyber defense. It has become absolutely essential.

Carter explains this vulnerability through the example of a nation state attack.

“China wants to cultivate a spy in the United States government,” he says. “[And] let’s say I worked in the Department of Defense. You could have hypothetical me and see that I have financial problems, but you could also say my mother has cancer.”

In that case, Carter says, the hypothetical version of himself might get an offer from the Chinese government to take care of his mother or his financial problems. But how would they know about that point of leverage? They could hack into a hotel chain and discover that he often stays at properties near Dana Farber Hospital. They could hack into his bank account and not steal a penny, just look at his records. They could look at online retailers and data mine his purchase histories. This seemingly innocent data can lead to devastating results in the hands of a foreign intelligence service.

Understanding that and guarding against it, experts say, is the first step in protecting modern networks from increasingly sophisticated adversaries. Organizations have to consider the kinds of threats they face, who might target them, and what those bad actors would want. Knowing the profile of the threat can be the difference between successfully keeping a network well protected and losing essential data without even realizing the hack happened.
