10 Ways to Think Like a State Cyber Actor

At this moment, a foreign government could be probing your network for weakness. If you think otherwise you are probably wrong. Because the harsh reality is this: any company that does something of value is a target for state actors.

State actors are different from criminal hackers. States employ the full extent of national power in ways even the most sophisticated criminal groups cannot. Tools like the CIS Top 20 Controls and the NIST Cybersecurity Framework can help you defend against 80% of threats. But these tools alone won’t stop the dedicated and well-resourced state actor.

One of the best defenses you can mount against state actors is to think like one. In our recent Cyber Defense Review article, How Could They Not: Thinking Like a State Cyber Threat Actor, we highlight what makes state threat actors different, how they think, and how you can blunt their activities by crafting better defenses.

Here are 10 things to know about state actors to help you understand them better and ultimately bolster your defense against this most capable of threat groups.

  1. State activities aren’t always state-only.

State cyber operations are rarely unilateral. State actors may be state-operated, state-sponsored, state-affiliated, or state-tolerated. Expect states to partner with less capable and often disposable threat actors. And when you see non-state groups conduct cyber operations with a surprising degree of sophistication, consider if there’s a state benefactor behind the scenes. 

  1. State actors can be unreasonably tenacious.

The assertion that a strong enough defense will dissuade attackers and compel them to seek a softer target elsewhere won’t hold up when targeted by state actors. Criminal actors need profitable operations to pay the bills. State actors, on the other hand, can pursue extensive operations with no opportunity for financial gain because profit is not the objective. 

  1. States create vulnerabilities.

Most attackers use pre-existing vulnerabilities to conduct their attacks. States are different. Sophisticated states employ massive vulnerability discovery efforts, such as employing contractors who specialize in large scale fuzzing or paying large sums of money to bug bounty hunters. Assume states will go to extremes such as maneuvering security-sensitive devices, people, hardware, companies, and data to create vulnerability. 

  1. State cyber forces will push the limits of authority.

State cyber forces want to aggressively do their jobs and will push their authorized activities to the limit, and then ask for greater authority. If the authority is given, the results can be extreme, sometimes resulting in legal authorities being undermined or eliminated if they become public. 

  1. Going off script can get operators reprimanded, banished, imprisoned…or promoted.

State actors who fail to comply with their government overlords face consequences. In law-abiding democracies, we’ll see career terminations, reassignments, and arrests. In strict regimes, we’ll see more severe punishments, including execution. That said, innovation is necessary for success in cyber conflict, and innovation can’t flow when organizations are rigid and risk averse. Expect flexibility in what nations will tolerate from their cyber groups.

  1. State actors challenge fundamental security assumptions.

You might assume your web communications are secure. In actuality, web security is based on cryptographic certificates embedded in our browsers, and assumptions like this can be dangerous. This was the case in 2011 when a state threat group breached Dutch certificate authority DigiNotar and conducted a large-scale attack against Iranian Gmail users. States don’t necessarily fight fair – carefully consider your assumptions about state threats. 

  1. States actors have strategies – we have tactics.

Another thing state actors have on their side is time. Most companies are perpetually stuck in near-present tactics, and short range thinking at the enterprise level hinders defense. For state actors, long-term planning conducted by professional cyber operators, intelligence analysts, and military planners is common. State actors will quietly cultivate access to computing systems over many years and then strike when the opportunity is right.   

  1. States think at massive scale.

What could you do with a billion-dollar budget, a robust intelligence apparatus, a cyber army, and sovereign immunity? With resources like this, states can think big. Mounting a state-grade defense requires working alongside enterprises, sectors, and governments to build a collective defense against these powerful cyber forces.

  1. States have security research ahead of the open community.

Assume state forces are 5-10 years ahead of the open cyber community in cryptography and offensive security. While many top companies have well-established cyber defense programs, lesser-resourced small and midsize companies lag behind – as does much of the US government outside of the defense and intelligence communities. We must move beyond US overconfidence and assume we won’t enjoy a perpetual lead in many emerging technologies. 

  1. States leverage the full spectrum of national power.

State cyber operations don’t exist in a technology vacuum. Governments deploy their full spectrum of tools including diplomatic, informational, economic, law enforcement, and military levers of power to achieve their cyber objectives. This is what makes state actors such a dynamic threat.


While this post paints a grim picture about state actors, these groups are not superhuman. They consist of people with rare talent operating under tremendous pressure. People leave. They get sick, have babies or take other jobs. For all their strengths, state threat actors have weaknesses we can exploit.

The key is banding together in a collective defense. No company can stand alone against state actors. We must learn to defend as sectors and nations in tight coordination.

The Cyber Defense Review article goes beyond surface-level press coverage to provide a more meaningful and useful understanding of how state actors think, what incentives drive them, what challenges they face, and what special advantages state actors possess.

To learn more about how IronNet is applying behavioral analytics and collective defense to increase the quality and speed of threat detection, request a demo.

About Ironnet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet, Inc. (NYSE: IRNT) is a global cybersecurity leader that is transforming how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing a number of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today.