US Cyber Threat Landscape: Current Threat Categories

The US cyber threat landscape encompasses the full range of adversarial techniques, threat actor categories, and attack vectors that target public and private sector networks across the country. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI jointly track these threats through published advisories, annual reports, and sector-specific alerts. Understanding this threat taxonomy is essential for organizations assessing risk exposure, selecting security controls, aligning with voluntary frameworks such as the NIST Cybersecurity Framework, and meeting sector-specific regulatory obligations. This page catalogs the primary threat categories, their mechanisms, and the classification logic that distinguishes them operationally.


Definition and scope

A cyber threat, as defined by the National Institute of Standards and Technology (NIST) in NIST SP 800-30 Rev. 1, is "any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service."

Scope within the US context spans the 16 critical infrastructure sectors designated under PPD-21 and coordinated by CISA, from financial services and healthcare to water and wastewater systems, with election infrastructure designated as a subsector of Government Facilities. Threat categories apply across all sectors but manifest differently by environment: a ransomware deployment against a hospital has different operational consequences than the same variant targeting a municipal government.

The cyber threat landscape for the US is shaped by four primary adversary classes:

  1. Nation-state actors — Government-sponsored groups pursuing espionage, intellectual property theft, or pre-positioning for destructive operations
  2. Cybercriminal organizations — Financially motivated groups operating ransomware-as-a-service (RaaS) platforms and business email compromise (BEC) schemes
  3. Hacktivists — Ideologically motivated actors conducting denial-of-service campaigns or data leaks
  4. Insider threats — Employees, contractors, or third-party personnel with privileged access who act maliciously or negligently

CISA's Known Exploited Vulnerabilities (KEV) catalog tracks vulnerabilities with evidence of active exploitation, regardless of which adversary class is exploiting them, and has grown to over 1,100 entries since its launch alongside BOD 22-01 in November 2021.


How it works

Cyber attacks follow a recognizable operational sequence regardless of threat category. The MITRE ATT&CK framework, maintained by MITRE Corporation, documents adversary tactics, techniques, and procedures (TTPs) across 14 Enterprise tactic categories, from Reconnaissance through Impact. This taxonomy provides the standard reference used by federal agencies, managed security service providers, and enterprise security teams.

The generalized attack lifecycle proceeds through these phases:

  1. Reconnaissance — Passive or active information gathering on targets (OSINT, port scanning, phishing pretexts)
  2. Initial access — Exploitation of a vulnerability, stolen credential use, or phishing lure delivery
  3. Execution — Running malicious code on the compromised system
  4. Persistence — Establishing mechanisms to maintain access across reboots or credential changes
  5. Privilege escalation — Gaining higher-level permissions to expand operational reach
  6. Lateral movement — Traversing the network from the initial foothold to target systems
  7. Exfiltration or impact — Extracting data, deploying ransomware, or degrading system availability

Nation-state actors, particularly those attributed by the NSA and CISA in joint advisories (e.g., the 2021 advisory on Russian SVR activity), tend to operate across longer dwell times — sometimes exceeding 200 days before detection — compared to cybercriminal groups that typically move toward monetization within hours or days of initial access.


Common scenarios

Ransomware attacks represent the dominant disruptive threat category across US sectors. The FBI's Internet Crime Complaint Center (IC3) 2023 Internet Crime Report recorded over $59.6 million in adjusted losses from ransomware complaints, though the FBI acknowledges this figure represents significant underreporting. Ransomware threat mechanics and sector impact are documented separately.

Phishing and social engineering remain the primary initial access vector across threat categories. Variants include spear-phishing, vishing (voice phishing), smishing (SMS phishing), and business email compromise. The IC3 2023 report identified BEC as accounting for over $2.9 billion in reported losses (IC3 2023 Internet Crime Report).

Supply chain compromises involve adversaries targeting software vendors, managed service providers, or hardware manufacturers to gain access to downstream customers. The 2020 SolarWinds incident, attributed by the US government to Russian SVR, delivered a trojanized Orion software update to approximately 18,000 customers through a single update mechanism; a much smaller subset of those customers was selected for follow-on intrusion. Supply chain cybersecurity risk frameworks address this vector specifically.

Vulnerability exploitation of unpatched systems, particularly internet-facing infrastructure, enables rapid mass-exploitation campaigns. CISA's Binding Operational Directive 22-01 requires federal civilian agencies to remediate KEV catalog entries by the due date CISA assigns to each entry: two weeks for vulnerabilities assigned a CVE ID in 2021 or later, six months for older ones (BOD 22-01).
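The directive turns the KEV catalog into a clock: each entry carries a due date, and the practitioner's job is to join that feed against an asset inventory and work the overdue list first. The script below is an added example, not CISA tooling. The feed and inventory are constructed inline in the shape of CISA's published known_exploited_vulnerabilities.json (field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse` are the real schema); the two CVE IDs are genuine catalog entries, but dates and ransomware flags should be taken from the live feed rather than from this sample.

```python
"""Triage an asset inventory against a CISA KEV-format feed and flag BOD 22-01 due dates.

Added example (not CISA tooling). KEV_FEED and INVENTORY are constructed inline
in the shape of CISA's known_exploited_vulnerabilities.json feed; the two CVE IDs
are real catalog entries, but take due dates from the live feed, not from here.
"""
import json
from datetime import date

# Constructed sample in the live feed's schema.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-23397", "vendorProject": "Microsoft", "product": "Outlook",
         "dateAdded": "2023-03-14", "dueDate": "2023-04-04",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: asset name plus the CVEs a scanner reported against it.
INVENTORY = [
    {"name": "web-01", "cves": ["CVE-2021-44228"]},
    {"name": "mail-gw", "cves": ["CVE-2023-23397"]},
    # the second CVE below is absent from the sample feed, so it is skipped
    {"name": "db-02", "cves": ["CVE-2021-44228", "CVE-2022-22965"]},
]


def load_catalog(kev_json: str) -> dict[str, dict]:
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(kev_json: str, inventory: list[dict], today_iso: str) -> list[dict]:
    """Return one finding per (asset, KEV CVE), most urgent first.

    Urgency: ransomware-linked entries first, then by days past the BOD 22-01 due date.
    CVEs not in the catalog still need patching; they are just outside the directive's clock.
    """
    today = date.fromisoformat(today_iso)
    catalog = load_catalog(kev_json)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = catalog.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            overdue = (today - due).days
            findings.append({
                "asset": asset["name"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_overdue": max(overdue, 0),
                "status": "OVERDUE" if overdue > 0 else "DUE",
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Python's sort is stable, so ties keep inventory order.
    findings.sort(key=lambda f: (not f["ransomware_use"], -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_FEED, INVENTORY, date.today().isoformat()):
        print(f'{f["status"]:8} {f["asset"]:8} {f["cve"]:16} due {f["due"]} '
              f'({f["days_overdue"]} days overdue, ransomware use: {f["ransomware_use"]})')
```

Run against the real feed by replacing `KEV_FEED` with the downloaded JSON and `INVENTORY` with scanner output; the ransomware-first ordering mirrors how CISA itself flags entries, and is the usual tie-breaker when a patch window cannot cover everything past due.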

Credential-based attacks, including password spraying, credential stuffing, and Kerberoasting in Active Directory environments, exploit weak passwords and weak authentication configurations. Multi-factor authentication (MFA) defeats the majority of automated credential attacks against interactive logins, according to CISA guidance on MFA. It does not address Kerberoasting, which requests service tickets for accounts with a Service Principal Name and cracks them offline; that attack is mitigated by long random service-account passwords or group Managed Service Accounts and by disabling RC4 ticket encryption.
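Spraying and stuffing are designed to stay under per-account lockout thresholds, so the detection signal is not "many failures for one account" but "one source failing against many accounts, a few times each". The script below is an added example of that logic, not code from the page or from CISA; it classifies a burst of failures from one source as password spraying or single-account brute force and flags a success from the same source against an account it just failed on. The input is constructed here as simplified CSV rows (timestamp, Windows Security event ID, account, source IP); a real pipeline would feed 4625 (logon failure) and 4624 (logon success) events from the SIEM, and the window and thresholds are assumed values to tune per environment.

```python
"""Classify Windows logon-failure bursts as password spraying or single-account brute force.

Added example, not from the page or from CISA. SAMPLE_LOG is constructed inline as
simplified CSV rows: timestamp, event ID (4625 failure / 4624 success), account, source IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

WINDOW = timedelta(minutes=10)   # assumed evaluation window
MIN_ACCOUNTS = 5                 # distinct accounts from one source before calling it a spray
MAX_PER_ACCOUNT = 2              # sprays stay under lockout thresholds: few tries per account
BRUTE_THRESHOLD = 5              # failures against a single account from one source

# Constructed sample: a 6-account spray ending in a success for "frank", then a
# single-account brute force against a service account, then one stray failure.
SAMPLE_LOG = """\
2024-03-04T09:00:01,4625,alice,203.0.113.10
2024-03-04T09:00:03,4625,bob,203.0.113.10
2024-03-04T09:00:05,4625,carol,203.0.113.10
2024-03-04T09:00:07,4625,dave,203.0.113.10
2024-03-04T09:00:09,4625,erin,203.0.113.10
2024-03-04T09:00:11,4625,frank,203.0.113.10
2024-03-04T09:00:13,4624,frank,203.0.113.10
2024-03-04T09:05:00,4625,svc_backup,198.51.100.7
2024-03-04T09:05:01,4625,svc_backup,198.51.100.7
2024-03-04T09:05:02,4625,svc_backup,198.51.100.7
2024-03-04T09:05:03,4625,svc_backup,198.51.100.7
2024-03-04T09:05:04,4625,svc_backup,198.51.100.7
2024-03-04T09:05:05,4625,svc_backup,198.51.100.7
2024-03-04T09:05:06,4625,svc_backup,198.51.100.7
2024-03-04T09:05:07,4625,svc_backup,198.51.100.7
2024-03-04T11:30:00,4625,alice,192.0.2.44
"""


class Event(NamedTuple):
    ts: datetime
    event_id: int
    account: str
    src: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed CSV form into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), int(eid), account, src))
    return events


def classify(events: list[Event]) -> dict[str, dict]:
    """Return a verdict per source IP that shows spray or brute-force behaviour."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        failures = [e for e in evs if e.event_id == 4625]
        if not failures:
            continue
        # Evaluate the WINDOW following the first failure from this source.
        # Production detections slide the window; one anchored window keeps the logic visible.
        start, end = failures[0].ts, failures[0].ts + WINDOW
        per_account: dict[str, int] = defaultdict(int)
        for f in failures:
            if start <= f.ts < end:
                per_account[f.account] += 1
        attempts = sum(per_account.values())

        if len(per_account) >= MIN_ACCOUNTS and max(per_account.values()) <= MAX_PER_ACCOUNT:
            verdict = "password_spray"
        elif len(per_account) == 1 and attempts >= BRUTE_THRESHOLD:
            verdict = "brute_force"
        else:
            continue

        # A success from the same source for an account it just failed against is the escalation signal.
        success = next((e.account for e in evs
                        if e.event_id == 4624 and start <= e.ts < end and e.account in per_account), None)
        findings[src] = {"verdict": verdict, "accounts": len(per_account),
                         "attempts": attempts, "success": success}
    return findings


if __name__ == "__main__":
    for src, f in classify(parse_events(SAMPLE_LOG)).items():
        print(f"{src:15} {f['verdict']:15} accounts={f['accounts']} attempts={f['attempts']} success={f['success']}")
```

Kerberoasting never appears in this data: it produces no failed logons, only 4769 service-ticket requests (typically with RC4 encryption type 0x17), which is why the text above treats it as a separate control problem from spraying and stuffing.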


Decision boundaries

Classifying a threat event into the correct category determines the regulatory reporting path, the appropriate incident response protocol, and the applicable cybersecurity incident reporting requirements.

Nation-state vs. criminal actor: Attribution is the responsibility of federal intelligence agencies. Organizations do not make formal attribution determinations; they report indicators to CISA or the FBI, who apply attribution logic. The distinction matters for critical infrastructure protection standards because CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022) imposes a 72-hour reporting requirement for covered cyber incidents and a 24-hour requirement for ransom payments on covered entities regardless of attribution, with those obligations taking effect under CISA's implementing rule.

Ransomware vs. destructive malware: Ransomware presents a ransom demand; destructive malware (wiper malware) does not. The demand alone is not decisive: NotPetya (2017) displayed a ransom note but offered no working recovery path and is classified as a wiper. Both trigger incident response, but destructive attacks may qualify as acts of cyber warfare under federal analysis, escalating the response chain to include the Department of Defense.

Data breach vs. security incident: Not every security incident constitutes a reportable data breach. A breach requires confirmed unauthorized access to protected data — personal, financial, or health information — triggering notification obligations under state breach notification laws and sector regulations such as HIPAA (45 CFR §164.400–414). An intrusion that is detected and contained before data access does not typically trigger notification requirements, though it may trigger CIRCIA reporting if the entity is a covered critical infrastructure entity.

Threat category classification also determines which regulatory body receives notification: HHS OCR for HIPAA-covered entities; the SEC for public companies, which disclose material incidents on Form 8-K Item 1.05 within four business days of the materiality determination and describe their cybersecurity risk management and governance annually under 17 CFR §229.106; and CISA for critical infrastructure operators.

