The grugq has a useful explainer for the different kinds of threat actors an organization might be mindful of, such as hacktivists, criminals, and state actors, and how and why they tend to operate as they do. With regard to state, and private-public, teams:
There is a tendency to want to rank the Services, but this is not especially fruitful. More interesting is the culture of the Services teams, their nature, their agility, the problems that the team are expected to address, whether they have internal capacity or rely on third parties, and so on. More relevant is trying to understand what they exist to accomplish, how capable they are of doing that, how agile they are in terms of changing their MO and if and how well they can accomplish other goals.
This is an inherent problem with hybrid public/private teams — information sharing. While the private component will probably have superior skills and breadth and depth of operational experience, their lack of big picture understanding will prevent them from surfacing ideas, making connections, or otherwise providing insight to help advance the operation. Generally, having the people actually doing the work involved in suggesting improvements is a good way to improve. Similarly, having the people with wide access to botnet victims know what sort of data will get them paid will produce a greater volume of potentially interesting data.
While I tend to think that his analysis of nation-states is good, it under-emphasizes how certain states either have their farm leagues ‘train’ on civil society or, alternately, team with semi-skilled private operators who operate similarly to criminals. Whether these behaviours are representative of training exercises, of not wasting the good stuff on civil society, of deliberately being evident to instil caution amongst civil society, or of something else, isn’t entirely clear. Regardless, there is arguably a bit more nuance that could be added to round out some of the characteristics of different threat actors.