> There is no other purpose they are serving, no secondary masters or considerations that need to be used to weaken their attacks.
Nowadays their purpose has some sort of monetization component, therefore there is consideration as to which attack vectors seem to be the most likely to lead to the kind of a monetization scheme they are targeting on. For example does a group of attackers ransoming companies prefer the same attacks as phishing individuals? Are these the same companies / groups (I prefer companies at this point, they are organized crime, they are a company and have the same sort of problems in that any small company have in deciding where to put their resources - we don't have a phishing division here, we ransom data, we don't denial of service - nobody is paying us for that, we ransom data and that's it!)
Sure, the final business goal is selling access to the resources gained by the attack, but ultimately the attacking IS aligned with/directly enables that goal. Defense in cyber security is almost always at odds with the goals of defender's business. Or put another way, if there were no Attackers, no one would spend any money on cyber security defense. But if there were no Defenders, someone would still be paying for cyber security attacks.
Nowadays their purpose has some sort of monetization component, therefore there is consideration as to which attack vectors seem to be the most likely to lead to the kind of a monetization scheme they are targeting on. For example does a group of attackers ransoming companies prefer the same attacks as phishing individuals? Are these the same companies / groups (I prefer companies at this point, they are organized crime, they are a company and have the same sort of problems in that any small company have in deciding where to put their resources - we don't have a phishing division here, we ransom data, we don't denial of service - nobody is paying us for that, we ransom data and that's it!)