Cybersecurity Threat Landscape: Actors, Vectors, and Defenses
🔎 Threat Actors & Their Attack Paths
Who is attacking?
Threat Actors are the people or groups launching attacks. Mnemonic: “NO HIS” (Nation-State, Organized Crime, Hacktivists, Insiders, Script Kiddies).
| Actor Type | Motivation | Tactics |
|---|---|---|
| Nation-State (APT Groups) | Espionage, warfare | Advanced, persistent attacks |
| Organized Crime | Financial gain | Ransomware, phishing |
| Hacktivists | Social justice, ideology | Website defacement, data leaks |
| Insiders | Revenge, profit | Data theft, sabotage |
| Script Kiddies | Fun, fame | Low-skill attacks using existing tools |
How do threats reach systems?
Threat Vectors are the attack paths used by threat actors. Mnemonic: “MFWDVN” (Messages, Files, Websites, Devices, Vendors, Networks).
| Attack Path | Example | How It Works |
|---|---|---|
| Message-Based | Phishing, smishing | Trick users into clicking malicious links |
| File-Based | Malware in PDFs/docs | Hidden scripts inside attachments |
| Web-Based | Drive-by downloads | Malicious site infects visitors |
| Removable Media | Infected USB drives | Auto-run malware from a device |
| Supply Chain | Compromised software updates | Attacker embeds malware in legitimate vendor updates |
| Network-Based | MITM, sniffing | Attackers intercept network traffic |
💡 Connections:
- Threat actors use threat vectors to reach vulnerable systems and launch attacks.
- Example: An organized crime group uses a phishing vector to spread ransomware.
⚠ Vulnerabilities & Exploits
A Vulnerability is a weakness in a system that attackers exploit. Mnemonic: “AOHVCZ” (Application, OS, Hardware, Virtualization, Configuration, Zero-Day).
| Vulnerability Type | Examples | Why It’s Dangerous |
|---|---|---|
| Application | SQL Injection, XSS | Exploits flaws in web apps |
| OS | Unpatched software | Allows privilege escalation |
| Hardware | Default passwords | Devices can be hijacked |
| Virtualization/Cloud | VM escape | Breaks out of virtual machines |
| Configuration | Weak firewall rules | Opens attack paths |
| Zero-Day | No patch available yet | Cannot be patched until the flaw is discovered and fixed; only compensating controls reduce exposure |
💡 Connections:
- Vulnerabilities create attack surfaces that threat actors exploit via threat vectors.
- Example: An insider may exploit weak firewall rules to steal company data.
🔍 Recognizing Attacks (Indicators of Compromise)
Mnemonic: “OCHUBS” (Outbound traffic, CPU usage, Hidden processes, Unauthorized changes, Broken security, Strange account behavior).
| IOC (Indicator of Compromise) | What It Suggests |
|---|---|
| Unusual outbound traffic | Data exfiltration, command & control malware |
| High CPU/memory usage | Crypto mining malware |
| Unknown processes/services | Hidden malware persistence |
| Strange account behavior | Compromised credentials |
| Unauthorized file changes | Insider activity, rootkits |
| Disabled security tools | Malware tampering with defenses |
💡 Connections:
- Attack techniques create malicious activity, which triggers IOCs.
- Example: A ransomware attack creates file encryption changes & high CPU usage.
🦠 Malware Types
Mnemonic: “VWTRSKL” (Virus, Worm, Trojan, Ransomware, Spyware, Keylogger, Logic Bomb).
| Malware Type | How It Works | How to Spot It |
|---|---|---|
| Virus | Attaches to files, spreads only when the infected file is opened or shared | Infected file behavior |
| Worm | Spreads automatically via networks | Multiple system infections |
| Trojan Horse | Pretends to be legitimate software | Unexpected program behavior |
| Ransomware | Encrypts files, demands money | Locked/encrypted files |
| Rootkit | Hides deep in the system | Stealthy, disables security tools |
| Spyware | Steals user data | Secret tracking of activity |
| Keylogger | Records keystrokes | Stolen login credentials |
| Logic Bomb | Activates under specific conditions | Delayed attack execution |
💡 Connections:
- Attackers use malware to exploit vulnerabilities.
- Example: A trojan disguised as an email attachment delivers ransomware.
⚡ Common Attack Techniques
Mnemonic: “DDA-PBP” (DDoS, DNS Poisoning, ARP Poisoning, Password Attacks, Buffer Overflow, Race Condition).
| Attack | How It Works | Example |
|---|---|---|
| DDoS | Overloads network with traffic | Botnets flood a website |
| DNS Poisoning | Redirects users to fake sites | Attacker modifies DNS records |
| ARP Poisoning | Hijacks network traffic | MITM attack that forges ARP replies so hosts map the attacker's MAC address to a legitimate IP |
| Password Attacks | Guessing credentials | Brute force, dictionary attacks |
| Buffer Overflow | Overwrites memory | Crashes programs, remote code execution |
| Race Condition (TOCTOU) | Exploits the gap between a check and its use | Swaps a file between the time it is checked and the time it is used |
💡 Connections:
- Attackers use password attacks to gain access, then pivot using MITM techniques.
- Example: An insider uses password spraying, then ARP poisons the network to steal credentials.
🛡️ Mitigation Techniques
Mnemonic: “NAPIES MLC” (Network Segmentation, ACLs, Patch Management, Allowlisting, Isolation/Sandboxing, Encryption, SIEM/Monitoring, Least Privilege, Configuration Management).
| Mitigation | How It Works | Defends Against |
|---|---|---|
| Network Segmentation | Divides networks into zones | Limits malware spread |
| ACLs (Access Control Lists) | Restricts access by IP, port, protocol | Blocks unauthorized traffic |
| Patch Management | Regular OS & app updates | Prevents known exploits |
| Application Allowlisting | Only approved apps can run | Stops unauthorized software execution |
| Isolation & Sandboxing | Runs suspicious files in a controlled space | Prevents malware infections |
| Encryption | Protects data at rest & in transit | Makes stolen or exfiltrated data unreadable without the key |
| SIEM & Monitoring | Logs & detects anomalies | Identifies attacks early |
| Least Privilege Enforcement | Restricts user permissions | Limits the damage from insider threats and compromised accounts |
| Configuration Management | Secures default settings | Eliminates weak setups |
💡 Connections:
- Network segmentation prevents malware spread, while monitoring detects attacks early.
- Example: SIEM detects failed login attempts, then ACLs block unauthorized IPs.
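As an added example (not part of the original notes), the Python script below ties the SIEM-then-ACL example above to the "strange account behavior" indicator and the password-attack row: it parses constructed sshd-style failed-login lines, counts failures per source IP inside a sliding window, distinguishes brute force (many failures against one account) from password spraying (failures spread across many accounts), and emits Cisco-style extended ACL deny entries for the flagged sources. The log format, the thresholds, the sample lines and the year assumed for syslog timestamps are all assumptions made for this example.

```python
"""Added example, not part of the original notes: a tiny SIEM-style detector
that turns failed-login log lines into ACL deny entries."""
import re
from collections import defaultdict
from datetime import datetime

# Thresholds are assumptions for the example; tune them per environment.
WINDOW_SECONDS = 60      # sliding window in which failures are counted
FAIL_THRESHOLD = 5       # failures within the window that trigger a finding
SPRAY_MIN_USERS = 4      # distinct accounts that mark spraying rather than brute force
LOG_YEAR = 2024          # syslog timestamps carry no year; one is assumed

# Matches sshd "Failed password" lines; successful logins are deliberately ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_LOG = """\
Mar 03 10:00:01 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar 03 10:00:03 bastion sshd[1202]: Failed password for root from 203.0.113.7 port 50002 ssh2
Mar 03 10:00:04 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 50003 ssh2
Mar 03 10:00:06 bastion sshd[1204]: Failed password for root from 203.0.113.7 port 50004 ssh2
Mar 03 10:00:07 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 50005 ssh2
Mar 03 10:00:09 bastion sshd[1206]: Failed password for root from 203.0.113.7 port 50006 ssh2
Mar 03 10:05:10 bastion sshd[1301]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 03 10:05:12 bastion sshd[1302]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 03 10:05:14 bastion sshd[1303]: Failed password for invalid user carol from 198.51.100.9 port 40003 ssh2
Mar 03 10:05:16 bastion sshd[1304]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar 03 10:05:18 bastion sshd[1305]: Failed password for invalid user eve from 198.51.100.9 port 40005 ssh2
Mar 03 10:10:00 bastion sshd[1401]: Failed password for alice from 192.0.2.5 port 30001 ssh2
Mar 03 10:10:07 bastion sshd[1402]: Failed password for alice from 192.0.2.5 port 30002 ssh2
Mar 03 10:10:15 bastion sshd[1403]: Accepted password for alice from 192.0.2.5 port 30003 ssh2
"""


def parse_failures(text):
    """Return a list of (timestamp, ip, user) tuples, one per failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not failures
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["ip"], m["user"]))
    return events


def max_failures_in_window(times, window):
    """Largest number of events that fall inside any span of `window` seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1  # drop events that fell out of the window
        best = max(best, end - start + 1)
    return best


def detect(text, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD, spray_users=SPRAY_MIN_USERS):
    """Map each suspicious source IP to a finding describing the pattern seen."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, entries in by_ip.items():
        peak = max_failures_in_window([ts for ts, _ in entries], window)
        if peak < threshold:
            continue  # a couple of typos from one user are not an attack
        users = sorted({user for _, user in entries})
        pattern = "password_spraying" if len(users) >= spray_users else "brute_force"
        findings[ip] = {"pattern": pattern, "failures": len(entries), "users": users}
    return findings


def acl_entries(findings):
    """Cisco-style extended ACL lines that block every flagged source IP."""
    return [f"deny ip host {ip} any" for ip in sorted(findings)]


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for ip, f in result.items():
        print(f"{ip}: {f['pattern']} ({f['failures']} failures, users={f['users']})")
    print("\n".join(acl_entries(result)))
```

Running the script flags 203.0.113.7 as brute force (six failures against root in eight seconds) and 198.51.100.9 as password spraying (five failures across five accounts), while 192.0.2.5 stays unflagged because two failures followed by a success is ordinary user behaviour. Keying the spraying test on distinct accounts rather than raw volume is what lets a detector catch the low-and-slow pattern that per-account lockout thresholds miss.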