The Adversaries: Who Are They? Threat & Attack Landscape

Interactive Cyber Threat & Attack Landscape

The Adversaries: Who Are They?

Cybersecurity threats originate from various actors, each with unique motivations and capabilities. Understanding these threat agents is the first step in building an effective defense.

Hackers / Threat Actors

Individuals or groups targeting systems for various reasons, including financial gain, espionage, or destabilization.

State-Sponsored Actors

Funded and directed by nations to steal intellectual property, sensitive information, and funds for espionage purposes.

Hacktivists

Groups of hackers operating to promote specific social causes or political agendas through cyber means.

Insiders

A significant threat from within. Employees who, either intentionally or not, use their authorized access for malicious purposes.

Adversaries

Actors with conflicting interests, motivated to intercept data, tamper with hardware, or perform social engineering.

External Threats

The broad category for any attacker originating from outside the target organization, entity, or individual.

The Playbook: Common Attack Vectors

Cyberattacks are executed through various methods, or vectors. This section gives a quantitative overview of the attack types mentioned in the source document and then lists the details of each category.

Diversity of Attack Methods

The chart illustrates the number of distinct attack techniques cataloged in the report for each major category. The list below gives the specifics of each vector.

DoS/DDoS: Flooding a network with traffic to make it unavailable.
Man-in-the-Middle: Intercepting communications between two parties.
Spoofing: Impersonating a legitimate entity by faking an IP, domain, or email.
Ransomware: Encrypting data and demanding payment for its release.
Port Scanning: Searching for open network ports to find vulnerabilities.
Reverse Shell: Tricking a target's machine into initiating a connection back to the attacker, bypassing firewalls.
SQL Injection: Injecting malicious SQL code into a website to access its database.
Cross-Site Scripting (XSS): Injecting malicious scripts into a website that then run in visitors' browsers.
Race Condition: Exploiting applications that rely on a specific sequence of events by forcing them out of order.
Mobile Code (Viruses): Software designed to move between computers and alter applications.
Brute Force: Using automated programs to guess passwords by trying all possible combinations.
Keystroke Logging: Tracking a user's keyboard presses to steal credentials and personal info.
Malware: Malicious software (viruses, worms, spyware) that infects a host system.
Rogue Mobile Apps: Malicious apps disguised as legitimate ones to steal information.
Phishing: Using fake emails to trick users into revealing sensitive information.
Spear Phishing: Highly targeted phishing aimed at specific individuals or companies.
Vishing: Phishing conducted over voice calls (VoIP).
Pretexting: Creating a fake scenario or identity to build trust and manipulate a victim.
Catfishing: Creating a fake online persona to lure a victim into a relationship for financial gain.
Theft: Physically stealing hardware, software, or data storage devices.
Tampering: Gaining physical access to modify IT infrastructure.
Piggybacking: Following an authorized person into a restricted area.
Discarded Equipment: Stealing sensitive data from improperly disposed-of hardware.
Embedded Code: Inserting malicious code into software or firmware before it's sold.
Pre-installed Malware: Installing malware on hardware (e.g., USB drives) before it reaches the target.
Watering Hole: Compromising a website that is frequently visited by a target group.
Vendor Attacks: Attacking a key vendor to disrupt the target company's operations.

Anatomy of an Attack

While the methods vary, most cyberattacks follow a predictable pattern of stages. Understanding this lifecycle is key to detecting and disrupting attacks at any point.

1. Reconnaissance

The attacker gathers information about the target, searching for vulnerabilities like open ports, unpatched software, or employee information.

2. Gaining Access

The attacker uses the collected information to breach the system using a chosen attack vector (e.g., phishing, exploiting a vulnerability).

3. Escalation of Privileges

Once inside, the attacker attempts to gain higher levels of access, often by stealing the credentials of an administrator.

4. Maintaining Access

The attacker establishes a persistent presence in the system to prolong access and ensure they can return later.

5. Network Exploitation & Exfiltration

The attacker achieves their objective: stealing or modifying data, disrupting operations, or using the network for other malicious acts.

6. Covering Tracks

The attacker attempts to hide their presence by deleting logs, modifying files, and removing any tools they used.
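Each stage of the lifecycle above leaves its own evidence, so the stages are a useful frame for detection as well as for describing attacks. The following Python is an added example, not code from the original page: it runs over a constructed set of sample events and tags a source with the lifecycle stages its behaviour matches (many distinct ports probed for reconnaissance, a login success after repeated failures for gaining access, a cleared log for covering tracks). The event format, the thresholds and the source address are assumptions.

```python
"""Map constructed security events onto stages of the attack lifecycle."""
from collections import defaultdict

# Constructed sample events (assumption, not real log data):
# (timestamp, source address, event kind, detail)
EVENTS = [
    (100, "10.0.0.5", "conn", "port=22"),
    (101, "10.0.0.5", "conn", "port=80"),
    (102, "10.0.0.5", "conn", "port=443"),
    (103, "10.0.0.5", "conn", "port=3389"),
    (104, "10.0.0.5", "conn", "port=8080"),
    (110, "10.0.0.5", "auth_fail", "user=admin"),
    (111, "10.0.0.5", "auth_fail", "user=admin"),
    (112, "10.0.0.5", "auth_fail", "user=admin"),
    (113, "10.0.0.5", "auth_ok", "user=admin"),
    (120, "10.0.0.5", "log_cleared", "log=Security"),
    (130, "10.0.0.9", "conn", "port=443"),   # benign single connection
]

PORT_SCAN_THRESHOLD = 5     # distinct ports from one source (assumed value)
BRUTE_FORCE_THRESHOLD = 3   # failures before a success is suspicious (assumed)


def classify(events):
    """Return {source: [(stage, evidence), ...]} in time order.

    Stage names follow the six-stage lifecycle described on the page;
    only stages 1, 2 and 6 are detected here."""
    findings = defaultdict(list)
    ports_seen = defaultdict(set)   # source -> distinct ports contacted
    failures = defaultdict(int)     # source -> consecutive auth failures
    for _ts, src, kind, detail in sorted(events):
        if kind == "conn":
            ports_seen[src].add(detail)
            if len(ports_seen[src]) == PORT_SCAN_THRESHOLD:
                findings[src].append(("1 Reconnaissance",
                                      f"{PORT_SCAN_THRESHOLD} distinct ports probed"))
        elif kind == "auth_fail":
            failures[src] += 1
        elif kind == "auth_ok":
            if failures[src] >= BRUTE_FORCE_THRESHOLD:
                findings[src].append(("2 Gaining Access",
                                      f"login after {failures[src]} failures ({detail})"))
            failures[src] = 0
        elif kind == "log_cleared":
            findings[src].append(("6 Covering Tracks", detail))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in classify(EVENTS).items():
        print(src, hits)
```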

The Modern Battlefield: Technology-Specific Risks

As technology evolves, so do the threats. Cloud computing, mobile devices, and the Internet of Things (IoT) introduce unique vulnerabilities that require specific defensive strategies.

Cloud Computing

  • Loss of Control & Visibility: Relinquishing direct control over infrastructure to a third-party provider.
  • Cloud Malware Injection: Attackers injecting malicious code into the shared cloud environment.
  • Compliance Violations: Risk that the cloud provider does not meet regulatory requirements like GDPR or HIPAA.
  • Multi-Cloud Management Issues: Complexity in managing and monitoring multiple cloud environments, making detection difficult.

Mobile Devices

  • Physical Threats: Increased risk of loss or theft compared to stationary devices.
  • Unsecured Wi-Fi: Connecting to public networks exposes the device to anyone on the same network.
  • Application Malware: Downloading malicious apps that appear legitimate.
  • Lack of Encryption: Many devices rely only on a simple passcode, leaving data vulnerable if access is gained.
  • Location Tracking: GPS technology can be used by attackers to track a user's physical location.

Internet of Things (IoT)

  • Expanded Footprint: Every IoT device is another potential point of attack on the network.
  • Device Spoofing: Attackers introducing a fake device onto the network to gain access.
  • Outdated Firmware: IoT devices are often not updated, leaving known vulnerabilities unpatched.
  • Escalated Attacks: Compromised IoT devices can be used as a base to launch larger attacks (e.g., DDoS).

Proactive Defense: Threat Modeling

Threat modeling is a structured process for identifying, analyzing, and mitigating potential threats. It forces an organization to think like an attacker to find and fix weaknesses before they can be exploited.

Common Methodologies

Several frameworks guide the threat modeling process. The most common ones include:

STRIDE

Developed by Microsoft, STRIDE focuses on six categories of application threat: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

PASTA

Process for Attack Simulation and Threat Analysis. A seven-stage, risk-centric methodology that prioritizes countermeasures based on business impact.

VAST

Visual, Agile, and Simple Threat. Integrates threat management into the software development lifecycle on a scalable basis.
