You can't defend against threats you don't understand. This lesson surveys the cast of attackers, the most common attack types, and the frameworks security teams use to reason about them.
Who Attacks?
| Actor | Motivation | Capability |
|---|---|---|
| Script kiddies | Curiosity, bragging rights | Low — uses pre-made tools |
| Hacktivists | Political / ideological | Variable; group-coordinated (e.g., Anonymous) |
| Cybercriminals | Money — ransomware, fraud, theft | High; well-funded, organised, often as-a-service |
| Insider threats | Revenge, money, espionage, negligence | Already have legitimate access — hardest to detect |
| Advanced Persistent Threats (APTs) | Espionage, sabotage | Very high; nation-state backed; long dwell times |
| Competitors | Industrial espionage | Often via insiders or contracted actors |
Match your defences to your threat model. A small SaaS protecting against opportunistic ransomware faces a different problem than a defence contractor facing nation-state intrusion.
Common Attack Types
Malware
Software written to harm systems. Categories: virus (attaches to files), worm (self-propagating), trojan (disguised as a legitimate program), ransomware (encrypts data, demands payment), spyware, rootkit (hides itself in the OS), botnet client.
Phishing and Social Engineering
Manipulating people into giving up credentials or running malware. Variants: spear phishing (targeted), whaling (executives), smishing (SMS), vishing (voice), BEC (business email compromise — often the costliest of all). Despite all the technical defences, social engineering remains the #1 attack vector.
Network Attacks
DDoS (Distributed Denial of Service) overwhelms a target with traffic. Man-in-the-middle (MITM) intercepts traffic between parties. DNS spoofing redirects users to malicious sites. ARP poisoning impersonates a host on a LAN.
Web and Application Attacks
SQL injection, cross-site scripting (XSS), CSRF, broken access control. Covered in depth in the application security lesson.
Credential Attacks
Brute force (try every password), dictionary (try common ones), credential stuffing (reuse leaked credentials from another breach), password spraying (one common password across many accounts to evade lockouts).
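The difference between these patterns shows up in failed-login logs, as in this added example (not part of the original lesson), which labels each source address by how its failures are distributed across accounts. The events, IP addresses (documentation ranges), usernames, window and both thresholds are constructed assumptions; credential stuffing is left out because it cannot be told apart from spraying without password data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5             # assumed lockout policy: failures allowed per account
SPRAY_MIN_ACCOUNTS = 8            # assumed: distinct accounts hit by one source
WINDOW = timedelta(minutes=30)    # assumed look-back window


def sample_events():
    """Constructed failed logins as (ISO timestamp, source IP, username)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    for i in range(40):   # one source hammering one account
        events.append(((base + timedelta(seconds=10 * i)).isoformat(), "198.51.100.7", "alice"))
    for i in range(12):   # one source, one try per account, spread out in time
        events.append(((base + timedelta(minutes=2 * i)).isoformat(), "203.0.113.9", f"user{i:02d}"))
    for m in (5, 6):      # an ordinary user mistyping a password twice
        events.append(((base + timedelta(minutes=m)).isoformat(), "192.0.2.15", "bob"))
    return events


def classify_sources(events, window=WINDOW):
    """Label each source IP by its failed-login pattern inside the window."""
    parsed = [(datetime.fromisoformat(ts), ip, user) for ts, ip, user in events]
    if not parsed:
        return {}
    cutoff = max(t for t, _, _ in parsed) - window
    per_source = defaultdict(lambda: defaultdict(int))
    for t, ip, user in parsed:
        if t >= cutoff:
            per_source[ip][user] += 1

    verdicts = {}
    for ip, accounts in per_source.items():
        if max(accounts.values()) > LOCKOUT_THRESHOLD:
            # Many guesses at one account: a per-account lockout counter sees this.
            verdicts[ip] = "brute_force_or_dictionary"
        elif len(accounts) >= SPRAY_MIN_ACCOUNTS:
            # Every account stays under the lockout limit; only the count of
            # distinct accounts per source reveals the pattern.
            verdicts[ip] = "password_spraying"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(sample_events()).items()):
        print(ip, verdict)
```

The spraying source never exceeds one failure per account, so a lockout counter alone would stay silent; the alert has to be keyed on the source, not the account.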
Supply-Chain Attacks
Compromise a vendor or open-source dependency that thousands of organisations trust, then ride that trust into all of them. Examples: SolarWinds (2020), the xz-utils backdoor (2024), malicious npm packages.
Zero-Day Exploits
Attacks against vulnerabilities the vendor doesn't yet know about. Most defences (patching, signature-based AV) don't help — defence in depth and behavioural detection do.
The Cyber Kill Chain
Lockheed Martin's seven-stage model of an intrusion. Defenders aim to disrupt the attacker at any stage:
- Reconnaissance — research the target (social media, DNS, scanning)
- Weaponization — build the payload (malware-laden document)
- Delivery — send it (phishing email, USB drop, watering-hole site)
- Exploitation — trigger the vulnerability or social engineering
- Installation — establish persistence (backdoor, scheduled task)
- Command and Control (C2) — beacon to attacker infrastructure
- Actions on Objectives — exfiltrate data, deploy ransomware, pivot
Detecting a single stage is often enough to break the chain. A blocked phishing email stops everything that would have followed.
MITRE ATT&CK
The MITRE ATT&CK framework is a curated, continuously updated catalogue of real-world adversary tactics and techniques observed in actual intrusions. It is structured as a matrix:
- Tactics (the columns) — the attacker's objective at each stage: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
- Techniques (the cells) — specific ways to achieve each tactic, with sub-techniques and detection guidance.
SOC analysts use ATT&CK to:
- Map detection coverage — which techniques can we see, and which can't we?
- Run tabletop exercises and red-team simulations
- Communicate clearly across teams ("the attacker used T1078 — Valid Accounts")
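A coverage map of the kind described in the first bullet, as an added example (not part of the original lesson): detection rules are tagged with technique IDs and the gaps are reported per tactic. The technique table is a small constructed subset of ATT&CK, and the rule names are hypothetical.

```python
# Constructed subset of ATT&CK: technique ID -> (name, tactics it appears under).
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence",
                                     "Privilege Escalation"]),
    "T1110": ("Brute Force", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Hypothetical detection rules, each tagged with the techniques it can observe.
DETECTION_RULES = {
    "mail-gateway-malicious-attachment": {"T1566"},
    "auth-many-failures-one-account": {"T1110"},
    "edr-encoded-script-command": {"T1059"},
    "edr-mass-file-rename": {"T1486"},
}


def coverage_by_tactic(techniques, rules):
    """Return {tactic: {"covered": [ids], "blind": [ids]}} for techniques in scope."""
    covered = set().union(*rules.values()) if rules else set()
    report = {}
    for tid, (_name, tactics) in techniques.items():
        for tactic in tactics:   # a technique counts under every tactic it serves
            entry = report.setdefault(tactic, {"covered": [], "blind": []})
            entry["covered" if tid in covered else "blind"].append(tid)
    return report


def blind_tactics(report):
    """Tactics in which no in-scope technique has any detection at all."""
    return sorted(t for t, e in report.items() if not e["covered"])


if __name__ == "__main__":
    report = coverage_by_tactic(TECHNIQUES, DETECTION_RULES)
    for tactic, entry in report.items():
        total = len(entry["covered"]) + len(entry["blind"])
        print(f"{tactic}: {len(entry['covered'])}/{total} covered, blind: {entry['blind']}")
    print("No visibility:", blind_tactics(report))
```

Because T1078 sits under four tactics, the single missing detection for it shows up as a gap in each of them.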
Threat Modeling
Threat modeling brings attacker thinking into design reviews. The most common framework is STRIDE:
| Threat | Description (counter) |
|---|---|
| Spoofing | Pretending to be someone else (counter: authentication) |
| Tampering | Modifying data (counter: integrity controls, signing) |
| Repudiation | Denying an action (counter: logging, signed audit trails) |
| Information disclosure | Leaking data (counter: encryption, access control) |
| Denial of service | Stopping legitimate use (counter: rate limiting, redundancy) |
| Elevation of privilege | Gaining unauthorised rights (counter: least privilege, validation) |
For each component in your design, ask which STRIDE categories apply, and what control mitigates each. Other frameworks include PASTA, OCTAVE, and the lightweight 4-question framework (What are we building? What can go wrong? What are we doing about it? Did we do a good job?).