Attack Vectors

How Attacks Actually Happen

Hollywood shows hackers furiously typing green code into a terminal. Reality is less glamorous. Most breaches start with one of a few common attack vectors:

Phishing — Tricking a human into clicking a link, opening an attachment, or entering credentials on a fake site. This is still the number one initial access method. Spear phishing targets a specific person with customized bait.

Malware — Software designed to damage or gain unauthorized access: ransomware encrypts your files and demands payment, trojans disguise themselves as legitimate software, and worms spread automatically across networks.

Supply Chain Attacks — Compromising a trusted vendor or software dependency. The SolarWinds attack in 2020 injected malicious code into a routine software update that was distributed to 18,000 organizations, including US government agencies.

Credential Attacks — Brute forcing passwords, credential stuffing (using leaked passwords from other breaches), or exploiting default credentials that were never changed.

Zero-Day Exploits — Attacking a vulnerability that the software vendor does not yet know about. These are rare but devastating because there is no patch available.

Threat Actors and MITRE

Who Is Behind the Attacks?

Not all attackers are the same. Security professionals categorize them by motivation and capability:

Script Kiddies — Low-skill attackers using pre-built tools. They cause real damage but are not sophisticated.

Hacktivists — Politically or socially motivated. They deface websites, leak data, or launch denial-of-service attacks to make a point.

Cybercriminals — Profit-driven. Ransomware gangs, fraud rings, and data brokers. This is organized crime adapted for the internet.

Nation-State Actors (APTs) — Advanced Persistent Threats backed by governments. They have large budgets, custom tools, and patience measured in years. Think espionage, infrastructure sabotage, and intellectual property theft.

Insiders — Employees or contractors with legitimate access who misuse it, either maliciously or through negligence.

MITRE ATT&CK Framework

MITRE ATT&CK is a publicly available knowledge base that catalogs real-world attacker techniques organized by phases: initial access, execution, persistence, privilege escalation, lateral movement, exfiltration, and more. Defenders use it to understand what attackers do at each stage and build detections accordingly.

Firewalls, VPNs, and IDS/IPS

Network Defense Layers

Network security is about controlling what traffic enters, leaves, and moves within your network. No single device does this alone — defense in depth means layering multiple controls.

Firewalls — The first line of defense. A firewall examines network traffic and allows or blocks it based on rules. A basic firewall filters by IP address and port number. A next-generation firewall (NGFW) inspects the actual content of the traffic and can identify specific applications.

VPNs (Virtual Private Networks) — Encrypt traffic between two points, creating a secure tunnel over an untrusted network like the public internet. Remote workers use VPNs to access internal company resources as if they were on-site.

IDS/IPS (Intrusion Detection/Prevention Systems) — An IDS monitors traffic and alerts when it sees something suspicious. An IPS does the same but can automatically block the traffic. Think of IDS as a security camera and IPS as a security camera with a guard who can lock the door.

Network Segmentation — Dividing a network into isolated zones so that a breach in one area cannot easily spread to others. A compromised workstation in the marketing department should not be able to reach the database servers in the finance department.

Zero Trust and DNS Security

Zero Trust Architecture

Traditional network security followed the castle-and-moat model: strong perimeter defenses, but once you are inside, you are trusted. This fails catastrophically when an attacker gets past the perimeter — or when the perimeter disappears because everyone works from home.

Zero Trust flips the model: never trust, always verify. Every request — whether it comes from inside or outside the network — must be authenticated, authorized, and encrypted. Key principles:

- Verify explicitly — Authenticate and authorize based on all available data: identity, location, device health, service or workload, data classification.

- Least privilege access — Give users and systems only the minimum permissions they need, for only as long as they need them.

- Assume breach — Design systems as if an attacker is already inside. Minimize the blast radius of any compromise.

DNS Security

DNS translates domain names to IP addresses. Attackers exploit this in several ways: DNS spoofing redirects users to malicious sites, DNS tunneling hides data exfiltration inside DNS queries, and domain hijacking takes over a legitimate domain. DNSSEC adds cryptographic signatures to DNS responses to prevent tampering.

Injection Attacks

When Applications Become the Attack Surface

Network defenses can be perfect, but if the application itself has vulnerabilities, attackers walk right through the front door.

SQL Injection — The attacker inserts malicious SQL code into an input field. If the application builds database queries by concatenating user input, the attacker can read, modify, or delete the entire database. Example: entering `' OR 1=1 --` into a login form might bypass authentication entirely.

Cross-Site Scripting (XSS) — The attacker injects malicious JavaScript into a web page that other users will view. When a victim loads the page, the script runs in their browser and can steal session cookies, redirect them to phishing sites, or modify what they see on the page.

The OWASP Top 10 — The Open Web Application Security Project publishes a regularly updated list of the most critical web application security risks. Injection and XSS have been on the list for over a decade. Other entries include broken access control, security misconfiguration, and insecure design.

The fix for injection attacks is not input filtering alone — it is parameterized queries (also called prepared statements). Instead of building SQL strings with user input, you pass the input as a separate parameter that the database treats as data, never as code.

Authentication and Secure Development

Authentication Done Right

Authentication is proving you are who you claim to be. Authorization is determining what you are allowed to do. Confusing the two is a common source of vulnerabilities.

Multi-Factor Authentication (MFA) — Requires two or more factors: something you know (password), something you have (phone or hardware key), something you are (fingerprint). MFA blocks the vast majority of credential-based attacks because a stolen password alone is not enough.

OAuth 2.0 and OpenID Connect — Standards for delegated authorization and authentication. When you click 'Sign in with Google,' OAuth lets the application verify your identity through Google without ever seeing your Google password.

Secure Software Development Lifecycle (SDLC)

Security cannot be bolted on after development. The secure SDLC integrates security at every phase:

- Design — Threat modeling: what could go wrong?

- Development — Secure coding standards, code review, static analysis tools

- Testing — Dynamic analysis, penetration testing, fuzz testing

- Deployment — Hardened configurations, secrets management

- Maintenance — Patching, vulnerability scanning, dependency updates

The Incident Response Lifecycle

When Prevention Fails

No defense is perfect. When a breach happens, the difference between a minor incident and a catastrophe is how quickly and effectively you respond.

The standard incident response lifecycle has six phases:

1. Preparation — Build the team, define roles, create playbooks, run tabletop exercises. This happens before any incident. An unprepared team wastes critical hours figuring out who does what.

2. Detection and Analysis — Identify that an incident is happening and determine its scope. This is where SIEM (Security Information and Event Management) systems aggregate logs from across the environment and alert on suspicious patterns. SOC (Security Operations Center) analysts triage these alerts 24/7.

3. Containment — Stop the bleeding. Short-term containment might mean isolating an infected machine from the network. Long-term containment might mean building a clean parallel environment while you investigate.

4. Eradication — Remove the attacker's presence entirely: malware, backdoors, compromised accounts, and persistence mechanisms.

5. Recovery — Restore systems to normal operation. Validate that the environment is clean. Monitor closely for signs the attacker is still present.

6. Lessons Learned — The most neglected phase. Conduct a blameless post-mortem: what happened, how was it detected, what worked, what did not, and what changes will prevent a recurrence.

Incident Response Scenario

Scenario: Ransomware at 2 AM

You are the on-call security analyst. At 2:14 AM, your SIEM fires an alert: multiple file servers are showing unusual encryption activity. Within minutes, employees in the European office report that their files have been replaced with ransom notes demanding 50 Bitcoin.

Your incident response plan says to escalate to the IR team lead and follow the ransomware playbook. The CEO is calling. Legal wants to know about notification obligations. The IT director wants to know if backups are clean.

Lessons Learned

The Phase Everyone Skips

After the immediate crisis is resolved, the lessons-learned phase determines whether the organization actually improves. A blameless post-mortem asks:

- What was the initial access vector?

- How long was the attacker in the environment before detection (dwell time)?

- What controls failed, and why?

- What controls worked?

- What specific, measurable changes will prevent recurrence?

The word blameless matters. If people fear punishment, they hide mistakes. If they hide mistakes, the organization never learns. The goal is to fix systems, not punish individuals.

Average dwell time for ransomware attacks has dropped in recent years, but for other attack types, attackers often remain undetected for weeks or months. Detection speed is one of the most important metrics in security operations.

Career Paths in Cybersecurity

Where This Knowledge Goes

Cybersecurity has a massive talent shortage — hundreds of thousands of unfilled positions globally. The field offers multiple career paths with different personalities and skill sets:

SOC Analyst — The front line. SOC analysts work in shifts monitoring alerts, triaging incidents, and escalating threats. It is the most common entry point into cybersecurity. Expect shift work and a lot of alert fatigue, but it builds deep practical knowledge fast.

Penetration Tester (Pentester) — You get paid to break into organizations with their permission. You find vulnerabilities before the attackers do. Requires deep technical skills in networking, web applications, and operating systems. Creative problem-solving is essential.

Security Engineer — Designs and builds the defensive infrastructure: firewalls, SIEM systems, identity platforms, encryption systems. This is the builder role. Strong overlap with DevOps and cloud engineering.

Digital Forensics and Incident Response (DFIR) — The investigators. When a breach happens, DFIR professionals reconstruct what happened, how, and when. Requires meticulous attention to detail and comfort with legal processes and evidence handling.

Certifications

Certifications are not required, but they open doors:

- CompTIA Security+ — Industry-standard entry-level certification. Covers foundational security concepts. A good starting point.

- OSCP (Offensive Security Certified Professional) — Hands-on penetration testing certification. You have 24 hours to break into multiple machines in a lab. Highly respected and genuinely difficult.

- CISSP (Certified Information Systems Security Professional) — Management-level certification covering security strategy, risk management, and governance. Requires five years of experience. Widely required for senior and leadership roles.

Your Security Mindset

Wrapping Up

You have covered a lot of ground: the CIA triad, threat actors and attack vectors, network defense and zero trust, application security and injection attacks, incident response from detection to lessons learned, and career paths that put all of this to work.

The core principle of defense in depth is that no single control is sufficient. You layer firewalls with segmentation, segmentation with monitoring, monitoring with incident response, and all of it with trained people who know what to do when something fails.

The attackers only need to find one gap. Defenders need to cover them all. That asymmetry is what makes this field both challenging and important.