SPLK-5001 Threat and Attack Types, Motivations, and Tactics

Threat and Attack Types, Motivations, and Tactics Detailed Explanation

1. Threat and Attack Types

This section explains different kinds of attacks and threats that cybersecurity professionals face.

Each attack type represents a different method that attackers use to harm systems, steal information, or disrupt services.

Phishing

Phishing is a type of attack where the attacker sends fake emails, messages, or communications that look legitimate.

The goal is to trick users into:

  • Clicking on malicious links

  • Downloading malware

  • Giving away sensitive information such as usernames, passwords, or bank details

Example:
You receive an email that looks like it is from your bank. It asks you to click a link and "verify your account." However, the link leads to a fake website that steals your login information.

Phishing is very common because it relies on human mistakes rather than technical flaws.

Malware

Malware stands for "malicious software." It refers to any software that is designed to harm a computer, server, client, or network.

Common types of malware include:

  • Viruses: Attach themselves to clean files and infect other files.

  • Worms: Spread automatically without needing a host program.

  • Trojans: Disguise themselves as legitimate software but perform malicious actions.

  • Ransomware: Encrypts data and demands payment for decryption.

Malware can:

  • Steal sensitive information

  • Destroy data

  • Spy on users

  • Control infected computers

Ransomware

Ransomware is a specific type of malware.

It works by:

  • Encrypting the victim’s files or locking the computer system

  • Demanding a ransom (payment) in exchange for the decryption key

Victims are usually told to pay in cryptocurrencies like Bitcoin to remain anonymous.

Example:
You open an attachment in an email, and suddenly all your files are locked. A message appears demanding $1,000 to unlock your data.

Even if payment is made, there is no guarantee that access will be restored.

DDoS (Distributed Denial of Service)

A DDoS attack tries to make an online service unavailable by overwhelming it with massive amounts of traffic.

Attackers use multiple systems (often infected devices called a "botnet") to flood the target.

Effects of DDoS:

  • Slowdown of website services

  • Complete unavailability of websites, applications, or servers

  • Potential loss of revenue and reputation

Example:
An online store is attacked during Black Friday, making it impossible for customers to shop.

DDoS attacks do not usually steal data, but they cause disruption.

Zero-Day Exploits

A zero-day exploit happens when an attacker uses a software vulnerability before the vendor knows about it or before a patch is available.

"Zero-day" means that the developers have had zero days to fix the issue.

Zero-day attacks are very dangerous because:

  • There are no defenses yet

  • They can be used to gain secret access to systems

  • Detection is difficult

Example:
A hacker finds a flaw in a popular web browser and uses it to take control of users' computers before the company releases an update.

Insider Threats

Insider threats come from people within the organization.

This can include:

  • Employees

  • Contractors

  • Business partners

Types of insider threats:

  • Malicious insiders: People who intentionally cause harm.

  • Negligent insiders: People who accidentally cause harm by being careless.

Example:
A former employee, angry at being fired, deletes important files.
Or an employee accidentally clicks on a phishing link, allowing malware into the network.

Insiders are dangerous because they already have some level of access and trust.

Credential Theft

Credential theft involves stealing usernames and passwords.

Attackers use stolen credentials to:

  • Log in as legitimate users

  • Access sensitive systems

  • Move through networks unnoticed

Credential theft can happen through:

  • Phishing

  • Malware (keyloggers)

  • Exploiting weak password practices

  • Breaching poorly protected databases

Example:
An attacker steals a manager's login credentials and uses them to access confidential company data.

2. Motivations of Threat Actors

Understanding why attackers do what they do is very important.
Knowing their motivations helps defenders predict what kind of attacks may happen and how to better protect systems.

Threat actors are not all the same. Their goals and motivations can be very different.

Here are the major motivations:

Financial Gain

Many attackers are motivated by money.
They want to profit by stealing, scamming, or extorting their victims.

Common activities include:

  • Stealing credit card information

  • Deploying ransomware and demanding payment

  • Committing fraud (such as fake transactions)

  • Selling stolen data (such as personal information, login credentials) on the black market

Example:
A cybercriminal group hacks into an online store, steals customer credit card numbers, and sells them for profit.

Summary:
Financially motivated attackers usually focus on attacks that bring fast money.

Espionage

Espionage means spying to gather secret information.

In cybersecurity, espionage is usually carried out by:

  • Nation-states (governments)

  • State-sponsored groups

Their goals are often:

  • Stealing classified government data

  • Stealing corporate trade secrets (industrial espionage)

  • Gaining political or military advantage

Example:
A government group hacks into an aerospace company's network to steal plans for a new fighter jet.

Summary:
Espionage attacks are usually targeted, secretive, and highly sophisticated.

Political Agenda

Some attackers are motivated by political beliefs or causes.

This includes:

  • Hacktivists: Activists who use hacking to promote a social or political cause.

  • Nation-states: Governments that want to influence another country’s politics or public opinion.

Common activities:

  • Defacing websites (changing website content to display a political message)

  • DDoS attacks against government or corporate websites

  • Leaking sensitive information to embarrass organizations or governments

Example:
A hacktivist group takes down a government website to protest new surveillance laws.

Summary:
Political attacks focus more on making a statement than making money.

Reputation Damage

Some attacks are designed to hurt the reputation of a person, company, or government.

Attackers may:

  • Leak embarrassing or confidential information

  • Spread false information (disinformation campaigns)

  • Sabotage operations to cause public relations disasters

Example:
An attacker releases internal company emails that show unethical behavior, damaging the company's public image.

Summary:
Reputation-motivated attacks aim to destroy trust and credibility.

Personal Vendettas

Sometimes attacks are motivated by personal reasons.

This often involves:

  • Disgruntled employees

  • Former contractors

  • Personal enemies

Actions they might take:

  • Deleting important files

  • Leaking confidential information

  • Planting malware inside the company network

Example:
A fired IT employee, angry about losing his job, uses his still-active credentials to sabotage company systems.

Summary:
Personal vendetta attacks are emotionally driven and often target specific individuals or organizations.

3. Attack Tactics

Attack tactics are the general strategies or goals that attackers pursue when carrying out an attack.
Each tactic describes what the attacker is trying to achieve at a certain stage, not the exact method.

Understanding these tactics helps defenders recognize attack patterns and stop threats faster.

Here are the major tactics:

Initial Access

Initial access is about getting the first entry point into a target network, system, or application.

Common methods for initial access:

  • Phishing emails with malicious links or attachments

  • Exploiting software vulnerabilities (unpatched systems)

  • Brute-forcing weak passwords

  • Using stolen credentials

  • Gaining access through infected USB devices

Example:
An attacker sends a phishing email that tricks an employee into entering their username and password on a fake login page.

Summary:
Initial access is the first door that attackers need to open.

Persistence

Persistence refers to the attacker's effort to maintain long-term access to a system, even if it is rebooted or if the user logs out.

Why attackers want persistence:

  • So they can come back anytime without having to hack again

  • To stay hidden for longer periods

Methods attackers use:

  • Installing backdoors

  • Creating new user accounts with administrator rights

  • Modifying system settings to allow remote access

  • Using scheduled tasks or startup scripts

Example:
A hacker installs a small program that automatically reconnects to their control server every time the computer starts.

Summary:
Persistence ensures that attackers can continue operating over time without needing new attacks.

Privilege Escalation

Privilege escalation means gaining higher-level permissions within a system.

Attackers often start with limited access (like a regular user) and try to become administrators or root users.

Why privilege escalation is important:

  • Higher privileges give access to sensitive files and system settings

  • It allows attackers to disable security tools or create new backdoors

Common methods:

  • Exploiting vulnerabilities in operating systems

  • Using stolen administrator credentials

  • Misusing software with weak security settings

Example:
A hacker who first enters as a low-level employee finds a flaw in the system and upgrades their access to a domain administrator.

Summary:
Privilege escalation gives attackers the power to do more serious damage.

Defense Evasion

Defense evasion means avoiding being detected by security tools such as antivirus software, firewalls, or intrusion detection systems.

Techniques attackers use:

  • Encrypting or obfuscating malware so it cannot be easily recognized

  • Deleting or altering logs to erase evidence

  • Disabling security software

  • Using legitimate tools (so-called "living off the land" techniques)

Example:
An attacker encrypts a piece of malware so antivirus programs cannot recognize it.

Summary:
Defense evasion helps attackers stay hidden for longer, increasing the chance of success.

Credential Access

Credential access refers to stealing usernames, passwords, or other authentication information.

Once attackers have valid credentials, they can:

  • Log into systems without raising alarms

  • Access sensitive data

  • Move around within the organization unnoticed

How attackers steal credentials:

  • Phishing

  • Keyloggers (malware that records keystrokes)

  • Dumping password hashes from memory

  • Capturing credentials over the network

Example:
An attacker uses a keylogger to capture a CEO's login information and accesses confidential business plans.

Summary:
Credential theft is a powerful tool that allows attackers to blend in with legitimate users.

Lateral Movement

Lateral movement is the process of moving through a network after gaining initial access, to find valuable data or systems.

Why attackers move laterally:

  • To explore the network and find high-value targets

  • To avoid being stuck if their first compromised machine is isolated

Common methods:

  • Using stolen credentials

  • Exploiting trust relationships between systems

  • Remote execution tools (like PowerShell or PsExec)

Example:
An attacker who compromises a receptionist’s computer uses it to access the HR department's servers and then the finance department’s servers.

Summary:
Lateral movement helps attackers find and reach their real objectives.

Collection and Exfiltration

Collection refers to gathering data that attackers want to steal.

Exfiltration means sending that stolen data out of the victim's network to a location controlled by the attacker.

What attackers may collect:

  • Personally identifiable information (PII)

  • Financial data

  • Intellectual property

  • Credentials

How data is exfiltrated:

  • Encrypted channels to external servers

  • Uploading to cloud services

  • Hiding data inside normal-looking traffic

Example:
An attacker collects thousands of customer records and uploads them secretly to a server located in another country.

Summary:
Collection and exfiltration are the main ways attackers steal valuable information.

Command and Control (C2)

Command and Control (often abbreviated C2) is the method attackers use to maintain communication with the compromised systems.

Why attackers need C2:

  • To send commands to infected machines

  • To receive stolen data

  • To update malware

Common C2 techniques:

  • Using standard network protocols (HTTP, HTTPS, DNS) to avoid detection

  • Setting up hidden servers

  • Using social media or cloud services for communication

Example:
A hacker-controlled server sends new instructions to malware inside an organization, telling it to collect screenshots every five minutes.

Summary:
C2 gives attackers remote control over the compromised machines and enables continuous operations.

Threat and Attack Types, Motivations, and Tactics (Additional Content)

1. Supply Chain Attacks (Threat Types)

A Supply Chain Attack occurs when attackers compromise an organization by first targeting its vendors, suppliers, or third-party service providers.

Instead of attacking the organization directly, the adversary infiltrates trusted external partners who have legitimate access or influence over the organization’s systems or software.

Key Characteristics:

  • Exploits trust relationships between an organization and its partners.

  • May involve tampering with software updates, hardware components, or service providers.

  • Typically difficult to detect because the malicious activity appears to come from trusted sources.

Famous Example:

  • The SolarWinds Attack: Attackers compromised a software provider's update mechanism, allowing them to inject malware into legitimate updates, which were then distributed to thousands of organizations, including major government and corporate networks.

Summary:
Supply Chain Attacks target an organization indirectly by exploiting trusted external relationships, often resulting in widespread and stealthy compromises.

2. Ideological Motivations (Threat Actor Motivations)

Beyond financial gain, espionage, political agendas, reputation damage, and personal vendettas, some threat actors are motivated by ideology.

Ideological motivations involve attackers acting based on deeply held religious, ethical, philosophical, or extremist beliefs.

Key Characteristics:

  • Attackers are often driven by a desire to promote, defend, or impose their ideology.

  • They may target organizations, governments, or groups that they perceive as enemies or opponents of their beliefs.

  • Their goal is typically to cause disruption, spread propaganda, or intimidate rather than to gain monetary or political power.

Examples:

  • Cyberattacks by extremist groups against governments or corporations they oppose.

  • Hacktivist operations motivated by perceived ethical causes or religious conflicts.

Summary:
Ideological motivations differ from pure political motivations by being rooted in deeply personal or collective belief systems, often leading to unpredictable and highly determined attacks.

3. Beaconing in Command and Control (C2) Tactics

In the Command and Control (C2) phase of an attack, Beaconing is a common technique used to maintain communication between a compromised machine and the attacker’s server.

Key Characteristics:

  • A compromised machine periodically sends small packets of data, known as beacons, to a C2 server.

  • These beacons often contain minimal information, such as a simple "heartbeat" signal indicating that the machine is still under the attacker's control and ready to receive further instructions.

  • Beaconing traffic is often designed to blend into normal network activity, making it difficult to detect without sophisticated monitoring or anomaly detection.

Techniques Used:

  • Beacons may be sent over common protocols like HTTP, HTTPS, or DNS to evade detection.

  • The timing and frequency of beaconing can be randomized to avoid establishing obvious patterns.

Importance in Threat Detection:

  • Detecting beaconing behavior is a critical aspect of advanced network threat detection and threat hunting.

  • Continuous low-volume outbound traffic to unusual external IP addresses can be an indicator of active C2 beaconing.

Summary:
Beaconing is a stealthy method by which compromised hosts silently communicate with C2 servers, ensuring that attackers can issue commands while minimizing the risk of detection.

Frequently Asked Questions

What distinguishes a threat actor from an Advanced Persistent Threat (APT)?

Answer:

A threat actor is any entity responsible for a cyberattack, while an APT refers to a sophisticated, long-term intrusion campaign usually conducted by highly skilled groups.

Explanation:

A threat actor is a broad category that includes individuals, criminal groups, insiders, and nation-state teams conducting malicious activity. An APT is a subset of threat actors characterized by persistence, advanced capabilities, and strategic objectives. APT campaigns often involve multiple attack stages such as initial compromise, privilege escalation, lateral movement, and long-term data collection. In SIEM investigations, identifying APT patterns involves correlating multiple events over time rather than analyzing isolated alerts.

Demand Score: 83

Exam Relevance Score: 84

What is command-and-control (C2) traffic and why is it important for detection?

Answer:

Command-and-control traffic is communication between compromised systems and attacker-controlled infrastructure used to issue instructions or extract data.

Explanation:

After gaining initial access, attackers often establish persistent communication channels to control infected machines. These channels allow them to download malware modules, exfiltrate sensitive data, or coordinate further actions such as lateral movement. In SIEM environments like Splunk, analysts detect C2 traffic by identifying unusual outbound connections, beaconing patterns, or connections to known malicious domains and IP addresses. Recognizing these patterns is critical because it often reveals compromised hosts even when the original intrusion vector is unknown.

Demand Score: 80

Exam Relevance Score: 83
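The beaconing characteristics described under "Beaconing in Command and Control (C2) Tactics" above and in this C2 answer can be turned into a simple interval-regularity check over proxy or firewall logs: a source/destination pair that keeps a near-constant gap and payload size across many connections behaves like a heartbeat, even when modest jitter is added. This is an added Python example, not part of the study guide or of Splunk; the log lines are constructed, and the thresholds (min_events, max_cv_gap, max_cv_bytes) are assumed starting points to tune per environment.

```python
"""Beacon-interval analysis over constructed outbound connection log lines.

Groups connections by (source host, destination), measures the gaps between
consecutive connections and the payload sizes, and flags pairs whose spread
is small (regular, even with jitter) and whose count is large enough to matter.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic): timestamp src dest bytes.
# The first pair fires roughly every minute with a near-constant size
# (beacon-like); the second is irregular browsing to a CDN.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-17 203.0.113.9 412
2024-05-01T09:00:58 ws-17 203.0.113.9 408
2024-05-01T09:02:01 ws-17 203.0.113.9 415
2024-05-01T09:03:00 ws-17 203.0.113.9 410
2024-05-01T09:04:02 ws-17 203.0.113.9 409
2024-05-01T09:04:59 ws-17 203.0.113.9 413
2024-05-01T09:00:10 ws-17 cdn.example.net 15320
2024-05-01T09:07:44 ws-17 cdn.example.net 88210
2024-05-01T09:31:02 ws-17 cdn.example.net 2240
2024-05-01T09:35:19 ws-17 cdn.example.net 51003
2024-05-01T09:51:40 ws-17 cdn.example.net 9981
2024-05-01T09:53:01 ws-17 cdn.example.net 7120
"""

def parse_log(text):
    """Return {(src, dest): [(timestamp, bytes), ...]} parsed from the log text."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dest, nbytes = line.split()
        conns[(src, dest)].append((datetime.fromisoformat(ts), int(nbytes)))
    return conns

def beacon_score(events):
    """Return (mean_gap_seconds, cv_gap, cv_bytes) for one src/dest pair.

    cv is the coefficient of variation (stdev / mean). A low cv means the
    interval (or payload size) barely changes, the signature of a heartbeat.
    Randomised jitter raises cv a little, but far less than human browsing does.
    Returns None when there are too few connections to judge."""
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [n for _, n in events]
    if len(gaps) < 2 or mean(gaps) == 0 or mean(sizes) == 0:
        return None
    return mean(gaps), pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)

def find_beacons(conns, min_events=5, max_cv_gap=0.2, max_cv_bytes=0.2):
    """Return [(src, dest, rounded_mean_gap)] for pairs that look like beacons."""
    hits = []
    for (src, dest), events in conns.items():
        if len(events) < min_events:
            continue
        score = beacon_score(events)
        if score and score[1] <= max_cv_gap and score[2] <= max_cv_bytes:
            hits.append((src, dest, round(score[0])))
    return hits

if __name__ == "__main__":
    for src, dest, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dest}: regular {gap}s interval, possible C2 beacon")
```

In a SIEM the same idea is expressed as a scheduled search that buckets connections per source/destination pair and alerts on low interval variance; a destination's reputation and the host's normal baseline should be checked before treating a hit as confirmed C2.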

What characteristics of log activity may indicate a ransomware attack in progress?

Answer:

Indicators include rapid file modifications, abnormal process execution, privilege escalation attempts, and suspicious file extensions.

Explanation:

Ransomware campaigns typically encrypt large numbers of files quickly, which generates spikes in file-system activity and process logs. Analysts may observe repeated execution of encryption utilities, creation of ransom note files, or changes to registry entries associated with persistence. Network activity may also show connections to attacker infrastructure or data exfiltration before encryption begins. In Splunk, correlation searches often detect these behaviors by monitoring abnormal file write rates, process command patterns, or suspicious PowerShell activity.

Demand Score: 81

Exam Relevance Score: 82
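The log indicators listed in this answer (a burst of file modifications by one process, files renamed to a new extension, and a ransom note appearing alongside them) can be checked programmatically over endpoint file events. This is an added Python example, not part of the study guide or of Splunk; the events, the note-name pattern NOTE_RE, and the window and min_files thresholds are all constructed or assumed and should be tuned against real telemetry.

```python
"""Rapid-file-modification (ransomware-style) burst detection over constructed
endpoint file events.

Groups events per process, looks for a window in which a single process touches
many distinct files, then reports the dominant extension in that window and any
ransom-note-like file created with it.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): time host pid image action path
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01 ws-17 4120 winword.exe write C:\Users\amy\Documents\q1.docx
2024-05-01T10:00:40 ws-17 4120 winword.exe write C:\Users\amy\Documents\q2.docx
2024-05-01T10:05:00 ws-17 7731 updater.exe rename C:\Users\amy\Documents\q1.docx.locked
2024-05-01T10:05:02 ws-17 7731 updater.exe rename C:\Users\amy\Documents\q2.docx.locked
2024-05-01T10:05:03 ws-17 7731 updater.exe rename C:\Users\amy\Documents\budget.xlsx.locked
2024-05-01T10:05:05 ws-17 7731 updater.exe rename C:\Users\amy\Pictures\photo.jpg.locked
2024-05-01T10:05:06 ws-17 7731 updater.exe rename C:\Users\amy\Documents\notes.txt.locked
2024-05-01T10:05:08 ws-17 7731 updater.exe rename C:\Users\amy\Documents\plan.pptx.locked
2024-05-01T10:05:09 ws-17 7731 updater.exe write C:\Users\amy\Documents\README_RESTORE_FILES.txt
"""

# Assumed heuristic for ransom-note file names; tune to your environment.
NOTE_RE = re.compile(r"(readme|restore|decrypt|recover|how_to).*\.(txt|html|hta)$", re.I)

def parse_events(text):
    """Return a list of event dicts from the whitespace-separated event text."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, image, action, path = line.split()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "pid": int(pid), "image": image, "action": action, "path": path})
    return events

def find_encryption_bursts(events, window=timedelta(seconds=60), min_files=6):
    """Return {(host, pid, image): summary} for processes that touch at least
    min_files distinct files inside any span of length window."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"], ev["image"])].append(ev)
    hits = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            files = {e["path"] for e in span}
            if len(files) < min_files:
                continue
            exts = Counter(e["path"].rsplit(".", 1)[-1].lower() for e in span)
            ext, n = exts.most_common(1)[0]
            hits[key] = {"files": len(files), "dominant_ext": ext,
                         "ext_share": round(n / len(span), 2),
                         "ransom_notes": [e["path"] for e in span if NOTE_RE.search(e["path"])]}
            break  # one finding per process is enough to raise an alert
    return hits

if __name__ == "__main__":
    for (host, pid, image), s in find_encryption_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host} pid {pid} ({image}): {s['files']} files in 60s, "
              f"{s['ext_share']:.0%} ending in .{s['dominant_ext']}, notes={s['ransom_notes']}")
```

Legitimate bulk writers such as backup or indexing agents also produce bursts, so the dominant-extension share and ransom-note check are what separate an alert worth paging on from routine activity.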

What is data exfiltration in cybersecurity investigations?

Answer:

Data exfiltration is the unauthorized transfer of sensitive data from an organization to an external location controlled by an attacker.

Explanation:

Exfiltration often occurs after attackers gain persistent access to internal systems. Techniques include transferring data through encrypted channels, cloud storage services, DNS tunneling, or disguised outbound traffic. SIEM systems monitor for abnormal data transfer volumes, connections to unusual destinations, or long-duration outbound sessions. Detecting these indicators is crucial because exfiltration often represents the final stage of a successful attack.

Demand Score: 77

Exam Relevance Score: 80

Why are social engineering attacks difficult to detect through SIEM tools alone?

Answer:

Because social engineering primarily targets human behavior rather than technical system vulnerabilities.

Explanation:

These attacks manipulate users into revealing credentials, executing malicious files, or granting unauthorized access. Since the initial compromise occurs through legitimate user actions, logs may appear normal until after the attacker gains access. SIEM systems like Splunk can detect suspicious login behavior or unusual account activity, but they cannot directly observe the human manipulation that enabled the attack. Therefore, monitoring must be combined with user awareness and behavioral analytics to identify abnormal activity following credential compromise.

Demand Score: 74

Exam Relevance Score: 78