Common Digital Threats
Understanding how attackers operate is the foundation of effective defense. Cybercriminals are not random; they follow structured methodologies, exploit predictable human behaviors, and leverage the same vulnerabilities over and over again. According to the 2023 Verizon Data Breach Investigations Report (DBIR), 74% of all breaches involved the human element, including social engineering attacks, errors, and misuse of credentials.
The Attack Lifecycle
Most cyberattacks follow a predictable sequence known as the Cyber Kill Chain (developed by Lockheed Martin):
Reconnaissance
The attacker researches the target, gathering email addresses, employee names, technology stacks, and organizational structure from public sources (LinkedIn, company websites, GitHub, DNS records).
Weaponization
The attacker creates a payload, a malicious email attachment, a phishing page, a compromised link, or an exploit targeting a known vulnerability.
Delivery
The payload is delivered, via email (phishing), a malicious website, a USB drive, or a compromised software update.
Exploitation
The payload executes, exploiting a vulnerability in the target’s software, browser, or human judgment.
Installation
Malware is installed on the target system, establishing a persistent foothold (backdoor).
Command & Control (C2)
The compromised system communicates back to the attacker’s infrastructure, awaiting further instructions.
Phishing and Social Engineering
Phishing is the single most common initial attack vector, responsible for 16% of all breaches according to the Verizon DBIR.
Anatomy of a Phishing Email
A well-crafted phishing email exploits urgency, authority, and trust:
| Element | Legitimate Email | Phishing Email |
|---|---|---|
| Sender address | security@paypal.com | security@paypa1-support.com |
| Greeting | Uses your real name | “Dear Customer” or “Dear User” |
| Urgency | Informational tone | “Your account will be suspended in 24 hours!” |
| Link destination | https://www.paypal.com/settings | https://paypal-verify.suspicious-domain.com |
| Attachments | Rare, expected | Unexpected .zip, .docm, or .exe files |
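The table's indicators can be turned into a simple triage check. The following is an added example (not code from the original page); it scores two constructed messages, one modeled on each column of the table, and treats `paypal.com` as the only trusted brand domain (an assumption for the example).

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modeled on the table above (not real mail).
LEGIT = {"from": "security@paypal.com", "greeting": "Hi Alice Smith,",
         "body": "Your monthly statement is available in your account settings.",
         "links": ["https://www.paypal.com/settings"], "attachments": []}
PHISH = {"from": "security@paypa1-support.com", "greeting": "Dear Customer,",
         "body": "Your account will be suspended in 24 hours! Verify now.",
         "links": ["https://paypal-verify.suspicious-domain.com"],
         "attachments": ["invoice.docm"]}

TRUSTED_DOMAINS = {"paypal.com"}  # assumption: the brand's real registered domains
GENERIC_GREETINGS = ("dear customer", "dear user")
URGENCY = re.compile(r"\b(suspended|in \d+ hours|immediately|verify now)\b", re.I)
RISKY_EXT = (".zip", ".docm", ".exe")
HOMOGLYPHS = str.maketrans("01|", "oll")  # digits/symbols commonly swapped for letters

def registered_domain(host):
    """Crude last-two-labels rule; production code should use a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike(host, trusted):
    """True if an untrusted host embeds a trusted brand name after homoglyph folding."""
    folded = host.lower().translate(HOMOGLYPHS)
    return any(t.split(".")[0] in folded for t in trusted)

def phishing_indicators(msg, trusted=TRUSTED_DOMAINS):
    """Return the list of table indicators this message triggers (empty = none)."""
    hits = []
    sender_host = msg["from"].split("@")[-1]
    if registered_domain(sender_host) not in trusted and lookalike(sender_host, trusted):
        hits.append("lookalike sender domain")
    if msg["greeting"].lower().rstrip(",") in GENERIC_GREETINGS:
        hits.append("generic greeting")
    if URGENCY.search(msg["body"]):
        hits.append("urgency language")
    for url in msg["links"]:
        host = urlparse(url).hostname or ""
        if registered_domain(host) not in trusted and lookalike(host, trusted):
            hits.append("link to lookalike domain")
    if any(a.lower().endswith(RISKY_EXT) for a in msg["attachments"]):
        hits.append("risky attachment type")
    return hits
```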
Types of Phishing
- Bulk phishing: Mass emails sent to thousands of recipients. Low effort, low success rate, but high volume compensates.
- Spear phishing: Targeted at a specific individual, using personal information gathered during reconnaissance. Much higher success rate.
- Whaling: Spear phishing specifically targeting C-level executives (CEO, CFO, CTO).
- Vishing: Voice phishing, phone calls impersonating IT support, banks, or government agencies.
- Smishing: SMS phishing, text messages with malicious links (“Your package is delayed, track here: [malicious link]”).
Social Engineering Beyond Email
Social engineering is the broader discipline of manipulating human psychology. Techniques include:
- Pretexting: Creating a fabricated scenario to gain trust (“Hi, I’m from IT and I need your password to fix an urgent issue on your account”).
- Baiting: Leaving infected USB drives in parking lots or lobbies, labeled “Confidential, Q4 Salary Report”.
- Tailgating/Piggybacking: Physically following an authorized employee through a secured door.
- Quid pro quo: Offering something in exchange for information (“Free security audit if you share your network diagram”).
Malware
Malware (malicious software) is any software intentionally designed to cause damage, steal data, or provide unauthorized access. The malware ecosystem is vast:
Types of Malware
| Type | Behavior | Example |
|---|---|---|
| Virus | Attaches to legitimate files and spreads when the file is executed | ILOVEYOU (2000); caused $10B+ in damages |
| Worm | Self-replicates across networks without user interaction | WannaCry (2017); infected 230,000+ computers in 150 countries |
| Trojan | Disguises itself as legitimate software | Emotet; initially posed as invoice emails |
| Spyware | Silently monitors user activity (keystrokes, screenshots, browsing) | Pegasus; used to surveil journalists and activists |
| Adware | Displays unwanted advertisements, often bundled with free software | Fireball; infected 250M+ computers |
| Rootkit | Hides deep in the operating system to maintain persistent, undetectable access | Sony BMG rootkit (2005); installed via music CDs |
| Fileless malware | Operates entirely in memory, leaving no files on disk | PowerShell-based attacks that evade traditional antivirus |
Ransomware: A Special Category
Ransomware deserves special attention because it has become the most financially devastating type of malware:
- Encryption: The malware encrypts the victim’s files using strong encryption (AES-256 + RSA).
- Ransom note: A message demands payment (usually in cryptocurrency) in exchange for the decryption key.
- Double extortion: Modern ransomware groups also steal the data before encrypting it, threatening to publish it if the ransom is not paid.
- Ransomware-as-a-Service (RaaS): Criminal organizations now sell ransomware kits to affiliates, who carry out attacks and share profits.
- Colonial Pipeline (2021): $4.4M ransom, fuel shortages across the US eastern seaboard.
- JBS Foods (2021): $11M ransom, disrupted meat supply in the US, Canada, and Australia.
- Costa Rica Government (2022): Conti ransomware group attacked multiple government agencies, forcing a national emergency declaration.
Credential Theft
Stolen credentials are the single most common way attackers gain initial access to systems (stolen credentials were involved in 49% of breaches - Verizon DBIR 2023).
Methods of Credential Theft
- Data breaches: Attackers compromise a website’s database and steal millions of username/password pairs. If users reuse passwords, every account with that password is now at risk.
- Credential stuffing: Automated tools test stolen credentials against hundreds of other services (banking, email, social media). Success rates range from 0.1% to 2%, but at scale, that is thousands of compromised accounts.
- Password spraying: Instead of trying many passwords against one account (which triggers lockout), attackers try one common password against many accounts (e.g., Summer2024! across 10,000 employee accounts).
- Keyloggers: Malware that records every keystroke, capturing passwords as they are typed.
- Man-in-the-Middle (MitM): Intercepting communication between a user and a service (especially on unsecured Wi-Fi) to capture credentials in transit.
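Password spraying is designed to stay under per-account lockout thresholds, so detection has to pivot on the source rather than the account. The following added example (not from the original page) runs a sliding-window check over a constructed authentication log: a source that fails against many distinct accounts with few attempts each is flagged, while a classic brute force against a single account is not, and any account that later succeeded from a flagged source is listed for responders. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp result user source_ip
LOG = """\
2024-06-01T09:00:01 FAIL alice 203.0.113.5
2024-06-01T09:00:03 FAIL bob 203.0.113.5
2024-06-01T09:00:05 FAIL carol 203.0.113.5
2024-06-01T09:00:07 FAIL dave 203.0.113.5
2024-06-01T09:00:09 FAIL erin 203.0.113.5
2024-06-01T09:00:13 OK grace 203.0.113.5
2024-06-01T09:01:00 FAIL alice 198.51.100.7
2024-06-01T09:01:02 FAIL alice 198.51.100.7
2024-06-01T09:01:04 FAIL alice 198.51.100.7
2024-06-01T09:01:06 FAIL alice 198.51.100.7
"""

def parse(log):
    """Yield (timestamp, result, user, ip) tuples, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            ts, result, user, ip = line.split()
            yield datetime.fromisoformat(ts), result, user, ip

def detect_spraying(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: sorted sprayed usernames} for sources whose failures inside one
    window hit >= min_users distinct accounts with <= max_per_user tries each."""
    fails = defaultdict(list)
    for ts, result, user, ip in sorted(parse(log)):
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = defaultdict(set)
    for ip, events in fails.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            per_user = defaultdict(int)
            for _, u in events[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip].update(per_user)
    return {ip: sorted(users) for ip, users in flagged.items()}

def successes_from_flagged(log, flagged):
    """Accounts that logged in OK from a flagged source: the first thing to reset."""
    return sorted({u for _, r, u, ip in parse(log) if r == "OK" and ip in flagged})
```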
Supply Chain Attacks
Supply chain attacks target the trusted software, services, or hardware that organizations depend on. Instead of attacking the target directly, attackers compromise a supplier, and the malicious payload is delivered through legitimate update channels. Notable examples:
- SolarWinds (2020): Attackers injected malicious code into the Orion software update, which was distributed to 18,000+ organizations, including US government agencies.
- Kaseya (2021): The REvil ransomware group exploited vulnerabilities in Kaseya’s VSA software, encrypting data on 1,500+ downstream businesses.
- Log4Shell (2021): A critical vulnerability in the Apache Log4j logging library affected millions of Java applications worldwide.
Who is Behind the Attacks? (Types of Hackers)
Not all hackers operate with the same intent. To fully understand cybersecurity, it is essential to categorize the actors behind digital operations based on their legality, ethics, and motivations. In the security industry, hackers are historically classified by the color of their “hats”, a term inspired by classic Western movies where heroes wore white hats and villains wore black hats.
1. White Hat Hackers (Ethical Hackers)
- What they do: They identify and fix vulnerabilities in computer systems and networks, working to strengthen defense.
- Why they do it: To secure systems, protect data, and help organizations stay safe from malicious attacks.
- Where they work: They are legally employed as security analysts, penetration testers, security consultants, or participate in authorized Bug Bounty programs.
- Ethics: They operate strictly with permission, within the law, and follow a strict code of ethical disclosure.
2. Black Hat Hackers (Malicious Hackers)
- What they do: They break into computer networks to bypass security, deploy malware, steal sensitive data, or destroy systems.
- Why they do it: Driven by financial gain, corporate espionage, cyber warfare, or personal notoriety.
- Where they work: They operate in the shadows, often as part of organized cybercrime syndicates or state-sponsored advanced persistent threat (APT) groups.
- Ethics: They act illegally and maliciously without permission, exploiting systems and victimizing individuals or organizations.
3. Grey Hat Hackers
- What they do: They search for vulnerabilities in systems without the owner’s explicit permission or knowledge.
- Why they do it: Out of curiosity, to raise awareness, or sometimes to solicit a fee from the organization to fix the issue.
- Where they work: Independently. They might report a vulnerability to a company and offer to patch it, or release it publicly if the vendor ignores them.
- Ethics: They operate in a legal gray area. While they do not steal data or destroy systems (unlike Black Hats), their intrusion is unauthorized and technically illegal.
The Cypherpunks: A Different Breed of Digital Activist
Beyond traditional hackers focused on breaking into or defending systems, a distinct group of digital advocates emerged in the late 1980s known as the Cypherpunks. Unlike White, Black, or Grey hats, who are defined by how they interact with existing system vulnerabilities, Cypherpunks are privacy advocates who use strong cryptography as a tool to drive social and political change. Rather than exploiting networks, they build decentralized, privacy-enhancing technologies (such as PGP, Tor, BitTorrent, and Bitcoin) to shield individual liberties from state and corporate surveillance. We will take a more profound approach to their history, philosophies, and revolutionary creations later in the dedicated Cypherpunks page.
How to Protect Yourself: Key Takeaways
- Verify before you trust: Always confirm the sender’s identity independently before clicking links, opening attachments, or sharing information.
- Use unique passwords + MFA: Eliminate password reuse and enable MFA on every account that supports it.
- Keep software updated: Patches fix the vulnerabilities that attackers exploit. Delaying updates is accepting risk.
- Be skeptical of urgency: Legitimate organizations rarely demand immediate action under threat of consequences.
- Report suspicious activity: In an organizational context, reporting a suspicious email to your security team can prevent a breach that affects thousands of people.