1.

Introduction to Cyber Security

Cyber Security is the process of protecting computers, networks, programs, and data from
unauthorized access, damage, or attacks. It ensures that digital information is safe and used only by
authorized people.

The main objective of cyber security is to maintain the CIA Triad:

• Confidentiality – keeping information private and accessible only to authorized users.

• Integrity – ensuring data is not changed or tampered with without permission.

• Availability – making sure systems and data are available whenever needed.

In today’s world, cyber threats are increasing rapidly because almost all organizations depend on
online systems and internet-based services. Cyber attacks such as hacking, phishing, ransomware,
and malware can cause serious damage to both individuals and companies.

Cyber security involves using security measures such as firewalls, encryption, multi-factor
authentication, and intrusion detection systems to protect against threats. These tools help to
detect, prevent, and respond to cyber attacks.

Cyber threats keep evolving over time, which means security systems must be continuously
updated. Along with technology, human awareness and training are very important, because human
error is one of the main causes of security breaches.

Example: In 2017, the WannaCry ransomware attack affected thousands of organizations worldwide,
locking their data until ransom was paid. This shows why strong cyber security measures are
necessary.

2. Cyber Activity – Different Types of Malware and How They Are Used

Definition:
Malware (short for malicious software) is any program or code created to damage, disrupt, steal, or
gain unauthorized access to computer systems. Malware is a major tool used in most cyber attacks.

Types of Malware and Their Use:

1. Virus – A program that attaches itself to files and spreads when those files are opened. It can
delete data, slow down systems, and cause operational problems.

o Example: File-infecting virus that corrupts documents.

2. Worm – Self-replicating malware that spreads across networks without user action. It often
consumes bandwidth and can install backdoors for attackers.

o Example: Internet worms like the Morris Worm.

3. Trojan Horse (Trojan) – Appears as legitimate software but secretly performs malicious
activities such as stealing passwords or installing spyware.

o Example: Fake antivirus programs.

4. Ransomware – Locks or encrypts files and demands payment (ransom) to restore access.
 o Example: WannaCry ransomware attack.

5. Spyware – Secretly monitors user activity and sends collected data to attackers. Often used
to steal login credentials or financial information.

6. Adware – Displays unwanted advertisements and can track browsing habits. Though less
harmful, it can slow systems and invade privacy.

7. Rootkit – Hides itself deep in the system to give attackers full control of the computer
without detection.

8. Botnet – A group of infected computers controlled by hackers,Used for large attacks, spam,
and stealing data.

How Malware is Used in Attacks:

• Often combined in a single malicious event. For example, a phishing email might drop a
Trojan that installs ransomware.

• Used for data theft, financial fraud, espionage, or to disrupt services.

• Delivered through infected email attachments, malicious websites, USB drives, or software
downloads.

Example Combination: An attacker uses spyware to steal bank login details, then ransomware to
lock files, forcing the victim to pay twice.

3. Cyber Activity – Lifecycle for Infrastructure Supporting Cyber Attacks

Definition:
The cyber attack lifecycle explains the step-by-step process attackers follow to plan, build, deliver,
and maintain an attack using supporting infrastructure like servers, malware, and communication
channels. Understanding this helps in detecting and stopping attacks early.

Stages of the Cyber Attack Lifecycle:

1. Reconnaissance (Planning Stage)

o Attackers gather information about the target.

o They use open-source intelligence (OSINT), scanning tools, and social engineering.

o Keywords: Information gathering, OSINT, scanning, footprinting.

2. Weaponization

o Attackers create or select malware (virus, Trojan, ransomware) to exploit specific

vulnerabilities.

o Combine tools like phishing emails + malicious payloads.

o Keywords: Malware creation, payload, exploit kit.

 3. Delivery

o Attack is sent to the target using methods such as email, infected websites, USB
drives, or malicious downloads.

o Keywords: Phishing, drive-by download, malicious link.

4. Exploitation

o The delivered malware activates and exploits a vulnerability in the target’s system.

o Example: Exploiting outdated software.

o Keywords: Vulnerability exploitation, zero-day attack.

5. Installation

o Malware installs itself on the target system, sometimes with rootkit techniques to
hide.

o Keywords: Rootkit, persistence, stealth.

6. Command and Control (C2)

o The infected system connects back to the attacker’s control server.

o Attackers can send commands, steal data, or spread malware further.

o Keywords: Botnet, remote access, data exfiltration.

7. Actions on Objectives

o Final goal of the attack is executed: data theft, destruction, espionage, financial
fraud, or service disruption.

o Keywords: Data breach, financial loss, service outage.

Example:
In the WannaCry attack, attackers:

• Did reconnaissance on vulnerable Windows systems.

• Weaponized ransomware with a worm feature.

• Delivered it through network scanning.

• Exploited SMB protocol vulnerability.

• Installed the ransomware.

• Connected to a command server.

• Encrypted files to demand ransom.

4. Cyber Activity – The Insider Threat

Definition:
An insider threat occurs when someone inside an organization — such as an employee, contractor,
or business partner — intentionally or unintentionally causes harm to the organization’s systems,
data, or security.

Unlike external hackers, insiders already have authorized access, making them harder to detect.

Types of Insider Threats:

1. Malicious Insider

o Intentionally harms the organization.

o May steal data, install malware, or sabotage systems.

o Motivations: Revenge, financial gain, ideology.

2. Negligent Insider

o Causes harm accidentally due to carelessness or lack of awareness.

o Example: Clicking on phishing links or misconfiguring security settings.

3. Compromised Insider

o An insider’s account or device is hacked by an outsider.

o Example: Attacker uses stolen employee credentials to access systems.

Common Methods Used by Insider Threats:

• Data theft through USB drives, emails, or cloud storage.

• Sharing sensitive information with competitors.

• Bypassing security policies.

• Installing unauthorized software.

Why Insider Threats Are Dangerous:

• They have legitimate access to sensitive systems.

• Their actions are often not flagged by security systems because they seem normal.

• They can cause financial loss, reputational damage, and legal issues.

Prevention & Mitigation:

• Access Control – Give employees only the access they need (least privilege principle).

• Monitoring – Track unusual activity using User Behavior Analytics (UBA).

• Training – Regular cyber security awareness programs.

• Incident Response Plans – Be ready to act quickly if an insider attack is suspected.

Introduction to Attacks and Vulnerabilities

Definition:
In cyber security, an attack is any attempt to gain unauthorized access, steal data, damage systems,
or disrupt services. A vulnerability is a weakness or flaw in a system, network, or application that
can be exploited by attackers.

Relationship Between Attacks and Vulnerabilities:

• Vulnerabilities are like open doors or cracks in the system.

• Attacks are the actions taken by attackers to enter through those doors and cause harm.

• Without vulnerabilities, attacks are much harder to perform.

Common Approaches to Reconnaissance Prior to Hostile Cyber Activity

Reconnaissance, also called footprinting, is the first and most important step in a cyber attack,
where attackers gather as much information as possible about the target’s network, systems, or
employees. This step helps them identify vulnerabilities and plan an effective attack strategy.

The common approaches include:

1. Passive Reconnaissance – In this approach, attackers collect information without directly

contacting the target. They use publicly available data such as company websites, social
media profiles, news articles, and domain records (WHOIS lookups). Tools like Google
Dorking are also used to uncover hidden files or sensitive information. This method is low
risk because it is difficult to detect.

2. Active Reconnaissance – Here, attackers interact directly with the target’s systems to gather
more precise details. Techniques include port scanning to find open ports, ping sweeps to
identify active devices, and network mapping to see how the systems are connected. This
method provides accurate data but is easier to detect.

3. Social Engineering – Attackers use psychological manipulation to trick people into revealing
confidential data like passwords or security codes. Methods include phishing emails, fake
login pages, or phone calls pretending to be a trusted person.

4. Automated Scanning Tools – Tools like Nmap, Nessus, and Shodan allow attackers to quickly
detect vulnerabilities, outdated software, and misconfigured systems.

Example: In many ransomware incidents, attackers first use passive reconnaissance to identify
potential employees, then perform active scanning to find an unpatched server, and finally exploit it
to deliver the malware.

In short, reconnaissance is the foundation of any cyber attack, and understanding these approaches
helps in designing strong security defenses.
Nascent Vulnerabilities in Network Infrastructure, Web Applications, and Native Code

Vulnerabilities are weaknesses or flaws in systems that can be exploited by attackers to

compromise security. "Nascent vulnerabilities" means newly discovered or emerging weaknesses
that may not yet be widely known or patched. These can exist in network infrastructure, web
applications, or native code.

1. Network Infrastructure Vulnerabilities

Network infrastructure includes routers, switches, firewalls, and servers that connect and protect
systems.
Common vulnerabilities:

• Unpatched firmware – Outdated device firmware with known flaws.

• Weak authentication – Default or weak passwords in routers and admin panels.

• Misconfigurations – Open ports, unnecessary services, or insecure protocols like Telnet.

• Example: An attacker exploits an unpatched router to intercept sensitive traffic.

2. Web Application Vulnerabilities

Web applications are software programs accessed via browsers, like e-commerce or banking sites.
Common vulnerabilities:

• SQL Injection – Attacker inserts malicious code into database queries.

• Cross-Site Scripting (XSS) – Injecting scripts into web pages to steal cookies or sessions.

• Insecure authentication – Poor password storage or lack of multi-factor authentication.

• Example: A shopping site vulnerable to SQL Injection allows attackers to access customer
data.

3. Native Code Vulnerabilities

Native code refers to programs written in low-level languages like C or C++ that run directly on the
operating system.
Common vulnerabilities:

• Buffer overflow – Writing more data than the buffer can hold, causing system crashes or
arbitrary code execution.

• Memory leaks – Poor memory management that slows down systems or causes crashes.

• Insecure APIs – Functions that allow unauthorized system access.

• Example: A video player app with a buffer overflow bug lets attackers run malicious code on
the user’s device.

Conclusion:
Nascent vulnerabilities are dangerous because patches may not yet exist, making systems an easy
target. Regular updates, vulnerability scanning, and secure coding practices are essential to prevent
exploitation.
Attacks and Exploits that Target Vulnerabilities

Attacks are malicious actions aimed at exploiting vulnerabilities in systems to gain unauthorized
access, steal data, or disrupt services. An exploit is the specific method or code used to take
advantage of that vulnerability.

1. Network Infrastructure Attacks

• Denial of Service (DoS) / Distributed DoS (DDoS): Overloading a network or server with
excessive traffic to make it unavailable.

• Man-in-the-Middle (MITM): Intercepting and altering communication between two parties.

• Example: Exploiting an unpatched router to eavesdrop on login credentials.

2. Web Application Attacks

• SQL Injection: Injecting malicious SQL commands to access or delete database information.

• Cross-Site Scripting (XSS): Injecting malicious scripts into web pages to steal cookies or
session IDs.

• Cross-Site Request Forgery (CSRF): Forcing a logged-in user to perform unintended actions.

• Example: Exploiting a vulnerable login form to bypass authentication and access admin data.

3. Native Code Attacks

• Buffer Overflow: Writing beyond memory boundaries to execute malicious code.

• Privilege Escalation: Exploiting flaws to gain higher system permissions.

• Remote Code Execution (RCE): Running attacker-controlled code on the victim’s device.

• Example: Exploiting a buffer overflow in a media player to install spyware.

4. Exploit Kits

• Pre-packaged tools containing multiple exploits, often delivered via malicious websites or
phishing emails.

• Automatically detect vulnerabilities and choose the best attack method.

Conclusion:
Attackers often combine multiple exploits to maximize impact. Regular patching, network
monitoring, web application firewalls, and secure coding are essential to defend against these
attacks.
Approaches to Understanding the Business and Mission Effects

When a cyberattack occurs, it’s important to not only fix the technical issue but also understand its
business and mission impact. This helps organizations make informed decisions for recovery,
prevention, and risk management.

ABBREVIATION FOR THIS - "Big Missions Require Strong Protection"

1. Business Impact Analysis (BIA)

• Definition: A method to assess the consequences of a malicious activity on core business

operations.

• Purpose: Identify which processes are most critical and estimate financial, operational, and
reputational losses.

• Example: Evaluating how a ransomware attack would halt customer transactions and cause
revenue loss.

2. Mission Impact Assessment

• Definition: Focuses on how malicious activity affects the primary objectives (mission) of the
organization.

• Application: Often used in government, military, and critical infrastructure sectors.

• Example: An attack on a hospital system affecting patient care and emergency response.

3. Risk Assessment

• Definition: Identifies the likelihood and severity of cyber threats and their effect on assets.

• Process: List possible threats → Estimate damage → Prioritize mitigation.

• Example: Ranking phishing, DDoS, and insider threats based on potential business
disruption.

4. Stakeholder Communication

• Why important: Clear, timely updates to management, employees, customers, and partners
reduce confusion and help recovery.

• Example: Informing customers about a data breach and steps being taken to protect them.

5. Post-Incident Review

• Definition: A structured analysis of the event after it’s resolved to find root causes and
improve defenses.

• Example: Reviewing logs to see how an attacker bypassed a firewall and planning stronger
access controls.

Conclusion:
By combining BIA, mission assessment, risk evaluation, and post-incident learning, organizations
can better understand the real-world effects of cyber incidents and prepare stronger defenses.
Defensive TTPs – Tools, Techniques, and Procedures
Defensive TTPs are methods and resources used by organizations to protect, detect, and respond to
cyber threats. They help improve the defensive posture of a system.

A. Tools – (Software/Platforms for defense)

1. EDR (Endpoint Detection & Response) – Monitors endpoints like laptops or servers for
suspicious activity and stops threats. (Example: CrowdStrike Falcon)

2. SIEM (Security Information & Event Management) – Collects logs, detects anomalies, and
gives alerts. (Example: Splunk)

3. IDS/IPS (Intrusion Detection/Prevention Systems) – Detects and blocks malicious network

activity. (Example: Snort)

4. Firewalls – Filters traffic based on security rules. (Example: Fortinet)

5. Vulnerability Scanners – Finds weaknesses in software and systems. (Example: Nessus)

6. Threat Intelligence Platforms – Share and store threat data like IOCs (Indicators of
Compromise). (Example: MISP)

7. Deception Tools (Honeypots) – Lure attackers to fake systems to study their methods.
(Example: Canarytokens)

B. Techniques – (Ways to apply security)

1. Defense-in-Depth – Use multiple layers of security to reduce attack success.

2. Network Segmentation – Divide the network into zones to stop threat spread.

3. Zero Trust Model – Never trust by default, verify every access.

4. MFA (Multi-Factor Authentication) – Use two or more verifications for login.

5. UEBA (User & Entity Behavior Analytics) – Track unusual user activity to find insider threats.

6. Data Encryption – Secure data in storage and while moving.

7. Patch Management – Update software to fix known vulnerabilities.

8. Threat Hunting – Proactively search for hidden threats using attacker TTPs.

C. Procedures – (Step-by-step security processes)

1. Incident Response Plan – Steps to handle security breaches quickly.

2. Security Policy Management – Set and enforce rules like access control.

3. Regular Security Audits – Check and review systems for gaps.

4. Phishing Simulations & Training – Teach users to spot fake emails.

5. Backups & Disaster Recovery – Restore data and systems after an attack.

6. Change Management – Control and approve system changes to avoid mistakes.

Using the right tools, proven techniques, and clear procedures helps organizations detect attacks
early, reduce damage, and maintain a strong cyber defense.
Approaches to Cyber Threat Hunting

Meaning:
Cyber threat hunting is the proactive search for threats within a network to detect hidden attacks
before they cause damage.

1. Hypothesis-Driven Hunting

• Concept: Start with a hypothesis about attacker behavior and investigate.

• Example: “An attacker has compromised a domain admin account to move laterally.”
Investigate unusual logins, Kerberos anomalies, lateral movement.

• Tools: Splunk, ELK Stack, EDR tools, MITRE ATT&CK

2. Indicator of Compromise (IoC)-Based Hunting

• Concept: Search for known indicators like IPs, domains, file hashes, registry keys.

• Example: Threat feed shows malicious[.]com; hunter checks DNS logs.

• Strength: Fast and effective for known threats.

• Limitation: Cannot detect unknown or evolving threats.

• Tools: MISP, VirusTotal, SIEM (QRadar, Splunk)

3. TTP-Based Hunting (Tactics, Techniques, Procedures)

• Concept: Hunt based on attacker behavior patterns using MITRE ATT&CK framework.

• Example: Look for persistence techniques (scheduled tasks, registry autostarts).

• Strength: Detects novel attacks and adversary tradecraft.

• Tools: ATT&CK Navigator, Red Canary Reports, Velociraptor

4. Anomaly-Based Hunting

• Concept: Detect deviations from normal behavior.

• Examples: User logs in from two countries in minutes; device uploads 20GB at 2 AM.

• Techniques: Behavioral baselining, outlier detection (ML/statistics).

• Strength: Effective for zero-days and insider threats.

• Tools: UEBA platforms, Exabeam, Microsoft Sentinel, CrowdStrike

5. Threat Intelligence-Driven Hunting

• Concept: Use external threat intel to guide hunts.

• Example: Threat actor using Cobalt Strike; search EDR logs for its patterns.

• Sources: Recorded Future, Anomali, CISA, MISP, MITRE ATT&CK

• Strength: Stay informed on latest attacker trends.

6. Machine Learning-Based Hunting

• Concept: Detect subtle anomalies that are hard for humans to find.

• Techniques: Clustering unusual user groups, classification of risky behaviors.

• Strength: Useful for large-scale data environments.

• Tools: Splunk UBA, Elastic ML, Microsoft Defender XDR

Key Points for Exam:

• Threat hunting is proactive.

• Approaches: Hypothesis, IoC, TTP, Anomaly, Threat Intel, ML-based.

• Tools vary depending on approach but include SIEM, EDR, UEBA, ATT&CK Navigator.

• Goal: Early detection, reduced risk, improved defense.