Dzmitry Harbachou

Posted on Aug 13 • Edited on Aug 18

Boring Cybersecurity Theory: Threats (Vulnerability, Attack, Malware)

#cybersecurity #beginners #theory #security

We’ve already been introduced to the key actors in the cybersecurity landscape - such as hackers, cyber activists, and other threat agents - and we understand the goals they may pursue and the capabilities they possess. Now, it’s time to examine the methods they use and the steps they take to achieve their objectives.

In this article, we will explore the fundamental concepts of cybersecurity, including threats, vulnerabilities, attacks, and malware. We will look at how these elements are interconnected, the different forms they can take, and why understanding them is essential for building effective security strategies.

Cybersecurity is a field of technology focused on protecting computers, mobile devices, and digital information from malicious actors seeking unauthorized access or intending to cause harm. Individuals, businesses, and governments increasingly store sensitive data - such as credit card numbers, addresses, phone numbers, passwords, personal details, and customer information - on desktops and mobile devices. The primary goal of cybersecurity is to keep that data secure and private. And the best way to ensure effective protection is to understand potential threats in order to prepare for and defend against them.

The following diagram shows how threats, vulnerabilities, attacks, and malware are interconnected within the cybersecurity landscape.

Threats - what can happen
      │
     Examples:
      ├── Hackers, cybercrime groups, competitors
      ├── Disgruntled employee, Administrator error
      │
      ▼  
Vulnerability (gaps, are used to get access)
      │
    Examples: 
      ├── Errors in code, configuration, logic
      ├── XSS
      ├── SQLi
      ├── open ports
      ├── weak passwords
      │
      ▼  
Attacks (actions)
      │
    Examples:
      ├── Exploits (Exploit) - code that exploits a vulnerability
      ├── Phishing
      ├── Brute- force / Credential stuffing
      ├── DDoS (Denial of Service)
      │
      ▼  
Malware (weapons)
      │
    Examples:
      ├── Viruses - embed themselves in other files
      ├── Worms - self-propagating
      ├── Trojans - disguise themselves as useful programs
      ├── Rootkits - hide the presence of other threats
      ├── Spyware - spies on the user
      ├── Ransomware - encrypts files, Demands ransom
      └── Backdoors - leaves a “backdoor” for access

How it all works together :

A threat actor is motivated to gain benefit or cause damage.
It seeks or discovers a vulnerability - technical, process or social.
An attack is launched, which may involve several phases (reconnaissance → delivery → exploitation → hardening → targeting).
The delivery/exploitation phase often utilizes malware as a means of penetration, withholding access, or extending influence.
If the attack is successful, risk is realized: data compromise, downtime, financial loss, reputational damage, etc.

There is plenty of information here, and instead of inventing a florid presentation, I suggest not wasting time - let's just dive into the facts. Let's read!

Threats

Threats in cybersecurity refer to any potential danger that could exploit a vulnerability and cause harm to a system, network, or data. These threats can come from various sources - including malicious individuals, software bugs, or natural disasters - and can lead to data breaches, service disruptions, or unauthorized access.

Below are several common classifications of threats used to better understand and address them.

By source

External: cybercriminals, governments, partners/contractors.
Internal (insider): employees, admins, contractors with access.
Natural/technogenic: fire, flooding, power failure, data center failure.

By actor (threat actors)

State APT groups (cyber espionage, sabotage).
Cybercriminals (financial motivation, extortion).
Hacktivists (ideology/protest).
Competitors (corporate espionage).
Script-kiddies (use off-the-shelf exploits without in-depth knowledge).
Internal attackers (intentional) and unintentional insiders (mistakes, negligence).

By attack vector

Networked: DDoS, MITM, service scanning and exploitation.
Application (AppSec): SQLi, XSS, RCE, SSRF, deserialization.
Social engineering: phishing, spear-phishing, vishing, BEC.
Supply-chain (through supply chain/libraries/partners).
Physical access: device theft, hardware tampering.
Cloud/configuration: public S3 bundles, excessive IAM privileges.
IoT/OT/SCADA: attacks on industrial controllers, smart devices.

By target/impact (CIA-triad + other)

Breach of confidentiality: data leakage, exfiltration.
Integrity breach: data spoofing/modification, sabotage.
Availability breach: DDoS, encryptors (ransomware).
Breach of trust/reputation, fraud, financial loss.

By motivation

Financial gain (ransomware, banking trojans, cryptomining).
Espionage (cyber espionage, intellectual property theft).
Sabotage/destruction (disabling IT/OT systems).
Activism/ideology.
Reconnaissance/network movement (for future operations).

By complexity and duration

Opportunistic (mass, automated, no targeting).
Targeted (targeted).
APT (Advanced Persistent Threat) - lengthy, resource-intensive, with TTP by MITRE ATT&CK.

By environment/technology

Clouds (IaaS/PaaS/SaaS).
Mobile devices.
IoT / IIoT.
OT/ICS (industry, energy).
AI/ML-centric threats (data poisoning, model stealing, deepfakes).
Crypto/blockchain ecosystem (compromise of smart contracts, bridges, wallets).

Vulnerabilities

Cybersecurity professionals spend much of their time chasing weaknesses - patching unpatched systems, reconfiguring misconfigured clouds, training distracted users. All of these weaknesses share one name: vulnerabilities. But not all vulnerabilities are created equal. This article maps the landscape so you can identify, prioritize, and ultimately eliminate the cracks before an adversary slips through.

A vulnerability is a key point of interest for both hackers and cybersecurity professionals. It’s a weakness in a system that can be exploited to gain unauthorized access or cause damage. In ancient times, it would be like an open gate in a city wall - if the gate is left open and the guards are asleep, invaders can raid the city with ease… and might even leave a thank-you note for the hospitable hosts on their way out. That’s why identifying and securing vulnerabilities lies at the heart of any effective cybersecurity strategy.

Where Do Vulnerabilities Come From?

Vulnerabilities in cybersecurity can stem from a variety of sources. Understanding where they come from is essential for identifying and addressing them effectively. Below are the four most common origins of vulnerabilities, along with real-world examples that highlight how they manifest in practice.

1. Software Flaws

One of the most common sources of vulnerabilities is flawed or poorly written code. These can result from bugs, design oversights, or a failure to account for edge cases during development. Classic examples include buffer overflows in C-based applications, SQL injection vulnerabilities in login forms, and unsafe object deserialization in web services. Even a single overlooked line of code can open the door for serious security breaches.

2. Hardware Flaws

Sometimes the vulnerabilities lie deeper - within the hardware itself. Defects in CPUs, firmware, or devices can lead to serious exploits that are difficult to patch or detect. Notable examples include the Spectre and Meltdown side-channel attacks, which exploited fundamental flaws in modern processors. Other cases include backdoored routers or vulnerable UEFI firmware, which attackers can use to compromise systems at a low level.

3. Misconfigurations

Even well-designed systems can be made insecure through misconfiguration. This includes using insecure default settings, failing to restrict access properly, or exposing internal tools to the internet. Examples include publicly accessible Amazon S3 buckets, open FTP or Telnet services, Kubernetes dashboards left unprotected, or applying overly permissive file permissions like chmod 777 on sensitive data.

4. Human Factor

Finally, humans are often the weakest link in the security chain. Whether through ignorance, error, or manipulation, people can unintentionally create vulnerabilities. Common examples include reusing passwords across services, leaving test or default accounts active in production environments, or falling victim to phishing emails. Social engineering remains a highly effective tactic for attackers precisely because it targets human behavior rather than technology.

Mapping Vulnerabilities Across the Stack

Vulnerabilities can exist at every layer of a system - from physical infrastructure all the way up to application logic. Understanding where these weaknesses occur helps security teams apply defense-in-depth strategies and prioritize remediation efforts. Below is a breakdown of common vulnerability types across different layers of the stack:

1. Network Level

At the network layer, poor segmentation or outdated technologies can expose internal systems to external threats. Examples include weak or flat network architecture, legacy VPN protocols that no longer meet modern security standards, and open SMB (Server Message Block) shares accessible without proper restrictions.

2. Protocol Level

Vulnerabilities in communication protocols can be exploited to intercept, manipulate, or redirect data. Common issues include SSL/TLS downgrade attacks, DNS cache poisoning, and insecure SMTP relays - all of which can lead to man-in-the-middle attacks or data tampering.

3. Application Level

The application layer is one of the most frequently targeted by attackers. Vulnerabilities here include Cross-Site Scripting (XSS), SQL Injection (SQLi), Remote Code Execution (RCE), and broken access control. These flaws can lead to unauthorized data access, service disruption, or full system compromise.

4. Operating System Level

When the underlying OS is not properly maintained, it can expose systems to low-level attacks. Examples include outdated kernels lacking security patches, vulnerable device drivers, and the absence of exploit mitigation features like Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP).

5. Physical Level

Even the best digital defenses can be bypassed if physical security is neglected. Unlocked server rooms, unencrypted laptops left unattended, or the use of rogue USB devices can all lead to direct data theft or the installation of persistent malware.

How Dangerous Are They? (Severity)

Not all vulnerabilities are created equal. To manage risk effectively, it's essential to classify vulnerabilities by their severity. This helps security teams prioritize which issues to address first, ensuring that the most dangerous threats are mitigated before they can be exploited.

Here’s a breakdown of common severity levels, the typical impact associated with each, and why they matter in a real-world security context:

Severity	Typical Impact	Why It Matters
Critical	Full system takeover, mass data breach	Must be patched or mitigated immediately - attackers often automate exploitation.
High	Data exfiltration, authentication bypass	Should be prioritized quickly due to high risk of real-world damage.
Medium	Denial of Service (DoS), partial compromise	Can be scheduled for remediation - may be chained with other bugs for escalation.
Low	Information disclosure, banner grabbing	Fix during regular patch cycles - valuable for attackers during reconnaissance.

Understanding severity not only helps with technical triage, but also with communicating risk to stakeholders. Critical and high-severity vulnerabilities often require immediate attention, while medium and low-severity issues can be managed over time - though none should be ignored. In cybersecurity, even “low-risk” vulnerabilities can be a foothold for a more serious breach if left unattended.

By Exploitation Method

Vulnerabilities can be categorized not only by their severity or stack, but also by how attackers exploit them. Understanding these methods helps prioritize risks and build more effective defenses.

Remote vulnerabilities - no prior access needed (e.g., SQLi, Log4Shell).
Local vulnerabilities - require foothold first (privilege escalations like Dirty Pipe).
Logical flaws - business‑logic errors (bypassing payment limits, coupon abuse).
Zero-days - unknown to the vendor, patch not available; keep multi-layered protection at the ready.

Organizational & Process Vulnerabilities

Technology alone is rarely the root of a breach - it's often weaknesses in processes, policies, and people that create the real risk surface.

Common organizational vulnerabilities include the absence of a proper patch-management policy, allowing known CVEs to remain unpatched for months. Defensive tools such as antivirus and intrusion detection systems may be in place, but if they're outdated or misconfigured, they fail to detect evolving threats. A lack of security awareness among staff means users continue to fall for phishing emails and open malicious attachments like “invoice.pdf.exe.” And perhaps most critically, without tested and recoverable backups, a ransomware incident can escalate into a full-scale business disaster.

Vulnerabilities are inevitable, breaches are not. By systematically spotting weaknesses and treating the most dangerous first, you shift the odds dramatically in your favor.

And, as tradition demands, let’s wrap up with a few infamous security stories - real-world bugs that left scars, headlines, and some valuable lessons.

😏 Heartbleed (CVE‑2014‑0160)
Year: 2014
Who knew a harmless-sounding "heartbeat" feature in OpenSSL could end up bleeding encryption keys across the internet? It was just a missing bounds check… and suddenly half the web was exposed. Lesson: never underestimate small bugs in critical libraries.

😧 Log4Shell (CVE‑2021‑44228)
Year: 2021
A logging library. That’s all it was. But thanks to some overly “helpful” features in Log4j, attackers could achieve remote code execution by… sending a log string. In short: “If you can log it, you can own it.” Java admins everywhere cried in JSON.

Stay patched, stay paranoid, and keep learning - because the attackers surely are.

Attacks

In cybersecurity, an attack is any intentional action designed to exploit a vulnerability in order to gain unauthorized access, disrupt services, or steal data. To defend effectively, it’s crucial to understand not just what attacks look like, but how they work - and why they happen.

Below is an organized overview of the most common attack types, grouped by attack vector (how they enter), technique (how they operate), and objective (what they aim to achieve). This structure helps teams classify threats, recognize attack patterns early, and prioritize response based on real-world risk.

By Point of Entry

To understand how attacks begin, it's helpful to look at their initial point of entry - the place where attackers first interact with a system. Each vector opens a different kind of door, and each demands a tailored defense strategy.

Here are the most common entry points attackers use:

Network

Attackers manipulate network traffic, protocols, or routing mechanisms to disrupt services or intercept communication.
Typical attacks: DDoS, ARP spoofing, DNS cache poisoning, TCP RST flood.

Web Applications

Vulnerabilities in web services are exploited through crafted input or malicious data injection. This is one of the most common and dangerous vectors.
Typical attacks: SQL injection (SQLi), Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Remote Code Execution via unsafe deserialization.

Social Engineering

Here, the attacker targets people, not systems - manipulating users into giving up access, credentials, or performing unsafe actions.
Typical attacks: phishing, spear-phishing, business email compromise (BEC), voice phishing (vishing), SMS phishing (smishing).

Supply Chain

By compromising a trusted third-party component, attackers gain indirect access to a target system - often going unnoticed.
Typical attacks: malicious package updates (e.g. NPM), SolarWinds-style backdoors in software build pipelines.

Physical Access

Sometimes attackers go beyond the digital layer and gain direct access to devices or environments.
Typical attacks: rogue USB drives, hardware keyloggers, Evil Twin Wi‑Fi access points.

Cloud / SaaS

Misconfigured cloud environments or weak identity policies can be an open door to sensitive resources.
Typical attacks: stolen OpenID Connect (OIDC) tokens, exposed AWS S3 keys, missing multi-factor authentication (MFA) in Azure AD.

IoT / OT / SCADA Systems

Industrial controllers and smart devices are often insecure by design — and hard to patch.
Typical attacks: logic manipulation in PLCs, IoT botnets like Mirai targeting smart cameras and routers.

Understanding the entry point is the first step in anticipating how an attack may unfold - and in designing defenses that block threats before they take hold.

By Mode of Impact

Passive - Eavesdropping, scanning, OSINT; observes without modifying data or systems.
Active - Injections, remote code execution (RCE), ransomware; alters system state or breaks confidentiality, integrity, or availability.
Combined - Starts with silent reconnaissance, followed by active exploitation; common in advanced persistent threats (APTs).

Popular Attack Techniques (TTPs)

Attackers rely on a wide range of Tactics, Techniques, and Procedures (TTPs) to achieve their objectives. Below are the most common categories and what they typically involve:

Credential Attacks - Brute force, credential stuffing, pass-the-hash, password spraying. Often use leaked password dumps or weak login policies.
Injection Attacks - SQL, LDAP, OS command injection, XXE, NoSQL injection. Prevented through input validation and secure coding practices.
Memory Exploitation - Buffer overflows, use-after-free, integer overflows. Common in low-level languages like C/C++.
Man-in-the-Middle (MitM) - ARP poisoning, SSL stripping, session hijacking. Modern protocols like TLS 1.3 and HSTS help reduce the risk.
Malware-Based Attacks - Ransomware, Trojans, worms, crypto-miners, RATs. Delivered via phishing emails, drive-by downloads, or malicious ads.
Denial-of-Service (DoS) - DNS/UDP floods, SYN floods, Slowloris-style attacks. Often launched by botnets to overwhelm services.
Privilege Escalation - Kernel exploits (e.g., Dirty Pipe), misconfigured SUID, cloud metadata abuse. Used to gain admin or root access.
Evasion and Obfuscation - Fileless malware (PowerShell, WMI), packed binaries. Designed to bypass antivirus and endpoint protection.
Data Exfiltration - DNS tunneling, steganography, abuse of cloud sync services. Makes stolen data appear as regular outbound traffic.

A Step‑by‑Step Attack: The MITRE ATT&CK Kill Chain

Reconnaissance - OSINT collection, port scanning.
Initial Access - Phishing email delivers dropper.
Execution - Payload runs via PowerShell.
Persistence - Adds autorun key in Registry.
Privilege Escalation - Kernel exploit used for admin rights.
Defense Evasion - Disables antivirus/EDR tools.
Credential Access - Extracts passwords from LSASS memory.
Lateral Movement - Pass-the-Hash to move within Active Directory.
Collection - Archives sensitive documents.
Exfiltration - Sends data via HTTPS to attacker-controlled cloud.
Impact - Launches ransomware and encrypts files.

Attacks by Goal (CIA + E)

Attacks often target one or more of the following:

Confidentiality - Sniffing, SQL dumps, phishing. Result: Data breaches, regulatory fines.
Integrity - Web defacement, data tampering (e.g., IoT sensors). Result: Operational disruption, misleading metrics.
Availability - DDoS, ransomware, database destruction. Result: Downtime, reputational damage.
Economics / Reputation - Business Email Compromise (BEC), CEO fraud, insider trading. Result: Financial loss, stock price drops.

How to Defend (Quick Guide)

Layered security - Network segmentation, Zero Trust, WAF, EDR, SIEM.
Patch management - Prioritize by CVSS scores and real-world exploitability.
Secure development - Use SDLC practices, SAST/DAST, and threat modeling.
User awareness - Regular phishing simulations and security training.
Backups & Disaster Recovery - Keep offline, off-site, and test them regularly.
Threat intelligence - Track IOCs, follow TTP trends, and map to MITRE ATT&CK.

An attack is rarely a single event - it’s a chain of methods and tools. Break that chain early, and most threats will remain nothing more than lines in an analyst’s report.

Malware

Malware is a broad term for any malicious code designed to disrupt systems, steal data, or gain unauthorized access. Despite decades of evolution, it remains one of the top cyber threats. Below is a practitioner-focused breakdown of today’s malware landscape.

By Primary Function (Payload)

Virus - Injects itself into files to spread. Examples: ILOVEYOU, Michelangelo. Rare today; mostly blocked by modern EDRs.
Worm - Spreads automatically over networks. Examples: Conficker, WannaCry. Recently resurged via AI-crafted SMB exploits.
Ransomware - Encrypts data for ransom. Examples: LockBit, BlackCat. Now with “triple extortion” (encryption + leak + DDoS).
Spyware/Infostealer - Steals credentials and session data. Examples: AgentTesla, RedLine. New stealers target browsers and MFA tokens.
Trojan - Masquerades as legitimate software. Example: Emotet. Often the first stage in multi-phase attacks.
Rootkit/Bootkit - Hides deep in the system or firmware. Examples: TDL-4, LoJax. UEFI implants require firmware-level validation to detect.
Wiper - Destroys data permanently. Examples: Shamoon, NotPetya. Often seen in geopolitically motivated attacks.
Cryptominer - Hijacks system resources to mine crypto. Example: XMRig variants. Containerized environments are common targets.

By Infection Vector

Email & Phishing - Office macros, ISO/LNK droppers.
Drive-by Download - Malicious ads or compromised websites.
Supply Chain - Poisoned libraries (NPM/PyPI), trojanized updates.
Removable Media - USB tools, AutoRun exploits (still seen in OT).
Remote Exploits - VPN, RDP, Confluence, Ivanti zero-days.
Lateral Movement Tools - PSExec, WMI, remote PowerShell.

By Stealth & Persistence

Fileless/Living off the Land - PowerShell, WMI, LOLBins. Hard to detect - relies on memory for execution.
File-based - Executables, scheduled tasks, registry keys. Moderate detection - caught by signatures + heuristics.
Firmware/UEFI/BMC - Malware in motherboard or controller firmware. Highly stealthy - requires chip-level attestation.

By Target Platform

Windows - Still the #1 target for ransomware and loaders.
Linux/Containers - Cryptominers, botnets (Kaiji, Kinsing).
macOS - RATs and adware using notarization loopholes.
Android/iOS - Banking trojans (Anatsa), spyware (Pegasus).
IoT/OT - Mirai variants, ICS wipers.
Cloud/SaaS - OAuth token theft, misconfigured access scopes.

The Malware Kill Chain (Example)

Initial Access - Phishing email with dropper attachment.
Execution - Macro runs PowerShell loader.
Command & Control - Connects to C2 via DNS-over-HTTPS.
Privilege Escalation - Exploits kernel bug (e.g. Dirty Pipe).
Lateral Movement - RDP/AD enumeration across network.
Action on Objectives - Deploys ransomware, exfiltrates data.

Break any one of these steps - and the entire attack can fail.

Malware keeps evolving - fileless payloads, Rust-based binaries, firmware-level persistence - but the same weaknesses remain: users click, systems stay unpatched, and misconfigurations persist.

Shrink your attack surface. Assume compromise. Monitor everything. Back up often.

Stay patched. Stay paranoid. And may your backups never be needed.

Comparison to reality

Sometimes the abstract concepts of cybersecurity become clearer when compared to everyday scenarios. Let’s imagine your system is a house - how would typical security elements translate?

Category	Examples	Figurative comparison
Threat	Attacker wants to steal data	Burglar in the neighborhood
Vulnerability	Program with a bug (e.g. SQLi)	Window that was forgotten to close
Attack	SQL injection, phishing, DDoS	Robber action
Malware	Trojan, virus, spy, ransomware	Theft tool (lockpick)

Every cyberattack begins with a motive - the attacker wants something: money, data, disruption. That’s the threat. To act on that motive, they search for weak spots - vulnerabilities - like an unpatched server or misconfigured access. Once they find one, they launch an attack, often using malware as a tool to gain entry, stay hidden, or cause damage.

Cybersecurity isn’t just about firewalls and antivirus - it’s about thinking like a defender and detective in a world full of burglars, windows, and lockpicks.
Understanding how attackers think is the first step toward making your home or system invulnerable.