Common Threats & Threat Actors

• Malware: Malware simply means malicious software, designed to disrupt, damage, or gain unauthorised access to information systems and assets. Common types include viruses, worms, Trojans, ransomware, and spyware.

• Example: A user unknowingly downloads a malicious email attachment, infecting their computer with ransomware that encrypts valuable files until a ransom is paid.

• Malware: Malware simply means malicious software, designed to disrupt, damage, or gain unauthorised access to information systems and assets. Common types include viruses, worms, Trojans, ransomware, and spyware.

• Example: A user unknowingly downloads a malicious email attachment, infecting their computer with ransomware that encrypts valuable files until a ransom is paid.

• Actors: Cybercriminals, hacktivists, state-sponsored attackers, or insider threats seeking financial gain, disruption, surveillance, or espionage

• Control: Use regularly updated antivirus/anti-malware software, apply security patches promptly, enable email filtering, implement least privilege access, and provide user awareness training on phishing and suspicious links.

• Phishing Attacks: Phishing attacks use deceptive emails, messages, or websites to trick users into revealing sensitive information, such as login credentials or financial data.

• Example: An attacker sends an email disguised as a legitimate bank, asking users to update their account information by clicking a link that leads to a fake website capturing their login details.

• Phishing Attacks: Phishing attacks use deceptive emails, messages, or websites to trick users into revealing sensitive information, such as login credentials or financial data.

• Example: An attacker sends an email disguised as a legitimate bank, asking users to update their account information by clicking a link that leads to a fake website capturing their login details.

• Denial-of-Service (DoS) Attacks: DoS attacks aim to overwhelm or disable a target system or network, making it inaccessible to legitimate users by flooding it with excessive traffic or resource requests.

• Example: An attacker launches a DoS attack against a company's web server, causing it to crash, and rendering the website unavailable to customers.

• Denial-of-Service (DoS) Attacks: DoS attacks aim to overwhelm or disable a target system or network, making it inaccessible to legitimate users by flooding it with excessive traffic or resource requests.

• Example: An attacker launches a DoS attack against a company's web server, causing it to crash, and rendering the website unavailable to customers.

• Actors: Hacktivists, cybercriminals, disgruntled insiders, or state-sponsored groups — often seeking disruption, extortion, or political impact.

• Control: Use network firewalls and intrusion prevention systems (IPS), deploy rate-limiting and traffic filtering, configure anti-DoS protections on routers and servers, employ cloud-based DDoS mitigation services (e.g., Cloudflare, AWS Shield), and monitor network traffic for anomalies.

Distributed DOS (DDOS)

• Insider Threats: Insider threats come from within an organization and can be
  accidental or malicious. Employees or contractors may leak sensitive data or misuse
  their access privileges.

• Example: An employee with access to sensitive customer data leaks the information
  to a competitor for personal gain.

• Insider Threats: Insider threats come from within an organization and can be
  accidental or malicious. Employees or contractors may leak sensitive data or misuse
  their access privileges.

• Example: An employee with access to sensitive customer data leaks the information
  to a competitor for personal gain.

• Actors: Current or former employees, contractors, third-party vendors, or partners — either acting maliciously (e.g., for revenge or financial gain) or negligently (e.g., through poor security practices)

• Control: role-based access control (RBAC), enforce the principle of least privilege, conduct regular audits and activity monitoring, deploy data loss prevention (DLP) systems, and provide security awareness training focused on internal risks.

• Social Engineering: Social engineering involves manipulating people into revealing confidential information or performing certain actions. Attackers use psychological tactics to gain trust or deceive individuals.

• Example: An attacker impersonates an IT technician over the phone, convincing an employee to share their login credentials, claiming it's for a system upgrade.

• Social Engineering: Social engineering involves manipulating people into revealing confidential information or performing certain actions. Attackers use psychological tactics to gain trust or deceive individuals.

• Example: An attacker impersonates an IT technician over the phone, convincing an employee to share their login credentials, claiming it's for a system upgrade.

• Actors: Cybercriminals, fraudsters, disgruntled insiders, or even competitors — typically exploiting human behaviour rather than technical flaws.

• Control: Conduct regular staff training on social engineering awareness, establish strict identity verification protocols, use multi-factor authentication (MFA), promote a strong security culture (e.g., “trust but verify”), and implement procedures for reporting suspicious interactions.

• Insider Data Theft: This threat involves authorised individuals stealing sensitive information for personal gain or to sell to external parties.

• Example: A disgruntled employee copies customer data, including credit card details, to sell it to a competitor.

• Actors:

• Control: ?

• Insider Data Theft: This threat involves authorised individuals stealing sensitive information for personal gain or to sell to external parties.

• Example: A disgruntled employee copies customer data, including credit card details, to sell it to a competitor.

• Actors: Disgruntled employees, contractors, temporary staff, or business partners with legitimate access to internal systems or data.

• Control: Enforce strict access controls (least privilege), implement user activity monitoring and audit logging, use Data Loss Prevention (DLP) tools, segment sensitive data, and ensure offboarding procedures immediately revoke all access.

• Advanced Persistent Threats (APTs): APTs are sophisticated, long-term cyber-attacks launched by skilled attackers who aim to infiltrate and remain undetected within a target organization to extract valuable information.

• Example: A nation-state-sponsored group infiltrates a government agency's network, gathering classified data over an extended period without being detected.

• Actors:

• Control: ?

• Advanced Persistent Threats (APTs): APTs are sophisticated, long-term cyber-attacks launched by skilled attackers who aim to infiltrate and remain undetected within a target organization to extract valuable information.

• Example: A nation-state-sponsored group infiltrates a government agency's network, gathering classified data over an extended period without being detected.

• Actors: Nation-state actors, highly organised cybercriminal groups, and advanced hacker collectives targeting high-value sectors like government, defence, healthcare, or critical infrastructure.

• Control: Implement layered security (defence in depth), monitor networks with threat intelligence and anomaly detection, use endpoint detection and response (EDR), enforce strong authentication (MFA), conduct regular threat hunting, and apply zero-trust network principles to restrict lateral movement.

• Physical Security Breaches: Physical security breaches occur when unauthorised individuals gain physical access to information assets, such as servers or data centres.

• Example: An intruder gains access to a company's data centre and steals
  backup tapes containing sensitive customer information.

• Actors:

• Control: ?

• Physical Security Breaches: Physical security breaches occur when unauthorised individuals gain physical access to information assets, such as servers or data centres.

• Example: An intruder gains access to a company's data centre and steals
  backup tapes containing sensitive customer information.

• Actors: Burglars, disgruntled employees, industrial spies, or social engineers posing as maintenance staff or delivery personnel.

• Control: Implement multi-factor physical access controls (e.g. keycards + biometrics), monitor with CCTV surveillance, enforce visitor sign-in and escort policies, secure equipment in locked rooms or racks, and conduct regular physical security audits.

Threats

• Supply Chain Attacks: Supply chain attacks target vulnerabilities in the supply chain process, aiming to compromise hardware, software, or firmware before reaching end-users.

• Example: Attackers inject malicious code into a software update, which is then distributed to customers, infecting their systems when installed.

• Actors:

• Control: ?

Threats

• Supply Chain Attacks: Supply chain attacks target vulnerabilities in the supply chain process, aiming to compromise hardware, software, or firmware before reaching end-users.

• Example: Attackers inject malicious code into a software update, which is then distributed to customers, infecting their systems when installed.

• Actors: State-sponsored threat actors, organised cybercriminals, or advanced persistent threat (APT) groups — often targeting third-party vendors, developers, or logistics providers to reach the primary victim.

• Control: Perform thorough vetting of third-party vendors, enforce secure software development practices (e.g. code signing, SBOM), use integrity verification (hash checks), apply zero-trust principles, and monitor for anomalies in third-party systems or software updates.

Recall...

Attacker’s Point of View

Cyber Kill Chain

MITRE ATT&CK Framework

So How Do We Detect/Prevent?

• Anomaly-based: establishes a baseline of normal network or system behaviour. It then identifies deviations from this baseline, flagging activities that are unusual or potentially malicious.

  • User and Entity Behaviour Analytics (UEBA) solutions such as Exabeam and Splunk detect anomalies in user and entity behaviour by analysing historical data to identify deviations from normal patterns.

  • Credit Card Fraud Detection Financial institutions use anomaly-based detection to identify unusual transactions, such as large purchases in different geographic locations, as potential credit card fraud

• Heuristic-Based Detection: relies on rules and algorithms to identify potentially suspicious activities. The rules here are based on general knowledge of attack techniques rather than specific signatures.

  • Email filtering systems, like those used by Gmail and Microsoft Outlook, employ heuristics to analyse incoming emails for suspicious content, attachments, or links that may indicate phishing attempts.

  • Web Application Firewalls (WAFs) like ModSecurity use heuristic analysis to detect and block web application attacks based on known attack patterns

• Behaviour-Based Detection: Behaviour-based detection focuses on the behaviour of software or users. It monitors patterns of activities and flags deviations that indicate malicious behaviour.

  • Endpoint Detection and Response (EDR) solutions like CrowdStrike and Carbon Black monitor the behaviour of endpoints (e.g., computers) and alert administrators to unusual activities, such as file modifications or unauthorised access attempts.

  • Also used in user authentication systems to flag suspicious login attempts, such as multiple failed logins or login attempts from unusual locations.

Security Measures

✓ Hardware

✓ Software

✓ Processes and Procedures

✓ Best Practices

Best Practices

• Principle of least privilege!

• Principle of need-to-know

• Defence-in-depth/Layered security

• System Hardening

• SETA Programs

• Network Segmentation

• Keeping Systems Up-to-date

• Clean Desk Policy

Processes/Procedures

• Backups

• Patch and Change Management

• Vulnerability & Penetration Tests

• Continuous Monitoring

• Asset Inventory

• Secure Coding

• Input validation

• Background check/Security Clearance

• Access Control

Hardware/Software

• Firewalls

• DMZ

• Intrusion Detection (Prevention) Systems {IDS/IDPS}

• Proxy/VPN Servers

• Secure Web Gateways {SWG}

• Security Information and Event Mgt {SIEM}

• Security Orchestration, Automation and Response {SOAR}

• Antivirus Program

• Data Loss Prevention Systems {DLP}

Categorising Security Controls

System Hardening

Access Control Types

• Mandatory Access Control (MAC)

• Discretionary Access Control (DAC)

• Role-based Access Control (RBAC)

• Rule-based Access Control (RuBAC)

Conclusion

• You cannot protect against what you don’t know!

• Understanding these different types of security threats is essential for protecting information assets effectively.

• It starts with knowing what assets there are.

• By recognising potential vulnerabilities and implementing appropriate security measures, organisations can mitigate risks and safeguard their valuable data and systems