Attack Types & Threat Actors
Phishing, ransomware, zero-days, and social engineering — every attack has a playbook. Learn to recognize them before they recognize you.
The phone call that cost $4.7 million
It's 9:47 AM on a Tuesday. Sarah Chen, CEO of a mid-size logistics company, gets a phone call. The caller ID says "First National Bank — Corporate Services." The voice on the other end is calm, professional, and slightly urgent.
"Ms. Chen, this is David from your bank's fraud prevention team. We've flagged a suspicious wire transfer on your corporate account — $4.7 million to an overseas recipient. We need to verify whether you authorized this. Can you confirm your account details so we can freeze the transaction?"
Sarah's heart rate spikes. She didn't authorize any wire transfer. She confirms her account number, her security PIN, and approves what she thinks is a "reversal" of the suspicious transaction.
There was no suspicious transaction. There is now. The $4.7 million is gone. "David" was a criminal using caller ID spoofing and a script built from information scraped off LinkedIn, the company website, and a data breach from two years ago.
This is vishing — voice phishing. And it works because it exploits something no firewall can patch: human trust.
Every cyberattack, from the simplest phishing email to the most sophisticated nation-state operation, follows a playbook. This module is about learning those playbooks so you can spot them before they spot you.
Social engineering: hacking the human
Think of social engineering like a con artist movie — Ocean's Eleven, but instead of stealing diamonds from a vault, they're stealing passwords from your brain. The target isn't your computer. It's you.
Social engineering works because humans are wired to be helpful, to trust authority, and to act quickly under pressure. Attackers exploit these instincts ruthlessly.
The social engineering family
| Attack | Channel | How it works | Real-world example |
|---|---|---|---|
| Phishing | Fake emails impersonating trusted entities | "Your PayPal account has been suspended — click here to verify" | |
| Spear phishing | Phishing targeted at a specific person using personal details | "Hi Sarah, here's the Q3 report you asked for" (with malware attachment) | |
| Whaling | Spear phishing targeting executives (the "big fish") | Fake board member email requesting an urgent wire transfer | |
| Vishing | Phone | Voice calls impersonating banks, IT support, government | "This is the IRS. You owe $5,000 in back taxes. Pay now or face arrest." |
| Smishing | SMS | Text messages with malicious links | "USPS: Your package is delayed. Update delivery preferences: [link]" |
| Pretexting | Any | Building a fabricated scenario to extract info | "Hi, I'm from IT. We're doing a security audit — I need your login credentials." |
| Baiting | Physical | Leaving infected USB drives or devices to be found | USB drives labeled "Employee Salary Data Q4" scattered in a parking lot |
| Tailgating | Physical | Following an authorized person through a secured door | Carrying a stack of boxes and asking someone to hold the door open |
There Are No Dumb Questions
"Can't spam filters catch phishing emails?"
Good ones catch most of them — but attackers are constantly evolving. Spear phishing emails are crafted to look exactly like a message you'd expect from a colleague. They use your name, reference real projects, and come from domains that are one letter off from the real thing (like "micros0ft.com"). Filters help, but your judgment is the last line of defense.
"Has anyone actually fallen for a USB drive in a parking lot?"
Yes — famously. In penetration testing experiments, 45–98% of dropped USB drives get plugged in. Curiosity is a powerful force. The US Department of Homeland Security ran a test where they dropped USB drives in government parking lots. 60% were plugged in. When the drives had an official-looking logo on them, it jumped to 90%.
Spot the Phish
25 XP2. **From:** [email protected] — "Hey, here are the meeting notes from yesterday's standup. Let me know if I missed anything." (Attachment: standup-notes-mar14.pdf) →
The malware family tree
If social engineering is the con artist, malware is the weapon they leave behind. Malware — short for malicious software — is any software designed to harm, exploit, or compromise a system.
Think of it like a family tree. They're all related, but each member has a very different personality.
| Malware type | Analogy | How it spreads | Real-world example |
|---|---|---|---|
| Virus | A cold — needs contact to spread | Attaches to files; activates when you open them | ILOVEYOU (2000) — email attachment that overwrote files, hit 50M+ computers |
| Worm | COVID — spreads on its own, no action needed | Self-replicates across networks automatically | WannaCry (2017) — ransomware worm that spread to 200K+ computers in 150 countries in one day |
| Trojan | The original wooden horse — looks like a gift, hides soldiers | Disguised as legitimate software you install willingly | Emotet — disguised as invoice PDFs and Word docs |
| Ransomware | Digital kidnapping — pay up or lose your files | Often delivered via phishing or exploits; encrypts everything | Colonial Pipeline (2021) — shut down US fuel supply, $4.4M ransom paid |
| Spyware | A stalker in your computer — watches everything | Bundled with free software or delivered via exploits | Pegasus — nation-state spyware that could infect iPhones with zero clicks |
| Rootkit | A mole in your organization — hides deep, impossible to detect | Installs at the OS or firmware level | Sony BMG rootkit (2005) — music CDs secretly installed rootkits on customers' PCs |
| Keylogger | Someone reading your diary over your shoulder | Software that records every keystroke | Olympic Vision (2016) — targeted businesses to steal banking credentials |
✗ Without AI
- ✗Virus needs you to open a file to spread
- ✗Worm spreads automatically across networks
- ✗Virus attaches to existing programs
- ✗Worm is a standalone program
✓ With AI
- ✓A virus spreads as fast as humans share files
- ✓A worm spreads as fast as the network allows
- ✓One infected email attachment = virus risk
- ✓One unpatched machine on the network = worm risk
There Are No Dumb Questions
"If I have antivirus software, am I safe?"
Safer, yes. Safe, no. Antivirus software recognizes known malware by its signature — like a wanted poster. But new malware is created every day, and sophisticated attacks use "zero-day" exploits or polymorphic code that changes its signature constantly. Antivirus is one layer of defense, not a silver bullet.
"Why would anyone pay a ransomware demand?"
Because the alternative is often worse. If a hospital's patient records are encrypted and lives are at risk, or if a company's entire operations are frozen and every hour costs millions, paying the ransom can seem like the rational choice. Law enforcement generally advises against paying, but in practice, many organizations do — which is exactly why ransomware is so profitable.
Network attacks: targeting the pipes
Social engineering targets people. Malware targets devices. Network attacks target the infrastructure — the connections, protocols, and systems that move data around.
Man-in-the-Middle (MITM)
Imagine you're passing notes in class. A MITM attack is like someone sitting between you and your friend, reading every note, maybe changing a few words, and passing them along. Neither of you knows the notes have been intercepted.
In practice: an attacker on a public Wi-Fi network intercepts your connection to your bank's website, captures your login credentials, and forwards the request to the real bank so you never notice anything unusual.
DNS poisoning
DNS (Domain Name System) is the internet's phone book — it translates "google.com" into an IP address your computer can find. DNS poisoning is like someone changing the road signs so that when you follow the directions to your bank, you end up at a fake building that looks identical but is run by criminals.
DDoS (Distributed Denial of Service)
Imagine a restaurant with 50 seats. Now imagine 10,000 people show up at the same moment, each claiming they have a reservation. Nobody can get in, including real customers. That's DDoS — overwhelming a server with so much traffic that it can't serve legitimate users.
SQL injection
Websites use databases to store information. SQL injection is when an attacker types database commands into a form field — like a login box — and the website's code accidentally executes them. It's like saying "open sesame" to a safe that was built without checking whether you're allowed to say that.
Cross-site scripting (XSS)
An attacker injects malicious JavaScript code into a website that other users visit. When those users load the page, the code runs in their browser — stealing cookies, session tokens, or redirecting them to malicious sites. It's like someone slipping a forged page into a library book that runs a scam when the next reader opens it.
| Attack | Analogy | Target | Primary defense |
|---|---|---|---|
| MITM | Postal worker reading your letters | Communication between two parties | Encryption (HTTPS, VPN) |
| DNS poisoning | Swapping road signs | DNS resolution | DNSSEC, DNS monitoring |
| DDoS | 10,000 fake reservations at a 50-seat restaurant | Server availability | DDoS mitigation services, rate limiting |
| SQL injection | Saying "open sesame" to a safe that doesn't check who's talking | Web application databases | Input validation, parameterized queries |
| XSS | Forged page slipped into a library book | Website visitors' browsers | Output encoding, Content Security Policy |
There Are No Dumb Questions
"Can HTTPS protect me from all network attacks?"
HTTPS encrypts the data between your browser and the server, which prevents basic MITM eavesdropping. But it doesn't protect against everything. If an attacker has already compromised the server, HTTPS just means you have a secure connection to a compromised machine. And if you click past a certificate warning ("This site's certificate is not trusted — proceed anyway?"), you've just defeated the protection yourself.
"Why do DDoS attacks still work? Can't big companies just handle more traffic?"
They can — and they do. Major cloud providers and CDNs absorb enormous amounts of traffic. But DDoS attacks have grown too. Modern botnets can generate traffic measured in terabits per second. It's an arms race. Smaller organizations without DDoS protection services are especially vulnerable.
Advanced attacks: the big leagues
Some attacks aren't smash-and-grab jobs. They're long, patient, sophisticated operations — often backed by nation-states or well-funded criminal organizations.
Zero-day exploits
A "zero-day" is a vulnerability in software that the developer doesn't know about yet. The name comes from the fact that the developer has had zero days to fix it. It's like picking a lock that nobody knew existed — there's no key, no fix, and no defense until someone discovers it.
Zero-days are incredibly valuable. Governments and criminal organizations pay millions for them. The gray market for zero-days is a real, thriving industry.
Supply chain attacks
Instead of attacking your company directly, attackers compromise a piece of software you trust — like a routine update from a vendor. When you install the update, you install the attacker's code along with it. It's like poisoning the water supply instead of poisoning one person's drink.
The SolarWinds attack (2020) is the textbook example: Russian-linked attackers compromised SolarWinds' software update system, which was used by 18,000 organizations including multiple US government agencies.
Advanced Persistent Threats (APTs)
APTs are the spy movies of cybersecurity. A well-funded group (usually nation-state-backed) gains access to a network and stays hidden for months or years, quietly exfiltrating data. They're not in a rush. They're living undercover in your systems, like a sleeper agent.
Credential stuffing
When a data breach leaks millions of username-password pairs, attackers try those same credentials on other websites. Because people reuse passwords, this works disturbingly often. If your LinkedIn password from a 2016 breach is the same as your Gmail password today, you're vulnerable.
There Are No Dumb Questions
"How do attackers get the leaked credentials in the first place?"
Data breaches. When a company gets hacked, the stolen usernames and passwords often end up for sale on dark web marketplaces or dumped publicly. There are databases with billions of leaked credentials. Attackers buy or download these lists and run automated tools that try each username-password pair across hundreds of popular websites. The whole process is automated — they can test millions of combinations per hour.
"What's the difference between a zero-day and a regular vulnerability?"
Time. A regular vulnerability has been discovered and disclosed — the developer knows about it and (usually) has released a patch. A zero-day is a vulnerability that the developer doesn't know about yet, meaning there's no patch available. Zero-days are far more dangerous because there's literally no official fix. Once a zero-day is discovered and patched, it stops being a zero-day and becomes a regular vulnerability.
Name That Malware
25 XP2. "An employee opened an email attachment. Within minutes, every file on the company's shared drive was encrypted, and a message appeared demanding 2 Bitcoin to unlock them." →
The Cyber Kill Chain: anatomy of an attack
Every sophisticated attack follows a sequence. Lockheed Martin formalized this as the Cyber Kill Chain — seven steps that take an attacker from initial research to mission accomplished. The key insight: defenders can break the chain at any step.
<strong className="block">1. Reconnaissance</strong>
The attacker researches the target — LinkedIn profiles, company websites, public records, leaked databases. They're building a map before the heist. <em>Defense: Limit public exposure of sensitive info. Train employees on what not to share online.</em>
<strong className="block">2. Weaponization</strong>
The attacker creates the weapon — a malware payload, a phishing email, a compromised document. This happens off-stage; you can't see it. <em>Defense: Threat intelligence — knowing what kinds of weapons are trending.</em>
<strong className="block">3. Delivery</strong>
The weapon reaches the target — via email, a malicious website, an infected USB drive, or a compromised software update. <em>Defense: Email filters, web proxies, endpoint protection, user training.</em>
<strong className="block">4. Exploitation</strong>
The vulnerability is triggered — the user clicks the link, the code executes, the zero-day fires. <em>Defense: Patch management, application whitelisting, sandboxing.</em>
<strong className="block">5. Installation</strong>
Malware installs itself on the target system, establishing a foothold. <em>Defense: Endpoint detection and response (EDR), host-based intrusion detection.</em>
<strong className="block">6. Command & Control (C2)</strong>
The compromised system "phones home" to the attacker's server, establishing a communication channel for remote control. <em>Defense: Network monitoring, DNS filtering, firewall rules blocking unknown outbound connections.</em>
<strong className="block">7. Actions on Objectives</strong>
The attacker achieves their goal — data theft, encryption for ransom, sabotage, espionage, or lateral movement to more valuable targets. <em>Defense: Data loss prevention (DLP), network segmentation, backup and recovery plans.</em>
The beauty of the Kill Chain model is that the attacker must succeed at every step, but the defender only needs to break one. If you catch the phishing email at Delivery, the entire operation fails. If you detect unusual outbound traffic at C2, you can shut it down before data is stolen.
There Are No Dumb Questions
"Does every attack follow all seven steps?"
Not exactly. Simple attacks (like mass phishing campaigns) might skip or compress some steps. But sophisticated attacks — especially APTs — follow this pattern closely. The model is most useful as a framework for thinking about defense: "Where in the chain can we detect and stop this?"
"Who came up with the Kill Chain?"
Lockheed Martin's computer incident response team published it in 2011. The name comes from a military concept — the sequence of steps needed to engage a target. It's been widely adopted in cybersecurity, though some critics argue it's too attacker-focused and doesn't account well for insider threats or post-breach response.
How to recognize an attack: red flags everyone should know
You don't need to be a security expert to spot most attacks. Nearly all social engineering attacks rely on the same psychological triggers. Learn these five red flags and you'll catch the vast majority of attempts.
<strong className="block">Urgency</strong>
"Act NOW or your account will be locked!" "You have 24 hours to respond!" Attackers create panic because panicked people don't think critically.
<strong className="block">Authority</strong>
"This is from the CEO." "The IRS requires immediate payment." People comply with authority figures, especially under pressure.
<strong className="block">Too good to be true</strong>
"You've won $10,000!" "Congratulations, you've been selected for a special offer!" If you didn't enter a contest, you didn't win one.
<strong className="block">Unusual requests</strong>
"Send me the password list." "Wire $50,000 to this new account." "Install this software so I can fix your computer remotely." Legitimate organizations have processes — they don't ask for sensitive actions via email or phone.
<strong className="block">Technical red flags</strong>
Misspelled domains (amaz0n.com), mismatched URLs (the link text says "bank.com" but the actual URL goes to "evil-site.ru"), generic greetings ("Dear Customer" instead of your name), poor grammar, and unexpected attachments.
Break the Kill Chain
50 XPRemember Sarah Chen from the opening? Her $4.7 million vishing attack followed a textbook Kill Chain. The attackers researched her on LinkedIn (Reconnaissance), crafted a convincing phone script with spoofed caller ID (Weaponization), called her directly (Delivery), exploited her trust and urgency (Exploitation), gained access to her account (Installation + C2), and transferred the money (Actions on Objectives). If Sarah had followed the "verify through a separate channel" rule — hanging up and calling her bank directly — the chain would have broken at step 3. One habit. $4.7 million saved.
Key takeaways
- Social engineering targets humans, not computers. Phishing, vishing, smishing, pretexting, baiting, and tailgating all exploit trust, authority, and urgency.
- Malware comes in many forms — viruses need human action, worms spread on their own, trojans hide in plain sight, ransomware holds data hostage, and rootkits burrow deep.
- Network attacks target infrastructure — MITM, DNS poisoning, DDoS, SQL injection, and XSS exploit the systems that move and serve data.
- Advanced attacks are patient and well-funded — zero-days, supply chain attacks, APTs, and credential stuffing represent the most sophisticated threats.
- The Cyber Kill Chain has seven steps, and defenders only need to break one to stop an attack.
- Five red flags catch most attacks: urgency, authority, too-good-to-be-true offers, unusual requests, and technical inconsistencies.
Knowledge Check
1.A CEO receives an email that appears to come from a board member, requesting an urgent wire transfer to a new account. The email uses the board member's real name, references a recent board meeting, and includes specific financial details. What type of attack is this?
2.A security team discovers that malware spread across their entire network in under two hours, without any employee clicking a link or opening an attachment. Every machine connected to the network was infected. What type of malware is this most likely?
3.In the Cyber Kill Chain, an attacker sends a phishing email containing a malicious PDF attachment to a target employee. At which step of the Kill Chain does the employee opening the attachment and triggering the exploit occur?
4.A company discovers that a routine software update from a trusted vendor contained hidden malware, which had been quietly exfiltrating data for six months before detection. Which two advanced attack categories does this scenario best represent?