Chapter 2

Uploaded by Barca To End

Chapter 1: Understanding Threat Actors and Threat Intelligence

What is a Threat Actor? 🎭


A Threat Actor is any person or entity (individual, group, or government) that carries
out an attack or malicious activity that harms the security of information or data.

This can include:

Amateur Hackers: (e.g., a teenager trying to steal their neighbor's Wi-Fi password).

Organized Crime: Cybercriminal groups motivated by financial gain.

Nation-States: Governments that fund groups to carry out attacks on other countries.

Insiders: An employee from within the company itself.

What are their Motivations? (Threat Actor Motivations) 🎯

Threat actors have many different motivations, including:

Data Exfiltration: To steal data.

Blackmail: To extort money or other concessions.

Espionage: To spy on individuals, organizations, or governments.

Service Disruption: To disrupt services.

Financial Gain: To make money.

Political/Philosophical Beliefs: (e.g., Hacktivists).

Revenge: To get back at a person or organization.


Chaos/War: To create chaos or wage cyber warfare.

Attributes of Threat Actors 🧩


These are the characteristics that distinguish one type of threat actor from another:

Internal vs. External: Whether they are from inside or outside the company.

Resourcing/Funding: Whether they have a lot of money and tools or are working
with simple tools.

Sophistication: Their level of complexity – are they a beginner or a professional?

Types of Threat Actors 👥


1. Unskilled Attackers:

They have no experience and use ready-made tools from the internet (e.g.,
Script Kiddies).

2. Hacktivists:

People who attack for a political, social, or environmental cause (e.g., taking down a government website to protest a law).

3. Organized Crime:

Organized gangs whose goal is money (e.g., ransomware, identity theft, credit card fraud).

4. Nation-State Actors:

Governments that fund powerful groups to carry out cyberwarfare, espionage, or sabotage.

5. Insider Threats:

Someone from within the company, either:


Malicious: (e.g., for revenge or to sell data).

Negligent: (e.g., an unintentional mistake).


🕵️‍♂️ Shadow IT
This is when employees use apps or tools without the approval of the IT
department (e.g., someone using Google Drive or Dropbox without permission).

This is dangerous because it violates security policy and can lead to data leaks.

🚪 Threat Vectors & Attack Surfaces


Attack Vector: The path the hacker takes to get in (e.g., USB, email phishing,
calls, files, photos).

Attack Surface: All the points that can be attacked (e.g., the number of servers,
apps, and accounts).

🎣 Deception & Disruption


Honeypot: A decoy system designed to attract and trap attackers to study their
methods.

Honeynet: A network of honeypots.

Honeyfiles: Decoy files designed to detect unauthorized access.

Honeytokens: Fake credentials (like usernames and passwords) designed to detect when they are used.
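As an added example (not part of these notes), the following Python script shows how the honeytoken idea above turns into a detection rule: a set of decoy account names that no legitimate process ever uses is checked against authentication log lines, and any reference to them, successful or not, produces an alert. The decoy names, the log format and the sample log lines are all constructed for the demo.

```python
"""Honeytoken detection: alert whenever a decoy credential is referenced.

Added example, not from the original notes. The decoy account names,
the log format and the sample log lines are constructed for this demo.
"""
import re
from collections import namedtuple

# Decoy usernames planted where an intruder would find them (a config file,
# a password store) and never used by any legitimate process. Any use at all
# is a high-fidelity signal, so there is no baseline to tune.
HONEYTOKEN_USERS = {"svc_backup_legacy", "admin_old", "db_readonly_2019"}

# Constructed authentication log (syslog-like; not a real product's format).
SAMPLE_AUTH_LOG = """\
2024-03-01T08:01:12Z auth: user=alice src=10.0.0.5 result=success
2024-03-01T08:02:40Z auth: user=bob src=10.0.0.9 result=failure
2024-03-01T08:03:03Z auth: user=svc_backup_legacy src=203.0.113.7 result=failure
2024-03-01T08:03:05Z auth: user=svc_backup_legacy src=203.0.113.7 result=success
2024-03-01T08:10:00Z auth: user=carol src=10.0.0.12 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

Alert = namedtuple("Alert", "timestamp user src result")


def parse_auth_line(line):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_honeytoken_use(log_text, honeytokens=HONEYTOKEN_USERS):
    """Return one Alert per log line that references a honeytoken account.

    Failures are reported as well as successes: the decoy should never appear
    at all, so even a failed attempt means the planted credential was found.
    """
    alerts = []
    for line in log_text.splitlines():
        fields = parse_auth_line(line)
        if fields and fields["user"] in honeytokens:
            alerts.append(Alert(fields["ts"], fields["user"], fields["src"], fields["result"]))
    return alerts


def summarize_sources(alerts):
    """Group alerts by source address so responders see where the token surfaced."""
    by_src = {}
    for alert in alerts:
        by_src.setdefault(alert.src, []).append(alert)
    return by_src


if __name__ == "__main__":
    for alert in find_honeytoken_use(SAMPLE_AUTH_LOG):
        print(f"HONEYTOKEN USED: {alert.user} from {alert.src} "
              f"at {alert.timestamp} ({alert.result})")
```

Because the decoy accounts are never used legitimately, the rule has essentially no false positives; the source address in each alert tells responders where the planted credential surfaced, which is the first question in the resulting investigation.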

What is the difference between Motivation and Intent? 🎭

Intent: (The direct goal) What exactly does the attacker want to do?
For example: Steal data, disrupt a service, or demand money.

Motivation: (The underlying reason) Why are they doing this in the first place?
For example: For money, for politics, for revenge, or for war.

Types of Threat Actor Motivations 🧩

1. Data Exfiltration (Data Theft/Leakage)

Stealing sensitive data like trade secrets, intellectual property (IP), or customer information.

The data might be used for corporate espionage, identity theft, or sold on
the Dark Web.

Example: A hacker steals a company's customer database containing bank account details and emails.

2. Financial Gain

This is a very common motivation.

Examples:
Ransomware: Encrypting data and demanding money for its release.

Banking Trojans: Stealing banking credentials.

Goal: To make money.

3. Blackmail

The hacker threatens you with private photos or sensitive information, saying, "Pay money, or I will expose you."

They usually ask for money in Bitcoin because it is difficult to trace.

Examples:
Sextortion: Leaking private photos.

Doxxing: Publishing personal information.

Ransomware: With the threat of data leakage.

4. Service Disruption

The hacker stops your service to create political noise, demand money, or
damage your reputation.

Most famous example: DDoS Attack (filling the server with traffic until it
crashes).
Real-life example: A DDoS attack on GitHub in 2018 left the site down for
about 20 minutes.

5. Philosophical / Political Beliefs

This is called Hacktivism.

Groups attack systems or sites for a social/political cause.

Example: A group of hacktivists takes down a government website to protest a law.

6. Ethical Reasons

Here we are talking about the White Hat Hacker.

They work as a Pen Tester or Bounty Hunter.

They look for vulnerabilities to fix them, not to exploit them.

Goal: To improve security.

7. Revenge

A disgruntled or fired employee who comes back to leak data or wipe servers.

Example: A former employee leaves malware on the system to get revenge.

8. Disruption or Chaos

Some hackers do this just for the fun or challenge of it.

Example: Spreading viruses just to mess things up (Script Kiddies).

🔥 Just like what was said in the movie "Batman": "Some people just want
to watch the world burn."

9. Espionage

Stealing secret information from a company/organization/government.

They are often Nation-State Actors or competitors in the market.

Example: A country hacks into the factories or energy companies of another country to learn their secrets.

10. War (Cyber Warfare)


This is the highest level: Cyber Warfare.

Its goal is to disrupt the infrastructure, strike national security, or cause economic losses.

Example: A country attacks the electricity grid of another country.

1️⃣ Internal vs. External


🔹 Internal Threat Actor:
This is someone from inside the company, like an employee, contractor, or even a
business partner.

This is dangerous because the person already has legitimate access and
permissions, which they can exploit for malicious purposes.

Example: An employee at Coca-Cola, who had authorized access to files, copied a secret formula and gave it to Pepsi. This is an Internal Threat Actor.

🔹 External Threat Actor:


This is someone from outside the company, such as:
Hackers

Hacktivists (groups with social/political goals)

Competitors

State-sponsored entities

They have no initial access, so they have to use methods like:


Malware

Phishing

Exploiting vulnerabilities

2️⃣ Resources & Funding


This determines the attacker's strength.

Individual Hacker: few skills and a personal laptop, working alone.

Powerful Entity or State: a huge budget, massive infrastructure, advanced tools, and a large team.

Example:
A regular hacker uses a free program to launch a Facebook attack.

A country like North Korea, with an APT team, can develop custom tools
and hack banks.

3️⃣ Level of Sophistication & Capability


This means how skilled the attacker is and what advanced tools they have.

🔹 Low Level (Script Kiddies):


They use ready-made tools from the internet.

They don’t have deep knowledge.

Example: A young person downloads a tool that performs a DDoS attack without
understanding how it works.

🔹 High Level (APT / Nation-State Actors):


They have very high technical skills.

They use custom-developed tools.

They use zero-day exploits.

They know how to hide for a long time without being detected.

Example: A state-sponsored APT group hacks into a government network and stays inside for months without anyone noticing.

In the field of Cybersecurity, not all threat actors are geniuses or have a lot of money.

Those with a very low level of skill and funding are what we call:

🧩💻 Script Kiddies
These are people who do not have strong technical expertise and cannot write
their own exploits or tools.

They rely on ready-made tools created by professional hackers.


Their knowledge is very superficial, meaning they know how to run the tool but
not how to fix or improve it.

⚡ How can they cause damage?


Despite not being professionals, they can still cause damage using ready-made
tools.

For example:
They can perform a DDoS (Distributed Denial of Service) attack using a tool
like LOIC (Low Orbit Ion Cannon).

They can deface a website (Website Defacement).

They can spread malware on the internet.

🎯 Who do they target?


They usually look for easy targets (weak in security or not updated).

They do not focus on large or complex targets like governments or banks.

💡 Their Motivations
They want fame or recognition among their friends or the community.

Just for fun or curiosity to see what they can hack.

They are not like Hacktivists or Cybercriminals who are looking for money or
political motives.

🚨 Where is the real danger?


Each one of them alone is not strong.

But the large number of them is what poses a threat, because 100 or 1000 people
can use the same tool against you at the same time.

🧩💻 Hacktivists
🤔 Who are they?
Individuals or groups who use their technical skills to serve a political or social
cause, not for money.
Their name comes from Hacking + Activism = Hacktivism.

🎯 Their Goals
Spreading an idea or cause (political, social, human rights).

Protesting against practices they see as unethical (like censorship, violation of human rights, pollution).

Drawing attention to their cause through electronic attacks.

⚡ Attack Methods of Hacktivists


1. Website Defacement:
Like electronic graffiti, just changing the shape or content of a website to
send a message.

2. DDoS Attacks:
Flooding servers with requests to the point that legitimate users cannot
access the service.

3. Doxxing:
Publishing personal data (name, address, phone number…) to cause
pressure or threats in the real world.

4. Data Leaks:
Stealing sensitive data and leaking it to the public to expose or embarrass
the targeted entity.

💡 Their Characteristics
Technical Skills: Varies—some are beginners, and some groups have
professional people who develop custom exploits.

Motivations: Not financial, but ideological or political.

Targets: Governments, companies, and organizations that they see as acting against their principles.

👥 Examples of Hacktivist Groups


Anonymous:
The most famous group, they attacked entities that defend intellectual
property rights like MPAA and RIAA in Operation Payback – 2010.

LulzSec:
Carried out 50 Days of Lulz attacks against Sony, CIA, and FBI in 2011.

Their motives were a mix of chaos for “Lulz” (laughs) and political stances
(against censorship and surveillance).

📌 What does Organized Cybercrime mean?


Think of the Mafia in America in the forties and fifties: organized and strong, with a leader and a role for everyone.

Now it's the same idea, but instead of working in the real world (drugs, weapons,
smuggling), they work online.

📌 How do they work?


These are organized groups on the internet.

They have specific roles: one is responsible for hacking, one designs the
malware, one launders the money with cryptocurrency, one is responsible for
managing the victims, and so on.

They work in the same way as large gangs: planning, organization, distributing
roles, and profitable targeting.

📌 Why is the internet attractive to them?


Anonymity: It's hard to be identified.

Global Reach: They can attack a victim anywhere in the world without moving.

Legal Complexity: Because they work across different countries, it is difficult for
the police or judiciary to track them.

📌 They have strong capabilities:


They use custom malware.

Ransomware – to encrypt companies' data and demand money.

Phishing – fake emails and websites to trick people.


They use the Dark Web and Cryptocurrency to hide and launder money.

📌 Their main goal:


💰 Money, not politics or ideology like hacktivists or governments.
But someone (even a government) can hire them as mercenaries to carry out
political attacks or espionage operations.

📌 Examples:
1. FIN7
A very professional group.

It specifically targets the retail and hospitality (hotels, restaurants) sectors.

Their main work is high-quality phishing emails that make the employee
give them their login or download malware.

2. Carbanak Group
They stole more than a billion dollars from different banks.

They invented malware called Carbanak that hacks the bank's network.

They were able to move money between accounts or even make an ATM
dispense money without anyone touching it.

🔹 Who are Nation-State Actors?


Entities (groups or individuals) sponsored by governments.

Goal: To carry out cyber operations against countries, organizations, or individuals.

They often report to intelligence agencies or the military.

Sometimes they work as independent entities but with the state's capabilities →
so that the state can say “we have nothing to do with it” (Plausible Deniability).

🔹 False Flag Attack


A deliberate attack that is executed in a way that makes it seem like it came from
a party other than the real one.
Goal: To mislead investigators and direct the fingers of blame at another
opponent.

Example: The 2018 Winter Olympics attack in South Korea → it looked like it was
from North Korea, but it turned out to be from Russia imitating the Pyeongchang
style.

🔹 Nation-State Actors' Capabilities


Very advanced technologies (Custom Malware, Zero-day Exploits).

They have huge financial and technical resources.

They maintain a long-term presence inside the network → Advanced Persistent Threat (APT).

The goal is often not quick sabotage, but long-term espionage or data theft.

🔹 Their Goals and Motivations


Not always money (except in the case of North Korea because of economic
sanctions).

Most of them aim to:


Gather intelligence information.

Disrupt critical infrastructure.

Influence political operations.

Steal intellectual property.

North Korea → financial attacks (banks, crypto) to finance the regime.

🔹 Famous Examples
1. Stuxnet (2011):
Attributed to America + Israel.

Designed to sabotage the centrifuges of Iran's nuclear program.

Spread via USB drives to reach air-gapped networks.

2. 2016 US Elections:
Russia accused of campaigns of attacks + media disinformation.
Goal: To weaken confidence in the electoral process and support Trump.

🔹 What is an Insider Threat?


Any cybersecurity threat that comes from within the organization itself.

It can be a current employee, a former employee, a contractor, or even a business partner who has access to the system or the network.

The danger is that this person knows all the company's details: policies, systems,
and even weak points, and this makes them more dangerous than any external
hacker.

🔹 Simple Analogy
An external hacker is like someone who wants to break into a building but has
never entered it before → it's hard to know the entrances, cameras, or secret
doors.

An employee inside the company (even if they are upset) is like someone who has
an access card and knows the entrances and exits → it's very easy to do damage.

🔹 Insider Threat Capabilities


They depend on:
1. Level of Permissions:
An admin (System Admin) can do great damage because they see
everything.

A regular employee can do limited damage, but it's still harmful.

2. Skills:
An employee with high technical knowledge, even if their permissions
are few, can do more harm than a novice admin.

🔹 Types of Attacks from an Insider Threat


1. Data Theft: → Stealing sensitive files or information.

2. Sabotage: → Destroying systems or deleting data.


3. Misuse of Access: → Opening a backdoor, introducing malware, helping a hacker
from outside.

4. Unintentional: → An employee who is not paying attention clicks on a phishing link, and things go wrong without intention.

🔹 Causes of Insider Threats


💰 Money: Selling secret information to a competitor.
😡 Revenge: A fired employee who exposes the company.
🧩 Negligence/Lack of Awareness: Like opening a phishing email.

🔹 Famous Examples
1. Edward Snowden (2013)
He was a contractor at the NSA.

He used his permissions to leak very secret information about surveillance and espionage programs.

For some, he is a hero (Whistleblower), but for the US government → the most dangerous Insider Threat in history.

The losses were estimated in billions.

2. Twitter Attack (2020)


An external hacker collaborated with employees from inside (Insiders).

They were able to take control of large accounts like (Elon Musk, Obama,
Biden, Bill Gates).

They did a scam to steal Bitcoin.

This incident showed that even huge tech companies like Twitter can fall
because of an Insider Threat.

🔹 How do we face Insider Threats?


🛡️ Zero Trust Architecture: Don't assume that anyone is safe just because they
are “inside” the network.

🔑 Access Control: Permissions should be as minimal as possible (Least Privilege).

📋 Audits: Periodic reviews of systems and behaviors.

🎓 Security Awareness Training: Training employees to reduce mistakes.

✅ What does Shadow IT mean?
Shadow IT = any devices, programs, applications, or services that employees use
without the knowledge or approval of the IT department.

It has other names like Stealth IT or Client IT.

✅ Simple Examples:
1. An employee brings a monitor from outside and installs it themselves → no one in IT knows its source or whether it is safe.

2. An employee uses a personal external hard drive or USB on the company's device
→ it might carry viruses.

3. An employee uploads files to Google Drive or Dropbox without permission → data leakage can happen.

4. An employee opens the company's email on their personal mobile (BYOD) → the
personal device is not as secure as the company's devices.

✅ Why does Shadow IT happen?


Complexity or slowness of procedures (like the example of the screen that takes
45 days to be approved and installed).

Employees want ease and speed in their work.

BYOD (Bring Your Own Device): Employees use personal devices.

The wide spread of cloud apps like Google Drive, OneDrive, Slack.

✅ The Risks:
Increased security attacks → devices or programs that are not secured.

Data leakage → due to the use of unapproved cloud.

Violation of laws → the company can get into legal trouble for non-compliance.

Difficulty of IT management → not knowing what is actually being used.


Spreading malware without IT knowing.

✅ The Benefits (the positive side):


It can increase productivity (the employee finds faster solutions).

It can increase innovation (employees try new tools).

But it is very dangerous if there is no monitoring.

✅ Solutions / Dealing with Shadow IT:


Establishing clear policies for the use of devices and applications.

Applying BYOD security rules (like MDM – Mobile Device Management).

Providing official alternatives from IT that are fast and easy so that the employee
does not have to resort to Shadow IT.

Educating employees about the risks.

✅ First: Definitions
Threat Vector:

It is the method or path that an attacker uses to hack a device or network, deliver
malicious software, or execute an attack.

Attack Surface:

It is all the points/places that an attacker can exploit to enter or steal data.

👉 You can think of it as the “set of all vulnerabilities and entry points that can
be exploited.”

📌 The Difference:
Threat Vector = “How” the attack is carried out.

Attack Surface = “Where” the attack can happen.


✅ Types of Threat Vectors we talked about:
1️⃣ Messages
Via email, SMS, or chat.

Example: Phishing (a fake message from a bank/company to steal your data).

It can contain a malicious link or an infected attachment.

2️⃣ Images
The attacker hides malicious code inside an image.

Example: Stegano attack (2017) → a banner ad with an image containing malicious code that exploited a vulnerability in Internet Explorer and downloaded malware onto devices.

3️⃣ Files
Files that look normal (like PDF, Word, EXE).

Distributed via email, download sites, or file sharing.

Example: Downloading a cracked game = it has hidden malware.

4️⃣ Voice Calls


This is called Vishing (Voice Phishing).

The attacker calls and pretends to be a bank/government agency.

“I’m from the bank/taxes… give me your card number or we’ll arrest you.”

5️⃣ Removable Devices


Like USBs, external hard drives.

They can be infected with malware, and as soon as you connect them to your
device, the infection spreads.

Famous Example: The Stuxnet virus, which was transmitted via USB to infect Iran's nuclear facilities, which were not connected to the internet (air-gapped).

6️⃣ Cloud
The cloud is now a primary target for attackers.

How?
Misconfigured Cloud Storage: Like an Amazon S3 bucket left public
without a password, exposing all the data inside.

Weak Credentials: If the login to the cloud account is weak, the attacker
can enter and control everything.

Cloud Service Vulnerabilities: The cloud provider itself may have a vulnerability that the attacker exploits.

7️⃣ Network & Wireless


Wi-Fi Attacks:
Evil Twin Attack: The attacker creates a fake Wi-Fi network with a name
similar to a real network (e.g., “Free Airport WiFi”). When you connect, they
can see all your traffic.

Man-in-the-Middle (MITM): The attacker intercepts the connection between you and the internet to spy on or modify the data.

Network Protocol Attacks: Exploiting vulnerabilities in network protocols like DNS or ARP.

8️⃣ Third-Party / Supply Chain


This is one of the most dangerous types.

Instead of attacking the main target directly (which is often highly secured), the
attacker targets a smaller, less secure company that provides services to the main
target.

Example: An attacker hacks a small software company that provides updates to a larger company. They inject malware into the update, and when the large company installs the update, the malware spreads.

Famous Example: The SolarWinds attack (2020), where hackers breached the
company and injected malicious code into its Orion software. This software was
used by thousands of major companies and government agencies, so they were
all compromised.

✅ What is Threat Intelligence?
It is not just “information,” but rather analyzed information that gives us
context and allows us to make better security decisions.

Information: “There is a new virus called X.”

Threat Intelligence: “The new virus X is being used by the Russian hacking
group APT28. It targets financial institutions in Europe, exploits a vulnerability in
Microsoft Office, and its goal is to steal banking credentials. To protect yourself,
you must apply patch Y and block traffic from IP addresses Z.”

✅ Why is Threat Intelligence important?


From Reactive to Proactive: Instead of waiting for an attack to happen and then
responding, you can anticipate the attack and prepare for it.

Better Decision-Making: It helps you understand the risks and prioritize your
resources (e.g., which vulnerabilities to patch first).

Faster Detection & Response: When you know what to look for, you can detect
attacks more quickly and respond more effectively.

✅ Sources of Threat Intelligence


Internal Sources:
Logs: From firewalls, intrusion detection systems (IDS), and servers.

Incident Response Reports: From previous attacks that happened to you.

External Sources:
Open-Source Intelligence (OSINT): Publicly available information from
blogs, news sites, and security forums.

Commercial Threat Intelligence Feeds: Paid services from companies like CrowdStrike, FireEye, or Kaspersky that provide curated threat data.

Government Agencies: Like CISA (in the US) or NCSC (in the UK) that
publish security alerts.

Information Sharing and Analysis Centers (ISACs): Industry-specific organizations where companies in the same sector (e.g., finance, healthcare) share threat information with each other.

✅ Types of Threat Intelligence
1. Strategic Threat Intelligence:

Audience: High-level management (e.g., CEO, CISO).

Content: High-level overview of the threat landscape. Who are the attackers? What are their motivations? What are the major trends?

Goal: To inform long-term security strategy and investment decisions.

Example: A report that says, “Attacks from nation-states against the energy sector have increased by 50% in the last year.”

2. Tactical Threat Intelligence:

Audience: Security operations teams (SOC analysts, IT admins).

Content: Detailed information about the attackers’ tactics, techniques, and procedures (TTPs).

Goal: To help defenders understand how attackers operate so they can build better defenses.

Example: A report that describes the specific phishing techniques used by a particular hacking group.

3. Operational Threat Intelligence:

Audience: Incident response teams.

Content: Information about specific, ongoing attack campaigns.

Goal: To provide the necessary information to detect and respond to a specific attack.

Example: An alert that says, “A new malware campaign is underway. Here are the malicious domains and IP addresses to block.”

4. Technical Threat Intelligence:

Audience: Automated security systems (e.g., firewalls, SIEM).

Content: Specific indicators of compromise (IoCs) like malicious IP addresses, file hashes, or domain names.

Goal: To be fed directly into security tools to automatically block threats.

Example: A list of 100 malicious IP addresses to add to the firewall blocklist.


✅ What is a Threat Feed?
A real-time stream of threat intelligence data.

It can be open-source (free) or commercial (paid).

It provides a continuous flow of indicators of compromise (IoCs) that can be integrated with security tools.

Example: A threat feed can provide your SIEM with a constantly updated list of
malicious IP addresses, and the SIEM can then generate an alert if any of your
systems communicate with one of those IPs.
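The feed-to-SIEM correlation described above, as an added Python example that is not from the original notes. The CSV feed layout (indicator, type, confidence, valid_until), the connection log format and every address and domain are constructed for the demo; real feeds usually arrive over STIX/TAXII or a vendor API. The two filters shown, dropping expired and low-confidence indicators before matching, are the hygiene a SIEM rule needs so it does not alert on stale data.

```python
"""Correlate an IoC feed with egress connection logs, the way a SIEM rule does.

Added example, not from the original notes. Feed format, log format and all
addresses/domains are constructed (203.0.113.0/24, 198.51.100.0/24 and
192.0.2.0/24 are documentation ranges); nothing here is a real indicator.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed feed: one indicator per row with a confidence and an expiry date.
SAMPLE_FEED = """\
indicator,type,confidence,valid_until
203.0.113.50,ipv4,90,2030-01-01
198.51.100.23,ipv4,40,2030-01-01
192.0.2.77,ipv4,95,2020-01-01
bad-updates.example,domain,80,2030-01-01
"""

# Constructed egress log: timestamp, source host, destination, destination port.
SAMPLE_CONN_LOG = """\
2024-03-01T09:00:00Z host=ws-014 dst=203.0.113.50 dport=443
2024-03-01T09:00:05Z host=ws-014 dst=93.184.216.34 dport=443
2024-03-01T09:01:10Z host=srv-db1 dst=192.0.2.77 dport=8443
2024-03-01T09:02:00Z host=ws-022 dst=198.51.100.23 dport=80
2024-03-01T09:03:00Z host=ws-022 dst=bad-updates.example dport=443
"""

# Fixed "current time" for the demo so the expiry check is reproducible.
DEMO_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def load_feed(feed_text, now, min_confidence=50):
    """Return {indicator: confidence} for feed rows still valid at `now`.

    Expired rows and rows below the confidence floor are dropped so the rule
    does not fire on indicators the feed itself no longer stands behind.
    """
    active = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        valid_until = datetime.strptime(row["valid_until"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        confidence = int(row["confidence"])
        if valid_until >= now and confidence >= min_confidence:
            active[row["indicator"]] = confidence
    return active


def parse_conn_line(line):
    """Split 'ts key=value key=value ...' into a dict (constructed log format)."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def correlate(log_text, active_iocs):
    """Return one alert per log line whose destination is an active indicator."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_conn_line(line)
        if fields["dst"] in active_iocs:
            alerts.append({"ts": fields["ts"], "host": fields["host"],
                           "ioc": fields["dst"], "confidence": active_iocs[fields["dst"]]})
    return alerts


def detect(feed_text=SAMPLE_FEED, log_text=SAMPLE_CONN_LOG, now=DEMO_NOW):
    """End-to-end: load the feed, then match the log against it."""
    return correlate(log_text, load_feed(feed_text, now))


if __name__ == "__main__":
    for alert in detect():
        print(f"{alert['ts']} {alert['host']} -> {alert['ioc']} "
              f"(feed confidence {alert['confidence']})")
```

On the sample data only two lines alert: the expired 192.0.2.77 entry and the low-confidence 198.51.100.23 entry are filtered out before matching, which is exactly the behaviour you want when a feed is large and only partly curated.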

✅ What is a Threat Map?


A visual representation of cyberattacks happening in real-time around the
world.

It often shows the source country and the target country of the attacks.

Is it useful?
For marketing and awareness: Yes, it’s a great tool to show management
or the public that cyberattacks are real and constant.

For technical defense: No, it’s not very useful. It’s just a pretty picture
that doesn’t give you specific, actionable information to protect your own
network.

✅ What is a Threat Actor?


Any person or group who performs a malicious act.

It could be:
An individual hacker.

A criminal organization.

A nation-state.

An insider.

✅ What is a TTP?
Tactics, Techniques, and Procedures (TTPs)
It’s a way to describe the behavior of a threat actor.

Tactic: The high-level goal (e.g., gain initial access).

Technique: The specific method used to achieve the tactic (e.g., phishing).

Procedure: The step-by-step implementation of the technique (e.g., sending an email with a malicious attachment named “invoice.pdf”).

Understanding TTPs is more valuable than just relying on IoCs. IoCs (like an IP
address) can change quickly, but an attacker’s TTPs (their behavior) are more
stable.

✅ What is an IoC?
Indicator of Compromise (IoC)

A piece of evidence that indicates that a security breach has occurred.

It’s like a digital footprint left by the attacker.

Examples:
A malicious IP address or domain name.

A hash of a malware file.

An unusual network traffic pattern.

Unusual activity on an admin account.

✅ What is an IoA?
Indicator of Attack (IoA)

Focuses on the actions an attacker is taking, rather than the artifacts they leave
behind.

It tries to detect the attack while it is happening, not after it has already
succeeded.

Example:
IoC: A file hash of a known ransomware.

IoA: A process that is rapidly encrypting files on a hard drive (this is the
behavior of ransomware).

IoAs are more proactive and can detect new, unknown threats (zero-day attacks)
because they look for malicious behavior, not just known bad files.
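To make the IoC versus IoA contrast concrete, here is an added Python example (not from the original notes) that runs both kinds of detection over one constructed stream of file-modification events: a hash match against a known-bad list, and a behavioural rule that flags a process renaming many files with a ransom-style suffix in a short window. The process names, hashes, event format and thresholds (30 files with the suffix inside 10 seconds) are assumptions made for the demo.

```python
"""IoC (known hash) versus IoA (behaviour) over the same event stream.

Added example, not from the original notes. Event format, process names,
hashes and the rate threshold are all constructed for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hash-based IoC list: only ever matches samples someone has already seen.
KNOWN_BAD_HASHES = {"a1b2c3"}  # constructed placeholder hash


def make_events():
    """Constructed file-write events as (timestamp, pid, process, sha, path)."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    events = []
    # A legitimate backup job: 40 writes spread over 40 minutes.
    for i in range(40):
        events.append((base + timedelta(minutes=i), 100, "backup.exe",
                       "deadbeef", f"/share/doc{i}.bak"))
    # An unknown sample (hash in no feed) renaming 40 files within 8 seconds.
    for i in range(40):
        events.append((base + timedelta(seconds=i * 0.2), 200, "updater.exe",
                       "ffff00", f"/share/doc{i}.docx.locked"))
    events.sort(key=lambda e: e[0])
    return events


def ioc_matches(events, bad_hashes=KNOWN_BAD_HASHES):
    """Processes whose binary hash appears in the IoC list (sorted names)."""
    return sorted({name for _ts, _pid, name, sha, _path in events if sha in bad_hashes})


def ioa_rapid_encryption(events, threshold=30, window=timedelta(seconds=10),
                         suffix=".locked"):
    """Flag any (pid, process) that writes >= `threshold` files carrying the
    ransom-style suffix inside a sliding time window. The hash is ignored, so
    a never-before-seen sample is caught by what it does."""
    recent = defaultdict(deque)   # (pid, name) -> timestamps inside the window
    flagged = set()
    for ts, pid, name, _sha, path in events:
        if not path.endswith(suffix):
            continue
        q = recent[(pid, name)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add((pid, name))
    return flagged


if __name__ == "__main__":
    evs = make_events()
    print("IoC hash matches:", ioc_matches(evs))          # nothing: hash unknown
    print("IoA behaviour hits:", ioa_rapid_encryption(evs))  # updater.exe flagged
```

The backup job touches just as many files but never trips the rule, because the window and suffix conditions encode the behaviour of ransomware rather than "writes a lot of files"; that is the extra specificity an IoA needs to stay usable on a busy host.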

✅ What is a CVE?
Common Vulnerabilities and Exposures (CVE)

It is a dictionary of publicly known cybersecurity vulnerabilities.

Each vulnerability is given a unique ID number (e.g., CVE-2023-12345).

What it is: A standardized way to refer to a specific vulnerability.

What it is not: It is not a database of how to exploit the vulnerability or how severe it is. It’s just an ID.

✅ What is a CVSS?
Common Vulnerability Scoring System (CVSS)

It is a scoring system that rates the severity of a vulnerability.

The score ranges from 0 to 10, with 10 being the most severe.

It helps organizations prioritize which vulnerabilities to fix first.

Example: A vulnerability with a CVSS score of 9.8 is much more critical to patch
than one with a score of 4.5.

✅ What is a KEV?
Known Exploited Vulnerabilities (KEV) Catalog

A list of vulnerabilities that are actively being exploited in the wild.

It is maintained by CISA (the US Cybersecurity and Infrastructure Security Agency).

This is a very important list because it tells you which vulnerabilities you
absolutely must patch immediately, because attackers are already using them.

If a vulnerability is in the KEV catalog, it’s not a theoretical risk anymore—it’s a real and present danger.
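As an added Python example (not from the original notes) of the prioritization the CVSS and KEV sections describe: findings are sorted so that anything in the KEV catalog comes first regardless of score, then by CVSS descending, with internet exposure as a tie-break. The CVE identifiers, scores, KEV membership and the due-date policy are constructed placeholders, not real advisories or CISA data.

```python
"""Patch prioritization combining CVSS severity with KEV membership.

Added example, not from the original notes. The CVE ids, scores, the KEV
subset and the due-date policy are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    internet_facing: bool


# Constructed scanner output. The ids are placeholders, not real advisories.
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, internet_facing=False),
    Finding("CVE-0000-0002", 7.5, internet_facing=True),
    Finding("CVE-0000-0003", 4.5, internet_facing=False),
    Finding("CVE-0000-0004", 6.1, internet_facing=True),
]

# Constructed KEV subset: in this demo only the 6.1 finding is known exploited.
KEV_CATALOG = {"CVE-0000-0004"}


def cvss_band(score):
    """CVSS v3.x qualitative severity rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority_key(finding, kev=KEV_CATALOG):
    """Sort key: KEV entries first, then higher CVSS, then internet-facing assets."""
    return (finding.cve not in kev, -finding.cvss, not finding.internet_facing)


def due_in_days(finding, kev=KEV_CATALOG):
    """Constructed remediation policy (an assumption for the demo):
    KEV -> 0 days, Critical -> 7, High -> 30, Medium -> 90, Low/None -> 180."""
    if finding.cve in kev:
        return 0
    return {"Critical": 7, "High": 30, "Medium": 90}.get(cvss_band(finding.cvss), 180)


def prioritize(findings, kev=KEV_CATALOG):
    """Return the findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority_key(f, kev))


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.cve}  CVSS {f.cvss:>4} ({cvss_band(f.cvss):8})  "
              f"KEV={f.cve in KEV_CATALOG}  due in {due_in_days(f)} days")
```

Note the outcome on the sample data: the 6.1 "Medium" finding outranks the 9.8 "Critical" one purely because it is in the KEV catalog, which is the point the notes make about KEV entries being a present danger rather than a theoretical one.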

5️⃣ Removable Devices


Like USBs, external hard drives.
They can be infected with malware, and as soon as you connect them to your
device, the infection spreads.

Famous Example: The Stuxnet virus, which was transmitted via USB to infect
Iran's nuclear facilities, which were not connected to the internet (air-gapped).

6️⃣ Cloud
The cloud is now a primary target for attackers.

How?
Misconfigured Cloud Storage: Like an Amazon S3 bucket left public
without a password, exposing all the data inside.

Weak Credentials: If the login to the cloud account is weak, the attacker
can enter and control everything.

Cloud Service Vulnerabilities: The cloud provider itself may have a


vulnerability that the attacker exploits.

7️⃣ Network & Wireless


Wi-Fi Attacks:
Evil Twin Attack: The attacker creates a fake Wi-Fi network with a name
similar to a real network (e.g., “Free Airport WiFi”). When you connect, they
can see all your traffic.

Man-in-the-Middle (MITM): The attacker intercepts the connection


between you and the internet to spy on or modify the data.

Network Protocol Attacks: Exploiting vulnerabilities in network protocols like


DNS or ARP.

8️⃣ Third-Party / Supply Chain


This is one of the most dangerous types.

Instead of attacking the main target directly (which is often highly secured), the
attacker targets a smaller, less secure company that provides services to the main
target.

Example: An attacker hacks a small software company that provides updates to a


larger company. They inject malware into the update, and when the large
company installs the update, the malware spreads.

Famous Example: The SolarWinds attack (2020), where hackers breached the
company and injected malicious code into its Orion software. This software was
used by thousands of major companies and government agencies, so they were
all compromised.

✅ What is Threat Intelligence?


It is not just “information,” but rather analyzed information that gives us
context and allows us to make better security decisions.

Information: “There is a new virus called X.”

Threat Intelligence: “The new virus X is being used by the Russian hacking
group APT28. It targets financial institutions in Europe, exploits a vulnerability in
Microsoft Office, and its goal is to steal banking credentials. To protect yourself,
you must apply patch Y and block traffic from IP addresses Z.”

✅ Why is Threat Intelligence important?


From Reactive to Proactive: Instead of waiting for an attack to happen and then
responding, you can anticipate the attack and prepare for it.

Better Decision-Making: It helps you understand the risks and prioritize your
resources (e.g., which vulnerabilities to patch first).

Faster Detection & Response: When you know what to look for, you can detect
attacks more quickly and respond more effectively.

✅ Sources of Threat Intelligence


Internal Sources:
Logs: From firewalls, intrusion detection systems (IDS), and servers.

Incident Response Reports: From previous attacks that happened to you.

External Sources:
Open-Source Intelligence (OSINT): Publicly available information from
blogs, news sites, and security forums.
Commercial Threat Intelligence Feeds: Paid services from companies like
CrowdStrike, FireEye, or Kaspersky that provide curated threat data.

Government Agencies: Like CISA (in the US) or NCSC (in the UK) that
publish security alerts.

Information Sharing and Analysis Centers (ISACs): Industry-specific
organizations where companies in the same sector (e.g., finance,
healthcare) share threat information with each other.

✅ Types of Threat Intelligence


1. Strategic Threat Intelligence:

Audience: High-level management (e.g., CEO, CISO).

Content: High-level overview of the threat landscape. Who are the
attackers? What are their motivations? What are the major trends?

Goal: To inform long-term security strategy and investment decisions.

Example: A report that says, “Attacks from nation-states against the
energy sector have increased by 50% in the last year.”

2. Tactical Threat Intelligence:

Audience: Security operations teams (SOC analysts, IT admins).

Content: Detailed information about the attackers’ tactics, techniques,
and procedures (TTPs).

Goal: To help defenders understand how attackers operate so they can
build better defenses.

Example: A report that describes the specific phishing techniques used by a
particular hacking group.

3. Operational Threat Intelligence:

Audience: Incident response teams.

Content: Information about specific, ongoing attack campaigns.

Goal: To provide the necessary information to detect and respond to a
specific attack.

Example: An alert that says, “A new malware campaign is underway. Here
are the malicious domains and IP addresses to block.”

4. Technical Threat Intelligence:

Audience: Automated security systems (e.g., firewalls, SIEM).

Content: Specific indicators of compromise (IoCs) like malicious IP
addresses, file hashes, or domain names.

Goal: To be fed directly into security tools to automatically block threats.

Example: A list of 100 malicious IP addresses to add to the firewall blocklist.

✅ What is a Threat Feed?


A real-time stream of threat intelligence data.

It can be open-source (free) or commercial (paid).

It provides a continuous flow of indicators of compromise (IoCs) that can be
integrated with security tools.

Example: A threat feed can provide your SIEM with a constantly updated list of
malicious IP addresses, and the SIEM can then generate an alert if any of your
systems communicate with one of those IPs.
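The SIEM rule described above (and the technical threat intelligence of the previous section, where IoCs are fed straight into tools), as an added example that is not from the original notes: a small feed parser and a correlation check run over firewall log lines. The feed text, log lines and IP addresses are constructed sample data taken from the RFC 5737 documentation ranges.

```python
"""Added example (not part of the original notes): match firewall log lines
against a threat-feed blocklist the way a SIEM correlation rule would.
The feed text, log lines and addresses are constructed sample data drawn
from the RFC 5737 documentation ranges."""
import ipaddress
import re

# Constructed feed: one indicator per line, '#' comments, bare IPs or CIDR ranges.
FEED = """\
# sample feed; a real one is refreshed continuously
203.0.113.10
198.51.100.0/24
"""

# Constructed firewall log lines in a key=value style.
LOGS = [
    "2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
    "2024-05-01T10:00:02Z src=10.0.0.7 dst=192.0.2.8 dport=80 action=allow",
    "2024-05-01T10:00:05Z src=10.0.0.9 dst=198.51.100.77 dport=4444 action=allow",
    "malformed line that the parser should skip",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

def load_feed(text):
    """Parse the feed into network objects; a bare IP becomes a /32 network."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def match_logs(log_lines, nets):
    """Return one (timestamp, src, dst, matched_indicator) tuple per hit."""
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the rule
        dst = ipaddress.ip_address(m["dst"])
        for net in nets:
            if dst in net:
                alerts.append((m["ts"], m["src"], m["dst"], str(net)))
                break  # one alert per log line is enough
    return alerts

if __name__ == "__main__":
    for alert in match_logs(LOGS, load_feed(FEED)):
        print("ALERT: %s %s -> %s matched feed entry %s" % alert)
```

Because the feed is parsed into network objects, a single CIDR entry in the feed covers every address in that range, which is how real feeds list attacker infrastructure.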

✅ What is a Threat Map?


A visual representation of cyberattacks happening in real-time around the
world.

It often shows the source country and the target country of the attacks.

Is it useful?
For marketing and awareness: Yes, it’s a great tool to show management
or the public that cyberattacks are real and constant.

For technical defense: No, it’s not very useful. It’s just a pretty picture
that doesn’t give you specific, actionable information to protect your own
network.

✅ What is a Threat Actor?
Any person or group who performs a malicious act.

It could be:
An individual hacker.

A criminal organization.

A nation-state.

An insider.

✅ What is a TTP?
Tactics, Techniques, and Procedures (TTPs)

It’s a way to describe the behavior of a threat actor.

Tactic: The high-level goal (e.g., gain initial access).

Technique: The specific method used to achieve the tactic (e.g., phishing).

Procedure: The step-by-step implementation of the technique (e.g., sending an
email with a malicious attachment named “invoice.pdf”).

Understanding TTPs is more valuable than just relying on IoCs. IoCs (like an IP
address) can change quickly, but an attacker’s TTPs (their behavior) are more
stable.

✅ What is an IoC?
Indicator of Compromise (IoC)

A piece of evidence that indicates that a security breach has occurred.

It’s like a digital footprint left by the attacker.

Examples:
A malicious IP address or domain name.

A hash of a malware file.

An unusual network traffic pattern.

Unusual activity on an admin account.


✅ What is an IoA?
Indicator of Attack (IoA)

Focuses on the actions an attacker is taking, rather than the artifacts they leave
behind.

It tries to detect the attack while it is happening, not after it has already
succeeded.

Example:
IoC: A file hash of a known ransomware.

IoA: A process that is rapidly encrypting files on a hard drive (this is the
behavior of ransomware).

IoAs are more proactive and can detect new, unknown threats (zero-day attacks)
because they look for malicious behavior, not just known bad files.
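The IoC-versus-IoA contrast above in working code, as an added example that is not from the original notes: a hash-based IoC rule beside a behavioural IoA rule that flags a process rewriting many files in a short window. The telemetry, process ids and hashes are constructed, and the known-bad hash is a placeholder.

```python
"""Added example (not part of the original notes): an IoC rule (known bad
file hash) beside an IoA rule (one process rewriting many files within a
short window, the ransomware behaviour described above). The telemetry,
PIDs and hashes are constructed; the known-bad hash is a placeholder."""
from collections import defaultdict, deque

# Constructed IoC: SHA-256 of a previously seen ransomware sample (placeholder).
KNOWN_BAD_SHA256 = {"a" * 64}

def _event(ts, pid, image, sha, path):
    return {"ts": ts, "pid": pid, "image": image, "sha256": sha, "path": path}

# Constructed endpoint telemetry of file-write events.
EVENTS = (
    # pid 100: a normal editor saving two documents over a minute
    [_event(0, 100, "editor.exe", "b" * 64, "C:/Users/x/report.docx"),
     _event(60, 100, "editor.exe", "b" * 64, "C:/Users/x/notes.docx")]
    # pid 200: an unknown binary (hash on no feed) rewriting 8 files in 3 seconds
    + [_event(10 + i * 0.4, 200, "update.exe", "c" * 64, f"C:/Users/x/f{i}.locked")
       for i in range(8)]
    # pid 300: a known sample that has only written one file so far
    + [_event(5, 300, "svc.exe", "a" * 64, "C:/Users/x/ransom_note.txt")]
)

def ioc_hits(events):
    """IoC rule: any process whose image hash is on the known-bad list."""
    return sorted({e["pid"] for e in events if e["sha256"] in KNOWN_BAD_SHA256})

def ioa_mass_write(events, threshold=5, window=10):
    """IoA rule: PIDs that write at least `threshold` files within `window`
    seconds, evaluated with a sliding window so it fires during the burst."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["pid"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop writes older than the window
        if len(q) >= threshold:
            flagged.add(e["pid"])
    return sorted(flagged)

if __name__ == "__main__":
    print("IoC hits:", ioc_hits(EVENTS))        # only the known sample
    print("IoA hits:", ioa_mass_write(EVENTS))  # only the unknown, misbehaving one
```

Each rule catches what the other misses: the hash rule cannot see the unknown binary, and the behaviour rule does not fire on the known sample until it starts acting like ransomware, which is why the two are used together.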

✅ What is a CVE?
Common Vulnerabilities and Exposures (CVE)

It is a dictionary of publicly known cybersecurity vulnerabilities.

Each vulnerability is given a unique ID number (e.g., CVE-2023-12345).

What it is: A standardized way to refer to a specific vulnerability.

What it is not: It is not a database of how to exploit the vulnerability or how
severe it is. It’s just an ID.

✅ What is a CVSS?
Common Vulnerability Scoring System (CVSS)

It is a scoring system that rates the severity of a vulnerability.

The score ranges from 0 to 10, with 10 being the most severe.

It helps organizations prioritize which vulnerabilities to fix first.

Example: A vulnerability with a CVSS score of 9.8 is much more critical to patch
than one with a score of 4.5.

✅ What is a KEV?
Known Exploited Vulnerabilities (KEV) Catalog

A list of vulnerabilities that are actively being exploited in the wild.

It is maintained by CISA (the US Cybersecurity and Infrastructure Security
Agency).

This is a very important list because it tells you which vulnerabilities you
absolutely must patch immediately, because attackers are already using them.

If a vulnerability is in the KEV catalog, it’s not a theoretical risk anymore—it’s a
real and present danger.
