Every day, networks face threats from individuals and groups trying to gain unauthorized access, steal data, or disrupt operations. In this room, you'll learn about the "who" and "how" of cyber attacks, the threat actors who launch attacks and the attack vectors they use to breach defenses.

Understanding threat actors and attack vectors is essential for anyone responsible for network security. Whether you're protecting a small business network or a large enterprise system, knowing your adversaries and their methods is the first step toward effective defense. This knowledge helps you anticipate attacks, implement proper safeguards, and respond effectively when incidents occur.

Why This Matters

In today's connected world, cyber attacks can cripple businesses, steal sensitive personal information, and even threaten national security. Recent high-profile breaches have shown that no organization is immune. By learning how attacks work, you're not just studying theory, you're gaining practical knowledge that can protect real networks and data.

Learning Objectives

By completing this room, you will be able to:

• Identify and categorize different types of threat actors
• Explain common attack vectors and how they work
• Understand the step-by-step progression of cyber attacks
• Analyze real-world attack scenarios
• Apply this knowledge to improve network security

Prerequisites

To get the most from this room, you should have:

• Basic understanding of computer networks
• Familiarity with common networking terms
• No prior cybersecurity knowledge required

Optional Video

This optional video covers the fundamental concepts of threat actors and attack vectors. It's helpful but not required to complete the room.

In cybersecurity, a threat actor is any individual or group that performs malicious actions against computer systems, networks, or data. Not all threat actors are the same, they differ in skills, resources, motivations, and targets. Understanding these differences helps you prepare appropriate defenses.

Think of threat actors like different types of intruders: some are opportunistic vandals, while others are highly trained special forces. Your defense strategy changes based on who you're defending against.

Five Main Categories of Threat Actors

1. Script Kiddies

• Who: Beginners with minimal technical skills
• Motivation: Curiosity, notoriety, boredom
• Tools: Pre-made attack tools created by others
• Targets: Easy, poorly secured systems
• Real-World Analogy: Like graffiti artists—visible damage, limited skill

2. Hacktivists

• Who: Activists using hacking for political or social causes
• Motivation: Ideology, protest, social change
• Tools: Ranges from simple scripts to sophisticated tooling
• Targets: Organisations they ideologically oppose
• Real-World Analogy: Like protestors targeting specific entities

3. Criminal Organisations

• Who: Professional cybercriminal groups
• Motivation: Financial gain (ransomware, theft, fraud)
• Tools: Advanced, well-funded operations
• Targets: Any organisation with valuable data or money
• Real-World Analogy: Like organised crime—structured and profit-driven

4. Nation-States

• Who: Government-sponsored threat actors
• Motivation: Espionage, sabotage, political advantage
• Tools: Highly advanced with near-unlimited resources
• Targets: Governments, critical infrastructure, major corporations
• Real-World Analogy: Like military intelligence—strategic and precise

5. Insiders

• Who: Employees, contractors, or partners with authorised access
• Motivation: Revenge, profit, ideology, or negligence
• Tools: Legitimate access abused maliciously
• Targets: Their own organisation
• Real-World Analogy: Like a disgruntled employee with keys to everything

Threat Actor Comparison

Below is a visual demonstration of threat actor categories:

Key Characteristics Table

Threat Actor	Primary Motivation	Skill Level	Resources	Typical Targets
Script Kiddies	Notoriety, curiosity	Low	Minimal	Unprotected systems, websites
Hacktivists	Ideology, protest	Low to Medium	Variable	Political targets, corporations
Criminal Organizations	Financial gain	Medium to High	Significant	Banks, retailers, healthcare
Nation-States	Espionage, sabotage	Very High	Extensive	Governments, infrastructure, tech
Insiders	Revenge, profit	Varies (has access)	Legitimate access	Their employer, sensitive data

An attack vector is the specific path, method, or scenario that a threat actor uses to gain unauthorized access to a network or system. Think of it like the different ways a burglar might enter a house: through an unlocked window (vulnerability), by tricking someone to open the door (social engineering), or with a copied key (stolen credentials).

Four Main Categories of Attack Vectors

1. Network-Based Attacks

These attacks target the network infrastructure itself.

• DDoS Attacks: Overwhelm systems with traffic (like flooding a store with too many customers)
• Man-in-the-Middle: Intercept communications (like eavesdropping on a phone call)
• Port Scanning: Probing for open doors into a system
• Packet Sniffing: Capturing unencrypted network data

2. Software Vulnerability Attacks

These attacks exploit weaknesses in software code.

• SQL Injection: Inserting malicious database commands through web forms
• Buffer Overflows: Sending more data than software can handle
• Zero-Day Exploits: Attacking previously unknown vulnerabilities
• Cross-Site Scripting (XSS): Injecting malicious scripts into websites

3. Credential-Based Attacks

These attacks focus on stealing or guessing login credentials.

• Brute Force: Trying every possible password combination
• Credential Stuffing: Using stolen passwords from other breaches
• Password Spraying: Trying a few common passwords across many accounts
• Phishing for Credentials: Tricking users into revealing passwords

4. Physical Access Attacks

These attacks require physical proximity to the target systems.

• USB Drop Attacks: Leaving infected USB drives for someone to find
• Shoulder Surfing: Observing someone typing their password
• Device Theft: Stealing laptops, phones, or storage devices
• Tampering: Physically modifying hardware components

Attack Vector Visualization

Below is a visual demonstration of different attack vectors targeting a network:

Attack Vector Comparison Table

Vector Type	Description	Common Example	Typical Prevention
Network-Based	Targets network protocols/services	DDoS attack	Firewalls, rate limiting
Software Vulnerability	Exploits code flaws	SQL injection	Input validation, patching
Credential-Based	Steals/guesses login info	Brute force attack	Strong passwords, MFA
Physical Access	Requires physical proximity	USB drop attack	Security policies, encryption

How Attacks Combine Vectors

Sophisticated attacks often use multiple vectors. For example:

1. An attacker might use network scanning to find vulnerabilities
2. Then exploit a software vulnerability to gain access
3. Use that access to steal credentials
4. Use those credentials to access more systems

Cyber attacks rarely happen instantly. They typically follow a systematic process, an attack chain, where each step builds on the previous one. Understanding this progression helps defenders identify and stop attacks at various stages.

The Cyber Kill Chain is a framework developed by Lockheed Martin that describes seven stages of a cyber attack. Think of it like a burglar's process: they don't just randomly break into houses. They research (reconnaissance), prepare tools (weaponization), approach the house (delivery), find an entry point (exploitation), get inside (installation), communicate with accomplices (command & control), and finally steal valuables (actions).

The Seven Stages of the Cyber Kill Chain

1. Reconnaissance

• What: Researching the target
• Example: Gathering employee emails, network diagrams, and system information
• Defence: Limit publicly available information and monitor for scanning activity

2. Weaponisation

• What: Creating the attack tool
• Example: Embedding malware inside a legitimate-looking document
• Defence: Use antivirus solutions and email filtering

3. Delivery

• What: Transmitting the weapon to the target
• Example: Malicious email attachments, compromised websites, or USB devices
• Defence: Security awareness training and web filtering

4. Exploitation

• What: Triggering a vulnerability
• Example: User opens an infected attachment or visits a malicious website
• Defence: Keep software patched and deploy exploit prevention

5. Installation

• What: Installing malware or a backdoor
• Example: Malware executes and establishes persistence
• Defence: Endpoint protection and least-privilege access

6. Command & Control (C2)

• What: Establishing remote control of the compromised system
• Example: Malware communicates with the attacker’s server
• Defence: Network monitoring and blocking malicious domains

7. Actions on Objectives

• What: Achieving the attacker’s goal
• Example: Data exfiltration, system destruction, or ransomware deployment
• Defence: Data encryption, regular backups, and an incident response plan

Attack Chain Visualization

Below is a visual demonstration of the Cyber Kill Chain stages:

Cyber Kill Chain Reference Table

Stage	What Happens	Simple Example	Defense Strategy
Reconnaissance	Attacker researches target	Searching LinkedIn for employees	Limit public information
Weaponization	Attack tool is created	Adding malware to PDF document	Email filtering, antivirus
Delivery	Weapon sent to target	Phishing email with attachment	User training, spam filters
Exploitation	Vulnerability is triggered	User opens malicious attachment	Software patches, sandboxing
Installation	Malware installs on system	Malware creates backdoor	Endpoint protection
Command & Control	Remote access established	Malware contacts attacker server	Network monitoring, firewall rules
Actions on Objectives	Attacker achieves goal	Data stolen, ransomware deployed	Encryption, backups, detection

How Different Threat Actors Use the Chain

• Script Kiddies: Often start at Delivery (using others' weapons)
• Criminal Organizations: Follow all stages methodically
• Nation-States: May spend months in Reconnaissance
• Insiders: Might start at Installation or later (already have access)

Breaking the Chain

The best defense is to break the attack chain as early as possible. Stopping an attack at Reconnaissance (stage 1) is much easier than at Actions (stage 7). This is why defense in depth, multiple layers of security, is so important.

Now let's apply what you've learned about threat actors, attack vectors, and the attack chain to analyze real-world inspired scenarios. Understanding how these elements combine in actual attacks will help you recognize similar patterns in your own environment.

Scenario 1: Hospital Ransomware Attack

The Situation

A regional hospital’s systems suddenly lock up. Patient records, appointment systems, and medical equipment interfaces display ransom notes demanding payment in cryptocurrency.

Analysis

• Threat Actor: Criminal organisation (financially motivated professionals)
• Primary Attack Vector: Phishing email with a malicious attachment

Attack Chain Progression

1. Reconnaissance: Research hospital staff email addresses from public sources
2. Weaponisation: Disguise ransomware as a patient-related document
3. Delivery: Send phishing emails to administrative staff
4. Exploitation: Staff opens attachment and enables malicious macros
5. Installation: Ransomware installs and spreads across the network
6. Command & Control: Malware communicates with the attacker’s server
7. Actions on Objectives: Encrypts files and displays a ransom demand

Impact

Hospital operations are halted, patient care is delayed, and the organisation suffers significant financial and reputational damage.

Prevention

• Security awareness training
• Email filtering
• Regular, tested backups
• Network segmentation

Scenario 2: Corporate Data Breach

The Situation

A technology company discovers that source code for an upcoming product has been stolen and leaked online. The breach is found to have occurred months earlier.

Analysis

• Threat Actor: Hacktivist group (ideologically motivated)
• Primary Attack Vector: SQL injection against a web application

Attack Chain Progression

1. Reconnaissance: Scan public-facing web applications for vulnerabilities
2. Weaponisation: Craft a malicious SQL injection payload
3. Delivery: Submit malicious input via a web form
4. Exploitation: Database executes unauthorised SQL commands
5. Installation: Backdoor installed on the web server
6. Command & Control: Use the backdoor to extract data covertly
7. Actions on Objectives: Leak source code publicly

Impact

Intellectual property theft, loss of competitive advantage, and reputational damage.

Prevention

• Input validation
• Web application firewalls
• Secure code reviews
• Strong access controls

Scenario 3: Defence Contractor Espionage

The Situation

A defence contractor working on sensitive military technology discovers sophisticated malware exfiltrating design documents for months without detection.

Analysis

• Threat Actor: Nation-state intelligence service
• Primary Attack Vector: Watering hole attack

Attack Chain Progression

1. Reconnaissance: Identify websites frequently visited by employees
2. Weaponisation: Develop a zero-day exploit
3. Delivery: Compromise a legitimate, trusted website
4. Exploitation: Employee browsers are infected upon visit
5. Installation: Advanced persistent threat malware is installed
6. Command & Control: Use covert channels to avoid detection
7. Actions on Objectives: Exfiltrate sensitive documents over time

Impact

Compromise of national security and loss of technological advantage.

Prevention

• Network segmentation
• Behavioural monitoring
• Threat intelligence
• Strict access controls

Scenario Visualization

Below is a visual timeline of the ransomware attack scenario:

Scenario Comparison Table

Scenario	Threat Actor	Primary Vector	Key Stages	Outcome
Hospital Ransomware	Criminal Organization	Phishing Email	Delivery → Exploitation → Actions	Operational disruption, financial demand
Corporate Data Breach	Hacktivist Group	SQL Injection	Reconnaissance → Exploitation → Actions	Intellectual property theft, reputation damage
Defense Contractor Espionage	Nation-State	Watering Hole Attack	Long-term: Reconnaissance → Installation → Actions	Sensitive data exfiltration, national security impact

Common Patterns Across Scenarios

1. All attacks started with reconnaissance - knowing the target is crucial
2. Delivery methods varied but all exploited human or technical weaknesses
3. Time to detection differed - ransomware noticed immediately, espionage lasted months
4. Impact increased with attacker sophistication - from financial loss to national security

You've taken an important step in understanding cybersecurity by learning about threat actors and attack vectors. This foundational knowledge will help you better protect networks and systems in the future.

What You've Learned

Throughout this room, you've gained essential knowledge about:

What You Should Now Understand

After completing this room, you should be able to:

• Categorize different types of threat actors and their motivations
• Identify common attack vectors and how they work
• Explain how attacks progress through stages
• Analyze simplified attack scenarios
• Appreciate the importance of comprehensive security measures