4.2 Network Threats and Attacks
Why this module matters
Defenders need to think like attackers to recognize malicious patterns early. Many exam questions in this area are not asking you to memorize names only. They ask you to identify how an attack works, what makes it different from similar attacks, and which control best reduces risk.
This lesson covers threat actors, denial-of-service attacks, malware, man-in-the-middle attacks, side-channel attacks, phishing, zero-day and supply chain threats, plus the major detection and prevention tools.
Learning goals
By the end of this lesson, you should be able to:
1. Rank threat actors by capability.
2. Compare DoS and DDoS by type and effect.
3. Distinguish common malware families.
4. Explain MITM attack methods.
5. Identify phishing variants.
6. Define zero-day and supply chain attacks.
7. Compare IDS, IPS, NIDS, HIDS, and SIEM.
8. Match firewall and security controls to the right threat.
---
Threat Actors
Threat actors are people or groups that carry out attacks. They differ by motivation, resources, skill, and persistence.
Threat actor table
| Actor | Capability | Motivation | Typical behavior |
|---|---|---|---|
| Script kiddie | Low | Curiosity, bragging rights, mischief | Uses tools made by others, limited skill |
| Hacktivist | Variable | Ideology, protest, politics | Defacement, leaks, disruptive campaigns |
| Insider | Variable to high | Money, revenge, negligence | Misuse of legitimate access |
| Organized crime | High | Profit | Fraud, ransomware, theft, extortion |
| Cybercriminal group | High | Profit | Phishing, botnets, credential theft |
| Competitor / industrial spy | High | Business advantage | Data theft, espionage |
| Nation-state | Very high | Intelligence, disruption, geopolitics | Advanced persistent threats, supply chain compromise |
How to think about threat actors
The more resources an attacker has, the more patient and sophisticated they tend to be. A script kiddie often wants a quick result. A nation-state may spend months learning the environment before acting.
Real-world analogy:
- Script kiddie: someone using a generic lock-picking set found online.
- Nation-state: a professional team building a custom tool for a specific vault.
> Exam tip: If the question says “highly resourced, persistent, stealthy, politically motivated,” think nation-state or advanced persistent threat behavior.
---
Denial of Service Attacks
A denial of service attack tries to make a system unavailable to legitimate users.
DoS vs DDoS
| Type | Source | Scale | Defense difficulty |
|---|---|---|---|
| DoS | Single source | Smaller | Easier to block |
| DDoS | Many distributed sources, often botnets | Large | Much harder to stop |
Botnets
A botnet is a network of compromised devices controlled by an attacker. Each infected device, or bot, can be told to flood a target at the same time.
Why botnets are dangerous:
- They can generate huge traffic volumes.
- The traffic appears from many locations.
- Blocking one IP address rarely solves the problem.
DDoS categories
| Category | What it targets | Example attacks |
|---|---|---|
| Volumetric | Bandwidth | UDP flood, ICMP flood, DNS amplification |
| Protocol | Network stack resources | SYN flood, fragmented packet attacks |
| Application | App/server processing | HTTP flood, Slowloris-style attacks |
Volumetric attacks
These try to consume bandwidth. They are like clogging a highway with traffic so no legitimate car can pass.
Protocol attacks
These target weaknesses in TCP/IP handling. A SYN flood, for example, exhausts half-open connection tables by sending many SYN packets without finishing the handshake.
Application attacks
These target the service itself. They may be slower and more subtle, but they can still shut down a website by exhausting web server threads, database connections, or request handlers.
DoS scenario
Imagine a ticket site that suddenly gets thousands of fake requests per second. The website becomes slow or unavailable to real customers. That is a denial of service attack.
> Exam tip: A DDoS involves multiple sources, often a botnet. If the question mentions many compromised machines, it is DDoS.
---
Malware Types
Malware is software created to damage, steal, spy, or disrupt. Different malware types behave differently, and exam questions often ask you to match the definition.
Malware comparison table
| Malware | Description | Host needed? | Self-replicates? |
|---|---|---|---|
| Virus | Attaches to a legitimate file or program and spreads when executed | Yes | Yes, but usually via user action |
| Worm | Self-contained malware that spreads automatically across networks | No | Yes |
| Trojan | Malicious software disguised as something useful | No | No |
| Ransomware | Encrypts or blocks access to files and demands payment | Usually yes | Sometimes |
| Rootkit | Hides malicious activity and gives stealthy control | Usually yes | Not necessarily |
| Spyware | Secretly monitors user behavior or data | Usually yes | Not necessarily |
Virus
A virus needs a host file or program. It usually spreads when the infected program is run. The key idea is that it attaches to something legitimate.
Analogy:
A virus is like a forged page stapled to a real document. The real document is the host.
Worm
A worm self-replicates and spreads on its own, often through network connections or shared vulnerabilities. It does not need a user to run a host file first.
Analogy:
A worm is like a rumor that spreads by itself from person to person without needing an invitation.
Trojan
A Trojan looks legitimate or useful but secretly performs malicious actions. It depends on deception.
Example:
A fake software update that installs a backdoor is a Trojan.
Ransomware
Ransomware encrypts data or locks systems and demands payment for recovery.
It may arrive through:
- Phishing emails
- Drive-by downloads
- Exploited vulnerabilities
- Malicious attachments
Rootkit
A rootkit is designed to hide itself and maintain privileged access. It may conceal files, processes, registry entries, or kernel objects.
Spyware
Spyware silently watches the user. It may capture browsing habits, keystrokes, login data, or other sensitive information.
> Exam tip: Worm = self-replicates automatically. Virus = needs a host and user execution. Trojan = disguised as something legitimate.
---
Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack occurs when an attacker secretly inserts themselves between two communicating parties. The attacker can observe, relay, or alter the traffic.
Why MITM is dangerous
- Confidential data can be read.
- Authentication can be stolen.
- Messages can be altered in transit.
- Users may think they are communicating with a trusted system.
Common MITM methods
#### ARP spoofing
At Layer 2, the attacker sends fake ARP replies so the victim sends traffic to the attacker’s MAC address instead of the real gateway.
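One way a defender spots this Layer 2 trick is to watch for the gateway IP suddenly being claimed by a second MAC address. The following is an added example, not part of the lesson; the ARP replies are constructed sample data and 192.168.1.1 is assumed to be the default gateway.

```python
from collections import defaultdict

# Constructed sample ARP replies in (sender IP, sender MAC) form, as a host on
# the LAN would see them. 192.168.1.1 is assumed to be the default gateway.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway reply
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # same gateway MAC, fine
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claims a new MAC
    ("192.168.1.30", "aa:bb:cc:00:00:30"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),
]

def find_arp_conflicts(replies, watched_ips=None):
    """Return {ip: [mac, ...]} for every IP claimed by more than one MAC.

    watched_ips, if given, restricts the check to critical addresses such as
    the default gateway, the usual target of ARP spoofing.
    """
    seen = defaultdict(list)
    for ip, mac in replies:
        if watched_ips and ip not in watched_ips:
            continue
        mac = mac.lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def first_remap_index(replies, ip):
    """Index of the first reply where `ip` is claimed by a MAC different from
    the one it was first seen with, or None if the mapping never changed."""
    first_mac = None
    for i, (r_ip, mac) in enumerate(replies):
        if r_ip != ip:
            continue
        if first_mac is None:
            first_mac = mac.lower()
        elif mac.lower() != first_mac:
            return i
    return None

if __name__ == "__main__":
    conflicts = find_arp_conflicts(SAMPLE_ARP_REPLIES, watched_ips={"192.168.1.1"})
    for ip, macs in conflicts.items():
        print(f"ALERT: {ip} claimed by multiple MACs: {macs}")
    print("first remap at reply index:", first_remap_index(SAMPLE_ARP_REPLIES, "192.168.1.1"))
```

A static ARP entry for the gateway, or switch features such as dynamic ARP inspection, stop the remap rather than merely reporting it.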
#### Session hijacking
The attacker steals or reuses an active session token, cookie, or identifier and impersonates the user.
#### Rogue access point
A fake or unauthorized access point is installed to trick users into connecting. Once connected, the attacker can observe or manipulate traffic.
#### Evil twin
A special type of rogue AP that imitates a legitimate Wi-Fi network name to lure victims.
MITM prevention
- Use encryption such as TLS.
- Validate certificates.
- Use secure Wi-Fi with WPA2 or WPA3.
- Avoid untrusted networks for sensitive logins.
- Use VPNs where appropriate.
MITM analogy
It is like someone intercepting your sealed mail, opening it, reading or changing it, and resealing it so neither end notices.
---
Side-Channel Attacks
Side-channel attacks do not attack the algorithm directly. Instead, they exploit the information leaked by its physical or observable behavior.
Side-channel types
| Side channel | What it measures | Example use |
|---|---|---|
| Timing | How long an operation takes | Inferring key bits from response time |
| Power | Electrical usage patterns | Observing cryptographic operations |
| Electromagnetic | EM emissions from hardware | Capturing leakage from devices |
Why this matters
Even if a cryptographic algorithm is mathematically strong, a flawed implementation may leak clues through timing or power consumption. The attacker uses those clues to reconstruct secrets.
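The timing row above is easiest to see in a secret comparison. This added example (not from the lesson) counts how many bytes each comparison touches instead of timing it, since that count is what an attacker's measurements approximate; `SECRET` is a constructed sample value.

```python
import hmac

def naive_compare(secret: bytes, guess: bytes):
    """Early-exit comparison. Work done depends on how many leading bytes
    match, so response time reveals the length of the correct prefix.
    (The length check also leaks the secret's length.)"""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps

def constant_time_compare(secret: bytes, guess: bytes):
    """Touches every byte and accumulates differences with OR, so there is
    no data-dependent early exit. This is the idea behind the standard
    library's hmac.compare_digest, which production code should call."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    diff = 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps

def prefix_leak_profile(secret: bytes, compare):
    """For each guess that matches i leading bytes and then diverges, record
    the work done. A flat profile means the comparison leaks nothing about
    how much of the guess was right."""
    profile = []
    for i in range(len(secret)):
        wrong_byte = bytes([secret[i] ^ 0xFF])
        guess = secret[:i] + wrong_byte + secret[i + 1:]
        _, steps = compare(secret, guess)
        profile.append(steps)
    return profile

SECRET = b"s3cr3t-token"  # constructed sample secret

if __name__ == "__main__":
    print("naive:        ", prefix_leak_profile(SECRET, naive_compare))
    print("constant-time:", prefix_leak_profile(SECRET, constant_time_compare))
    print("stdlib check: ", hmac.compare_digest(SECRET, b"s3cr3t-token"))
```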
Real-world analogy:
Imagine trying to guess a safe combination by watching how the dial feels rather than breaking the safe. The safe is intact, but it leaks hints.
> Exam tip: Side-channel attacks often involve physical or environmental leakage, not packet traffic.
---
Phishing Variants
Phishing is social engineering that tricks users into revealing information or installing malware. The attacker usually impersonates a trusted person or organization.
Phishing types
| Variant | Target | Description |
|---|---|---|
| Phishing | Broad | Mass emails sent to many people |
| Spear phishing | Specific person or group | Personalized and targeted |
| Whaling | Senior executive or high-value target | Focused on leadership, finance, or legal staff |
| Vishing | Voice calls | Uses phone calls or voicemail |
| Smishing | SMS/text messages | Uses text messages to lure victims |
Examples
- A generic “reset your password now” email sent to thousands of users is phishing.
- A carefully written email to one payroll clerk asking for a wire transfer is spear phishing.
- A fake urgent message aimed at the CEO is whaling.
- A phone call claiming to be from tech support is vishing.
- A text containing a malicious link is smishing.
Why phishing works
Phishing exploits urgency, authority, fear, curiosity, and trust.
Common lures:
- Account suspension notices
- Fake delivery alerts
- Password reset prompts
- Invoice fraud
- Executive impersonation
> Exam tip: If the attack uses SMS, choose smishing. If it uses voice or phone calls, choose vishing.
---
Zero-Day Attacks
A zero-day vulnerability is a flaw that is unknown to the vendor or not yet patched. A zero-day attack exploits that weakness before defenders can widely mitigate it.
Why it is dangerous:
- No patch may exist yet.
- Antivirus signatures may not detect it.
- Defenders may not even know the flaw exists.
Think of it like a burglar finding a hidden unlocked door that nobody realized was there.
Defense ideas
- Apply defense in depth.
- Use behavior-based detection.
- Reduce attack surface.
- Patch quickly when fixes become available.
- Segment critical systems.
> Exam tip: “Unknown vulnerability with no patch yet” points to zero-day.
---
Supply Chain Attacks
A supply chain attack targets the trusted path by which software, hardware, updates, or services are delivered.
Instead of attacking the victim directly, the attacker compromises a vendor, build system, update server, package repository, contractor, or hardware supplier.
Why supply chain attacks are powerful
- The malicious component comes from a trusted source.
- Many downstream organizations may be affected at once.
- Detection is difficult because the item appears legitimate.
Examples
- A tainted software update that installs malware
- Compromised open-source dependency
- Malicious firmware inserted before delivery
- Vendor account compromise that pushes fake updates
Supply chain defense
- Verify software integrity and signatures.
- Review third-party risk.
- Use least privilege for vendors.
- Segment update infrastructure.
- Maintain asset and dependency inventories.
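The first defense in that list, verifying integrity, looks like this in practice. This is an added example, not from the lesson: a delivered package is checked file by file against a digest manifest. Package contents and manifest are constructed in memory; in practice the manifest comes from the vendor over a separate trusted channel (or inside a signed release file), never only alongside the package it covers.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "known-good" package as published by the vendor.
GOOD_PACKAGE = {
    "bin/agent": b"\x7fELF...agent-build-42...",
    "lib/helper.so": b"\x7fELF...helper...",
    "install.sh": b"#!/bin/sh\n./bin/agent --install\n",
}
# The manifest pins a digest for every file in the release.
MANIFEST = {name: sha256_hex(data) for name, data in GOOD_PACKAGE.items()}

# Constructed tampered delivery: installer altered, one unpinned file added.
TAMPERED_PACKAGE = dict(GOOD_PACKAGE)
TAMPERED_PACKAGE["install.sh"] = b"#!/bin/sh\n./bin/agent --install --disable-verify\n"
TAMPERED_PACKAGE["lib/extra.so"] = b"\x7fELF...unexpected..."

def verify_package(files, manifest):
    """Return {name: status} with status 'ok', 'modified', 'missing'
    (pinned but not delivered) or 'unexpected' (delivered but not pinned).
    Installation should proceed only if every status is 'ok'."""
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(sha256_hex(files[name]), expected):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report

def is_trustworthy(files, manifest) -> bool:
    return all(status == "ok" for status in verify_package(files, manifest).values())

if __name__ == "__main__":
    print("good:    ", verify_package(GOOD_PACKAGE, MANIFEST))
    print("tampered:", verify_package(TAMPERED_PACKAGE, MANIFEST))
```

A digest manifest only proves the package matches what the manifest says; a signature over the manifest is what ties it to the vendor.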
> Exam tip: If the attack is delivered through a trusted vendor or update mechanism, think supply chain.
---
Detection Technologies
Good defense requires visibility. Detection tools help identify malicious activity, but they work at different points and with different methods.
IDS vs IPS
| Feature | IDS | IPS |
|---|---|---|
| Full name | Intrusion Detection System | Intrusion Prevention System |
| Placement | Passive, off-path | Inline, in traffic path |
| Action | Alerts only | Blocks or drops traffic |
| Risk | Missed attacks | False positives can block legitimate traffic |
| Best for | Visibility and alerting | Real-time enforcement |
> Exam tip: IDS detects. IPS prevents.
NIDS vs HIDS
| Feature | NIDS | HIDS |
|---|---|---|
| Full name | Network-based IDS | Host-based IDS |
| Observes | Network traffic | One host’s logs, files, processes, behavior |
| Strength | Sees network-wide patterns | Sees local host activity in detail |
| Weakness | Encrypted traffic may hide details | Only sees the host where it is installed |
NIDS is like a security camera covering the hallway. HIDS is like a camera inside one office.
Detection methods
| Method | How it works | Strengths | Weaknesses |
|---|---|---|---|
| Signature-based | Matches known bad patterns | Accurate for known threats | Misses new attacks |
| Anomaly-based | Compares behavior to a baseline | Can detect unknown threats | More false positives |
| Heuristic | Uses rules and logic to flag suspicious activity | Useful against variants | Still can create false alarms |
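Signature-based and anomaly-based detection are easiest to compare on the same data. This added example (not from the lesson) runs both over constructed web-server log lines: the signatures catch two known patterns, while the anomaly rule catches a probing client that matches no signature at all.

```python
import re
from collections import Counter

# Constructed sample access-log lines: "client_ip method path status"
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.9 GET /login 200
10.0.0.9 POST /login 302
10.0.0.7 GET /search?q=a'%20OR%20'1'='1 500
10.0.0.9 GET /products 200
10.0.0.22 GET /admin/.env 404
10.0.0.22 GET /admin/backup.zip 404
10.0.0.22 GET /admin/config.php 404
10.0.0.22 GET /admin/db.sql 404
10.0.0.5 GET /contact.html 200
""".splitlines()

# Signature rules: patterns the analyst already knows to be bad.
SIGNATURES = {
    "sqli_or_1_equals_1": re.compile(r"'(?:%20|\s)*OR(?:%20|\s)*'1'='1", re.I),
    "dotenv_probe": re.compile(r"/\.env\b"),
}

def parse(line):
    ip, method, path, status = line.split()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}

def signature_hits(lines):
    """Return [(rule_name, line)] for every line matching a known pattern."""
    hits = []
    for line in lines:
        for name, rx in SIGNATURES.items():
            if rx.search(parse(line)["path"]):
                hits.append((name, line))
    return hits

def anomaly_hits(lines, max_404_ratio=0.5, min_requests=3):
    """Flag client IPs whose share of 404 responses is far above the norm.
    The baseline here is fixed ("most clients rarely see 404s"); a real
    anomaly engine learns it from historical traffic."""
    total, not_found = Counter(), Counter()
    for rec in map(parse, lines):
        total[rec["ip"]] += 1
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    return sorted(ip for ip in total
                  if total[ip] >= min_requests
                  and not_found[ip] / total[ip] > max_404_ratio)

if __name__ == "__main__":
    print(signature_hits(SAMPLE_LOG))   # the injection attempt and the .env probe
    print(anomaly_hits(SAMPLE_LOG))     # 10.0.0.22, a scanner with no matching signature
```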
SIEM
Security Information and Event Management systems collect logs from many sources, normalize them, correlate events, and alert analysts.
What SIEM does well:
- Centralizes security logs
- Correlates activity across systems
- Supports alerting and investigations
- Helps with compliance and reporting
Analogy:
A SIEM is like a command center that receives reports from many guards, then spots patterns no single guard could see.
---
Prevention Technologies
Detection is important, but prevention is better when the risk is known. Several security controls are common on the exam.
Firewall comparison
| Firewall type | How it works | Typical layer | Strengths | Weaknesses |
|---|---|---|---|---|
| Packet filtering | Allows or blocks based on IP, port, protocol | 3-4 | Fast and simple | Limited context |
| Stateful | Tracks connection state | 3-4 | Better context than packet filtering | Still limited application awareness |
| Proxy | Intermediary that inspects and relays traffic | 7 | Strong content inspection | More overhead |
| NGFW | Deep inspection, app awareness, threat intel | 3-7 | Strong modern control | Complex and costly |
| WAF | Protects web apps specifically | 7 | Great for HTTP/HTTPS threats | Only protects web traffic |
Firewall types explained
Packet filtering firewalls make decisions from packet headers. They are fast, but they do not understand much about the content.
Stateful firewalls track connection state. They know whether packets belong to an established conversation.
Proxy firewalls terminate and inspect sessions, acting like a middleman.
NGFWs can identify applications and enforce more advanced policy.
A WAF focuses on web application attacks such as injection and malicious HTTP patterns.
Antivirus and EDR
Antivirus traditionally looks for known malware signatures and malicious behavior. EDR, or Endpoint Detection and Response, adds deeper behavioral monitoring, telemetry, investigation, and response capability.
Why EDR matters:
- Better visibility into host behavior
- Quicker containment and response
- Stronger against unknown or fileless attacks
Network segmentation
Segmentation divides the network into smaller zones so attackers cannot move freely after compromise.
Benefits:
- Limits lateral movement
- Contains malware outbreaks
- Protects sensitive assets
- Reduces blast radius
Real-world prevention example
If a workstation is infected with malware, segmentation can stop that infection from reaching payroll servers. A firewall, endpoint protection, and restricted VLANs all work together.
---
Putting It Together
An effective defense stack might look like this:
1. A user receives a phishing email.
2. Email filtering blocks obvious threats.
3. The endpoint agent inspects any attachment.
4. The firewall blocks suspicious outbound connections.
5. The SIEM correlates logs from email, endpoint, and network devices.
6. The SOC analyst investigates and isolates the host.
This layered response is a good example of defense in depth.
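Step 5 of that stack, the SIEM correlation, is what turns three separate log entries into one incident. This added example (not from the lesson, and serving the SIEM section above as well) joins the email, endpoint, and firewall stages on the same host within a time window; the events are constructed, already-normalized sample records.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s)

# Constructed, already-normalized events: (time, source, host, event_type, detail).
# A real SIEM normalizes each vendor's log format into something like this first.
SAMPLE_EVENTS = [
    (ts("2024-05-01T09:00:10"), "email",    "ws-17", "attachment_delivered", "invoice.xlsm"),
    (ts("2024-05-01T09:01:05"), "endpoint", "ws-17", "macro_executed",       "invoice.xlsm"),
    (ts("2024-05-01T09:01:30"), "firewall", "ws-17", "outbound_blocked",     "203.0.113.5:4444"),
    (ts("2024-05-01T09:05:00"), "email",    "ws-22", "attachment_delivered", "report.pdf"),
    (ts("2024-05-01T09:40:00"), "endpoint", "ws-22", "macro_executed",       "report.xlsm"),
    (ts("2024-05-01T11:00:00"), "firewall", "ws-22", "outbound_blocked",     "203.0.113.9:443"),
]

# The rule: all three stages on the same host, in order, within the window.
CHAIN = ["attachment_delivered", "macro_executed", "outbound_blocked"]

def correlate(events, window=timedelta(minutes=10)):
    """Return {host: [events]} for hosts where the full chain occurred in order
    within `window` of the first stage. Partial chains are not reported."""
    by_host = {}
    for ev in sorted(events):
        by_host.setdefault(ev[2], []).append(ev)
    alerts = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start[3] != CHAIN[0]:
                continue
            matched, stage = [start], 1
            for ev in evs[i + 1:]:
                if ev[0] - start[0] > window:
                    break               # too far from the first stage; stop
                if ev[3] == CHAIN[stage]:
                    matched.append(ev)
                    stage += 1
                    if stage == len(CHAIN):
                        alerts[host] = matched
                        break
            if host in alerts:
                break
    return alerts

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: " + " -> ".join(f"{e[1]}:{e[3]}" for e in chain))
```

With the default 10-minute window only ws-17 fires; ws-22 has the same three stages spread over two hours, which the rule treats as unrelated noise unless the window is widened.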
---
Exam Tips
- Script kiddie = low skill, reused tools.
- Botnet = many compromised hosts, often used for DDoS.
- Worm = self-replicates without needing a host file.
- Virus = needs a host and user execution.
- Trojan = disguised as something useful.
- MITM often involves ARP spoofing, rogue APs, or session hijacking.
- Smishing uses SMS; vishing uses voice.
- IDS alerts; IPS blocks.
- NIDS watches network traffic; HIDS watches one host.
- WAF protects web apps, not general network traffic.
---
Practice Questions
1. Which threat actor is usually low-skill and uses prebuilt tools?
2. What type of attack uses many distributed systems to overwhelm a target?
3. Which malware self-replicates without needing a host file?
4. What attack involves fake ARP messages redirecting traffic?
5. What phishing variant targets executives?
6. What is a zero-day vulnerability?
7. What system collects and correlates logs from many sources?
8. Which control blocks traffic inline: IDS or IPS?
9. Which firewall type is specialized for HTTP/HTTPS applications?
10. What attack compromises software updates or vendors to reach victims?
Answers
1. ✅ Script kiddie
2. ✅ DDoS
3. ✅ Worm
4. ✅ ARP spoofing
5. ✅ Whaling
6. ✅ An unknown or unpatched vulnerability exploited before a fix is available
7. ✅ SIEM
8. ✅ IPS
9. ✅ WAF
10. ✅ Supply chain attack