Key Takeaways: The Threat Landscape

A one-page reference. Reread before an exam or before moving on. Dense by design.

Threat-actor taxonomy (memorize cold)

Actor Motivation Capability Targets a bank? Defender's key fact
Nation-state / APT Espionage, strategic advantage, sabotage Very high; patient; custom tools, zero-days Sometimes (strategic / via supply chain) Can't out-spend; detect & contain
Cybercriminal Money Low→high; businesslike, automates Constantly Economically rational — be a costlier target
Hacktivist Ideology, protest, attention Low→moderate Situational Not deterred by "nothing to steal"
Insider Grievance, greed, or accident Starts with legitimate access Always present Begins inside; needs detection + culture
Script kiddie Ego, curiosity Low; runs others' tools Opportunistically Can't improvise past a closed door
  • Two axes: motivation (why) × capability (how good). Dangerous quadrant = high × high.
  • APT = Advanced Persistent Threat: advanced technique, persistent long-term access, often nation-state.
  • Naming the actor is a defensive act — it right-sizes the defense ("hackers" is not a threat).

Motivations → behavior → defense

Motivation Behavior signature Detect by…
Money Fast, loud; toward ransomware/fraud/monetization Sudden escalation + lateral movement toward financial systems
Espionage Slow, quiet; living off the land; "watch, don't grab" Quiet anomalies: odd account/host/off-hours behavior, slow egress
Ideology Targets by belief/event; disruption, defacement, leaks Availability attacks; watch public posture, not just assets
Ego Opportunistic, showy; easy wins Basic hygiene denies the easy hole

Rule: Read the goal → anticipate the next move. "What would an attacker with this goal do next?"

The cyber kill chain (in order)

# Stage Attacker does Break it with…
1 Reconnaissance Gather target info Reduce footprint; watch for active scanning
2 Weaponization Build the weapon/payload Threat intel recognizes known tooling
3 Delivery Send it (email/web/USB/supply chain) Email/URL filtering, sandboxing, user reporting
4 Exploitation Trigger it (run code / use creds) Patching, hardening, EDR, app control, MFA
5 Installation Persist (backdoor/task/account) EDR, baseline/autoruns, least privilege
6 Command & Control Phone home / beacon Network + DNS monitoring, block C2, beacon detection
7 Actions on Objectives Exfil / ransomware / fraud DLP, anomaly on transfers, segmentation, backups

🚪 Core idea: the attacker must pass every stage; the defender only has to break one link. This is the engine of defense in depth (Theme 4). Meridian's Ch.1 attack broke at Exploitation (MFA); SolarWinds broke at Command & Control (behavioral anomaly). Limit: the model is perimeter/malware-centric; real attacks skip stages or start inside.

MITRE ATT&CK — the shared language

Level Question it answers Example
Tactic The adversary's goal in a phase Initial Access, Persistence, Credential Access
Technique The method (stable ID) Phishing = T1566; Command/Scripting = T1059
Procedure The specific implementation Fake DocuSign email → cloned SSO page harvesting a password
  • Together = TTPs (tactics, techniques, procedures) — an adversary's characteristic way of operating.
  • ATT&CK is a common language, a coverage map, and threat-informed defense made operational.
  • Detect behavior, not just indicators: an IP/hash is cheap to change; a technique is costly to abandon → behavioral detections age slowly. (Pyramid of pain — climbed in Ch.22.)
  • Pitfall: ATT&CK is not a checklist to turn fully green; cover the techniques of your likely actors.

Intrusion vocabulary

Term Definition
Indicator of compromise (IoC) Observable artifact of an intrusion (hash, IP, domain, registry key, log string) — raw evidence
Threat intelligence Curated, analyzed understanding of adversaries (identity, motive, infra, TTPs) — gives indicators meaning
Attack vector The path/means an attacker uses to reach and breach a target (email, web, media, vuln service, supplier)
Payload The part of an attack that executes the attacker's intent once delivered (run code, backdoor, encrypt)
Social engineering Manipulating people into actions/disclosures that compromise security (e.g., phishing)

STRIDE-lite threat model

Letter Threat CIA property
Spoofing Pretend to be someone/something else Authentication
Tampering Unauthorized modification Integrity
Repudiation Deny an action; no proof Non-repudiation
Information disclosure Expose data Confidentiality
Denial of service Make it unavailable Availability
Elevation of privilege Gain capabilities you shouldn't Authorization
  • A threat model = structured answer to what are we protecting, who attacks it, how, where do we stop them? Tie each threat to an actor + kill-chain stage + defense → it becomes your roadmap.
  • STRIDE = a checklist against forgetting; populate every letter, especially the ones you struggle with (those are blind spots).

Anchor cases (this chapter)

Case Actor Motivation Caught by Lesson → chapter
SolarWinds / Sunburst Nation-state APT Espionage Behavioral anomaly (not antivirus) Trust = managed risk → Ch.29, 31; detection → Ch.22
Ransomware (Colonial Pipeline) Cybercriminal Money (availability) (after impact) Many links to break; offline backups decisive → Ch.24, 33, 35
  • Double extortion: steal data then encrypt — backups alone don't remove the leak threat (Ch.35).
  • Living off the land: use built-in legit tools to evade signatures — defeat with behavioral detection.

Certification crosswalk

Concept CompTIA Security+ (ISC)² CISSP domain
Threat-actor types & attributes 2.0 Threats, Vulnerabilities & Mitigations Security Operations; Security & Risk Mgmt
Motivations / threat intel 2.0; 4.0 Security Operations Security Operations
Cyber kill chain 4.0 Security Operations Security Operations
MITRE ATT&CK / TTPs / IoCs 4.0 Security Operations Security Operations
Attack vectors / payloads 2.0 Threats & Mitigations Communication & Network Security
Threat modeling / STRIDE 1.0; 3.0 Security Architecture Security Architecture & Engineering
Social engineering 2.0 Threats & Mitigations Security & Risk Management

Project additions this chapter

  • Meridian program: threat-actor profile (criminals HIGH; insiders ever-present; hacktivists situational; APT low-likelihood/high-impact) + STRIDE-lite threat models for crown-jewel assets + re-prioritized risk register (adds supply-chain risk).
  • bluekit toolkit: threatmodel.pykill_chain_stage(event) and attack_surface(assets).

Common pitfalls

  • Writing "hackers" instead of a specific actor + motivation + vector.
  • Equating low skill (script kiddie) or low likelihood (APT) with low risk — impact still counts ($\text{Risk} = \text{L} \times \text{I}$).
  • Treating ATT&CK as a checklist to fully "green," producing brittle detections that never fire.
  • Detecting only indicators (IPs/hashes) and neglecting durable behavioral detection.
  • Concluding "we can't stop a nation-state, so why invest?" — defense isn't binary; controls limit blast radius and dwell time even when prevention fails.
  • Modeling only the probable threat and forgetting the high-impact one (the supply-chain blind spot).