Chapter 2: Key Takeaways — Threat Landscape and Attack Taxonomy
Core Concept
Understanding who attacks, why they attack, and how they attack is essential for both effective defense and realistic penetration testing. The modern threat landscape is diverse, professionalized, and constantly evolving.
Essential Takeaways
1. Threat Actors Vary Widely in Motivation and Capability
From script kiddies running automated tools to nation-state APTs conducting multi-year espionage campaigns, the threat spectrum is vast. Your client's threat model — who is most likely to attack them — should shape your penetration testing approach.
2. The Cyber Kill Chain Provides a Linear Model for Understanding Attacks
The seven stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives) describe attack progression and reveal defensive opportunities at each stage. Breaking any link in the chain disrupts the attack.
3. MITRE ATT&CK Is Your Rosetta Stone
ATT&CK provides a detailed, standardized taxonomy of 14 tactics and hundreds of techniques that describe real-world adversary behavior. Use it to plan engagements, map findings, and measure coverage. It is the most important framework in modern cybersecurity.
4. Credentials Are the Most Exploited Attack Vector
Roughly half of all breaches involve compromised credentials. Credential stuffing, password spraying, and phishing for credentials are the most common initial access methods. Always test authentication controls thoroughly.
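The credential attacks named above look different in authentication logs: password spraying is a few failures spread across many accounts from one source, while brute force is many failures against one account. The script below is an added example (not part of the chapter) that applies that distinction to a constructed, simplified log format (`timestamp src_ip username FAIL|OK`) and then lists any account that logged in successfully from a flagged source, which is the first thing an incident responder checks. Thresholds and the log format are assumptions; real SSO or directory logs need their own parser.

```python
"""Separate password spraying from brute force in authentication logs.

Added example for the chapter's credential-attack takeaway. The log format
and the thresholds are constructed assumptions, not a vendor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source, one brute-force source, one
# ordinary user typo. Format: "<ISO timestamp> <src_ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.7 alice FAIL
2024-03-01T08:00:04 203.0.113.7 bob FAIL
2024-03-01T08:00:09 203.0.113.7 carol FAIL
2024-03-01T08:00:13 203.0.113.7 dave FAIL
2024-03-01T08:00:18 203.0.113.7 erin FAIL
2024-03-01T08:00:22 203.0.113.7 frank OK
2024-03-01T08:05:00 198.51.100.4 alice FAIL
2024-03-01T08:05:02 198.51.100.4 alice FAIL
2024-03-01T08:05:03 198.51.100.4 alice FAIL
2024-03-01T08:05:05 198.51.100.4 alice FAIL
2024-03-01T08:05:07 198.51.100.4 alice FAIL
2024-03-01T08:05:09 198.51.100.4 alice FAIL
2024-03-01T09:30:00 192.0.2.9 bob FAIL
2024-03-01T09:30:30 192.0.2.9 bob OK
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=10), min_failures=5, spray_ratio=0.8):
    """Return {src_ip: verdict} for every source with >= min_failures in a window.

    'password_spraying': failures spread over many distinct accounts
    'brute_force':       failures concentrated on a single account
    'mixed':             neither pattern dominates
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))

    verdicts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        # Slide a window starting at each failure; stop at the first one that trips.
        for i, (start, _) in enumerate(fails):
            in_window = [user for ts, user in fails[i:] if ts - start <= window]
            if len(in_window) < min_failures:
                continue
            distinct = len(set(in_window))
            if distinct / len(in_window) >= spray_ratio:
                verdicts[ip] = "password_spraying"
            elif distinct == 1:
                verdicts[ip] = "brute_force"
            else:
                verdicts[ip] = "mixed"
            break
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that authenticated successfully from a flagged source."""
    return sorted({user for _, ip, user, result in events
                   if result == "OK" and ip in verdicts})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = detect(evs)
    print(flagged)
    print("check these accounts first:", compromised_accounts(evs, flagged))
```

The spray ratio is what keeps the two verdicts apart: a source that fails once each against five accounts inside ten minutes is almost never a legitimate user, whereas six failures on one account from one source may be a locked-out employee, so the brute-force verdict deserves a lower alert priority and an account-lockout check rather than an automatic block.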
5. Supply Chain Attacks Exploit Trust
The SolarWinds attack proved that compromising a trusted vendor can provide access to thousands of downstream targets. Evaluate your client's third-party dependencies as part of every engagement.
6. Different Organizations Face Different Threats
MedSecure (healthcare, hybrid infrastructure) faces ransomware and regulatory risk. ShopStack (e-commerce, cloud-native) faces web application attacks and payment card theft. Same techniques, different priorities.
7. Threat Intelligence Makes Pentests More Realistic
Intelligence about active threat groups, exploited CVEs, and industry-specific campaigns transforms a pentest from a generic technical exercise into a targeted threat simulation.
Quick Reference Card
| Framework / Concept | Key Point |
|---|---|
| Cyber Kill Chain | 7 stages; linear model; defensive opportunity at each stage |
| MITRE ATT&CK | 14 tactics; hundreds of techniques; the industry standard |
| ATT&CK technique format | T followed by 4 digits (e.g., T1566 for Phishing) |
| Most common initial access | Phishing, credential attacks, vulnerability exploitation |
| Ransomware evolution | Single extortion to double/triple extortion, delivered through the Ransomware-as-a-Service (RaaS) model |
| Dwell time (2023 median) | 16 days between compromise and detection |
| Supply chain attack example | SolarWinds (T1195.002) |
| Verizon DBIR | Annual report; essential threat landscape reference |
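Takeaway 3 says to map findings to ATT&CK and measure coverage, and the reference card gives the technique ID format. The script below is an added example (not from the chapter and not MITRE's own tooling) that validates technique IDs in a constructed list of pentest findings, including the `T####.###` sub-technique form such as T1195.002, resolves each to its tactic(s), and reports which of the 14 Enterprise tactics the engagement exercised. The technique-to-tactic table is a small hand-built subset; a real report generator would load the full mapping from the published ATT&CK data.

```python
"""Validate ATT&CK technique IDs in findings and measure tactic coverage.

Added example for the chapter's ATT&CK takeaway. TECHNIQUE_TACTIC is a
constructed subset of the real mapping; the findings are constructed.
"""
import re

# T1566 (technique) or T1195.002 (sub-technique); case-insensitive input is normalized.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# The 14 ATT&CK Enterprise tactics, in matrix order.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Constructed subset keyed by parent technique; sub-techniques inherit the parent's tactics.
TECHNIQUE_TACTIC = {
    "T1566": ("Initial Access",),                       # Phishing
    "T1195": ("Initial Access",),                       # Supply Chain Compromise
    "T1110": ("Credential Access",),                    # Brute Force (spraying, stuffing)
    "T1078": ("Defense Evasion", "Persistence",         # Valid Accounts spans
              "Privilege Escalation", "Initial Access"),  # several tactics
}

# Constructed findings, including two that a report reviewer should catch.
FINDINGS = [
    {"title": "Password spraying against VPN portal succeeded", "technique": "T1110.003"},
    {"title": "Phishing lure delivered macro document", "technique": "T1566"},
    {"title": "Build server pulls unpinned dependency", "technique": "T1195.002"},
    {"title": "Reused credentials gave domain access", "technique": "t1078"},  # wrong case
    {"title": "SQL injection in search endpoint", "technique": "CWE-89"},     # not an ATT&CK ID
]


def normalize_id(raw):
    """Return the canonical technique ID, or None if the format is wrong."""
    candidate = raw.strip().upper()
    return candidate if TECHNIQUE_ID.match(candidate) else None


def parent_id(tid):
    """T1195.002 -> T1195; a plain technique ID is returned unchanged."""
    return tid.split(".")[0]


def map_findings(findings):
    """Attach tactic names to each finding; collect problems for the reviewer."""
    mapped, problems = [], []
    for finding in findings:
        tid = normalize_id(finding["technique"])
        if tid is None:
            problems.append((finding["title"], "not an ATT&CK technique ID"))
            continue
        tactics = TECHNIQUE_TACTIC.get(parent_id(tid))
        if tactics is None:
            problems.append((finding["title"], f"{tid} missing from local mapping"))
            continue
        mapped.append({**finding, "technique": tid, "tactics": tactics})
    return mapped, problems


def tactic_coverage(mapped):
    """{tactic: True/False} for all 14 tactics, so gaps are explicit in the report."""
    covered = {t for finding in mapped for t in finding["tactics"]}
    return {t: (t in covered) for t in ENTERPRISE_TACTICS}


if __name__ == "__main__":
    mapped, problems = map_findings(FINDINGS)
    coverage = tactic_coverage(mapped)
    print(f"{sum(coverage.values())} of {len(coverage)} tactics exercised")
    for tactic, hit in coverage.items():
        print(f"  [{'x' if hit else ' '}] {tactic}")
    for title, reason in problems:
        print("REVIEW:", title, "->", reason)
```

Reporting the uncovered tactics is as useful to the client as the covered ones: an engagement whose findings all sit in Initial Access and Credential Access says nothing about detection of Lateral Movement or Exfiltration, and the coverage list makes that scoping gap visible instead of leaving it implied.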
Threat Actor Quick Reference
| Actor Type | Motivation | Capability | Example |
|---|---|---|---|
| Script kiddie | Curiosity, notoriety | Low | Automated scanning with downloaded tools |
| Cybercriminal | Financial | Medium-High | Ransomware gangs (LockBit, Clop) |
| Nation-state (APT) | Espionage, sabotage | Very High | APT29 (Russia), Lazarus (DPRK) |
| Hacktivist | Ideology | Low-Medium | Anonymous operations |
| Insider | Revenge, greed | Varies | Disgruntled employee with DB access |
Common Mistakes to Avoid
- Ignoring the client's threat model — A pentest should simulate realistic threats, not generic ones.
- Overlooking credential attacks — They are the most common vector; test them thoroughly.
- Focusing only on technical vulnerabilities — Social engineering and insider threats are equally important.
- Not using ATT&CK in reports — Technique IDs provide standardized context and actionable references.
- Treating the Kill Chain as rigid — Real attacks loop, skip, and operate at multiple stages simultaneously.
One Sentence to Remember
You cannot test for attacks you have not studied, and you cannot defend against threats you do not understand.