
Anatomy of a Cyber Attack

Cybercriminals use a systematic approach to identify and exploit weaknesses in digital systems. Understanding this methodology is key to building effective defenses.

This process involves defining the attack's scope, planning the intrusion, and executing the final attack.

Core Concepts: Vectors, Surfaces, and Vulnerabilities

Before launching an attack, an adversary must understand the target's weaknesses and potential entry points.

Attack Surface

The attack surface is the sum of all potential entry points, or attack vectors, that an adversary could exploit to compromise a system, network or data. It's the total exposure of an organization to potential threats.

It includes known vulnerabilities and exposed services; every device, user, and network connection is a potential door or window for an attacker to exploit.

A fundamental principle of cyber security is to minimize this surface, as a smaller attack surface reduces risk.

The attack surface is generally categorized into three types:

1. Digital Attack Surface

The digital attack surface encompasses all of an organization's hardware and software components connected to the network. This includes everything from applications, servers, and websites to unauthorized devices and applications introduced through "shadow IT".

Common vulnerabilities in the digital surface include:

  • Weak or poorly managed passwords.

  • System and network misconfigurations.

  • Unpatched vulnerabilities in software, operating systems, and firmware.

  • Internet-facing assets that are not properly secured.

  • Unauthorized use of shadow IT applications or devices.

2. Physical Attack Surface

The physical attack surface comprises all endpoint devices that an attacker can physically access. This includes desktop computers, laptops, mobile phones, hard drives, and USB drives. Threats aren't limited to high-tech breaches; they can be as simple as an intruder finding carelessly discarded hardware or a password written on a sticky note.

Common threats to the physical surface include:

  • Malicious insiders: Individuals with authorized access who misuse their privileges to steal data, disable devices or install malware.

  • Device theft: Stolen laptops or phones can be exploited to access stored data and network credentials.

  • Baiting: An attacker intentionally leaves a malware-infected USB drive in an accessible location, tricking an employee into plugging it into their system.

3. Social Engineering Attack Surface

The social engineering attack surface arises from human factors rather than technical flaws. It involves manipulating or deceiving individuals into performing actions that compromise security or reveal confidential information. This is often the most unpredictable surface because it targets human psychology.

Examples of exploiting the social engineering surface include:

  • Phishing attacks designed to trick employees into revealing sensitive data like passwords or financial information.

  • Exploiting human error or trust to gain unauthorized physical or digital access.

  • Targeting authorized users who are susceptible to deception or impersonation tactics.


System Vulnerabilities

Vulnerabilities are specific weaknesses in a system that an attacker can exploit. Common technical vulnerabilities include:

  1. Inadequate Border Protection: Weak security at the network perimeter, like unprotected firewalls.

  2. Weak Remote Access Servers (RASs): Poor authentication controls on remote access points.

  3. Unpatched Application Servers: Systems with known, publicly documented exploits that have not been fixed.

  4. Misconfigured Systems: Devices using default settings or improperly configured security options.

Attack Vector

An attack vector is the specific path or method an attacker uses to deliver a malicious payload and gain unauthorized access to a system, network, or data. It describes the "how" of a cyber attack: the delivery route the attacker takes.

Here are some of the most common attack vectors.

Human-Based Vectors (Social Engineering)

Exploits human psychology rather than technical flaws.

  • Phishing Emails: Attackers send deceptive emails that appear to be from legitimate sources, tricking recipients into revealing sensitive information like passwords or credit card numbers. This is a primary form of social engineering.

  • Deception and Impersonation: Criminals may pose as law enforcement officials (as seen in Digital Arrest Scams) or service providers to extort money or gain unauthorized access through social engineering tactics.

Web-Based Vectors

These vectors use websites and web services to deliver threats.

  • Malicious Websites and Pop-up Ads: Attackers create or compromise websites to host malicious code. Visiting such a site or clicking on a deceptive pop-up ad can trigger a malware download without the user's knowledge.

  • Web Jacking/Hijacking: An attacker takes control of a website by stealing login credentials, allowing them to spread malware, steal user data, or redirect traffic.

Software and Hardware-Based Vectors

These vectors leverage software vulnerabilities or physical media to launch an attack.

  • Malware (Viruses, Worms, Ransomware): Malicious software is a primary payload delivered through various vectors. It can be spread via infected downloads, email attachments, or network vulnerabilities to damage systems, steal data, or encrypt files for a ransom.

  • Compromised USB Drives: A physical attack vector where an attacker uses an infected USB drive or other removable media to introduce malware to a system. This is a common method for baiting attacks.

  • Exploiting Vulnerabilities: Hackers actively seek out and exploit security flaws in software, operating systems, or networks to gain unauthorized access.

The Three Phases of a Cyber Attack

Cybercriminals use a systematic approach to identify, analyze, and exploit weaknesses in systems. Targets may include individuals, organizations, or even governments.

Cyber attacks typically follow a structured, three-phase plan.

Phase 1: Reconnaissance (Information Gathering)

Reconnaissance is the preparatory phase where an attacker gathers as much information as possible about the target. This initial stage is often passive, meaning it is conducted without directly interacting with the target's systems, to avoid detection.

  • Passive Reconnaissance: Gathers information from publicly available sources like websites, social media, and WHOIS data.

  • Active Reconnaissance: Involves direct interaction, such as probing open ports, which increases the risk of detection.

Footprinting is a common technique used during reconnaissance to build a profile of the target, including:

  • Network architecture
  • Domain names and IP addresses
  • Operating systems and applications in use
  • Security policies and vulnerabilities

Phase 2: Scanning and Scrutinizing

This phase acts as a bridge between reconnaissance and the actual attack, using the gathered information to find specific, exploitable weaknesses.

  • Port Scanning: Identifies which logical ports are open, closed, or filtered by a firewall, revealing what services are running on a system.

  • Network Scanning: Detects active hosts on a network and maps its topology and device configurations.

  • Vulnerability Scanning: Uses automated tools to identify known security flaws in software and services.

Phase 3: Attack Launch (Exploitation)

This is the final phase where the attacker gains and maintains control over the system. The typical steps include:

  1. Crack credentials like passwords to gain initial access.

  2. Exploit privileges to escalate access to an administrator or root level.

  3. Execute malicious code or commands.

  4. Hide tools and files to remain undetected.

  5. Cover tracks by deleting access logs and other traces of the intrusion.

Types of Cyber Attacks: Active vs. Passive

Attacks are broadly classified based on whether they involve direct interaction and modification of the target system.

Passive Attacks

These attacks involve silent observation and information gathering without altering the target system. They threaten confidentiality and often serve as reconnaissance, leaving little to no trace.

  • Eavesdropping – Listening to unencrypted network communication
  • Traffic Analysis – Monitoring communication flow to gather insights
  • Keylogging – Recording keystrokes to capture credentials or sensitive data
  • Packet Sniffing – Intercepting and analyzing data packets on a network

Active Attacks

These attacks involve direct interaction to modify or disrupt data, services, or system behavior. They affect a system's integrity and availability and carry a high risk of detection.

  • Man-in-the-Middle (MitM) – Intercepting and altering communication between two parties

  • Distributed Denial-of-Service (DDoS) – Overwhelming a system or server with excessive traffic

  • SQL Injection – Injecting malicious SQL queries to manipulate or destroy database content

Other active attack techniques include: packet injection, spoofing (IP, ARP, DNS), session hijacking, buffer overflow, and malware insertion.

Port Scanning with Nmap

Tools are crucial for the scanning phase, with Nmap being one of the most prominent.

Understanding Ports

A port is a logical communication endpoint through which an application exchanges information using the TCP or UDP protocols. It is identified by a number from 0 to 65535.

A port scan can reveal a port's state:

  1. Open or accepted: The host has sent a reply indicating that a service is actively listening on the port for connections.

  2. Closed or not listening: The port is reachable but no service is listening. The host sent a reply indicating that connections will be denied to the port.

  3. Filtered or Blocked: No response received, often due to firewalls or security devices.

Nmap (Network Mapper)

Nmap is a powerful, open-source network scanning tool used for host discovery, port scanning, and vulnerability detection in a network. It operates by sending packets to target systems and analyzing the responses.

A common TCP port-scanning technique Nmap employs is the SYN scan, also known as a "half-open" scan, which is relatively stealthy:

  1. Nmap initiates a TCP connection with a SYN packet.

  2. If the port is open, the target responds with a SYN-ACK packet.

  3. Instead of completing the handshake with an ACK, Nmap replies with a RST (reset) packet to terminate the connection, avoiding a full connection that could be logged by the target.
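As an added illustration (not part of the original notes or of Nmap), the following Python maps the three reply types from the port-state list above onto their states, and runs a simple defender-side detector for the half-open pattern over constructed connection-log lines. The log format, the field names and the `min_ports` threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Map a target's reply to a probe SYN onto the three port states described above.
def classify_port(reply):
    if reply == "SYN-ACK":
        return "open"        # a service is listening on the port
    if reply == "RST":
        return "closed"      # reachable, but no service is listening
    if reply is None:
        return "filtered"    # no answer: dropped by a firewall or similar device
    raise ValueError(f"unexpected reply: {reply!r}")

# Constructed connection-log lines (hypothetical format, not any real product's):
# one line per client->server flow, listing the TCP flags the client sent.
SAMPLE_LOG = """\
src=10.0.0.5 dst=10.0.0.20 dport=22 client_flags=S,R
src=10.0.0.5 dst=10.0.0.20 dport=80 client_flags=S,R
src=10.0.0.5 dst=10.0.0.20 dport=443 client_flags=S,R
src=10.0.0.5 dst=10.0.0.20 dport=3306 client_flags=S
src=10.0.0.5 dst=10.0.0.20 dport=8080 client_flags=S,R
src=10.0.0.9 dst=10.0.0.20 dport=443 client_flags=S,A
src=10.0.0.9 dst=10.0.0.20 dport=443 client_flags=S,A
src=10.0.0.9 dst=10.0.0.20 dport=80 client_flags=S,A
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) client_flags=(?P<flags>\S+)"
)

def detect_half_open_scans(log_text, min_ports=5):
    """Return {"src->dst": sorted ports} for sources that sent SYNs to many
    distinct ports on one host without ever sending the ACK that completes
    the handshake (the half-open signature: SYN followed by RST or nothing)."""
    incomplete = defaultdict(set)   # (src, dst) -> ports never ACKed by src
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip malformed lines instead of crashing the detector
        flags = set(m["flags"].split(","))
        if "S" in flags and "A" not in flags:
            incomplete[(m["src"], m["dst"])].add(int(m["dport"]))
    return {
        f"{src}->{dst}": sorted(ports)
        for (src, dst), ports in incomplete.items()
        if len(ports) >= min_ports
    }
```

In the constructed log, 10.0.0.5 touches five ports without completing a handshake and is flagged, while 10.0.0.9 completes normal connections and is not.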

Functions of Nmap

  • Host Discovery: Identifies live hosts in a network.
  • Port Scanning: Detects open ports on a system.
  • Service Version Detection: Determines the application and version information running on open ports.
  • Operating System Detection: Estimates the operating system of the target system.
  • Vulnerability Scanning: Identifies known vulnerabilities using the Nmap Scripting Engine (NSE).
  • Network Mapping: Provides a visual representation of the network structure.
