AV-01 · Phishing and credential theft
severity: high
Email phishing, credential harvesting, MFA fatigue, and session theft remain common entry paths into networks because they target people and identity workflows, not just software flaws.
$ action: Use MFA, phishing-resistant sign-in where possible, conditional access, and fast account lock / reset playbooks.
AV-02 · Exposed services and remote access weaknesses
severity: critical
VPNs, firewalls, admin panels, RDP, SSH, and internet-facing applications are repeatedly targeted when patching, hardening, or access controls are weak.
$ action: Maintain an inventory of exposed services, patch aggressively, and restrict administrative access paths.
AV-03 · Vulnerability exploitation and misconfiguration abuse
severity: critical
Attackers consistently exploit known weaknesses and insecure defaults, especially on public-facing systems, cloud services, and network appliances.
$ action: Prioritize externally exposed assets, secure defaults, and exploit-informed remediation over severity scores alone.
AV-04 · Lateral movement after initial access
severity: high
Once inside, attackers use shared credentials, weak segmentation, and poor monitoring to move across systems and escalate privileges.
$ action: Segment networks, reduce admin sprawl, monitor east-west traffic, and alert on abnormal authentication patterns.
AV-05 · Insider threat and privilege misuse
severity: high
Insider threats include malicious insiders, negligent users, and over-privileged staff or contractors whose access can be misused intentionally or accidentally to expose systems, data, or operations.
$ action: Enforce least privilege, strong monitoring for sensitive actions, separation of duties, and fast access review / revocation workflows.
AV-06 · State-backed and foreign targeted intrusions
severity: critical
State-backed or foreign-targeted intrusions often pursue espionage, strategic access, disruption, or long-term persistence, using stealthier tradecraft and patient campaign planning.
$ action: Harden identity and edge access, prioritize high-value systems, improve telemetry retention, and practice threat-informed detection and long-duration investigations.
AV-07 · Supply chain and third-party compromise
severity: critical
Attackers target software suppliers, MSPs, integrators, and trusted update or access paths to reach downstream organizations through relationships that defenders often trust by default.
$ action: Inventory third-party dependencies and access, restrict vendor privileges, verify updates and changes, and monitor trusted channels as closely as you monitor external threats.
AV-08 · Ransomware and data extortion operations
severity: critical
Modern ransomware operations often combine initial access, credential abuse, lateral movement, data theft, and disruption, turning one weakness into both operational outage and extortion pressure.
$ action: Harden identity and backups, detect early staging/lateral movement, segment critical services, and rehearse containment and restoration before a crisis.
AV-09 · DDoS and service exhaustion attacks
severity: high
Distributed denial-of-service and service exhaustion attacks aim to degrade availability by overwhelming network paths, applications, or supporting resources such as DNS, load balancers, and upstream dependencies.
$ action: Prepare upstream mitigation, rate limiting, capacity plans, and runbooks that prioritize service continuity, traffic visibility, and fast escalation.
AV-10 · Cloud misconfiguration and identity abuse
severity: critical
Cloud environments are frequently compromised through identity mismanagement, over-permissioned roles, exposed services, and misconfigurations that create easy paths to data or control-plane access.
$ action: Harden cloud identities, reduce privilege scope, monitor control-plane changes, and continuously validate exposed resources and configuration drift.
AV-11 · DNS abuse, tunneling, and command-and-control
severity: high
Attackers abuse DNS for reconnaissance, payload staging, command-and-control signaling, and covert data movement because DNS is widely allowed and often weakly monitored.
$ action: Centralize DNS logs, baseline query behavior, monitor resolver paths, and detect anomalous domains, query volume, and tunneling-like patterns.
AV-12 · Wireless rogue access and evil twin attacks
severity: high
Wireless environments can be abused through rogue access points, evil twin networks, weak segmentation, and credential capture attempts when Wi-Fi visibility and policy enforcement are weak.
$ action: Monitor wireless space, enforce strong authentication, segment wireless networks, and train users to recognize trusted SSIDs and certificate prompts.