Technical Threats | Cybersecurity Policy

Slide 1 of 13 | CSP-W2-01 | Week 2

Technical Threats
Malware, Network Attacks, Supply Chain

Malware Taxonomy • Network Attacks • Web App Exploits • APTs • Supply Chain • Zero-Days • Crypto Attacks • IoT/OT • Attack Economics • Threat Intelligence

Cybersecurity policy cannot be written in a vacuum. Before you can regulate, defend, or allocate budget, you need to understand what you are defending against. This deck catalogs the technical threat landscape -- from commodity malware to nation-state operations -- and examines the economics and intelligence systems that track them. Every policy decision you make in this course will reference threats covered here.

13 Slides CSP-W2-01 Week 2 CIS2208 -- Cybersecurity Policy

Slide 2 of 13

Malware Taxonomy

Seven major categories of malicious software -- each with distinct propagation, payload, and persistence characteristics.

Virus

Requires a host file and user action to propagate. Attaches to executables or documents. Classic example: ILOVEYOU (2000) -- caused $10B in damages via email attachments.

Worm

Self-replicating, no user action needed. Exploits network vulnerabilities to spread autonomously. WannaCry (2017) exploited EternalBlue to hit 200K+ systems in 150 countries.

Ransomware

Encrypts victim data and demands payment -- often in cryptocurrency. Double extortion variants also exfiltrate data. Colonial Pipeline (2021) shut down US fuel supply for six days.

Fileless

Operates entirely in memory using legitimate tools like PowerShell, WMI, or .NET. Leaves no traditional file artifacts. Bypasses signature-based detection. Growing to 40%+ of attacks.

Policy Implication

Signature-based antivirus alone is insufficient. Modern endpoint protection policy must mandate behavioral analysis, memory scanning, and application whitelisting. Fileless malware specifically requires process-level monitoring and PowerShell constrained language mode enforcement.

Slide 3 of 13

Network Attacks

Attacks targeting the transport layer -- disrupting, intercepting, or redirecting network traffic.

DDoS (Distributed Denial of Service)

Floods a target with traffic from thousands of compromised hosts. Amplification attacks abuse open resolvers (DNS, NTP, Memcached) to multiply traffic up to 51,000x. Record attacks exceed 3.47 Tbps. Mitigation requires upstream scrubbing, rate limiting, and anycast distribution.

Man-in-the-Middle (MitM)

Attacker intercepts communication between two parties, reading or modifying data in transit. Executed via ARP spoofing, rogue Wi-Fi access points, or BGP hijacking. TLS with certificate pinning and HSTS are the primary countermeasures.

DNS Poisoning

Corrupts DNS cache to redirect users to malicious servers. Attacker injects forged DNS responses before the legitimate server responds. DNSSEC validates DNS responses cryptographically but adoption remains below 40% globally.

Session Hijacking

Stealing or predicting session tokens to impersonate an authenticated user. Methods include packet sniffing, XSS-based cookie theft, and session fixation. Defenses: secure cookie flags (HttpOnly, Secure, SameSite), token rotation, and short session lifetimes.

Scale of the Problem

DDoS attacks increased 46% year-over-year. The average cost of a DDoS attack for a mid-size enterprise exceeds $120,000 per hour in downtime. Network-layer attacks are increasingly used as smokescreens to distract security teams while more targeted application-layer attacks proceed simultaneously.

Slide 4 of 13

Web Application Attacks

Exploiting vulnerabilities in how web applications handle user input, state, and trust boundaries.

SQL Injection (SQLi)

Injecting SQL commands through user input fields. A login form expecting a username instead receives admin' OR '1'='1 -- bypassing authentication entirely. Ranked number one on the OWASP Top 10 for over a decade. Prevention: parameterized queries, input validation, and least-privilege database accounts.

Cross-Site Scripting (XSS)

Injecting malicious scripts into web pages viewed by other users. Stored XSS persists in the database. Reflected XSS bounces off the server in a URL. DOM-based XSS manipulates client-side JavaScript directly. Enables session theft, defacement, and credential harvesting. Prevention: output encoding, Content Security Policy headers.

Cross-Site Request Forgery (CSRF)

Tricks an authenticated user's browser into making unintended requests to a web application. If you are logged into your bank and visit a malicious page, that page can submit a transfer request using your session. Prevention: anti-CSRF tokens, SameSite cookies, and re-authentication for sensitive actions.

Directory Traversal

Manipulating file paths (e.g., ../../etc/passwd) to access files outside the intended directory. Allows reading configuration files, source code, or credentials. Prevention: input sanitization, chroot jails, and WAF rules that block path traversal patterns.

Common Thread

Every web application attack in this slide exploits the same root cause: the application trusts user input. The fundamental defense principle is "never trust, always validate." Policy must mandate secure coding standards (OWASP ASVS), regular penetration testing, and Web Application Firewalls as defense-in-depth for production systems.

Slide 5 of 13

Advanced Persistent Threats (APTs)

State-sponsored or state-affiliated groups conducting prolonged, targeted intrusions with strategic objectives.

APT28 (Fancy Bear)

Russian GRU Unit 26165. Targeted DNC (2016), WADA, Bundestag. Specializes in spear-phishing with zero-day exploits and custom X-Agent/X-Tunnel malware. Average dwell time: 295 days before detection.

APT41 (Double Dragon)

Chinese state-affiliated group conducting both espionage and financially motivated operations. Targeted healthcare, telecom, and gaming industries. Known for supply chain compromises and exploiting newly disclosed vulnerabilities within hours.

Defining Characteristics

APTs differ from commodity threats in three ways: (1) state-level resources and sophistication, (2) strategic patience -- operations span months to years, (3) specific targeting -- they choose their victims deliberately rather than casting wide nets.

Policy Reality

Most organizations cannot defend against APTs alone. Policy must address intelligence sharing (ISACs), incident response retainer agreements, and network segmentation to limit lateral movement. The goal shifts from prevention to detection speed and containment -- reducing dwell time from months to hours.

Slide 6 of 13

Supply Chain Attacks: The Domino Effect

Compromising a trusted vendor to reach thousands of downstream targets simultaneously.

SolarWinds

Russian SVR (APT29) injected SUNBURST backdoor into SolarWinds Orion build process. 18,000 organizations installed the trojanized update. Targets included US Treasury, Commerce, DHS. Went undetected for nine months. The attack exploited trust in automated software updates.

Kaseya

REvil ransomware gang exploited zero-day in Kaseya VSA (remote monitoring tool used by MSPs). Single exploit cascaded through MSPs to 1,500+ downstream businesses. $70M ransom demanded. Demonstrated how one vendor compromise can paralyze entire supply chains within hours.

Log4Shell

Critical RCE vulnerability in Apache Log4j -- an open-source logging library embedded in millions of applications. A single crafted string in any logged input triggered arbitrary code execution. The invisible dependency problem: most organizations did not know they were running Log4j.

The New Reality

Supply chain attacks exploit the deepest form of trust in computing: the trust between an organization and its software vendors. Policy responses include Software Bill of Materials (SBOM) mandates, vendor security assessments, zero-trust verification of updates, and the US Executive Order 14028 requiring SBOM for government software procurement.

Slide 7 of 13

Zero-Day Vulnerabilities

Unknown flaws exploited before vendors can issue a patch -- the most dangerous class of vulnerability.

The Underground Market

Zero-day exploits are traded on dark web markets and through brokers. An iOS zero-click exploit can fetch $2M+. Zerodium publicly offers up to $2.5M for iOS remote jailbreaks. Nation-states are the primary buyers -- stockpiling exploits for intelligence operations rather than disclosing them for patches.

Disclosure Ethics

Responsible disclosure: researcher notifies vendor, gives time to patch, then publishes. Full disclosure: publish immediately to force vendor action. Coordinated disclosure (CVE process): involves CERT/CC or MITRE as intermediary. The Vulnerabilities Equities Process (VEP) governs when US agencies must disclose vs. retain zero-days.

Defense Without a Patch

Zero-day defense relies on defense-in-depth: network segmentation limits blast radius, behavioral detection catches anomalous activity, application whitelisting prevents unauthorized execution, and microsegmentation contains lateral movement. Virtual patching via WAF/IPS rules provides interim protection.

By the Numbers

Google Project Zero tracked 97 zero-days exploited in the wild in 2023 -- a record high. The average time from zero-day disclosure to exploit availability has shrunk from weeks to hours. Organizations that rely solely on patch management are structurally vulnerable to zero-days by definition.

Slide 8 of 13

Cryptographic Attacks

Breaking or circumventing the mathematical foundations that protect data confidentiality and integrity.

Brute Force

Systematically trying every possible key or password. Effectiveness depends on key length: a 56-bit DES key can be cracked in hours; a 256-bit AES key would take longer than the age of the universe. GPU clusters and ASICs accelerate attacks against weak keys and passwords.

Rainbow Tables

Precomputed lookup tables mapping plaintext to hashes. Trade computation time for storage space. A rainbow table for all 8-character alphanumeric passwords fits on a single hard drive. Defense: salted hashes (bcrypt, Argon2) make precomputation infeasible by adding randomness per-password.

Birthday Attack

Exploits the birthday paradox: the probability of hash collisions grows much faster than expected. For a 128-bit hash, a collision can be found in roughly 2^64 operations, not 2^128. This is why hash output lengths must be at least double the desired security level. MD5 and SHA-1 are both vulnerable.

Quantum Threat

Shor's algorithm on a quantum computer would break RSA, ECC, and Diffie-Hellman in polynomial time. "Harvest now, decrypt later" attacks are already underway -- adversaries storing encrypted traffic today to decrypt once quantum computing matures. NIST has standardized post-quantum algorithms (ML-KEM, ML-DSA) for the transition.

Policy Imperative

Cryptographic policy must address both current threats (mandating strong algorithms and key lengths) and future threats (crypto-agility requirements for post-quantum migration). Organizations should inventory all cryptographic dependencies now and establish a transition timeline to post-quantum algorithms before large-scale quantum computers become operational.

Slide 9 of 13

IoT and OT Threats

The expanding attack surface where the digital meets the physical -- billions of devices with minimal security.

Mirai Botnet

In 2016, Mirai infected 600,000+ IoT devices (cameras, DVRs, routers) using 61 default username/password combinations. Launched a 1.2 Tbps DDoS attack against Dyn DNS, taking down Twitter, Netflix, Reddit, and GitHub. Proved that insecure IoT devices are weapons at scale.

ICS/SCADA Vulnerabilities

Industrial control systems run on protocols designed for reliability, not security (Modbus, DNP3 -- no authentication). Stuxnet destroyed Iranian centrifuges. TRITON targeted safety systems at a Saudi petrochemical plant. The Oldsmar water treatment hack attempted to increase sodium hydroxide to lethal levels.

The Scale Problem

By 2025, over 30 billion IoT devices are connected globally. Most have no security update mechanism, no authentication, and no encryption. Average lifespan of an IoT device is 10+ years. These devices cannot be patched, yet they sit on networks with access to critical systems.

Policy Response

The US Cyber Trust Mark program, EU Cyber Resilience Act, and NIST IR 8259 all mandate minimum IoT security baselines: unique credentials, encrypted communications, automated updates, and vulnerability disclosure programs. OT environments require network segmentation (Purdue Model), protocol-aware firewalls, and air-gapped safety systems.

Slide 10 of 13

Attack Economics

The asymmetry that defines cybersecurity: attacking is cheap, defending is expensive, and crime pays.

Ransomware-as-a-Service (RaaS)

Criminal organizations operate like SaaS companies. LockBit, BlackCat, and Conti provide ransomware toolkits, negotiation portals, and even customer support -- all for a percentage of ransom payments (typically 20-30%). Affiliates need zero technical skill. The RaaS model has industrialized cybercrime, lowering the barrier to entry to near zero.

The Defender's Dilemma

Attackers need to find one vulnerability. Defenders must protect every endpoint, every application, every user, every day. A single missed patch, one phishing click, one misconfigured cloud bucket -- and the attacker wins. This asymmetry means defense-in-depth is not optional; it is the only mathematically rational strategy.

Why This Matters for Policy

Cybersecurity budgets must be justified against this asymmetry. Policy decisions involve calculating acceptable risk, not eliminating all risk (which is impossible). The economics also explain why regulation is necessary: without mandated minimums, the rational short-term choice for many organizations is to underinvest in security.

Slide 11 of 13

Threat Intelligence

Turning raw data about threats into actionable intelligence that informs defense and policy decisions.

Key Concepts

Term	Definition
IOC	Indicator of Compromise -- observable artifacts (IP addresses, file hashes, domains) that indicate a breach has occurred or is in progress. Tactical, short-lived, high volume.
TTP	Tactics, Techniques, and Procedures -- the behavioral patterns of threat actors mapped to frameworks like MITRE ATT&CK. Strategic, durable, high value for detection engineering.
STIX	Structured Threat Information eXpression -- a standardized JSON format for describing cyber threat information including indicators, campaigns, threat actors, and relationships between them.
TAXII	Trusted Automated eXchange of Intelligence Information -- the transport protocol for sharing STIX data between organizations. Supports collection-based (pull) and channel-based (push) sharing models.
ISAC	Information Sharing and Analysis Center -- sector-specific organizations (FS-ISAC, H-ISAC, IT-ISAC) that facilitate threat intelligence sharing between member organizations within an industry vertical.

Intelligence Levels

Threat intelligence operates at three levels: Strategic (board-level trends and risk posture), Operational (campaign-level context for IR teams), and Tactical (IOCs for automated blocking). Effective policy mandates participation in all three -- subscribing to ISAC feeds, integrating STIX/TAXII with SIEM, and producing strategic reports for leadership.

Slide 12 of 13

Key Takeaways

The technical threat landscape distilled into policy-actionable principles.

1 Malware has evolved from file-based viruses to fileless, memory-resident attacks. Signature-based detection is necessary but insufficient -- policy must mandate behavioral analysis and endpoint detection and response (EDR).

2 Network attacks exploit protocol weaknesses at scale. DDoS amplification can generate terabits of traffic from minimal resources. Upstream scrubbing and anycast distribution are infrastructure-level policy decisions.

3 Web application attacks share a root cause: trusting user input. Secure coding standards, penetration testing mandates, and WAF deployment are policy controls that address the entire category.

4 APTs operate with state-level resources and strategic patience. Defense shifts from prevention to detection speed and containment. Intelligence sharing through ISACs is a policy requirement, not a luxury.

5 Supply chain attacks exploit trust in software vendors. SBOM mandates, vendor security assessments, and zero-trust update verification are the policy responses codified in Executive Order 14028.

6 Zero-day vulnerabilities cannot be patched by definition. Defense-in-depth, behavioral detection, and crypto-agility for post-quantum migration are the policy frameworks that address unknowns.

7 IoT and OT devices represent billions of unmanaged endpoints with decade-long lifespans and no update mechanisms. Network segmentation and minimum security baselines are mandatory policy controls.

8 Attack economics favor the adversary: $50 phishing kits versus $2M+ SOC budgets. This asymmetry is why regulatory minimums exist -- rational self-interest alone leads to underinvestment in security.

9 Threat intelligence transforms raw data into actionable defense. IOCs provide tactical blocking, TTPs enable detection engineering, and strategic intelligence informs budget allocation and policy priorities.

What Comes Next

Understanding technical threats is the prerequisite for writing effective policy. Every framework (NIST CSF, ISO 27001, CMMC) maps controls to specific threat categories covered in this deck. In the next module, you will evaluate how these threats translate into regulatory requirements and organizational risk management decisions.

Slide 13 of 13 | Complete

Presentation
Complete

Technical Threats -- 13 slides

Malware Taxonomy • Network Attacks • Web App Exploits • APTs • Supply Chain • Zero-Days • Crypto Attacks • IoT/OT • Attack Economics • Threat Intelligence

CIS2208 Cybersecurity Policy Week 2