Threat Taxonomy & Malware

The CIA Triad is the foundation every security decision is measured against. Before categorising attacks, you need a shared vocabulary.

The CIA Triad

┌─────────────────────────────────────────────────────────┐
│                      CIA Triad                          │
│                                                         │
│   Confidentiality ──── Integrity ──── Availability      │
│   (who can see it)   (has it changed?)  (can we use it) │
└─────────────────────────────────────────────────────────┘

Pillar	Goal	Attack that breaks it
Confidentiality	Only authorized parties can read data	Data breach, sniffing, credential theft
Integrity	Data is accurate and unmodified	Tampering, MitM injection, hash collision
Availability	Authorized users can access systems when needed	DoS/DDoS, ransomware, hardware destruction

---

Core Vocabulary

Term	Definition
Vulnerability	A flaw in a system that could be exploited
Zero-day	A vulnerability unknown to the vendor but known to an attacker
Exploit	Code/technique that takes advantage of a vulnerability
Threat	Potential danger that can exploit a vulnerability
Risk	Probability × Impact of a threat materializing
Attack	An active attempt to exploit a vulnerability and cause harm
Attack vector	The path or method used to gain unauthorized access
Attack surface	Sum of all possible attack vectors in a system

Tip

Risk = Threat × Vulnerability × Impact. You can’t eliminate risk, only reduce it. Good security reduces the probability of a threat exploiting a vulnerability, and limits the impact if it does.

---

Malware Taxonomy

Malware (malicious software) is any code designed to harm, spy on, or take control of a system without the user’s consent.

By Propagation Method

Malware
├── Self-propagating
│   ├── Virus       - attaches to host files; spreads when executed
│   └── Worm        - spreads autonomously via network/OS vulns; no host needed
└── Non-propagating (requires user action or manual install)
    ├── Trojan       - disguised as legitimate software
    ├── Adware       - bundled with free software; displays ads
    ├── Ransomware   - encrypts data; demands payment for key
    └── Logic Bomb   - dormant until a trigger condition fires

By Purpose / Behaviour

Type	Primary Goal	Real-World Example
Virus	Replicate and infect executables	ILOVEYOU (2000) - spread via email attachments
Worm	Self-propagate across networks	WannaCry (2017) - exploited SMB EternalBlue vuln
Trojan	Backdoor disguised as legit software	Zeus - banking Trojan capturing credentials
Spyware	Silently monitor and exfiltrate data	FinFisher - commercial stalkerware
Keylogger	Record keystrokes (passwords, messages)	Sub-category of spyware
Adware	Display ads; may track browsing	Often bundled with freeware installers
Ransomware	Encrypt data; extort victim	WannaCry, LockBit, REvil
Rootkit	Persist undetected at OS/kernel level	Stuxnet rootkit component
Bot / Botnet	Remote-controlled zombie; used for DDoS, spam, crypto mining	Mirai (IoT botnet, 2016 Dyn attack)
Backdoor	Covert re-entry path for attacker	Sub7, DarkComet
Logic Bomb	Activate on a trigger (date, event)	Insider threat - deletes files upon termination

---

Network Attacks

Man-in-the-Middle (MitM)

The attacker inserts themselves between two communicating parties. Neither party knows the session is being intercepted.

Normal:    Client ──────────────────── Server
MitM:      Client ── Attacker ──────── Server
                     intercepts/modifies traffic

Common MitM techniques:

Technique	How it works
ARP Poisoning	Attacker floods LAN with fake ARP replies, associating their MAC with victim’s IP
DNS Spoofing	Poison DNS cache to redirect domain to attacker-controlled IP
Session Hijacking	Steal session cookie from HTTP traffic; replay to impersonate authenticated user
SSL Stripping	Downgrade HTTPS to HTTP connection by intercepting the redirect
Rogue AP / Evil Twin	Deploy a fake Wi-Fi hotspot mimicking a legitimate SSID; victims connect and expose traffic

Defences: HTTPS everywhere, HSTS preloading, certificate pinning, WPA2-Enterprise (802.1X), network monitoring for ARP anomalies.

---

Denial-of-Service (DoS) & DDoS

Goal: exhaust a resource (CPU, memory, bandwidth, connection table) so legitimate users can’t access the service.

DoS:   Attacker ──→ Target (single source)

DDoS:  Bot 1 ─┐
       Bot 2 ─┼──→ Target (thousands of bots via botnet)
       Bot N ─┘

Attack Type	Layer	Mechanism
Ping of Death	Network (L3)	Malformed oversized ICMP packet causes buffer overflow
Ping Flood (ICMP Flood)	Network (L3)	Saturation with ICMP echo requests
SYN Flood	Transport (L4)	Fill connection table with half-open TCP connections; server never receives ACK
UDP Flood	Transport (L4)	Random UDP packets force target to respond with ICMP Unreachable on each
HTTP Flood	Application (L7)	Valid HTTP GET/POST requests at massive scale to exhaust web server
Amplification (Reflected)	Network (L3/4)	Spoof victim IP; small request to open server elicits large response back to victim (DNS/NTP/memcached)
Volumetric	Network (L3)	Pure bandwidth saturation (Gbps/Tbps scale) - requires botnet or amplification

Note

SYN Flood mechanics: Normal TCP needs SYN → SYN-ACK → ACK. Attacker sends thousands of SYNs with spoofed source IPs, so the SYN-ACKs go nowhere. Server holds half-open connections until timeout, exhausting its connection table. Mitigated by SYN cookies (server doesn’t allocate state until ACK received).

Notable DDoS events:

Year	Target	Scale	Method
2013	Spamhaus	300 Gbps	DNS amplification
2016	Dyn DNS	~1.2 Tbps	Mirai IoT botnet
2018	GitHub	1.35 Tbps	Memcached amplification (51,000× amplification factor)
2020	AWS Shield	2.3 Tbps	CLDAP reflection

Defences:

• Rate limiting and traffic shaping at edge routers
• SYN cookies on TCP stacks
• Anycast CDN absorption (Cloudflare, Akamai)
• Upstream scrubbing centres (ISP-level BGP blackholing)
• fail2ban for single-source volumetric attacks at host level

---

DNS Cache Poisoning

Attacker injects a forged DNS record into a resolver’s cache. All clients using that resolver are redirected to the attacker’s IP until the TTL expires.

Attack flow:
1. Attacker sends forged DNS response to resolver
   (race with legitimate response - Kaminsky Attack)
2. Resolver caches fake record
3. All clients querying for example.com get attacker's IP
4. Attacker serves fake site or intercepts traffic

Defence: DNSSEC (cryptographically signs records), use of DNS over HTTPS/TLS (DoH/DoT), randomised source ports and query IDs (RFC 5452).

---

Injection Attacks (Application Layer)

Injection attacks occur when untrusted data is sent to an interpreter as part of a query or command.

Type	Target	Payload Example
SQL Injection (SQLi)	SQL databases	' OR '1'='1 - bypasses authentication
Cross-Site Scripting (XSS)	Browser/users	<script>document.cookie</script> injected into page
Command Injection	OS shell	; rm -rf / appended to a shell-executing input
LDAP Injection	Directory services	Manipulated LDAP filter to bypass auth

SQLi mental model:

-- Intended query:
SELECT * FROM users WHERE username='alice' AND password='secret';

-- Attacker input: username = admin'--
-- Resulting query (password check bypassed by comment):
SELECT * FROM users WHERE username='admin'--' AND password='anything';

Defences:

• Parameterised queries / prepared statements (never concatenate user input into SQL)
• Input validation and allowlisting
• Web Application Firewall (WAF)
• Least privilege on DB accounts

---

Password Attacks

Attack	Method	Mitigation
Brute Force	Try every combination	Rate limiting, account lockout, long passwords
Dictionary Attack	Wordlist of common passwords	Complexity requirements, check against HaveIBeenPwned
Credential Stuffing	Use breached credentials from other sites	MFA, breach detection, passwordless auth
Rainbow Table	Precomputed hash lookup table	Password salting (makes precomputation infeasible)
Pass-the-Hash (PtH)	Replay stolen NTLM hash directly	Network authentication guard, Kerberos, Protected Users group
Keylogging	Record keystrokes to capture passwords	EDR, hardware key authenticators (FIDO2)

---

Malware Detection & Removal - Practical Procedure

Step 1 - Gather & Verify

# On Linux: check for suspicious processes
ps aux | sort -k3 -rn | head -20          # top CPU consumers
ss -tulnp                                  # open sockets + owning process
ls -la /proc/$(pidof suspicious)/exe       # real binary path for a PID

# On Windows: check processes and network connections
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20
Get-NetTCPConnection -State Established | Sort-Object RemoteAddress

Step 2 - Quarantine

• Disconnect network: disable Wi-Fi, unplug Ethernet
• Disable auto-backups: prevents malware getting baked into a restore point
• Do NOT power off if performing forensics - running memory contains artifacts (encryption keys, C2 addresses)

Step 3 - Offline Scan

Boot from a clean live USB (e.g., Ubuntu, Windows PE) and run scanner against the mounted drive to avoid the malware subverting its own detection.

# Example: ClamAV offline scan
clamscan -r --remove /mnt/suspicious_drive/

Step 4 - Remediate

• If removal fails → restore from last known-clean backup
• If no backup → rebuild from scratch (reinstall OS)
• Patch the vulnerability that allowed the initial infection

Step 5 - Post-Incident

• Create a clean restore point
• Re-enable automatic updates and AV definitions
• Document the incident (what, when, how, impact)

---

Quick Reference - Defence Checklist

Control	Addresses
Patch management / automatic updates	Exploitable known CVEs
Endpoint antivirus/EDR	Known malware signatures + behavioural detection
Principle of least privilege	Limits blast radius of any compromise
Network segmentation (VLANs)	Limits lateral movement
Firewall (host-based + perimeter)	Blocks unwanted inbound/outbound traffic
MFA on all accounts	Credential theft (phishing, brute force)
Regular, tested backups (3-2-1 rule)	Ransomware, physical damage
IDS/IPS	Detects/blocks known attack patterns
User security training	Social engineering (covered in the next note)