Skip to main content

2.1 Cyber Foundations

Topic 2.1: Cyber Foundations

A strong understanding of cybersecurity begins with recognizing the various tactics adversaries use and the foundational principles of defense. Social engineering remains one of the most effective methods for attackers, as it targets human psychology rather than technology. These attacks rely on several key principles to manipulate individuals:

  • Pretexting: Creating a fabricated scenario or a believable reason (a pretext) to engage a target and elicit information.
  • Authority: Impersonating a person of power, such as a manager, law enforcement officer, or IT administrator, to make a request seem legitimate and non-negotiable.
  • Intimidation: Using threats of negative consequences, such as account suspension or legal action, to pressure a target into immediate compliance.
  • Consensus: Making a target believe that "everyone else is doing it" to create social pressure to conform. An attacker might claim that all other employees have already completed a required security update.
  • Scarcity: Creating the impression that an opportunity is limited, which encourages impulsive action.
  • Familiarity: Establishing a sense of trust by pretending to be a friend, colleague, or someone the target knows.
  • Urgency: Imposing a strict deadline to rush a target into making a decision without careful consideration.

Adversaries, or threat actors, can be categorized by their motivations and skill levels. Script kiddies are low-skilled attackers who use pre-made tools without understanding their inner workings. Hacktivists are motivated by social or political causes and use cyberattacks to promote their agenda. Insider adversaries are current or former employees who use their legitimate access for malicious purposes, often driven by revenge or financial gain. Cyberterrorists aim to cause widespread disruption to critical infrastructure, while transnational criminal organizations are sophisticated groups focused on large-scale financial crimes like ransomware and intellectual property theft.

Cyberattacks typically follow a sequence of phases, though not every attack includes all of them. This process is often referred to as the "cyber kill chain."

  1. Reconnaissance: The adversary gathers information about the target using publicly available sources, a practice known as Open Source Intelligence (OSINT).
  2. Initial Access: The adversary gains a foothold on a system, often through social engineering, weak credentials, or exploiting a vulnerability.
  3. Persistence: The adversary installs tools like a Remote Access Trojan (RAT) or a rootkit to ensure they can maintain access to the compromised system over time, often through a command and control (C2) channel.
  4. Lateral Movement: The adversary moves from the initial compromised system to other systems on the network, seeking to escalate their privileges and access more valuable assets.
  5. Taking Action: The adversary achieves their ultimate goal, such as stealing and exfiltrating data, disrupting services, or destroying information.
  6. Evading Detection: The adversary attempts to cover their tracks by altering or deleting log files and removing any tools or malware they installed.

To defend against these threats, organizations perform risk assessments. Risk exists where a threat can exploit a vulnerability to compromise an asset. The assessment process evaluates two key factors: the likelihood of an attack and the potential impact or severity of the damage. A quantitative risk assessment assigns a numerical or monetary value to the risk, while a qualitative assessment uses descriptive terms like "low," "medium," or "high."

Once a risk is assessed, an organization has four main strategies for managing it: avoidance (discontinuing the risky activity), transference (shifting the risk to another party, like an insurance company), mitigation (implementing security controls to reduce the risk), and acceptance (knowingly accepting the remaining, or residual, risk).

Security controls are the specific countermeasures used to mitigate risk. They are designed to uphold the three core principles of information security: confidentiality (preventing unauthorized disclosure), integrity (ensuring data accuracy and trustworthiness), and availability (ensuring data and services are accessible when needed). Controls can be categorized by type (physical, technical, or managerial) and by function (preventative, detective, or corrective).

No single security control is foolproof. Therefore, organizations employ a defense-in-depth strategy, also known as a layered defense. This approach uses multiple, overlapping security controls across different layers (human, physical, network, device, application, and data). If an adversary bypasses one layer of defense, other layers are still in place to prevent or detect the intrusion, creating a more resilient and robust security posture.