Comprehensive breakdown of modern cyber attack vectors — how they work, how to detect them, and how to defend against them.
14 Attack Vectors · 6 Critical Severity · 58 IOC Indicators · 42 Defense Tactics
🔓
ATK-001 // ACCOUNT TAKEOVER
Account Takeover (ATO)
CRITICAL
An attacker gains unauthorized access to a victim's account by obtaining valid credentials through various means, then exploits that access for fraud, data theft, or lateral movement.
Impact: 95% | Frequency: 88%
Tags: IDENTITY · FRAUD · LATERAL MOVEMENT
Kill Chain Breakdown
01 Credential Acquisition: Attacker obtains credentials via phishing, data breaches, or purchase on dark web markets.
02 Validation & Testing: Automated tools test credential pairs across target platforms to identify valid combinations.
03 Account Compromise: Successful login triggers session establishment; attacker changes recovery details to lock out the owner.
04 Exploitation: Account used for financial fraud, data exfiltration, or further social engineering attacks.
Indicators of Compromise
Login from new geographic region
Multiple failed attempts then success
Password or email changed post-login
Unusual time-of-day access patterns
New device fingerprint detected
Defense Playbook
✓ Enforce MFA across all accounts
✓ Monitor anomalous login behavior with UEBA
✓ Implement adaptive authentication
✓ Monitor dark web for leaked credentials
🔨
ATK-002 // BRUTE FORCE
Brute Force Attack
HIGH
Systematic trial-and-error method used to decode encrypted data, crack passwords, or find hidden pages by exhaustively testing all possible combinations until the correct one is found.
Impact: 75% | Frequency: 82%
Tags: CREDENTIAL · AUTOMATED
Kill Chain Breakdown
01 Target Identification: Attacker identifies a login interface such as a web app, SSH, RDP, or API endpoint.
02 Tool Deployment: Tools like Hydra or Burp Suite automate systematic password submission attempts.
03 Credential Discovery: The correct password is identified after testing every combination, or some subset of them.
04 Access Established: Attacker gains authenticated access and proceeds with post-exploitation objectives.
Indicators of Compromise
High volume of failed login attempts
Sequential username/password patterns
Rapid-fire requests from single IP
Auth logs showing systematic failures
Defense Playbook
✓ Account lockout policies after N failures
✓ Rate limiting on authentication endpoints
✓ CAPTCHA on login forms
✓ Require strong password policies
🎭
ATK-003 // INSIDER THREAT
Compromised Insider
CRITICAL
A legitimate employee's credentials or access is taken over by an external threat actor through coercion, extortion, or technical compromise — turning a trusted insider into an unwitting attack vector.
Impact: 92% | Detection: 20%
Tags: INSIDER · COERCION · HIGH PRIVILEGE
Kill Chain Breakdown
01 Target Profiling: Attacker identifies a high-value insider with privileged access, financial authority, or system admin rights.
02 Compromise Vector: Phishing, malware installation, or personal coercion/extortion gains control of the insider.
03 Access Leverage: Attacker uses the insider's legitimate credentials and trust level to bypass security controls undetected.
04 Data Exfiltration: Sensitive assets extracted using tools and channels trusted for legitimate business use.
Indicators of Compromise
Unusual data access outside job scope
Large file transfers to personal storage
After-hours access to sensitive systems
Behavioral change or financial stress signs
Defense Playbook
✓ Least privilege access enforcement
✓ User behavior analytics (UEBA)
✓ DLP tools monitoring data movement
✓ Regular access reviews and audits
📋
ATK-004 // CREDENTIAL STUFFING
Credential Stuffing
HIGH
Attackers use large-scale automated injection of breached username/password pairs to gain fraudulent account access — exploiting the widespread habit of password reuse across platforms.
Impact: 80% | Frequency: 91%
Tags: BREACH DATA · AUTOMATED · SCALE
Kill Chain Breakdown
01 Database Acquisition: Attacker purchases or downloads leaked credential lists from dark web breach repositories.
02 Credential Formatting: Lists are cleaned and formatted for use with automated stuffing tools like Sentry MBA or OpenBullet.
03 Distributed Attack: Requests are distributed across rotating proxies to avoid IP-based rate limiting and detection.
04 Account Harvesting: Valid logins are extracted for immediate exploitation or resale on underground markets.
Indicators of Compromise
Spike in login failures across user base
Requests from datacenter IP ranges
Unusual geographic login distribution
Identical user agent strings in bulk
Defense Playbook
✓ Breach password detection on login
✓ Bot detection and fingerprinting
✓ IP reputation scoring
✓ MFA enforcement for all accounts
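The login-anomaly indicators listed for account takeover, brute force and credential stuffing above can be checked mechanically. The following is an added example, not code from the original page: simple heuristics run over a constructed set of authentication events (timestamp, user, source IP, country, user agent, outcome), assumed to be sorted by time.

```python
from collections import defaultdict

# Constructed sample auth events, not real data: (ts_seconds, user, ip, country, user_agent, success).
# Sorted by timestamp; the detectors below assume that ordering.
EVENTS = [
    (0,  "alice", "203.0.113.5",  "US", "Mozilla/5.0 (Mac)", True),
    (60, "alice", "198.51.100.9", "RU", "curl/8.0",          False),
    (65, "alice", "198.51.100.9", "RU", "curl/8.0",          False),
    (70, "alice", "198.51.100.9", "RU", "curl/8.0",          False),
    (75, "alice", "198.51.100.9", "RU", "curl/8.0",          True),
    (80, "bob",   "198.51.100.9", "RU", "curl/8.0",          False),
    (81, "carol", "198.51.100.9", "RU", "curl/8.0",          False),
    (82, "dave",  "198.51.100.9", "RU", "curl/8.0",          False),
    (90, "erin",  "192.0.2.44",   "DE", "Mozilla/5.0 (Win)", True),
]

def failed_then_success(events, min_failures=3, window=300):
    """ATO IOC: a run of failures for one user followed by a success within `window` seconds."""
    hits, streak = [], defaultdict(list)
    for ts, user, ip, _, _, ok in events:
        if not ok:
            streak[user].append(ts)
            continue
        recent = [t for t in streak[user] if ts - t <= window]
        if len(recent) >= min_failures:
            hits.append((user, ip, len(recent)))
        streak[user].clear()  # a success resets the failure streak
    return hits

def new_region_logins(events, known_countries):
    """ATO IOC: successful login from a country not in the user's known set."""
    return [(u, c) for _, u, _, c, _, ok in events if ok and c not in known_countries.get(u, set())]

def high_rate_ips(events, threshold=4, window=60):
    """Brute-force IOC: `threshold` or more attempts from one IP inside any `window`-second span."""
    by_ip = defaultdict(list)
    for ts, _, ip, _, _, _ in events:
        by_ip[ip].append(ts)
    return [ip for ip, t in by_ip.items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))]

def stuffing_signal(events, min_users=3):
    """Credential-stuffing IOC: failures across many distinct users from one IP with one identical user agent."""
    fails = defaultdict(set)
    for _, user, ip, _, ua, ok in events:
        if not ok:
            fails[(ip, ua)].add(user)
    return {k: sorted(v) for k, v in fails.items() if len(v) >= min_users}
```

On the sample, the same source address trips all four detectors at once; in production each signal would be a separate alert fed to the UEBA or SIEM rather than a hard block.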
📖
ATK-005 // DICTIONARY ATTACK
Dictionary Attack
MEDIUM
A targeted password cracking technique using curated wordlists of common passwords, phrases, and variations — far more efficient than brute force by exploiting predictable human password choices.
Impact: 65% | Ease: 85%
Tags: PASSWORD · WORDLIST · OFFLINE
Kill Chain Breakdown
01 Hash Extraction: Password hashes are obtained from a compromised database, local SAM file, or intercepted auth traffic.
02 Wordlist Preparation: Curated lists (RockYou, SecLists) combined with context-specific terms and rule-based mutations.
03 Hash Comparison: Tools like Hashcat or John the Ripper compute hashes of wordlist entries and compare them to the targets.
04 Plaintext Recovery: Matched hashes reveal plaintext passwords for use in access attempts or further attacks.
Indicators of Compromise
Offline — not directly detectable on login
Subsequent access from unknown location
Database breach exposing hash data
Defense Playbook
✓ Use bcrypt/Argon2 for password hashing
✓ Unique salts per password hash
✓ Ban commonly used passwords at registration
✓ Regular security awareness training
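As an added example (not from the original page) of the first three dictionary-attack defenses: a registration path that bans common passwords, including trivially mutated ones, and then stores each password under a fresh random salt with a memory-hard KDF. It uses hashlib.scrypt from the Python standard library as a stand-in for bcrypt/Argon2, and a tiny constructed ban list in place of a breach-derived wordlist.

```python
import hashlib, hmac, os, re

# Constructed mini ban list; a real deployment loads a large breach-derived list such as RockYou (assumption).
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # memory-hard parameters; tune so one hash costs ~100 ms

def normalize(password):
    """Fold the trivial mutations a cracking rule set would generate: case and trailing digits/symbols."""
    return re.sub(r"[\d\W_]+$", "", password).lower()

def is_banned(password, banlist=BANNED):
    """Reject a candidate if it, or its normalized core, is on the ban list."""
    return password.lower() in banlist or normalize(password) in banlist

def hash_password(password, salt=None):
    """Return 'scrypt$N$salt$digest'; a fresh 16-byte salt per hash defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and parameters, then compare in constant time."""
    _, n, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

def register(password):
    """Registration policy: ban common passwords (and a minimum length) before anything is hashed."""
    if is_banned(password) or len(password) < 12:
        raise ValueError("password is too common or too short")
    return hash_password(password)
```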
🕵️
ATK-006 // MALICIOUS INSIDER
Malicious Insider
CRITICAL
A current or former employee, contractor, or partner who intentionally misuses authorized access to harm the organization — through data theft, sabotage, espionage, or system disruption.
Impact: 97% | Detection: 18%
Tags: INSIDER · SABOTAGE · ESPIONAGE
Kill Chain Breakdown
01 Motivation Formation: Grievance, financial gain, ideology, or recruitment by an external party forms the intent to act maliciously.
02 Reconnaissance: Insider maps sensitive data locations, security tools, logging systems, and access boundaries.
03 Covert Action: Uses legitimate access during normal hours to avoid detection; exfiltrates data or plants logic bombs.
04 Exit / Sabotage: Damage executed at departure or during tenure; may sell IP to competitors or nation-state actors.
Indicators of Compromise
Bulk downloads before resignation date
Accessing systems outside job function
Connecting unauthorized USB devices
Researching own company's security systems
Defense Playbook
✓ Offboarding checklist with immediate access revocation
✓ UEBA with behavioral baseline monitoring
✓ Zero-trust architecture principles
✓ Segregation of duties for sensitive roles
🔀
ATK-007 // MITM
Man-in-the-Middle
CRITICAL
An attacker secretly intercepts and potentially alters communications between two parties who believe they're communicating directly — enabling eavesdropping, data theft, and session manipulation.
Impact: 89% | Stealth: 86%
Tags: INTERCEPT · NETWORK · SSL STRIP
Kill Chain Breakdown
01 Network Positioning: Attacker positions via ARP spoofing, rogue WiFi AP, DNS hijacking, or BGP route manipulation.
02 Traffic Interception: All communication between victim and server passes through the attacker's controlled node.
03 Decryption / Relay: SSL stripping or certificate spoofing downgrades encrypted connections; content is inspected or modified.
04 Data Harvesting: Credentials, session tokens, financial data, and sensitive communications are captured in real time.
Indicators of Compromise
Unexpected SSL certificate changes
ARP table anomalies on local network
Latency spikes in network communications
Unknown devices on network segment
Defense Playbook
✓ Enforce HTTPS with HSTS headers
✓ Certificate pinning in mobile apps
✓ VPN for all sensitive communications
✓ Network monitoring with anomaly detection
😶
ATK-008 // INSIDER THREAT
Negligent Insider
MEDIUM
Unintentional security incidents caused by careless or uninformed employees — clicking phishing links, mishandling data, using weak passwords, or bypassing security controls for convenience.
Frequency: 94% | Prevention: 72%
Tags: INSIDER · HUMAN ERROR · PHISHING
Common Scenarios
01 Phishing Interaction: Employee clicks a malicious link or downloads an attachment from a convincing phishing email.
02 Misconfiguration: Admin misconfigures cloud storage permissions, exposing sensitive data to the public internet.
03 Device Mishandling: Unencrypted laptop or USB with sensitive data left in a public place or lost in transit.
04 Shadow IT: Employee uses unapproved cloud services or personal devices to process corporate data.
Indicators of Compromise
Sensitive data on public S3 buckets
Unencrypted data transfers externally
Malware execution from email attachment
Unauthorized app installations detected
Defense Playbook
✓ Mandatory security awareness training
✓ Phishing simulation programs
✓ Full disk encryption on all endpoints
✓ Cloud access security broker (CASB)
🔑
ATK-009 // PASS-THE-HASH
Pass-the-Hash
CRITICAL
An authentication bypass technique where an attacker uses a captured NTLM password hash directly to authenticate to remote systems — without ever needing to crack the underlying plaintext password.
Impact: 93% | Stealth: 78%
Tags: NTLM · LATERAL MOVE · WINDOWS
Kill Chain Breakdown
01 Initial Compromise: Attacker gains a foothold via phishing or exploitation; requires local admin access on the target system.
02 Hash Extraction: Tools like Mimikatz extract NTLM password hashes from Windows LSASS process memory.
03 Hash Injection: Hash is injected into a new authentication session, mimicking legitimate user credentials.
04 Lateral Movement: Attacker authenticates to additional systems across the network using the captured hash.
Indicators of Compromise
Mimikatz or similar tool execution
LSASS process memory access
Unusual SMB authentication across hosts
Logon type 3 without prior type 2
Defense Playbook
✓ Enable Windows Credential Guard
✓ Restrict NTLM authentication where possible
✓ Enforce local admin password solution (LAPS)
✓ Privileged access workstations (PAW)
⬆️
ATK-010 // PRIV ESC
Privilege Escalation
HIGH
A technique where an attacker with limited system access exploits vulnerabilities, misconfigurations, or design flaws to gain elevated permissions — moving from user-level to admin or root access.
Impact: 85% | Frequency: 79%
Tags: EXPLOIT · ROOT ACCESS · POST-EXPLOIT
Kill Chain Breakdown
01 Foothold Established: Attacker has low-privilege access via initial compromise and begins local enumeration.
02 Vulnerability Discovery: Unpatched kernel exploits, SUID misconfigs, weak service permissions, or stored credentials are identified.
03 Exploitation: Identified weakness is exploited to execute code in the context of a privileged process or user.
04 Elevated Persistence: New privileged account created or backdoor installed with admin/root permissions for persistent access.
Indicators of Compromise
New privileged accounts created unexpectedly
Exploit tool execution (e.g., BeRoot, WinPEAS)
Suspicious SUID binary modifications (Linux)
Registry run key modifications (Windows)
Defense Playbook
✓ Timely patching of OS and applications
✓ CIS hardening benchmarks on all systems
✓ Endpoint detection and response (EDR)
✓ Limit sudo/admin rights strictly
🍪
ATK-011 // SESSION HIJACK
Session Hijacking
HIGH
An attacker steals or forges a valid session token to impersonate an authenticated user — allowing access to web applications or services without needing the user's credentials.
Impact: 82% | Stealth: 76%
Tags: COOKIE THEFT · WEB APP · TOKEN
Kill Chain Breakdown
01 Token Acquisition: Session cookie stolen via XSS, network sniffing, browser exploit, or physical access to a logged-in device.
Impersonation: Server recognizes the valid session token and grants the attacker full access as the legitimate user.
04 Exploitation: Attacker performs account actions, steals data, or pivots to other systems within the session scope.
Indicators of Compromise
Same session used from two locations simultaneously
XSS vulnerabilities in web application
User reporting unexpected account actions
Defense Playbook
✓ HttpOnly and Secure flags on all cookies
✓ Short session timeout windows
✓ Bind session to client fingerprint
✓ CSP headers to mitigate XSS
👁️
ATK-012 // SHOULDER SURFING
Shoulder Surfing
MEDIUM
A low-tech physical attack where an adversary directly observes a target entering sensitive information — PINs, passwords, or confidential data — by looking over their shoulder or using surveillance equipment.
Ease: 90% | Prevention: 70%
Tags: PHYSICAL · LOW-TECH · OBSERVATION
Kill Chain Breakdown
01 Target Selection: Attacker identifies a victim in a public place (cafe, airport, ATM) who appears to be entering credentials.
02 Observation: Credentials captured visually or via a recording device; may use a smartphone camera or zoom lens.
03 Information Collection: PIN, password, or sensitive business data noted for later use or immediate exploitation.
04 Access Attempt: Captured credentials used for account access, ATM fraud, or sold to a third party.
Indicators of Compromise
Unauthorized access from unknown device
ATM or card reader anomalies
Suspicious individuals near workstations
Defense Playbook
✓ Privacy screen filters on laptops
✓ Position screens away from onlookers when working in public
✓ MFA reduces the value of observed passwords
✓ Clean desk policies and access controls
🎯
ATK-013 // SPEAR PHISHING
Spear Phishing
CRITICAL
A highly targeted phishing attack crafted with personal details about the victim — using OSINT, social media, and reconnaissance to create convincing deceptive communications that bypass skepticism.
02 Lure Crafting: Hyper-personalized email crafted referencing real events, colleagues, or ongoing projects to appear authentic.
03 Delivery: Message sent from a spoofed or compromised trusted address; payload is a malicious link, attachment, or request.
04 Exploitation: Victim clicks the link, provides credentials, or executes malware; attacker gains the intended access or data.
Indicators of Compromise
Email domain closely mimics legitimate domain
Credential harvesting page in browser history
Unexpected macro execution in Office docs
Unusual DNS lookup for spoofed domains
Defense Playbook
✓ DMARC, DKIM, SPF email authentication
✓ Email gateway with AI-powered phishing detection
✓ Regular phishing simulation training
✓ Limit OSINT-available employee information
⛓️
ATK-014 // SUPPLY CHAIN
Supply Chain Compromise
CRITICAL
An attacker infiltrates an organization by compromising a trusted supplier, vendor, or software component in their supply chain — injecting malicious code or access into trusted update mechanisms or dependencies.
Impact: 98% | Detection: 12%
Tags: SOFTWARE · VENDOR · APT
Kill Chain Breakdown
01 Vendor Compromise: Attacker breaches a software vendor, package registry, or build pipeline, often via spear phishing developer accounts.
02 Code Injection: Malicious code inserted into a legitimate software update, open-source package, or hardware firmware.
03 Trusted Distribution: Compromised update is cryptographically signed by the vendor and distributed to all customers automatically.
04 Mass Exploitation: Malware activates across thousands of organizations simultaneously; attacker selects high-value targets for active exploitation.