July 7, 2026Mark Hayward

Cyber Security Risk Management ~ 1.2 Overview of Cyber Threats

A comprehensive survey of the modern cyber threat landscape — from malware and social engineering to nation-state APTs and supply-chain attacks — and the key lessons organisations must apply.

# 1.2 Overview of Cyber Threats ## Introduction Cyber threats have grown from simple, opportunistic exploits into a sophisticated, multi-layered global challenge. As organisations and individuals become more dependent on digital infrastructure, understanding the breadth and depth of cyber threats is not merely an academic exercise — it is a critical business and national-security imperative. This chapter provides a comprehensive survey of the modern threat landscape, the actors behind it, and the evolving attack vectors that every cyber security professional must understand. --- ## The Modern Threat Landscape The cyber threat landscape is shaped by three converging forces: **technology proliferation**, **geopolitical tension**, and **criminal economics**. The explosion of internet-connected devices (IoT), the mass migration to cloud platforms, and the digital transformation of critical infrastructure have all dramatically expanded the attack surface available to adversaries. At the same time, the commoditisation of hacking tools — ransomware-as-a-service (RaaS), exploit kits, and stolen credentials sold on darknet markets — has lowered the barrier to entry for would-be attackers. Today, a person with minimal technical skill can rent sophisticated malware capabilities for a small fee. --- ## Categories of Cyber Threats ### 1. Malware Malicious software remains the most prevalent cyber threat vector. Key subcategories include: - **Ransomware** — encrypts victim data and demands payment for decryption keys. High-profile campaigns such as WannaCry (2017) and the Colonial Pipeline attack (2021) demonstrated devastating real-world impact. - **Trojans** — disguise themselves as legitimate software to trick users into installation. - **Spyware & Keyloggers** — silently monitor user activity, capturing credentials and sensitive data. - **Worms** — self-propagating malware that spreads across networks without user interaction. - **Rootkits** — deeply embedded software that hides attacker presence at the operating system level, making detection extremely difficult. ### 2. Phishing and Social Engineering Technical controls can be bypassed when human psychology is exploited. Social engineering attacks manipulate individuals into divulging sensitive information or performing actions that compromise security: - **Spear phishing** — targeted emails crafted to appear legitimate, often impersonating trusted colleagues or institutions. - **Vishing (voice phishing)** — phone-based manipulation, such as impersonating IT support staff. - **Smishing (SMS phishing)** — fraudulent text messages designed to lure victims to malicious links. - **Business Email Compromise (BEC)** — attackers impersonate executives to trick finance staff into transferring funds. ### 3. Denial-of-Service (DoS) and Distributed DoS (DDoS) DDoS attacks flood systems, servers, or networks with traffic to exhaust resources and render services unavailable. Modern DDoS attacks can exceed terabits per second and are frequently used as diversionary tactics while a secondary intrusion occurs undetected. ### 4. Man-in-the-Middle (MitM) Attacks Attackers intercept communications between two parties — for example, between a user and a banking website — to eavesdrop on or alter the data exchanged. Common techniques include ARP poisoning, SSL stripping, and rogue Wi-Fi access points. ### 5. Insider Threats Not all threats originate externally. Insider threats — whether malicious or negligent — account for a significant proportion of data breaches: - **Malicious insiders** deliberately steal or sabotage data, often motivated by financial gain or grievance. - **Negligent insiders** inadvertently expose systems through misconfiguration, weak passwords, or falling victim to phishing. ### 6. Advanced Persistent Threats (APTs) APTs are sophisticated, long-term intrusion campaigns typically conducted by nation-state actors or well-funded criminal groups. Unlike opportunistic attacks, APTs are methodical: they establish a foothold, move laterally through a network over weeks or months, and exfiltrate data quietly to avoid detection. Notable APT campaigns include **APT28 (Fancy Bear)** attributed to Russian military intelligence, and **APT41** — a Chinese state-sponsored group that simultaneously conducts espionage and financially motivated cybercrime. ### 7. Supply Chain Attacks Rather than attacking a well-defended target directly, adversaries compromise a less-secure vendor or software provider upstream. The **SolarWinds breach** (2020) is the defining example: attackers inserted malicious code into a software update distributed to approximately 18,000 organisations, including US government agencies. ### 8. Zero-Day Exploits A zero-day vulnerability is a software flaw unknown to the vendor, for which no patch exists at the time of exploitation. Zero-day exploits are highly valuable on the black market and are frequently weaponised in APT campaigns. --- ## Attack Vectors: How Threats Enter Systems Understanding *how* threats enter an environment is as important as knowing *what* they are: | Attack Vector | Description | |---|---| | Email | Most common initial access vector; delivers phishing links and malicious attachments | | Unpatched Software | Exploitation of known CVEs in operating systems, browsers, or applications | | Remote Access Services | Brute-force or credential-stuffing attacks against RDP, VPNs, and SSH | | Third-Party Software | Compromised updates or libraries (supply chain) | | Physical Access | USB drops, device theft, or direct system access | | Cloud Misconfigurations | Publicly exposed S3 buckets, weak IAM policies, and unrestricted ports | --- ## Lessons from High-Profile Breaches ### Target Corporation (2013) Attackers gained initial access through a **third-party HVAC vendor** with network access to Target's environment. Once inside, they moved laterally to point-of-sale systems and exfiltrated credit card data belonging to approximately **40 million customers**. **Key lesson:** Third-party access and network segmentation failures are critical risk vectors. Vendor access should follow the principle of least privilege and be continuously monitored. ### Equifax (2017) A failure to patch a known vulnerability in the **Apache Struts** web framework (CVE-2017-5638) allowed attackers to infiltrate Equifax's systems. The breach exposed personal data of approximately **147 million individuals**, including Social Security numbers, birth dates, and addresses. **Key lesson:** Patch management is non-negotiable. Unpatched vulnerabilities in public-facing systems represent an open door to attackers. ### SolarWinds (2020) As described above, attackers embedded a backdoor (SUNBURST) into the SolarWinds Orion software update pipeline, compromising thousands of organisations globally before detection. **Key lesson:** Supply chain integrity requires code-signing, vendor security assessments, and anomaly monitoring for software updates. --- ## The Threat Intelligence Lifecycle Organisations do not defend against threats in isolation — they must build a **threat intelligence** function: 1. **Direction** — define what information is needed and why. 2. **Collection** — gather raw data from feeds, open-source intelligence (OSINT), and dark web monitoring. 3. **Processing** — normalise and filter the raw data. 4. **Analysis** — derive actionable insights from processed data. 5. **Dissemination** — share intelligence with relevant teams (SOC, CISO, IT). 6. **Feedback** — continuously refine the process based on operational outcomes. --- ## The Human Element Research consistently shows that **human error** contributes to over 80% of security incidents. A technical defence stack is only as strong as the security awareness of the people operating within it. Regular training, simulated phishing exercises, and a culture of security awareness are therefore not optional extras — they are foundational controls. --- ## Summary Cyber threats span a wide spectrum — from opportunistic script-kiddie attacks to precision APT campaigns directed by nation-states. The common thread is that organisations that understand the threat landscape, maintain awareness of attack vectors, and learn from high-profile incidents are far better positioned to defend themselves. In the chapters that follow, we will explore how risk management frameworks — from NIST to ISO 27001 — provide the structured methodology needed to translate this threat awareness into actionable, measurable security programmes. --- *Next: Chapter 1.3 — ISO/IEC 27001 Standards: Building a Risk-Aware Organisation*

📚 Want to go deeper?

Cyber Security Risk Management

The complete guide to quantifying risk, applying frameworks like NIST and ISO, and building a resilient security programme.

📬

Stay ahead of cyber threats

New book alerts + expert cyber security insights — straight to your inbox.