The path or method an attacker uses to gain unauthorized access to a system or network.
Wired network threats:
| Threat | Description |
|---|---|
| Rogue devices | Unauthorized hubs, switches, or computers plugged into the network |
| On-path (MITM) | Intercepting and potentially modifying traffic between two parties |
| ARP poisoning | Linking attacker’s MAC to victim’s IP — redirects local traffic |
| MAC spoofing | Changing MAC address to impersonate a device or bypass filtering |
| 802.1X bypass | Exploiting misconfigured NAC to gain access |
| Replay attacks | Capturing and retransmitting valid auth tokens |
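The ARP poisoning and on-path rows above can be detected from the ARP traffic itself. The following is an added example (not part of the original notes) that checks two classic indicators over a constructed list of ARP replies: an IP whose MAC changes, and one MAC answering for several IPs. The sample addresses and the `known_pairs` option are assumptions for the demo.

```python
"""Detect ARP-poisoning indicators in a sequence of ARP replies.

Added example for these notes, not part of the original page. The input is a
constructed list of (timestamp, sender_ip, sender_mac) tuples; in practice
these would come from a packet capture or a switch's ARP inspection log.
"""
from collections import defaultdict

# Constructed sample traffic. aa:..:01 is the real gateway; de:ad:be:ef:00:01
# is a host that starts answering for both the gateway and a victim.
SAMPLE_REPLIES = [
    (1, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (2, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (3, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (4, "10.0.0.1",  "de:ad:be:ef:00:01"),   # gateway IP now mapped to a new MAC
    (5, "10.0.0.20", "de:ad:be:ef:00:01"),   # same MAC also claims the victim's IP
]


def detect_arp_poisoning(replies, known_pairs=None):
    """Return a list of alert tuples.

    Two indicators are checked, both classic signs of an on-path host:
      ("mac_change", ts, ip, old_mac, new_mac)  an IP's MAC differs from what
          was seen earlier, or from a static known_pairs entry such as the
          gateway's real MAC (static entries are never overwritten)
      ("multi_ip", ts, mac, ips)  one MAC answering for several IPs
    """
    known_pairs = {ip: m.lower() for ip, m in (known_pairs or {}).items()}
    ip_to_mac = dict(known_pairs)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac_change", ts, ip, previous, mac))
        if ip not in known_pairs:          # learned entries follow the traffic
            ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("multi_ip", ts, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
```

Seeding `known_pairs` with the gateway's real MAC is the useful operational step: without it, the first reply a sensor sees for an IP is trusted, which is exactly what a poisoner that starts early relies on.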
Wireless threats:
| Threat | Description |
|---|---|
| Evil twin AP | Rogue AP mimicking a legit SSID — captures credentials |
| Deauth attack | Forcing clients off the network via 802.11 deauthentication frames |
| WPA2 cracking | PMKID attack or capturing handshake for offline brute force |
| SSID spoofing | Broadcasting same SSID as legit network |
| Wardriving | Mapping wireless networks from a moving vehicle |
| Captive portal attack | Fake Wi-Fi portal harvesting credentials |
```bash
# Evil twin / deauth (for authorized testing only)
airmon-ng start wlan0                        # put wlan0 into monitor mode (creates wlan0mon)
airodump-ng wlan0mon                         # list nearby APs and associated clients
aireplay-ng --deauth 0 -a <BSSID> wlan0mon   # send deauth frames for the AP's BSSID (0 = continuous)
```
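A deauth attack like the one above is noisy on the air: a burst of deauthentication frames carrying one BSSID in a short window. The following added example (not part of the original notes) implements that detection over a constructed frame list; the BSSID, the window length and the threshold are assumptions chosen for the demo.

```python
"""Flag 802.11 deauthentication floods from a stream of management frames.

Added example, not from the original notes. Frames are constructed tuples
(timestamp_s, subtype, bssid, destination); a real wireless IDS would take
them from a capture on a monitor-mode interface.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"        # constructed legitimate AP BSSID

# Constructed frames: normal beacons, one ordinary deauth, then a burst of
# broadcast deauths carrying the AP's BSSID inside roughly half a second.
SAMPLE_FRAMES = [
    (0.0, "beacon", AP, BROADCAST),
    (0.5, "deauth", AP, "66:77:88:99:aa:bb"),   # a single deauth is normal
    (10.0, "beacon", AP, BROADCAST),
] + [(round(20.0 + 0.05 * i, 2), "deauth", AP, BROADCAST) for i in range(12)]


def detect_deauth_flood(frames, window_s=2.0, threshold=10):
    """Return alerts as (bssid, ts, deauths_in_window, broadcast_in_window).

    An alert fires when `threshold` or more deauth frames carrying the same
    BSSID arrive within `window_s` seconds. At most one alert per BSSID per
    window, so a long flood does not produce one alert per frame. The count
    of broadcast destinations is reported because a broadcast deauth kicks
    every client at once and is rarely sent by a healthy AP.
    """
    recent = defaultdict(deque)      # bssid -> (ts, dst) of recent deauths
    last_alert = {}
    alerts = []
    for ts, subtype, bssid, dst in frames:
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) >= threshold and ts - last_alert.get(bssid, float("-inf")) > window_s:
            broadcast = sum(1 for _, d in q if d == BROADCAST)
            alerts.append((bssid, ts, len(q), broadcast))
            last_alert[bssid] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

Detection tells you a flood is happening; the mitigation is 802.11w Protected Management Frames (PMF), which authenticates deauth and disassociation frames so a spoofed one is discarded by the client.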
Bluetooth threats:
| Threat | Description |
|---|---|
| Bluejacking | Sending unsolicited messages via Bluetooth |
| Bluesnarfing | Unauthorized access to data (contacts, messages) via Bluetooth |
| Bluebugging | Taking control of device via Bluetooth |
| KNOB attack | Forcing weak encryption keys on BT connection |
Removable media / USB attacks:
| Attack | Description |
|---|---|
| USB drop attack | Leaving infected USB drives in parking lots / offices |
| Rubber Ducky | USB device that emulates a keyboard — injects keystrokes |
| BadUSB | Reprogrammed USB firmware to act as HID or network adapter |
| Keylogger (hardware) | Physical device between keyboard and computer |
| Juice jacking | Malicious USB charging cable/station exfiltrates data |
USB drop attack psychology:
- Labeled "Payroll Q4" or "Confidential"
- Relies on curiosity + lack of policy awareness
Defense: Disable AutoRun, block USB via GPO/endpoint policy
Removable-media exfiltration methods:
- Copying sensitive files to USB
- Burning to optical media
- Using personal smartphones as storage devices
Mitigation: DLP software, endpoint USB blocking, monitoring alerts
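The USB blocking and monitoring mitigations above both come down to the same check: was the device that was just plugged in approved? The following added example (not part of the original notes) scores constructed endpoint USB-connect events against an allowlist and maps each unapproved device to the threat row it corresponds to. The log schema and the vendor/product IDs are assumptions for the demo; the USB class codes are the standard ones.

```python
"""Check endpoint USB-connect events against a device allowlist.

Added example, not from the original notes. The log format and the
vendor/product IDs are constructed for this demo; a real endpoint agent has
its own schema. USB interface class codes are standard: 03 = HID (keyboards
and mice, which is what a Rubber Ducky / BadUSB presents as), 08 = mass
storage (the USB-drop and exfiltration case).
"""
import re

USB_CLASS_HID = "03"
USB_CLASS_MASS_STORAGE = "08"

# Constructed allowlist of (vendor_id, product_id): a corporate keyboard and
# an approved encrypted drive.
ALLOWED_DEVICES = {("1111", "0001"), ("2222", "0002")}

# Constructed log lines.
SAMPLE_LOG = """\
2024-05-01T09:00:01 host=WS01 event=USB_CONNECT vid=1111 pid=0001 class=03 serial=KB-CORP-01
2024-05-01T09:15:22 host=WS01 event=USB_CONNECT vid=2222 pid=0002 class=08 serial=ENC-DRIVE-7
2024-05-01T12:03:40 host=WS01 event=USB_CONNECT vid=3333 pid=0003 class=08 serial=UNKNOWN-STICK
2024-05-01T12:10:05 host=WS01 event=USB_CONNECT vid=4444 pid=0004 class=03 serial=
2024-05-01T12:10:06 host=WS01 event=USB_DISCONNECT vid=4444 pid=0004 class=03 serial=
2024-05-01T12:11:00 host=WS01 event=USB_CONNECT vid=5555 pid=0005 class=ff serial=X
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"vid=(?P<vid>[0-9a-f]{4}) pid=(?P<pid>[0-9a-f]{4}) "
    r"class=(?P<cls>[0-9a-f]{2}) serial=(?P<serial>\S*)$",
    re.IGNORECASE,
)


def classify(usb_class):
    """Map an unapproved device's class to the threat it represents."""
    if usb_class == USB_CLASS_HID:
        return "unapproved HID: keystroke-injection (Rubber Ducky / BadUSB) indicator"
    if usb_class == USB_CLASS_MASS_STORAGE:
        return "unapproved mass storage: USB-drop / exfiltration risk"
    return "unapproved device"


def evaluate_usb_log(text, allowed=ALLOWED_DEVICES):
    """Return findings as (timestamp, host, (vid, pid), reason).

    Only connect events are scored; allowlisted devices are ignored. Lines
    that do not parse are skipped rather than raising, since a detection job
    should not die on one malformed record.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "USB_CONNECT":
            continue
        key = (m["vid"].lower(), m["pid"].lower())
        if key in allowed:
            continue
        findings.append((m["ts"], m["host"], key, classify(m["cls"].lower())))
    return findings


if __name__ == "__main__":
    for finding in evaluate_usb_log(SAMPLE_LOG):
        print(finding)
```

A device that enumerates as HID from a vendor/product pair the fleet has never seen is the high-priority row: a user cannot "open" a keyboard, so there is no curiosity step to train away, only the allowlist.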
Supply chain attack:
Compromising the software, hardware, or services an organization relies on — attacking the supplier rather than the target directly.
Types:
- Software supply chain: Injecting malware into updates or libraries
- Hardware supply chain: Tampering with devices before delivery
- Managed service provider (MSP) compromise: Attacker pivots from MSP to all clients
Notable incidents:
| Incident | Method |
|---|---|
| SolarWinds (2020) | Malicious code injected into Orion software update |
| NotPetya (2017) | Spread via compromised Ukrainian accounting software (M.E.Doc) |
| XZ Utils (2024) | Backdoor inserted into open-source compression library |
| Codecov (2021) | Compromised CI/CD script leaked environment secrets |
Mitigations:
- Software Bill of Materials (SBOM) — inventory all dependencies
- Code signing — verify integrity of software updates
- Vendor risk management — assess third-party security posture
- Zero trust — don't implicitly trust third-party software
- Monitor for unexpected outbound traffic from tools
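The SBOM and integrity items above are checkable: pin each inventoried component to a hash and refuse a delivery that does not match. The following added example (not part of the original notes, and not the tooling of any project named above) does that over constructed components, catching a tampered artifact, a component that went missing, and an extra component that was never inventoried. The SBOM shape and all component bytes are assumptions for the demo.

```python
"""Verify a delivered set of software components against a pinned SBOM.

Added example, not from the original notes. The SBOM shape is a simplified
CycloneDX-like dict and all component bytes are constructed placeholders.
This covers the SBOM / integrity-pinning part of the mitigations list; real
code signing (Authenticode, GPG, Sigstore) adds an asymmetric signature over
the artifact, which this stdlib-only example does not implement.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" bytes the SBOM was generated from.
GOOD_BYTES = {
    "compression-lib": b"compression-lib 1.0 placeholder bytes",
    "app-core": b"app-core 2.0 placeholder bytes",
    "crypto-lib": b"crypto-lib 3.1 placeholder bytes",
}

SBOM = {
    "components": [
        {"name": name, "sha256": sha256_hex(data)} for name, data in GOOD_BYTES.items()
    ]
}

# Constructed delivery: one component tampered (bytes appended after the SBOM
# was produced), one component missing, and one unlisted extra.
RECEIVED = {
    "compression-lib": GOOD_BYTES["compression-lib"] + b"\n# appended after SBOM was produced",
    "app-core": GOOD_BYTES["app-core"],
    "extra-tool": b"never in the bill of materials",
}


def verify_against_sbom(sbom, received):
    """Return {component_name: status}.

    status is one of:
      "ok"             hash matches the SBOM entry
      "hash_mismatch"  bytes differ from what the SBOM pins
      "missing"        listed in the SBOM but not delivered
      "not_in_sbom"    delivered but never inventoried
    """
    pinned = {c["name"]: c["sha256"] for c in sbom["components"]}
    result = {}
    for name, expected in pinned.items():
        if name not in received:
            result[name] = "missing"
            continue
        actual = sha256_hex(received[name])
        # compare_digest keeps the comparison constant-time
        result[name] = "ok" if hmac.compare_digest(actual, expected) else "hash_mismatch"
    for name in received:
        if name not in pinned:
            result[name] = "not_in_sbom"
    return result


def delivery_is_trusted(sbom, received) -> bool:
    """Install only when every pinned component is present and unchanged."""
    return all(status == "ok" for status in verify_against_sbom(sbom, received).values())


if __name__ == "__main__":
    for name, status in verify_against_sbom(SBOM, RECEIVED).items():
        print(f"{name}: {status}")
    print("trusted:", delivery_is_trusted(SBOM, RECEIVED))
```

The "not_in_sbom" case is the one teams most often forget to fail on: a build that quietly gains a dependency is the first visible symptom of a compromised pipeline, which is what the Codecov row describes.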
Other threat vectors:
| Vector | Description |
|---|---|
| Direct-access | Physical access to a device — boot from USB, bypass login |
| Shadow IT | Unauthorized apps/services that bypass security controls |
| Misconfigured services | Open S3 buckets, exposed admin panels, default credentials |
| Unpatched software | Known CVEs exploited before patches applied |
| Third-party APIs | Insecure integrations exposing backend data |