1. Information Security Overview

Information security is the practice of protecting information by mitigating information risks. It is the state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable.

The Core Elements (CIA Triad + 2)

Modern information security relies on five foundational pillars:

Confidentiality: Assurance that information is accessible only to authorized entities. Breaches occur due to improper data handling or unauthorized access. Controls include encryption, access controls, and data classification.
Integrity: The trustworthiness of data or resources. It guarantees that information has not been improperly altered. Controls include hashing algorithms (SHA-256), digital signatures, and strict access controls.
Availability: Assurance that systems delivering and storing information are accessible when required. Controls include redundancy (RAID), failover clusters, and DDoS mitigation strategies.
Authenticity: The characteristic of a communication or document that ensures the quality of being genuine. Controls include Biometrics, Smart Cards, and PKI Certificates.
Non-Repudiation: A guarantee that the sender of a message cannot later deny having sent the message, and the recipient cannot deny having received it. Digital signatures and audit trails provide non-repudiation.

Information Security Terminology

Hack Value: The notion among hackers that something is worth doing or is interesting. It is the perceived value of a target.
Vulnerability: The existence of a weakness, design, or implementation error that can lead to an unexpected event compromising the system.
Exploit: A breach of IT system security through vulnerabilities. It refers to the malicious code or technique used to take advantage of a flaw.
Payload: The part of malware or an exploit that performs the intended malicious action, such as deleting data or stealing passwords.
Zero-Day Attack: An attack that exploits a previously unknown computer vulnerability. "Zero-day" implies the developers had zero days of notice to fix the flaw before it was exploited.
Daisy Chaining: Gaining access to one network or computer and using it to gain access to multiple other networks.
Doxing: Publishing personally identifiable information about an individual or organization, usually gathered from public databases, social media, or hacking.
Target of Evaluation (TOE): An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation.

2. Motives, Goals, and Attack Vectors

Understanding the "why" and "how" of an attack is critical to anticipating it. Every cyberattack can be mathematically conceptualized as:

Attack = Motive (Goal) + Method (TTP) + Vulnerability

Common Motives

  • Disrupting business continuity
  • Information theft and corporate espionage
  • Financial loss to the target (Ransomware)
  • State-sponsored military objectives
  • Propagating religious or political beliefs
  • Damaging target reputation or exacting revenge

Threat Categories

  • Network Threats: Information gathering, sniffing, spoofing, session hijacking, MITM attacks.
  • Host Threats: Malware, footprinting, password guessing, privilege escalation, DoS attacks.
  • Application Threats: Injection attacks (SQLi), XSS, parameter tampering, directory traversal.

Tactics, Techniques, and Procedures (TTPs)

Threat actors do not attack randomly; they follow established TTPs:

Component | Definition | Example
Tactics | The overarching strategy adopted by an attacker. | Initial Access
Techniques | Technical methods used to achieve the tactic. | Phishing / Spearphishing
Procedures | The step-by-step approach to launch the attack. | Sending a macro-enabled Excel document via email.

Top Information Security Attack Vectors

An attack vector is a path or means by which a hacker gains access to a computer or network server. The most prevalent vectors today include:

Cloud Computing Threats: Flaws in cloud deployment, misconfigured buckets, insecure APIs, and lack of visibility.
Advanced Persistent Threats (APT): Stealthy and continuous computer network attack processes orchestrated by highly skilled state-sponsored actors targeting specific entities.
Mobile Device Threats: Malicious apps, smishing, weak encryption, and insecure OS implementations on BYOD devices.
Insider Threats: Disgruntled employees or contractors misusing authorized access to steal or destroy data.
IoT Threats: Default passwords, lack of firmware updates, and botnet recruiting (e.g., Mirai) across interconnected smart devices.
Web Application Threats: Exploiting software flaws like Cross-Site Scripting (XSS), SQL injection, and insecure direct object references (IDOR).

3. Classification of Attacks & Information Warfare

Classification of Attacks

Attacks are broadly categorized based on their execution methodology and the location of the attacker relative to the target.

Passive Attacks

The attacker intercepts data without altering it. Because there is no active interaction, these attacks are exceedingly difficult to detect. Examples: Network sniffing, traffic analysis, eavesdropping.

Active Attacks

The attacker actively tampers with data or disrupts communications. These attacks generate detectable noise on the network. Examples: DoS, DDoS, SQL Injection, Man-in-the-Middle (MITM).

Close-In Attacks

The attacker must be in physical proximity to the target network or personnel. Examples: Shoulder surfing, dumpster diving, unauthorized facility entry.

Insider Attacks

Executed by a trusted entity (employee, contractor) who misuses privileged access. Examples: Data exfiltration, planting logic bombs, intentional misconfiguration.

Distribution Attacks

Also known as Supply Chain attacks. The attacker tampers with hardware or software at its source or during transit prior to installation. Examples: Malicious firmware injection, compromised software updates.

Information Warfare (InfoWar)

Information warfare is the use of ICT to gain competitive advantages over an opponent. According to Martin Libicki, information warfare is divided into several categories:

Command and Control (C2) Warfare: Disrupting the enemy's C2 systems while protecting one's own.
Intelligence-based Warfare: Designing, protecting, and denying systems that seek sufficient knowledge to dominate the battlespace.
Electronic Warfare: Using radio, electronic, or cryptographic techniques to degrade communication capabilities.
Psychological Warfare: Using information to change the minds of friends, neutrals, and foes (e.g., demagoguery).
Hacker Warfare: Attacking civilian and military computer systems using software flaws, logic bombs, and viruses.
Economic Warfare: Monopolizing information or altering economic data to disrupt an adversary's economy.
Cyber Warfare: The use of information systems against virtual personas to achieve military or strategic objectives.

4. Hacking Concepts and Threat Actors

Hacking in computer security refers to exploiting vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources. The individuals conducting these activities are classified into various groups based on their intent, authorization, and affiliation.

Hacker Classes

White Hat Hackers

Authorized professionals hired to conduct penetration tests, identify vulnerabilities, and improve organizational security posture. They operate with strict consent.

Black Hat Hackers

Malicious actors who breach systems without authorization for financial gain, data theft, or destruction. Also known as crackers.

Gray Hat Hackers

Individuals who operate in a moral gray area. They may hack systems without permission to find bugs, but usually report them to the owner rather than exploiting them maliciously.

Script Kiddies

Inexperienced individuals who use pre-written hacking tools, scripts, and software without understanding the underlying mechanics of the attacks.

State-Sponsored Hackers

Highly skilled operators funded by national governments (APTs) targeting critical infrastructure, defense secrets, and intellectual property of rival nations.

Hacktivists

Individuals or groups who launch cyberattacks (typically DDoS or website defacements) to promote a political, social, or religious agenda.

Suicide Hackers

Individuals who aim to bring down critical infrastructure for a cause, without worrying about facing jail terms or other punishments.

Cyber Terrorists

Individuals with a wide range of skills who are motivated by religious or political beliefs to create severe fear by disrupting large-scale computer networks.

5. Ethical Hacking Concepts & Necessity

Ethical hacking is necessary because it allows organizations to preemptively identify vulnerabilities and anticipate attack vectors. "To beat a hacker, you need to think like one."

Why Organizations Hire Ethical Hackers

  • To uncover vulnerabilities in systems and explore their potential as a security risk.
  • To analyze and strengthen the organization's overall security posture.
  • To safeguard customer data and prevent catastrophic financial or reputational loss.
  • To test the responsiveness of the internal incident response team (Blue Team).

Scope and Limitations: Ethical hackers operate strictly within the defined scope outlined by the organization. The most critical distinction between an ethical hacker and a malicious actor is consent. Ethical hacking requires formal, written permission (Rules of Engagement).

6. Hacking Methodologies and Frameworks

Professional offensive operations follow strict, repeatable methodologies.

The 5 Phases of Hacking

01. Reconnaissance (Footprinting)

Gathering information about the target prior to the attack. Can be Passive (OSINT, WHOIS) or Active (interacting with the target server).

02. Scanning & Enumeration

Using the recon data to identify specific vulnerabilities, open ports, OS versions, and network topology using tools like Nmap.

03. Gaining Access

The exploitation phase. The attacker bypasses security controls, executes code, escalates privileges, and extracts data.

04. Maintaining Access

Ensuring persistence in the compromised environment using backdoors, rootkits, or trojans to survive reboots.

05. Clearing Tracks

Deleting logs, modifying registry entries, and hiding malicious artifacts to evade detection and maintain uninhibited access.

Cyber Kill Chain Methodology

Developed by Lockheed Martin, the Cyber Kill Chain is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. It provides a seven-phase protection mechanism and greater insight into adversary TTPs.

1. Reconnaissance

Gathering information about the target—searching the internet, social engineering, performing WHOIS/DNS footprinting, and scanning for open ports and services.

2. Weaponization

Creating a tailored deliverable malicious payload using an exploit and a backdoor. The adversary may craft phishing campaigns or leverage exploit kits based on identified vulnerabilities.

3. Delivery

Transmitting the weaponized payload to the victim via email attachments, malicious links, compromised websites, or USB drives.

4. Exploitation

Triggering the malicious code to exploit a vulnerability in the OS, application, or server on the target system.

5. Installation

Installing backdoors and maintaining persistence using encryption and evasion techniques to hide from security controls.

6. Command and Control (C2)

Establishing a two-way encrypted communication channel between the victim's system and the adversary-controlled server for remote exploitation.

7. Actions on Objectives

The adversary accomplishes their intended goals—data exfiltration, service disruption, or using the compromised system as a launchpad for further attacks.

MITRE ATT&CK Framework

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for developing specific threat models and methodologies. The framework contains 14 tactic categories derived from the later stages of the Cyber Kill Chain.

Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact

Use Cases: Prioritize defense capabilities, conduct alternatives analysis, determine security coverage, describe intrusion events using common references, identify adversary tradecraft commonalities, and connect mitigations with weaknesses.

Diamond Model of Intrusion Analysis

The Diamond Model offers a framework for identifying clusters of correlated events in any intrusion activity. It consists of four core features that, when arranged by their relationships, form a diamond-shaped structure.

Adversary: The opponent "who" was behind the attack—an individual, insider, or competing organization.
Victim: The target "where" the attack was performed—a person, organization, IP address, domain, or email.
Capability: "How" the attack was performed—strategies, tools, and techniques (e.g., brute forcing, ransomware).
Infrastructure: "What" the adversary used to reach the victim—hardware, software, C2 servers, email servers.

Extended Model: Adds socio-political meta-features (adversary-victim relationship, motivation) and technology meta-features (infrastructure-capability relationship). Additional event meta-features include timestamp, phase, result, direction, methodology, and resources.
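The clustering idea behind the Diamond Model can be shown by recording each event with its four core features and linking events that share a capability or infrastructure value. This is an added example, not part of the original notes; the event records, the GROUP-X label, and the function names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    event_id: str
    adversary: Optional[str]   # frequently unknown when the event is first recorded
    victim: str
    capability: str
    infrastructure: str
    phase: str                 # event meta-feature from the extended model


# Constructed events (hypothetical hosts, tools and addresses).
EVENTS = [
    Event("E1", None, "hr-laptop-01", "macro-dropper-A", "198.51.100.9", "Delivery"),
    Event("E2", None, "fin-ws-02", "macro-dropper-A", "203.0.113.20", "Delivery"),
    Event("E3", "GROUP-X", "db-srv-03", "ransomware-B", "203.0.113.20", "Actions on Objectives"),
    Event("E4", None, "kiosk-04", "brute-force-ssh", "192.0.2.77", "Exploitation"),
]


def cluster_events(events, pivots=("capability", "infrastructure")):
    """Group events that are connected through any shared pivot feature."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        # Union-find lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (feature, value) -> id of the first event carrying it
    for e in events:
        for feature in pivots:
            value = getattr(e, feature)
            if value is None:
                continue
            key = (feature, value)
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])
            else:
                first_seen[key] = e.event_id

    groups = defaultdict(list)
    for e in events:
        groups[find(e.event_id)].append(e)
    return sorted(groups.values(), key=lambda g: g[0].event_id)


def summarize(cluster):
    """Collapse a cluster into the four Diamond features an analyst pivots on."""
    return {
        "events": [e.event_id for e in cluster],
        "victims": sorted({e.victim for e in cluster}),
        "adversaries": sorted({e.adversary for e in cluster if e.adversary}),
        "capabilities": sorted({e.capability for e in cluster}),
        "infrastructure": sorted({e.infrastructure for e in cluster}),
    }


if __name__ == "__main__":
    for cluster in cluster_events(EVENTS):
        print(summarize(cluster))
```

E1 and E3 share no feature directly; they land in the same cluster only through E2, which is how an attributed event can suggest a candidate adversary for unattributed ones.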

Indicators of Compromise (IoCs)

IoCs are clues, artifacts, and forensic data found on a network or OS that indicate a potential intrusion or malicious activity. They are divided into four categories:

Email Indicators: Sender address, subject lines, malicious attachments or links.
Network Indicators: Malicious URLs, domain names, suspicious IP addresses.
Host-Based Indicators: Filenames, file hashes, registry keys, DLLs, mutex objects.
Behavioral Indicators: Code injection into memory, scripts running from applications, unusual PowerShell execution.

Key IoCs to monitor: Unusual outbound traffic, privileged account anomalies, geographical anomalies, multiple login failures, increased database reads, mismatched port-application traffic, suspicious registry changes, unusual DNS requests, and signs of DDoS activity.

Adversary Behavioral Identification

Identifying common adversary behaviors enhances detection capabilities. Key behaviors to monitor include:

  • Internal Reconnaissance: Enumeration of systems, hosts, processes, and unusual Batch/PowerShell commands.
  • Use of PowerShell: Automating data exfiltration; detected by checking transcript logs and Windows Event logs.
  • Unspecified Proxy Activities: Multiple domains pointing to the same host for quick switching to avoid detection.
  • Command-Line Interface Abuse: Browsing files, modifying content, creating accounts, and downloading malware via CLI.
  • HTTP User Agent Modification: Altering user agent fields to communicate with compromised systems.
  • C2 Server Communication: Encrypted outbound connections to adversary-controlled infrastructure.
  • DNS Tunneling: Obfuscating malicious traffic within legitimate DNS requests for data exfiltration.
  • Web Shell Deployment: Creating shells within websites for remote server access and file manipulation.
  • Data Staging: Collecting and combining sensitive data before exfiltration or destruction.
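Three of the behaviors and key IoCs listed above (DNS tunneling, multiple domains pointing to the same host, and multiple login failures) can be turned into simple detections. The following is an added example, not part of the original notes; the log layouts, thresholds, and sample events are constructed assumptions, and each rule is a heuristic that will also match some legitimate traffic such as shared hosting.

```python
import math
from collections import Counter, defaultdict

# Constructed sample events for illustration; field layouts are assumptions.
DNS_LOG = [  # (client_ip, queried_name, resolved_ip)
    ("10.0.0.5", "www.example.com", "203.0.113.10"),
    ("10.0.0.5", "mail.example.com", "203.0.113.11"),
    ("10.0.0.7", "a9f3k2l0q8z7x6c5v4b3n2m1p0o9i8u7y6t5r4e3.t.example.net", "198.51.100.9"),
    ("10.0.0.7", "q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6j7k8l9z0.t.example.net", "198.51.100.9"),
    ("10.0.0.8", "cdn.alpha.example", "192.0.2.44"),
    ("10.0.0.8", "cdn.bravo.example", "192.0.2.44"),
    ("10.0.0.8", "cdn.charlie.example", "192.0.2.44"),
]
AUTH_LOG = [  # (epoch_seconds, user, source_ip, outcome)
    (1000, "alice", "10.0.0.5", "FAIL"),
    (1300, "alice", "10.0.0.5", "OK"),
    (2000, "admin", "10.0.0.9", "FAIL"),
    (2005, "admin", "10.0.0.9", "FAIL"),
    (2010, "root", "10.0.0.9", "FAIL"),
    (2015, "admin", "10.0.0.9", "FAIL"),
    (2020, "svc", "10.0.0.9", "FAIL"),
]


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def parent_domain(name):
    """Naive last-two-labels parent (assumption: no public-suffix handling)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_dns_tunneling(dns_log, min_len=30, min_entropy=3.5, min_hits=2):
    """Flag (client, parent domain) pairs with repeated long, high-entropy labels."""
    hits = Counter()
    for client, name, _ip in dns_log:
        label = name.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits[(client, parent_domain(name))] += 1
    return {key for key, n in hits.items() if n >= min_hits}


def find_shared_hosts(dns_log, min_domains=3):
    """Flag IPs that several unrelated parent domains resolve to."""
    domains_by_ip = defaultdict(set)
    for _client, name, ip in dns_log:
        domains_by_ip[ip].add(parent_domain(name))
    return {ip: sorted(d) for ip, d in domains_by_ip.items() if len(d) >= min_domains}


def find_login_bursts(auth_log, min_failures=5, window=60):
    """Flag sources with min_failures failed logins inside a sliding time window."""
    failures = defaultdict(list)
    for ts, _user, src, outcome in auth_log:
        if outcome == "FAIL":
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= min_failures:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("DNS tunneling suspects:", find_dns_tunneling(DNS_LOG))
    print("Shared hosts:", find_shared_hosts(DNS_LOG))
    print("Login failure bursts:", find_login_bursts(AUTH_LOG))
```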

7. Information Security Controls

Information security controls prevent unwanted events and reduce risk to an organization's information assets. The core concepts critical to information security are confidentiality, integrity, and availability; the concepts related to access are authentication, authorization, and non-repudiation.

Information Assurance (IA)

IA refers to the assurance of integrity, availability, confidentiality, and authenticity of information during usage, processing, storage, and transmission. Key processes include:

  • Developing local policy and guidance to maintain systems at optimal security levels
  • Designing network and user authentication strategies
  • Identifying network vulnerabilities and threats through regular assessments
  • Applying appropriate information assurance controls
  • Performing Certification and Accreditation (C&A) of information systems

Continual/Adaptive Security Strategy

Organizations should adopt an adaptive security strategy involving four continuous activities:

01 — Protection

Defense-in-depth strategies, endpoint/network/data protection, security policies, firewalls, and IDS.

02 — Detection

Continuous threat monitoring, network traffic analysis, and packet sniffing to identify abnormalities.

03 — Response

Incident response, investigation, containment, impact mitigation, and eradication of root causes.

04 — Prediction

Risk and vulnerability assessment, attack surface analysis, and consuming threat intelligence data.

Defense-in-Depth

A security strategy using multiple protection layers throughout an information system. If one layer fails, another prevents the threat from reaching its target. Layers include:

  • Policies, Procedures, and Awareness
  • Physical Security
  • Perimeter Security (Firewalls, IPS/IDS)
  • Internal Network Security (VLANs, NAC)
  • Host Security (Antivirus, EDR, OS hardening)
  • Application Security (WAF, Code Review)
  • Data Security (Encryption, DLP)

Risk Management

Risk management is the process of identifying, assessing, responding to, and implementing controls to manage potential effects of risk. RISK = Threat × Vulnerability × Asset Value.

Risk levels range from Extreme (immediate action required) to Low (preventive steps). The four key phases are:

  1. Risk Identification: Identify sources, causes, and consequences of internal/external risks before they cause harm.
  2. Risk Assessment: Assess the likelihood and impact of identified risks; assign priorities for mitigation.
  3. Risk Treatment: Select and implement appropriate controls based on severity, cost, and likelihood of success.
  4. Risk Tracking & Review: Ensure appropriate controls are in place, monitor for new risks, and evaluate strategy performance.

Cyber Threat Intelligence (CTI)

CTI is the collection and analysis of information about threats and adversaries, drawing patterns that provide the ability to make knowledgeable decisions for preparedness, prevention, and response against cyberattacks. It converts unknown threats into known threats.

Types of Threat Intelligence

Strategic

High-level information on changing risks, attack trends, and financial impact. Consumed by executives and CISO.

Tactical

Information on attacker TTPs—malware, campaigns, techniques. Consumed by IT/SOC managers and administrators.

Operational

Information on specific incoming attacks, attacker methodologies, and past malicious activities. Consumed by security managers and network defenders.

Technical

Specific indicators of compromise—malicious IPs, domains, file hashes. Consumed by SOC staff and IR teams.

Threat Intelligence Lifecycle

  1. Planning & Direction: Define intelligence requirements, form the team, and create a collection plan.
  2. Collection: Gather data from OSINT, HUMINT, IMINT, SIGINT, and other sources.
  3. Processing & Exploitation: Convert raw data into usable format using structuring, decryption, parsing, and filtering.
  4. Analysis & Production: Combine sources, apply reasoning techniques, and elevate analyzed information to actionable intelligence.
  5. Dissemination & Integration: Deliver intelligence at strategic, tactical, operational, and technical levels. Collect feedback to improve the cycle.

Threat Modeling

A risk assessment approach for analyzing application security by capturing, organizing, and analyzing all relevant information. The five-step process:

  1. Identify Security Objectives: Define goals for confidentiality, integrity, and availability. Determine compliance requirements.
  2. Application Overview: Identify components, data flows, trust boundaries, roles, key usage scenarios, technologies, and security mechanisms.
  3. Decompose the Application: Break down trust boundaries, data flows, entry points, and exit points to find detailed threats.
  4. Identify Threats: Use question-driven approaches and frameworks like STRIDE to identify threats:
    • Spoofing Identity (Authenticity)
    • Tampering with Data (Integrity)
    • Repudiation (Non-Repudiation)
    • Information Disclosure (Confidentiality)
    • Denial of Service (Availability)
    • Elevation of Privilege (Authorization)
  5. Identify Vulnerabilities: Find weaknesses related to the identified threats using vulnerability categories.
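Steps 2 to 5 can be walked through on a small model: list the data flows, keep those that cross a trust boundary, and report each STRIDE category whose mitigating control is missing. This is an added example, not part of the original notes; the components, zones, flows, and the one-control-per-threat rule are simplifying assumptions.

```python
from dataclasses import dataclass

# STRIDE category -> security property it violates (mapping from the list above).
STRIDE = {
    "Spoofing": "Authenticity",
    "Tampering": "Integrity",
    "Repudiation": "Non-Repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# Assumed rule set: a threat is reported when this control is absent on a flow.
MITIGATING_CONTROL = {
    "Spoofing": "authenticated",
    "Tampering": "integrity_protected",
    "Repudiation": "logged",
    "Information Disclosure": "encrypted",
    "Denial of Service": "rate_limited",
    "Elevation of Privilege": "authorized",
}


@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    dest: str
    controls: frozenset


# Constructed application: component -> trust zone (hypothetical names).
ZONES = {"browser": "internet", "web_app": "dmz",
         "orders_db": "internal", "report_job": "internal"}

FLOWS = [
    Flow("profile update", "browser", "web_app",
         frozenset({"encrypted", "integrity_protected", "rate_limited"})),
    Flow("order query", "web_app", "orders_db",
         frozenset(MITIGATING_CONTROL.values())),
    Flow("nightly export", "orders_db", "report_job", frozenset()),
]


def crosses_boundary(flow, zones):
    """A flow is an entry/exit point when its endpoints sit in different zones."""
    return zones[flow.source] != zones[flow.dest]


def identify_threats(flows, zones):
    """Return (flow, threat, property at risk, missing control) findings."""
    findings = []
    for flow in flows:
        if not crosses_boundary(flow, zones):
            continue  # same trust zone: out of scope for this pass
        for threat, prop in STRIDE.items():
            control = MITIGATING_CONTROL[threat]
            if control not in flow.controls:
                findings.append((flow.name, threat, prop, control))
    return findings


if __name__ == "__main__":
    for finding in identify_threats(FLOWS, ZONES):
        print("%s: %s threatens %s (missing control: %s)" % finding)
```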

Incident Management & Response

Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal operations and prevent recurrence. Incident Handling and Response (IH&R) involves organized, careful steps when reacting to a security incident.

IH&R Process Steps

1. Preparation — Audit resources, define policies, build and train the incident response team.
2. Incident Recording — Initial reporting, recording, and assigning the incident with proper communication plans.
3. Incident Triage — Analyze, validate, categorize, and prioritize based on attack type, severity, and impact.
4. Notification — Inform stakeholders including management, vendors, and clients.
5. Containment — Prevent the spread of infection to other organizational assets.
6. Evidence Gathering & Forensics — Collect evidence and submit for investigation.
7. Eradication — Remove root cause and close all attack vectors.
8. Recovery — Restore affected systems, services, and data.
9. Post-Incident Activities — Documentation, impact assessment, policy revision, investigation closure, and disclosure.

Role of AI & Machine Learning in Cybersecurity

ML is an unsupervised self-learning system that defines what a normal network looks like and reports deviations or anomalies in real-time. AI and ML help identify new exploits and weaknesses for faster mitigation.

Supervised Learning — Algorithms using labeled training data to learn differences between labels. Includes classification and regression.
Unsupervised Learning — Algorithms using unlabeled data to deduce categories. Includes clustering and dimensionality reduction.

How AI/ML Prevent Cyber Attacks:

  • Password Protection & Authentication: AI improves biometric validations and face recognition.
  • Phishing Detection: AI/ML scan and identify phishing emails faster than humans and differentiate malicious from legitimate websites.
  • Threat Detection: ML constantly analyzes data to notify admins of imminent threats before systems are compromised.
  • Vulnerability Management: AI dynamically scans for vulnerabilities and predicts when exploitation might occur.
  • Behavioral Analytics: AI generates user patterns and alerts on suspicious deviations from normal usage.
  • Network Security: AI analyzes traffic and proposes efficient security policies by default.
  • AI-Based Antivirus: Uses anomaly detection instead of signature matching to detect suspicious program behavior.
  • Fraud & Botnet Detection: ML algorithms identify fraudulent transactions and detect unauthorized intrusions that bypass traditional IDS.

8. Information Security Laws and Standards

Laws are a system of rules enforced by a particular country or community to govern behavior. A Standard is a document established by consensus and approved by a recognized body that provides rules, guidelines, or characteristics for activities. Ethical hackers must operate strictly within legal boundaries.

Payment Card Industry Data Security Standard (PCI DSS)

A proprietary information security standard for organizations handling cardholder information for major debit, credit, prepaid, ATM, and POS cards. It applies to all entities involved in payment card processing. Failure to meet requirements may result in fines or termination of processing privileges.

Key Requirements:
  • Build and Maintain a Secure Network (Firewalls, no vendor defaults)
  • Protect Cardholder Data (Encryption at rest and in transit)
  • Maintain a Vulnerability Management Program (Antivirus, secure systems)
  • Implement Strong Access Control Measures (Unique IDs, physical restrictions)
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

ISO/IEC Standards

International standards for security management and implementation.

  • ISO/IEC 27001:2022 — The framework for establishing, implementing, and continually improving an Information Security Management System (ISMS).
  • ISO/IEC 27701:2019 — Extends 27001 to include privacy management and protection of Personally Identifiable Information (PII).
  • ISO/IEC 27002:2022 — Outlines best practices and control objectives for cybersecurity (access control, cryptography).
  • ISO/IEC 27018:2019 — Code of practice for protecting PII in public cloud environments.

Health Insurance Portability and Accountability Act (HIPAA)

Provides federal protections for individually identifiable health information held by covered entities and business associates. Key rules include:

  • Privacy Rule: National standards to protect medical records and personal health information.
  • Security Rule: Requires administrative, physical, and technical safeguards for electronic protected health information (ePHI).
  • National Provider Identifier (NPI): A unique 10-digit identification number for covered health care providers.

Sarbanes-Oxley Act (SOX)

Enacted in 2002 to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It mandates reforms to enhance corporate responsibility, enhance financial disclosures, and combat accounting fraud. Title III requires senior executives to take individual responsibility for the accuracy of financial reports, and Title IV mandates internal controls to ensure report accuracy.

General Data Protection Regulation (GDPR)

One of the most stringent privacy and security laws globally, implemented by the EU in 2018. It imposes obligations on organizations anywhere in the world if they collect data related to people in the EU, levying fines reaching tens of millions of euros for violations.

Data Protection Principles:
  • Lawfulness, fairness, and transparency
  • Purpose limitation (legitimate purposes only)
  • Data minimization (only as much data as necessary)
  • Accuracy (keep data up to date)
  • Storage limitation (store only as long as necessary)
  • Integrity and confidentiality (encryption)
  • Accountability (demonstrating compliance)

Additional Key Legislation

  • DMCA (Digital Millennium Copyright Act): Defines legal prohibitions against circumvention of technological protection measures employed by copyright owners.
  • FISMA (Federal Information Security Management Act): A comprehensive framework for ensuring the effectiveness of information security controls over federal operations and assets in the US.
  • DPA 2018 (Data Protection Act): The UK framework for data protection law, updated to replace the 1998 act and reflecting the UK's status outside the EU post-GDPR.