
Cybersecurity 101: A Spectrum of Threats

Michael DeNapoli
November 25, 2025

One of the most common questions we get here at Pondurance is, "What kind of threat activity can we protect against?" The question holds more weight than most people think, and is one that more organizations should think about much more often. It's true that not all threats can be blocked; there will always be some forms of threat activity that can slip through even the best defenses. Even so, the vast majority of malicious cyber activity can be blocked from impacting your company. Let's dive a little deeper into this topic using a spectrum, or scale, that was shared with this author many years ago by Allison Giannotto, a.k.a. Snipe of SnipeIT.


Allison started out her career as an IT wiz who slowly moved into cybersecurity due to the needs of the company she was working for, and has seen the science of cybersecurity, and the way threat actors work, evolve over the last few decades. During that time, she came to the realization (which others have also arrived at) that not all malicious activity is equal. Some threats are much easier to dodge, while others are almost impossibly hard. Working with a limited budget and even more limited staff, she used this straightforward "1 to 10" spectrum to decide where to assign resources for the greatest effect on the safety of the companies she worked for.


Level 1 - Non-targeted, non-specific "spray-and-pray" email threat: These are the phishing and other forms of threat email we all see on a daily basis. They generally don't even name their target, and use a copy-and-paste method to send the exact same email, SMS, or other message to hundreds of thousands of people, hoping someone will open the attachment or click the link. Example: Various phishing emails/texts.


Level 2 - Targeted and/or personalized email threats: These can be "spear-phishing" attacks where a threat actor goes after a specific target, or a mail-merge where usernames and real names are inserted into the email or other messaging (SMS, WhatsApp, etc.) to make the desired user interaction more likely. Example: Phishing emails personalized with information about you or your company.


Level 3 - User behavior manipulation: Threat actors purchase space on advertising networks and may even set up fake sites to trick a user into interacting with content that isn't what they think it is, leading to malicious downloads and other threat activity. Example: "Sponsored" links that lead to pages containing malicious downloads and/or code.


Level 4 - Targeted user behavior manipulation: Much like Level 3, but here the threat actor is specifically crafting these advertisements and fake sites to lure specific individuals (business leaders, healthcare professionals, etc.) or industries (legal, retail, manufacturing, etc.) into interacting. Example: A sponsored link that appears to lead to an industry organization's website, but instead leads to a credential-stealing site.


Level 5 - Exploiting known vulnerabilities: Here, a threat actor creates scripts and other automation to leverage a well-known weakness in an operating system or other software. This automation lets them attempt the exploit across thousands of organizations with little effort. The goal is to find organizations that have not patched critical systems, and use that foothold for further spread within the organization for malicious purposes. Examples: Recently exploited vulnerabilities in network devices from Cisco and Juniper, and in operating systems such as Windows and macOS.


Level 6 - Exploiting new vulnerabilities: A threat actor may discover a vulnerability on their own, meaning it isn't yet known to the vendor of the vulnerable software or to anyone else (a "zero-day"). This requires a great deal of both research and luck, but gives the attack a greater potential for success because no patch exists yet. Example: The NSO Group and its spyware, which takes advantage of previously unknown weaknesses in mobile phone operating systems to get itself installed.


Level 7 - Advanced user manipulation: By combining many of the techniques so far, and adding hands-on, real-time manipulation, threat actors can actively guide an attack by tricking personnel into performing actions that give the threat actor more access to systems. This can mean tricking a help-desk employee into resetting a user's password, or tricking a user into installing a browser extension or other software that opens a door into the organization. Examples: The recent threat activities of Scattered Spider, ShinyHunters, etc.


Level 8 - Exploiting inertia, process, and people directly: Threat actors can discover that outdated process and procedure have opened gaps in an organization's defenses, such as very weak identity and access control. A business process that has not been modernized brings continued use of outdated systems along with it, which may have weaker overall controls and defenses that a threat actor can take advantage of, such as reliance on very old software. Example: Many supply-chain attacks, where software or other solutions perceived as "safe" led to weak security controls around that software.


Level 9 - State-sponsored threat activity: When the unlimited budget and manpower of a nation-state are brought to bear, few organizations can actually stop the resulting threat activity. Nation-state threat actors can use hundreds of techniques and tactics over weeks or months to slowly chip away at defenses and find a way into even the most secure organizations, because neither time nor money is a factor. Example: Stuxnet (https://en.wikipedia.org/wiki/Stuxnet).


Level 10 - Internal collusion: If one or more key personnel are on the payroll of the threat actors, any defenses in place can simply be shut off, allowing complete access to the organization. This also applies to collusion involving vendors and organizations that aren't part of your company but sit between your company and the outside world, such as mobile carriers and device manufacturers. Example: The various actions of world governments working directly with mobile service providers.


So how can you defend against all of these things, and should you?


For Level 1 to Level 4 threats, everyone, companies and individuals alike, can and should defend against these types of threat activity. Learning to spot phishing and other forms of social engineering, checking that the site you land on is indeed the one you wanted to visit, and combining these habits with basic cybersecurity controls like anti-malware tools and a good email service provider can overcome these threats. It's still very possible one of these attacks will slip past one defense (like social engineering training), but it can then be caught by other layers. Especially for companies, layered defenses are critical in deflecting these attacks: user education combined with endpoint, network, and email security allows one layer to catch what another misses.


Level 5 is where we begin to get into things that are generally handled at the company level, much more so than what an individual would have at home. A comprehensive and well-prioritized vulnerability management program lets the organization recognize vulnerabilities that could be exploited to reach critical systems, and corporate policies that allow patching and upgrading when required add another layer of defense. Managed Detection and Response (MDR) services, like Pondurance, can be extremely helpful here. By looking for evidence of attempts to perform unusual or outright malicious actions (such as the steps required to exploit a vulnerability suddenly starting to play out), MDR solutions can raise alerts to investigate, and help in the mitigation of, potential and actual threat activity.
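As an added example of what "well-prioritized" can mean in practice (this is not code from the original post or from Pondurance), the script below ranks a constructed set of scanner findings. Rather than sorting on CVSS alone, it weights each finding by whether the weakness is already being exploited in the wild, whether the asset is internet-facing (the path the Level 5 automation actually reaches), and how critical the asset is, and then attaches a remediation deadline. The weights, SLA thresholds, asset names and `vuln-00x` identifiers are all illustrative assumptions, not a standard or real CVE IDs.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory (not from the original post). The vuln_id values
# are placeholders, not real CVE identifiers; assets and scores are made up.
@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float            # CVSS base score, 0.0 - 10.0
    known_exploited: bool  # seen exploited in the wild (e.g. on an exploited-vuln catalogue)
    internet_facing: bool  # reachable from outside the perimeter
    criticality: int       # 1 (lab box) .. 5 (domain controller, edge firewall)
    first_seen: date       # when the scanner first reported it

FINDINGS = [
    Finding("edge-fw-01", "vuln-001", 9.8, True,  True,  5, date(2025, 11, 15)),
    Finding("dc-01",      "vuln-002", 8.8, False, False, 5, date(2025, 11, 20)),
    Finding("web-app-02", "vuln-003", 7.5, False, True,  3, date(2025, 11, 22)),
    Finding("lab-vm-07",  "vuln-004", 9.2, False, False, 1, date(2025, 11, 5)),
]
TODAY = date(2025, 11, 25)  # fixed so the example is deterministic

def risk_score(f: Finding) -> float:
    """Weight raw severity by exploitation, exposure and what the asset protects."""
    score = f.cvss
    if f.known_exploited:
        score *= 2.0          # automation is already hitting this; treat as urgent
    if f.internet_facing:
        score *= 1.5          # the "spray across thousands of orgs" path reaches it
    score *= 0.5 + 0.25 * f.criticality   # 0.75 for a lab box, 1.75 for crown jewels
    return round(score, 2)

def sla_days(f: Finding) -> int:
    """Remediation deadline in days; the thresholds are a policy choice, not a standard."""
    if f.known_exploited:
        return 7
    if f.cvss >= 9.0:
        return 14
    if f.cvss >= 7.0:
        return 30
    return 90

def prioritize(findings, today: date):
    """Return findings ordered by risk score, with due date and overdue flag."""
    rows = []
    for f in findings:
        due = f.first_seen + timedelta(days=sla_days(f))
        rows.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "score": risk_score(f),
            "due": due,
            "overdue": today > due,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows

if __name__ == "__main__":
    for row in prioritize(FINDINGS, TODAY):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f'{row["asset"]:<12} {row["vuln_id"]} score={row["score"]:>6} due={row["due"]} {flag}')
```

Note what the ordering shows: the internal domain controller with an 8.8 outranks the internet-facing web server with a 7.5, and the lab VM with a 9.2 lands last even though its deadline has already passed. A real program would feed the overdue flag into ticketing and escalation rather than just printing it.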


Levels 6 and 7 are where organizational policy and protocols become critical to defeating these forms of threat. Technology alone can't compensate for them, because either the vulnerabilities are unknown (and therefore there are no patches to apply) or the attacks rely on non-technological methods to work (like tricking IT employees into resetting passwords). Well-defined policies and procedures allow these attacks to be detected by blocking inappropriate actions and/or quickly recognizing unusual behaviors and activities across the organization. MDR solutions can be a huge benefit here as well, identifying multiple events that add up to threat activity when seen as a collective group, even if any individual event might seem benign on its own.
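To make the "benign on their own, malicious together" point concrete, here is an added example (not code from the original post or from Pondurance) of the kind of correlation logic a detection team might write for the Level 7 help-desk scenario. Each event in the chain is routine: a help-desk password reset, a new MFA device enrolled, and a login from a location the user has not used before. The rule fires only when all three occur for the same user, in that order, inside a short window. The log line format, the user names, the `action`/`geo` field values and the RFC 5737 documentation IP addresses are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). The line format,
# user names, and RFC 5737 documentation addresses are all made up for the example.
SAMPLE_LOGS = """\
2025-11-25T09:02:00Z helpdesk user=alice action=password_reset actor=helpdesk-bob
2025-11-25T09:05:00Z idp user=alice action=mfa_enroll device=android-new src=203.0.113.9
2025-11-25T09:31:00Z vpn user=alice action=login src=203.0.113.9 geo=new
2025-11-25T10:00:00Z helpdesk user=carol action=password_reset actor=helpdesk-bob
2025-11-25T10:10:00Z vpn user=carol action=login src=198.51.100.4 geo=known
2025-11-25T07:00:00Z helpdesk user=dave action=password_reset actor=helpdesk-bob
2025-11-25T11:30:00Z idp user=dave action=mfa_enroll device=iphone src=192.0.2.7
2025-11-25T11:45:00Z vpn user=dave action=login src=192.0.2.7 geo=new
"""

# The sequence that, taken together, looks like a help-desk-assisted account takeover.
CHAIN = ("password_reset", "mfa_enroll", "login_new_location")

def parse_line(line: str) -> dict:
    """'<ISO timestamp> <source> key=value ...' -> dict (assumed log format)."""
    ts, source, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "source": source, "raw": line, **fields}

def step_of(ev: dict):
    """Map a raw event to a step in CHAIN, or None if it is not one we track."""
    action = ev.get("action")
    if action in ("password_reset", "mfa_enroll"):
        return action
    if action == "login" and ev.get("geo") == "new":
        return "login_new_location"
    return None

def correlate(log_text: str, window_minutes: int = 60):
    """Emit one alert per user whose events complete CHAIN, in order, within the window."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        step = step_of(ev)
        if step is not None:            # events outside the chain are ignored entirely
            ev["step"] = step
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(events):
            if anchor["step"] != CHAIN[0]:
                continue                # every chain starts at a password reset
            matched, want = [anchor], 1
            for ev in events[i + 1:]:
                if ev["ts"] - anchor["ts"] > window:
                    break               # past the window; this anchor cannot complete
                if ev["step"] == CHAIN[want]:
                    matched.append(ev)
                    want += 1
                    if want == len(CHAIN):
                        break
            if want == len(CHAIN):
                alerts.append({"user": user,
                               "start": matched[0]["ts"],
                               "end": matched[-1]["ts"],
                               "evidence": [m["raw"] for m in matched]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"ALERT {alert['user']}: reset -> new MFA device -> login from new location "
              f"within {alert['end'] - alert['start']}")
        for line in alert["evidence"]:
            print("   ", line)
```

On the sample data only alice trips the rule: carol's login comes from a known location, and dave's reset happened hours before his new device appeared. Widening the window is the usual tuning knob, and it illustrates the trade-off; at five hours dave is flagged too, which may or may not be what the analyst wants.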


Level 8 is all about not being stuck in a rut by inertia. "We've always done it this way" is a refrain that has led to more successful attacks than I'd care to count. People and process must evolve over time in the same way technology does. If they don't, an outdated way of managing user access can easily be leveraged by a threat actor to wedge open a digital door into the organization's wider data systems. Advisory services and regular assessments can identify when inertia is beginning to open security holes.


Levels 9 and 10 are rarely defensible against, but are also exceedingly rare to encounter. A threat actor with a virtually unlimited amount of money and man-hours will eventually find a way around defenses, policy, and procedures; they simply have enough time and enough people to get through in the end. Collusion takes all of your defenses out of the equation entirely, opening the door to whatever the threat actor wants to do. The most common examples of this level of threat activity are digital warfare events like Stuxnet, and the various government agency agreements with mobile carriers exposed by Edward Snowden.


These events were impossible to avoid entirely, and were so rare that they were unheard of before they occurred. Proper damage control plans and recovery methodologies are the only thing organizations can do to ensure they stay in business if they are impacted by one of these events, but the likelihood is so low that the vast majority of organizations will never encounter them.


Organizations cannot protect against every form of threat activity, nor can they entirely avoid being impacted by malicious actors. Even so, there are effective methodologies to prevent, limit, and derail threat activity in nearly every case. Knowing the spectrum of threat activity is a great first step toward devising a plan to defend against it.

About the Author:

Michael DeNapoli is a seasoned Senior Solutions Architect with more than 25 years of experience in cybersecurity, solution architecture, and enterprise systems design. Throughout his career, he has led technical strategy, security architecture, and advanced solution development for organizations ranging from emerging security vendors to global enterprises. Michael’s expertise spans cybersecurity operations, cloud architecture, technical sales leadership, security posture management, and identity protection, with a proven track record of guiding clients through complex technology challenges. Today, he brings his deep industry knowledge to Pondurance as a Senior Solutions Architect, helping organizations strengthen their security foundations with clarity and confidence.

