Network Security Lesson 2 – Network Threat Landscape | Dataplexa

Network Security

I. Network Security Fundamentals
1. What is Network Security 2. Network Threat Landscape 3. OSI & TCP/IP (Security) 4. Network Attack Surface 5. Network Security Controls 6. Defense in Network Security 7. Perimeter Security 8. Internal Network Security 9. Network Security Best Practices 10. Network Security Careers
II. Firewalls, IDS & Architecture
11. Firewall Fundamentals 12. Types of Firewalls 13. Firewall Rules & Policies 14. Network Segmentation 15. IDS vs IPS 16. Intrusion Detection 17. Secure Network Architecture 18. Zero Trust Networking 19. Network Security Hardening 20. Design Checklist
III. Attacks, Monitoring & Defense
21. Network Reconnaissance 22. ARP Spoofing 23. DNS Attacks 24. DHCP Attacks 25. Network Sniffing 26. MITM Attacks 27. DoS Attacks 28. Traffic Analysis 29. Security Monitoring 30. Incident Detection
IV. VPN, Cloud & Real World
31. VPN Concepts 32. IPsec & SSL VPN 33. Wireless Security 34. Secure Remote Access 35. Logging & Auditing 36. Cloud Network Security 37. Security Automation 38. Network Troubleshooting 39. Security Checklist 40. Mini Project – Secure Network
Network Security · Lesson 2

The Threat Landscape

Identify the full range of adversaries, attack vectors, and motivations facing a real network so you can prioritize defenses where they will actually matter.

The Attack That Started with a Thermostat

In 2017, an unnamed North American casino lost 10 gigabytes of high-roller data to attackers who got in through a fish tank thermometer. The smart device was connected to the casino's main network for remote monitoring — and it had default credentials, an unpatched firmware, and no network isolation. From the thermometer, attackers pivoted to the database server holding the high-value customer list and exfiltrated it before anyone noticed unusual traffic.

That story gets told a lot because it is funny and absurd. But it illustrates something serious: the threat landscape is not just hackers at keyboards typing furiously. It is every device, every credential, every misconfigured service, and every person with network access — any of which can become the entry point for something much worse.

Understanding the threat landscape means mapping the full picture of what could go wrong, who could cause it, and how — before the incident, not after. The organizations that do this well are not necessarily the ones with the biggest security budgets. They are the ones that have spent time thinking carefully about which threats actually apply to them.

Who Is Actually Out There

Security training has a habit of making every attacker sound like a sophisticated nation-state operative. The reality is messier and, in some ways, more unsettling — because the most common threats require almost no sophistication at all.

Script Kiddies & Opportunists

Run pre-built tools and exploit kits against any target that shows up in a scan. They are not targeting your company — they are targeting your unpatched service. Low skill, high volume, and responsible for the majority of successful breaches against small and mid-size organizations.

Financially Motivated Groups

Organized crime groups running ransomware-as-a-service operations, business email compromise campaigns, or large-scale credential theft. These groups have division of labor — some members specialize in initial access, others in lateral movement, others in monetization. They operate like businesses.

Insider Threats

Current or former employees, contractors, and partners with legitimate credentials. Most insider incidents are not malicious — a departing employee copies their work files out of habit, or a contractor misconfigures a server while rushing. But intentional insiders are the hardest to detect because they already have access.

Nation-State Actors

Government-backed groups with significant resources, long time horizons, and strategic objectives — IP theft, critical infrastructure disruption, or persistent surveillance. They use zero-day vulnerabilities, supply chain compromises, and multi-stage campaigns that unfold over months. Most organizations will never face them directly.

TechPulse's security lead Meera spent her first month building a realistic threat profile for the company. The honest answer was: 80% of their risk came from opportunistic attackers and phishing campaigns, 15% from financially motivated groups that target mid-size SaaS companies for customer data, and perhaps 5% from insider risk given their growth stage and high employee turnover in the Support team. Nation-state actors were not on the priority list — not because the threat is impossible, but because no finite security budget should be distributed equally across unequal risks.

Attack Vectors: The Routes In

An attack vector is the specific path an attacker uses to gain access — the door, window, or ventilation shaft in the physical security analogy. Networks have many vectors, and the most dangerous ones are often the most mundane.

The Most Exploited Entry Points — In Rough Order of Frequency

1

Phishing & social engineering — a crafted email, SMS, or phone call tricks a user into handing over credentials or running a malicious attachment. Accounts for roughly 36% of all breaches in Verizon's annual data breach reports.

2

Unpatched vulnerabilities — known software flaws that have not been fixed. Automated scanners find exposed services and match them to public exploit databases within hours of a CVE being published.

3

Stolen or weak credentials — password reuse means a breach at one service hands attackers valid logins to a dozen others. Credential stuffing tools can test millions of username/password pairs per hour against exposed login pages.

4

Misconfigured services — an S3 bucket left public, an admin interface without authentication, a firewall rule that got added during an incident and never removed. Configuration drift is a continuous source of exposure in any live environment.

5

Supply chain & third-party compromise — an attacker who cannot breach the target directly goes after a software vendor, managed service provider, or contractor with trusted access. The SolarWinds compromise in 2020 reached thousands of organizations through a single software update.

The 72-Hour Window

Security researchers have measured how quickly attackers move after a major CVE is published. In several documented cases, working exploits appeared in the wild within 72 hours of a vulnerability disclosure. For unpatched systems facing internet-exposed services, the window between "public knowledge" and "active exploitation" is measured in days, not weeks. Patch cycles that assume months of runway are operating on outdated assumptions about attacker speed.

Malware Families: What Gets Deployed Once Inside

Getting past the perimeter is the beginning, not the end. Once an attacker has access, they typically deploy software to maintain that access, move further into the network, and eventually accomplish whatever goal brought them there. These tools have distinct signatures that security teams learn to recognize.

Malware Type What It Does Network Indicator Primary Goal
Ransomware Encrypts files or systems and demands payment for decryption keys Massive write activity, outbound C2 connections, SMB scanning Financial extortion
Remote Access Trojan (RAT) Gives the attacker persistent remote control of an infected host Beaconing to C2 servers on unusual ports or intervals Persistent access, data theft
Keylogger / Spyware Records keystrokes, takes screenshots, or harvests credentials from memory Small, regular outbound data transfers to uncommon destinations Credential theft, surveillance
Botnet Agent Enrolls the host in a network of compromised machines used for DDoS, spam, or mining High outbound traffic, connections to known botnet C2 infrastructure DDoS-for-hire, spam, crypto mining
Rootkit Hides itself and other malware at the OS or firmware level, making detection extremely difficult Inconsistencies between running processes reported by OS vs network traffic observed Stealth, long-term persistence

The network behavior column in that table matters enormously. Every piece of malware eventually has to communicate — with a command-and-control server to receive instructions, with the attacker to exfiltrate data, or with other infected hosts to spread. That communication is the telltale pattern that well-configured network monitoring catches. This is why traffic analysis is not optional; it is often the only way to find sophisticated malware that successfully hides from endpoint tools.

Threat Intelligence: Knowing Before You Are Hit

Threat intelligence is the practice of collecting, analyzing, and acting on information about the threat actors, techniques, and indicators relevant to a specific organization. Done well, it lets a security team shift from purely reactive — finding out about attacks when they land — to at least partially predictive.

Intelligence comes in different forms. Indicators of Compromise (IoCs) are specific, technical artifacts: a malicious IP address, a domain name used for command-and-control, a file hash matching a known malware sample. These are easy to share and consume, but also the fastest to change — an attacker can rotate infrastructure in hours. Tactics, Techniques, and Procedures (TTPs) describe how attackers operate at a behavioral level: what tools they prefer, how they move laterally, how they exfiltrate data. TTPs are slower to change and therefore more durable intelligence.

TechPulse: A Phishing Campaign Hits the Support Team

Three members of TechPulse's Support team received near-identical emails purporting to be from the company's HR platform, asking them to verify their direct deposit details via a linked form. Two clicked through. One entered credentials before the IT team received a phishing report from the third. Meera pulled the email headers, traced the sending domain to a lookalike registered four days earlier, and submitted the IoC to the company's threat intel feed within the hour. The attacker's infrastructure was already being used against at least six other SaaS companies in the same sector. Sharing threat intelligence through industry groups like FS-ISAC or sector-specific ISACs means TechPulse's discovery helps other companies before they become victims too.

The most widely used framework for organizing threat intelligence is MITRE ATT&CK — a publicly available knowledge base that catalogs the tactics and techniques observed from real-world adversaries. Security teams use it to map their detection coverage: which attacker behaviors can they actually see in their logs, and which would pass through completely undetected?

Risk: Probability Meets Impact

Not every threat in the landscape demands the same response. The concept that connects threat knowledge to resource allocation is risk — a function of how likely a threat is to materialize and how damaging the result would be. High likelihood with low impact is a nuisance. Low likelihood with catastrophic impact still demands preparation. High likelihood with high impact is an emergency.

Qualitative Risk Assessment

Rates threats on descriptive scales — high, medium, low — based on expert judgment. Faster to produce and useful for broad prioritization. Most organizations start here because it requires no historical loss data.

Best for: initial threat modeling, board-level communication, rapid triage after an incident or infrastructure change.

Quantitative Risk Assessment

Assigns numerical probabilities and financial impact values to produce an expected loss figure — the Annual Loss Expectancy (ALE). More defensible for budget decisions but requires reliable historical data that most organizations do not have.

Best for: security investment decisions, insurance conversations, comparing the cost of a control against the risk it reduces.

Meera's threat model for TechPulse used a hybrid approach. She built a simple risk matrix mapping their identified threats against asset value — the production database containing customer PII sat in the top-right quadrant of high likelihood and high impact, which made it the first priority for additional controls. The legacy reporting server in the co-location facility had moderate exploit likelihood but minimal business impact if compromised on its own, so it went on the deferred list while higher-value targets got attention first.

The Compliance Trap

Many organizations conflate passing a compliance audit with having a good security posture. These are related but different things. A compliance framework like SOC 2 or ISO 27001 tells you which controls you need to have documented and in place — it does not tell you whether those controls are tuned to your specific threat landscape. An organization can pass every audit and still be catastrophically exposed to the threats that are actually targeting them, if the controls do not line up with the real risks. Compliance is a floor, not a ceiling.

Building a Threat Model for TechPulse

A threat model is a structured document — or diagram, or spreadsheet — that answers four questions about a specific system or organization: what are we building or protecting, what could go wrong, what are we going to do about it, and did we do a good enough job? The last question is what keeps it alive rather than becoming a document that gets filed and forgotten.

The most widely taught threat modeling methodology is STRIDE, which Microsoft developed in the late 1990s. It categorizes threats into six types: Spoofing (pretending to be someone else), Tampering (modifying data), Repudiation (denying an action took place), Information Disclosure (data ending up where it should not), Denial of Service (making a service unavailable), and Elevation of Privilege (gaining more access than authorized). For each system component, a team works through the STRIDE categories and asks whether each type of threat applies and whether there are controls in place to address it.

TechPulse applies STRIDE to their customer login endpoint. Spoofing: could an attacker impersonate a customer? Yes — they added MFA. Tampering: could session tokens be modified in transit? Yes — they enforced HTTPS-only. Repudiation: could a user deny making a purchase? Yes — they improved audit logging. Information Disclosure: could session data leak? They found a logging misconfiguration that included auth tokens in plaintext logs and fixed it immediately. Denial of Service: could the login page be taken down? They added rate limiting. Elevation of Privilege: could a regular user access admin functions? A review found two API endpoints missing authorization checks. STRIDE turned a theoretical exercise into six concrete fixes in a single afternoon.

Threat modeling is not a one-time activity. Every time TechPulse ships a new feature, migrates a service, or onboards a third-party integration, the threat model needs to be revisited. The organizations that treat it as a living document — updated with every significant infrastructure change — tend to catch problems in design rather than in production.

What the Landscape Means for How You Defend

Every lesson from here forward builds a specific control or detection capability. The threat landscape gives you the context for why each one exists. Firewalls exist because uncontrolled network access is how opportunistic attackers find their footing. Intrusion detection exists because prevention is imperfect and some threats will always get through. Network segmentation exists because lateral movement after initial access is how small breaches become catastrophic ones.

The controls are not ends in themselves — they are answers to specific questions in the threat model. When you understand that, the difference between a security team that follows a checklist and one that actually protects their organization becomes clear. Checklist security adds controls in the order they appear on the list. Threat-informed security adds controls in the order the landscape demands.

Sources Worth Following

The threat landscape evolves continuously. Verizon's annual Data Breach Investigations Report (DBIR) is the most comprehensive public data source on breach causes and attacker behavior. The MITRE ATT&CK knowledge base tracks adversary techniques with real-world attribution. CrowdStrike, Mandiant, and Palo Alto Networks Unit 42 publish annual threat reports based on their incident response caseloads. The Cybersecurity and Infrastructure Security Agency (CISA) publishes advisories when specific vulnerabilities are being actively exploited in the wild. Following these four sources gives a security team a grounded picture of what is actually happening — not just theoretical risk.

Quiz

1. Meera wants to tune TechPulse's detection rules so they remain effective even when the specific phishing group targeting them rotates their server infrastructure and domain names. Which type of threat intelligence should she prioritize?

2. TechPulse's Engineering team discovers that an S3 bucket used to stage build artifacts was set to public access two months ago during a testing sprint and never changed back. No attacker was involved in creating the exposure. Which attack vector category best describes this risk?

3. While applying the STRIDE model to TechPulse's internal admin dashboard, Meera finds that a regular Support team agent can access API endpoints intended only for administrators by manipulating the request parameters. Which STRIDE category does this fall into?

Up Next
OSI and TCP/IP as Security Frameworks
TechPulse's team maps the network stack layer by layer and identifies exactly which threats live at each level — so controls get placed where attacks actually happen.
← Previous Course Index Next →