Essential Guide to Cyber Security

Cyber Security is the practice of protecting computer systems, networks, applications, and data from digital attacks and unauthorized access, ensuring information confidentiality, integrity, and availability. It encompasses various domains such as network, endpoint, application, and data security, and is essential for maintaining trust in digital transactions and operations. The document outlines the importance of cyber security, common threats, ethical considerations, and modern approaches to safeguard digital assets against evolving risks.

Uploaded by vembukonar01

Introduction to Cyber Security
What is Cyber Security?
Cyber Security is the practice of protecting computer systems, networks, applications, and
data from digital attacks, unauthorized access, damage, or disruption.

It ensures that information remains confidential, intact, and available for authorized use.
Cyber Security involves deploying technologies, policies, procedures, and education to
safeguard digital assets and infrastructure against evolving threats such as malware, hacking,
phishing, and data breaches.

It is essential for ensuring trust in digital transactions, business operations, and critical services
in a connected world.
What is Cyber Security?
•Cyber Security is the practice of protecting computer systems, networks,
programs, and data from digital attacks.

•Focuses on preventing unauthorized access, damage, disruption, and theft.

•Encompasses policies, technologies, processes, and awareness.

•Ensures secure, reliable, and trusted digital systems.


Why Require Security / Purpose of Cyber Security
The purpose of Cyber Security is to safeguard valuable data and systems from harm,
misuse, or disruption. It is required to:
•Protect sensitive information (personal, financial, proprietary).
•Prevent financial loss due to fraud, ransomware, or theft.
•Ensure the continuity of business operations and critical services.
•Comply with legal and regulatory requirements such as data protection laws.
•Preserve customer trust and organizational reputation.
•Defend national critical infrastructure from sabotage or espionage.

Cyber Security reduces risk, minimizes potential damage, and builds resilience in the face of
evolving cyber threats.
Scope of Cyber Security
Cyber Security covers multiple domains to ensure holistic protection:
Network Security: Securing data in transit, defending against attacks like eavesdropping or intrusions.
Endpoint Security: Protecting devices such as computers, smartphones, and IoT devices.
Application Security: Securing software during development and deployment to prevent vulnerabilities.
Data Security: Ensuring data confidentiality, integrity, and availability through encryption and access controls.
Cloud Security: Managing risks in virtualized, distributed environments.
Identity and Access Management (IAM): Authenticating users and enforcing least-privilege access.
Operational Security: Managing policies, procedures, and compliance.
Disaster Recovery & Business Continuity: Preparing for quick recovery from attacks or failures.
User Awareness & Training: Educating users to recognize and avoid security risks.
Security Truisms
Fundamental truths that shape effective security strategies:
Perfect security is impossible—risk can only be minimized and managed.
Security is a process, not a product—it requires continuous improvement and adaptation.
Humans are the weakest link—social engineering exploits human behavior.
Attackers need only one weakness; defenders must cover all.
Security must balance usability, cost, and risk—overly restrictive measures may hinder operations.
Defense in depth is critical—no single control can guarantee security.
Security is everyone's responsibility, not just IT’s.
Understanding these truisms helps organizations create realistic, effective security programs.
Ethics of Computer Security
Cyber security professionals must uphold ethical principles to protect society and uphold trust:
Respect for privacy and confidentiality of user data.
Honesty and transparency in security research and communication.
Responsible disclosure of vulnerabilities to vendors and affected parties.
Avoidance of harm to systems, organizations, or users.
Adherence to laws, regulations, and industry standards.
Professional accountability—being answerable for one’s actions and decisions.
Balancing security with civil liberties to avoid overreach or surveillance abuses.
Ethics are essential for maintaining trust, legality, and fairness in security practice.
Principles of Security
Foundational principles that guide security design and implementation:
Confidentiality: Ensuring only authorized users can access sensitive data.
Integrity: Protecting data from unauthorized modification or destruction.
Availability: Ensuring systems and data are accessible when needed.
Authentication: Verifying the identity of users and systems.
Authorization: Granting users appropriate access based on roles and policies.
Accountability: Tracking and logging actions to specific users or processes.
Non-repudiation: Ensuring parties cannot deny their actions (e.g., digital signatures).
Applying these principles ensures robust, reliable, and secure systems.
The CIA Triad: The Core Principles
Confidentiality
Protect data from unauthorized disclosure.
Methods: Encryption, access controls, authentication.
Integrity
Maintain accuracy and completeness.
Methods: Hashing, digital signatures, audit logs.
Availability
Ensure systems are up and accessible when needed.
Methods: Redundancy, backups, DoS protection.
Security Threats & Levels
Common Security Threats:
Malware: Viruses, worms, ransomware, spyware.
Phishing and social engineering to trick users.
Insider threats from malicious or careless employees.
Denial-of-Service (DoS) and Distributed DoS attacks.
Advanced Persistent Threats (APTs) by skilled actors.
Zero-day vulnerabilities exploited before patches are available.
Security Levels:
Physical security: Preventing unauthorized physical access to systems.
Network security: Firewalls, intrusion detection, segmentation.
Application security: Secure development practices and code reviews.
Data security: Encryption, data loss prevention tools.
User security: Training, strict access controls, authentication policies.
Each level requires specialized controls and policies.
What to Protect?
Cyber security aims to protect an organization’s entire digital ecosystem, including:
Data: Personally identifiable information (PII), financial records, intellectual property, health data.
Systems: Servers, workstations, IoT devices, industrial control systems.
Networks: Internal and external connections, VPNs, Wi-Fi.
Applications: Web apps, mobile apps, APIs, cloud services.
Identities: User accounts, passwords, access tokens.
Processes: Business operations, workflows, communication channels.
Critical Infrastructure: Energy grids, healthcare systems, transportation networks.
A thorough security plan considers all assets, dependencies, and risks.
Security Approaches
Proactive Security:
Threat modeling to identify risks before deployment.
Secure software development (DevSecOps).
Regular vulnerability scanning and patching.
Penetration testing to find weaknesses before attackers do.
Reactive Security:
Continuous monitoring and alerting for incidents.
Rapid incident response to limit damage.
Forensic investigation to analyze attacks.
Recovery and remediation to restore systems.
Defense in Depth:
Multiple layers of security controls.
Redundancy to prevent single points of failure.
Zero Trust Architecture:
Never trust, always verify.
Enforce least-privilege access everywhere.
Strong authentication and continuous verification.
Combining these approaches builds a comprehensive security posture.
Cyber Activity
Cyber activity refers to all actions in cyberspace—both legitimate and malicious.
Malicious Cyber Activity includes:
Delivering malware through phishing, drive-by downloads, or infected media.
Exploiting vulnerabilities in software or systems.
Establishing Command-and-Control (C2) channels to maintain remote access.
Exfiltrating sensitive data to external servers.
Conducting Denial-of-Service attacks to disrupt services.
Deploying ransomware to extort victims.
Blended Threats:
Attackers often combine multiple techniques in multi-stage attacks to maximize impact and evade defenses.
Goals of Cyber Attacks
Data Theft: Stealing sensitive personal, financial, or proprietary information.
Espionage: Gaining intelligence on competitors, governments, or organizations.
Disruption: Halting services, disrupting operations, damaging systems.
Financial Fraud: Direct theft of money or resources.
Ransom and Extortion: Encrypting data or threatening disclosure for payment.
Sabotage: Damaging critical infrastructure or systems.
Undermining Trust: Eroding customer and public confidence in brands or institutions.
Attackers are motivated by profit, power, ideology, revenge, or nation-state agendas.
Impact of Cyber Attacks on Organizations and Society
•Financial Losses: Direct theft, ransom payments, legal fines, investigation and remediation costs.
•Operational Disruption: Downtime, lost productivity, supply chain interruptions.
•Reputational Damage: Loss of customer trust, brand damage, negative publicity.
•Legal and Regulatory Consequences: Lawsuits, penalties for non-compliance, breach notifications.
•National Security Risks: Espionage, sabotage of critical infrastructure, destabilizing activities.
Cyber attacks can cripple organizations, harm economies, and threaten public safety.
Why Cyber Security is Critical
Growing reliance on digital systems across all sectors.
Rapid increase in attack volume and sophistication.
Explosion of sensitive personal and business data online.
Critical services (healthcare, energy, transport) depend on secure IT systems.
Financial stability at risk from cybercrime and fraud.
Maintaining trust with customers and partners is essential.
Compliance with strict data protection laws and standards is mandatory.
Cyber Security is essential to protect modern economies and societies from ever-evolving threats.
Modern Cyber Security Approach
Defense in Depth: Multiple, layered security controls across networks, systems, applications, and users.
Zero Trust Model: Never assume trust; enforce strict authentication and authorization everywhere.
Continuous Monitoring: Real-time threat detection with advanced analytics and SIEM systems.
Incident Response Planning: Clearly defined playbooks, dedicated teams, regular drills.
User Awareness and Training: Empowering employees to recognize and avoid security threats.
Adoption of Standards and Frameworks: Following best practices like NIST CSF, ISO/IEC 27001, Indian CERT-In Guidelines.
Threat Intelligence Sharing: Collaborating with industry and government partners to stay ahead of adversaries.
Modern approaches require integrating people, processes, and technology for holistic security.
The Insider Threat
Security risk from individuals within the organization with authorized access.

Types of Insider Threats:
•Malicious Insiders: Employees or contractors intentionally stealing data or sabotaging systems.
•Negligent Insiders: Careless users accidentally exposing sensitive data or falling for phishing.
•Compromised Insiders: Accounts hijacked by external attackers using stolen credentials.
The Insider Threat
Motivations:
•Financial gain.
•Revenge against employer.
•Ideology or political goals.
•Coercion or blackmail.
Mitigation Strategies:
•Strict access controls and least privilege policies.
•Continuous monitoring and anomaly detection.
•Behavioral analytics to spot unusual activities.
•Employee training and awareness programs.
•Clear policies and strong incident response plans.
Types of Malware – Virus
•A computer virus is a type of malware that attaches itself to a legitimate program or file, replicates when that program runs, and spreads to other systems or files.
•Unlike worms, viruses cannot spread autonomously; they require a user to execute the infected host.
•Once active, viruses can perform a variety of malicious actions—from displaying annoying messages to deleting critical files, installing backdoors, or disabling security software.
•Their goal can be simple mischief, data destruction, theft, or preparing the system for further compromise.
Types of Malware – Virus
Characteristics of a Virus
•Needs a host file or program.
•Activates when the infected program runs.
•Spreads to other files or systems.
•May remain dormant until triggered.
•Often designed to avoid detection.
•Payload can vary (damage, theft, backdoor creation).
Types of Malware – Virus
Virus Types
File Infector Virus
•Attaches to executable files (.exe, .dll).
•Runs when the host file is executed.
•Can overwrite or modify program code.
•Example: The "Vienna" virus infected .COM files in DOS.
Macro Virus
•Written in macro languages (e.g., Microsoft Office).
•Infects documents, spreadsheets, templates.
•Activates when user opens infected document.
•Example: Melissa Virus spread via infected Word docs in email.
Types of Malware – Virus
Virus Types
Boot Sector Virus
•Infects boot sector of storage media (HDD, USB).
•Loads before OS, gaining early control.
•Hard to remove without specialized tools.
•Example: The "Michelangelo" virus spread via infected floppy disks.
Multipartite Virus
•Combines multiple infection methods.
•Infects both files and boot sectors.
•Spreads more aggressively.
•Example: The "Tequila" virus attacked both .EXE files and boot sectors.
Types of Malware – Virus
Virus Types
Resident Virus
•Loads into system memory.
•Continues to operate even if host program closes.
•Can infect any file accessed while active.
•Example: "CMOS" virus stayed in RAM to infect more files.
Non-resident Virus
•Doesn't stay in memory.
•Runs, infects files, then terminates.
•Simpler, easier to detect.
•Example: Early DOS file infectors.
Types of Malware – Virus
Virus Types
Polymorphic Virus
•Changes its code with each infection.
•Evades signature-based antivirus.
•Uses encryption and mutation engines.
•Example: "Storm Worm" attachments changed signatures frequently.
Metamorphic Virus
•Completely rewrites its own code during replication.
•Harder to detect via heuristics or signatures.
•Example: "Zmist" used complex code rewriting.
Types of Malware – Virus
Virus Types
Companion Virus
•Creates a malicious file with the same name as a legitimate one.
•Exploits OS behavior to run itself first.
•Example: "HKTL_COMPANION" created malicious .COM files alongside .EXEs.
Logic Bomb
•Malicious code hidden within a program.
•Activates on a specific trigger (date, event).
•Often part of a virus or Trojan.
•Example: Malicious code deleting files on a certain date.
Types of Malware – Virus
Lifecycle of a Virus
Insertion: Virus code attaches to a host file.
Activation: Host file runs, executing virus code.
Replication: Virus seeks other files to infect.
Payload Execution: Performs its intended malicious action.
Dormancy (Optional): Waits for a trigger (date, event).
Spreading: Infected files shared via email, USB, network.
Types of Malware – Virus
Examples
ILOVEYOU (2000): Spread via email as a love letter; overwrote files.
Melissa (1999): Macro virus spread via infected Word docs.
Michelangelo: Boot sector virus activated on the artist’s birthday.
Sality: Polymorphic virus infecting executable files, adding botnet functionality.
Zmist: Advanced metamorphic virus rewriting its own code.
Types of Malware – Virus
How Viruses Evade Detection
•Encryption of payload to avoid signature scanning.
•Polymorphism (changing code appearance each infection).
•Metamorphism (complete code rewriting).
•Stealth techniques (hiding in system memory or boot sectors).
•Disabling antivirus software.
•Exploiting user trust (social engineering in phishing emails).
Types of Malware – Virus
Defending Against Viruses
Keep operating systems and applications up to date.
Use reputable antivirus/anti-malware with real-time scanning.
Enable automatic updates for software.
Disable macros in Office documents by default.
Educate users about phishing and suspicious downloads.
Implement least privilege: limit user permissions.
Regularly back up critical data.
Use network segmentation to limit spread.
Types of Malware – Virus
Type | Key Feature | Example
File Infector | Attaches to executables | Vienna
Macro Virus | Infects documents with macros | Melissa
Boot Sector | Infects storage device boot sectors | Michelangelo
Multipartite | Both files and boot sectors | Tequila
Resident | Stays in memory, infects opened files | CMOS virus
Non-resident | Infects, then terminates | Early DOS infectors
Polymorphic | Changes code to avoid detection | Storm Worm attachments
Metamorphic | Rewrites entire code each replication | Zmist
Logic Bomb | Triggered on specific event/date | Insider-planted bombs
Types of Malware – Worm
•A worm is a type of malicious software that can self-replicate and spread across computers and networks without any user intervention.
•Unlike viruses, worms don’t need to attach to a host file.
•They exploit network vulnerabilities or weak security configurations to move from one device to another, often rapidly.
•Worms can deliver harmful payloads, including ransomware or backdoors, and can also consume network bandwidth, disrupting normal operations on a massive scale.
Types of Malware – Worm
Characteristics of a Worm
•Autonomous replication and spread.
•Exploits vulnerabilities in operating systems or applications.
•Often spreads over local networks and the Internet.
•Capable of delivering additional malware.
•Can remain dormant and undetected.
•May include destructive or spying payloads.
Types of Malware – Worm
Worm Types
Internet Worm
•Spreads over the Internet.
•Exploits public-facing services.
•Often uses email, messaging, or file-sharing.
•Example: ILOVEYOU used email attachments to spread rapidly.
Email Worm
•Spreads via infected email attachments.
•Harvests address books to propagate.
•Tricks users into opening attachments.
•Example: Melissa Worm spread through infected Word documents.
Types of Malware – Worm
Worm Types
Network Worm
•Exploits network services and protocols.
•Scans for vulnerable systems automatically.
•Can cause denial-of-service by overloading networks.
•Example: SQL Slammer used SQL Server vulnerability to spread in minutes.
IM (Instant Messaging) Worm
•Uses instant messaging platforms to spread.
•Sends malicious links to contacts.
•Often social-engineered to look legitimate.
•Example: [Link] sent malicious links over MSN Messenger.
Types of Malware – Worm
Examples
Morris Worm (1988): First notable Internet worm, exploited Unix vulnerabilities.
ILOVEYOU (2000): Spread via email with the subject “ILOVEYOU”, overwrote files.
SQL Slammer (2003): Spread in 10 minutes by exploiting Microsoft SQL Server.
Blaster (2003): Targeted Windows systems, forced reboots.
Conficker (2008): Used multiple spreading techniques, infected millions of PCs.
WannaCry (2017): Ransomware worm exploiting SMB vulnerability, global impact.
Types of Malware – Worm
How Worms Evade Detection
Use encryption and obfuscation to hide code.
Exploit zero-day vulnerabilities with no available patch.
Use peer-to-peer (P2P) Command-and-Control to avoid single point of failure.
Use polymorphic code to change appearance on each spread.
Remain dormant before activation to avoid detection.
Types of Malware – Worm
Defending Against Worms
Apply security patches promptly.
Use firewalls to block unauthorized network traffic.
Segment networks to limit spread.
Enable intrusion detection/prevention systems (IDS/IPS).
Use endpoint protection with behavior-based detection.
Disable unused services and ports.
Educate users about phishing and malicious downloads.
Maintain regular backups for recovery.
Types of Malware – Worm
Type | How It Spreads | Example
Internet Worm | Over the Internet | ILOVEYOU
Email Worm | Infected email attachments | Melissa
Network Worm | Exploits network vulnerabilities | SQL Slammer
IM Worm | Instant messaging links | Sohanad
File-sharing Worm | P2P networks, shared folders | Palevo
Mobile Worm | SMS, apps, Bluetooth | Cabir
Payload-carrying Worm | Delivers additional malware | Conficker
Types of Malware – Trojan Horse
•A Trojan Horse, or simply Trojan, is malware that tricks users into installing it by masquerading as a harmless or useful application.
•Unlike viruses and worms, Trojans don't replicate automatically. Instead, they rely on social engineering—convincing users to install them voluntarily.
•Once executed, they can create a backdoor to give attackers remote access, steal information, spy on users, or install additional malware.
•Trojans are among the most flexible and widely used malware types because of their stealth and versatility.
Types of Malware – Trojan Horse
Characteristics of a Trojan
Requires user interaction for installation.
Disguised as legitimate or appealing software.
Often delivered via phishing emails or malicious websites.
Can deliver payloads like ransomware or spyware.
Maintains persistent attacker access.
Evades detection with social engineering.
Types of Malware – Trojan Horse
Trojan Types
Remote Access Trojan (RAT)
•Provides full remote control of victim system.
•Allows attacker to install software, steal data, spy via webcam.
•Used in advanced targeted attacks.
•Example: NanoCore RAT sold on dark web for spying and control.
Backdoor Trojan
•Creates secret access point into system.
•Allows attacker to bypass security controls.
•Used for long-term persistence.
•Example: PlugX used by APT groups to maintain foothold.
Types of Malware – Trojan Horse
Trojan Types
Banking Trojan
•Targets online banking sessions.
•Steals login credentials, intercepts transactions.
•Can inject malicious forms into banking sites.
•Example: Zeus/Zbot targeted hundreds of financial institutions.
Types of Malware – Trojan Horse
Examples
Zeus (Zbot): Banking Trojan that stole millions in credentials.
Emotet: Started as banking Trojan, evolved into powerful downloader.
NanoCore: Popular RAT sold on dark web.
DarkComet: RAT used for spying via webcams.
FakeAV Trojans: Scammed users with fake malware alerts.
Types of Malware – Trojan Horse
How Trojans Evade Detection
Masquerade as legitimate software or documents.
Use social engineering to fool users.
Encrypt communications with C2 servers.
Use packers and obfuscation to hide from antivirus.
Install rootkits to hide processes and files.
Disable or bypass security software.
Types of Malware – Trojan Horse
Defending Against Trojans
Educate users to recognize phishing and suspicious downloads.
Use updated, reputable antivirus/anti-malware solutions.
Enforce least privilege—limit user permissions.
Block unapproved software installations.
Monitor network for unusual C2 connections.
Apply patches to prevent exploitation of known vulnerabilities.
Use email filtering to block malicious attachments and links.
Employ application whitelisting where possible.
Types of Malware – Trojan Horse
Type | Key Feature | Example
Remote Access Trojan | Full control over victim system | NanoCore, DarkComet
Banking Trojan | Steals online banking credentials | Zeus/Zbot
Downloader Trojan | Installs other malware | Emotet
Infostealer Trojan | Steals sensitive data | Agent Tesla
Backdoor Trojan | Creates hidden access | PlugX
Rootkit Trojan | Hides malware and provides privilege | Rustock
Fake AV Trojan | Scams with fake security alerts | Win32/FakeAV
SMS Trojan | Sends premium-rate SMS | [Link]
Game-Thief Trojan | Steals online gaming credentials | [Link]
Spy Trojan | Logs keystrokes, captures screen | DarkComet
Types of Malware – Ransomware
•Ransomware is a type of malware that blocks access to a victim’s files or entire systems by encrypting them.
•The attacker demands a ransom, usually in cryptocurrency, in exchange for a decryption key.
•Some variants also exfiltrate data and threaten public leaks (double extortion).
•Ransomware attacks have evolved into highly organized operations, targeting everything from small businesses to hospitals and city governments.
Types of Malware – Ransomware
Characteristics of Ransomware
Uses strong cryptography to make decryption impossible without key.
Payment demanded in hard-to-trace cryptocurrency.
Often includes threatening messages or countdown timers.
Can spread across networks to encrypt multiple systems.
Some variants steal data before encryption.
Types of Malware – Ransomware
Examples
WannaCry (2017): Global wormable ransomware using SMB exploit.
Petya/NotPetya: Master Boot Record encryption, massive disruption.
Ryuk: Targeted hospitals, demanded high ransoms.
Maze: Combined encryption with data theft (double extortion).
REvil (Sodinokibi): Ransomware-as-a-Service platform.
Types of Malware – Ransomware
How Ransomware Evades Detection
Uses email attachments with macros or exploits.
Obfuscates code to bypass antivirus.
Uses fileless techniques (PowerShell scripts).
Delays execution to avoid sandbox analysis.
Disables backups and shadow copies.
Types of Malware – Ransomware
Defending Against Ransomware
Regular offline backups.
Patch operating systems and applications promptly.
Block macros in Office documents.
Use strong endpoint protection.
Network segmentation to limit spread.
User training to recognize phishing.
Implement least privilege and access controls.
Incident response plan for rapid containment.
Types of Malware – Spyware
Spyware is software designed to covertly collect information about a user or organization.
It often runs silently in the background, tracking keystrokes, browsing habits, or capturing sensitive credentials, and sends this information to cybercriminals.
Secretly monitors user activity.
Steals sensitive information (passwords, credit card numbers).
Sends data to attackers without user consent.
Often bundled with legitimate-looking software.
Types of Malware – Spyware
Characteristics of Spyware
Stealthy and often hard to detect.
Can degrade system performance.
Uses network connections to exfiltrate data.
May include multiple spying capabilities.
Types of Malware – Spyware
Spyware Types
Keylogger
•Records keystrokes to steal credentials.
•Example: Zeus Trojan included keylogging features.
Password Stealer
•Extracts stored passwords from browsers or apps.
•Example: Agent Tesla steals browser and email passwords.
Screen Capture / Webcam Spy
•Captures screenshots or webcam video.
•Example: DarkComet RAT included webcam spying.
Tracking Cookies / Adware Overlap
•Tracks browsing to build user profiles.
•Example: Bundled in free software.
Types of Malware – Spyware
Examples
CoolWebSearch: Redirected browsers to ads.
Agent Tesla: Keylogger and infostealer.
FinFisher: Commercial spyware used by governments.
DarkComet: RAT with spying capabilities.
Types of Malware – Spyware
How Spyware Evades Detection
•Hides in legitimate software installers.
•Uses encryption to hide data exfiltration.
•Disguises processes and files.
•Disables security tools.
Defending Against Spyware
•Use reputable anti-malware with real-time scanning.
•Be cautious with free software downloads.
•Patch vulnerabilities promptly.
•Block suspicious outbound network connections.
•Educate users about phishing risks.
Types of Malware – Adware
Adware is software that automatically delivers advertisements to users. While some adware is legitimate (bundled with free software), malicious adware can track users without consent, hijack browsers, and sometimes install other malware.
Characteristics of Adware
•Aggressive, intrusive ads.
•Tracks browsing habits.
•May change browser settings.
•Sometimes acts as malware downloader.
Types of Malware – Adware
Adware Types
Popup Adware
Displays pop-up ads on desktop or browser.
Browser Hijacker
Changes default search engine or homepage.
Redirects to partner sites for revenue.
Bundled Adware
Included with free or cracked software.
Installed without clear user consent.
Malvertising
Delivers malware through malicious ads on legitimate sites.
Types of Malware – Adware
How Adware Evades Detection
•Disguises as legitimate software.
•Uses misleading install wizards.
•Hides in system processes.
Defending Against Adware
•Avoid downloading from untrusted sources.
•Read install prompts carefully.
•Use reputable antivirus and anti-malware tools.
•Keep browsers updated.
•Block pop-ups and malicious sites.
Types of Malware – Rootkit
A rootkit is a type of malware designed to gain and maintain privileged access to a computer while actively hiding its presence.
By modifying system files, drivers, or even the operating system kernel, rootkits make themselves and any associated malware nearly invisible to antivirus software and system monitoring tools.
Rootkits are often used in advanced persistent threat (APT) attacks to ensure long-term, stealthy access.
Types of Malware – Rootkit
Characteristics of Rootkits
Stealth: Hides processes, files, registry keys.
Persistence: Survives reboots, reinstalls.
Privileged access: Kernel-level or admin-level control.
Used to deploy and hide other malware.
Very difficult to detect and remove.
Types of Malware – Rootkit
Rootkit Types
User-mode Rootkit
Hooks into user-level applications.
Hides malicious processes from the user.
Example: Modifies system utilities like task manager.
Kernel-mode Rootkit
Operates at OS kernel level.
Complete control over system.
Harder to detect and extremely dangerous.
Example: Rustock botnet used kernel-mode rootkits.
Bootkit
Infects the boot sector or bootloader.
Loads before the OS, gaining early control.
Example: TDL-4 bootkit.
Firmware Rootkit
Resides in device firmware (BIOS, UEFI).
Persists even after OS reinstall or hard drive replacement.
Example: LoJax infected UEFI firmware.
Types of Malware – Rootkit
How Rootkits Evade Detection
Modify OS components to hide processes/files.
Intercept system API calls.
Survive reboots with persistent startup entries.
Embed in firmware or bootloader.
Disable security software.
Defending Against Rootkits
Keep OS and software fully patched.
Use secure boot and UEFI protections.
Use reputable antivirus with rootkit detection.
Monitor for unusual behavior and system anomalies.
Employ specialized rootkit scanners and removal tools.
For severe infections, reimage or replace hardware.
Types of Malware – Botnet
A botnet is a network of compromised devices controlled by a cybercriminal, known as a botmaster.
Each infected machine is called a “bot” or “zombie” and can receive commands remotely.
Botnets are used for launching large-scale attacks like DDoS, sending spam, mining cryptocurrency, or distributing other malware.
Types of Malware – Botnet
Characteristics of Botnets
Centralized or decentralized C2 structures.
Can consist of thousands or millions of devices.
Often includes poorly secured IoT devices.
Frequently used in cybercrime-as-a-service models.
Very profitable for attackers.
Types of Malware – Botnet
Botnet Types
Centralized Botnet
Uses single C2 server.
Easy to manage but single point of failure.
Example: Early IRC-controlled botnets.
Hybrid Botnet
Combines centralized and P2P.
More resilient and flexible.
Example: Gameover Zeus.
Decentralized (P2P) Botnet
Bots communicate with each other.
No central server to take down.
Example: Storm botnet.
IoT Botnet
Infects smart devices with weak security.
Enormous scale possible.
Example: Mirai botnet used cameras and routers.
Types of Malware – Botnets
How Botnets Evade Detection
Use encryption for C2 communications.
P2P networks avoid single points of failure.
Use fast-flux DNS to rapidly change IPs.
Blend malicious traffic with legitimate use.
Infect non-traditional devices (IoT).
Defending Against Botnets
Keep systems patched to close exploits.
Change default passwords on IoT devices.
Use firewalls to block C2 connections.
Employ network monitoring for anomalies.
Participate in threat intelligence sharing.
Educate users to avoid phishing links.
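One concrete form of the "network monitoring for anomalies" defense is spotting C2 beaconing: bots check in with their controller at near-regular intervals, which shows up as outbound connections whose inter-arrival times vary far less than normal user traffic. The script below is an added example, not code from the original deck; the flow log lines and the IP addresses in it are constructed, and the thresholds are illustrative.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound connection log (not from the original page),
# one connection per line: "<ISO timestamp> <src_ip> <dst_ip>:<port>".
SAMPLE_FLOWS = """\
2024-05-01T09:00:00 10.0.0.7 203.0.113.9:443
2024-05-01T09:00:03 10.0.0.5 198.51.100.20:443
2024-05-01T09:01:00 10.0.0.7 203.0.113.9:443
2024-05-01T09:01:47 10.0.0.5 198.51.100.20:443
2024-05-01T09:02:01 10.0.0.7 203.0.113.9:443
2024-05-01T09:02:05 10.0.0.5 198.51.100.20:443
2024-05-01T09:02:59 10.0.0.7 203.0.113.9:443
2024-05-01T09:04:00 10.0.0.7 203.0.113.9:443
2024-05-01T09:05:01 10.0.0.7 203.0.113.9:443
2024-05-01T09:05:31 10.0.0.5 198.51.100.20:443
"""


def beacon_candidates(log_text: str, min_connections: int = 4,
                      max_cv: float = 0.2) -> dict:
    """Return (src, dst) pairs whose connection gaps look machine-regular.

    The coefficient of variation (stdev / mean) of the gaps is near zero for
    a fixed-interval beacon and large for human-driven traffic. Real implants
    add jitter, so production detectors use looser max_cv values and longer
    observation windows; the threshold here is illustrative only.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))

    results = {}
    for pair, times in seen.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if cv <= max_cv:
            results[pair] = {"count": len(times),
                             "mean_gap_s": round(mean_gap, 1),
                             "cv": round(cv, 3)}
    return results
```

In the sample, 10.0.0.7 contacts 203.0.113.9 every 60 seconds give or take a few, while 10.0.0.5's gaps are irregular, so only the first pair is reported.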
Infrastructure Supporting
Cyber-Attacks
Cyber-attack infrastructure includes servers, domains, malware, and
communication channels set up specifically for attacks.
Attackers don't just send a virus from their laptop—they build complex
systems to spread malware, control infected machines, launder money,
and avoid detection.
This infrastructure supports the entire criminal operation, from initial
compromise to final monetization.
Infrastructure Supporting
Cyber-Attacks
Why Do Attackers Need Infrastructure?
Scalability: Automate attacks on many victims.
Resilience: Survive takedowns by law enforcement.
Stealth: Hide real identities and locations.
Management: Coordinate large-scale campaigns.
Monetization: Collect ransoms, sell stolen data.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
1. Command-and-Control (C2) Servers
Remote servers attackers use to communicate with malware on victim
machines.
Send instructions, receive stolen data.
Often use encryption and obfuscation.
Example: RATs like DarkComet connect to C2 servers for control.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
2. Malware Payload Repositories
Servers hosting the malware files.
Delivery systems for downloaders, droppers.
Often use multiple redundant servers to stay online.
Example: Emotet delivered banking Trojans via multiple payload servers.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
3. Phishing Infrastructure
Email servers and templates for sending phishing emails.
Fake websites mimicking login pages.
Domains registered to look legitimate.
Example: Office 365 phishing pages to steal credentials.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
4. Exploit Kits
Web-based tools that deliver malware via browser vulnerabilities.
Hosted on malicious or compromised websites.
Example: Angler Exploit Kit exploited Flash and Java vulnerabilities.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
5. Bulletproof Hosting Services
Hosting providers that deliberately ignore abuse complaints.
Used for hosting C2 servers, malware, phishing sites.
Example: Some Eastern European providers famous for hosting
cybercrime sites.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
6. Domain Infrastructure
Domains for phishing, C2, payload delivery.
Fast-flux DNS to rotate IPs and avoid takedowns.
Domain Generation Algorithms (DGAs) for automated, hard-to-block
domains.
Example: Conficker worm used DGA to create new domains daily.
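Because DGA domains are produced by an algorithm rather than chosen by a person, they tend to be long, high-entropy and vowel-poor, and an infected host queries many of them in a short time. The following detector is an added example (not from the original deck, and not Conficker's actual algorithm): it scores the registrable label of each queried domain and reports clients that query several generated-looking names. The DNS log lines, client IPs and thresholds are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the original page), one query
# per line: "<timestamp> <client_ip> <queried_domain>".
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com
2024-05-01T10:00:02 10.0.0.5 stackoverflow.com
2024-05-01T10:00:03 10.0.0.7 xk3jd8wq2lp9vz.info
2024-05-01T10:00:04 10.0.0.7 qpw7zrt4lmn2bvx.org
2024-05-01T10:00:05 10.0.0.7 cdn.cloudflare.net
2024-05-01T10:00:06 10.0.0.7 ze8hqk1yv6dxpw.biz
"""

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; a random label scores near log2(len)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Simplification: multi-part public suffixes such as co.uk are ignored."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain: str) -> bool:
    """Heuristic: DGA labels are long, high-entropy and vowel-poor.
    Thresholds are illustrative, not tuned on real traffic."""
    label = registrable_label(domain)
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.3 and vowel_ratio < 0.3


def suspicious_clients(log_text: str, min_hits: int = 2) -> dict:
    """Map client IP -> generated-looking domains it queried, keeping only
    clients with at least min_hits: DGA malware tries many candidate domains
    per day, whereas a single odd lookup is weak evidence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, domain = line.split()
        if looks_generated(domain):
            hits[client].append(domain)
    return {c: d for c, d in hits.items() if len(d) >= min_hits}
```

Note that a long legitimate name such as stackoverflow.com passes the length and entropy checks but is cleared by its vowel ratio, which is why the heuristics are combined rather than applied singly.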
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
7. Proxy and VPN Networks
Obscure attacker locations.
Hide traffic between victims and C2.
May use compromised devices as proxies.
Example: Attackers routing C2 traffic through TOR.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
8. Botnets
Network of infected machines controlled remotely.
Used to send spam, launch DDoS, distribute malware.
Example: Mirai Botnet controlled IoT devices for massive DDoS
attacks.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
9. Payment Systems
Cryptocurrency wallets for ransom payments.
Mixers to launder funds.
Dark web markets for selling stolen data.
Example: Ransomware demands in Bitcoin.
Infrastructure Supporting
Cyber-Attacks
Key Components of Attack Infrastructure
10. Monitoring and Analytics
Dashboards for tracking infection rates.
Logs of stolen credentials.
Management tools for affiliates in Ransomware-as-a-Service (RaaS)
operations.
Example: RaaS operators providing live dashboards to affiliates.
Lifecycle of Infrastructure Supporting
Cyber Attacks
Planning → Setup → Operation → Maintenance → Monetization → Retirement/Reuse
Lifecycle of Infrastructure Supporting
Cyber Attacks
Planning & Design
Select target type (e.g., phishing, ransomware).
Choose hosting, domains, malware types.
Build or buy necessary tools.
Define operational goals (stealth vs. scale).
Acquisition & Setup
Register domains (often with stolen identities).
Rent or compromise servers (bulletproof hosting).
Set up C2 frameworks (Cobalt Strike, custom RATs).
Deploy phishing kits and payload servers.
Lifecycle of Infrastructure Supporting
Cyber Attacks
Weaponization
Develop or customize malware payloads.
Test exploit kits and delivery methods.
Configure C2 communication channels (encryption, proxies).
Set up phishing templates and spam campaigns.
Delivery & Launch
Send phishing emails with malicious links/attachments.
Launch exploit kits on compromised websites.
Use botnets to distribute malware.
Deliver payloads via infected USBs or insider access.
Lifecycle of Infrastructure Supporting
Cyber Attacks
Command-and-Control (C2) Operations
Infected systems connect back to C2.
Attackers issue commands remotely.
Download additional payloads.
Maintain stealthy communication channels (TOR, proxies).
Maintenance and Updates
Rotate domains and IP addresses (fast-flux, DGAs).
Patch malware to avoid detection.
Monitor detection rates via telemetry.
Re-infect systems that were cleaned.
Lifecycle of Infrastructure Supporting
Cyber Attacks
Monetization
Demand ransoms (cryptocurrency payments).
Sell stolen credentials on dark web markets.
Rent access to botnets or C2 servers.
Launder money through mixers and exchanges.
Takedown / Retirement / Reuse
Abandon infrastructure under pressure.
Law enforcement seizes servers, domains.
Attackers move to new hosting, domains.
Reuse malware tools with new campaigns.
Lifecycle of Infrastructure Supporting
Cyber Attacks
Stage: Key Activities
Planning & Design: Choose targets, select tools, plan delivery.
Acquisition & Setup: Rent servers, register domains, configure C2.
Weaponization: Build malware, test exploits, create phishing kits.
Delivery & Launch: Send phishing emails, exploit sites, distribute malware.
Command-and-Control Ops: Manage infected systems, issue commands.
Maintenance and Updates: Rotate domains, patch malware, avoid detection.
Monetization: Demand ransoms, sell data, launder money.
Takedown/Retirement/Reuse: Abandon or reuse infrastructure after detection.