1. Social engineering

The most reliable way into a system is often to ask a human for the keys. Social engineering exploits trust, authority, urgency, and habit rather than technical flaws. It remains the leading cause of breaches in successive editions of the Verizon Data Breach Investigations Report[13].

  • Phishing — fraudulent messages that harvest credentials or deliver malware; spear-phishing targets a specific individual, whaling targets executives.
  • Business email compromise (BEC) — impersonating a trusted party to redirect payments; one of the costliest categories of cybercrime by dollar loss.
  • Pretexting, baiting, and vishing — invented scenarios, malicious media, and voice-based deception.

Generative AI has sharply lowered the cost and raised the quality of these attacks — flawless localised text, cloned voices, and deepfake video — a theme picked up on the AI & Security page.

2. Malware & ransomware

Malware is any software designed to cause harm. The major families:

| Type | Defining behaviour |
|---|---|
| Virus | Attaches to a host file; spreads when executed |
| Worm | Self-propagates across a network without user action |
| Trojan | Masquerades as legitimate software |
| Rootkit | Hides its presence at a deep system level |
| Ransomware | Encrypts data and demands payment for the key |
| Spyware / infostealer | Covertly exfiltrates data and credentials |

Ransomware is the dominant criminal threat of the era, having evolved into a ransomware-as-a-service economy with affiliate models, initial-access brokers, and double extortion (encrypt and leak). Landmark events — WannaCry (2017), NotPetya (2017), and Colonial Pipeline (2021) — demonstrated that malware can cause physical and economic disruption at national scale.

3. Web application attacks (OWASP)

The OWASP Top 10[14] is the industry-standard list of the most critical web-application risks. The most enduring entries:

  • Injection (e.g., SQL injection) — untrusted input is interpreted as a command. The canonical fix is parameterised queries.
  • Broken access control — users acting outside their intended permissions; consistently ranked #1.
  • Cross-site scripting (XSS) — injecting script that runs in another user’s browser.
  • Cryptographic failures — weak or missing encryption of sensitive data.
  • Server-side request forgery (SSRF) — coercing a server into making attacker-controlled requests.
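
```python
import sqlite3

# Minimal in-memory setup so the two forms below can be run as written
cursor = sqlite3.connect(":memory:").cursor()
cursor.execute("CREATE TABLE users (name TEXT)")
user_input = "' OR '1'='1"

# Vulnerable: string concatenation lets input become code
query = "SELECT * FROM users WHERE name = '" + user_input + "'"
# Input  ' OR '1'='1  ->  returns every row

# Safe: parameterised query treats input strictly as data
cursor.execute("SELECT * FROM users WHERE name = ?", (user_input,))
```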

4. Memory-corruption exploitation

In systems languages without memory safety (C, C++), bugs that corrupt memory can be turned into arbitrary code execution. This is the deepest and most consequential class of vulnerability.

  • Buffer overflow — writing past the bounds of a buffer to overwrite adjacent data or control structures. Aleph One’s 1996 Smashing the Stack for Fun and Profit[15] is the foundational text.
  • Use-after-free — dereferencing memory that has been freed and possibly reallocated.
  • Heap grooming / spraying — arranging heap memory so that a corruption lands on attacker-chosen data.

Defences have escalated in turn: non-executable memory (NX/DEP), address-space layout randomisation (ASLR), stack canaries, and control-flow integrity (CFI). Attackers responded with return-oriented programming (ROP), which chains existing code fragments to bypass NX. The most durable fix is to remove the bug class entirely — the central argument for memory-safe languages like Rust, now endorsed by CISA and the NSA for new development.

5. Vulnerabilities: zero-days vs N-days

A zero-day is a vulnerability unknown to the vendor, with no patch available — defenders have had “zero days” to react. An N-day is a known, patched vulnerability that remains exploitable on unpatched systems. Vulnerabilities are catalogued publicly as CVE identifiers and scored by severity using the CVSS system[16].

The economics matter: most real-world compromise exploits N-days, because patching at scale is slow. The window between a patch’s release (which reveals the bug) and its deployment is a primary battleground — and one that AI-accelerated exploitation is now compressing dramatically (see AI & Security).

6. MITRE ATT&CK & red teaming

MITRE ATT&CK[5] is a globally adopted, continuously updated knowledge base of real-world adversary tactics (the “why”) and techniques (the “how”), observed in actual intrusions. It gives defenders a shared vocabulary to describe attacker behaviour and to measure detection coverage.
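One way to measure detection coverage as described above, given as an added example that is not part of the original page: detection rules carrying Sigma-style ATT&CK tags are rolled up to parent techniques and counted per tactic. The rule inventory is constructed, the function names are this example's own, and the technique table is a small subset of the Enterprise matrix chosen for illustration.

```python
import re
from collections import defaultdict

# Technique ID -> (name, tactics); a small illustrative subset of ATT&CK Enterprise.
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1190": ("Exploit Public-Facing Application", ["initial-access"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Constructed detection inventory; tags use the Sigma-style "attack.tNNNN[.NNN]" form.
RULES = [
    {"name": "office_spawns_shell", "tags": ["attack.t1566.001", "attack.t1059.001"]},
    {"name": "lsass_handle_access", "tags": ["attack.t1003.001"]},
    {"name": "mass_file_rename", "tags": ["attack.t1486"]},
    {"name": "legacy_rule", "tags": ["attack.execution"]},  # tactic tag only
]

TAG = re.compile(r"^attack\.(t\d{4})(?:\.\d{3})?$")

def covered_techniques(rules):
    """Map parent technique ID -> rule names, rolling sub-techniques up."""
    hits = defaultdict(list)
    for rule in rules:
        for tag in rule["tags"]:
            m = TAG.match(tag.lower())
            if m and m.group(1).upper() in TECHNIQUES:
                hits[m.group(1).upper()].append(rule["name"])
    return dict(hits)

def coverage_by_tactic(rules):
    """Return {tactic: (covered, total, [uncovered technique IDs])}."""
    hits = covered_techniques(rules)
    per_tactic = defaultdict(lambda: [0, 0, []])
    for tid, (_, tactics) in TECHNIQUES.items():
        for tactic in tactics:
            row = per_tactic[tactic]
            row[1] += 1
            if tid in hits:
                row[0] += 1
            else:
                row[2].append(tid)  # a gap: no rule maps to this technique
    return {t: (c, n, gaps) for t, (c, n, gaps) in per_tactic.items()}
```

A technique counted as covered here only has at least one rule tagged to it; that is a lower bar than detecting every procedure an adversary might use for it.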

Organisations test their defences against this tradecraft through:

  • Penetration testing — scoped, time-boxed assessment of a system’s exploitable weaknesses.
  • Red teaming — goal-oriented, adversary-emulating campaigns testing detection and response, not just vulnerabilities.
  • Purple teaming — red and blue (defence) working together to tighten the detect-and-respond loop.

The defensive counterpart to all of this — how organisations detect, contain, and recover — is the subject of the next page.