As someone with a Master’s in Social Community Psychology transitioning into cybersecurity, I’ve found that understanding group dynamics and human behavior is a great complement for analyzing threats and cyber defense. My experience as a program manager, where I oversaw the complexities of 24/7 residential shelters, has provided me with a unique lens for understanding human behavior in high-stakes situations, which I find particularly relevant to cybersecurity. During my time in the SANS Cyber Immersion Academy, where I took courses like SEC 401 and SEC 504, I found so many parallels between psychology and cybersecurity. For example, these courses’ emphasis on baselines mirrored my work in 24/7 shelters, where anticipating deviations in routines was key to averting crises or, at the very least, regaining control of situations that could impact staff and clients.

Cybersecurity requires diverse skills, and I believe, understanding human behavior is among the most critical. In this article, I’ll explore how integrating psychology, from cognitive biases to stress resilience, with insights from threat intelligence can help anticipate, identify, and mitigate threats. This is not about human error, it is about transforming the so-called ‘weakest link’ into a stronger defense.

Understanding Baselines: Normal vs. Abnormal

In psychology, establishing behavioral baselines is essential for identifying deviations that may indicate underlying issues. The same applies to cybersecurity, for example, without knowing normal network activity, detecting anomalies becomes difficult. As Professor Bryan Simon emphasizes in the SANS SEC 401 course: ‘Know thy systems!’ — a principle that applies equally to understanding human behavior and network traffic.

Cybersecurity experts must understand what constitutes normal network activity to identify potential intrusions. This parallels behavioral assessments, where normal behavior must be established to spot anomalies. As a program manager overseeing two 24/7 residential shelters, I saw firsthand how ‘baselines’ operate in high-risk human environments. While humans aren’t identical to systems, the principle holds: knowing clients’ routines, staffing patterns, and facility dynamics allows us to detect risks early, whether a sudden shift in a client’s behavior or an unexpected staff absence. Just as a shelter’s stability depends on recognizing deviations from the norm, cybersecurity relies on spotting anomalies like unusual login times or data transfers in network traffic.

By continuously monitoring and analyzing network patterns, cybersecurity professionals can detect irregularities, much like psychologists or mental health therapists observe and interpret behavioral shifts. This detection is enhanced by threat intelligence, which reveals common adversary tactics, techniques, and procedures (TTPs) and their preferred methods of manipulation, for instance, using urgent language. Knowing what specific deviations attackers often cause allows defenders to align their baseline monitoring with likely malicious activity, transforming human observation into a security advantage. Due to my experience, I see threat intel as those client notes or past observations that guide behavioral professionals to anticipate future behavior and potential triggers, so threat intel provides cybersecurity experts with a record of adversary tactics and motivations, allowing for a more informed and proactive defense.

Recommended Reading:

• "Intrusion Detection" by Rebecca Gurley Bace and Peter Mell: This book goes deep into methods for setting up and maintaining network baselines for security purposes.

Social Engineering: Exploiting Trust, Authority, and Habituation

While understanding normal system and network behavior is crucial, attackers also exploit our understanding of 'normal' human interactions and tendencies to manipulate us through social engineering.

Social engineering attacks exploit psychological principles to coerce us into, for example, revealing confidential information or doing something on their behalf. Knowledge of psychological tactics, such as trust, authority, and social proof, can help cybersecurity professionals better defend against these attacks. Let’s see some case study examples:

1. Seagate Technology (2016)

   In 2016, Seagate Technology fell victim to a sophisticated phishing attack. The attackers employed a tactic known as "whaling," where they impersonated Seagate CEO Stephen Luczo in an email to the HR department. The email requested W-2 forms and personally identifiable information (PII) of all employees. Believing it was legitimate, the HR employee complied. Just like that, they went from being a regular staff doing their job to becoming an unintentional insider threat as they provided sensitive information to threat actors. A great reminder about how even well-meaning folks can become vectors for attacks.

2. Democratic National Committee (DNC, 2016)

   APT29 (Cozy Bear), a Russian state-sponsored group, breached the Democratic National Committee in 2016 using spear-phishing emails disguised as legitimate Google security alerts. Staff were tricked into entering credentials on fake login pages—a tactic known as "credential harvesting." This attack exploited the affect heuristic: trusting a familiar brand like Google and overlooking subtle anomalies like mismatched URLs. Also, authority bias: assumes legitimacy due to Google’s credibility.

   Similar risks arise from habituation—a psychological phenomenon where users prioritize convenience over caution due to repeated exposure to ‘normal’ prompts. For example:

   • Clicking "OK" on Microsoft’s User Account Control (UAC) prompts without reading them.

   • Granting data access to services or apps via, for example, Google sign-in without reviewing permissions.

Attackers exploit this reduced scrutiny by mimicking trusted interfaces, knowing users will likely bypass the defenses in place.

3. MGM Resorts Hack (2023)

   In 2023, MGM Resorts faced a ransomware attack by Scattered Spider. The attack used a common social engineering technique, vishing (phishing over the phone), to impersonate an employee and gain admin privileges.

   How? By impersonating an MGM Resorts employee in a call to the IT help desk, the attackers obtained administrator privileges to MGM's Okta and Azure tenant environments. As a result of the attack, MGM experienced disruptions to essential services, including reservation systems and digital room keys.

These incidents demonstrate the critical need for robust cybersecurity awareness and training programs to mitigate social engineering threats effectively. This training becomes far more effective when informed by threat intelligence. Understanding how specific adversaries craft their campaigns—knowing their preferred social engineering playbooks—allows organizations to tailor awareness programs. Instead of generic warnings, training can focus on countering the actual tactics employees are likely to face, empowering them to actively protect themselves and the organization. By teaching employees what to look for, we create a much more resilient defense, a human-centric approach focused on increasing their awareness and providing specific skills to spot these attacks.

For a deeper dive into the psychological principles behind these attacks, see the Cognitive Biases section below.

Practical Tips:

• Train everyone regularly, or educate yourself about the methods or tricks of social engineering and how to recognize them! It’s getting thicker by the minute, given Gen AI and all the tools available.

• Use what is known about real attacker tactics (that's where threat intelligence comes in!) to create simulated phishing campaigns.

• Foster a culture of skepticism and verification, encouraging employees to double-check unexpected requests for sensitive information.

Something to read:

• "Social Engineering: The Art of Human Hacking" by Christopher Hadnagy: This book explores the psychological tactics used in social engineering and how to counteract them.

Cognitive Biases and Decision-Making

Cognitive biases can cloud judgment in any field, but their impact on cybersecurity decision-making is particularly critical, as they influence everything from threat analysis to incident response.

Let’s explore some cognitive biases that can impact cyber defenses:

1. Authority Bias: This is the tendency to comply with requests from perceived authority figures without verification. Psychologists like Stanley Milgram demonstrated how authority figures can override personal judgment—a principle that attackers exploit in social engineering. Like in the MGM breach, attackers pretended to be employees calling IT support. Similarly, in the Seagate attack, HR staff complied with a fake email from the “CEO” requesting sensitive employee data.

2. Anchoring: This bias occurs when we rely too heavily on the first piece of information we find. For instance, if a Chief Information Security Officer (CISO) prioritizes a specific cyber threat, other team members may focus solely on that threat, neglecting other potential risks.

3. Availability Heuristic: Security teams often assess risks based on recent experiences or industry trends. This can result in overlooking less obvious threats that do not fit the familiar pattern. For example, while security teams might proactively prioritize defenses against the threat of ransomware attacks, this could also lead to overlooking other significant vulnerabilities or attack vectors that aren't trending yet.

4. Affect Heuristic: This mental shortcut is heavily influenced by emotions. For example, if security staff feel confident about a situation, they may perceive it as low risk and fail to investigate thoroughly, potentially overlooking significant threats.

5. Optimism Bias: Many people, including security teams, believe that because they have security measures in place, they are immune to attacks. This “it won’t happen to us” mentality can lead to complacency and underpreparedness. Threat intelligence directly counters this bias by presenting concrete evidence of real-world risks, such as sector-specific targeting trends. This helps teams to address likely attack vectors based on evidence, rather than relying on potentially dangerous assumptions. For more real-world examples, see this article about optimism bias in Cybersecurity.

6. Decision Fatigue: Continuous decision-making is exhausting for anyone. In Security Operations Centers (SOC), for instance, one of the risks is that overwhelmed or fatigued security staff may ignore alerts from security tools, potentially leading to missed critical threats.

Practical Tips:

• Build a culture where we all feel comfortable asking questions and reviewing each other's work. It's about having each other's backs and being open to different ways of seeing things – challenging assumptions is key!

• Use structured techniques, like this one called "Analysis of Competing Hypotheses” (p.95). It's a way to consider all the possible explanations instead of sticking with the first one that makes sense. This encourages a thorough analysis.

• Keep learning and be ready to adapt when new information pops up. Let's not get too stuck on initial thoughts! Staying curious and open to new evidence is crucial.

• Leverage information about cognitive biases to improve decision-making. For example, peer reviews help us catch our blind spots.

Something to read:

• "Thinking, Fast and Slow" by Daniel Kahneman: Kahneman presents various cognitive biases and their impacts on decision-making, offering valuable insights for anyone, including cybersecurity folks!

• “Psychology of Intelligence Analysis” by Richard J Heuer, Jr: The author explores the psychological factors that can affect intelligence analysis, providing insights for cyber threat intelligence professionals looking to improve their analytical skills and objectivity.

Stress Management and Resilience

The high-pressure nature of cybersecurity work can lead to burnout and decreased performance. Applying psychological principles of stress management and resilience can help professionals maintain their mental health and perform effectively under pressure.

As a program manager in a 24/7 residential facility, I witnessed firsthand how chronic stress affects performance. Social workers and managers faced relentless demands: staffing shortages, traumatic cases, overnight emergencies, and the emotional toll of clients’ crises; therefore, Burnout wasn’t just a buzzword. Based on my research, cybersecurity incident responders face similar challenges: high-stakes alerts, sleepless on-call rotations, and the pressure to mitigate threats in real-time.

My experience taught me that resilience isn’t just individual—it’s systemic. Just as in social services, we implemented team discussions after a crisis and mandatory downtime for staff to process high-stress events, cybersecurity teams need similar support. Without it, even the most skilled professional risks becoming the next ‘insider threat’—not from malice, but from exhaustion.

Just as shelters use debriefings as part of a broader strategy to build resilience, cybersecurity teams can implement structured support systems to maintain vigilance and prevent burnout.

Practical Tips:

• Implement a range of stress management resources, such as regular workshops on coping strategies, physical wellness activities, and provide access to mental health support services.

• Encourage a balanced work-life environment to prevent burnout.

• Develop a support system within the team to share the workload and provide emotional support during high-pressure situations.

• Build peer mentoring systems—a tactic rooted in community psychology—to distribute workloads and combat decision fatigue.

Something to read:

• "The Resilient Practitioner: Burnout Prevention and Self-Care Strategies for Counselors, Therapists, Teachers, and Health Professionals" by Thomas M. Skovholt and Michelle Trotter-Mathison: Although focused on health professionals, the principles of resilience and self-care are highly relevant to cybersecurity.

Conclusion

Ultimately, recognizing the impact of human behavior, informed by psychological principles, is essential for building a truly resilient cybersecurity posture that can complement the defenses. My journey, from social-community psychology and managing high-risk human environments (like shelters) to my cybersecurity training and certifications, has solidified the undeniable parallels between understanding human dynamics in crisis and effectively responding to cyber incidents, a key insight reinforced by my studies and research. I hope that this integrated perspective inspires a more human-centered approach to security, leading to stronger and more adaptable defenses.

Security isn’t just about technology; it’s about people. A truly resilient cybersecurity strategy doesn’t just defend against threats—it anticipates them by understanding human behavior. In this effort, threat intelligence acts as a vital bridge, providing defenders with insights into how adversaries are actively exploiting human psychology, allowing us to anticipate and proactively strengthen our defenses, transforming the 'weakest link' into a powerful asset.

So, the next time you think about cybersecurity, ask yourself: Are you securing just the system or the people who interact with it every day?

With the recent buzz surrounding Netflix’s Zero Day, a series exploring the chaos caused by a zero-day cyberattack, I felt it was the perfect time to dive into known cyberattacks that have disrupted real-world systems and operations. While Zero Day focuses on a fictional zero-day vulnerability and its global consequences, wiper malware represents another form of cyber destruction, and many have experienced what these types of attacks can do.

Wiper malware has been in use for over a decade, but its role in cyber warfare, geopolitical conflicts, and sabotage operations has expanded significantly in recent years. A recent example occurred during Russia’s 2022 invasion of Ukraine, where cyberattacks, including multiple wiper malware strains, were used to target critical infrastructure alongside military operations.

The Viasat Cyberattack

On February 24, 2022—the same day Russia launched its military invasion of Ukraine—a cyberattack targeted Viasat, a satellite communications provider. The attack disabled KA-SAT modems, disrupting internet services for thousands of users in Ukraine and some parts of Europe. For example, the attack disrupted remote monitoring and control of approximately 5,800 wind turbines in Germany, preventing operators from accessing them

Following the incident, researchers at SentinelLabs identified a new wiper malware they named AcidRain. Unlike ransomware, which demands a ransom to unlock data, AcidRain was designed to erase data from modems and routers, potentially rendering them inoperable without recovery options.

Attacks like this highlight a hard reality: wiper malware is a modern cyber warfare weapon that sabotages critical infrastructure.

With geopolitical tensions rising, it is crucial to understand how wiper malware works, its devastating impact, and how organizations can defend against it.

What is Wiper Malware?

Wiper malware is a destructive form of malicious software that permanently deletes, overwrites, or corrupts data, often leaving devices completely unusable. Recovery is extremely difficult without specialized forensic methods or offline backups.

Key Characteristics of Wiper Malware:

• Data Destruction: Systematically deletes, overwrites, or corrupts files at the disk level, often targeting boot records to make systems unbootable. This makes recovery extremely difficult without backups or specialized forensic methods

• No Ransom Demand: Unlike ransomware, wiper malware provides no decryption keys or ransom demands. It is designed for sabotage, not financial gain.

• Wide-scale Impact: These attacks can cripple networks by wiping servers, corrupting databases, and IoT devices, leading to widespread service disruptions.

Who is targeted?

Governments, critical infrastructure, financial institutions, and major enterprises have all been victims of wiper attacks.

How Does Wiper Malware Work?

Wiper malware employs various techniques to destroy data and make systems inoperable:

1. Initial Access – Attackers gain entry via phishing, supply chain attacks, or exploiting unpatched software.

2. Privilege Escalation – Once inside, they gain admin rights to increase their control.

3. File & System Wiping – Some wipers target the Master Boot Record (MBR), preventing the system from booting or delete/corrupt key system files.

4. Network Propagation – In larger networks, wiper malware spreads to other connected devices, causing broader damage.

Notable Wiper Malware Attacks

1. NotPetya (2017)

• Target: Ukrainian businesses, but quickly spread worldwide (Maersk, FedEx, Merck).

• Impact: Originally thought to be ransomware, NotPetya was later identified as a wiper in disguise. It encrypted data with no way to decrypt it (recover it), causing an estimated $10 billion in damages.

• Key Lesson: Wiper malware may resemble ransomware, but its intent is purely destructive, not financial.

2. Shamoon (2012, 2016, 2020)

• Target: Energy sector, notably Saudi Aramco and RasGas.

• Impact: Shamoon erased data on 35,000 company computers at Saudi Aramco, replacing files with an image of a burning American flag. Later versions targeted other companies.

• Key Lesson: Wiper malware can serve as a cyber weapon for political messaging and industrial sabotage.

3. AcidRain (2022)

• Target: Viasat satellite modems, affecting Ukraine and parts of Europe.

• Impact: Unlike traditional wipers, AcidRain was designed to erase firmware on satellite modems; thousands were disabled, and internet services were knocked offline.

• Key Lesson: Wiper malware isn’t limited to computers; it can target network infrastructure and IoT devices, expanding the attack surface.

4. Olympic Destroyer (2018)

• Target: Winter Olympics IT infrastructure (Pyeongchang, South Korea).

• Impact: The attack crippled ticketing systems, broadcasting, and event services, causing widespread operational chaos. Olympic Destroyer contained data-wiping functionality but also included anti-forensic measures to mislead investigators.

• Key Lesson: Wiper malware can be used to sabotage global events and disrupt international operations.

  💡

  Extra: Hear the Darknet Diaries episode #77 about the Olympic Destroyer!

Can Organizations Recover from Wiper Attacks?

While wiper malware is destructive by design, some companies have successfully recovered by implementing robust cybersecurity and disaster recovery plans. Here are two examples:

• Maersk & NotPetya (2017) – The global shipping giant had all but one of its domain controllers wiped. Thanks to an unaffected office in Ghana, Maersk was able to restore operations within 10 days after rebuilding its IT infrastructure from these isolated backups.

• Sony Pictures (2014 Attack) – After the North Korea-linked Destover wiper malware attack, Sony relied on off-site backups and network isolation to recover operations, though data loss was significant and also led to public leaks of sensitive information.

These cases highlight the importance of offline backups, rapid response, and resilient IT infrastructure in surviving cyberattacks.

Who is Behind Wiper Attacks?

Determining who is responsible (attribution) for cyberattacks is complex because attackers use:

• False flags: Making the attack appear to come from another country.

• VPNs & Proxy Servers: Hiding their true locations.

• Compromised Systems: Launching attacks from hacked machines. false flags, VPNs, and compromised systems to hide their identities.

Security researchers rely on:

• Malware code similarities: Comparing wiper malware with known nation-state tools.

• Infrastructure analysis: Tracking IP addresses, command-and-control servers, and domain registrations.

• Victim Profiling: Identifying which industries, organizations, or countries are being targeted.

• Threat Actor Profiling: Analyzing who benefits from the attack and linking it to potential perpetrators.

Attribution is rarely 100% certain, but cybersecurity experts rely on technical forensics and geopolitical context to assign responsibility.

Why is Wiper Malware a Growing Threat?

While wiper malware primarily targets organizations, governments, and critical infrastructure, individuals and businesses can still take steps to protect their data and systems from destructive cyber threats.

1. Increasing Geopolitical Tensions: Nation-state actors are using wiper malware as a tool for cyber warfare, targeting critical infrastructure.

2. Escalating Cyber Sabotage: Wiper malware is being deployed not just in war zones, but also in financial, energy, and government sectors.

3. Harder to Defend Against: Unlike ransomware, wiper malware often leaves no straightforward recovery options, making mitigation strategies critical.

How to Defend Against Wiper Malware

For Organizations & Enterprises

• Network Segmentation: Prevents malware from spreading across critical systems by isolating sensitive networks.

• Advanced Threat Detection: AI-powered security tools can detect wiper malware before activation.

• Endpoint Detection and Response (EDR) – EDR solutions provide continuous monitoring and response capabilities at the endpoint level (device), allowing organizations to detect and contain wiper malware before it spreads throughout the network.

• Incident Response Plans: A prepared and tested response strategy can reduce downtime.

• Patch & Update Software: Regular updates help eliminate security vulnerabilities.

• Zero-Trust Security Model: Requires continuous verification for network access.

For Individuals & Small Businesses

• Regular Backups: Store backups offline and in the cloud to ensure data recovery.

• Software Updates: Patch vulnerabilities to prevent exploits.

• Email & Link Caution: Be cautious with emails and links, as phishing is a common method for delivering wiper malware.

• Security Tools: Use firewalls, antivirus software, and multi-factor authentication (MFA) for added protection.

TL;DR: Wiper Malware vs. Zero-Day Exploits

While Netflix’s Zero Day explores cyberattacks that may seem similar, most wiper malware does not rely on zero-day exploits. Some, like NotPetya, have used zero-days to spread, but not all wipers require them to cause destruction. A zero-day is an unknown software vulnerability, while a wiper is designed for destruction. Defending against both requires proactive patching, backups, and threat detection

Conclusion

Wiper malware is a dangerous and evolving threat, used in cyber warfare and politically motivated attacks. Whether targeting critical infrastructure, financial institutions, or global events, its effects can be catastrophic.

Understanding how wiper malware operates, its real-world consequences, and how to defend against it is essential. Preparation is the best defense.

✅ Want to learn more?

• Check my beginner guide to MITRE ATT&CK to understand cyberattack techniques.

• Explore CISA’s cybersecurity best practices.

• Evaluate your organization’s cyber resilience with NIST cybersecurity resources.

💬 How prepared do you think most organizations are against wiper malware? Share your thoughts!

MITRE ATT&CK can be just as daunting for beginners. It’s a framework that organizes vast amounts of information about how attackers operate, which can feel overwhelming if you're starting. But trust me, once you break it down, it becomes an incredibly valuable tool for understanding and defending against cyber threats. In this guide, I'll help you make sense of the ATT&CK framework, how it's structured, and how you can use it to improve your cybersecurity practices. Whether you're a beginner or someone working to sharpen your skills, let's dive in and make MITRE ATT&CK less intimidating!

What Is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly accessible knowledge base that catalogs real-world adversary behaviors. Think of it as a "playbook" of how attackers operate, organized into tactics (goals) and techniques (methods). Unlike traditional threat lists, ATT&CK focuses on how attacks happen, not just what they look like. Please note that while this guide focuses on the Enterprise Matrix, MITRE also offers frameworks for Mobile and Industrial Control Systems (ICS).

Why It Matters

• Common Language: Security teams use ATT&CK to communicate threats clearly.

• Detection & Response: Helps organizations spot attacker behaviors, not just malware signatures.

• Proactive Defense: By anticipating attacker workflows, teams can prioritize patching vulnerabilities or monitoring high-risk techniques.

Key Concepts: Tactics, Techniques, and Sub-Techniques

Tactics: The "Why" Behind Attacks

Tactics represent the "why" behind an attacker’s actions. In other words, the adversary's goals at various stages of the attack. Note that all tactics IDs start with TA, then the number. ex. Reconnaissance: TA0043

Here are the main tactics and their goals:

• TA0043: Reconnaissance – Collect data to plan future malicious activities.

• TA0042: Resource Development – Identify resources to support malicious operations.

• TA0001: Initial Access – Gain first access to your network.

• TA0002: Execution – Execute malicious code.

• TA0003: Persistence – Maintain their foothold.

• TA0004: Privilege Escalation – Get access to higher-level permissions.

• TA0005: Defense Evasion – Evade defenses to avoid being detected.

• TA0006: Credential Access – Acquire account names and passwords.

• TA0007: Discovery – Investigate your environment.

• TA0008: Lateral Movement – Move through your environment.

• TA0009: Collection – Collect data relevant to their goal.

• TA0011: Command and Control – Control compromised systems and communicate with them.

• TA0010: Exfiltration – Steal collected data.

• TA0040: Impact – Alter, corrupt, or destroy your systems and data.

As seen in the image above, each tactic includes several techniques.

Techniques: The "How"
Techniques are specific actions attackers use to achieve their goals. Note that all technique IDs start with T, then the number. ex. Phishing: T1566 For example:

• Phishing (T1566): Sending deceptive emails to trick users into sharing sensitive information.

• Use Alternate Authentication Material (T1550): Using alternative credentials or methods for authentication, such as password hashes or Kerberos tickets.

Some techniques like Use Alternate Authentication Material have sub-techniques. Let’s explore that.

Sub-Techniques: Granular Details
Sub-techniques refine techniques into detailed actions. Techniques that have sub-techniques have a gray sidebar. It is important to note that not all techniques have sub-techniques. If a technique has a sub-technique, you will see a grey area next to the technique name. To see the sub-techniques of the technique you must click in the gray area. Note that their IDs will append a sub-ID to the technique ID (ex. T1550.002)

For instance, under Use Alternate Authentication Material (T1550) there are currently four sub-techniques, two of them are:

• T1550.002: Pass-the-Hash via NTLM, a specific method for bypassing authentication using hash values from NTLM (Windows authentication protocol).

• T1550.004: Web Session Cookie – Stealing and using session cookies to impersonate a user without needing their password.

Another example, OS Credential Dumping (T1003), has 8 sub-techniques so far, two of which are:

• T1003.001: LSASS Memory: Extracting passwords from memory.

• T1003.002: Security Account Manager (SAM): Extracting passwords from registry keys.

The Pyramid of Pain: Why Behavior Matters

The Pyramid of Pain, created by David Bianco, helps us understand why focusing on TTPs is more effective in defending against adversaries than relying on traditional indicators of compromise (IOCs). Unlike IOCs, such as file hashes or IP addresses, which attackers can easily change, behaviors (TTPs) are harder to adapt quickly and provide a much more lasting challenge for threat actors.

Before MITRE ATT&CK, defenses typically focused on low-level indicators like IP addresses or file hashes. However, these indicators are easily changed or masked by attackers, making them less effective at deterring threats. The Pyramid of Pain illustrates how defenses become more effective when they target behaviors (TTPs—Tactics, Techniques, and Procedures) rather than just indicators.

• Lower Levels: Indicators of Compromise (IOCs) like IP addresses, file hashes, or domain names are easy for attackers to change and, therefore, cause minimal “pain” for them. For example, attackers can quickly change a file hash or switch to a new IP address, making this level of defense only a minor hurdle for skilled adversaries. While IOCs can help detect attacks, they don’t provide much resistance.

• Middle Levels: Tactics and Techniques are harder for attackers to change, but they can still adjust their methods. For example, if a defender blocks one phishing technique, attackers might adapt by using a different method. This is where MITRE ATT&CK shines as it provides a detailed catalog of how attackers achieve their objectives, allowing defenders to identify and block common attack strategies that are more difficult to change.

• Higher Levels: Tactics, Techniques, and Procedures (TTPs) represent the strategic approaches attackers use. These are the most challenging aspects for attackers to change because they are part of their overall attack methodology. For example, an attacker’s method for lateral movement or credential dumping will rely on a consistent set of behaviors, even if they use different tools. When defenses are focused on detecting and blocking TTPs, they become much more difficult for attackers to bypass, forcing them to rethink their strategy.

By focusing on TTPs, MITRE ATT&CK helps defenders "raise the pain" for attackers—making it more challenging for them to succeed and forcing them to evolve their methods.

Tracking Threat Actors by Groups and Software

MITRE ATT&CK profiles:

• Groups: Named threat actors (ex. APT29, Lazarus Group, Dragonfly) and their TTPs.

• Software: Tools/malware they use (ex. Mimikatz for credential dumping, ID: S0002).

In MITRE ATT&CK, groups refer to specific threat actor teams or campaigns that engage in cyberattacks. These groups are often associated with certain tactics, techniques, and procedures (TTPs) that MITRE tracks, which help us understand their methods and behaviors. However, threat actors sometimes operate under multiple names or aliases, which can create confusion when reviewing reports or intelligence.

For example, Dragonfly (ID: G0035) is a well-known cyber espionage group attributed to Russia, targeting critical infrastructure. Within the Dragonfly umbrella, one of the notable subgroups is Berserk Bear, which has been particularly active in attacking energy sectors. Although the name "Berserk Bear" is frequently mentioned in some threat intelligence reports, it is ultimately part of the Dragonfly group, and understanding this connection is key. In MITRE ATT&CK, you'll find the complete list of aliases associated with a group, which helps clarify any potential confusion about its identity.

It’s important to remember that groups like Dragonfly and its subgroups may not only use multiple aliases but can also adapt or change their tactics over time. This makes tracking these threat actors a dynamic challenge. For example, Dragonfly uses sub-techniques like PowerShell Scripting (T1059.001) and tools like Mimikatz (S0002), which remain part of the group’s ongoing operations despite potential shifts in their campaigns.

How to Use MITRE ATT&CK

• Threat Intelligence: Map detected activities to known adversary behaviors.

• Detection Engineering: Build alerts for techniques like lateral movement (ex. suspicious RDP logins).

• Red Team Exercises: Simulate attacks to test defenses.

• Incident Response: Investigate breaches by aligning evidence with TTPs.

Getting Started

1. Explore the Matrix: Visit MITRE’s ATT&CK Website.

2. Use Free Tools: Try the ATT&CK Navigator for visual mapping.

3. Focus on Relevance: Prioritize techniques common to your industry (ex. ransomware for healthcare).

4. Join the Community: Contribute insights or use case studies from MITRE’s updates.

Key Takeaways

• MITRE ATT&CK is about behavior, not just indicators.

• Use it to align defenses with real-world attack patterns.

• Start small: focus on high-impact techniques first (ex. phishing).

• MITRE ATT&CK is a living framework, updated regularly with community contributions.

By understanding MITRE ATT&CK, you’ll shift from reactive to proactive cybersecurity—catching attackers by their habits, not just their tools.

If you're eager to get hands-on with MITRE ATT&CK, I highly recommend checking out the ATT&CK Navigator or diving into a Capture the Flag (CTF) challenge to start mapping real-world attacks to tactics and techniques.

The Digital World We Live In

Given our reliance on technology, it's our responsibility to cultivate responsible and informed online behavior. This is where digital citizenship emerges as a critical component of a strong cybersecurity strategy. While this might not sound new—especially for those who've adapted from analog to digital life—digital citizenship isn't just beneficial for specific age groups; it's essential for everyone and should start from a young age. We all need updates and continuous learning to keep up with the evolving digital landscape.

What Is Digital Citizenship?

Think of digital citizenship as your "driver's license" for the internet. It's not just about knowing how to use technology—it's about using it responsibly, ethically, and safely. This includes:

• Understanding and navigating the online world with ethics

• Respecting others in digital spaces

• Discerning reliable information

• Maintaining personal data privacy

• Questioning source reliability

• Avoiding risky behaviors

Why Digital Citizenship Matters for Your Cybersecurity

The Growing Threat Landscape

The digital threat landscape continues to evolve at an alarming pace. According to the ThreatDown report 2024 State of Malware, ransomware attacks surged by 68% in 2023, with the LockBit gang demanding a staggering $80 million in a single attack on Royal Mail. These escalating threats make it crucial for digital citizens to stay informed and maintain strong security practices.

1. Strengthening Information Literacy

Cybersecurity isn't just about technology; it's about making informed choices. According to Check Point Research, Microsoft accounted for 57% of all brand phishing attempts in Q2 2024, while Apple held second place with 10%. These statistics highlight how cybercriminals frequently impersonate trusted brands to trick users into giving away sensitive information.

2. Safeguarding Personal Privacy

As reported by IBM, 343 million individuals were affected by data breaches in 2023, with the average cost of a single breach rising to $4.88 million in 2024. The impact is staggering—compromised business emails alone accounted for over $2.9 billion in losses last year.

3. Understanding Algorithmic Influence

Social media algorithms often amplify sensational or misleading content to increase engagement. This can lead users to unreliable or malicious websites that spread misinformation or scams. According to the SiteLock Website Security Report 2022, roughly 4.1 million websites were infected with malware. By understanding how algorithms work and being critical of the content they promote, individuals can better protect themselves from harmful or compromised sites.

Becoming a Better Digital Citizen: An Action Plan

To safeguard yourself in the face of these growing threats, here are some simple yet powerful steps to improve your digital citizenship

Verify Before You Share

Take time to verify facts by consulting credible sources. Share only content from reputable websites and news outlets to avoid spreading misinformation.

Protect Your Digital Self (a.k.a. Your Personal Information)

1. Use secure passwords: Length over complexity, use 12+ characters and memorable passphrases (ex.“CoffeeTreeSandwich or MyBellyLovesTacoTuesdays”) for stronger security. See How to make passwords more secure

2. Activate two-factor authentication (2FA): Enable 2FA on key accounts, ideally with an app like Google Authenticator. See Why You Should Turn On Two Factor Authentication

3. Be selective about personal information sharing: Many people share to connect, but oversharing is a gift to malicious actors like scammers and fraudsters. See How To Protect Your Online Privacy With A Threat Model

4. Consider using a VPN (Virtual Private Network) for added security: Use a trusted VPN on public Wi-Fi to keep your data private. See What Is A VPN? Explained

The Stakes Are Rising

According to projections, global cybercrime costs could hit $10.5 trillion by 2025. Digital citizenship is an accessible tool to combat this trend by promoting safer online habits. Schools, organizations, and communities must prioritize digital citizenship by implementing workshops, online courses, and programs that equip individuals with skills to verify sources, protect privacy, and engage respectfully.

Research shows that many internet users lack these critical skills, making digital literacy in education essential to developing informed citizens who can confidently navigate misinformation and cyber threats. This education must start young—our children are growing up in an increasingly connected world and need these skills from an early age.

Your Role in the Digital Future

As we navigate an increasingly complex digital landscape, digital citizenship is essential for fostering responsible technology use, enhancing online safety, and promoting positive interactions within our virtual communities. By embracing digital citizenship principles, we empower ourselves and others to engage ethically and thoughtfully online.

For more detailed insights into cybersecurity risks, common attack vectors, and the financial impact of breaches on individuals and organizations, check out this Forbes cybersecurity stats summary.

What steps will you take today to become a better digital citizen? Whether by advocating for digital literacy in your community or practicing safer online habits, each of us plays a role in creating a secure digital space. Share your thoughts and experiences in the comments below.

Additional Resources

• National Cybersecurity Alliance: www.staysafeonline.org

• Digital Citizenship Institute: www.digitalcitizenshipinstitute.com

• FBI's Internet Crime Complaint Center: www.ic3.gov

Let's take a closer look at how this secure communication works, along with important distinctions between SSL and TLS:

1. Client Web Request

When you enter a URL in your browser (e.g., https://cyberyara.com), the browser sends an HTTP request to the web server hosting the website. This request is typically made over port 443, the default port for HTTPS. The "S" stands for Secure, indicating that the connection will be encrypted while in transit.

2. Server Responds

The web server receives the request and responds by sending its SSL/TLS certificate to the client. This certificate contains the server's public key and initiates the secure communication process.

3. Client Validates Certificate and Crypto

Upon receiving the server's certificate, the client (browser) performs several checks to validate it:

• Checking Certificate Authority (CA): The browser checks if a trusted CA issued the certificate. Trusted CAs are entities that browsers recognize as legitimate issuers of certificates.

• Validity Period: The browser checks the certificate's validity period to ensure it is not expired.

• Revocation Status: The browser may check if the certificate has been revoked using methods like Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP).

• Digital Signature Verification: The browser extracts the server's public key from the certificate and hashes it. It then compares this hash to the one included in the digital signature of the certificate. If they match, the certificate is verified as authentic.

4. The Client Generates and Encrypts the Session Key

Once the certificate is validated, the client generates a symmetric session key. Symmetric encryption uses the same key for both encryption and decryption, which is faster and more efficient for encrypting large amounts of data.

The client encrypts this session key using the server's public key (obtained from the server's certificate) and sends the encrypted session key to the server. This ensures that only the server, which holds the corresponding private key, can decrypt the session key.

5. Optional Client Certificate Exchange

In some scenarios, the server might request a certificate from the client to authenticate the client. This is more common in environments where both parties need to verify each other’s identity, such as in banking or enterprise settings.

6. Server Decrypts the Session Key

The server receives the encrypted session key and decrypts it using its private key. Now, both the client and the server share the same symmetric session key, which will be used to encrypt and decrypt all subsequent data exchanged during the session.

7-8. Key Exchange Finished

At this point, the key exchange process is complete. Both the client and the server have securely exchanged a session key and can now begin secure communication.

9. Encrypted Messages Are Exchanged

With the session key in place, all data transmitted between the client and the server is encrypted using symmetric encryption. This ensures that even if an attacker intercepts the data, they will not be able to read it without the session key.

Explanation of Key Terms

• HTTPS (HyperText Transfer Protocol Secure): An extension of HTTP that uses SSL/TLS to encrypt data between the client and server.

• SSL/TLS (Secure Sockets Layer/Transport Layer Security): Protocols that provide secure communication over a computer network. It's important to note that SSL is deprecated due to security vulnerabilities, and TLS is the modern, more secure protocol that should be used. Despite this, some people still use the term SSL when referring to TLS.

  • SSL (Secure Sockets Layer): Developed by Netscape in the mid-1990s to secure web traffic. SSL had several versions, with SSL 3.0 being the last before transitioning to TLS.

  • TLS (Transport Layer Security): The successor to SSL, designed to provide stronger encryption and better security. TLS has undergone several updates, with TLS 1.2 and TLS 1.3 being the most widely used versions today. TLS 1.3 offers improved performance and security features over its predecessors.

• Certificate Authority (CA): An entity that issues digital certificates to verify the identity of organizations and individuals.

• Digital Certificate: An electronic document that uses a digital signature to bind a public key with an identity.

• Public Key: A key that can be shared with anyone and is used to encrypt data.

• Private Key: A key that is kept secret and is used to decrypt data encrypted with the corresponding public key.

• Symmetric Encryption: A type of encryption where the same key is used for both encryption and decryption.

• Digital Signature: A cryptographic signature that verifies the authenticity and integrity of a message, software, or digital document.

Real-World Examples and Case Studies

1. Heartbleed Vulnerability: Discovered in 2014, Heartbleed was a serious vulnerability in the OpenSSL cryptographic software library. This bug allowed attackers to steal information protected, under normal conditions, by SSL/TLS encryption. The incident highlighted the importance of keeping cryptographic libraries up to date and ensuring that vulnerabilities are promptly patched.

Latest Trends and Advancements

• HTTP/3 and QUIC Protocol: HTTP/3, the latest version of the HTTP protocol, is designed to improve performance and security. It is built on the QUIC protocol, which uses UDP instead of TCP. QUIC includes built-in encryption and aims to reduce latency, improve connection reliability, and enhance security.

• TLS 1.3 Adoption: The adoption of TLS 1.3 is increasing due to its improved security and performance. TLS 1.3 removes outdated cryptographic algorithms and introduces features like 0-RTT (zero round-trip time) to speed up the handshake process.

Conclusion

Understanding the process of secure web traffic is crucial for ensuring data privacy and security online. By following the steps outlined above, HTTPS establishes a secure channel between the client and server, protecting data from eavesdroppers and ensuring that sensitive information remains confidential and intact during transmission. Remember, while SSL was once widely used, it is now deprecated in favor of TLS, which provides enhanced security and should be the protocol of choice for secure web communication.

Today, the U.S. Department of Justice has released another significant document UNITED STATES OF AMERICA v. CERTAIN DOMAINS: a 277-page affidavit supporting a seizure warrant. This affidavit details a Russian-backed cyber-driven influence campaign known as “Doppelganger” primarily aimed to undermine elections and diminish international support for Ukraine. Additionally, describes how Russian entities, under the direction of high-ranking officials, employed cybersecurity tactics and disinformation techniques to manipulate public opinion in the U.S. and other countries.

Cybersecurity Tactics at the Core of Doppelganger Campaign

The Doppelganger campaign employed a wide array of cybersecurity tools to obfuscate its true origin, often masking the involvement of the Russian government. Central to this operation was the use of Virtual Private Servers (VPSs) and Virtual Private Networks (VPNs). These tools allowed operatives to mask their true locations and appear to be operating from within the U.S. By layering multiple VPS services, they were able to further conceal their identities and locations, making it harder for cybersecurity experts and law enforcement to detect the true origins of the operation (p. 38).

Additionally, Doppelganger operatives purchased compromised IP addresses on cybercriminal forums, allowing them to further mask their activities. Spur, a U.S. cybersecurity firm that analyzed the operation, noted that many of these VPSs were paid for using cryptocurrency, complicating efforts to trace the payments. According to the indictment, some payments were made via cryptocurrency to U.S.-based domain registrars, adding additional layers of anonymity to the operation (p. 35-61)."

Fake News Websites and Social Media Manipulation

A core component of the Doppelganger campaign was to impersonate “news websites, staged videos, and fake social media accounts” (p.12). For example, the creation of fake news websites closely mimicked the branding and appearance of legitimate outlets like The Washington Post, Fox News, and Forward (see exhibit 1, p. 88-107). These websites were designed to deceive users into believing they were accessing trusted news sources. This tactic allowed the operatives to spread false news stories and pro-Russian narratives under the guise of legitimate journalism, a hallmark of the campaign.

The Doppelganger campaign also extensively utilized artificial intelligence (AI) to generate fake social media profiles, posing as U.S. citizens or residents of other target countries. According to the indictment, "Among the methods Doppelganger used to drive viewership to the cybersquatted and unique media domains were the deployment of 'influencers' worldwide, paid social media advertisements (in some cases created using artificial intelligence tools), and the creation of fake social media profiles posing as U.S. (or other non-Russian) citizens to post comments on social media platforms with links to the cybersquatted domains, all of which attempted to trick viewers into believing they were being directed to a legitimate news media outlet's website." (p. 2)

Hacking and Technical Infrastructure

In addition to VPS layering and domain spoofing, the indictment reveals that hacking played a key role in Doppelganger’s operations. For example, servers used to host these cybersquatted domains were linked to cybercriminal networks that had been previously involved in hacking activities. The indictment notes that some of these servers had been accessed via known cybercriminal IP addresses and were registered using false identities.

"The IP addresses used to access the registrars all resolved to either VPS services, or IP addresses that the cybersecurity company Spur previously associated with criminal cyber actors who compromise IP addresses and sell access to them, to allow buyers to gain further anonymity online. Even the VPS services used by the personas were accessed through other VPS services and paid for using cryptocurrency." (p.37)

Furthermore, Doppelganger operatives employed botnets, networks of automated accounts, to amplify their disinformation on social media. The bots were used to post links to the fake news articles across social media platforms, creating the illusion of grassroots support for the Russian narratives. The indictment describes how these bots were programmed to mimic the behavior of real users, sharing posts and commenting on them in ways that would appear genuine to the average social media user (p.30). Given these tactics, the document presents evidence of countermeasure efforts implemented by various government and private agencies across Germany, France, the US, and Israel, as well as major online platforms and fact-checkers. Since September 2022, these efforts have included publishing articles critiquing the project's impact on public opinion.on exhibit 2A (p. 108-116)

Social Media Manipulation and AI

The Doppelganger campaign made extensive use of artificial intelligence (AI) to generate fake profiles and posts on social media. These profiles, which posed as U.S. citizens or residents of other target countries, were used to share links to cybersquatting domains and to comment on political topics in order to manipulate public discourse. According to the indictment, social media profiles were created using AI-generated images and used to engage in discussions and share disinformation articles” (p. 123).

"Among the methods Doppelganger used to drive viewership to the cybersquatted and unique media domains were the deployment of “influencers” worldwide, paid social media advertisements (in some cases created using artificial intelligence tools), and the creation of fake social media profiles posing as U.S. (or other non-Russian) citizens to post comments on social media platforms with links to the cybersquatted domains, all of which attempted to trick viewers into believing they were being directed to a legitimate news media outlet’s website." (pg 2)

In fall 2023, the Russian company, Social Design Agency (SDA), developed "The Good Old U.S.A. Project" to influence U.S. public opinion ahead of the 2024 federal elections. The project aimed to shift sentiment toward prioritizing domestic issues over foreign spending, particularly in Ukraine. The strategy involved targeting social media users with misleading content disguised as news, using social media advertising, influencers, and bots to amplify "bogus stories" and false narratives. The campaign also employed targeted advertising to track and influence American reactions in real time, adjusting strategies based on user responses. Records from Meta, obtained through a warrant, revealed that Doppelganger used AI tools to create negative ads about U.S. politicians and operated Meta pages with names similar to legitimate news organizations. Additionally, U.S. credit cards were used to purchase ads on Facebook. As detailed on page 31 "Meta records also revealed that Doppelganger used credit cards issued by U.S. financial institutions to purchase Facebook advertisements".

Another notable component of the overall campaign was the “Guerrilla Media Campaign in the United States.” This proposal outlined a strategy for exploiting the perceived polarization of U.S. society by focusing on eight distinct “Campaign Topics.” It anticipated utilizing social media platforms such as Facebook, X (formerly known as Twitter), YouTube, and Truth Social. The campaign's plan included creating multiple “perishable” accounts to manage comments and disseminate propaganda through posts, memes, and “video content, including news stories in the Fox News style”(p.32). The goal was to use a mix of realistic information and minimal fake news to create a perception of reality that contradicted official media narratives.

The indictment further notes that the campaign involved creating numerous fake accounts due to enforcement efforts by U.S. social media companies aimed at identifying and deactivating accounts linked to Doppelganger. These fake profiles, combined with paid advertisements funded by cryptocurrency transactions, were designed to blend in with legitimate political ads, obscuring their true purpose. This AI-driven approach was part of a broader strategy to “engage in targeted social engineering based on information trends and users’ emotional attitudes” (p. 150).

The Accusations:

The Doppelganger operatives are facing serious accusations, including:

1. Money Laundering: The operatives are accused of using cryptocurrency to fund their activities, including purchasing VPS services and domains from U.S.-based registrars. This financial obfuscation was key to maintaining the anonymity of the operation, bypassing traditional financial systems, which complicates law enforcement efforts to trace the funds.

2. Conspiracy: The alleged central actors, including Sergei Kiriyenko, Ilya Gambashidze, and Nikolai Tupikin, are charged with conspiring to influence U.S. elections and reduce international support for Ukraine. The indictment outlines their direct involvement in planning and executing the Doppelganger operation, noting, that these individuals conspired to deploy disinformation aimed at U.S. voters, seeking to exploit political divisions to advance Russian geopolitical interests.

3. Trafficking in Counterfeit Goods: By creating fake news websites that closely mimicked legitimate media outlets, the operatives engaged in the illegal use of copyrighted logos and designs. On page 18, it states that their "use of the marks is likely to cause confusion, mistake, or to deceive the public".

4. Violation of the International Emergency Economic Powers Act (IEEPA): The operatives are also accused of violating U.S. sanctions imposed on Russian entities. By purchasing domains and services from U.S. companies without obtaining the necessary licenses, they violated economic sanctions. Based on the document, the defendants knowingly engaged in prohibited transactions with U.S. entities, including domain registrars, in violation of IEEPA. (p. 18).

The indictment of the Doppelganger campaign exposes the growing threat of cyber-driven disinformation and the sophistication of state-sponsored cyber operations. By using VPSs, compromised IP addresses, AI-generated social media profiles, and bots, the operatives behind Doppelganger were able to carry out a covert influence campaign aimed at manipulating elections and public discourse. As cybersecurity professionals continue to grapple with the challenges posed by disinformation and hacking, this case serves as a stark reminder of the importance of vigilance in the face of evolving cyber threats.

Port scanning involves probing computer systems or networks to uncover open ports and services. Ports act as gateways, each serving a distinct function – for instance, port 80 commonly handles web traffic, while port 22 facilitates secure shell connections. By identifying open ports, cybersecurity professionals can evaluate a system's vulnerability to potential attacks.

Understanding the importance of port scanning is essential. It empowers you to:

• Assess a network's security posture.

• Identify potential entry points for attackers.

• Implement appropriate security measures.

• Detect unauthorized or suspicious activities.

There are many well-known port scanning tools like Nmap, Masscan, and Zmap. However, this article is aimed at you to create your own!

Now, let's discuss how to create a simple command-line interface (CLI) tool that automates network security tasks using Python. I hope that by breaking down the code into chunks and explaining each step in detail, you'll not only enhance your Python programming skills but also deepen your understanding of network security principles.

When developing any tool, especially one that interacts with networks, it's crucial to consider security implications. Before going into the code, let's discuss specific security measures implemented in the tool and how they mitigate potential risks.

• Error Handling and Input Validation: One crucial aspect of security is robust error handling and input validation. In this port scanning tool, I incorporated error-handling mechanisms to handle unexpected scenarios. For instance, catching socket-related errors and handling them appropriately to prevent crashes or unexpected behavior. Additionally, validating user input ensures that only valid IP addresses are accepted, mitigating the risk of injection attacks or unintended behavior.

• Securing Network Communication: When interacting with network resources, we must ensure secure communication to protect against eavesdropping and tampering. This tool utilizes the socket module's capabilities to establish secure TCP connections. By leveraging the built-in features of the socket module, I ensure that communication between our tool and the target host is encrypted and authenticated, reducing the risk of unauthorized access or data compromise.

• Preventing Common Vulnerabilities: Furthermore, I took measures to prevent common vulnerabilities such as buffer overflows or denial-of-service attacks. By carefully managing resources and implementing safeguards within our code, we mitigate the risk of exploitation by malicious actors. Additionally, I followed best practices for secure coding, such as using well-established libraries and avoiding unsafe functions or practices that could introduce vulnerabilities.

• Continual Vigilance: While this simple port scanning tool may provide a foundation for network exploration, it's essential to remember that security is an iterative process. As you continue to develop your skills in cybersecurity and software development, always prioritize security considerations in your projects. Stay informed about emerging threats and best practices, and regularly update your code to address any potential vulnerabilities or weaknesses. By maintaining a vigilant stance on security, you can ensure that your projects remain resilient in the face of evolving threats.

This is a constant, ensuring that your code is secure, never ends!

Now let's go into the code of a simple port scanning tool:

First, we begin by importing the necessary modules.

import socket
import signal
import sys

The socket module provides access to the BSD socket interface, which we'll use for network communication. signal and sys are imported to handle interrupts gracefully, ensuring our tool exits cleanly when the user presses Ctrl + C.

Signal Handling for Interruptions:

def signal_handler(sig, frame):
    """Signal handler for Ctrl + C"""
    print("Thank you for using EZ Port Scanning!")
    sys.exit(0)

Next, we define a signal handler function to catch Ctrl + C interrupts, ensuring a clean exit message is printed before terminating the program.

Scanning Ports:

def port_scans(target):
    """Scan ports for a given target IP address and print open ports"""
    for port in range(1, 1025):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        result = sock.connect_ex((target, port))

        if result == 0:
            print(f"Port {port} is open")

        sock.close()

The port_scans function takes a target IP address as input and iterates over ports 1 to 1024. For each port, it attempts to establish a TCP connection. If successful, it prints that the port is open.

Main Function and User Interaction:

def main():
    """Main function for the Easy Port Scanner program"""
    print("*** Welcome to Easy Port Scanning! ***")
    print("[Use Ctrl + C to quit at any time.]")

    # Set up a signal handler for Ctrl + C
    signal.signal(signal.SIGINT, signal_handler)

    while True:
        target = input("Enter IP Address to scan (or type 'exit' to quit): ")

        if target.lower() in ['exit', 'quit']:
            print("Thank you for using EZ Port Scanning!")
            break

        print("*" * 30)
        print(f"*** Scanning: {target}  ***")
        print("*" * 30)

        try:
            port_scans(target)
        except socket.gaierror:
            print("Invalid IP Address. Please enter a valid IP.")
        except KeyboardInterrupt:
            print("\nScan interrupted.")
        except Exception as e:
            print(f"An error occurred: {e}")

        response = input("Would you like to scan another IP Address? Type Y / N: ")
        if response.upper() != 'Y':
            print("Thanks for using EZ Port Scanning!")
            break

if __name__ == "__main__":
    main()

Finally, the main function orchestrates the tool's execution. It greets the user, sets up the signal handler, and enters a loop to continuously prompt for target IP addresses. After scanning a target, it asks if the user wants to scan another IP or exit the program. This ensures a smooth user experience with clear prompts and handling for potential interruptions during scanning.

In conclusion, we've covered the development of a simple yet effective port scanning tool in Python. By prioritizing security, code readability, and error handling, we've developed a tool that can be a valuable asset in various network security and administration tasks.

Remember to validate inputs, handle errors gracefully, and follow best practices for secure coding. As you continue to explore and develop your Python skills, consider expanding upon this project with new features and optimizations. For example, consider the following:

1. Implement Multithreading: Consider adding multithreading capabilities to enhance scanning performance, allowing for concurrent scanning of multiple ports or hosts.

2. Enhance Reporting: Improve reporting features to provide detailed logs and analysis of scan results, facilitating comprehensive security assessments.

3. Add Port Range Specification: Provide options for users to specify port ranges for scanning, increasing flexibility and efficiency in target selection.

4. Integrate Port Banner Grabbing: Extend the tool to include port banner grabbing functionality, gathering information about services running on open ports for deeper vulnerability analysis.

Security is an ongoing process, so stay informed about emerging threats and regularly update your code to address any potential vulnerabilities.

Check this project repository on my GitHub

Happy learning and happy scanning!

Here are six essential vulnerabilities that I've learned in my ongoing Cybersecurity journey that I hope can help you with your code. Although the following examples are in C code, these vulnerabilities are not attached to a specific language:

1. Unsanitized Inputs: Trusting user inputs blindly is equal to leaving the front door of your application wide open. Therefore, it is crucial to validate and sanitize inputs to prevent injection attacks like SQL injection or cross-site scripting (XSS). Input validation ensures that only expected and safe data enters your system, protecting it from malicious payloads.

   Example:

    char username[50];
    printf("Enter your username: ");
    fgets(username, sizeof(username), stdin); // Use fgets() for safer input reading
   

   Explanation:

   fgets() is used to read user input into the username array. Unlike other input functions like scanf(), fgets() allows specifying the maximum number of characters to read, thereby preventing buffer overflow. This ensures safer input handling and reduces the risk of vulnerabilities. Note: scanf() opens your code to malicious inputs. Why? It doesn't check if the user input is within the data bytes allocated for an input. Therefore, whatever the amount of data the user inputs, C will put that data at the memory address, even if there isn't enough space for it. This can cause the program to crash and introduce a known exploit: buffer overflow. This is why fgets() is recommended.

2. Improper Error Handling: Neglecting error handling might seem inconsequential until it leads to information leakage or system crashes. Avoid verbose error messages that disclose sensitive information and opt for graceful error-handling mechanisms. Logging errors securely can help you identify and mitigate issues without exposing your system's inner workings.

   Example:

    FILE *file = fopen("example.txt", "r");
    if (file == NULL) {
        fprintf(stderr, "Error: Unable to open file 'example.txt' for reading.\n");
        exit(EXIT_FAILURE);
    }
   

   Explanation:

   fprintf() is used to print a custom error message to the standard error stream (stderr) if the file opening fails. This custom error message provides more descriptive information about the error and the specific file that couldn't be opened, enhancing clarity for the user or the developer. Finding a balance between providing informative error messages for troubleshooting purposes and safeguarding confidential data from potential misuse by malicious individuals is crucial.

3. Using Deprecated or Vulnerable Libraries: Relying on outdated libraries is akin to building your castle on a crumbling foundation. Regularly update dependencies to patch security vulnerabilities and benefit from new features and optimizations. Utilize tools like dependency checkers to stay informed about the latest updates and security advisories.

   Example:

    // Example of using outdated OpenSSL library function
    #include <openssl/sha.h>
   

   Explanation:

   In this example, the code includes a header file from the OpenSSL library, which may contain functions that are deprecated or vulnerable to security exploits. This practice can introduce potential security risks into the codebase. Outdated libraries may have known vulnerabilities that could be exploited. To mitigate these risks, it's important to regularly update dependencies and use the latest versions of libraries, ensuring that security patches are applied and known vulnerabilities are addressed.

   Using deprecated or vulnerable libraries like OpenSSL can introduce significant security risks into your codebase. It's crucial to stay informed about security advisories and regularly update dependencies to mitigate these risks. OpenSSL has encountered notable vulnerabilities in the past, including:

   • Heartbleed (CVE-2014-0160): A critical vulnerability in OpenSSL's TLS Heartbeat extension, allowing attackers to read sensitive information from server memory, potentially exposing private keys, user credentials, and other confidential data.

   • POODLE (CVE-2014-3566): This attack exploited a vulnerability in SSL 3.0, supported by OpenSSL, allowing attackers to decrypt encrypted data by exploiting the padding behavior of SSL 3.0 cipher suites.

   • DROWN (CVE-2016-0800): A vulnerability affecting OpenSSL and other TLS implementations, enabling attackers to decrypt encrypted communications by exploiting servers supporting SSLv2 and modern TLS protocols.

   • BLEichenbacher's ROBOT Attack (CVE-2017-3737): This vulnerability allowed attackers to decrypt encrypted communications by exploiting a flaw in the TLS protocol's RSA decryption process, affecting servers using OpenSSL.

While OpenSSL has tried to address these vulnerabilities, it's essential to consider alternatives like wolfSSL. WolfSSL offers a lightweight, portable, and secure SSL/TLS library for resource-constrained environments like embedded systems and IoT devices, prioritizing security and performance.

4. Insecure Data Storage: Storing sensitive data like passwords or API keys in plaintext is like storing a treasure in a glass jar. Employ cryptographic techniques like hashing and encryption to secure sensitive information. Additionally, implement proper access controls and utilize secure storage solutions to mitigate the risk of data breaches.

   Example:

    // Storing password in plaintext
    char password[50] = "mysupersecretpassword";
   
    // Storing API Keys in plaintext
    char WeatherAPI[200] = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ5SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
   

   Explanation:

   These examples highlight a common security flaw where sensitive information, such as passwords or API keys, is stored in plaintext within the code. It's crucial to exercise caution when handling such sensitive data, especially when considering scenarios like uploading code to public repositories like GitHub. Storing data as plaintext means storing it without any form of protection, leaving it vulnerable to unauthorized access.

   Developers should prioritize the adoption of cryptographic techniques such as hashing and encryption to safeguard sensitive information effectively.

   • Hashing: involves converting data into a fixed-size string of characters, known as a hash, using a mathematical algorithm. Unlike encryption, hashing is a one-way process, meaning it cannot be reversed to retrieve the original data. By hashing passwords before storing them, even if the hashed passwords are compromised, the original password cannot be retrieved by attackers.

   • Encryption, on the other hand, entails transforming data into a scrambled format using an encryption algorithm and a secret key. Unlike hashing, encryption can be reversed with the decryption key to retrieve the original data. Encrypting sensitive data like passwords or API keys ensures that even if unauthorized users gain access to the data, they cannot decipher it without the decryption key.

Moreover, it's essential to implement proper access controls to restrict unauthorized access to sensitive data. Access controls delineate who can access what data and what actions they can perform. By enforcing stringent access controls, developers can significantly mitigate the risk of data breaches and unauthorized access attempts.

It's worth noting that storing passwords in plaintext is highly discouraged in professional environments. The best practice is to hash passwords and compare the hash value for authentication. However, instances of insecure code like storing passwords in plaintext may still be encountered as developers continue to learn and adopt best practices.

5. Ignoring Security Best Practices: Disregarding established security best practices is like navigating a ship without a compass in an unfamiliar sea. Embrace principles like the principle of least privilege, secure by default, and defense in depth. Regularly conduct security audits, penetration testing, and code reviews to fortify your defenses against evolving threats.

   Example:

    // Not validating user permissions before accessing sensitive data
    if (userRole == ADMIN) {
        // Allow access to admin panel without proper authorization check
    }
   

   Explanation:

   In this example, the code fails to validate user permissions before granting access to sensitive data or functionalities. Without proper authorization checks, any user with the ADMIN role can gain unauthorized access to the admin panel, potentially compromising the security of the application. To mitigate this risk, ensure your code implements robust authorization checks based on user roles or specific permissions. Consider using role-based access control (RBAC), access control lists (ACLs), or other authorization mechanisms to restrict access to sensitive functionalities only to authorized users. Regularly audit and review access controls to maintain the integrity and security of your application.

6. Mindful Usage ofprintf():

   When working with user input in C, it’s crucial to exercise caution, especially when using functions like printf() that support format specifiers such as %s, %d, etc. Mishandling user input using printf() can lead to vulnerabilities known as format string vulnerabilities.

#include <stdio.h>

int main() {
    char user_input[50];
    // Unsafe usage of printf with format specifiers
    printf("Enter your name: ");
    fgets(user_input, sizeof(user_input), stdin);
    printf("Hello, %s!\n", user_input);  // Potential format string vulnerability

    return 0;
}

Explanation:

In the example, if an attacker inputs a string containing format specifiers, they could exploit this vulnerability to compromise the program's security and potentially leak sensitive information or execute arbitrary code.

When using printf() with user_input obtained from fgets() without proper validation, it can result in potential format string vulnerabilities. Format string vulnerabilities occur when an attacker provides input that includes format specifiers (e.g., %s) to printf() or similar functions. If the code fails to properly sanitize or validate the user input, the attacker can manipulate the format string to read or write arbitrary memory, potentially leading to unauthorized access or code execution.

Examples of Potential Vulnerabilities:

• Password Leak: An attacker could input a format string containing %s to read sensitive information stored in memory, such as passwords or other confidential data. This information could then be leaked to the attacker, compromising the security of the system.

• Arbitrary Code Execution: By crafting a carefully constructed format string, an attacker could overwrite critical memory addresses and inject malicious code into the program's execution flow. This could lead to arbitrary code execution, allowing the attacker to take control of the system, escalate privileges, or perform other malicious actions.

Safe Usage of printf():

To use printf() safely, it’s essential to properly sanitize the input to prevent format string vulnerabilities. In this example, the user input is sanitized by replacing the newline character (\n) added by fgets() with a null terminator (\0), ensuring that the input is properly null-terminated before being used with printf().

#include <stdio.h>

int main() {
    char user_input[50];

    // Safe usage of printf with proper input sanitization
    printf("Enter your name: ");
    fgets(user_input, sizeof(user_input), stdin);
    for (int i = 0; i < sizeof(user_input); i++) {
        if (user_input[i] == '\n') {
            user_input[i] = '\0';
            break;
        }
    }
    printf("Hello, %s!\n", user_input);  // Safe usage with sanitized input

    return 0;
}

Consideration for Simple String Output:

Additionally, if you're only printing a string without any format specifiers or user input, it’s safer to use puts() instead of printf(). puts() automatically appends a newline character to the output and doesn’t support format specifiers, reducing the risk of format string vulnerabilities. It’s a straightforward and safer alternative for outputting simple strings.

#include <stdio.h>

int main() {
    // Safer alternative with puts() for simple string output
    puts("Good luck in your security journey!");  // No format specifiers used
    return 0;
}

These are only six vulnerabilities that I thought would be helpful to share. However, there are many more! Keep learning and researching how to improve your code. I will continue my journey and share new things I learn along the way.

Now that you've gained insights into common vulnerabilities and best practices for securing your code, it's time to take action. Here's what you can do next:

• Audit Your Code: Conduct a thorough review of your existing codebases to identify any potential security vulnerabilities. Look for areas where unsanitized inputs, improper error handling, or insecure data storage practices may be present.

• Implement Security Measures: Take proactive steps to address the vulnerabilities you've identified. Update your code to incorporate input validation, proper error handling, and secure data storage techniques such as hashing and encryption.

• Stay Informed: Stay abreast of the latest developments in cybersecurity and coding best practices. Follow reputable sources, participate in online communities, and continue learning to enhance your knowledge and skills in code security.

• Share Your Knowledge: Spread awareness about the importance of code security within your professional network and community. Share this article or other resources with colleagues and peers to help them improve their coding practices.

Remember, proactive security measures are essential for safeguarding your code and protecting your applications from potential threats. By taking these steps, you contribute to building a more secure and resilient software ecosystem.

Keep learning, stay vigilant, and prioritize security in your coding journey.

Google mentions the courses help prepare you for the CompTIA Security+ exam, the industry-leading certification for cybersecurity roles. While opinions on this claim may vary, individual learning styles differ. The decision ultimately rests on your personal preferences

Program Overview:

• Estimated Completion Time:
  About 6 months with a commitment of 7 hours per week or quicker with a full-time dedication.

• Trial:
  It offers a 7-day trial (full access to the courses!)

• Where can you take it:
  Available on Coursera

• Cost:
  You need to pay the Specialization subscription which is paid monthly. This monthly subscription gives you access to all the Google Cybersecurity Courses (8). Although, Grow with Google still says is $49 per month,

  

  when I joined through Coursera I paid only $15.44(including taxes) for a month!

  

• Overall learner's sentiment:
  As of Feb 2024: 4.8 out of 17,000+ ratings. Speaking the language of Google reviews if this were a restaurant an order from this place would be in your cart already!

• Content relevance:
  The content is regularly updated to keep pace with industry developments.

Courses Highlights:

1. Foundations of Cybersecurity:

   • An immersive introduction to the dynamic cybersecurity field.

   • Covers significant events, job responsibilities, and ethical considerations.

   • Acquired Skills: Fundamental understanding of cybersecurity principles.

   • Estimated Time: 21 hours.

2. Play It Safe: Manage Security Risks:

   • Focuses on using frameworks and controls for risk management.

   • Hands-on experience in incident response through playbooks.

   • Acquired Skills: Proficiency in risk management and incident response strategies.

   • Estimated Time: 11 hours.

3. Connect and Protect: Networks and Network Security:

   • A comprehensive exploration of network architecture, operations, and security.

   • Relevance to the modern cybersecurity landscape, encompassing cloud computing.

   • Acquired Skills: Recognition and mitigation of network-level vulnerabilities.

   • Estimated Time: 14 hours.

4. Tools of the Trade: Linux and SQL:

   • Focuses on essential computing skills for cybersecurity analysts.

   • Hands-on experience with Linux and SQL.

   • Acquired Skills: Proficiency in Linux command line, SQL queries, and real-world cybersecurity tasks.

   • Estimated Time: 27 hours.

5. Assets, Threats, and Vulnerabilities:

   • In-depth exploration of asset security, security controls, and vulnerability management.

   • Integration of real-world scenarios.

   • Acquired Skills: Effective data handling, encryption, and vulnerability assessment.

   • Estimated Time: 26 hours.

6. Sound the Alarm: Detection and Response:

   • Practical aspects of incident detection and response. For example, activities like documenting incidents in an incident handler's journal.

   • Utilization of tools such as IDS (Suricata) and SIEM tools like (Splunk and Google Chronicle).

   • Acquired Skills: Incident response lifecycle understanding, network analysis.

   • Estimated Time: 24 hours.

7. Automate Cybersecurity Tasks with Python:

   • Introduction to Python programming in a cybersecurity context.

   • Emphasis on automation of tasks.

   • Acquired Skills: Practical Python skills for cybersecurity automation.

   • Estimated Time: 30 hours.

8. Put It to Work: Prepare for Cybersecurity Jobs:

   • Focus on decision-making, incident escalation, ethical considerations, and job preparation.

   • Acquired Skills: Incident escalation decision-making, ethical cybersecurity practices, job search, and interview preparation.

   • Estimated Time: 18 hours.

Target Audience:

The Google Cybersecurity Certificate is well-suited for individuals looking to enter the cybersecurity field, especially those with a keen interest in technology and a desire to contribute to the ever-growing realm of digital security. The program is designed for beginners, making it accessible to those with limited tech backgrounds but willing to learn.

Ideal Candidates:

• Aspiring cybersecurity professionals seeking foundational knowledge and practical skills.

• Individuals with a basic understanding of technology, even without prior cybersecurity experience.

• People who are looking to transition into the cybersecurity domain.

While the program caters to beginners, having a basic understanding of computer systems and networks can be advantageous, finishing the certificate sooner than estimated means reduced cost. Familiarity with fundamental technology concepts will help learners grasp the course content more efficiently. However, the hands-on nature of the program ensures that even those with minimal tech backgrounds can successfully navigate and complete the courses.

The self-paced nature of the Google Cybersecurity Certificate allows learners to progress at their own speed, accommodating varying levels of expertise. The inclusion of real-world scenarios and practical insights ensures that participants gain applicable skills regardless of their starting point.

Premium Perks:

As soon as you finish all eight courses, you receive the following:

• CareerCircle: A career support website featuring a resume builder, interview preparation resources, and a job board exclusive to Google Certificate holders (this doesn't mean you will find a job!). Eligibility to work in the U.S. is required for CareerCircle resources.

• Big Interview: A free one-year subscription offering coaching from experts and opportunities to earn and practice interview skills.

• A 30% discount code for the CompTIA Security+ exam, along with additional practice materials.

Is it worth your 2024 Goals investment? For me, it was YES. While it may not guarantee immediate job openings (despite the unfulfilled roles in the industry, many of them are looking for years of experience), I believe the investment is worthwhile. The structured curriculum, insightful discussions, and material curated by industry experts make it a valuable asset. The encouragement and guidance from Google professionals add an invaluable layer, making this certificate an investment in both knowledge and your future career potential.

Recommendations:

While the Google Cybersecurity Certificate offers substantial value, there's room for enhancement, especially for individuals with a basic tech background. The program could benefit from more hands-on exercises, particularly with widely used tools such as Wireshark, Splunk, Google Chronicle, and deeper Python and SQL practices. For example, providing at least optional advanced challenges can better prepare learners for the diverse and sophisticated threats they may encounter in real-world scenarios.

Conclusion:

The Google Cybersecurity Certificate provides a well-rounded curriculum with hands-on experiences and real-world scenarios. Graduates not only gain foundational knowledge but also practical skills, which are highly needed to enter the field. Continuous program updates and potential advanced challenges could further enhance its value.

Share Your Experience!

Have you taken the Google Cybersecurity Certificate? What was your experience? Are you considering it? Share your thoughts below!

However, diversity in one's professional background can be a unique asset. It brings a breadth of perspectives, adaptable skills, and the ability to connect the dots across seemingly unrelated fields. Embracing this diversity can open doors to innovative solutions, fresh approaches, and a dynamic, well-rounded professional journey.

The key to landing a job or role you are interested in lies in presenting your unique qualifications effectively and putting extra work into your strategy.

1- Customize Your LinkedIn Banner

LinkedIn is often the first platform recruiters and hiring managers check when evaluating candidates. A customized LinkedIn banner can make your profile stand out. Use a high-quality image that represents your personal brand and professional identity. This simple and small touch can leave a lasting impression and set you apart from others.

2- Use the 'Open to Work' Label

The 'Open to Work' label on LinkedIn is a useful tool when job hunting. If you are thinking or have heard that "it looks desperate" ... FORGET ABOUT IT, this SHOULD be part of your strategy. Recruiters are targeting talent that is open to work. Embrace vulnerability, is part of the journey! Therefore, personalize your job preferences to signal your openness to specific opportunities, ensuring that you come across as a qualified candidate who's actively looking to make a positive career move.

3-Highlight Your Hard Skills

Your resume and LinkedIn profile should prominently feature your hard skills. Use bullet points to list your technical abilities, certifications, and expertise. Employers often use keyword searches to find candidates, so make sure your skills align with the job you're seeking. What are hard skills? These are specific, teachable abilities or knowledge that can be measured and quantified, typically acquired through education or training, and are directly applicable to a job or task. Some hard skills: Computer Software Knowledge, Graphic Design, Project Management, Marketing, Copywriting, Languages

4- A/B Test Your Resume

Creating a resume can be a daunting task, especially when you have varied experiences. Consider A/B testing your resume by creating two versions: a hybrid resume that showcases your diverse skills and a tailored resume that aligns with a specific job description. Have both versions on job boards and monitor which one yields better results. This data-driven approach can help you refine your resume for future applications.

5- Attend In-Person Networking Events

While online networking is essential, attending in-person events can provide a significant advantage. Face-to-face interactions allow you to connect more in-depth with hiring managers, gain insights into company culture, and leave a memorable impression. Seek for industry-specific conferences, workshops, and job fairs to expand your network and access hidden job opportunities. Where to start? Meetup, Eventbrite, LinkedIn, Facebook events, and more!

6- Engage Directly with Hiring Managers

Don't limit your job search to recruiters alone. Engage directly with hiring managers whenever possible. Send a personalized message on LinkedIn or email, expressing your genuine interest in their organization and the role. Building a direct connection with decision-makers can set you on a faster track to an interview.

7- Leverage Your Transferable Skills

When you have multiple experiences, it's crucial to showcase how your diverse background equips you with adaptability, problem-solving, communication skills, etc. For example, I have experience as a Program Manager outside of tech. Despite the industry being different, many of the tasks and responsibilities might be very similar. Therefore, I must communicate how I was successful in my role as PM in a way it relates to the tech job I'm applying to. This can look like: "Ensured compliance with X requirements or grants..." or "Fostered relationships with external stakeholders or community partners...".

8- Volunteer and Freelance

If you're struggling to find a job, consider volunteering or taking on freelance projects related to the field you are interested in, if you have the time and resources. This can help you acquire relevant skills or it might help to keep your skills sharp. Additionally, it will also help you to build a network and gain valuable experience. Plus, it can lead to job offers or referrals.
Where: Upwork, Fiver, SimplyHired, and many more.

9- Seek Mentorship

Mentorship can provide you with guidance, insights, and valuable connections. Find a mentor who has experience navigating a career path similar to yours. They can help you overcome challenges, set goals, and make informed career decisions. I know this might be more challenging in action, but don't lose hope.

10- Send Personalized Messages

When connecting with professionals on LinkedIn or reaching out via email, don't limit yourself to just sending connection requests. Take the extra step of sending personalized messages with each connection. Express the specific roles you are looking for and your genuine interest in their industry or organization. A well-crafted message can make a significant difference, showing that you're proactive and focused on building meaningful connections, not just collecting contacts. Personalization demonstrates your commitment to finding the right fit and can help you stand out in a crowded job market.

Summary

To recap, job hunting is a daunting journey, especially when you are making a career switch or are interested in multiple roles (because you are confident you can be a great fit for each). Even though the road can be scary, there is always a good cliché at the end of it with the right approach and strategies. I meant, that we must be confident about securing a job that is the right match for our goals.

Remember: Personalize your LinkedIn profile, use the 'Open to Work' label, highlight your hard skills, and experiment with your resume. Attend networking events, connect with hiring managers, and emphasize your transferable skills. Volunteering, mentorship, and a positive attitude can also go a long way in making your job search successful.

Good luck!