The diagram illustrates the relationship between the Open Systems Interconnection (OSI) model layers and corresponding cyberattacks, along with the security measures to mitigate them. The OSI model, a conceptual framework for network communication, is divided into seven layers:

- Physical Layer: Deals with the physical medium of data transfer.
  - Possible Attacks: Physical tampering, eavesdropping, man-in-the-middle attacks, tapping network cables, and disrupting power supply.
  - Attack Controls: Access controls, CCTV surveillance, secure cabling, regular inspection and monitoring, and preventing unauthorized access to networking infrastructure.
- Data Link Layer: Handles the transfer of data between two directly connected nodes.
  - Possible Attacks: MAC address spoofing, ARP spoofing, VLAN hopping, and Ethernet frame manipulation.
  - Attack Controls: Port security to limit MAC IDs per port, utilizing ARP spoofing detection, and enabling VLAN trunking protocols.
- Network Layer: Manages the addressing and routing of data packets.
  - Possible Attacks: IP spoofing, ICMP attacks (e.g., ping flood, ping of death), and Denial-of-Service (DoS) attacks.
  - Attack Controls: Firewall filtering, using Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), and configuring routers to prevent IP address spoofing.
- Transport Layer: Provides reliable data transfer between applications.
  - Possible Attacks: SYN flood attacks, TCP session hijacking, and UDP flooding.
  - Attack Controls: Monitoring and controlling firewall traffic, mitigating SYN flood attacks, and implementing secure data exchange.
- Session Layer: Manages the connections and sessions between applications.
  - Possible Attacks: Session hijacking, token-based attacks, and session side jacking.
  - Attack Controls: Randomizing session IDs, enforcing secure logout mechanisms, and using secure tokens for user authentication.
- Presentation Layer: Deals with data formatting and encryption.
  - Possible Attacks: Data format manipulation, code injection, and serialization attacks.
  - Attack Controls: Validating and sanitizing user inputs, using secure data serialization libraries, and preventing code injection.
- Application Layer: Provides the interface for applications to access network services.
  - Possible Attacks: SQL Injection, Cross-site Scripting (XSS), and Remote Code Execution (RCE).
  - Attack Controls: Regular patching, remediating known vulnerabilities, input validation, and using a Web Application Firewall (WAF).

The diagram effectively presents a comprehensive overview of potential cyber threats at each layer of the OSI model and outlines corresponding security measures. It serves as a valuable resource for understanding network security and implementing appropriate defenses.
Understanding Cyber Attack Patterns
Summary
Understanding cyber attack patterns involves recognizing how attackers repeatedly use certain techniques, behaviors, and sequences to compromise digital environments, often moving through multiple stages before causing harm. By mapping these patterns, organizations can identify vulnerabilities and predict where attacks might occur, helping them protect their systems more proactively.
- Analyze attack paths: Study how attackers move through networks and user identities to uncover weak spots before they exploit them.
- Spot recurring behaviors: Look for repeated actions such as credential abuse, lateral movement, and targeted reconnaissance as early warning signals.
- Build unified defense: Shift from isolated security controls to a connected approach that links detection and automated response across your whole environment.
-
Four attacks. Four actors. Four targets. One pattern.

Midnight Blizzard hit Microsoft in January 2024. A Russian state actor password-sprayed a forgotten test tenant without MFA, pivoted through a legacy OAuth app with elevated privileges, and walked into production Exchange mailboxes. No zero-day. No malware. A path through identity relationships no one was watching.

M&S, April 2025. Scattered Spider impersonated an employee and convinced IT to reset their credentials. From there, lateral movement, ransomware, and a seven-week shutdown of online operations. £££M in lost profit. No technical exploit. A phone call.

Shai-Hulud 2.0, late 2025. A self-propagating worm compromised npm maintainer credentials, trojanized packages, and harvested tokens at scale. 750+ packages infected. 33,000+ secrets exposed. The attack surface was npm tokens, GitHub PATs, and cloud credentials. Identity all the way down.

Stryker, March 2026. An Iran-linked group gained access to the Microsoft Intune management console and remotely wiped 200,000 devices across 79 countries. Laptops. Phones. Servers. BYOD devices. Gone. No firewall breach. No exploit. They used legitimate admin features. They didn't break in. They became the admin.

Four different actors. Four different industries. Four different attack surfaces. Same underlying failure: exploitable identity paths that no one was looking at.

The industry called these "sophisticated attacks." None of them required a novel technique. They required a path. From one compromised credential to everything it could reach.

Most security programmes don't start here. They start with controls. With compliance. With techniques and countermeasures. The path layer, what can an attacker actually reach if one thing fails, comes later. If it comes at all.

That's the gap. When four unrelated breaches share the same root cause, that's not coincidence. It IS a signal.

The foundational control isn't a tool. It's an approach: layering risk analysis on identity attack paths first. Before hardening. Before controls. Before anything else.

The teams doing this aren't chasing techniques. They're eliminating adversary options. The ones who aren't are fighting a wildfire with a napkin.

#IdentitySecurity #AttackPaths #MidnightBlizzard #Stryker #SupplyChainSecurity #AttackPathManagement
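The "path layer" analysis the post argues for can be made concrete as graph reachability over identity relationships. The following is an added example, not code from the post or its author: it takes a constructed edge list (who can sign in where, which apps a tenant hosts, which privileges those apps hold, what those privileges reach), enumerates everything a single compromised principal can reach, and reports the edges that every path to a high-value asset passes through. Node names such as `svc-test-user`, `test-tenant`, `legacy-oauth-app` and `prod-mailboxes` are constructed to mirror the test-tenant-to-mailbox scenario described above; the `MFA_ENFORCED` control set is likewise an assumption of the example.

```python
"""Added example (not code from the post above): attack-path analysis over
a constructed identity graph. Finds what one compromised principal can
reach and which edges are choke points for its high-value exposure."""
from collections import deque

# Constructed identity graph: (source, relationship, target). Each edge is a
# step an attacker could take once the source is under their control.
EDGES = [
    ("svc-test-user", "signs-in-to", "test-tenant"),
    ("test-tenant", "hosts", "legacy-oauth-app"),
    ("legacy-oauth-app", "holds-role", "exchange-full-access"),
    ("exchange-full-access", "grants", "prod-mailboxes"),
    ("prod-mailboxes", "contains", "exec-email"),
    ("dev-user", "signs-in-to", "dev-tenant"),
    ("dev-tenant", "hosts", "ci-runner"),
]

# Assets whose exposure the defender wants surfaced first (constructed).
HIGH_VALUE = {"prod-mailboxes", "exec-email"}

# Constructed control state: tenants where MFA is enforced. A sign-in edge
# into such a tenant is not traversable with a sprayed password alone.
MFA_ENFORCED = {"dev-tenant"}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def traversable(rel, dst):
    """Edge-level control check; extend with other control types as needed."""
    return not (rel == "signs-in-to" and dst in MFA_ENFORCED)


def attack_paths(adj, start):
    """BFS from a compromised principal. Returns {node: edges}, where edges is
    a shortest path of (src, rel, dst) tuples from start to that node."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, dst in adj.get(node, []):
            if dst in paths or not traversable(rel, dst):
                continue
            paths[dst] = paths[node] + [(node, rel, dst)]
            queue.append(dst)
    return paths


def high_value_exposure(adj, start):
    """Only the paths from start that end at a high-value asset."""
    return {n: p for n, p in attack_paths(adj, start).items() if n in HIGH_VALUE}


def choke_points(adj, start):
    """Edges shared by every path from start to a high-value asset, in path
    order. Breaking any one of them (retiring the app, enforcing MFA on the
    tenant) removes all of this principal's high-value exposure at once."""
    exposure = high_value_exposure(adj, start)
    if not exposure:
        return []
    common = set.intersection(*(set(p) for p in exposure.values()))
    first = next(iter(exposure.values()))
    return [e for e in first if e in common]


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for node, path in high_value_exposure(graph, "svc-test-user").items():
        print(node, "via", " -> ".join(f"{s} [{r}]" for s, r, _ in path))
    print("choke points:", choke_points(graph, "svc-test-user"))
```

Run against the constructed graph, `svc-test-user` reaches both high-value assets through the unprotected test tenant and the legacy app, while `dev-user` reaches nothing because the MFA check blocks the first edge. The choke-point list is the prioritisation output: four edges, any of which closes the whole path, which is the "eliminating adversary options" framing rather than chasing individual techniques.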
-
Today I shared this again to give a clearer understanding of what we really mean by “cyber attack.” When we say ransomware, API abuse or account takeover, it is never a single action or a one-off event. “Ransomware” is not a tactic by itself. It is the final outcome after an attacker has gone through multiple stages. An attack usually starts with reconnaissance, then moves through initial access, execution, persistence, privilege escalation, lateral movement, command & control and data preparation; only at the end does the attacker encrypt systems or demand money.

In this matrix, I mapped common 2026 attack types to MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) across the full attack lifecycle. The goal is to show that:
1. One “attack” involves many techniques
2. Different attacks often share the same early-stage TTPs
3. SOC teams can stop incidents long before impact, if detection happens early

For better understanding, this same mapping method can be used for any attack type (cloud, identity, application, insider or infrastructure) by breaking it down into TTPs instead of labels.
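A minimal version of the matrix the post describes, and the two queries a SOC would run over it, as an added example that is not the author's matrix or code. The technique IDs are real MITRE ATT&CK technique IDs; which techniques each attack type is assigned, the three attack types, and the stage ordering are constructed for illustration and are not taken from the post.

```python
"""Added example (not the author's matrix): attack types mapped to ATT&CK
techniques per lifecycle stage, plus two queries: which techniques recur
across attack types (point 2 above) and at what stage a given detection
set would catch each attack (point 3 above)."""

# Lifecycle stages in order, following the post's description.
STAGES = [
    "reconnaissance", "initial_access", "execution", "persistence",
    "privilege_escalation", "lateral_movement", "command_and_control",
    "collection", "impact",
]

# Constructed attack-type -> stage -> techniques matrix. IDs are real
# ATT&CK technique IDs; the assignment to attack types is illustrative.
ATTACKS = {
    "ransomware": {
        "initial_access": {"T1566"},        # Phishing
        "execution": {"T1059"},             # Command and Scripting Interpreter
        "persistence": {"T1053"},           # Scheduled Task/Job
        "privilege_escalation": {"T1078"},  # Valid Accounts
        "lateral_movement": {"T1021"},      # Remote Services
        "command_and_control": {"T1071"},   # Application Layer Protocol
        "impact": {"T1486"},                # Data Encrypted for Impact
    },
    "account_takeover": {
        "initial_access": {"T1566", "T1110"},  # Phishing, Brute Force
        "persistence": {"T1098"},              # Account Manipulation
        "privilege_escalation": {"T1078"},     # Valid Accounts
        "collection": {"T1114"},               # Email Collection
    },
    "api_abuse": {
        "reconnaissance": {"T1595"},       # Active Scanning
        "initial_access": {"T1190"},       # Exploit Public-Facing Application
        "execution": {"T1059"},            # Command and Scripting Interpreter
        "command_and_control": {"T1071"},  # Application Layer Protocol
        "collection": {"T1530"},           # Data from Cloud Storage
    },
}


def shared_techniques(attacks=ATTACKS, min_attacks=2):
    """Techniques used by at least min_attacks attack types, each with the
    earliest stage it appears in and the attack types that use it. Ordered
    earliest stage first, so the top entries are the detections that cut
    across the most attack types soonest."""
    seen = {}  # technique -> (earliest stage index, set of attack types)
    for name, matrix in attacks.items():
        for stage, techs in matrix.items():
            idx = STAGES.index(stage)
            for t in techs:
                earliest, users = seen.get(t, (len(STAGES), set()))
                seen[t] = (min(earliest, idx), users | {name})
    shared = {t: (STAGES[i], users) for t, (i, users) in seen.items()
              if len(users) >= min_attacks}
    return dict(sorted(shared.items(),
                       key=lambda kv: (STAGES.index(kv[1][0]), kv[0])))


def earliest_detection(attack, detected, attacks=ATTACKS):
    """First lifecycle stage at which any detected technique fires for the
    given attack type, or None if it would run to completion unseen."""
    matrix = attacks[attack]
    for stage in STAGES:
        if matrix.get(stage, set()) & detected:
            return stage
    return None


def coverage_report(detected, attacks=ATTACKS):
    """attack type -> (stage caught at, stages remaining before impact)."""
    report = {}
    for name in attacks:
        stage = earliest_detection(name, detected, attacks)
        left = None if stage is None else STAGES.index("impact") - STAGES.index(stage)
        report[name] = (stage, left)
    return report


if __name__ == "__main__":
    for tech, (stage, users) in shared_techniques().items():
        print(f"{tech} first seen at {stage}, used by {sorted(users)}")
    print(coverage_report({"T1078"}))
```

With only valid-account abuse (`T1078`) detected, two of the three constructed attack types are caught at privilege escalation with four stages still to go, and the third is missed entirely; with only the encryption technique detected, ransomware is caught at impact, which is the "detect too late" case the post warns about.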
-
Clustering is revealing how adversaries systematically target industrial control systems, and this has massive implications for OT security teams. New clustering methodology shows threat actors like TA551 aren't just randomly hitting infrastructure; they're evolving their operational fingerprints specifically for industrial environments. The data reveals some pretty alarming patterns:

🔥 Industrial Protocol Exploitation Clustering: Threat actors are developing consistent operational signatures for exploiting Modbus, DNP3, and IEC 61850 protocols. We're seeing repeated toolchains that specifically target SCADA/HMI systems with identical configuration parameters and deployment sequences.

🔥 OT Network Reconnaissance Fingerprints: Clustering analysis is identifying unique scanning patterns where threat actors use tools like PLCScan and ModbusScan in very specific sequences to map OT network topologies. These aren't random scans; these are methodical industrial device discovery operations that show deep understanding of OT architectures.

🔥 Cross Domain Attack Pattern Evolution: The most concerning finding is how clustering reveals threat actors timing their attacks during maintenance windows and demonstrating knowledge of industrial shift schedules. They're not just getting into OT networks; they're learning how these environments actually operate.

What's really striking is how clustering identifies specialized OT malware deployment patterns. We're seeing operational signatures of TRITON/TRISIS and INDUSTROYER variants that show threat actors establishing multiple persistence mechanisms specifically designed for industrial control systems including firmware modifications and ladder logic injection.

The clustering methodology is also revealing something critical for attribution. Nation state actors targeting critical infrastructure show completely different operational patterns than criminal groups. Nation states focus on long term monitoring of industrial processes while criminal groups show more destructive attack signatures with faster operational timelines.

For OT security teams this means you can now build threat actor behavioral profiles specific to your industrial sector and identify early indicators of known threat groups before they move from IT networks into your control systems. The data shows threat actors aren't just adapting existing techniques for OT environments; they're developing entirely new operational frameworks specifically designed for industrial process manipulation.

#OTSecurity #IndustrialCybersecurity #ThreatIntelligence #CriticalInfrastructure #ICS #SCADA
-
Most MSPs still think of cyber threats as isolated incidents, while data show a different reality: compromise is already part of the baseline in SMB environments. 89% of monitored SMBs have at least one user with a confirmed credential compromise at any given time, and roughly 31% of users use compromised passwords every single month. That’s reality! It’s getting worse fast. We are seeing dozens of thousands of unique spray IPs every month, session-hijacking activity increasing by more than 20% in a matter of months, and OAuth abuse accelerating as attackers move higher in the application layer, where traditional controls are weaker. Ransomware detections surged by 190%, and RMM abuse has become the number one endpoint threat vector. Business email compromise continues to operate at scale with real incidents costing millions of dollars. Attackers aren’t breaking systems anymore. They’re moving through them. That’s why adding more tools or reacting faster to alerts isn’t solving the problem. The issue isn’t volume, it’s the model itself. Security is still being operated in silos, while the attack surface is fully connected. What’s needed now is a fundamental shift in how we operate security. Moving from fragmented controls to a unified data fabric, powered by agentic detection and response that can actually understand context and act across the entire environment with automated remediation. We captured these patterns along with the drivers behind them in the 2026 State of MSP Threat Report. https://lnkd.in/eewsqvtd
-
Your attackers operate in the real world - are your defences keeping up? Most organisations build their cyber security on frameworks and compliance checklists. Attackers aren’t interested in your paperwork, they go straight for the gaps that actually exist. Too often, we invest in controls without seeing evidence they actually stop real, successful attacks. What I’ve learned from systems thinking research in cyber: you need to ground your defences in practical reality:

1️⃣ Review incidents and breaches and identify which controls might have truly changed the outcome.
2️⃣ Focus on how breaches really happen, not just how you imagine they could.
3️⃣ Prioritise controls where there’s evidence they disrupt attack paths you've seen used.
4️⃣ Build feedback loops and update and improve defences based on what you learn from each incident.

This is like being a detective: you don’t rely on guesses about what “should” work, you look for the signs and footprints that show you what’s actually moving through your environment. If your controls are just theoretical, it’s easy to mistake feel-good compliance for real resilience. It’s only when you learn from what’s actually happened, good and bad, that you’ll know what’s working. Have you shifted your controls based on patterns found in real incidents? Read more about my research on the ST4C Loop to find out how to think like an attacker. Better Thinking. Better Actions. Better Outcomes. #cybercognition #cybersecurity #systemsthinking
-
Cybercrime isn't just about code and exploits; it's about psychology. 🧠 Understanding the motivations behind threat actors is key to staying ahead of the game. Why do they do it? Here’s the breakdown 👇

👉 Financial Gain: It's no secret that many cybercriminals are motivated by money. Ransomware, data theft, and fraud are all lucrative avenues for them.
👉 Hacktivism: Some hackers see themselves as activists, using cyberattacks to promote political or social causes.
👉 Thrill and Challenge: For some, the thrill of bypassing security measures and gaining access to sensitive information is the ultimate motivator.
👉 Espionage: State-sponsored actors often engage in cyber espionage to steal intellectual property or gain political leverage.

Understanding these motivations helps us anticipate their tactics.
◾️ Social Engineering: Many cybercriminals exploit human psychology through phishing scams, manipulating emotions, and building trust to gain access.
◾️ Technical Exploitation: Others use sophisticated tools and techniques to exploit vulnerabilities in software and systems.

By understanding the psychology of cybercrime, we can develop more effective defense strategies that address both the technical and human aspects of the threat. What do you think are the most important psychological factors to consider in cybersecurity? #cybersecurity #psychologyofcybercrime #infosec #threatactors #digitaldefense
-
One thing that continues to baffle me is how cybercriminals seem to understand the importance of human behaviour but many cybersecurity professionals still don’t. Cybercriminals know that individuals have different motivations, pressures, emotional states, levels of confidence and ways of making decisions. A phishing email aimed at a finance leader looks very different from one aimed at a graduate, a contractor or someone in HR. The tone, timing, language and emotional triggers are carefully chosen because attackers know that behaviour is situational and context matters. Many security programmes, however, still assume the opposite. Security awareness training and acceptable use policies are designed as if knowledge alone will override stress, distraction, authority bias, fear or the desire to be helpful. We expect people to behave “securely” in exactly the same way, regardless of what is happening around them, what pressure or incentives they are under or what past experiences they bring into the moment. Attackers invest time in understanding people as humans first and users second. Too often, security teams are satisfied with generic, one-size-fits-all training, policies and security controls. If we want to reduce risk in a meaningful way, this is something we can learn from cybercriminals - they already work by understanding human behaviour and the environment people operate in. Security needs to be designed to work for people and not against them. Until we shift our approach to human-centric security, it should not surprise us that those who understand (and exploit!) human behaviour are ahead of those that don’t.
-
If your incident response playbook has not changed in six months, your adversaries have already adapted to it. Today’s attackers, including those using AI, study how organizations respond to incidents and adjust their tactics. If they know you isolate endpoints within a set window, reset privileged accounts in a specific order, or segment certain networks first, they can plan around those steps and move to areas your playbook does not cover. In practice, every response you run teaches them something about your environment. The systems you protect first show what you view as critical, and the accounts you change or revoke reveal how your access is structured. Over time, a static process becomes a pattern they can predict. Improving response time is important, but speed on its own is not enough. Leadership teams need to review and update incident response regularly, test against modern attack paths, and assume the playbook itself will be studied by the adversary. An adaptive threat landscape demands adaptive response, not just faster versions of the same plan.
-
Not every change in your data is worth chasing, but some changes almost always mean trouble is coming. I look for three types of shifts first:

1. Volume shifts
When normal patterns suddenly change:
• Sudden spike in signups from a single region
• Weird drops in normal activity levels
• Clusters of small transactions testing your defenses

2. Behavioral shifts
The HOW matters more than the WHAT:
• Suspiciously perfect documentation
• Multiple accounts with identical click patterns
• Too-similar data entry timing

3. Timing shifts
The WHEN that reveals automation:
• Actions at unusual hours for user demographics
• Completion speeds defying human capabilities
• Consistent timing across unrelated accounts

One shift alone usually isn’t enough. Two shifts together usually mean a stress test. Three shifts mean it’s already underway.

The most dangerous attacks slowly warp what's "normal" just enough to stay hidden while scaling. Not every change in your data matters. But the subtle shifts in volume, behavior, and timing will cost you everything if you miss them.
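The three shift checks above, run over a constructed batch of signup events, as an added example that is not the author's code. It scores volume (per-region count against a baseline), behavior (clusters of accounts with identical click path and near-identical completion time) and timing (completion faster than a human could manage, and the share of activity in off-hours), then applies the post's one/two/three-shift rule. The `EVENTS` records, `BASELINE_PER_REGION`, and every threshold are constructed assumptions for illustration; a real deployment would derive them from its own baselines.

```python
"""Added example (not the author's code): volume, behavioral and timing
shift detection over a constructed batch of signup events, combined
with the post's one/two/three-shift escalation rule."""
from collections import Counter, defaultdict

# Constructed events: a burst of near-identical 03:00-04:00 signups from
# one region (u1-u6), followed by ordinary human traffic (u7-u10).
EVENTS = [
    {"account": "u1", "region": "xx", "hour": 3, "path": "home>signup>submit", "secs": 1.1},
    {"account": "u2", "region": "xx", "hour": 3, "path": "home>signup>submit", "secs": 1.1},
    {"account": "u3", "region": "xx", "hour": 3, "path": "home>signup>submit", "secs": 1.2},
    {"account": "u4", "region": "xx", "hour": 3, "path": "home>signup>submit", "secs": 1.1},
    {"account": "u5", "region": "xx", "hour": 3, "path": "home>signup>submit", "secs": 1.1},
    {"account": "u6", "region": "xx", "hour": 4, "path": "home>signup>submit", "secs": 1.2},
    {"account": "u7", "region": "us", "hour": 14, "path": "home>pricing>signup>submit", "secs": 95.0},
    {"account": "u8", "region": "us", "hour": 16, "path": "home>signup>submit", "secs": 48.0},
    {"account": "u9", "region": "de", "hour": 10, "path": "home>docs>signup>submit", "secs": 140.0},
    {"account": "u10", "region": "us", "hour": 19, "path": "home>signup>submit", "secs": 62.0},
]

# Constructed baseline: typical signups per region for a window this size.
BASELINE_PER_REGION = {"us": 4, "de": 2, "xx": 1}


def volume_shift(events, baseline, factor=3.0):
    """Regions whose signup count is at least `factor` times its baseline."""
    counts = Counter(e["region"] for e in events)
    return sorted(r for r, n in counts.items() if n >= factor * baseline.get(r, 1))


def behavioral_shift(events, min_cluster=4):
    """Clusters of distinct accounts sharing the same click path and the
    same completion time to the nearest second ('identical click patterns',
    'too-similar data entry timing')."""
    clusters = defaultdict(set)
    for e in events:
        clusters[(e["path"], round(e["secs"]))].add(e["account"])
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_cluster}


def timing_shift(events, human_min_secs=5.0, off_hours=range(0, 6), off_share=0.4):
    """Completion faster than a human could manage, and an unusual share of
    activity in off-hours for the user population."""
    signals = {}
    fast = sorted(e["account"] for e in events if e["secs"] < human_min_secs)
    if fast:
        signals["superhuman_completion"] = fast
    off = [e for e in events if e["hour"] in off_hours]
    if events and len(off) / len(events) >= off_share:
        signals["off_hours_share"] = round(len(off) / len(events), 2)
    return signals


def assess(events, baseline):
    """Apply the post's rule: one shift is a watch item, two suggest the
    attacker is stress-testing, three mean it is already underway."""
    signals = {}
    vol = volume_shift(events, baseline)
    if vol:
        signals["volume"] = vol
    beh = behavioral_shift(events)
    if beh:
        signals["behavior"] = beh
    tim = timing_shift(events)
    if tim:
        signals["timing"] = tim
    verdict = {0: "noise", 1: "watch", 2: "stress test likely"}.get(
        len(signals), "attack underway")
    return signals, verdict


if __name__ == "__main__":
    found, verdict = assess(EVENTS, BASELINE_PER_REGION)
    print(verdict)
    for kind, detail in found.items():
        print(f"  {kind}: {detail}")
```

On the constructed batch all three shifts fire (region `xx` at six times baseline, six accounts with an identical path and one-second completions, 60% of activity between midnight and 06:00), so the verdict is "attack underway"; the last four human-looking events on their own trip none of the checks. The point of the combination is the one the post makes: each check alone produces noise on a normal day, and it is the co-occurrence that separates a campaign from a quirk.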