Author: Giga Alqeeq

  • Security Controls

    Security Controls

    Security controls are countermeasures or safeguards designed to protect information systems, networks, and data from cyber threats and attacks. Their main goal is to detect, prevent, and mitigate risks so that valuable assets stay confidential, intact, and available.

    These controls can take many forms:

    • Technical controls (e.g., firewalls, encryption, intrusion detection systems).
    • Administrative controls (e.g., policies, training, incident response procedures).
    • Physical controls (e.g., locked server rooms, surveillance cameras, security guards).

    By combining these safeguards, organizations create a layered defense strategy that reduces vulnerabilities, ensures regulatory compliance, and strengthens resilience against cyberattacks.


    Security Controls Functions

    • Deterrent Controls
      • Purpose: Reduce the likelihood of a deliberate attack by discouraging malicious actors.
      • How they work: These controls create the perception that an attack will fail or that the attacker will be caught.
    • Preventive Controls
      • Purpose: Stop an attack from happening in the first place.
      • How they work: They block or restrict malicious activity before it causes harm.
    • Detective Controls
      • Purpose: Identify when an attack or suspicious activity is happening.
      • How they work: These controls monitor, log, and alert when anomalies or breaches occur.
    • Corrective Controls
      • Purpose: Reverse or minimize the damage caused by an incident once it has occurred.
      • How they work: They aim to contain the attack, fix vulnerabilities, and prevent recurrence.
    • Recovery Controls
      • Purpose: Restore systems and operations back to their normal condition after an incident.
      • How they work: They ensure business continuity and help the organization return to a fully functional state.

    These five functions create a comprehensive security strategy: deterrence (discouraging attacks), prevention (preventing incidents), detection (spotting issues), correction (fixing problems), and recovery (restoring normal operations).


    Physical

    • Deterrent (Discourage attacks or intrusions)
      • Purpose: Make potential attackers think twice before attempting unauthorized access or damage.
      • Examples:
        • Warning signs (e.g., “Authorized Personnel Only,” “24/7 Surveillance”).
        • Visible security guards or patrols.
        • Well-lit areas around buildings to reduce concealment opportunities.
        • Fake cameras or dummy equipment (sometimes used to discourage casual intruders).
    • Preventive (Block attacks before they occur)
      • Purpose: Create physical barriers to stop unauthorized entry or access.
      • Examples:
        • Fences and gates securing the perimeter.
        • Locked doors and cabinets for sensitive equipment.
        • Biometric access controls (fingerprint, iris scan).
        • Turnstiles or mantraps in secure facilities.
        • Security guards checking IDs at entrances.
    • Detective (Identify intrusions or incidents in progress)
      • Purpose: Monitor and detect unauthorized activities or physical breaches.
      • Examples:
        • CCTV (Closed-Circuit Television) for surveillance and evidence collection.
        • Motion detectors and alarms to spot unusual activity.
        • Access logs from card readers or biometric scanners.
        • Environmental sensors (smoke detectors, water leak detectors, temperature sensors).
    • Corrective (Mitigate damage after an incident)
      • Purpose: Limit the impact of a physical incident and help restore security.
      • Examples:
        • Fire suppression systems (sprinklers, inert gas systems) to minimize fire damage.
        • Emergency response teams handling breaches or accidents.
        • Lock rekeying or reprogramming after lost/stolen keys or badges.
        • Containment measures (e.g., sealing off flooded or contaminated areas).
    • Recovery (Return to normal operations)
      • Purpose: Restore physical infrastructure and operations after a disruption.
      • Examples:
        • Disaster recovery sites (alternate office locations or data centers).
        • Repairing physical damage to buildings, power systems, or equipment.
        • Restoring utilities (electricity, HVAC, internet connectivity).
        • Relocating staff and assets temporarily until the primary site is functional again.

    Technical

    • Deterrent (Discourage attacks or misuse)
      • Purpose: Reduce the likelihood of malicious activity by warning or discouraging attackers before they act.
      • Examples:
        • Security banners on login screens (e.g., “Access restricted—unauthorized use will be monitored and prosecuted”).
        • System-generated warnings shown to the user (e.g., a notice that failed login attempts are recorded and that the account locks after repeated failures).
        • False directories or dummy accounts designed to frustrate and deter intruders (these also act as detective controls when any access to them raises an alert).
    • Preventive (Block attacks before they happen)
      • Purpose: Actively prevent threats from penetrating systems or networks.
      • Examples:
        • Firewalls to filter unauthorized traffic.
        • Multi-Factor Authentication (MFA) to stop credential-based attacks.
        • Encryption to prevent data theft during transit or at rest.
        • Access control lists (ACLs) to restrict user privileges.
        • Endpoint security software (antivirus, anti-malware).
    • Detective (Identify malicious activity in progress)
      • Purpose: Monitor, detect, and alert on suspicious activities or intrusions.
      • Examples:
        • SIEM (Security Information and Event Management) for real-time log analysis and threat detection.
        • IDS (Intrusion Detection Systems) to flag unauthorized access attempts.
        • Honeypots and honeynets to lure attackers and study their tactics.
        • Anomaly detection systems to identify unusual traffic patterns or user behaviors.
        • File integrity monitoring to detect unauthorized modifications.
    • Corrective (Mitigate damage after detection)
      • Purpose: Contain, remove, or repair the impact of a cyber incident.
      • Examples:
        • Applying security patches to close vulnerabilities.
        • Quarantining malware to prevent further spread.
        • Disabling compromised accounts to stop unauthorized activity.
        • Reconfiguring firewalls or access controls after a breach.
        • Updating signatures in intrusion prevention systems.
    • Recovery (Restore systems to normal operations)
      • Purpose: Bring systems back to a secure, functional state after an attack or failure.
      • Examples:
        • Data backups and restores (offsite, cloud-based, or local).
        • Disaster recovery solutions (secondary data centers, cloud failover).
        • System reimaging to ensure a clean, uncompromised environment.
        • Redundancy mechanisms (RAID, load balancing, failover clustering).
        • Business continuity tools ensuring minimal downtime.
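
    The preventive/detective/corrective split above can be seen in a few lines of code. The following is an added example, not code from the original page: it parses constructed sshd-style authentication log lines (the log format, thresholds, addresses and user names are all assumptions), raises detective alerts for brute force (one account hammered from one address) and credential stuffing (one address trying many accounts), and turns those alerts into corrective actions (addresses to block, accounts to lock). It also flags any successful login from an alerted address, the case a corrective step must treat as a possible compromise rather than a false positive.

```python
"""Added example (not from the original page): a minimal detective control
over constructed authentication log lines, plus the corrective output
(addresses to block, accounts to lock) that would feed a firewall or IAM.
The log format, thresholds and sample data are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (assumed, not real captures).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1]: Failed password for alice from 203.0.113.7 port 5001
2024-05-01T10:00:03 sshd[1]: Failed password for alice from 203.0.113.7 port 5002
2024-05-01T10:00:05 sshd[1]: Failed password for alice from 203.0.113.7 port 5003
2024-05-01T10:00:07 sshd[1]: Failed password for alice from 203.0.113.7 port 5004
2024-05-01T10:00:09 sshd[1]: Failed password for alice from 203.0.113.7 port 5005
2024-05-01T10:00:11 sshd[1]: Failed password for alice from 203.0.113.7 port 5006
2024-05-01T10:05:00 sshd[1]: Failed password for bob from 198.51.100.9 port 6001
2024-05-01T10:05:01 sshd[1]: Failed password for carol from 198.51.100.9 port 6002
2024-05-01T10:05:02 sshd[1]: Failed password for dave from 198.51.100.9 port 6003
2024-05-01T10:05:03 sshd[1]: Failed password for erin from 198.51.100.9 port 6004
2024-05-01T10:05:04 sshd[1]: Accepted password for frank from 198.51.100.9 port 6005
2024-05-01T11:00:00 sshd[1]: Failed password for alice from 192.0.2.44 port 7001
2024-05-01T11:30:00 sshd[1]: Accepted password for alice from 192.0.2.44 port 7002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Turn raw lines into (timestamp, result, user, ip) tuples; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=5), bf_threshold=5, stuffing_threshold=3):
    """Detective control: sliding-window counts of failed logins per source address.

    brute force         : one (ip, user) pair with >= bf_threshold failures inside `window`
    credential stuffing : one ip failing against >= stuffing_threshold distinct users inside `window`
    Returns a sorted, de-duplicated list of (kind, ip, user) alerts; user is "" for stuffing.
    """
    failures = sorted(e for e in events if e[1] == "Failed")
    alerts = set()
    for i, (ts, _, user, ip) in enumerate(failures):
        # failures from the same address that fall inside the window ending at this event
        recent = [f for f in failures[: i + 1] if ts - f[0] <= window and f[3] == ip]
        if sum(1 for f in recent if f[2] == user) >= bf_threshold:
            alerts.add(("brute_force", ip, user))
        if len({f[2] for f in recent}) >= stuffing_threshold:
            alerts.add(("credential_stuffing", ip, ""))
    return sorted(alerts)


def corrective_actions(alerts):
    """Corrective control: derive the configuration change from what was detected."""
    block_ips = sorted({ip for _, ip, _ in alerts})
    lock_accounts = sorted({user for kind, _, user in alerts if kind == "brute_force"})
    return {"block_ips": block_ips, "lock_accounts": lock_accounts}


def successful_after_failures(events, alerts):
    """Accepted logins from an alerted address: a guess that may have worked, so the
    corrective step must treat the session as a possible compromise, not noise."""
    bad_ips = {ip for _, ip, _ in alerts}
    return sorted({(u, ip) for _, r, u, ip in events if r == "Accepted" and ip in bad_ips})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    al = detect(ev)
    for a in al:
        print("ALERT", a)
    print(corrective_actions(al))
    print("review:", successful_after_failures(ev, al))
```

    In a real deployment the thresholds would be tuned per environment and the block list would be pushed to the firewall or identity provider; the point of the example is that each function maps to one control function from the list above, and that detection without the follow-up review of "accepted" logins leaves the corrective step incomplete.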

    Administrative

    • Deterrent (Discourage violations or malicious behavior)
      • Purpose: Set expectations and warn users or potential attackers of consequences for policy violations or malicious activity.
      • Examples:
        • Policies and procedures clearly outlining acceptable use, password management, and data handling rules.
        • Code of conduct agreements that employees must sign before accessing systems.
        • Awareness campaigns that emphasize disciplinary actions for security breaches.
        • Regulatory compliance mandates (e.g., HIPAA, GDPR, PCI DSS) that carry penalties for noncompliance.
    • Preventive (Stop incidents before they occur)
      • Purpose: Establish administrative measures to reduce the chance of security breaches.
      • Examples:
        • Separation of duties (no single individual has complete control over a critical process, reducing insider threats).
        • Data classification policies to ensure sensitive information is handled appropriately.
        • User training and awareness programs to prevent phishing and social engineering attacks.
        • Background checks during hiring to reduce insider threat risk.
        • Access approval processes requiring managerial authorization.
    • Detective (Identify policy violations or suspicious activities)
      • Purpose: Provide oversight to detect security incidents and ensure compliance with policies.
      • Examples:
        • Audit logs and reviews to track user activity.
        • Regular compliance audits to verify adherence to security policies.
        • Internal investigations into unusual or suspicious behavior.
        • Security assessments and penetration tests to detect weaknesses.
    • Corrective (Limit damage and restore order after incidents)
      • Purpose: Define structured administrative processes to mitigate the impact of a security event.
      • Examples:
        • Incident Response Plan (IRP) with roles, responsibilities, and steps for handling incidents.
        • Business Continuity Plan (BCP) to maintain essential operations during disruptions.
        • Policy updates and retraining after identifying gaps that contributed to an incident.
        • Post-incident reviews (lessons learned) to improve future resilience.
    • Recovery (Return operations to normal conditions)
      • Purpose: Establish high-level organizational measures to fully recover from significant disruptions.
      • Examples:
        • Disaster Recovery Plan (DRP) for restoring IT infrastructure and operations after major incidents.
        • Communication plans for informing stakeholders during recovery.
        • Succession planning to ensure leadership continuity during crises.
        • Periodic DR/BCP testing (tabletop exercises, simulations) to validate readiness.
  • Threat Actors

    Threat Actors

    Threat actors are individuals, groups, or organizations that intentionally or unintentionally exploit vulnerabilities in systems, networks, or people to achieve a specific goal. These actors vary widely in terms of motivation, skill level, sophistication, and targets. Understanding threat actors is critical for designing effective cybersecurity defenses, as each type employs different tactics, techniques, and procedures (TTPs) and presents unique risks.


    Nation-State / Government-Sponsored Actors

    Nation-state or government-sponsored threat actors are highly skilled and well-resourced adversaries whose actions are directed by a country or government entity. Unlike financially motivated cybercriminals, their primary goals are strategic: intelligence gathering, disruption of adversaries, geopolitical advantage, and influence operations.

    Nation-state actors are some of the most sophisticated and persistent cyber adversaries. Their operations are strategic, long-term, and highly targeted, often leaving significant geopolitical, economic, or military impacts. Understanding their motivations, targets, and TTPs is critical for national security and organizational defense planning.

    • Motivation
      • Espionage: Stealing sensitive state secrets, military plans, or proprietary business information to gain a competitive or strategic edge.
      • Sabotage / Cyber Warfare: Disrupting or damaging critical infrastructure, military operations, or strategic industries of rival nations.
      • Influence & Psychological Operations: Manipulating political processes, public opinion, or media narratives in target countries.
      • Economic Advantage: Targeting industries such as defense, energy, telecommunications, or technology to benefit domestic companies or national interests.
    • Objectives
      • Espionage: Focused on intelligence collection through theft of classified information, trade secrets, or technological research.
      • Cyber Warfare / Sabotage: Includes operations to degrade military capabilities, disable critical infrastructure, or interrupt government functions.
      • Influence Campaigns: Disinformation campaigns aimed at elections, policy-making, or social unrest.
      • Strategic Advantage: Gaining long-term benefits in economics, military positioning, or technology development.
    • Typical Targets
      • Government ministries, embassies, and intelligence agencies
      • Defense contractors and military infrastructure
      • Critical national infrastructure: power grids, transportation networks, water systems, and communication networks
      • High-value businesses with sensitive intellectual property (e.g., aerospace, pharmaceuticals, and high-tech sectors)
    • Common Tactics, Techniques, and Procedures (TTPs)
      • Spear Phishing: Targeting high-value individuals such as government officials, researchers, or executives with customized emails.
      • Advanced Persistent Threats (APTs): Long-term, stealthy campaigns to maintain access to sensitive networks.
      • Supply Chain Attacks: Compromising software or hardware providers to infiltrate multiple targets.
      • Custom Malware and Exploits: Using sophisticated malware tailored for specific networks or systems, including zero-day exploits.
      • Credential Harvesting and Privilege Escalation: Gaining higher access rights to sensitive systems for deeper infiltration.
    • Attack Sophistication
      • Nation-state actors operate at the highest level of sophistication, often combining multiple attack vectors over extended periods.
      • Operations are typically well-funded, coordinated, and stealthy, designed to evade detection while achieving strategic objectives.
    • Real-World Examples
      • APT28 (Fancy Bear, Russia): Focused on espionage against government, military, and political targets.
      • APT41 (China): Combines espionage and financially motivated attacks against both governmental and private organizations.
      • Lazarus Group (North Korea): Known for cyber warfare, espionage, and high-profile financial attacks.
      • Equation Group (USA, presumed): Advanced operations targeting foreign networks for intelligence purposes.
    • Defensive Considerations
      • Network Segmentation: Isolating critical systems to limit lateral movement.
      • Advanced Threat Detection: Utilizing Security Information and Event Management (SIEM) systems and endpoint detection solutions.
      • User Awareness and Training: Protecting high-value personnel from spear phishing and social engineering.
      • Patch Management and Vulnerability Assessment: Preventing exploitation of unpatched software and zero-day vulnerabilities.
      • Threat Intelligence Sharing: Collaborating with national and international cybersecurity agencies for early detection of APT activity.

    Cybercriminals

    Cybercriminals are threat actors primarily motivated by financial gain. Unlike nation-state actors, they are not typically interested in geopolitics or ideological objectives. Instead, they target data-rich organizations, financial systems, and individuals to steal money, credentials, or valuable information that can be monetized. Their operations range from opportunistic attacks by individuals to highly organized criminal syndicates with international reach.

    Cybercriminals are financially motivated actors targeting both organizations and individuals. Their methods are diverse, ranging from simple phishing scams to highly sophisticated ransomware campaigns. Organizations must adopt multi-layered security strategies, combining technology, training, and proactive threat intelligence to defend against this persistent and evolving threat.

    • Motivation
      • Financial Gain: Directly through theft of funds, fraud, or extortion.
      • Identity Theft: Selling stolen personal data (PII) on underground markets.
      • Corporate Espionage for Profit: Stealing trade secrets or intellectual property to sell to competitors.
      • Ransom and Extortion: Using ransomware or data breaches to demand payment from victims.
    • Objectives
      • Data Theft: Obtaining personal, financial, or health-related information to sell or exploit.
      • Monetary Fraud: Stealing funds from bank accounts, credit cards, or cryptocurrencies.
      • Business Disruption for Extortion: Encrypting critical systems with ransomware or threatening to release sensitive data.
      • Credential Harvesting: Compromising usernames, passwords, or authentication tokens to facilitate further attacks.
    • Typical Targets
      • Financial Institutions: Banks, credit unions, and payment processors.
      • Healthcare Providers: Hospitals, clinics, and health insurance organizations (rich in PII).
      • Retail and E-commerce Platforms: Customer payment data and account credentials.
      • Businesses with Valuable Data: Companies holding intellectual property or sensitive client information.
      • Individuals: Through phishing, malware, or scams targeting personal accounts.
    • Common Tactics, Techniques, and Procedures (TTPs)
      • Ransomware: Infecting systems with malware that encrypts files and demands payment for restoration.
      • Phishing and Spear Phishing: Sending deceptive emails or messages to trick users into revealing credentials or downloading malware.
      • Malware Deployment: Trojans, spyware, keyloggers, and remote access tools (RATs) to gain persistent access.
      • Credential Stuffing and Brute-Force Attacks: Replaying credentials stolen from one service against others (stuffing), or guessing passwords for a known account (brute force); both rely on password reuse or weak passwords and are blunted by MFA and rate limiting.
      • Exploiting Vulnerabilities: Targeting unpatched software or misconfigured systems for unauthorized access.
      • Social Engineering: Manipulating employees or individuals into revealing sensitive information or executing malicious actions.
    • Attack Sophistication
      • Cybercriminals vary widely in sophistication:
      • Low-Level Actors: Script kiddies using off-the-shelf malware or simple scams.
      • Organized Syndicates: Coordinated groups with specialized roles, custom malware, and advanced operational security (OpSec).
      • Some cybercriminal operations rival nation-state campaigns in terms of planning, persistence, and technical skill.
    • Real-World Examples
      • REvil / Sodinokibi: Known for ransomware attacks against large enterprises worldwide.
      • Conti: Ransomware group targeting hospitals, schools, and government agencies.
      • FIN7: Organized criminal group targeting restaurants, retailers, and financial institutions for profit.
      • DarkSide: Responsible for high-profile ransomware incidents, including the Colonial Pipeline attack.
    • Defensive Considerations
      • Email and Phishing Protection: Implement spam filters, phishing detection, and user awareness training.
      • Regular Backups: Ensure offline, immutable backups to mitigate ransomware impact.
      • Endpoint Security: Deploy anti-malware, endpoint detection, and response (EDR) solutions.
      • Patch Management: Keep software, operating systems, and applications updated to prevent exploitation.
      • Strong Authentication: Use multi-factor authentication (MFA) and enforce robust password policies.
      • Threat Intelligence Sharing: Collaborate with cybersecurity networks to monitor emerging cybercrime trends.

    Terrorist Groups

    Terrorist groups in cyberspace are threat actors primarily motivated by ideological or political objectives. Unlike cybercriminals, their main goal is not financial gain but disruption, intimidation, and societal impact. These actors often target critical infrastructure, governmental institutions, or public services to create fear, chaos, or political leverage. In some cases, their operations may overlap with hacktivist activities, especially when advancing a specific cause.

    Terrorist groups leverage cyber operations to achieve ideological and political goals, often aiming to disrupt critical infrastructure or instill fear. While their attacks can vary in technical sophistication, their impact is amplified by targeting essential systems and public confidence. Effective defense requires coordination between public and private sectors, continuous monitoring, and robust incident response planning.

    • Motivation
      • Ideological Violence: Driven by religious, political, or social ideologies.
      • Disruption and Sabotage: Aiming to weaken public confidence, governmental authority, or essential services.
      • Political Messaging and Propaganda: Using cyberattacks to spread messages, recruit followers, or influence public opinion.
      • Psychological Impact: Instilling fear or uncertainty in a population or organization.
    • Objectives
      • Critical Infrastructure Sabotage: Attacking energy grids, transportation systems, water supplies, or communication networks.
      • Disruption of Government or Public Services: Harming governmental operations, emergency response systems, or public safety functions.
      • Recruitment and Radicalization: Leveraging social media, forums, and online campaigns to recruit new members and spread ideology.
      • Collaboration with Hacktivists or Other Actors: Occasionally partnering with politically motivated hackers to amplify attacks or visibility.
    • Typical Targets
      • Utilities: Power plants, water treatment facilities, and energy distribution networks.
      • Transportation Systems: Railways, airports, public transit, and logistics networks.
      • Government Agencies: Ministries, emergency services, and law enforcement systems.
      • Public Networks and Services: Hospitals, schools, and public communication platforms.
      • Online Platforms: Social media accounts or websites to spread propaganda and recruit followers.
    • Common Tactics, Techniques, and Procedures (TTPs)
      • Distributed Denial-of-Service (DDoS) Attacks: Overwhelming websites or networks to make services unavailable.
      • Website Defacement: Altering web content to display ideological or political messages.
      • Malware and Ransomware Deployment: Targeting critical systems to disrupt operations.
      • Information Operations: Spreading propaganda, disinformation, or extremist content online.
      • Low-Sophistication Social Engineering: Manipulating individuals or organizations to gain access to systems or spread misinformation.
    • Attack Sophistication
      • Varies widely:
        • Low-Sophistication Actors: Use off-the-shelf tools, basic hacking techniques, and social engineering.
        • High-Sophistication Actors: Coordinated cyber operations targeting industrial control systems (ICS) or critical infrastructure, sometimes leveraging nation-state–level techniques.
      • Terrorist groups often rely on stealth, timing, and psychological impact rather than advanced technical complexity.
    • Real-World Examples
      • Well-documented cyberattacks carried out by terrorist organizations themselves are rare; most of their online activity has been propaganda, recruitment, and low-sophistication defacements claimed by sympathizers.
      • Anonymous and LulzSec are hacktivist groups, not terrorist organizations; their defacements and DDoS campaigns against public services illustrate the TTPs that overlap with this category rather than terrorist activity itself.
      • The 2015 “CyberCaliphate” hijacking of U.S. Central Command social media accounts was claimed in the name of ISIS but was later attributed by the U.K. National Cyber Security Centre and security researchers to Russia’s APT28, a reminder that claims of terrorist authorship need independent attribution.
    • Defensive Considerations
      • Critical Infrastructure Protection: Implement robust ICS/SCADA security, network segmentation, and redundancy.
      • Threat Intelligence and Monitoring: Track emerging terrorist cyber threats and collaborate with law enforcement and national security agencies.
      • Public Awareness and Training: Educate employees and the public on social engineering, phishing, and suspicious activity.
      • Incident Response Planning: Develop specialized plans for attacks on infrastructure, including continuity of operations and emergency response.
      • Collaboration: Work with governments, CERTs (Computer Emergency Response Teams), and international agencies for coordinated defense.

    Thrill-seekers

    Thrill-seekers are threat actors motivated primarily by excitement, curiosity, or the desire for social recognition rather than financial gain, political objectives, or ideology. They engage in cyber activities for fun, personal challenge, or peer approval. Despite typically having lower skill levels compared to professional cybercriminals or nation-state actors, thrill-seekers can still pose significant risks, particularly to poorly secured systems.

    Thrill-seekers are opportunistic threat actors driven by curiosity, excitement, and peer recognition. While often less skilled than professional cybercriminals, they can still exploit unprotected systems, causing disruptions or accidental damage. Understanding their stratification (from novices to advanced hobbyists) helps organizations implement targeted defenses and reduce exposure to these lower-level but frequent threats.

    • Motivation
      • Excitement and Challenge: Engaging in hacking activities for the adrenaline rush of overcoming digital defenses.
      • Social Recognition: Gaining notoriety or respect within peer groups or online communities.
      • Curiosity and Experimentation: Exploring vulnerabilities, system weaknesses, and software exploits without a formal objective.
      • Expression of Skills: Demonstrating technical competence or problem-solving ability in a competitive or public environment.
    • Objectives
      • Testing and exploiting network or system vulnerabilities for personal satisfaction.
      • Gaining temporary unauthorized access to systems or networks.
      • Creating minor disruption to prove capability or gain attention.
      • Sometimes collaborating with or mimicking more advanced threat actors to improve skills.
    • Stratification of Thrill-Seekers
      • Thrill-seekers can be stratified based on technical skill, risk tolerance, and impact potential:
      • Novice / Low-Skill:
        • Rely heavily on pre-written scripts or publicly available hacking tools.
        • Focus on low-value targets such as personal websites, online games, or social media accounts.
        • Primary goal: Fun or social recognition, minimal strategic planning.
      • Intermediate / Curious Hackers:
        • Some knowledge of networks, coding, or exploitation.
        • Target small businesses, misconfigured servers, or low-security organizational systems.
        • Goal: Challenge and exploration, occasional minor disruption.
      • Advanced / Competent Thrill-Seekers:
        • Higher technical skills, sometimes bordering on professional capabilities.
        • Able to exploit moderate-level vulnerabilities, including SQL injection, weak authentication, or outdated software.
        • Goal: Reputation in online communities, experimentation with complex tools, and testing defenses.
    • Typical Targets
      • Publicly accessible websites or applications with minimal security.
      • Online game servers and social media platforms.
      • Small businesses or personal networks lacking strong defenses.
      • Systems where disruption is easy but risk of severe consequences is low.
    • Common Tactics, Techniques, and Procedures (TTPs)
      • Exploiting publicly known vulnerabilities with off-the-shelf tools.
      • Website defacement or minor vandalism of content.
      • Low-level Denial-of-Service (DoS) attacks.
      • Unauthorized access for exploration or bragging rights rather than financial or political gain.
      • Use of forums, paste sites, or social media to announce exploits or achievements.
    • Attack Sophistication
      • Generally low to moderate, depending on skill level.
      • Often opportunistic, targeting easy-to-access systems rather than highly secured or high-value networks.
      • Threat lies in volume, unpredictability, and the potential for accidental damage to critical systems.
    • Defensive Considerations
      • Basic Security Hygiene: Regular patching, strong authentication, and network monitoring.
      • User Awareness: Educating employees and users about phishing, weak passwords, and social engineering.
      • Monitoring and Logging: Detect unusual access patterns or attempts to exploit vulnerabilities.
      • Segmentation and Access Control: Limit potential impact if an attacker gains access.
      • Reporting and Law Enforcement Engagement: Report incidents to law enforcement and share indicators with cybersecurity communities to track repeat offenders and emerging threats.

    Insider Threats

    Insider threats are cybersecurity risks originating from individuals within an organization, such as employees, contractors, or business partners. These actors have authorized access to systems and data, which they can misuse either intentionally or accidentally, making them uniquely dangerous. Insider threats are often difficult to detect because the actors are already trusted users with legitimate credentials.

    Insider threats are a critical cybersecurity risk because they exploit trust and authorized access. Malicious insiders deliberately harm organizations for personal gain, while negligent insiders inadvertently create vulnerabilities through mistakes. Effective defense requires a combination of technical controls, monitoring, and ongoing user education to minimize both intentional and accidental threats.

    • Motivation
      • Insider threats can be driven by a variety of factors:
      • Financial Gain: Selling confidential information or assisting external attackers for money.
      • Revenge or Disgruntlement: Acting against an organization due to dissatisfaction, anger, or retaliation.
      • Negligence or Carelessness: Mistakes that unintentionally compromise security.
      • Ideology or Loyalty: Acting on behalf of a political, social, or organizational cause.
    • Types of Insider Threats
      • Malicious Insiders
        • Definition: Individuals who intentionally exploit their access to assist external threat actors, steal information, or disrupt operations.
        • Motivation: Often financial, personal gain, or revenge.
        • Examples: Selling trade secrets to competitors, leaking sensitive customer data, or sabotaging systems for personal grievances.
      • Incautious / Negligent Insiders
        • Definition: Individuals who unintentionally create vulnerabilities or security incidents due to mistakes, lack of awareness, or poor judgment.
        • Motivation: Usually not malicious—these insiders simply fail to follow security policies or best practices.
        • Examples: Clicking on phishing emails, misconfiguring servers, losing unencrypted devices, or accidentally sharing sensitive documents.
    • Typical Targets
      • Organizational databases containing sensitive information (financial records, personal data, intellectual property)
      • Internal communication systems (emails, intranets, messaging platforms)
      • Access-controlled networks, servers, and endpoints
      • Cloud storage platforms and third-party applications with organizational data
    • Common Tactics, Techniques, and Procedures (TTPs)
      • Data Exfiltration: Transferring sensitive data outside the organization without authorization.
      • Privilege Misuse: Exploiting elevated access rights to access restricted files or systems.
      • Credential Theft: Using others’ credentials to gain unauthorized access.
      • Policy Violations: Ignoring security protocols or using unsecured devices/networks.
      • Accidental Disclosure: Sending sensitive information to unintended recipients or public channels.
    • Attack Sophistication
      • Insider threats vary in sophistication:
      • Malicious Insiders: Often highly knowledgeable about internal systems, capable of carefully planned attacks that avoid detection.
      • Negligent Insiders: Typically low sophistication, but their mistakes can still result in significant breaches.
      • Insiders pose a high-risk threat because they bypass many external security defenses by using legitimate access.
    • Real-World Examples
      • An employee selling proprietary source code to a competitor.
      • A contractor accidentally uploading confidential client data to a public cloud directory.
      • A disgruntled employee sabotaging internal servers, causing operational downtime.
    • Defensive Considerations
      • Access Controls: Implement least-privilege policies and restrict access to only necessary systems.
      • Monitoring and Logging: Track user activity for unusual patterns, including file access, downloads, and privileged operations.
      • Security Awareness Training: Educate employees about phishing, social engineering, and proper data handling.
      • Incident Response Planning: Include procedures to quickly respond to suspected insider activity.
      • Data Loss Prevention (DLP): Tools to detect and prevent unauthorized data transfers or sharing.
      • Behavioral Analytics: Use AI or analytics tools to detect deviations from normal user behavior.

    Hacktivists

    Hacktivists are threat actors motivated primarily by ideological or political goals rather than financial gain. Their main objective is to advance a social, political, or environmental cause by leveraging cyberattacks to gain attention, disrupt targeted organizations, or influence public opinion. Hacktivism is often highly visible and designed to make a statement rather than achieve direct material benefit.

    Hacktivists are ideologically driven threat actors who use cyberattacks to advance political, social, or environmental causes. While they rarely seek financial gain, their campaigns can cause reputational, operational, and societal impact. Organizations can mitigate these threats through proactive security measures, monitoring, and effective incident response planning.

    • Motivation
      • Ideological / Political Causes: Promoting social justice, political reform, environmental activism, or anti-corruption campaigns.
      • Advocacy and Awareness: Drawing attention to perceived wrongdoing or societal issues.
      • Protest and Retaliation: Targeting organizations or governments perceived as unethical or oppressive.
      • Reputation and Recognition: Gaining visibility and respect within activist or online communities.
    • Objectives
      • Disrupt operations of organizations seen as adversaries to their cause.
      • Publicly expose unethical or illegal practices.
      • Amplify messages to influence public opinion or political discourse.
      • Recruit supporters and build awareness through high-profile cyber incidents.
    • Typical Targets
      • Government websites and agencies, especially those linked to controversial policies.
      • Large corporations involved in environmental, social, or political disputes.
      • Media outlets or platforms that shape public narratives.
      • International organizations, NGOs, or advocacy groups.
    • Common Tactics, Techniques, and Procedures (TTPs)
      • Distributed Denial-of-Service (DDoS) Attacks: Overwhelming websites or services to make them temporarily unavailable.
      • Website Defacement: Altering web content to display political or ideological messages.
      • Doxing: Publishing personal or sensitive information of individuals associated with opposing views.
      • Data Leaks / Exfiltration: Releasing confidential documents to embarrass or pressure organizations.
      • Social Media Campaigns: Coordinated online campaigns to promote ideology or recruit supporters.
      • Low-Sophistication Exploits: Often using publicly available tools, though some groups develop moderate-level malware or scripts.
    • Attack Sophistication
      • Varies widely:
        • Low-Skill Hacktivists: Use off-the-shelf tools or simple scripts for DDoS attacks or defacements.
        • Moderate-Skill Groups: May exploit web application vulnerabilities, access databases, or coordinate multi-platform campaigns.
      • Sophistication is typically less than nation-state actors, but high visibility can cause significant reputational and operational damage.
    • Real-World Examples
      • Anonymous: International collective known for politically motivated DDoS attacks, website defacements, and information leaks.
      • LulzSec: Conducted high-profile attacks against corporations and government agencies, often for ideological or notoriety reasons.
      • OurMine: Targeted high-profile social media accounts for awareness and reputation campaigns.
    • Defensive Considerations
      • Website and Network Hardening: Protect public-facing applications against DDoS, SQL injection, and defacement attacks.
      • Monitoring and Threat Intelligence: Track potential hacktivist campaigns and online chatter for early warning.
      • Incident Response Planning: Prepare for rapid mitigation of website defacements or service outages.
      • Access Controls: Limit exposure of sensitive data and enforce strong authentication on critical systems.
      • Public Communication Strategy: Have a crisis communication plan to respond to attacks that aim to generate public attention.

    Script Kiddies

    Script kiddies are low-skilled threat actors who rely on existing tools, scripts, and tutorials created by others to launch attacks. They typically lack deep technical knowledge of how the tools work or how to develop their own exploits, but they can still cause damage—especially to poorly secured systems.

    Script kiddies are amateur attackers who use pre-built tools to exploit obvious weaknesses. While individually less dangerous than advanced adversaries, they are persistent and can cause real damage to poorly secured systems. Strong baseline security controls and good operational hygiene are the most effective defenses.

    • Motivation
      • Curiosity / Thrill: Experimentation and the rush of “breaking into” systems.
      • Recognition / Reputation: Seeking attention in online forums or among peers.
      • Pranks / Vandalism: Causing disruption for fun, spite, or notoriety.
      • Learning: Some use public tools as a crude way to learn the basics of hacking.
    • Characteristics
      • Low technical skill: Depend on pre-made exploits, automated scanners, DDoS tools, and malware builders.
      • Opportunistic: Scan for obvious, known vulnerabilities or misconfigurations rather than targeting high-value, well-defended networks.
      • Poor operational security: Often leave forensic trails and are easier to attribute or block than sophisticated actors.
      • Inconsistent behavior: Actions can be random, noisy, and short-lived.
    • Typical Targets
      • Small or poorly maintained websites
      • Home networks and IoT devices with default credentials
      • Game servers, community forums, and chat servers
      • Public-facing services with known, unpatched vulnerabilities
    • Common TTPs (Tactics, Techniques, and Procedures)
      • Running automated vulnerability scanners and exploit frameworks.
      • Using readily available DDoS/booters to flood services.
      • Deploying commodity malware or ransomware kits with default configurations.
      • Website defacement and basic SQL injection attacks using publicly available scripts.
      • Credential stuffing using leaked credential lists and simple bots.
    • Attack Impact & Risk
      • Impact: Often low-to-moderate per incident, but can be serious if they hit critical but poorly protected systems (e.g., medical devices, small business servers, IoT hubs).
      • Risk Factor: High frequency and unpredictability—script kiddies create a constant background noise of attacks that can expose underlying vulnerabilities and attract more skilled attackers if weaknesses are discovered.
    • Real-World Examples
      • Automated scanners exploit an unpatched CMS plugin causing a website defacement.
      • Credential stuffing bots break into an account where the owner reused a breached password.
    • Detection: Noisy activity (scans, repeated failed logins, obvious exploit signatures) makes detection easier with basic IDS/IPS and centralized logging.
    • Attribution: Easier than for advanced adversaries due to poor OpSec, but false flags and reused infrastructure can still complicate attribution.
    • Defensive Considerations
      • Basic security hygiene first: Ensure patch management, remove default credentials, and harden IoT devices.
      • Strong authentication: Use multi-factor authentication and enforce robust password policies.
      • Network controls: Rate-limiting, firewalls, and DDoS protection services to blunt automated attacks.
      • Logging and alerting: Centralized logs, anomaly detection, and automated alerts for scanning or brute-force behaviors.
      • Least privilege & segmentation: Reduce blast radius when an account or device is compromised.
      • User/owner education: Teach small-business owners and home users about basic security (changing defaults, updates).
      • Honeypots and deception: Can trap or slow script kiddies and yield useful intel on attack tools being used.
  • Indication of Pivot

    Indication of Pivot (IoP)

    An Indication of Pivot, also known as a Lateral Movement Indicator, refers to signs that an attacker is moving from one system to another within a network after gaining initial access. This indicates that the attacker is expanding their control by utilizing compromised accounts, remote administration tools, shared resources, or internal communication paths to access additional hosts, applications, or sensitive systems. Instead of remaining on the initially compromised machine, the attacker “pivots” deeper into the environment. This allows them to increase their privileges, locate valuable data, establish persistence, or prepare for a broader compromise.

    Key Characteristics

    • Occurs After Initial Compromise: This phase happens once the attacker has gained access to at least one system within the network.
    • Indicates Exploration or Spreading: This suggests that the attacker is moving between systems in search of additional access points or valuable targets.
    • Critical Sign of Escalation Toward Full Environment Compromise: This shows that the attack is advancing toward broader control over the network.
    • Focuses on Internal Lateral Movement Activity: This highlights suspicious behavior as attackers navigate between hosts using stolen credentials or remote tools.

    Examples

    • Internal remote login attempts between hosts
      • Earth Lusca (APT)
      • powershell "Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list -property * | findstr 'Address'"
    • Authentication using stolen or new credentials
      • Stolen Legacy VPN Credentials
        • User/Password: test,IWQ1rv04VFiXSCFU (leaked passwords on the dark web)
        • VPN Server: legacy-vpn.example.local
        • Login Time: 03:12 AM
        • Source IP: 1.2.3.4 (unrecognized ASN, possibly a free-tier instance on a well-known cloud service)
        • Device: Unknown
    • Access from a system that normally shouldn’t connect to another
      • Canary Token: database_settings.xlsx
      • database_settings.xlsx is accessed on 4/26/2025 by PC201823
    • Use of tools like PsExec, WMI, WinRM, etc.
      • wmic /node:SERVER01 process call create "powershell.exe Get-Process"
      • psexec.exe \\server01 cmd.exe
      • Enter-PSSession -ComputerName SERVER01
      • Invoke-Command -ComputerName SERVER01 -ScriptBlock { Get-Process }
    • Repeated authentication failures
      • HermeticWizard (a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec)
      • HermeticWizard Spreader (5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48)
      • rundll32 <spreader> #1 -s <HermeticWizard> -i <IP>
      • Multiple failed logins:
        • User: root
        • Source IP: 10.1.2.99
        • Attempts: 100+ in 1 minute
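    The indicators listed above, turned into detection logic as an added example (not part of the original notes): it runs over a constructed sample of Windows logon events and flags workstation-to-workstation network logons, successful remote logons from outside the internal address range, and failed-logon bursts of 100+ attempts in one minute, which also covers the noisy repeated-failed-login behaviour described in the Script Kiddies section. The host inventory, the address ranges and every event record are constructed assumptions.

```python
"""Pivot (lateral-movement) indicators over a constructed Windows logon sample.

Added example, not part of the original notes. Records mimic Security-log
events 4624 (successful logon) and 4625 (failed logon) with their LogonType
(2 interactive, 3 network, 10 RemoteInteractive); every record, the host
inventory and the address ranges are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WORKSTATIONS = {"PC201823", "PC201901"}   # constructed inventory
INTERNAL_PREFIXES = ("10.",)              # constructed internal address space
FAIL_THRESHOLD = 100                      # "100+ attempts in 1 minute" from the notes
FAIL_WINDOW = timedelta(minutes=1)


def ev(ts, event_id, user, logon_type, target, src_ip, src_host=""):
    """Build one constructed logon record."""
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id, "user": user,
            "logon_type": logon_type, "target": target, "src_ip": src_ip,
            "src_host": src_host}


EVENTS = [
    ev("2025-04-26T09:00:00", 4624, "j.doe", 2, "PC201823", "127.0.0.1", "PC201823"),     # console logon
    ev("2025-04-26T09:01:10", 4625, "j.doe", 3, "SERVER01", "10.1.2.15", "PC201823"),     # two typos
    ev("2025-04-26T09:01:20", 4625, "j.doe", 3, "SERVER01", "10.1.2.15", "PC201823"),
    ev("2025-04-26T09:05:00", 4624, "j.doe", 3, "SERVER01", "10.1.2.15", "PC201823"),     # normal file-server access
    ev("2025-04-26T09:07:30", 4624, "svc_backup", 3, "PC201901", "10.1.2.15", "PC201823"),  # workstation -> workstation
    ev("2025-04-26T03:12:00", 4624, "test", 10, "VPN01", "1.2.3.4"),                      # legacy account, external source
]
# A burst of 120 failed logons for "root" from 10.1.2.99, 0.4 s apart (constructed).
_burst_start = datetime.fromisoformat("2025-04-26T10:00:00")
EVENTS += [{"ts": _burst_start + timedelta(milliseconds=400 * i), "event_id": 4625, "user": "root",
            "logon_type": 3, "target": "SERVER01", "src_ip": "10.1.2.99", "src_host": ""}
           for i in range(120)]


def workstation_to_workstation(events):
    """Remote logons where both endpoints are workstations: a host that
    normally shouldn't connect to another."""
    return [(e["src_host"], e["target"], e["user"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] in (3, 10)
            and e["src_host"] in WORKSTATIONS and e["target"] in WORKSTATIONS]


def external_source_logons(events):
    """Successful remote logons from outside the internal ranges (stolen-credential pattern)."""
    return [(e["user"], e["src_ip"], e["target"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] in (3, 10)
            and not e["src_ip"].startswith(INTERNAL_PREFIXES)]


def failed_logon_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Per (user, source IP): the largest number of 4625 events inside any
    `window`; report pairs reaching `threshold` (brute force / spraying)."""
    times = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            times[(e["user"], e["src_ip"])].append(e["ts"])
    bursts = []
    for (user, ip), ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((user, ip, peak))
    return bursts


if __name__ == "__main__":
    print("workstation -> workstation:", workstation_to_workstation(EVENTS))
    print("external sources:", external_source_logons(EVENTS))
    print("failed-logon bursts:", failed_logon_bursts(EVENTS))
```

In production the three checks would read from a SIEM or from `Get-WinEvent` output rather than an inline list; the burst threshold is the value the notes give and should be tuned per environment, since service accounts with expired passwords produce similar spikes.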
  • Indicators of Attack

    Indicators of Attack (IoA)

    Indicators of Attack (IoAs) are behavioral signs that suggest an attack is either in progress or being attempted. Unlike Indicators of Compromise (IoCs), which provide evidence after a breach has occurred, IoAs concentrate on detecting suspicious behaviors, tactics, and techniques used by attackers in real-time.

    IoAs assist security teams in identifying malicious activities at an earlier stage in the attack lifecycle. Instead of searching for known malicious artifacts, IoAs focus on monitoring how attackers operate. This makes IoAs particularly valuable against advanced persistent threats (APTs), fileless malware, insider threats, and zero-day attacks, which may not have recognizable signatures or hashes.

    Rather than depending on static indicators, such as known malicious IP addresses or file hashes, IoAs evaluate abnormal or suspicious activities. These activities can include attempts at privilege escalation, unusual command executions, lateral movements between systems, credential dumping, persistence techniques, or suspicious authentication behaviors.

    Key Characteristics

    • Proactive: Emphasizes the detection of suspicious behavior as it occurs, which aids in identifying attacks early in their lifecycle.
    • Behavior-Anomaly Focus: Identifies unusual patterns of activity instead of relying solely on known malicious signatures or artifacts.
    • Early Attack Detection: Allows security teams to respond while an attack is ongoing, thereby minimizing potential damage.
    • Based on Attacker Tactics, Techniques, and Procedures (TTPs): Concentrates on understanding how attackers operate rather than just the tools they employ.

    Examples

    • PowerShell execution with encoded commands
      • Emotet Downloader (ff76ff1440947e3dd42578f534b91fdb8229c1f40fed36a3dd5688dbc51f0014)
      • powershell.exe -w hidden -en JABBHoAe…
    • Suspicious execution chain
      • Emotet Downloader ff76ff1440947e3dd42578f534b91fdb8229c1f40fed36a3dd5688dbc51f0014
      • winword.exe -> powershell.exe -> 937.exe
    • Privilege escalation
      • Digital Eye (APT)
      • bK2o.exe used for pass-the-hash (Similar to mimikatz)
    • Credential Dumping
      • FIN13 (APT)
      • procdump.exe -ma lsass.exe lsass.dmp
  • Indicators of Compromise

    Indicators of Compromise (IoC)

    Indicators of Compromise (IoCs) are pieces of forensic evidence or observable data that suggest a system, network, or account has been compromised by malicious activity. IoCs are typically discovered during or after a cybersecurity incident and are used by security teams to identify, investigate, and contain attacks. 

    IoCs are considered reactive security indicators because they confirm that suspicious or malicious activity has already occurred. Security analysts use them to trace attacker behavior, detect infected systems, block known threats, and improve future defenses. 

    These indicators are often static and signature-based, which means they rely on previously identified malicious artifacts, such as known malware file hashes, attacker-controlled IP addresses, suspicious domains, registry modifications, or unauthorized file changes. Because attackers frequently change their infrastructure and malware signatures, IoCs can quickly become outdated. As a result, they are usually most effective for detecting known threats rather than new or evolving attacks.

    Key Characteristics

    • Reactive: They are identified after an attack has already occurred and are used to confirm and investigate a breach. They indicate that a malicious event has taken place.
    • Confirms something bad has already happened: They provide evidence of a compromise or malicious activity, such as known malicious files, IP addresses, or unauthorized system changes.
    • Often signature based: They rely on established patterns or indicators (such as hashes or domains). This makes them effective for detecting known threats but less useful against new or evolving attacks.

    Examples

    • Malware hashes
      • NetWalker Ransomware (Double-Extortion)
      • SHA256: 8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c
    • Suspicious file changes
      • NetWalker Ransomware (Double-Extortion)
      • File: C:\Program Files (x86)\f7ccbf3501\f7ccbf3501.exe
    • Registry modifications
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • Value: "f7ccbf3501" = "C:\Program Files (x86)\f7ccbf3501\f7ccbf3501.exe"
    • Malicious IPs/domains
      • Emotet (8e37a82ff94c03a5be3f9dd76b9dfc335a0f70efc0d8fd3dca9ca34dd287de1b)
      • Traffic: 10.1.0.99 -> 5.2.136.90 (known Emotet C&C server)
    • Unexpected processes
      • Lucifer (66d619ca5e848ce0e4bcb1252ff8a4f0a060197a94810de85873c76fa3826c1e)
      • Action: schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr %SAMPLEPATH% /F
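    The IoA and IoC sections above describe two complementary kinds of detection; the following added example (not from the original notes) implements both over one constructed event sample: static IoC matching on the hashes, C&C address and Run-key value listed above, and behavioural IoA rules for encoded PowerShell, an Office application spawning a shell, a shell launching an executable from a temp directory, procdump against LSASS, and minute-interval scheduled tasks. The event records, their file paths and the `UNKNOWN_HASH` placeholder are constructed; the first event carries an unknown hash so that only the behavioural rules fire, which is the contrast the two sections draw.

```python
"""Behavioural IoAs beside static IoCs over one constructed event sample.
Added example, not from the original notes. Indicator values are the ones the
notes list; every event record, path and the UNKNOWN_HASH placeholder are constructed."""
import re

# --- Indicators of Compromise: exact artifacts, reactive -------------------
IOC_SHA256 = {
    "8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c": "NetWalker sample",
    "ff76ff1440947e3dd42578f534b91fdb8229c1f40fed36a3dd5688dbc51f0014": "Emotet downloader",
}
IOC_C2_IPS = {"5.2.136.90": "Emotet C&C"}
IOC_RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
IOC_RUN_VALUES = {r"c:\program files (x86)\f7ccbf3501\f7ccbf3501.exe": "NetWalker persistence"}


def match_iocs(ev):
    """Signature-style matching: only artifacts already known to be bad hit."""
    hits = []
    sha = ev.get("sha256", "").lower()
    if sha in IOC_SHA256:
        hits.append(IOC_SHA256[sha])
    if ev.get("dst_ip") in IOC_C2_IPS:
        hits.append(IOC_C2_IPS[ev["dst_ip"]])
    data = ev.get("reg_data", "").lower()
    if ev.get("reg_key", "").lower() == IOC_RUN_KEY and data in IOC_RUN_VALUES:
        hits.append(IOC_RUN_VALUES[data])
    return hits


# --- Indicators of Attack: how the activity looks, whatever its hash -------
ENCODED_PS = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s", re.I)  # -e/-ec/-en/-enc/-EncodedCommand
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _name(path):
    """File name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def match_ioas(ev):
    """Behaviour rules over a process-creation event (parent, child, command line)."""
    if ev.get("type") != "process":
        return []
    img, parent = _name(ev["image"]), _name(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    hits = []
    if img == "powershell.exe" and ENCODED_PS.search(cmd):
        hits.append("encoded PowerShell command")
    if parent in OFFICE_APPS and img in SHELLS:
        hits.append("Office application spawning a shell")
    if parent == "powershell.exe" and "\\temp\\" in ev["image"].lower():
        hits.append("shell launching an executable from a temp directory")
    if img == "procdump.exe" and "lsass" in cmd.lower():
        hits.append("LSASS memory dump (credential dumping)")
    if img == "schtasks.exe" and "/create" in cmd.lower() and "/sc minute" in cmd.lower():
        hits.append("minute-interval scheduled task (persistence)")
    return hits


UNKNOWN_HASH = "00" * 32   # placeholder: a recompiled sample no feed has seen yet
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed records
    {"id": 1, "type": "process", "image": PS, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -w hidden -en QQBBAEEAQQA=", "sha256": UNKNOWN_HASH},
    {"id": 2, "type": "file", "path": r"C:\Program Files (x86)\f7ccbf3501\f7ccbf3501.exe",
     "sha256": "8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c"},
    {"id": 3, "type": "network", "src_ip": "10.1.0.99", "dst_ip": "5.2.136.90", "dst_port": 443},
    {"id": 4, "type": "registry", "reg_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "reg_name": "f7ccbf3501", "reg_data": r"C:\Program Files (x86)\f7ccbf3501\f7ccbf3501.exe"},
    {"id": 5, "type": "process", "image": r"C:\Tools\procdump.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "procdump.exe -ma lsass.exe lsass.dmp"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Public\sample.exe /F'},
    {"id": 7, "type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\937.exe", "parent": PS,
     "cmdline": "937.exe"},
    {"id": 8, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def triage(events):
    """Map event id -> (IoC hits, IoA hits)."""
    return {ev["id"]: (match_iocs(ev), match_ioas(ev)) for ev in events}


if __name__ == "__main__":
    for event_id, (iocs, ioas) in triage(EVENTS).items():
        print(event_id, "IoC:", iocs, "IoA:", ioas)
```

Event 1 is the case the IoA section argues for: the sample hash is new, so the IoC table says nothing, while the parent/child relationship and the encoded command line still fire. Event 8 shows the cost of behaviour rules: they need an allow-list or tuning for legitimate administrative PowerShell.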
  • Diffie Hellman

    Diffie Hellman 

    A cryptographic method that allows two parties to securely establish a shared secret key over an insecure communication channel, such as the internet, without ever directly transmitting the key itself. This shared secret can then be used to encrypt subsequent communications using symmetric encryption algorithms. Developed by Whitfield Diffie and Martin Hellman in 1976, the algorithm was a groundbreaking advancement in cryptography because it solved the problem of secure key exchange over unsecured networks.

    # The safe prime (safe_prime.key) is generated by the server and sent to the clients
    # If you change the 1024 to 2048 bits, generating the safe prime will take longer

    openssl # an open-source cryptography toolkit
    dhparam # generates Diffie-Hellman parameters
    -out safe_prime.key # output file for DH parameters
    1024 # size of the prime in bits (minimum for learning; modern use: 2048+)

    openssl dhparam -out safe_prime.key 1024

    openssl # an open-source cryptography toolkit
    genpkey # generates a private key based on specified parameters
    -paramfile safe_prime.key # DH parameters to use
    -out alice_private.key # output private key file for Alice

    openssl genpkey -paramfile safe_prime.key -out alice_private.key

    openssl # an open-source cryptography toolkit
    genpkey # generates a private key based on specified parameters
    -paramfile safe_prime.key # DH parameters to use
    -out bob_private.key # output private key file for Bob

    openssl genpkey -paramfile safe_prime.key -out bob_private.key

    openssl # an open-source cryptography toolkit
    pkey # public/private key utility
    -in alice_private.key # input file containing Alice’s private key
    -text # show key parameters in plain text (human-readable)
    -noout # do NOT output the PEM/DER encoded key

    openssl pkey -in alice_private.key -text -noout

    openssl # an open-source cryptography toolkit
    pkey # public/private key utility
    -in bob_private.key # input file containing Bob’s private key
    -text # show key parameters in plain text (human-readable)
    -noout # do NOT output the PEM/DER encoded key

    openssl pkey -in bob_private.key -text -noout

    openssl # an open-source cryptography toolkit
    pkey # public/private key utility
    -in alice_private.key # input file containing Alice’s private key
    -pubout # output the corresponding public key
    -out alice_public.key # save the public key to this file

    openssl pkey -in alice_private.key -pubout -out alice_public.key

    openssl # an open-source cryptography toolkit
    pkey # public/private key utility
    -in bob_private.key # input file containing bob’s private key
    -pubout # output the corresponding public key
    -out bob_public.key # save the public key to this file

    openssl pkey -in bob_private.key -pubout -out bob_public.key

    openssl # an open-source cryptography toolkit
    pkeyutl # utility for public/private key operations
    -derive # derive a shared secret (used in Diffie-Hellman key exchange)
    -inkey alice_private.key # Alice’s private key
    -peerkey bob_public.key # Bob’s public key
    -out alice_shared_secret # output file containing the derived shared secret

    openssl pkeyutl -derive -inkey alice_private.key -peerkey bob_public.key -out alice_shared_secret

    openssl # an open-source cryptography toolkit
    pkeyutl # utility for public/private key operations
    -derive # derive a shared secret (used in Diffie-Hellman key exchange)
    -inkey bob_private.key # Bob’s private key
    -peerkey alice_public.key # Alice’s public key
    -out bob_shared_secret # output file containing the derived shared secret

    openssl pkeyutl -derive -inkey bob_private.key -peerkey alice_public.key -out bob_shared_secret

    cmp # Unix command to compare two files byte by byte
    alice_shared_secret # file containing the shared secret derived by Alice
    bob_shared_secret # file containing the shared secret derived by Bob

    cmp alice_shared_secret bob_shared_secret

    xxd # Unix command to create a hex dump of a file
    alice_shared_secret # file containing the derived shared secret

    xxd alice_shared_secret

    xxd # Unix command to create a hex dump of a file
    bob_shared_secret # file containing the shared secret derived by Bob

    xxd bob_shared_secret
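    The same exchange in pure Python, as an added example that is not part of the original notes: it searches for a safe prime the way `openssl dhparam` does (at toy sizes), derives both sides' public values, and validates the peer's public value before computing the shared secret, a check the walkthrough above leaves to OpenSSL. The parameter sizes, the `generator` choice and the SHA-256 step standing in for a real key-derivation function are assumptions for the example. Note that plain Diffie-Hellman authenticates neither party; deployed protocols such as TLS sign the exchanged values.

```python
"""Diffie-Hellman over a safe prime with explicit parameter and peer-value
checks. Added example, not from the original notes; sizes are toy-scale and
the SHA-256 step stands in for a real key-derivation function."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with random bases (probabilistic, fine for an example)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits):
    """Search for p = 2q + 1 with p and q both prime, as `openssl dhparam` does."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def generator(p):
    """For a safe prime every quadratic residue other than 1 has order q, so
    2^2 = 4 generates the prime-order subgroup (assumption: p > 5)."""
    return pow(2, 2, p)


def dh_public(p, g, priv):
    """Public value g^priv mod p, safe to send in the clear."""
    return pow(g, priv, p)


def is_valid_peer_public(p, pub):
    """Reject 0, 1, p-1 and values outside the order-q subgroup; without this
    check a misbehaving peer can force the shared secret into a tiny set."""
    q = (p - 1) // 2
    return 1 < pub < p - 1 and pow(pub, q, p) == 1


def dh_shared(p, priv, peer_pub):
    """Shared key = H(peer_pub^priv mod p); raises on an invalid peer value."""
    if not is_valid_peer_public(p, peer_pub):
        raise ValueError("invalid peer public value")
    secret = pow(peer_pub, priv, p)
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).hexdigest()


def demo(bits=64):
    """Full exchange; returns (p, g, both sides derived the same key)."""
    p = gen_safe_prime(bits)
    g, q = generator(p), (p - 1) // 2
    a, b = secrets.randbelow(q - 2) + 2, secrets.randbelow(q - 2) + 2   # private values in [2, q-1]
    A, B = dh_public(p, g, a), dh_public(p, g, b)                       # exchanged over the channel
    return p, g, dh_shared(p, a, B) == dh_shared(p, b, A)


if __name__ == "__main__":
    p, g, ok = demo()
    print(f"p={p} g={g} shared keys match: {ok}")
```

The constructed value 2039 = 2 * 1019 + 1 is a safe prime small enough to check by hand; 7 is a quadratic non-residue mod 2039, so the subgroup check rejects it even though it lies inside the range check.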
  • Rivest Shamir Adleman

    Rivest Shamir Adleman (RSA)

    A public-key cryptosystem that uses a pair of mathematically related keys: a public key for encryption and a private key for decryption. It was developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman and remains one of the most widely used asymmetric encryption algorithms in the world. RSA relies on the mathematical difficulty of factoring the product of two large primes to ensure security. While the public key can be freely shared to encrypt messages, only the holder of the corresponding private key can decrypt the ciphertext. This allows secure communication between parties without the need to share a secret key in advance.

    echo "test" > input.txt # Create a file named input.txt containing the text "test"

    echo "test" > input.txt

    openssl # an open-source cryptography toolkit
    genrsa # generates an RSA private key
    -out private.key # output file for private key
    2048 # key size in bits (secure for most uses)

    openssl genrsa -out private.key 2048

    openssl # an open-source cryptography toolkit
    rsa # RSA key utility
    -in private.key # input private key
    -pubout # output the corresponding public key
    -out public.key # output file for public key

    openssl rsa -in private.key -pubout -out public.key

    openssl # an open-source cryptography toolkit
    pkeyutl # utility for public/private key operations
    -encrypt # encrypt mode
    -pubin # input key is a public key
    -inkey public.key # the public key used for encryption
    -in input.txt # plaintext input file
    -out encrypted.txt # output ciphertext file

    openssl pkeyutl -encrypt -pubin -inkey public.key -in input.txt -out encrypted.txt

    openssl # an open-source cryptography toolkit
    pkeyutl # utility for public/private key operations
    -decrypt # decrypt mode
    -inkey private.key # the private key used for decryption
    -in encrypted.txt # input ciphertext file
    -out decrypted.txt # output plaintext file

    openssl pkeyutl -decrypt -inkey private.key -in encrypted.txt -out decrypted.txt

    cat decrypted.txt # Display the decrypted file contents

    cat decrypted.txt
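    Textbook RSA with the arithmetic written out, as an added example that is not part of the original notes: key generation from two primes, encryption with the public exponent and decryption with the private one, plus a check that raw RSA is deterministic, which is why the `openssl pkeyutl` commands above add padding (PKCS#1 v1.5 by default) before the exponentiation. The primes `P` and `Q` are constructed and far too small for real use.

```python
"""Textbook RSA with the arithmetic written out. Added example, not from the
original notes; P and Q are constructed, well-known small primes and give a
~60-bit modulus, nowhere near the 2048 bits the openssl walkthrough uses."""
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)). Recovering d from (n, e) requires factoring
    n = p*q into its two primes, which is what RSA's security rests on."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n for distinct primes p, q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # modular inverse, e*d = 1 mod phi (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, msg):
    """Raw RSA: c = m^e mod n on the message interpreted as a big-endian integer."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message must be smaller than the modulus; real systems "
                         "encrypt a symmetric key this way, not the data itself")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """m = c^d mod n, converted back to bytes (leading zero bytes are not restored)."""
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


P, Q = 1000000007, 998244353          # constructed toy primes, NOT a usable key size
PUB, PRIV = rsa_keygen(P, Q)


def roundtrip(msg=b"test"):
    """Encrypt with the public key and decrypt with the private one."""
    return rsa_decrypt(PRIV, rsa_encrypt(PUB, msg))


def is_deterministic(msg=b"test"):
    """Raw RSA maps equal plaintexts to equal ciphertexts, so an observer can
    recognise repeated messages. That is why `openssl pkeyutl -encrypt` applies
    randomised padding (PKCS#1 v1.5 by default; OAEP is the recommended choice)
    before the exponentiation."""
    return rsa_encrypt(PUB, msg) == rsa_encrypt(PUB, msg)


if __name__ == "__main__":
    print("public:", PUB, "private:", PRIV)
    print("roundtrip:", roundtrip(), "deterministic:", is_deterministic())
```

The classic small instance p = 61, q = 53, e = 17 gives n = 3233 and d = 2753, and encrypting the integer 65 yields 2790; the test below checks the functions against those known values.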
  • Advanced Encryption Standard

    Advanced Encryption Standard (AES)

    A symmetric block cipher selected by the U.S. National Institute of Standards and Technology (NIST) in 2001 to replace the older Data Encryption Standard (DES). AES is widely used to protect sensitive and classified information in both government and commercial applications. AES encrypts data in fixed-size blocks of 128 bits and supports key lengths of 128, 192, or 256 bits, providing strong security against modern cryptographic attacks. It operates using a series of substitution, permutation, and mixing operations across multiple rounds, depending on the key size (10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys).

    echo "test" > input.txt # Create a file named input.txt containing the text "test"

    echo "test" > input.txt

    openssl # OpenSSL command-line cryptography tool
    enc # encryption/decryption utility
    -e # encrypt mode
    -aes-256-cbc # AES algorithm with 256-bit key in CBC mode
    -in input.txt # plaintext input file
    -out encrypted.txt # output encrypted file
    -k test # password used to derive the encryption key
    -iv 0 # initialization vector (IV) set to all zeros (INSECURE)

    openssl enc -e -aes-256-cbc -in input.txt -out encrypted.txt -k test -iv 0

    openssl # OpenSSL command-line cryptography tool
    enc # encryption/decryption utility
    -d # decrypt mode
    -aes-256-cbc # same algorithm and mode used for encryption
    -in encrypted.txt # input ciphertext file
    -out decrypted.txt # output decrypted file
    -k test # same password used to derive the key
    -iv 0 # same IV must be used for decryption

    openssl enc -d -aes-256-cbc -in encrypted.txt -out decrypted.txt -k test -iv 0

    cat decrypted.txt # Display the decrypted file contents

    cat decrypted.txt

    One-liner

    echo test123 | openssl enc -k 33 -aes-256-ctr -nosalt -a | openssl enc -d -k 33 -aes-256-ctr -nosalt -a
  • Rivest Cipher 4

    Rivest Cipher 4 (RC4)

    A stream cipher designed by Ronald Rivest in 1987. Unlike block ciphers, which encrypt fixed-size blocks of data, RC4 encrypts data one byte at a time. This makes it well-suited for applications where data arrives in variable-length streams, such as network communications. RC4 generates a pseudorandom key stream based on an initial secret key. Each byte of plaintext is then combined with the key stream using the XOR operation to produce ciphertext. Decryption uses the same key to regenerate the key stream, and XOR is applied again to recover the original plaintext.

    echo "test" > input.txt # Create a file named input.txt containing the text "test"

    echo "test" > input.txt

    openssl # an open-source cryptography toolkit
    enc # encryption/decryption utility
    -e # encrypt mode
    -rc4 # RC4 algorithm (deprecated / insecure)
    -in input.txt # input plaintext file
    -out encrypted.txt # output encrypted file
    -K '000102030405060708090A0B0C0D0E0F' # raw encryption key in hexadecimal (128-bit key)
    -provider legacy # required because RC4 is deprecated in OpenSSL 3+

    openssl enc -e -rc4 -in input.txt -out encrypted.txt -K '000102030405060708090A0B0C0D0E0F' -provider legacy

    openssl # an open-source cryptography toolkit
    enc # encryption/decryption utility
    -d # decrypt mode
    -rc4 # same algorithm used for encryption
    -in encrypted.txt # input ciphertext file
    -out decrypted.txt # output decrypted file
    -K '000102030405060708090A0B0C0D0E0F' # same raw key used for encryption
    -nosalt # disables salt (needed because encryption used raw key)
    -provider legacy # enables deprecated RC4 support

    openssl enc -d -rc4 -in encrypted.txt -out decrypted.txt -K '000102030405060708090A0B0C0D0E0F' -nosalt -provider legacy

    cat decrypted.txt # Display the decrypted file contents

    cat decrypted.txt
  • Data Encryption Standard

    Data Encryption Standard (DES) 

    A symmetric key block cipher that was widely used for securing electronic data. DES operates by encrypting 64-bit blocks of data using a 56-bit key, producing a corresponding 64-bit ciphertext block. DES follows the Feistel structure, which means it divides the data block into two halves and applies multiple rounds of substitution and permutation to increase security. Each round uses the key in a complex transformation process to scramble the data, making it difficult for unauthorized parties to recover the original plaintext without the correct key.

    echo "test" > input.txt # Create a file named input.txt containing the text "test"

    echo "test" > input.txt

    openssl # an open-source cryptography toolkit
    enc # encryption/decryption utility
    -e # encrypt mode
    -des-ecb # use DES algorithm in ECB mode
    -in input.txt # input plaintext file
    -out encrypted.txt # output encrypted file
    -K 0001020304050607 # explicit 64-bit DES key in hex
    -provider legacy # required because DES is deprecated in OpenSSL 3+

    openssl enc -e -des-ecb -in input.txt -out encrypted.txt -K 0001020304050607 -provider legacy

    openssl # an open-source cryptography toolkit
    enc # encryption/decryption utility
    -d # decrypt mode
    -des-ecb # same algorithm and mode used for encryption
    -in encrypted.txt # input ciphertext file
    -out decrypted.txt # output decrypted file
    -K 0001020304050607 # same key used for encryption
    -nosalt # disables salt (needed because encryption used raw key)
    -provider legacy # enables deprecated DES support

    openssl enc -d -des-ecb -in encrypted.txt -out decrypted.txt -K '0001020304050607' -nosalt -provider legacy

    cat decrypted.txt # Display the decrypted file contents

    cat decrypted.txt