Blackbox Intelligence Group

Cybersecurity I · Module 5

Cybersecurity I, Unit 5: Cyber Threats and Attack Vectors

Name the threat. Trace the attack. Students leave able to identify malware families, dissect a phishing email, recognize social engineering plays, and profile a threat actor.

Length
240 min
Level
foundational
Track
Cyber I
Cadence
Semester 1


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide


Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter


Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export


Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 5: Cyber Threats and Attack Vectors

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 4 × 60 minutes |
| Recommended placement | Weeks 7–8 of Cybersecurity I |
| Prerequisite | Units 1–4 complete |
| Materials | Three sample phishing emails (provided), malware-behavior case study handouts, threat actor profile cards |

Safety: We analyze sample phishing emails and descriptions of malware behavior. We do not download, open, or execute malware samples in Cyber I. Anyone caught downloading "real" malware to a school device - even on a VM - is removed from the program pending review. Wait for Cyber II Unit 10 for safe sample handling.

Standards & credential alignment

  • EHE Domain 2: Information Security Threats and Vulnerabilities.
  • VA CTE: Identify common attack vectors and threat actor types.
  • MITRE ATT&CK: Initial Access, Execution, Credential Access tactics (introductory exposure).

Learning objectives

By the end of this unit, students can:

  1. Define and give examples of: virus, worm, trojan, ransomware, spyware, keylogger, RAT, rootkit, botnet.
  2. Identify at least 6 phishing indicators in a sample email.
  3. Distinguish phishing, spear phishing, whaling, smishing, and vishing.
  4. Describe the social-engineering lifecycle (research → engage → exploit → exit).
  5. Profile the four major threat-actor categories (cybercriminal, hacktivist, nation-state, insider) and give a real example of each.
  6. Explain credential attacks (brute force, password spray, credential stuffing) at the conceptual level - without ever running them outside the lab.

Vocabulary

  • Malware - Umbrella for malicious software.
  • Virus / Worm / Trojan - Needs a host file / spreads itself / disguised as legitimate.
  • Ransomware - Encrypts files and demands payment.
  • RAT - Remote Access Trojan; gives attacker remote control.
  • Botnet - Network of compromised hosts under one C2.
  • C2 - Command and control. The attacker's "phone home" infrastructure.
  • Phishing - Mass-targeted email-based social engineering.
  • Spear phishing / Whaling - Targeted at one person / targeted at executives.
  • Smishing / Vishing - Phishing over SMS / voice.
  • Credential stuffing - Reusing leaked username/password pairs against other sites.
  • Password spray - One common password tried against many usernames (avoids lockout).
  • Insider threat - A current or former insider misusing legitimate access.

Teacher background

This is the unit where students start recognizing the news. Every cyber-news headline they encounter in the rest of the year will fit somewhere in this taxonomy. Take time to build the mental hooks.

The most useful framing for high school: threat = who, vector = how, impact = what it costs. Use that triple every time.

Phishing is the right place to spend 40% of the unit. Phishing is the entry vector in roughly 80–90% of real-world breaches. If a student leaves only able to spot a phishing email, you have done useful work.

Materials checklist

  • [ ] Three printed sample phishing emails (provided below)
  • [ ] Threat-actor profile cards (4 categories, 1 real example each)
  • [ ] Malware-behavior case-study handout (Stuxnet, WannaCry, NotPetya, Emotet - pick three)
  • [ ] Worksheet PDF
  • [ ] Wall poster: 6 phishing indicator categories

Pacing - Day 1 (60 min): Malware taxonomy

| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:25 | Mini-lesson - malware family tree | Definitions + behaviors. |
| 0:25 – 0:50 | Activity - case study jigsaw | Three groups, three malware samples, share back. |
| 0:50 – 1:00 | Discussion - what they have in common | C2, persistence, impact. |

Day 1 - Case studies (run as a jigsaw)

Group A - WannaCry (2017). Ransomware. Spread via SMB (port 445) using the EternalBlue exploit. NHS hospitals couldn't admit patients. Stopped when a researcher registered a sinkhole domain. Lessons: patch management, network segmentation, backup hygiene.

Group B - NotPetya (2017). Disguised as ransomware, but actually a destructive wiper. Spread through a compromised update of a Ukrainian accounting software package (supply chain). Damages estimated at $10B globally. Lessons: supply chain risk, the difference between criminal and state-sponsored attacks.

Group C - Emotet (2014–present). Banking trojan turned malware-as-a-service distribution platform. Delivered via phishing. Drops follow-on malware (Trickbot, Ryuk). Lessons: phishing-as-initial-access, layered malware ecosystems, takedowns are temporary.

Each group reports out for 4 minutes. Students fill the comparison table on the worksheet.

Pacing - Day 2 (60 min): Phishing investigation

| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:15 | Mini-lesson - six phishing indicator categories | Sender, urgency, payload, content, context, infrastructure. |
| 0:15 – 0:45 | Activity - three-email triage | Pairs analyze the three sample emails on the worksheet. |
| 0:45 – 0:55 | Share-out + answer key | Walk all three. |
| 0:55 – 1:00 | Exit ticket | "Which indicator did you find first on Email #1?" |

Day 2 - The 6 phishing indicator categories

  1. Sender - Display name vs. actual address. Free domain (@gmail.com) for an "official" sender. Typosquatting (yourschoool-district.org).
  2. Urgency - "Your account will be suspended in 24 hours." Real institutions don't operate this way.
  3. Payload - Suspicious link, attachment, or QR code.
  4. Content - Unusual grammar, awkward greetings, specifics that don't match reality.
  5. Context - Did you expect this email? Does the time of day make sense?
  6. Infrastructure - Unusual mail headers (SPF/DKIM/DMARC fail), reply-to ≠ from address.

Day 2 - Sample emails (printed for student analysis)

Email 1 - The 3:14 AM alert

From: IT Support <support@yourschoool-district.org>
To: alex.morrow@yourschool-district.org
Date: Tuesday at 3:14 AM
Subject: !!URGENT!! Your mailbox is full and will be deleted

Dear User,

Your school mailbox has reached 99% capacity and will be permanently
deleted in 24 hours unless you verify your credentials immediately.

Click here to keep your account: http://your-school-mailfix.com/login

Sincerely,
IT Support Team

Indicators: typosquatted domain (yourschoool not yourschool), 3:14 AM timestamp, urgency, generic greeting, suspicious off-domain link, threat of data loss, unsigned. Verdict: phishing.

Email 2 - The legitimate field-trip permission slip

From: Coach Jamal Reed <j.reed@yourschool-district.org>
To: parents-grade-10@yourschool-district.org
Date: Wednesday at 2:15 PM
Subject: 10th-grade field trip permission slip - return by Friday

Hi parents,

Please find attached the permission slip for our 10th-grade field trip
to the science museum next Thursday. Please sign and return to the
front office by Friday afternoon.

Thanks!
Coach Reed

Indicators: matches expected context (field-trip slips are normal), legitimate sender domain, no urgent threats, no off-domain link, attachment is a PDF from a trusted internal sender. Verdict: legitimate. Lesson: not every email with an attachment is phishing.

Email 3 - The principal-impersonation gift card scam

From: Principal Linda Park <l.park.principal@yourschool-district-admin.com>
To: alex.morrow@yourschool-district.org
Date: Saturday at 9:47 AM
Subject: Quick favor

Alex,

Are you available? I need you to grab a few gift cards for a teacher
appreciation thing this weekend. Reply when you can - I'll send details.

Thanks,
Principal Park
(sent from my phone)

Indicators: sender domain is a lookalike (yourschool-district-admin.com, not the real domain), Saturday morning, urgency framed as a "favor," gift cards (the universal scam tell), "sent from my phone" is a manipulation tactic to excuse brevity. Verdict: business email compromise (BEC) - gift card variant. This pattern has cost real schools real money.
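To show how the six indicator categories become something a mail-security team can actually run, here is an added example (not from the lesson pack or its worksheet) that parses the three sample emails above with Python's standard `email` module and reports which categories fire. The trusted domain, the keyword lists, the 07:00–19:00 business-hours window and the cut-offs in `verdict` are assumptions; Email 1 carries two constructed `Reply-To` and `Authentication-Results` headers that the printed version does not have, so the infrastructure check has something to inspect, and the bodies are abridged.

```python
"""Indicator-based phishing triage over the lesson's three sample emails (added example)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "yourschool-district.org"  # assumed real school domain
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = ("urgent", "immediately", "24 hours", "suspended", "deleted", "verify", "quick")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member")
SCAM_PHRASES = ("gift card", "sent from my phone")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """Near the trusted domain (typo such as yourschoool, or an extra suffix) but not equal."""
    if not domain or domain == trusted:
        return False
    d_label, t_label = domain.split(".")[0], trusted.split(".")[0]
    return t_label in d_label or SequenceMatcher(None, d_label, t_label).ratio() >= 0.85

def triage(raw):
    """Map each of the six indicator categories that fired to its evidence."""
    msg = message_from_string(raw.lstrip("\n"))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = {}
    # 1. Sender: lookalike domain, or a free-mail domain behind an "official" display name.
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(addr)
    if is_lookalike(sender_dom):
        hits["sender"] = f"lookalike domain {sender_dom}"
    elif sender_dom in FREE_MAIL:
        hits["sender"] = f"free-mail domain {sender_dom} behind '{name}'"
    # 2. Urgency: pressure words in subject or body.
    if found := [w for w in URGENCY if w in text]:
        hits["urgency"] = found
    # 3. Payload: links whose host is not the trusted domain.
    hosts = [h.lower() for h in re.findall(r"https?://([^/\s]+)", body)]
    if off := [h for h in hosts if h != TRUSTED_DOMAIN and not h.endswith("." + TRUSTED_DOMAIN)]:
        hits["payload"] = off
    # 4. Content: generic greeting or classic scam phrasing.
    if content := [p for p in GENERIC_GREETINGS + SCAM_PHRASES if p in text]:
        hits["content"] = content
    # 5. Context: weekend, or outside 07:00-19:00 (parses the worksheet's Date format).
    m = re.search(r"(\w+) at (\d{1,2}):(\d{2}) (AM|PM)", msg.get("Date", ""))
    if m:
        hour = int(m.group(2)) % 12 + (12 if m.group(4) == "PM" else 0)
        if m.group(1) in ("Saturday", "Sunday") or not 7 <= hour < 19:
            hits["context"] = f"{m.group(1)} {hour:02d}:{m.group(3)}"
    # 6. Infrastructure: Reply-To on another domain, or a failed SPF/DKIM/DMARC result.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    infra = [f"reply-to domain {domain_of(reply)}"] if reply and domain_of(reply) != sender_dom else []
    if "fail" in msg.get("Authentication-Results", "").lower():
        infra.append("authentication-results fail")
    if infra:
        hits["infrastructure"] = infra
    return hits

def verdict(hits):
    return "phishing" if len(hits) >= 3 else "suspicious" if hits else "likely legitimate"

# Worksheet emails, bodies abridged; EMAIL_1 carries two constructed headers for check 6.
EMAIL_1 = """
From: IT Support <support@yourschoool-district.org>
Reply-To: recover@your-school-mailfix.com
Authentication-Results: mx.yourschool-district.org; spf=fail dmarc=fail
Date: Tuesday at 3:14 AM
Subject: !!URGENT!! Your mailbox is full and will be deleted

Dear User,
Your mailbox will be permanently deleted in 24 hours unless you verify
your credentials immediately: http://your-school-mailfix.com/login
"""
EMAIL_2 = """
From: Coach Jamal Reed <j.reed@yourschool-district.org>
Date: Wednesday at 2:15 PM
Subject: 10th-grade field trip permission slip - return by Friday

Hi parents,
Please find attached the permission slip for our 10th-grade field trip
to the science museum next Thursday. Please sign and return by Friday.
"""
EMAIL_3 = """
From: Principal Linda Park <l.park.principal@yourschool-district-admin.com>
Date: Saturday at 9:47 AM
Subject: Quick favor

Are you available? I need you to grab a few gift cards for a teacher
appreciation thing this weekend. Reply when you can - I'll send details.
(sent from my phone)
"""

if __name__ == "__main__":
    for label, raw in (("Email 1", EMAIL_1), ("Email 2", EMAIL_2), ("Email 3", EMAIL_3)):
        hits = triage(raw)
        print(label, "->", verdict(hits), hits)
```

Run it and Email 1 lights up all six categories, Email 3 four of them, and Email 2 none, which is the worksheet's point that an attachment from an expected internal sender is not an indicator by itself. Category 6 is worth keeping even though students cannot see it on the printout: the Authentication-Results header is written by the receiving mail server, not the sender, so it is the one signal in the list that does not come from the attacker's side of the message.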

Pacing - Day 3 (60 min): Social engineering and threat actors

| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:20 | Mini-lesson - social engineering lifecycle | Research → Engage → Exploit → Exit. |
| 0:20 – 0:45 | Activity - threat actor profile cards | Match the breach to the actor type. |
| 0:45 – 1:00 | Discussion - insider threats | Hardest case; least technical defense. |

Day 3 - Threat actor profiles

| Type | Motivation | Real example |
| --- | --- | --- |
| Cybercriminal | Money | Conti / LockBit ransomware crews |
| Hacktivist | Ideology | Anonymous, recent operations against ideologically-targeted orgs |
| Nation-state | Strategic / espionage | Sandworm (NotPetya), APT29 (SolarWinds) |
| Insider | Disgruntlement, money, espionage | Edward Snowden, the average frustrated sysadmin with a USB |

Press: "Which of these does your school's $300/year antivirus stop? Spoiler: none of them, by themselves. Defense in depth, again."

Pacing - Day 4 (60 min): Credential attacks and password hygiene revisited

| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:25 | Mini-lesson - brute force, spray, stuffing | Conceptual only - no live tools. |
| 0:25 – 0:50 | Activity - Have-I-Been-Pwned reflection | Students search their own email (with consent). |
| 0:50 – 1:00 | Exit ticket | "What's the difference between password spray and credential stuffing?" |

Day 4 - The credential-attack family tree

| Attack | What it does | Why it works |
| --- | --- | --- |
| Brute force | Tries every password against one user | Simple but slow; lockouts kill it |
| Password spray | One common password against many users | Avoids lockouts |
| Credential stuffing | Tries leaked username:password pairs from other breaches | Works because people reuse passwords |
| Phishing for creds | Asks the user to type their password into a fake site | Bypasses lockouts and some MFA |
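As an added example for the table above (not part of the lesson pack, and defender-side only, in keeping with the "conceptual only, no live tools" rule), here is Python that separates the three patterns the way a SOC analyst sees them in an authentication log: by counting failures per source and per account. The log line format, the IP addresses and user names, and the four thresholds are all constructed for illustration.

```python
"""Sort failed-login activity into brute force, password spray and credential
stuffing from auth log lines. Added example, not lesson-pack code; the log format
and the thresholds are assumptions constructed for illustration."""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Illustrative thresholds for one short window (tune to the real environment).
BRUTE_FORCE_MIN_ATTEMPTS = 5   # many guesses at one account from one source
SPRAY_MIN_USERS = 5            # one source touching many accounts...
SPRAY_MAX_PER_USER = 2         # ...with a guess or two each, staying under lockout
STUFFING_MIN_SOURCES = 5       # many sources, each trying a leaked pair once

def parse(lines):
    """Parse recognised lines into dicts; silently skip anything else."""
    return [m.groupdict() for m in map(LINE.match, map(str.strip, lines)) if m]

def classify(lines):
    """Return {source: label} for suspicious sources, plus a 'distributed' entry
    when the one-shot sources together look like credential stuffing."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    successes = defaultdict(set)                       # src -> users that logged in
    for e in parse(lines):
        if e["result"] == "failed":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])
    labels = {}
    for src, users in failures.items():
        peak = max(users.values())
        if peak >= BRUTE_FORCE_MIN_ATTEMPTS:
            labels[src] = "brute force"
        elif len(users) >= SPRAY_MIN_USERS and peak <= SPRAY_MAX_PER_USER:
            labels[src] = "password spray"
    # Stuffing sits below both per-source thresholds: each source fails once per
    # user, so look at the one-shot sources collectively and at what they unlocked.
    one_shot = [s for s, u in failures.items() if s not in labels and max(u.values()) == 1]
    users_hit = {u for s in one_shot for u in failures[s]}
    if len(one_shot) >= STUFFING_MIN_SOURCES and len(users_hit) >= STUFFING_MIN_SOURCES:
        unlocked = {u for s in one_shot for u in successes[s]}
        labels["distributed"] = (f"credential stuffing: sources={len(one_shot)} "
                                 f"users={len(users_hit)} successful_logins={len(unlocked)}")
    return labels

# Constructed log lines (RFC 5737 documentation addresses, invented user names).
SAMPLE_LOG = [
    # Brute force: one source hammering one account.
    *[f"2024-03-01T09:00:{i:02d} login failed user=alice src=198.51.100.7" for i in range(6)],
    # Password spray: one source, one guess each against six accounts.
    *[f"2024-03-01T09:05:{i:02d} login failed user={u} src=203.0.113.9"
      for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "gina"])],
    # Credential stuffing: six sources, each trying a different leaked pair once;
    # one pair still works because that user reused the password.
    *[f"2024-03-01T09:10:{i:02d} login failed user={u} src=192.0.2.{i + 1}"
      for i, u in enumerate(["hank", "ivy", "jon", "kim", "lee", "max"])],
    "2024-03-01T09:10:07 login ok user=nora src=192.0.2.3",
    # Normal user: a successful login with no failures.
    "2024-03-01T09:12:00 login ok user=zoe src=10.0.0.5",
]

if __name__ == "__main__":
    for src, label in classify(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
```

The asymmetry in the table shows up directly in the counts: brute force is one account with many failures from one source, a spray is many accounts with one or two failures each from one source, and stuffing only becomes visible when the one-shot sources are viewed together and their successful logins are counted. Tuning the four thresholds is where the real work is. The phishing-for-credentials row has no detection here because it produces a valid login, which is why MFA on the accounts that matter is the control that closes the loop.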

Day 4 - HIBP reflection (10 min)

Students go to haveibeenpwned.com (with consent - never required) and check their personal email address. The conversation that follows is the reason this lesson exists. Tie back to: password manager + unique passwords + MFA on the accounts that matter.

Common misconceptions

  • "Antivirus stops malware." - Modern malware bypasses signature-based AV routinely. Behavior-based EDR helps; user training helps more.
  • "Hackers care about me personally." - Most attacks are opportunistic. You are a target because you are reachable, not because you are special.
  • "I would never fall for phishing." - Anyone, on a bad day, with the right pretext, will. Treat phishing defense as a process, not a personality trait.

Differentiation

  • Reading support: phishing emails are also available with indicators pre-highlighted as a scaffolded version.
  • Verbal processing: have students roleplay the social engineering lifecycle in pairs.
  • Stretch: have advanced students write their own pretext for a fictional target - and then write the defense.

Assessment

  • Day 2 worksheet: 6 indicators per email, 18 total points.
  • Day 3 threat-actor matching: 4 questions, 1 point each.
  • Day 4 exit ticket: short answer, rubric scored.

Career connection

Tier-1 SOC analysts triage phishing reports as their primary daily work. Threat intelligence analysts ($75K–$110K) build the actor profiles you saw today. Awareness-program managers ($65K–$95K) design the training that protects entire organizations.

Homework / next class

Bring in one real phishing email you have personally received (forward it to yourself first; do not click anything). Be ready to identify three indicators next class.

Ready to use this in class?

Unlock the full Cybersecurity I edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.