# Hacker — Extended Definition & Operational Mind-Map

## What a hacker is

A **hacker** is a person with deep technical understanding of systems (hardware, software, networks) who explores and tests their limits to solve problems in non-conventional ways. Historically the term described a mindset of curiosity and mastery (see classic hacker culture); the modern pejorative meaning—“criminal”—is only one subset of the broader concept.
Ethical categories describe intent, not skill: **white-hat (ethical)** — tests with permission to improve security; **gray-hat** — may operate without explicit consent but not primarily to harm; **black-hat** — acts for illicit gain or damage.

## What hackers do (conceptually)

* Map **assets** and the **attack surface**.
* Model **threats** and identify **vulnerabilities**.
* Demonstrate impact and translate findings into **risk** (probability × impact) and practical remediation.
* In ethical contexts, operate under **scope** and rules of engagement and produce evidence-backed reports.
* Malicious actors aim at data theft, extortion, sabotage, or espionage; ethical actors aim at risk reduction and resilience.

## Typical initial access vectors

* **Social engineering / phishing** (human trickery).
* **Compromised credentials** (password reuse, credential stuffing, brute force).
* **Unpatched software / zero-days.**
* **Misconfigurations** (open storage, overly permissive IAM).
* **Exposed services** (RDP, VPN, admin panels).
* **Supply-chain compromises** (malicious updates or vendor compromise).
* **Physical/insider access** (USBs, badges, direct access).

After initial access, attackers typically pursue **persistence**, **privilege escalation**, **lateral movement**, and finally actions on objectives (exfiltration, sabotage, ransom).

## Methodologies and frameworks to structure thinking

* **Cyber Kill Chain (Lockheed Martin)** — attacker-centric sequence: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objective. Useful to decide where to interrupt attacks.
* **MITRE ATT&CK** — taxonomy of real-world tactics and techniques; essential for mapping observed behavior to detection and mitigations.
* **PTES (Penetration Testing Execution Standard)** — practical ethical test workflow: pre-engagement → intelligence gathering → vulnerability analysis → exploitation → post-exploitation → reporting.
* **NIST CSF (and CSF 2.0)** — governance and risk management: Govern, Identify, Protect, Detect, Respond, Recover. Use to link technical controls to business risk.
* **Unified Kill Chain / advanced models** — blend of Kill Chain and ATT&CK for describing complex APT and ransomware campaigns.
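To make the Kill Chain / ATT&CK pairing concrete, here is an added example (not part of the original mind-map, and not a real SIEM content pack) that maps constructed log lines onto ATT&CK tactics and Kill Chain phases, then reports how far an intrusion progressed, i.e. the latest point at which it could still have been interrupted. The rule regexes, log lines and addresses are all hypothetical.

```python
"""Map constructed log events onto Kill Chain phases and ATT&CK tactics (added example)."""
import re

# Lockheed Martin Cyber Kill Chain phases, in attack order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objective"]

# Hypothetical detection rules: (regex over a log line, ATT&CK tactic, Kill Chain phase).
# Each rule names the tactic the observed behaviour belongs to and the phase it occurs in.
RULES = [
    (re.compile(r"sshd.*Failed password for \S+ from \S+"), "Initial Access", "Exploitation"),
    (re.compile(r"crontab.*REPLACE"), "Persistence", "Installation"),
    (re.compile(r"outbound .* dport=4444"), "Command & Control", "Command & Control"),
]


def classify(line):
    """Return (tactic, phase) for the first matching rule, or None if unmatched."""
    for pattern, tactic, phase in RULES:
        if pattern.search(line):
            return tactic, phase
    return None


def triage(lines):
    """Count hits per ATT&CK tactic and return the furthest Kill Chain phase observed.

    The furthest phase shows how deep the intrusion got, which is where the
    defender's controls last had a chance to break the chain.
    """
    counts = {}
    furthest = -1
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        tactic, phase = hit
        counts[tactic] = counts.get(tactic, 0) + 1
        furthest = max(furthest, KILL_CHAIN.index(phase))
    return counts, (KILL_CHAIN[furthest] if furthest >= 0 else None)


# Constructed sample log lines (RFC 5737 test addresses; not from any real incident).
SAMPLE_LOGS = [
    "Jan 10 09:01:02 web1 sshd[412]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jan 10 09:01:03 web1 sshd[412]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Jan 10 09:01:04 web1 sshd[412]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2",
    "Jan 10 09:02:10 web1 crontab[455]: (deploy) REPLACE (deploy)",
    "Jan 10 09:02:30 fw1 kernel: outbound src=10.0.0.5 dst=198.51.100.9 dport=4444 ALLOW",
    "Jan 10 09:05:00 web1 cron[460]: (deploy) CMD (/usr/bin/uptime)",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

Unmatched lines (the successful login, the routine cron run) are deliberately left unclassified so the output reflects only behaviour the rule set can attribute to a tactic.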

## Malware & ransomware — high-level concepts (non-operational)

* **Malware**: software designed to compromise confidentiality, integrity or availability. Common classes: Trojans, Worms, Spyware/Keyloggers, Backdoors, Rootkits, Botnets. Typical components: payload, persistence, C2, and anti-detection/evasion.
* **Ransomware**: malware that encrypts data (often after exfiltrating it) and demands payment. Typical lifecycle: initial access → execution → network discovery → credential harvesting & escalation → lateral movement → exfiltration (often) → encryption → ransom demand.
* **Ransomware-as-a-Service (RaaS)**: an ecosystem where developers provide panels, payloads and infrastructure to affiliates, who execute attacks for revenue share. This industrializes and professionalizes extortion operations.

## Core defensive measures (quick checklist)

* **Govern & Risk**: roles, policies, supply-chain risk, risk appetite.
* **Continuous patching & hardening** for OS, apps, firmware; enforce **MFA** and secrets management.
* **Least privilege** and network segmentation to shrink attack surface.
* **Strong backups (3-2-1)** with offline/immutable copies and regular restore tests.
* **Monitoring & detection**: centralized logs, EDR, SIEM, telemetry mapped to ATT&CK.
* **Email defense & user training** to reduce social engineering success.
* **Vulnerability management** and asset inventory.
* **Incident response playbooks** and regular tabletop/exercise drills.
* Embrace **Zero Trust** principles: verify continuously; don’t trust implicitly.

## Minimal glossary (objects & concepts to recall)

* **Asset**: anything of value (data, systems, identities).
* **Attack surface**: collection of reachable entry points.
* **Threat**: actor or event that can cause harm.
* **Vulnerability**: weakness that can be exploited.
* **Exploit**: technique used to take advantage of a vulnerability.
* **Risk**: likelihood × consequence.
* **Initial Access, Persistence, Privilege Escalation, Lateral Movement, C2 (Command & Control), Exfiltration.**
* **IoC**: Indicator of Compromise (artifact showing compromise).
* **TTP**: Tactics, Techniques, and Procedures (how adversaries operate).
* **Defense-in-Depth**: layered security controls.

## Practical, copy-ready summary (short)

* **Definition**: A hacker is a technically skilled problem-solver who probes systems’ limits; “black-hat” is a criminal subset, while “white-hat” is the ethical practitioner.
* **Initial access**: social engineering, stolen creds, unpatched software, misconfigurations, exposed services, supply-chain or physical access.
* **Method**: think in terms of **Kill Chain** (where to stop attackers), **ATT&CK** (what techniques they use), **PTES** (how ethical tests are run), and **NIST CSF** (how to govern and recover).
* **Ransomware**: top threat vector — access → spread → exfiltrate → encrypt → extort; RaaS lowers attacker barrier.
* **Defense essentials**: governance, patching, MFA, least privilege, segmentation, backup strategy, detection/telemetry, IR playbooks, training.

## Ethical & legal note

Use these capabilities **only** on equipment you own or where you have explicit, written authorization. In professional contexts, document scope and evidence. Aim to apply knowledge toward protection and resilience rather than harm.


