Types of Cyber Threats
Cyber threats span a broad and technically distinct taxonomy that shapes how organizations, regulators, and security professionals classify risk, assign responsibility, and implement controls. The categories covered here — from malware and social engineering to supply chain compromise and denial-of-service attacks — are defined by their mechanism of action, target surface, and the regulatory frameworks that govern response obligations. Accurate classification matters because the applicable legal requirements, detection methods, and cyber safety listings for qualified response professionals differ substantially across threat types.
Definition and scope
A cyber threat is any circumstance or event with the potential to adversely impact organizational operations, assets, individuals, or national security through unauthorized access, destruction, disclosure, modification, or denial of service to an information system (NIST SP 800-30 Rev. 1). The definition used by the National Institute of Standards and Technology (NIST) grounds threat classification in three components: the threat source (who or what initiates the threat), the threat event (the action taken), and the vulnerability being exploited.
The Cybersecurity and Infrastructure Security Agency (CISA) — the primary federal civilian authority for threat identification and coordination — organizes threats across 16 critical infrastructure sectors, each carrying sector-specific exposure profiles. The scope of this taxonomy encompasses threats to networked systems, cloud environments, operational technology (OT), and supply chains. For context on how the service sector around these threats is structured, see the Cyber Safety Directory Purpose and Scope.
How it works
Cyber threats operate through a recognizable attack lifecycle. MITRE ATT&CK, a publicly maintained adversarial knowledge base, catalogs threat actor tactics under 14 tactic categories, from initial reconnaissance through impact; the tactics describe adversary goals rather than a strict order of execution. The Lockheed Martin Cyber Kill Chain model, frequently referenced alongside ATT&CK, breaks adversarial action into seven discrete, ordered steps:
- Reconnaissance — Gathering intelligence on targets through open-source channels, network scanning, or social platforms.
- Weaponization — Developing or acquiring exploit tools, malicious payloads, or phishing infrastructure.
- Delivery — Transmitting the attack vector via email, removable media, compromised websites, or software supply chains.
- Exploitation — Triggering vulnerability execution on the target system.
- Installation — Establishing persistence through backdoors, rootkits, or scheduled tasks.
- Command and Control (C2) — Maintaining remote access channels to direct compromised systems.
- Actions on Objectives — Executing the intended outcome: data exfiltration, ransomware deployment, or service disruption.
Understanding which phase an incident has reached determines the appropriate containment strategy and drives mandatory incident reporting timelines under frameworks such as CISA's Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which establishes a 72-hour reporting window for covered entities.
Common scenarios
The threat landscape resolves into distinct categories with different mechanisms, legal implications, and professional response requirements.
Malware encompasses ransomware, spyware, trojans, and worms — software designed to damage, disrupt, or gain unauthorized access. Ransomware specifically has triggered sector-wide regulatory attention; the U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has issued guidance (OFAC Ransomware Advisory, 2020) warning that ransom payments to sanctioned entities may violate federal law regardless of victim circumstance.
Phishing and social engineering exploit human behavior rather than technical vulnerabilities. Spear phishing targets specific individuals with tailored pretexts; business email compromise (BEC) — a subcategory tracked by the FBI's Internet Crime Complaint Center (IC3) — generated adjusted losses exceeding $2.9 billion in 2023 (FBI IC3 2023 Annual Report).
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks flood systems or networks with traffic to degrade or eliminate availability. DDoS differs from DoS in that attack traffic originates from distributed botnets rather than a single source — a distinction with significant forensic and attribution consequences.
Supply chain attacks compromise software or hardware upstream of the target organization. The SolarWinds incident — in which threat actors embedded malicious code into a widely distributed software update — demonstrated how a single supply chain compromise can cascade across 18,000 or more downstream organizations (CISA Alert AA20-352A).
Insider threats originate from current or former employees, contractors, or partners with authorized access. NIST defines the insider threat specifically as "the potential for an insider to use their authorized access, wittingly or unwittingly, to do harm to the security of the United States" (NIST SP 800-53 Rev. 5).
Advanced Persistent Threats (APTs) represent nation-state or sophisticated criminal actors maintaining long-term, stealthy access to targeted networks. APTs are distinguished from opportunistic threats by their persistence, resourcing, and specific strategic objectives.
Decision boundaries
Distinguishing between threat types is not merely taxonomic — it governs which regulatory obligations activate, which response professionals hold relevant credentials, and which technical controls are prioritized.
Malware vs. insider threat: Evidence of malware intrusion points toward external-actor response protocols, while insider threat indicators trigger HR, legal, and access-control review procedures under frameworks like the NIST Insider Threat Guide and applicable employment law. The distinction also affects whether the Computer Fraud and Abuse Act (18 U.S.C. § 1030) is the relevant statute for any prosecution.
Phishing vs. supply chain: A phishing attack targets an individual credential or session; supply chain compromise targets the integrity of a trusted artifact before it reaches the organization. Detection tooling, forensic scope, and vendor notification obligations differ substantially between these categories.
DoS vs. APT: Availability attacks are typically detected and resolved within hours; APT intrusions may persist for months undetected. The response timeline, forensic resource requirements, and federal notification thresholds differ accordingly. CIRCIA's reporting obligation applies to covered critical infrastructure entities regardless of threat type, but post-incident analysis methodology varies by attack class.
Organizations navigating response options can reference the How to Use This Cyber Safety Resource page for guidance on locating qualified professionals by threat specialization.
References
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems
- CISA — Cybersecurity and Infrastructure Security Agency
- CISA Alert AA20-352A — SolarWinds Supply Chain Compromise
- MITRE ATT&CK Framework
- FBI Internet Crime Complaint Center (IC3) 2023 Annual Report
- OFAC Ransomware Advisory (October 2020)
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)