How to Map an Attack
For any incident, ask three questions in order. Did someone see data who should not have? Did someone change data who should not have? Did someone prevent legitimate access to data or systems?
The answers are not mutually exclusive. Most real incidents violate more than one pillar. A ransomware attack that exfiltrates data before encrypting it violates confidentiality, integrity (changed file contents through encryption), and availability simultaneously. The discipline is to identify every pillar that was actually touched and explain how, rather than picking one favored answer.
When mapping, also distinguish between direct and downstream violations. A phishing email that steals credentials directly violates confidentiality: the credentials are disclosed to someone not authorized to hold them (the forged sender is an authenticity failure in hexad terms). The credentials are then used to log in, and what follows downstream may violate any pillar depending on what the attacker does next. Most courses, and most exam questions, ask about the direct violation. Production incident analysis should consider both.
How to Read the Table
The table below uses three letters in fixed positions to show which pillars an attack violates.
- C in the first position means the attack violates Confidentiality.
- I in the second position means the attack violates Integrity.
- A in the third position means the attack violates Availability.
- A dash (-) in any position means the attack does not directly violate that pillar.
So C-A means confidentiality and availability are violated; integrity is not. CIA means all three are violated. The Justification column gives a one-sentence reason for each tag.
The Attack Map
| Attack | Pillars | Justification |
|---|---|---|
| Eavesdropping / sniffing | C-- | Captures plaintext traffic the attacker is not authorized to read. No modification, no denial. |
| Phishing (credential capture) | C-- | Direct violation is disclosure of credentials. Downstream violations depend on what the attacker does with the credentials. |
| SQL injection (data read) | C-- | Attacker extracts database contents they are not authorized to see. |
| SQL injection (data modify or drop) | -IA | UPDATE or DELETE via injection breaks integrity; DROP TABLE additionally breaks availability. |
| Cross-site scripting (XSS) | CI- | Steals session tokens (confidentiality) and can modify rendered content or perform actions on the user's behalf (integrity). |
| Cross-site request forgery (CSRF) | -I- | Forces authenticated user to perform unintended state-changing requests; primary harm is unauthorized modification. |
| Man-in-the-middle (passive) | C-- | Reads traffic between two parties without altering it. |
| Man-in-the-middle (active) | CI- | Reads and modifies traffic between two parties. |
| Malware: data exfiltration | C-- | Copies sensitive data to attacker infrastructure. |
| Malware: keylogger | C-- | Captures input including credentials and sensitive content. |
| Malware: rootkit | CIA | System integrity is violated by design; attacker uses that foothold to violate any pillar. |
| Ransomware | CIA | Modern ransomware exfiltrates (C), encrypts in place (I), and denies access until ransom is paid (A). |
| Wiper malware | -IA | Destroys data and makes systems unusable. No data leaves the victim. |
| Denial of service (DoS / DDoS) | --A | Pure availability attack. No data is read or modified. |
| Spoofing (IP, ARP, DNS) | CI- | Tricks systems into trusting attacker-controlled endpoints; enables interception (C) and content manipulation (I). |
| Tampering with logs | -I- | Modifies the integrity of audit records. Often a cover-up for another attack, in which case the primary attack determines additional pillars. |
| Privilege escalation | CIA | Once elevated, the attacker can violate any pillar. Direct effect is on integrity (system permissions); downstream is unbounded. |
| Brute-force / credential stuffing | C-- | Gaining unauthorized access. Like phishing, the direct violation is the credential; downstream violations depend on actions taken. |
| Social engineering (data disclosure) | C-- | Tricks a human into disclosing information they are authorized to know but not authorized to share. |
| Business email compromise (BEC) | -I- | Forged sender authority causes recipient to take action (wire transfer, credentials reset) under false pretenses. Authenticity in hexad terms. |
| Insider data theft | C-- | Authorized read access used to copy data for unauthorized purposes. |
| Insider sabotage | -IA | Authorized write access used to destroy or corrupt data. |
| Supply-chain attack | CIA | Compromised vendor software inherits the privileges of the legitimate product, enabling any pillar to be violated downstream. |
| Physical theft of device | C-A | Confidentiality at risk depending on encryption; availability is reduced for the original owner. Possession in hexad terms is always violated. |
| Buffer overflow (exploit) | CIA | Successful exploitation gives attacker code execution; outcome depends on payload but enables any pillar to be violated. |
| Misconfiguration disclosure | C-- | Open S3 bucket, public database, exposed dashboard. Disclosure without modification. |
| Replay attack | -I- | Re-sending a legitimate message to cause an unauthorized action; authenticity in hexad terms. |
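The two SQL injection rows above are the clearest case of one vulnerability mapping to different pillars depending on what the payload does. The following is an added example written for this page, not code from the course material or the exercise: it runs a read payload and a modify payload through the same string-concatenation flaw against a constructed in-memory SQLite table, derives the tag from what each request actually touched (every row disclosed is C, every row rewritten is I), and shows that the parameterized versions treat the identical payloads as literal values. The table, the user names and the `pillars_for` helper are assumptions made for the demonstration.

```python
import sqlite3


def seed():
    """Constructed sample database for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO users VALUES (2, 'bob',   'bob@example.test');
        INSERT INTO users VALUES (3, 'carol', 'carol@example.test');
    """)
    return conn


# --- Deliberately vulnerable: caller input is pasted into the SQL text. ---
def profile_vulnerable(conn, username):
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def set_email_vulnerable(conn, user_id, email):
    sql = f"UPDATE users SET email = '{email}' WHERE id = {user_id}"
    return conn.execute(sql).rowcount      # rows the statement really changed


# --- Hardened: same queries with bound parameters; input can only be a value. ---
def profile_safe(conn, username):
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def set_email_safe(conn, user_id, email):
    return conn.execute(
        "UPDATE users SET email = ? WHERE id = ?", (email, user_id)
    ).rowcount


def pillars_for(rows_disclosed, rows_authorized, rows_changed, rows_intended):
    """Tag in the table's C/I/A notation from what the request touched:
    reading beyond the authorized row set is C, changing beyond the
    intended row set is I. A single SELECT/UPDATE cannot deny service,
    so the A position stays '-' here (assumption of this demo)."""
    c = "C" if rows_disclosed > rows_authorized else "-"
    i = "I" if rows_changed > rows_intended else "-"
    return c + i + "-"


def demo():
    conn = seed()
    # Read payload: the caller may see one profile and receives all three.
    leaked = profile_vulnerable(conn, "bob' OR '1'='1")
    read_tag = pillars_for(len(leaked), 1, 0, 0)
    # Modify payload: the caller may change their own row and rewrites every row.
    changed = set_email_vulnerable(conn, "2 OR 1=1", "attacker@example.test")
    write_tag = pillars_for(0, 0, changed, 1)
    # Hardened versions: the same payload strings match nothing.
    safe_rows = profile_safe(conn, "bob' OR '1'='1")
    safe_changed = set_email_safe(conn, "2 OR 1=1", "x@example.test")
    legit_changed = set_email_safe(conn, 2, "bob@example.test")
    return {
        "leaked": len(leaked), "read_tag": read_tag,
        "changed": changed, "write_tag": write_tag,
        "safe_rows": len(safe_rows), "safe_changed": safe_changed,
        "legit_changed": legit_changed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

The point for triage is that the tag follows the observed effect, not the vulnerability class: the same injection point is C-- when the payload reads and -I- when it writes, and a DELETE or DROP TABLE through it would add A.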
Ambiguous Cases Worth Discussing
A few attacks resist clean mapping and are worth thinking through carefully. They often appear on exams precisely because they expose whether a student understands the model or has memorized the table.
Log tampering. If logs are the audit record of other activity, modifying them affects integrity of the logs themselves. But the reason an attacker modifies logs is usually to conceal a different attack. The direct violation is integrity. The fact that detection of the original attack is now impaired touches all three pillars indirectly.
Phishing with no action taken. If a phishing email is delivered but the recipient does not click, has any pillar been violated? Most analyses say no, because no actual disclosure or modification occurred. The email is a threat, not an incident. But some frameworks count the delivery itself as a violation of confidentiality of contact information (a message that does not bounce, or whose tracking pixel is fetched when the mail is opened, tells the attacker the address is live), which is defensible.
Data destroyed by accident. An admin runs `rm -rf /` on a production server and destroys data. Is this an integrity violation, an availability violation, or both? The CIA model classifies both: integrity because the data was changed (specifically, deleted) by an action nobody had authorized, even though the admin held the permission to run the command; availability because the data is now inaccessible. Whether the change was malicious does not affect the mapping.
Watering-hole attack. Attacker compromises a legitimate site that the target visits. Visiting the site downloads malware to the target. Which pillars are violated, and on which system? On the watering hole site, integrity is violated (page contents modified to serve malware). On the target, depending on the malware, any pillar may be violated. The mapping requires you to specify which system is being analyzed.
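The three triage questions, the direct/downstream split from the mapping section, and the per-system rule from the watering-hole case can all be enforced by recording what was observed and deriving the tag from the record instead of picking it up front. The following is an added example written for this page, not code from the course or the exercise: each observed effect is an Event on a named system with a stage, `tag` builds the fixed-position C/I/A string, `parse_tag` validates a tag in the table's notation, and `map_incident` reports direct, downstream and combined tags per system with the justification notes grouped by pillar. The two constructed incidents, the system names and the helper names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# The three triage questions, in order: did someone read, change, or deny
# access to data or a system they should not have?
READ, MODIFY, DENY = "read", "modify", "deny"
EFFECT_TO_PILLAR = {READ: "C", MODIFY: "I", DENY: "A"}
DIRECT, DOWNSTREAM = "direct", "downstream"


@dataclass(frozen=True)
class Event:
    """One observed effect on one system. `stage` keeps the initial
    violation apart from what the attacker did with the foothold."""
    system: str
    effect: str      # READ, MODIFY or DENY
    stage: str       # DIRECT or DOWNSTREAM
    note: str = ""   # one-line justification, as in the table's last column

    def __post_init__(self):
        if self.effect not in EFFECT_TO_PILLAR:
            raise ValueError(f"unknown effect {self.effect!r}")
        if self.stage not in (DIRECT, DOWNSTREAM):
            raise ValueError(f"unknown stage {self.stage!r}")


def tag(events):
    """Three fixed positions C, I, A; '-' where that pillar was not touched."""
    touched = {EFFECT_TO_PILLAR[e.effect] for e in events}
    return "".join(p if p in touched else "-" for p in "CIA")


def parse_tag(text):
    """Return the pillars named by a tag in the table's notation.
    Rejects tags of the wrong length or with a letter out of position ('CA-')."""
    if len(text) != 3:
        raise ValueError(f"tag must have exactly three positions: {text!r}")
    pillars = set()
    for position, letter in zip("CIA", text):
        if letter == position:
            pillars.add(letter)
        elif letter != "-":
            raise ValueError(f"{letter!r} not allowed in the {position} position of {text!r}")
    return pillars


def map_incident(events):
    """Per system: direct tag, downstream tag, combined tag, and notes by pillar."""
    by_system = defaultdict(list)
    for e in events:
        by_system[e.system].append(e)
    result = {}
    for system, evs in by_system.items():
        why = defaultdict(list)
        for e in evs:
            if e.note:
                why[EFFECT_TO_PILLAR[e.effect]].append(f"{e.stage}: {e.note}")
        result[system] = {
            DIRECT: tag(e for e in evs if e.stage == DIRECT),
            DOWNSTREAM: tag(e for e in evs if e.stage == DOWNSTREAM),
            "all": tag(evs),
            "why": dict(why),
        }
    return result


# Constructed sample: the watering-hole case. Two systems, so two tags.
WATERING_HOLE = [
    Event("vendor-site", MODIFY, DIRECT, "product page altered to serve a malicious download"),
    Event("target-laptop", MODIFY, DOWNSTREAM, "malware installed with the user's privileges"),
    Event("target-laptop", READ, DOWNSTREAM, "saved browser credentials copied out"),
]

# Constructed sample: credential phishing, then ransomware on a file server.
PHISH_TO_RANSOMWARE = [
    Event("finance-user", READ, DIRECT, "credentials typed into the attacker's login page"),
    Event("file-server", READ, DOWNSTREAM, "share contents exfiltrated before encryption"),
    Event("file-server", MODIFY, DOWNSTREAM, "files overwritten with encrypted copies"),
    Event("file-server", DENY, DOWNSTREAM, "no usable copy until ransom or restore"),
]


if __name__ == "__main__":
    for name, incident in (("watering hole", WATERING_HOLE),
                           ("phish -> ransomware", PHISH_TO_RANSOMWARE)):
        print(name)
        for system, r in map_incident(incident).items():
            print(f"  {system:14} direct={r[DIRECT]} downstream={r[DOWNSTREAM]} all={r['all']}")
            for pillar, notes in r["why"].items():
                for note in notes:
                    print(f"    {pillar}: {note}")
```

Keeping the system name on every event is what makes the watering-hole answer come out as two tags (-I- on the vendor site, CI- on the target) rather than one, and keeping the stage is what lets an exam-style answer report only the direct tag while an incident report keeps both.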
Practice: The Security Incident Triage Exercise
The Security Incident Triage exercise in Rolling Thunder Security gives you eight scenarios. For each one, you identify the violated pillars, justify your tagging, and propose a control that would have prevented the incident. The exercise is graded on the consistency of your reasoning, not on whether you match this table exactly.
The scenarios, with one-line answers from this table:
- Unlocked laptop photographed by a passerby. C through physical disclosure.
- Disgruntled admin modifies payroll figures. I through insider sabotage of authorized write access.
- Ransomware encrypts file server with no backups. CIA through modern ransomware behavior plus the absence of recovery capability.
- Unencrypted API tokens intercepted on the network. C through eavesdropping. Downstream depends on what is done with the tokens.
- Admin drops production table by accident. I and A, for the same reason as the accidental deletion discussed above: intent does not change the mapping.
- Executive email compromise leaks product roadmap. C through unauthorized disclosure.
- Log files tampered with to hide unauthorized access. I on the logs; the unauthorized access itself is a separate confidentiality violation.
- DDoS attack overwhelms website during product launch. A.
If your tagging differs from the table here in a defensible way, your tagging is right. The model is a thinking aid, not a binary classifier.