Module 08 · Code that wants something from you

Malware

Software written to do something the owner of the computer would not consent to if asked. Six decades of the same problem dressed in different clothes: how does code get on the box, what does it do once it is there, and how does it stay. This module covers the families, the lifecycle, and the defensive stack — capped with a tabletop exercise where you make the calls during a ransomware incident.

7 Reference Pages · Module 08 · 1 Tabletop Lab

The historical trajectory of malware is not a story of attackers getting smarter, exactly — the techniques in WannaCry (2017) were already old in Code Red (2001). The story is one of monetization: once attackers worked out how to convert access to dollars at scale, every other piece of the lifecycle — delivery, persistence, lateral movement, exfiltration — got industrialized to feed the pipeline.

The rule that ties this module together: defenses must disrupt the chain, not catch the payload. Catching the binary signature was a 1990s sport. Modern defense is about breaking the kill chain at as many stages as possible so that no single defensive failure ends the game.

08.A

Reference Pages

08.01
Foundations & Taxonomy
What malware is, the three-axis taxonomy (intent + propagation + payload), and the parasitic family — spyware, adware, cryptojackers — covered briefly here. A framework for classifying any new sample you encounter.
Live
08.02
Viruses & Worms
The propagating originals. Virus = host-dependent; worm = self-propagating. From Morris (1988) through ILOVEYOU, Code Red, Conficker, and the worm component of WannaCry that turned a ransomware family into a global outage.
Live
08.03
Trojans, Droppers, Loaders
The deception family. The user runs them voluntarily. Modern multi-stage chains (Emotet → TrickBot → Ryuk) where each stage's only job is to fetch the next, defeating signature-based detection.
Live
08.04
Ransomware
The killer app of the 2020s. Crypto-locker mechanics, RaaS economics, double extortion, the named incidents (Colonial Pipeline, JBS, Maersk/NotPetya, Change Healthcare, MGM). Interactive timeline of a typical attack.
Live
08.05
Rootkits & Bootkits
Persistence and stealth at the lowest possible layer. User-mode vs kernel-mode rootkits, bootkits, UEFI implants (LoJax, MoonBounce, BlackLotus). The Sony BMG rootkit scandal that defined the category for the public.
Live
08.06
The Kill Chain
Lockheed Martin's seven phases (Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives) plus MITRE ATT&CK as the modern, finer-grained alternative. Step through a real ransomware attack mapped to each phase.
Live
08.07
Defenses
EDR/XDR, application allowlisting, network segmentation, immutable backups (3-2-1-1-0), least privilege, patch cadence, security awareness. Mapped to which kill-chain stages each defense disrupts, with the trade-offs each one carries.
Live
08.B

Hands-On Lab

LAB
Ransomware Tabletop Exercise
You are the IR commander. A ransomware note appears on the CFO's laptop at 4:17 AM. Walk the team through detection → containment → eradication → recovery → lessons-learned. Every choice branches; some choices lose the company a week and others lose it everything. Mapped to NIST SP 800-61.
Lab