MODULE 01 · INFORMATION SECURITY

Introduction to Ethical Hacking

Kill-chain mapping, MITRE ATT&CK technique IDs.

Tags: MITRE ATT&CK · Cyber Kill Chain · CVE
4 labs · 1 challenge

What is Ethical Hacking?

Ethical hacking is the authorised, scoped, and lawful emulation of adversary tradecraft against an organisation's assets to expose weaknesses before criminals do. The defining word is authorisation — written, signed, with explicit scope, time-box, and rules of engagement. Without it the same actions are felonies under laws like the US CFAA, the UK Computer Misuse Act, and India's IT Act §43/§66.

The CIA Triad + DAD

Every defensive control and every offensive objective ultimately maps to Confidentiality, Integrity, or Availability. Attackers chase the inverse — Disclosure, Alteration, Destruction (DAD). CEH expects you to classify any incident into one of these six outcomes, e.g. ransomware = Availability loss + Disclosure (double-extortion), defacement = Integrity loss.

Threat actors & motivations

Script kiddies (low skill, opportunistic), hacktivists (ideology), organised cybercrime (financial), insiders (access + grievance), state-sponsored APTs (espionage/sabotage), and cyber-terrorists (disruption). Motivation drives TTPs — APTs invest in zero-days and long-dwell persistence; ransomware crews prefer IAB-sourced VPN access and rapid encryption.

Cyber Kill Chain (Lockheed Martin)

Seven phases: Recon → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Breaking any single link disrupts the attack. CEH commonly tests which phase a control mitigates — e.g. EDR memory scanning hits Installation, egress filtering hits C2, user awareness training hits Delivery.

MITRE ATT&CK Framework

A living matrix of 14 Enterprise tactics (the adversary's goal — Initial Access, Execution, Persistence, …, Impact) and hundreds of techniques (the how — T1059 Command Interpreter, T1547.001 Registry Run Keys, T1105 Ingress Tool Transfer). Sub-techniques use dotted notation (T1059.001 = PowerShell). Unlike the Kill Chain, ATT&CK is non-linear and built from observed in-the-wild behaviour.
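Worked example (added here; not part of the module's own material) covering the two points above, technique-ID notation and the Kill Chain section's question of which link a control breaks: a small Python helper that validates ATT&CK technique IDs, resolves them to tactics, and groups them by kill-chain phase. The technique-to-tactic table is a constructed subset of Enterprise ATT&CK, and the tactic-to-phase crosswalk is this example's own assumption, not an official MITRE or Lockheed Martin mapping.

```python
import re
from collections import defaultdict

# Constructed subset of Enterprise ATT&CK for this example (assumption: a real
# tool would load the full STIX bundle published by MITRE instead).
TECHNIQUE_TACTICS = {
    "T1595": ("Reconnaissance",),
    "T1588": ("Resource Development",),
    "T1566": ("Initial Access",),
    "T1059": ("Execution",),
    "T1547": ("Persistence", "Privilege Escalation"),
    "T1003": ("Credential Access",),
    "T1021": ("Lateral Movement",),
    "T1105": ("Command and Control",),
    "T1048": ("Exfiltration",),
    "T1486": ("Impact",),
}

# One defensible crosswalk from the 14 ATT&CK tactics onto the seven Lockheed
# Martin phases (assumption: this is the example's own judgement, not an
# official mapping; several tactics collapse into Installation or Actions).
TACTIC_TO_PHASE = {
    "Reconnaissance": "Reconnaissance",
    "Resource Development": "Weaponization",
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Privilege Escalation": "Installation",
    "Defense Evasion": "Installation",
    "Command and Control": "Command & Control",
    "Credential Access": "Actions on Objectives",
    "Discovery": "Actions on Objectives",
    "Lateral Movement": "Actions on Objectives",
    "Collection": "Actions on Objectives",
    "Exfiltration": "Actions on Objectives",
    "Impact": "Actions on Objectives",
}

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objectives"]

# Technique IDs are T + four digits, sub-techniques add a dotted three-digit suffix.
TECHNIQUE_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_technique_id(tid):
    """Validate an ATT&CK technique ID; return (parent_id, sub_id or None)."""
    m = TECHNIQUE_RE.match(tid.strip().upper())
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return "T" + m.group(1), m.group(2)


def tactics_for(tid):
    """Tactics a technique belongs to; sub-techniques inherit their parent's tactics."""
    parent, _sub = parse_technique_id(tid)
    return TECHNIQUE_TACTICS.get(parent, ())


def phases_for(tid):
    """Kill-chain phases for a technique, in chain order."""
    return sorted({TACTIC_TO_PHASE[t] for t in tactics_for(tid)}, key=KILL_CHAIN.index)


def map_report(technique_ids):
    """Group observed technique IDs by kill-chain phase, earliest phase first.
    Well-formed IDs missing from the table land under 'unmapped'; malformed IDs raise."""
    by_phase = defaultdict(list)
    for tid in technique_ids:
        phases = phases_for(tid)
        if not phases:
            by_phase["unmapped"].append(tid)
        for p in phases:
            by_phase[p].append(tid)
    ordered = {p: by_phase[p] for p in KILL_CHAIN if p in by_phase}
    if "unmapped" in by_phase:
        ordered["unmapped"] = by_phase["unmapped"]
    return ordered


def earliest_phase(technique_ids):
    """The first link in the chain where a control could have stopped this intrusion."""
    mapped = [p for p in map_report(technique_ids) if p != "unmapped"]
    return mapped[0] if mapped else None


if __name__ == "__main__":
    # Constructed sample: IDs as they might be listed in an incident write-up.
    # T9999 is a deliberately non-existent ID to show the 'unmapped' path.
    observed = ["T1566.001", "T1059.001", "T1547.001", "T1105", "T1486", "T9999"]
    for phase, ids in map_report(observed).items():
        print(f"{phase:24s} {', '.join(ids)}")
    print("earliest break point:", earliest_phase(observed))
```

Because the same technique can serve two tactics (T1547.001 is both Persistence and Privilege Escalation), the lookup returns a tuple rather than a single string and the phase set is de-duplicated; that is also why ATT&CK is described above as non-linear while the Kill Chain is strictly ordered.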

Penetration-testing methodology

Pre-engagement (scope, ROE, NDA, get-out-of-jail letter) → Reconnaissance → Scanning & Enumeration → Vulnerability Analysis → Exploitation → Post-Exploitation (privilege escalation, lateral movement, persistence, exfil simulation) → Reporting & Re-test. Engagement types: Black-box (zero knowledge), Grey-box (limited credentials/docs), White-box (full source + architecture). Modes: External, Internal, Web App, Wireless, Social-Engineering, Red Team, Purple Team.

Standards, laws & frameworks

Risk frameworks: NIST CSF (Identify-Protect-Detect-Respond-Recover) and NIST SP 800-30 (risk = likelihood × impact). Governance: ISO/IEC 27001 (ISMS), SOC 2 (trust services). Privacy: GDPR (EU), HIPAA (US healthcare), PCI-DSS (cardholder data — pen-test required §11.3), DPDP Act 2023 (India). Pentest methodologies: PTES, OSSTMM, OWASP WSTG, NIST SP 800-115.

CEH v13 exam focus & common traps

Memorise: 7 kill-chain phases in order, 14 ATT&CK tactics, CIA vs DAD, hat colours (white/black/grey/red/blue/purple/green), vulnerability vs threat vs risk vs exposure, defence-in-depth layers, and the CVSS v3.1 metric groups (Base / Temporal / Environmental). Common traps: confusing risk and threat, calling zone transfer 'passive' (it's active), assuming ATT&CK and Kill Chain are interchangeable (they aren't — ATT&CK starts after Initial Access in Lockheed terms).