9 Kill Chains
Up to this point, we've talked about individual threats. But in the real world, individual threats are less interesting than the chains that bring them together into an attack on a system.
Rebels analyze the stolen Death Star plans and find a weakness. The Death Star conveniently shows up (rather than a fleet of Star Destroyers), and the Rebels are able to use their X-Wing fighters and Jedi-in-training to deliver a torpedo to precisely the right spot, where it destroys the Death Star.
Other than X-Wings and Death Stars, threats don't show up in a vacuum. Technology has a context, and that context defines the attacker's journey. For every attack, an attacker will engage in some reconnaissance or experimentation. That may be as limited as “Send attack packets to sequential IP addresses” or as sophisticated as “We'll set up a collection of fake businesses, and then recruit people to ‘work from home,’ reshipping packages and laundering money for us.” Even the folks who scan sequential IP addresses need to hear the responses, put those into a database, and then use the results.
To this point, we've looked at individual threats: the building blocks that attackers will combine into something useful to them. Let me present an example of a chain:
- Analyze the plans for the Death Star. (Reconnaissance.)
- Discover that a small fighter might deliver a torpedo. (Weaponization.)
- Fly to the Death Star, fly down a trench. (Delivery.)
- Make the shot. It's like shooting womp rats ...
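The chain above is the point of the chapter: a scan, a weaponized payload and a delivery are each unremarkable alone, and only become an attack when they line up in order against one target. The same idea drives detection engineering, where individual alerts are stitched into per-attacker chains. The following is an added example, not code from the book: it takes a set of constructed detection records, maps each to one of the phases named in the chapter (reconnaissance, weaponization, delivery, exploitation), and keeps only the actors whose detections advance through the chain in order. The event format, the `EVENT_PHASE` mapping and the sample IP addresses are assumptions for illustration.

```python
"""Kill-chain correlator: stitch individual detections into per-attacker chains.

Added example, not from the book. Phase names follow the order used in the
chapter (reconnaissance, weaponization, delivery, exploitation); the event
format and the detection-type-to-phase rules are assumptions for illustration.
"""
from collections import defaultdict

# Canonical phase order: an attack "progresses" when later phases follow earlier ones.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}

# Hypothetical mapping from individual detection types to kill-chain phases.
EVENT_PHASE = {
    "port_scan": "reconnaissance",
    "dns_enum": "reconnaissance",
    "malware_build_seen": "weaponization",
    "phishing_email": "delivery",
    "usb_drop": "delivery",
    "macro_exec": "exploitation",
}


def classify(event):
    """Return the kill-chain phase for a single detection, or None if unknown."""
    return EVENT_PHASE.get(event["type"])


def build_chains(events, min_phases=2):
    """Group detections by actor, order them in time, and keep only actors whose
    detections advance through at least `min_phases` distinct phases in
    kill-chain order.

    Returns {actor: [phase, ...]} with phases in the order first observed.
    """
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        phase = classify(ev)
        if phase is None:
            continue  # unknown detection type: not part of any chain
        by_actor[ev["actor"]].append(phase)

    chains = {}
    for actor, phases in by_actor.items():
        # Keep the first occurrence of each phase; repeated scans are one step.
        seen = []
        for p in phases:
            if p not in seen:
                seen.append(p)
        # Only count phases that appear in chain order; an "exploitation" alert
        # followed later by a scan does not make a two-step chain.
        ordered = seen[:1]
        for p in seen[1:]:
            if PHASE_INDEX[p] > PHASE_INDEX[ordered[-1]]:
                ordered.append(p)
        if len(ordered) >= min_phases:
            chains[actor] = ordered
    return chains


# Constructed sample detections (not real data): one actor that scans, then
# delivers a phishing mail, then triggers a macro; one that only scans.
SAMPLE_EVENTS = [
    {"ts": 1, "actor": "203.0.113.7", "type": "port_scan"},
    {"ts": 2, "actor": "203.0.113.7", "type": "port_scan"},
    {"ts": 3, "actor": "198.51.100.9", "type": "port_scan"},
    {"ts": 4, "actor": "203.0.113.7", "type": "phishing_email"},
    {"ts": 5, "actor": "203.0.113.7", "type": "macro_exec"},
    {"ts": 6, "actor": "198.51.100.9", "type": "unknown_blip"},
]

if __name__ == "__main__":
    for actor, chain in build_chains(SAMPLE_EVENTS).items():
        print(actor, " -> ".join(chain))
```

Run stand-alone, it reports only `203.0.113.7`, whose detections line up as reconnaissance, delivery, exploitation; the actor that only scanned is just noise at `min_phases=2`. The design choice worth noting is the ordering check: a correlator that merely counts distinct phases per actor would also flag sequences that run backwards, which are far more likely to be unrelated alerts than a single attacker's journey.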