Delivery

In order to actually exploit the vulnerability identified during weaponization, the attacker must deliver the exploit to the target. In the case of the castle example, even if we know that the wall is vulnerable to tunneling, we need to get the engineers and shovels to the wall. This activity might be a little bit suspicious!

Having developed a great tool during weaponization that will open a backdoor into any system that executes it, the attacker must get the tool to the right place and get it to execute. Delivery vectors may include tricking someone into opening a connection over the internet (for example, through a rogue link in an email), or through mobile storage devices like USB sticks (for example, a USB drop attack). There are also other vectors, which will be discussed later in this chapter.

To combat threats during the delivery phase, security professionals may consider scanning emails and/or restricting which USB drives may be connected to the system. These measures will cover many attacks. The difficulty is that the security systems themselves may end up being so restrictive that they achieve a denial of service all of their own; might this be achieving the attacker's aim for them?

Remember that, in cybersecurity terms, it isn't possible to monitor activity outside of the network or office. Where defenders in the castle example can look over the wall, and physical security guards can look out or have CCTV, it is very difficult for an organization to monitor outside its logical network. If it were to create a demilitarized zone or buffer between the public internet and its own internal networks, this would just shift the boundary of its network outwards. Even checking for USB drives connecting to network devices relies on direct contact between the USB memory device and the USB port on the network device. In the case of an email, the email has to actually arrive at the email servers to be scanned and categorized.
