5 Phases of a Cyber Attack

No one has resources to do everything perfectly. In cyber security, your goal should be constant improvement. Knowing your enemy’s objectives helps. What happens in each phase of an attack?

Here, F-Secure Cyber Security Team lay it out for us:

Phase 1: Recon
Timeline: months before detection

The attacker’s first goal is to identify potential targets for their mission. Attackers are often motivated by financial gain, access to sensitive information or damage to your brand.

The attacker may collect information about the company from LinkedIn and the corporate website, information on security systems and available entry points. They may even visit the company building, an event or call the secretary. The attacker might set up a fake company, register domains and create fake profiles for social engineering purposes.

Once the attacker determines what defences are in place, they choose their weapon. The selected vector is often impossible to prevent or detect. It can be a zero-day exploit, a spear-phishing campaign or bribing an employee. Usually there is a minimal business impact.

Phase 2: Intrusion and presence
Timeline: months before detection

At the second phase of a cyber-attack, the attacker seeks to breach the corporate perimeter and gain a persistent foothold in the environment.

They may have spear-phished the company to gain credentials, used valid credentials to access the corporate infrastructure and downloaded more tools to access the environment. This is virtually untraceable.

Phase 3: Lateral movement
Timeline: months or weeks before detection

Once the attacker has established a connection to the internal network, they seek to compromise additional systems and user accounts. Their goal is to expand the foothold and identify the systems housing the target data.

The attacker searches file servers to locate password files and other sensitive data, and maps the network to identify the target environment.

The attacker is often impersonating an authorized user. Therefore it is very difficult to spot the intruder in this phase.

Phase 4: Privilege escalation
Timeline: weeks or days before detection

Finally the attacker gains access to the target data. Mail servers, document management systems and customer data are compromised.

Phase 5: Complete mission
Timeline: day 0

The attacker reaches the final stage of their mission. They exfiltrate the customer data they were after, corrupt critical systems and disrupt business operations. Then they destroy all evidence with ransomware.

The cost to the company rises exponentially if the attack is not defeated.

In this example the target was reached before detection. This is typical. Data breaches are extremely difficult to detect, because attackers use common tools and legitimate credentials.

That’s why you need to stay alert at all times. With cyber security, you are never done.

This fictional example is based on experience from real-life cases and experience of our ethical hackers. F-Secure Cyber Security Team test is an eye-opening exercise, where the defensive capabilities of companies are tested using the same model the real hackers use.

For more information on how we can support your security needs, call your local TCT Office today.

Robert Brown

Follow us on LinkedIn:

Related Articles:
Exponential Growth Expected for Ransomware
Cyber Security – It’s Important

Written by