What is a cyber attack? The 14 stages of a cyber attack

As cyber attacks become more prevalent, it’s more important than ever to understand how they’re carried out. In this article, we’ll walk you through the different stages of a cyber attack.

These stages are described by ATT&CK®, a knowledge base of tactics and techniques used during real-world cyber attacks. It’s maintained by the MITRE Corporation, a private not-for-profit organization that manages several research and development centers for the US government, and collaborates through public–private sector partnerships. 

Your keys to a better career

Get started with ACG today to transform your career with courses and real hands-on labs in AWS, Microsoft Azure, Google Cloud, and beyond.

Let's take a deeper look at what a cyber attack looks like.

The first stage of a cyber attack is called the reconnaissance. This is where attackers gather intelligence about their potential target. They'll gather publicly available information such as websites, social media, physical locations, and information about high-ranking employees within your organization.

Attackers will also leverage open-source intelligence (OSINT) tools and information available on the dark web, which may contain credentials and vulnerabilities associated with your organization. 

Once this intel is gathered, attackers move onto resource development. This is where tools are crafted to use against your organization. Attackers may also develop additional capabilities, including acquiring infrastructure – such as buying or leasing physical or cloud servers, domains or third-party web servers – to compromise your infrastructure and service accounts. 

After enough resource preparation is in place, the cyber attackers will gain initial access to your environment using techniques like phishing attacks, compromising your supply chain or public-facing assets.

Once inside the environment, things really start to ramp up. Attackers perform execution of malicious code using the developed tools, and exploit native APIs, containers, services, scheduled jobs, or shared modules. 

The cyber attackers maintain a foothold in your environment during the persistence stage. They’ll then move to performing privilege escalation, where they begin to obtain higher privilege levels. This allows them to perform actions that are normally reserved for administrators or root users.

To persist in your organization's environment, the cyber attackers will practice defense evasion to avoid detection. This includes using techniques like “living off the land”, where they mimic methods already being used within your environment. So if you use PowerShell scripts, the attackers will also use PowerShell commands to mask their attack and avoid suspicion. 

By flying under the radar, the cyber attackers can move onto obtaining credential access by stealing account names and passwords. They use these to map out the target environment during the stage of discovery. This allows the attackers to identify additional systems for the lateral movement stage. This is where they pivot from the initially compromised system to access other, preferably more sensitive, systems across the environment. 

Now is a critical point in stopping a cyber attack, because the attackers are embedded within your environment. They will soon begin the collection of high-value data, including trade secrets and personally identifiable information (PII).

With this level of compromise comes the ability for attackers to install command and control malware. This allows them to communicate and manipulate compromised systems using encrypted channels, data encoding, and exploited application protocols.

These tools aid in the exfiltration stage, where the collected data is transported from the environment to an external location. 

The final stage of a cyber attack is the impact stage. This is where attackers may destroy confidential information, modify configurations, or disrupt availability of services.

More stealthy attackers will attempt to cover up their tracks, with their actions going unnoticed for months, or even years.

If you discover malicious activity within your environment, knowing this cyber attack framework can help you to identify the level of compromise and potential next steps the attacker may take. And understanding these tactics and techniques can enable you to reactively respond and prevent further damage to the security, confidentiality, integrity, and availability of your systems. 

My Certified Information System Security Professional (CISSP) course will help prepare you for the CISSP certification exam. I cover the ATT&CK framework in detail, as well as other critical information security concepts.