The 7 Steps of a Cyberattack
When cyberattacks happen in film and TV, they often go off with a bang. But in reality, it’s more of a whimper. Cybercriminals rarely barge in—more often than not, they sit quietly inside systems, gathering information and seeing what they might be able to get ahold of before choosing the opportune time to strike.
On average, it takes 277 days to identify and contain a data breach. That’s a lot of watching and waiting. Read on to learn how an attack develops and see some real-world examples of these steps in action.
How a common cyberattack unfolds
Cybersecurity professionals often use a 7-step model called the Cyber Kill Chain (first introduced by Lockheed Martin Corp.) to describe the stages of an attack. Here’s what each stage typically looks like—although some attacks don’t follow this pattern.
- Reconnaissance
Threat actors establish the infrastructure (tools, tactics, and so on) needed for the attack. This may entail using a phishing kit, probing the target entity’s systems for vulnerabilities, finding high-value targets within the organization, collecting employee info from social networks, and gathering other intelligence about the organization. They may also “shop” on the dark web for leaked corporate credentials at this stage.
- Weaponization
The attackers create their attack vector and payload, such as malware, to harvest credentials or exploit a vulnerability.
- Delivery
The adversaries launch the attack. It could be delivered through a phishing email with a malicious link to steal credentials or an email with a malware attachment. The attacker could also break into a system or virtual private network (VPN) directly.
- Exploitation
Once inside, the attackers look for additional weaknesses to exploit. They may escalate privileges by harvesting more logins, mapping the environment, or compromising new systems.
- Installation
The attackers establish persistence by installing more malware, remote access trojans, and backdoors.
- Command and control (C2)
Establishing a C2 connection allows the attackers to control the system or identity remotely to deliver further instructions, expand access, and establish new access for future intrusions.
- Actions on objectives
In this final stage, the intruders carry out their objectives. For example, if their goal is to steal data, they might begin collecting it on a staging server and then exfiltrate it.
Real-world cyberattacks involving compromised credentials
Uber (September 2022)
A hacker claiming to be 18 years old gained access to multiple critical Uber systems, including email, Slack, and source code. The attacker used a contractor’s credentials, likely obtained on the dark web, along with social engineering, to trick the person into approving a 2-factor authentication (2FA) request. While the full impact of the attack won't be known for some time, Uber’s reputation took a hit, especially since it’s not the first time the company’s systems have been compromised.
SolarWinds (December 2020)
A sophisticated supply chain attack that compromised the security of dozens of government and private sector organizations started with hackers gaining access to SolarWinds’ software code. The initial access point was attributed to an intern who used the password solarwinds123, which attackers likely obtained on the dark web. The attackers, who went undetected for months, inserted malicious code into one of SolarWinds’ software updates, giving them access to high-profile companies and U.S. government agencies.
Twitter (July 2020)
A group of amateur hackers led by a 17-year-old mastermind used social engineering to trick Twitter employees into revealing their login credentials. They gained control of an internal support tool for the social media platform and commandeered more than 130 accounts, including those of high-profile people like Elon Musk, Barack Obama, Bill Gates, and Kanye West. The hackers tweeted a series of messages promoting a Bitcoin scheme, damaging Twitter’s reputation.
No organization is 100% safe from a cyberattack. But the more you educate your employees on what to watch out for and how to practice secure password habits, the better poised you’ll be against common methods and attacks like these.