Skip to main content

The 7 Steps of a Cyberattack

  |  Dashlane

When cyberattacks happen in film and TV, they often go off with a bang. But in reality, it’s more of a whimper. Cybercriminals rarely barge in—more often than not, they sit quietly inside systems, gathering information and seeing what they might be able to get ahold of before choosing the opportune time to strike.

On average, it takes 277 days to identify and contain a data breach. That’s a lot of watching and waiting. Read on to learn how an attack develops and see some real-world examples of these steps in action.

How a common cyberattack unfolds 

Cybersecurity professionals often use a 7-step model called the Cyber Kill Chain (first introduced by Lockheed Martin Corp.) to describe the stages of an attack. Here’s what each stage typically looks like—although some attacks don’t follow this pattern. 

  1. Reconnaissance
    Threat actors establish the infrastructure (tools, tactics, and so on) needed for the attack. This establishment may entail using a phishing kit, probing the target entity’s systems for vulnerabilities, finding high-value targets within the organization, collecting employee info from social networks, and gathering other intelligence about the organization. They may also “shop” on the dark web for leaked corporate credentials at this stage.

  2. Weaponization
    The attackers create their attack vector and payload, such as malware, to harvest credentials or exploit a vulnerability.

  3. Delivery
    The adversaries launch the attack. This attack could be delivered through a phishing email with a malicious link to steal credentials or an email with a malware attachment. The attacker could also break into a system or virtual private network (VPN).

  4. Exploitation
    Once inside, the attackers look for additional weaknesses to exploit. They may escalate privileges by accessing more logins, mapping the environment, or compromising new systems.

  5. Installation
    The attackers establish control by installing more malware, remote access trojans, and backdoors.

  6. Command and control (C2)
    Establishing a C2 connection allows the attackers to control the system or identity remotely to deliver further instructions, expand access, and establish new access for future intrusions.

  7. Actions
    In this final stage, the intruders carry out their objectives. For example, if their goal is to steal data, they might begin collecting it on a staging server and then exfiltrate it.

“Our strongest tools are our reputation and relationships. A breach could do more than take our security; it could remove the trust from our name that we’ve worked so hard to build.”

Chelsea Richardson
Principal, Vice President at JD+A

Real-world cyberattacks involving compromised credentials

Uber (September 2022)

A hacker claiming to be 18 years old gained access to multiple critical Uber systems, including email, Slack, and source code. The attacker used a contractor’s credentials, likely obtained on the dark web, along with social engineering, to trick the person into approving a 2-factor authentication (2FA) request. While the full impact of the attack won’t be known for some time, Uber’s reputation took a hit, especially since it’s not the first time the company’s systems have been compromised.

SolarWinds (December 2020)

A sophisticated supply chain attack that compromised the security of dozens of government and private sector organizations started with hackers gaining access to SolarWinds’ software code. The initial access point was attributed to an intern who used the password solarwinds123, which attackers likely obtained on the dark web. The attackers, who went undetected for months, inserted malicious code into one of SolarWinds’ software updates, giving them access to high-profile companies and U.S. government agencies.

Twitter (July 2020)

A group of amateur hackers led by a 17-year-old mastermind used social engineering to trick Twitter employees into revealing their login credentials. They gained control of an internal support tool for the social media platform and commandeered more than 130 accounts, including those of high-profile people like Elon Musk, Barack Obama, Bill Gates, and Kanye West. The hackers tweeted a series of messages promoting a Bitcoin scheme, damaging Twitter’s reputation.


No organization is 100% safe from a cyberattack. But the more you educate your employees on what to watch out for and how to practice secure password habits, the better poised you’ll be against common methods and attacks like these. 

Want to learn more about password security best practices? Our Password Management 101 White Paper has the knowledge you need.

Sign up to receive news and updates about Dashlane