Sage Advice - Cybersecurity Blog

Threat Hunting: Anatomy of a Cyber Attack

Hackers are people, so when threat hunting, it’s important to think like they do. You need to understand the tricks and techniques that are commonly used. This intellectual capital gives mature threat hunters an advantage, because they share common skills and traits with their unethical counterparts.

Unfortunately, cybercriminals and other cyber adversaries don’t follow a specific play book. There isn’t a single process or simple path of execution when perpetrating an attack. Nor is there a silver bullet for detecting that attack.

Nevertheless, it’s instructive to have an understanding of how a typical attack unfolds. Just keep in mind that hackers can skip steps, add steps, and even backtrack.

The Progression of a Typical Cyber Attack

#1. Research

Before launching an attack, cybercriminals gather as much publicly available information about the target organization and its network as possible. This often includes network ranges, IP addresses, and domain and host names.

Part of the reconnaissance may include looking for email addresses of key players in the organization (IT Manager, CFO, etc.) that could be used in a phishing attack during the exploit phase.

#2. Penetrate

Now the attacker is ready to engage with the intended target and subvert the perimeter defenses. This is often achieved through a phishing attack or another common attack vector.

But hackers also have other tools that can be used to gain entry. These include port scanners, vulnerability exploitation tools, traffic monitoring tools, password crackers, and encryption tools.

#3. Expand

Once in, an attacker will employ a technique called pivoting, using a compromised device to access other devices that would not otherwise be accessible.

Various techniques are deployed to escalate privileges and gain system administrator credentials.

Lateral movement gives the attacker visibility into the network’s available assets so they can locate high-value or sensitive information.

#4. Exploit

Once an attacker finds what they are looking for, they take the final steps to achieve their goal. Successful outcomes include:

  • Gaining administrative access;
  • Opening Command & Control (C&C) communications;
  • Achieving persistence;
  • Denying access to systems;
  • Exfiltrating data;
  • Destroying data; and/or
  • Covering their tracks.
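As an added example (not code from the original post), the Python script below shows how a threat hunter might look for two of the behaviours described in the Expand and Exploit phases above: a single account touching many distinct hosts in a short window (the fan-out pattern of pivoting and lateral movement) and outbound connections to one destination at suspiciously regular intervals (Command & Control beaconing). The log format, host names, addresses, timestamps and thresholds are all constructed assumptions, not the output of any real product.

```python
"""
Hunting for the "Expand" and "Exploit" phases in constructed logs.
Added example, not part of the original post. Every host, user,
address and timestamp below is a constructed sample.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed authentication events: time, user, source host, destination host, outcome.
AUTH_FIELDS = ("time", "user", "src", "dst", "result")
AUTH_LOG = """\
2024-03-01T09:00:05 alice ws-alice fs-01 success
2024-03-01T09:01:10 alice ws-alice mail-01 success
2024-03-01T09:12:00 svc-backup bk-01 fs-01 success
2024-03-01T13:02:01 bob ws-bob srv-10 success
2024-03-01T13:02:03 bob ws-bob srv-11 success
2024-03-01T13:02:04 bob ws-bob srv-12 failure
2024-03-01T13:02:06 bob ws-bob srv-13 success
2024-03-01T13:02:09 bob ws-bob srv-14 success
2024-03-01T13:02:11 bob ws-bob dc-01 success
"""

# Constructed outbound connection events: time, source host, destination, bytes sent.
CONN_FIELDS = ("time", "src", "dst", "bytes")
CONN_LOG = """\
2024-03-01T13:10:00 ws-bob 203.0.113.10 512
2024-03-01T13:15:00 ws-bob 203.0.113.10 514
2024-03-01T13:20:01 ws-bob 203.0.113.10 511
2024-03-01T13:25:00 ws-bob 203.0.113.10 513
2024-03-01T13:30:00 ws-bob 203.0.113.10 512
2024-03-01T13:35:00 ws-bob 203.0.113.10 512
2024-03-01T09:03:00 ws-alice 198.51.100.7 4021
2024-03-01T10:47:00 ws-alice 198.51.100.7 70
2024-03-01T11:02:00 ws-alice 198.51.100.7 99800
2024-03-01T14:30:00 ws-alice 198.51.100.7 2300
2024-03-01T16:05:00 ws-alice 198.51.100.7 310
2024-03-01T17:55:00 ws-alice 198.51.100.7 120
"""


def parse(log, fields):
    """Turn whitespace-separated log lines into dicts with a parsed timestamp."""
    rows = []
    for line in log.splitlines():
        row = dict(zip(fields, line.split()))
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows


def hunt_fan_out(auth_rows, window_seconds=300, min_hosts=4):
    """Flag (user, source host) pairs that reach many distinct hosts in a short window.

    Failed logins count as a touch too: an attacker probing hosts with a
    stolen credential leaves failures as well as successes.
    Returns {(user, src): most distinct hosts seen in any one window}.
    """
    by_actor = defaultdict(list)
    for r in auth_rows:
        by_actor[(r["user"], r["src"])].append(r)
    findings = {}
    for actor, rows in by_actor.items():
        rows.sort(key=lambda r: r["time"])
        start = 0  # left edge of the sliding time window
        for end in range(len(rows)):
            while (rows[end]["time"] - rows[start]["time"]).total_seconds() > window_seconds:
                start += 1
            hosts = {r["dst"] for r in rows[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[actor] = max(len(hosts), findings.get(actor, 0))
    return findings


def hunt_beaconing(conn_rows, min_connections=5, max_jitter=0.1):
    """Flag (source, destination) pairs whose connection intervals are unusually regular.

    Jitter is the standard deviation of the gaps divided by their mean; a
    scheduled beacon scores near zero, human-driven traffic scores high.
    Returns {(src, dst): mean interval in whole seconds}.
    """
    by_pair = defaultdict(list)
    for r in conn_rows:
        by_pair[(r["src"], r["dst"])].append(r["time"])
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings[pair] = round(avg)
    return findings


if __name__ == "__main__":
    for actor, n in hunt_fan_out(parse(AUTH_LOG, AUTH_FIELDS)).items():
        print(f"fan-out: {actor[0]} from {actor[1]} touched {n} hosts in one window")
    for pair, secs in hunt_beaconing(parse(CONN_LOG, CONN_FIELDS)).items():
        print(f"beacon: {pair[0]} -> {pair[1]} every ~{secs}s")
```

Run against the constructed data, the fan-out hunt flags bob’s workstation reaching six different servers (including the domain controller) inside ten seconds, and the beaconing hunt flags the same host calling out to one address every five minutes with almost no jitter; alice’s irregular browsing to a single external address is left alone. The thresholds are starting points for a hunter to tune against a baseline of their own environment, not fixed rules.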


As cyberattacks continue to soar, it’s time to get proactive about protecting your network. You can’t simply sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network. That’s why we’re seeing a shift to a more proactive approach: cyber threat hunting. Learn how to defend your network in the Sage Advice Guide to Cyber Threat Hunting.



The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.


There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.
