Five phases of a cyber attack
Five phases of a cyber attack

How to control the five phases of a cyber attack

Cyber Security

When a business experiences a cyber-attack, it’s probably not the first time they’ve had contact with their cyber attacker. Without their knowledge, the invader may have gained access to their network weeks ago, had a good look around and planned their attack for a time when the business would be most vulnerable. It’s no coincidence that cyber-attacks occur when IT’s team lead is away, or there’s an opening in the network for a vendor update.

These are the five phases of a cyber-attack and what you can do to halt one in its tracks.

1. Reconnaissance

One of the first things that goes through the minds of a cyber-attack victim is ‘why us’? This is a question that was answered long ago by the cyber attacker, after a period of thorough research. Usually, the short answer is because you or your organisation has something that the hacker wants – more often than not, that thing is money.

Once the intruder has confirmed you have what they want, they will patiently observe your operations to gather useful information. They might start with your website, or LinkedIn to collect employee names, then email addresses and phone numbers. Even job adverts can provide an insight into the IT technologies in use in an organisation. From here they can determine the organisational structure, workflows and supply chains. As their knowledge builds, they may even leave the house to visit your business for an opportunity to see what hardware and software you are using and how they are secured.

The aim of this phase is for the cyber attacker to build a digital blueprint of your business and network operations – something that would be the envy of your own IT team.

2. Access

Once a cyber attacker has built their digital blueprint, their next goal is to gain access to your network, which is often achieved through phishing. Phishing is an attempt to obtain passwords and other sensitive information by pretending to be a trusted entity. It could be a phone call, an email or even through face-to-face contact. 

Most of us receive phishing emails on a fairly regular basis, so we think we wouldn’t be foolish enough to fall for that sort of ruse. But here’s a story that may cause you to think again. When Special Counsel for the US Department of Justice, Robert Mueller, was the director of the FBI he explained how he received an email that looked like it was from his bank. Mueller responded accordingly and was unwittingly about to hand over some very sensitive personal information to hackers – but stopped just in time. 

So, if they can fool someone who advises others on the risks of cyber-crime and who would go on to investigate Russian phishing attacks during the 2016 US election – they can probably fool the rest of us too. And if you’ve only received phishing emails that stink like the sea dwellers they are named after, here are a few examples of some very successful phishing bait.


Once they’ve gained access, cyber attackers can be very difficult to spot if they are using an existing username and password. It requires a very keen eye on network logs to spot an unusual login time or location for an individual employee.


3. Exploration  

This phase is all about maintaining access and not doing anything to draw attention. Just like the reconnaissance mission in phase one, here the cyber attacker takes a patient approach to mapping out the network from the inside. The goal is to work out where the sensitive and valuable information is kept and then track down passwords for access. To do all this, cyber attackers use the existing systems of the organisation to avoid introducing anything new into the network environment. 

Recently a malicious extension for Google’s Chrome internet browser was used to gain access to some American universities. While North Korean hackers are suspected of launching this cyber-attack, authorities are no wiser on why they were there, or what they wanted. It appears they simply wanted to maintain access and have a good look around.

Network and operating system logs are the first line of defence in identifying unwelcome visitors in the network. Using a combination of automation and skilled human analysis, logs should be monitored constantly to detect and disarm infiltrators.

4. Increase privileges  

A common tactic in cyber security is to employ the principle of least privilege which says that each user, program or process only needs access to the information it requires to do its job. So, an employee working in accounts won’t have access to the information or systems used by HR and vice-versa. 

As the cyber attacker who has taken up residence in the network is most likely using an existing employee’s user account, their goal now is to increase their privileges. They scour the data that they already have access to for more usernames and passwords. This is where that list of staff passwords, or that one time you shared your password with a colleague to expedite a process can bring you unstuck.

While usernames and passwords should never be the only things protecting sensitive systems, they are often the first line of defence. Your Cyber Security Policy should outline protocols for healthy password management. In addition to changing default usernames and passwords, it’s essential to update passwords regularly. This requires password management software that holds passwords securely.


5. Cyber attack 

This is the day that the cyber attacker has been training for. They’ve done their research, honed their skills and warmed up their cyber attacking muscles. On the flip side, the business that they are targeting is unlikely to have prepared an adequate cyber security policy, let alone prepared for a zero-day attack.

In the first half of 2019, more than half of the businesses in the UK reported that they had already experienced a cyber-attack. Three-quarters of the firms surveyed were ranked as cyber security novices, which must be good news for cyber attackers. 

Cyber-attacks are now so common that it takes a high-profile organisation or an enormous data breach to make the news. Lists of cyber-attacks are no longer compiled annually but are more likely to be quarterly or monthly.

An in-house cyber security expert can help businesses avoid reaching phase five of a cyber security intrusion. They can also prepare and manage a response team in the event of a cyber incident. It’s essential to have cool heads to contain the attack, identify the source, then inform customers and prepare for public relations management.

Find out more about how to protect against these threats by studying a Master of Cyber Security.