
Cybersecurity Fundamentals for Absolute Beginners


How Attacks Typically Unfold: From Opportunity to Impact

Chapter 4


Why Most Attacks Follow a Pattern

Many real-world cyberattacks look chaotic from the outside, but they often unfold in recognizable stages. Attackers tend to move from noticing an opportunity, to gaining a foothold, to expanding access, and finally to causing impact (or extracting value). Understanding this “attack flow” helps beginners do two practical things: spot early warning signs and place defenses where they break the chain.

Not every incident includes every stage, and the order can vary. A quick credential-stuffing attempt might jump straight to account takeover. A targeted intrusion might spend weeks quietly exploring before doing anything obvious. Still, the same core ideas show up repeatedly: find a way in, keep access, increase privileges, reach valuable systems or data, and then act.

Stage 1: Opportunity and Target Selection

Attacks start when an attacker sees an opportunity: a vulnerable system, an exposed service, a careless workflow, or a person who can be persuaded. Sometimes the attacker is actively hunting; sometimes they are running automated tools that scan the internet and wait for something to respond.

Common sources of opportunity

  • Exposed services: Remote access portals, web apps, file shares, or admin interfaces reachable from the internet.
  • Weak or reused passwords: Especially when the same password is used across multiple sites.
  • Unpatched software: Known vulnerabilities in operating systems, browsers, VPNs, routers, plugins, or web frameworks.
  • Misconfigurations: Publicly accessible cloud storage, overly permissive access rules, default credentials, or open database ports.
  • Human workflows: Invoices, HR requests, password resets, vendor onboarding, and customer support processes that can be manipulated.

What you can observe at this stage

Often, you won’t see anything yet. But in organizations, early indicators can include unusual spikes in inbound traffic, repeated login attempts, or automated scanning patterns in logs.

Stage 2: Reconnaissance (Learning the Environment)

Reconnaissance is the attacker’s information-gathering phase. The goal is to reduce uncertainty: identify systems, software versions, user accounts, business processes, and potential paths to access.


Two types of reconnaissance

  • External recon: Learning from outside the target. Examples include discovering public IP addresses, domains, subdomains, exposed services, employee emails, and third-party vendors.
  • Internal recon: Learning after initial access. Examples include enumerating network shares, listing users and groups, finding where backups live, and locating sensitive systems.

Practical example: what an attacker might look for

  • “Where is the login page?”
  • “Which employees handle payments?”
  • “Is remote desktop exposed?”
  • “What cloud services are used (email, storage, CRM)?”
  • “Are there password reset paths that rely on easily guessed information?”

Reconnaissance is also where attackers decide whether a target is worth deeper effort. If they find strong controls, they may move on to easier targets.

Stage 3: Initial Access (Getting a Foot in the Door)

Initial access is the moment the attacker gains some level of entry: a user account, a session token, a foothold on a device, or access to a web application function that can be abused. This is one of the most important stages to understand because many defenses aim to prevent or detect it.

Common initial access paths

  • Phishing and social engineering: Tricking a person into clicking a link, opening a file, approving a login, or sharing credentials.
  • Credential attacks: Password spraying, credential stuffing (reusing leaked credentials), or brute force against weak passwords.
  • Exploiting vulnerabilities: Using a software flaw to run code, bypass authentication, or access data.
  • Malicious files: Documents with harmful macros, trojanized installers, or fake browser updates.
  • Supply chain and third-party access: Compromising a vendor account or tool that has access to the target.

Step-by-step example: a typical phishing-to-login flow

This is a simplified sequence to show how quickly “opportunity” becomes “access”:

  • Step 1: Attacker sends an email that looks like a routine request (invoice, shared document, HR form).
  • Step 2: The email contains a link to a lookalike login page or a file attachment.
  • Step 3: The victim enters credentials or opens the file.
  • Step 4: Attacker uses the captured credentials to log in to email or a cloud app.
  • Step 5: Attacker confirms access and begins exploring what the account can reach.

In many modern incidents, attackers prefer stealing credentials over dropping obvious malware because credential-based access can look like normal user behavior.
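The three credential-attack styles listed above (password spraying, credential stuffing, brute force) leave different shapes in an authentication log, and the defender's first signal is usually a success that follows a run of failures from the same source. The following detector is an added example for this chapter, not code from the course; it assumes a constructed tab-separated log layout (timestamp, username, source IP, result), so the field names and the thresholds are illustrative choices rather than any product's format.

```python
"""Spot credential-attack patterns in authentication logs.

Added illustration for this chapter, not code from the course. The log
format is a constructed tab-separated layout (timestamp, username, source
IP, result); real identity providers log differently, but the grouping
logic is the same.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 203.0.113.5 tries one password against many users
# (password spraying) and finally hits a weak account; 198.51.100.7 hammers a
# single user (brute force); 192.0.2.10 is a real user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z\talice\t203.0.113.5\tFAIL
2024-05-01T09:00:02Z\tbob\t203.0.113.5\tFAIL
2024-05-01T09:00:03Z\tcarol\t203.0.113.5\tFAIL
2024-05-01T09:00:04Z\tdave\t203.0.113.5\tFAIL
2024-05-01T09:00:05Z\terin\t203.0.113.5\tFAIL
2024-05-01T09:00:06Z\tfrank\t203.0.113.5\tSUCCESS
2024-05-01T09:10:00Z\tgrace\t198.51.100.7\tFAIL
2024-05-01T09:10:01Z\tgrace\t198.51.100.7\tFAIL
2024-05-01T09:10:02Z\tgrace\t198.51.100.7\tFAIL
2024-05-01T09:10:03Z\tgrace\t198.51.100.7\tFAIL
2024-05-01T09:10:04Z\tgrace\t198.51.100.7\tFAIL
2024-05-01T09:10:05Z\tgrace\t198.51.100.7\tFAIL
2024-05-01T09:30:00Z\talice\t192.0.2.10\tFAIL
2024-05-01T09:30:20Z\talice\t192.0.2.10\tSUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split("\t")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    return events


def analyze(events, window_minutes=15, spray_users=5, brute_attempts=5):
    """Group failures by source IP and classify the pattern.

    password_spray: many distinct users, very few failures each (one or two
                    guesses per account stays under lockout thresholds).
    brute_force:    many failures against one account.
    Any SUCCESS that follows failures from the same source is reported as a
    possible account takeover, which is the finding to act on first.
    Thresholds are illustrative assumptions, not recommended values.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        span = (evs[-1]["time"] - evs[0]["time"]).total_seconds() / 60
        if span > window_minutes:
            continue  # slow, spread-out activity needs a different detector

        failures_per_user = defaultdict(int)
        for e in evs:
            if not e["ok"]:
                failures_per_user[e["user"]] += 1

        kinds = []
        if len(failures_per_user) >= spray_users and max(failures_per_user.values()) <= 2:
            kinds.append("password_spray")
        if any(n >= brute_attempts for n in failures_per_user.values()):
            kinds.append("brute_force")
        if not kinds:
            continue

        # A success after failures from an attacking source = likely takeover.
        seen_failure, taken_over = False, []
        for e in evs:
            if not e["ok"]:
                seen_failure = True
            elif seen_failure:
                taken_over.append(e["user"])

        findings[ip] = {
            "kinds": kinds,
            "users_targeted": len(failures_per_user),
            "failures": sum(failures_per_user.values()),
            "success_after_failure": taken_over,
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

Run against the sample, the spraying source is reported together with the account it finally opened (frank), the brute-force source is reported with no takeover, and the real user who mistyped once is not flagged at all. A production rule would additionally join on MFA outcome and on where the source IP is seen afterwards, but the grouping by source and the "success after failures" test are the core of most such detections.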

Stage 4: Establishing Foothold and Persistence

A foothold is the attacker’s ability to remain in the environment beyond a single moment. Persistence means they can come back even if the original entry method is removed (for example, the user changes their password).

How persistence commonly happens

  • Adding or modifying accounts: Creating a new user, adding an SSH key, or registering a new device.
  • Session/token persistence: Stealing session cookies or refresh tokens so access continues without re-entering a password.
  • Email rules and forwarding: Creating inbox rules to hide security alerts or forward messages externally.
  • Scheduled tasks/services: On computers, setting something to run automatically at startup.
  • Backdoor access in apps: Planting a hidden admin user or API key in a web application or configuration.

Practical step-by-step: persistence via email rules (conceptual)

  • Step 1: Attacker logs into a mailbox using stolen credentials.
  • Step 2: They create a rule: “If subject contains ‘invoice’ or ‘payment’, forward to external address.”
  • Step 3: They create another rule: “If sender is ‘security@…’, move to RSS/Archive.”
  • Step 4: They monitor forwarded emails to learn processes and intercept payment conversations.

This kind of persistence is dangerous because it can be quiet and doesn’t require malware on a device.
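The rule patterns in the steps above (external forwarding of finance mail, security notifications moved into a folder nobody reads) can be checked mechanically. The audit below is an added example for this chapter, not code from the course or from any mail provider: it works on a constructed, simplified rule record (name, conditions, actions), and the internal domain, the security-sender prefixes and the keyword lists are assumptions a real deployment would replace with its own values.

```python
"""Audit mailbox rules for the persistence patterns described above.

Added example for this chapter, not code from the course or from any mail
provider. The rule records are a constructed, simplified shape; an export
from Exchange Online (Get-InboxRule) or Gmail filters would first need
mapping onto these field names.
"""
INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Assumed sender prefixes and subject words used by security/IT notifications.
SECURITY_SENDERS = ("security@", "it-support@", "no-reply@")
SECURITY_WORDS = ("password", "sign-in", "security alert", "unusual")
# Assumed keywords an attacker would use to watch payment conversations.
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "remittance")
# Folders users rarely open; attackers move mail here instead of deleting it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}

# Constructed sample: two attacker-style rules, one benign rule, one deletion rule.
SAMPLE_RULES = [
    {"name": "Invoices", "subject_contains": ["invoice", "payment"],
     "forward_to": ["billing.archive@mail.example.net"]},
    {"name": ".", "from_contains": ["security@example.com"],
     "move_to": "RSS Subscriptions"},
    {"name": "Vendor newsletters", "from_contains": ["news@vendor.example"],
     "move_to": "Newsletters"},
    {"name": "Cleanup", "subject_contains": ["password reset", "new sign-in"],
     "delete": True},
]


def is_external(address):
    """True unless the address is in the organisation's own domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def audit_rule(rule):
    """Return the reasons a rule looks like persistence (empty list = fine)."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    hides = bool(rule.get("delete")) or (rule.get("move_to") or "").lower() in HIDING_FOLDERS

    if external:
        reasons.append("forwards mail outside the organisation: " + ", ".join(external))
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    elif hides:
        reasons.append(f"moves matching mail into a rarely viewed folder ({rule['move_to']})")

    senders = [s.lower() for s in rule.get("from_contains", [])]
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    security_match = (any(s.startswith(p) for s in senders for p in SECURITY_SENDERS)
                      or any(w in s for s in subjects for w in SECURITY_WORDS))
    if hides and security_match:
        reasons.append("hides security or IT notifications from the user")
    if (external or hides) and any(w in s for s in subjects for w in FINANCE_WORDS):
        reasons.append("targets finance or payment conversations")
    # Attacker-created rules are frequently named ".", "," or a single letter.
    if len(rule.get("name", "").strip()) <= 2:
        reasons.append("near-empty rule name (common in attacker-created rules)")
    return reasons


def audit_mailbox(rules):
    """Map each suspicious rule name to its list of reasons."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[rule["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

The benign "Vendor newsletters" rule is not flagged because moving mail into an ordinary folder is normal; what makes the other rules suspicious is the combination of where mail goes (outside the organisation, or somewhere the user will not look) with what it matches (money, or the alerts that would reveal the intrusion). Mailbox-level forwarding settings and newly registered devices should be reviewed with the same mindset, since the text above lists them as the other common persistence points.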

Stage 5: Privilege Escalation (Getting More Power)

Once inside, attackers often try to increase their privileges. A regular user account may not have access to sensitive systems, administrative tools, or security settings. Privilege escalation is about moving from limited access to more powerful access.

Common ways privileges increase

  • Finding stored credentials: Passwords saved in browsers, scripts, configuration files, or shared documents.
  • Abusing weak permissions: A user can access admin tools because of misconfigured roles or group memberships.
  • Exploiting local vulnerabilities: A flaw on a computer that allows a standard user to become an administrator.
  • Capturing admin sessions: Stealing tokens or cookies from an already-logged-in admin device.

Privilege escalation is often the turning point between a small incident (one account compromised) and a major breach (many systems compromised).

Stage 6: Lateral Movement (Spreading Through the Environment)

Lateral movement means moving from one system or account to others. Attackers do this to reach valuable targets, avoid detection, and gain redundancy (multiple ways to stay in).

Why lateral movement happens

  • To reach high-value systems: File servers, databases, finance systems, identity systems, admin consoles.
  • To find better credentials: Some machines store service account secrets or have admins logged in.
  • To bypass controls: A protected system might not be reachable directly from the internet, but it is reachable from an internal machine.

Practical example: “one password leads to many doors”

Imagine an attacker compromises a single employee’s email. They find a message containing a shared spreadsheet link. That spreadsheet includes a note like “VPN password for vendor access: …” or an API key pasted for convenience. With that, the attacker can access another system, where they find more credentials, and so on. This chain reaction is why credential hygiene and access segmentation matter so much.

Stage 7: Command and Control (Remote Coordination)

In many intrusions, attackers need a way to control compromised systems and issue commands. This is often called command and control (C2). In simple terms, the attacker sets up a communication channel so the compromised system can receive instructions or send data out.

How C2 can look in practice

  • Remote administration tools: Legitimate tools used maliciously.
  • Outbound connections: A compromised machine repeatedly contacting an external server.
  • Cloud-based channels: Using common platforms or APIs to blend in with normal traffic.

Not all attacks require classic C2. If the attacker is operating purely through a cloud account (email, storage, admin portal), the “control” may simply be their web login session.

Stage 8: Actions on Objectives (Impact)

This is the stage where the attacker does what they came to do. The objective varies: stealing data, extorting money, disrupting operations, or manipulating business processes. The same intrusion path can lead to different impacts depending on the attacker’s goals and what they discover.

Common impact types

  • Data theft: Copying customer records, employee data, intellectual property, or internal documents.
  • Account takeover and fraud: Changing payment details, issuing refunds, purchasing goods, or redirecting payroll.
  • Ransomware: Encrypting systems and demanding payment for recovery.
  • Destruction/sabotage: Deleting data, wiping systems, or breaking configurations.
  • Espionage: Quiet, long-term access to monitor communications and plans.

Step-by-step example: business email compromise (BEC) leading to payment fraud

  • Step 1: Attacker gains access to an employee mailbox (often finance or an executive assistant).
  • Step 2: They read past email threads to learn how invoices are approved and paid.
  • Step 3: They wait for a real invoice conversation or start one by impersonating a vendor.
  • Step 4: They send “updated banking details” and apply pressure (urgency, confidentiality).
  • Step 5: Payment is sent to the attacker-controlled account.
  • Step 6: Attacker deletes or hides related emails using mailbox rules to delay discovery.

Notice that this impact can happen without malware, without exploiting a technical vulnerability, and sometimes without triggering obvious security alerts. It exploits trust and process.

Step-by-step example: ransomware impact chain (high level)

  • Step 1: Attacker gains initial access (phishing, stolen credentials, exposed remote access).
  • Step 2: They escalate privileges and move laterally to reach many machines.
  • Step 3: They locate backups and attempt to delete or disable them.
  • Step 4: They deploy encryption broadly (servers, endpoints, shared drives).
  • Step 5: Systems become unavailable; a ransom note appears; operations stop.

In many ransomware cases, the encryption event is the final step of a longer intrusion. The earlier stages may have been happening quietly for days or weeks.
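Steps 3 and 4 of the ransomware chain above are the ones that show up in file-audit logs: deletion of backup files by an account that normally would not touch them, then a burst of writes or renames in which almost every file receives the same new extension. The detector below is an added example for this chapter, not code from the course or from any product; the audit-log layout (timestamp, user, host, action, path), the backup-path convention and the thresholds are constructed assumptions.

```python
"""Detect the observable side of a ransomware impact chain in file-audit logs.

Added example for this chapter, not code from the course. The log layout
(timestamp, user, host, action, path), the backup naming convention and the
thresholds are constructed assumptions.
"""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: backups live under /backups/ or carry a .bak extension.
BACKUP_PREFIX = "/backups/"
BACKUP_EXTENSIONS = {".bak"}

_BASE = datetime(2024, 5, 1, 10, 0, 0)


def _line(offset_s, user, host, action, path):
    """Build one constructed audit line, offset_s seconds after _BASE."""
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts}\t{user}\t{host}\t{action}\t{path}"


# Constructed sample: a normal user saves two spreadsheets; a newly created
# admin account deletes two backups, then renames 30 files to .locked in
# 30 seconds.
SAMPLE_AUDIT = "\n".join(
    [_line(0, "jdoe", "FS01", "WRITE", "/shares/finance/q1.xlsx"),
     _line(30, "jdoe", "FS01", "WRITE", "/shares/finance/q2.xlsx"),
     _line(300, "admin-tmp", "FS01", "DELETE", "/backups/fs01-2024-04-30.bak"),
     _line(301, "admin-tmp", "FS01", "DELETE", "/backups/fs01-2024-04-29.bak")]
    + [_line(360 + i, "admin-tmp", "FS01", "RENAME", f"/shares/finance/doc{i}.docx.locked")
       for i in range(30)]
)


def parse_audit(text):
    """Parse the constructed tab-separated audit text into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action, path = line.split("\t")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "host": host, "action": action, "path": path})
    return events


def is_backup(path):
    return path.startswith(BACKUP_PREFIX) or os.path.splitext(path)[1].lower() in BACKUP_EXTENSIONS


def detect_ransomware_signals(events, window_seconds=60, burst_threshold=20, ext_share=0.8):
    """Return {(user, host): signals} for actors showing a burst of file
    changes dominated by one extension and/or deletion of backup files."""
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["host"])].append(e)

    findings = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        signal = {}

        # 1. Burst: sliding window over WRITE/RENAME events from this actor.
        changes = [e for e in evs if e["action"] in ("WRITE", "RENAME")]
        start = 0
        for end, e in enumerate(changes):
            while e["time"] - changes[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= burst_threshold:
                exts = Counter(os.path.splitext(c["path"])[1].lower()
                               for c in changes[start:end + 1])
                ext, n = exts.most_common(1)[0]
                signal["burst"] = {"changes": count, "seconds": window_seconds}
                if n / count >= ext_share:  # one new extension everywhere = encryption
                    signal["dominant_extension"] = ext
                break  # one finding per actor is enough here

        # 2. Backup deletion, which in the chain above precedes encryption.
        deleted = [e["path"] for e in evs if e["action"] == "DELETE" and is_backup(e["path"])]
        if deleted:
            signal["backups_deleted"] = deleted

        if signal:
            findings[actor] = signal
    return findings


if __name__ == "__main__":
    for actor, signal in detect_ransomware_signals(parse_audit(SAMPLE_AUDIT)).items():
        print(actor, signal)
```

On the sample, the ordinary user is not reported, while the temporary admin account is reported for both signals, which is exactly the ordering the chapter describes: backups go first, encryption follows. Backup deletion on its own is worth an alert even before any burst appears, because at that point the encryption step has usually not yet started and the blast radius can still be limited.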

Where Defenders Break the Chain (Practical Mapping)

To make the attack flow actionable, map each stage to defensive opportunities. The goal is not to memorize attacker jargon, but to recognize where small improvements prevent big outcomes.

Opportunity & Recon: reduce what’s visible and learnable

  • Maintain an inventory of internet-exposed services and remove anything unnecessary.
  • Harden configurations (disable default accounts, restrict admin interfaces).
  • Monitor for unusual scanning and repeated authentication attempts.

Initial access: make “getting in” harder

  • Use multi-factor authentication (especially for email, remote access, and admin portals).
  • Use strong, unique passwords and a password manager.
  • Train on phishing recognition with realistic internal examples (invoices, shared docs, HR messages).

Foothold & persistence: make “staying in” harder

  • Review mailbox rules, forwarding settings, and new device registrations.
  • Alert on creation of new admin accounts or role changes.
  • Limit who can create app passwords, API keys, or OAuth grants.

Privilege escalation & lateral movement: limit blast radius

  • Apply least privilege: users should not have admin rights by default.
  • Separate admin accounts from daily-use accounts.
  • Segment networks and restrict access between systems where possible.

Impact: reduce damage when something slips through

  • Maintain tested backups and protect them from easy deletion.
  • Use logging and alerting to detect mass file changes, unusual data downloads, or suspicious admin actions.
  • Have a clear incident response playbook for account compromise, fraud attempts, and ransomware scenarios.

Mini Case Study: One Attack, Multiple Possible Outcomes

Consider a small company where an employee reuses a password from an old website breach. An attacker uses credential stuffing and successfully logs into the employee’s email.

  • Path A (fraud): The attacker sets forwarding rules, watches invoices, and changes payment instructions.
  • Path B (data theft): The attacker searches the mailbox for “contract,” “SSN,” “passport,” “confidential,” then downloads attachments and shared links.
  • Path C (ransomware): The attacker uses email access to find remote access details, logs into internal systems, escalates privileges, and deploys ransomware.

The initial access is the same, but the impact differs based on what the attacker finds and what defenses slow them down. This is why early detection (odd logins, new forwarding rules, unusual downloads) is so valuable: it can stop the story before it reaches the impact stage.

Practical Checklist: Questions to Ask During Any Incident

When you suspect an attack, these questions help you quickly map what stage you might be in and what to do next:

  • What was the initial access? Phishing, stolen credentials, exposed service, vulnerability?
  • What accounts are involved? Which users, which roles, any admin access?
  • Is there persistence? New rules, new devices, new accounts, scheduled tasks?
  • Has privilege increased? Role changes, group membership changes, new tokens/keys?
  • Has the attacker moved laterally? Logins from unusual machines, new remote connections, access to new systems?
  • What is the objective? Fraud, theft, disruption, extortion?
  • What evidence exists? Authentication logs, email audit logs, endpoint alerts, file access logs.

Even for beginners, thinking in stages turns a confusing situation into a structured investigation: identify where the attacker entered, what they touched, whether they can return, and what they were trying to achieve.

Now answer the exercise about the content:

Which action best helps stop an attacker from staying in after initial access to an email account?


Persistence can be created through quiet changes like mailbox rules and forwarding settings that hide alerts or send messages externally. Reviewing and removing those rules and forwarding settings takes away the attacker's ability to keep access.

Next chapter

Threats, Vulnerabilities, and Risk: Clear Differences
