The Complete Attack Lifecycle
Every sophisticated attack follows a lifecycle. Understanding this progression helps both attackers plan operations and defenders anticipate threats. This page maps the complete journey from reconnaissance to consequences.
┌───────────────────────────────────────────────────────────────────────┐
│                         THE ATTACK LIFECYCLE                          │
├───────────────────────────────────────────────────────────────────────┤
│                                                                       │
│  ┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐      │
│  │  RECON   │────►│WEAPONIZE │────►│ DELIVER  │────►│ EXPLOIT  │      │
│  │          │     │          │     │          │     │          │      │
│  │ Target   │     │ Build    │     │ Phishing │     │ Execute  │      │
│  │ Research │     │ Payloads │     │ Watering │     │ Code     │      │
│  └──────────┘     └──────────┘     └──────────┘     └────┬─────┘      │
│                                                          │            │
│  ┌───────────────────────────────────────────────────────┘            │
│  │                                                                    │
│  ▼                                                                    │
│  ┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐      │
│  │ INSTALL  │────►│    C2    │────►│ ACTIONS  │────►│  COVER   │      │
│  │          │     │          │     │          │     │  TRACKS  │      │
│  │ Persist  │     │ Control  │     │ Exfil    │     │          │      │
│  │ Beacon   │     │ Lateral  │     │ Ransom   │     │ Cleanup  │      │
│  └──────────┘     └──────────┘     └──────────┘     └────┬─────┘      │
│                                                          │            │
│  ┌───────────────────────────────────────────────────────┘            │
│  │                                                                    │
│  ▼                                                                    │
│  ┌────────────────────────────────────────────────────────────────┐   │
│  │                          CONSEQUENCES                          │   │
│  │                                                                │   │
│  │  Success: Data stolen, ransom paid, access maintained          │   │
│  │  Failure: Attribution, arrest, prosecution, prison             │   │
│  └────────────────────────────────────────────────────────────────┘   │
│                                                                       │
└───────────────────────────────────────────────────────────────────────┘
Phase 1: Reconnaissance
Before any attack begins, operators gather intelligence about the target. This phase can last weeks or months for sophisticated campaigns.
Phase 2: Weaponization
Build the tools, infrastructure, and payloads needed for the operation. This happens entirely on attacker-controlled systems.
Phase 3: Delivery & Exploitation
Get the payload to the target and execute it. This is the first moment the attacker touches the target network - detection risk begins here.
Phase 4: Installation & Persistence
Establish a foothold that survives reboots and detection. Multiple persistence mechanisms ensure continued access even if some are discovered.
Phase 5: Command & Control
With persistence established, operators explore the network, steal credentials, and move laterally to reach high-value targets.
Phase 6: Actions on Objectives
The attacker's payday. Whether stealing data, deploying ransomware, or maintaining long-term access for espionage - this is what the operation was for.
Phase 7: Covering Tracks
Smart attackers clean up after themselves. Log tampering, artifact removal, and counter-forensics techniques make attribution difficult.
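As an added defender-side illustration of the log tampering named above (this is example code, not part of the original page), the Python below hash-chains log records and verifies them, so that editing a record, deleting one from the middle, or truncating the tail of the log becomes detectable. The event strings, the GENESIS anchor and the off-host checkpoint hash are constructed values.

```python
import hashlib
import json

# Constructed anchor for the first record; a real deployment would record a
# per-log random anchor off-host together with the periodic checkpoints.
GENESIS = "0" * 64


def _digest(body: dict) -> str:
    """SHA-256 over the canonical JSON form of a record body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def chain_records(events):
    """Turn event strings into records that each commit to the previous hash."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events):
        body = {"seq": seq, "event": event, "prev": prev}
        prev = _digest(body)
        records.append({**body, "hash": prev})
    return records


def verify_chain(records, checkpoint=None):
    """Return (True, None) if intact, else (False, index of first bad record).

    `checkpoint` is the newest hash previously copied off-host; without it a
    log whose tail has been deleted still verifies, because the chain only
    proves what is present, not what is missing at the end.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: rec.get(k) for k in ("seq", "event", "prev")}
        if rec.get("seq") != i or rec.get("prev") != prev or rec.get("hash") != _digest(body):
            return False, i
        prev = rec["hash"]
    if checkpoint is not None and prev != checkpoint:
        return False, len(records)  # tail truncated or checkpoint never reached
    return True, None


if __name__ == "__main__":
    # Constructed sample events standing in for host log lines.
    recs = chain_records(["alice logon", "sudo -i by alice", "service installed", "alice logoff"])
    checkpoint = recs[-1]["hash"]  # value that was shipped off-host at write time
    edited = [dict(r) for r in recs]
    edited[2]["event"] = "nothing to see"  # one line rewritten in place
    print("intact:      ", verify_chain(recs, checkpoint))
    print("edited:      ", verify_chain(edited, checkpoint))
    print("deleted:     ", verify_chain(recs[:1] + recs[2:], checkpoint))
    print("truncated:   ", verify_chain(recs[:2]))  # passes without a checkpoint
    print("truncated+cp:", verify_chain(recs[:2], checkpoint))
```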
Phase 8: Consequences
Every operation has an ending. Success means achieving objectives undetected. Failure means attribution, investigation, and potentially serious legal consequences.
Special Attack Types
Some attacks don't follow the standard lifecycle or have unique characteristics that warrant dedicated coverage: