
Goal:
Enumerate the target environment, identify viable attack vectors, and establish an initial foothold that enables persistent and reliable access.

Typical Activities:

  • Reconnaissance and enumeration: Conducting OSINT collection and asset discovery to identify users, systems, and exposed infrastructure.

  • Exposure assessment: Scanning for and analyzing externally accessible services such as RDP, SSH, VPN gateways, and management APIs.

  • Social engineering: Executing phishing campaigns and credential-harvesting operations to obtain valid user access.

  • Exploitation: Leveraging known vulnerabilities (CVEs) or configuration weaknesses to gain entry.

  • Supply chain and third-party abuse: Exploiting trusted relationships, compromised vendors, or delegated access to infiltrate the target environment.

Goal:
Map the environment, broaden access, and acquire the credentials, privileges, and tooling required to reach and control high-value or critical assets.

Typical Activities:

  • Credential access: Extracting credentials from memory and storage (e.g., LSASS), secrets managers and key vaults, and CI/CD pipelines.

  • Lateral movement: Pivoting between systems using protocols and techniques such as SMB, WinRM, SSH, and pass-the-hash.

  • Privilege escalation: Elevating permissions to obtain administrative or domain-level control.

  • Persistence establishment: Maintaining long-term access via mechanisms such as scheduled tasks, service or managed identities, and cloud IAM roles.

  • Tooling deployment: Installing or staging attacker tools, scripts, or implants to support ongoing operations.

Goal:
Achieve the adversary’s end objective, such as data theft, operational disruption, or destructive impact.

Typical Activities:

  • Data aggregation and staging: Collecting, compressing, and preparing sensitive data for transfer.

  • Covert exfiltration: Transferring data using encrypted or obfuscated channels, including HTTPS, cloud storage services (e.g., S3), secure transfer protocols (SFTP/FTPS), or DNS tunneling.

  • Data transfer to attacker-controlled infrastructure: Moving exfiltrated data to external systems under adversary control for analysis, resale, or leverage.

  • Impact operations: Executing actions intended to cause harm or coercion, such as large-scale ransomware deployment, system encryption, or irreversible data destruction.
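The DNS-tunneling channel listed under covert exfiltration is one a defender can hunt for in resolver logs: encoded payload chunks show up as many unique, long, high-entropy labels under a single parent domain from one source. The following is an added example, not code from the original page or from any product it describes. It assumes a simple whitespace-separated resolver log layout, treats the last two labels as the parent domain (a simplification; production code would use a public-suffix list), and uses constructed thresholds that would be tuned against an environment baseline.

```python
"""Heuristic DNS-tunnelling detection over resolver query logs (added example)."""
import math
from collections import defaultdict

# Constructed sample resolver log, not taken from any real environment.
# Assumed field layout: <epoch> <source_ip> <query_type> <query_name>
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 A www.example.com
1700000002 10.0.0.5 A cdn.example.net
1700000003 10.0.0.5 AAAA mail.example.com
1700000004 10.0.0.9 TXT 4a6f686e2e446f652c2053534e.0001.exfil-placeholder.test
1700000005 10.0.0.9 TXT 3c50617373776f72643e2e2e2e.0002.exfil-placeholder.test
1700000006 10.0.0.9 TXT 7b227573657273223a5b7b226964.0003.exfil-placeholder.test
1700000007 10.0.0.9 TXT 223a312c226e616d65223a22616c.0004.exfil-placeholder.test
1700000008 10.0.0.9 TXT 696365222c22726f6c65223a2261.0005.exfil-placeholder.test
1700000009 10.0.0.9 TXT 646d696e227d5d7d1a2b3c4d5e6f.0006.exfil-placeholder.test
1700000010 10.0.0.5 A www.example.com
"""

# Constructed thresholds; real values come from baselining the environment.
MIN_DISTINCT_SUBDOMAINS = 5   # many unique labels under one parent = payload chunks
MIN_MEAN_SUBDOMAIN_LEN = 20   # long labels carry more bytes per query
MIN_MEAN_ENTROPY = 2.5        # encoded data is near-uniform; real hostnames are not


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain_part, parent_domain); parent = last two labels (simplification)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the assumed log layout into (epoch, src_ip, qtype, qname) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the whole batch
        ts, src, qtype, qname = parts
        events.append((int(ts), src, qtype.upper(), qname.lower()))
    return events


def summarize(events):
    """Aggregate per (source_ip, parent_domain): query count, distinct labels, length, entropy."""
    groups = defaultdict(list)
    for _, src, _, qname in events:
        sub, parent = split_qname(qname)
        groups[(src, parent)].append(sub)
    summary = {}
    for key, subs in groups.items():
        distinct = set(subs)
        summary[key] = {
            "queries": len(subs),
            "distinct_subdomains": len(distinct),
            "mean_len": sum(len(s) for s in distinct) / len(distinct),
            "mean_entropy": sum(shannon_entropy(s) for s in distinct) / len(distinct),
        }
    return summary


def detect_tunneling(text: str):
    """Return sorted (source_ip, parent_domain) pairs whose query pattern exceeds all thresholds."""
    flagged = []
    for (src, parent), s in sorted(summarize(parse_log(text)).items()):
        if (s["distinct_subdomains"] >= MIN_DISTINCT_SUBDOMAINS
                and s["mean_len"] >= MIN_MEAN_SUBDOMAIN_LEN
                and s["mean_entropy"] >= MIN_MEAN_ENTROPY):
            flagged.append((src, parent))
    return flagged


if __name__ == "__main__":
    for src, parent in detect_tunneling(SAMPLE_DNS_LOG):
        print(f"possible DNS tunnelling: {src} -> *.{parent}")
```

All three signals must agree before a pair is flagged, which keeps ordinary CDN and mail lookups (few, short, low-entropy labels) below the threshold; in practice the entropy and length thresholds are the ones most worth baselining, since some legitimate services also emit long machine-generated labels.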

Double-Extortion Scenarios:
In double-extortion campaigns, adversaries combine data exfiltration with simultaneous or near-simultaneous widespread encryption or disruption. This approach maximizes operational impact and coercive leverage by threatening both data exposure and service unavailability.

Security Controls & Visibility

  • SIEM platform

  • Log sources ingested: endpoints, servers, cloud, SaaS

  • Log coverage gaps

  • Retention & searchability

  • Alert ownership / on-call model

  • EDR / AV tooling

  • Coverage % and enforcement

  • Tamper protection enabled?

  • Response capabilities: isolate, kill, quarantine

  • Firewalls / NGFWs

  • IDS/IPS / NDR

  • WAFs

  • VPN / ZTNA solutions

  • Inspection points & encrypted traffic handling

  • The ability to detect the adversary

  • The cost of that ability to the cyber security organization

  • The cost to the adversary to evade that detection

Environment Assessment and Inventory

  • Asset types: laptops, desktops, mobile devices, VDI, kiosks

  • OS / version / patch baseline

  • Identity binding: user, role, service account

  • Management plane: MDM / endpoint management tool

  • Security controls: EDR, disk encryption, device control

  • Network exposure: internal only / VPN / internet-reachable

  • Logging & telemetry: endpoint logs sent to SIEM? (yes/no)

  • Notes / risks / exceptions

  • Server role: DC, web, app, DB, file, CI/CD, jump host

  • Hosting model: on-prem, colo, IaaS, PaaS

  • Public exposure: internet-facing? (ports/services)

  • Authentication: local, AD, cloud IAM

  • Privilege model: admins, service accounts, tiering

  • Hardening baseline: CIS/STIG/custom

  • Security tooling: EDR, host firewall, vuln scanning

  • Logs: auth, process, network, forwarded to SIEM?

  • Notes / risks / legacy dependencies

  • Segmentation model: zones, VLANs, VPCs, subnets

  • Trust boundaries: internet ↔ DMZ ↔ internal ↔ prod

  • Ingress / egress controls: firewalls, proxies, NAT

  • Remote access paths: VPN, ZTNA, bastion hosts

  • Critical choke points: where traffic is inspected/logged

  • Diagrams: link to current network diagrams

  • Known gaps / blind spots

Software and Services

  • OS families & versions

  • Support status: supported / EOL

  • Patch cadence & enforcement

  • Standard images vs snowflakes

  • Notes / risks

  • Application name & purpose

  • Business criticality: low / medium / high

  • Hosting location: endpoint, server, SaaS, cloud-native

  • Authentication method: SSO, local creds, API keys

  • Data sensitivity: public, internal, confidential, regulated

  • Update / patch ownership

  • Logging & audit capability

  • Notes / known security concerns

  • Platform name

  • User population & access model

  • Auth method: SSO, MFA, local accounts

  • Privileged roles: admins, API access

  • Audit logging enabled?

  • Data types stored

  • Risk notes / shadow IT

  • Cloud provider & accounts/subscriptions

  • Network model: VPC/VNet layout

  • Identity & access model: IAM roles, service principals

  • Public-facing resources

  • Security controls: CSPM, CWPP, WAF

  • Logging: CloudTrail, Activity Logs, flow logs

  • Notes / risks

Discovery Phase:

  • Requesting Organization: Identify the organization where the request originated.

  • Description: Provide a technical or high-level description of what needs to be detected.

  • Reason: Explain why this requirement has been identified, which will assist in prioritization during later phases.

  • Exceptions: List any possible false positives that should be taken into account.

  • Scope: Specify the relevant locations where these detections should be implemented to reduce false positives.

  • Evidence: Attach evidence such as packet captures (PCAPs) or logs related to the event to be detected.

  • Threat intelligence: Utilize internal and open source sources of threat intelligence to inform detection strategies.

  • Business security requirements: Consider the specific security needs of the organization as a whole.

  • Red team exercises: Take insights from simulated attack scenarios into account.

  • SOC requests: Refer to previous security incidents to identify patterns that require additional detection measures.

  • Continuous activities: Regularly review and refine detection strategies in response to ongoing security issues or developments.

Investigate:

  1. Research context

  2. Data source identification

  3. Detection indicator types

  4. Establish validation criteria

Develop:

  5. Design

  6. Develop

  7. Unit test

  • Indicator type and context

  • Naming conventions
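The Discovery-phase record (description, reason, exceptions, scope, evidence) and the Investigate/Develop steps above are easiest to see end to end on one concrete detection. The block below is an added example, not code from the original page or from any tool it describes: it takes the "Lateral movement" activity from the second phase, writes it up as a requirement, implements the rule (one account opening SMB or WinRM sessions to many distinct in-scope hosts inside a short window), applies the requirement's exceptions and scope, and encodes the validation criteria as unit-test cases. The log layout, account names, host names, window and threshold are all constructed for the example.

```python
"""Detection requirement -> rule -> unit test for a lateral-movement spray (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed rule parameters; tune per environment during the Investigate step.
WINDOW_SECONDS = 300
MIN_DISTINCT_HOSTS = 5
LATERAL_SERVICES = {"smb", "winrm"}


@dataclass(frozen=True)
class DetectionRequirement:
    """Fields mirror the Discovery-phase record described above."""
    requesting_org: str
    description: str
    reason: str
    exceptions: tuple   # accounts expected to produce this pattern legitimately
    scope: tuple        # destination host-name prefixes the rule applies to
    evidence: str


REQUIREMENT = DetectionRequirement(
    requesting_org="SOC (constructed)",
    description="One account opens SMB/WinRM sessions to many distinct hosts in a short window",
    reason="Covers the lateral-movement activity in the second attack phase",
    exceptions=("svc-vulnscan",),      # authorised scanner, a known false-positive source
    scope=("srv-", "dc-"),             # server and domain-controller naming prefixes
    evidence="constructed auth events in SAMPLE_AUTH_LOG",
)

# Constructed sample, not from a real environment. Assumed layout:
# <epoch> <user> <source_host> <destination_host> <service>
SAMPLE_AUTH_LOG = """\
1700000000 alice ws-01 srv-file01 smb
1700000030 alice ws-01 srv-file02 smb
1700000060 bob ws-02 srv-app01 winrm
1700000100 bob ws-02 srv-app02 winrm
1700000130 bob ws-02 srv-app03 smb
1700000160 bob ws-02 srv-app04 smb
1700000190 bob ws-02 dc-01 winrm
1700000200 svc-vulnscan scan-01 srv-app01 smb
1700000205 svc-vulnscan scan-01 srv-app02 smb
1700000210 svc-vulnscan scan-01 srv-app03 smb
1700000215 svc-vulnscan scan-01 srv-app04 smb
1700000220 svc-vulnscan scan-01 dc-01 smb
1700000300 carol ws-03 ws-10 smb
1700000310 carol ws-03 ws-11 smb
1700000320 carol ws-03 ws-12 smb
1700000330 carol ws-03 ws-13 smb
1700000340 carol ws-03 ws-14 smb
1700000900 alice ws-01 srv-file03 smb
1700000950 alice ws-01 srv-file04 ssh
"""

# Same five hosts as bob above, but spread 200 s apart: should stay below the window threshold.
SLOW_LOG = "\n".join(
    f"{1700000000 + i * 200} bob ws-02 srv-app0{i + 1} smb" for i in range(5)
)


def parse_auth_log(text: str):
    """Parse the assumed layout into sorted (epoch, user, src, dst, service) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src, dst, service = parts
        events.append((int(ts), user, src, dst, service.lower()))
    return sorted(events)


def in_scope(host: str, req: DetectionRequirement) -> bool:
    return any(host.startswith(p) for p in req.scope)


def detect_lateral_spray(text: str, req: DetectionRequirement):
    """One alert per user whose distinct in-scope SMB/WinRM targets reach the threshold in a window."""
    per_user = defaultdict(list)
    for ts, user, _, dst, service in parse_auth_log(text):
        if service not in LATERAL_SERVICES or user in req.exceptions or not in_scope(dst, req):
            continue
        per_user[user].append((ts, dst))
    alerts = []
    for user, evs in sorted(per_user.items()):
        for i, (ts, _) in enumerate(evs):
            window = {d for t, d in evs[: i + 1] if t >= ts - WINDOW_SECONDS}
            if len(window) >= MIN_DISTINCT_HOSTS:
                alerts.append({"user": user, "hosts": sorted(window), "detected_at": ts})
                break
    return alerts


def run_unit_tests():
    """Validation criteria from the Investigate step, checked in the Unit-test step."""
    cases = {
        "true_positive_spray": (SAMPLE_AUTH_LOG, ["bob"]),      # alice, carol, scanner excluded
        "slow_spread_not_flagged": (SLOW_LOG, []),              # window boundary
        "empty_input": ("", []),
    }
    return {name: [a["user"] for a in detect_lateral_spray(log, REQUIREMENT)] == expected
            for name, (log, expected) in cases.items()}


if __name__ == "__main__":
    print(detect_lateral_spray(SAMPLE_AUTH_LOG, REQUIREMENT))
    print(run_unit_tests())
```

The exception list and scope prefixes live on the requirement rather than inside the rule, so the SOC can revise them during the continuous-review activity without touching detection logic; each unit-test case names the behaviour it protects, which is what the "Establish validation criteria" step asks for.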