Module 3 of 6 — SOC Analyst Path
Module 03

How Attacks Work

โฑ 14 min read ยท 1 quiz question

To defend against attackers, you need to think like one. Not to do what they do — but to understand their patterns, so you recognize an attack in progress before it's too late. This module walks through how real attacks unfold from start to finish.

The Cyber Kill Chain

The Cyber Kill Chain is a model developed by Lockheed Martin that breaks a cyberattack into 7 stages. Most attacks follow this pattern, which makes it a useful mental framework for SOC analysts. When you understand where an attacker is in the chain, you know what to look for next.

1. Reconnaissance — The attacker gathers information: scanning for open ports, looking up employee names on LinkedIn, finding exposed login pages.
2. Weaponization — They build or obtain a weapon, usually malware or an exploit, tailored to the target's systems.
3. Delivery — The weapon is delivered to the target, most commonly via phishing email, malicious attachment, or compromised website.
4. Exploitation — The weapon activates: exploiting a vulnerability, tricking a user into running a file, or abusing a misconfiguration.
5. Installation — The attacker installs a persistent backdoor so they can return even if the initial entry point is closed.
6. Command & Control (C2) — The malware calls home, connecting to the attacker's server to receive instructions and send stolen data.
7. Actions on Objectives — The attacker does what they came to do: steal data, deploy ransomware, sabotage systems, or move to other targets.
Key insight: The earlier in the kill chain you detect and stop an attack, the less damage it does. A SOC that catches an attacker at stage 3 (delivery) prevents far more damage than one that only notices at stage 7.

Common attack types

Phishing

The most common initial attack vector by far. An attacker sends a fake email that looks legitimate — from a bank, a coworker, or a service you use — and tricks the recipient into clicking a link or opening an attachment. One click can install malware or steal login credentials.

Ransomware

Malware that encrypts the victim's files and demands payment for the decryption key. Ransomware attacks often start with phishing, then the attacker spends days or weeks moving through the network before triggering the encryption — maximizing the damage.

Credential stuffing

Attackers take lists of username/password combinations leaked from previous data breaches and automatically try them on other sites. Because people reuse passwords, this works surprisingly often.

SQL injection

An attacker sends specially crafted input through a web form or URL that the server mistakenly treats as part of a database command and executes. This can let them read, modify, or delete data in the database without authorization.
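To make the mechanism concrete, here is an added example (not part of the course material) that puts the vulnerable pattern next to its fix. It uses Python's built-in sqlite3 module and a constructed in-memory users table. The "vulnerable" lookup pastes the username into the SQL text, so the database cannot tell where the query ends and the data begins; the "safe" lookup passes the username as a bound parameter, so it is only ever compared as a value. The textbook probe string used below is the one every SQL injection tutorial shows; the point here is to watch what each version of the query returns for it.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the course).
SAMPLE_USERS = [
    ("alice", "h1", "admin"),
    ("bob", "h2", "user"),
    ("carol", "h3", "user"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: user input is spliced directly into the SQL string.

    The database parses whatever the string contains as SQL, so a quote
    character in the input changes the structure of the query itself.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the input travels as a bound parameter.

    The SQL text is fixed before the value is attached, so the value can
    only ever be compared against the column, never parsed as SQL.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with the textbook probe string."""
    conn = build_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # turns the WHERE clause of the spliced query into always-true
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the normal name both versions return the single matching row. With the probe string the spliced query returns every row in the table, while the parameterized query returns nothing, because there is no user literally named `x' OR '1'='1`. For a SOC analyst the lesson is that the fix lives in the application code; what shows up in web server logs is merely the symptom.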

Man-in-the-middle (MitM)

An attacker positions themselves between two parties — say, a user and their bank — intercepting and sometimes modifying the communication. More common on unencrypted networks.

Insider threats

Not all attacks come from outside. Employees, contractors, or ex-employees with access can intentionally or accidentally cause serious damage. SOC analysts watch for unusual behavior from internal users too.

Malware basics

Malware (malicious software) is any program designed to harm a system or its users. The main categories:

  • Virus — Attaches to legitimate files and spreads when those files are shared.
  • Worm — Spreads automatically across networks without needing a user to do anything.
  • Trojan — Disguises itself as legitimate software. You install what you think is a game; it installs a backdoor.
  • Spyware — Silently monitors activity and sends data to the attacker: keystrokes, screenshots, browsing history.
  • Rootkit — Hides itself deep in the operating system to avoid detection, often granting the attacker administrator-level access.
  • Ransomware — Encrypts files and demands payment. Often delivered as a Trojan.

How attackers move around: lateral movement

Once an attacker gets into one machine, they rarely stop there. They use that machine as a launching pad to move to other systems on the same network — this is called lateral movement. They're looking for higher-value targets: servers with sensitive data, admin accounts, or systems connected to critical infrastructure.

Signs of lateral movement are a major focus for SOC analysts. Seeing one workstation suddenly trying to connect to many other internal machines is a classic red flag.
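The "one workstation suddenly talking to many internal machines" red flag can be turned into a simple detection. The following is an added example, not part of the course, that runs a fan-out check over a constructed set of connection log lines (timestamp, source IP, destination IP, destination port). It counts, for each internal source, how many distinct internal destinations it contacted inside a sliding time window, and raises an alert when that count crosses a threshold. The network range, window length and threshold are assumptions chosen for the demonstration; a real deployment would tune them to its own baseline.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumption for this example: the organisation's internal range is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed connection log (not real data). Format: "<iso-timestamp> <src> <dst> <dst_port>".
# 10.0.1.25 sweeps eight neighbours on SMB/RDP ports within seconds (fan-out).
# 10.0.1.30 is an ordinary user: a file server, a printer, one external site.
# 10.0.1.40 is an admin host that touches one server per hour (no burst).
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.1.25 10.0.1.10 445
2024-05-01T09:00:03 10.0.1.25 10.0.1.11 445
2024-05-01T09:00:05 10.0.1.25 10.0.1.12 445
2024-05-01T09:00:07 10.0.1.25 10.0.1.13 445
2024-05-01T09:00:09 10.0.1.25 10.0.1.14 445
2024-05-01T09:00:11 10.0.1.25 10.0.1.15 445
2024-05-01T09:00:13 10.0.1.25 10.0.1.16 3389
2024-05-01T09:00:15 10.0.1.25 10.0.1.17 3389
2024-05-01T09:01:00 10.0.1.30 10.0.1.5 445
2024-05-01T09:02:00 10.0.1.30 10.0.1.6 9100
2024-05-01T09:02:30 10.0.1.30 198.51.100.20 443
2024-05-01T08:00:00 10.0.1.40 10.0.1.50 22
2024-05-01T09:00:00 10.0.1.40 10.0.1.51 22
2024-05-01T10:00:00 10.0.1.40 10.0.1.52 22
2024-05-01T11:00:00 10.0.1.40 10.0.1.53 22
2024-05-01T12:00:00 10.0.1.40 10.0.1.54 22
2024-05-01T13:00:00 10.0.1.40 10.0.1.55 22
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_fan_out(lines, window=timedelta(minutes=5), threshold=5) -> dict:
    """Return {source_ip: peak distinct internal destinations} for sources that
    contacted at least `threshold` distinct internal hosts within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        # Only internal-to-internal traffic counts as lateral movement.
        if is_internal(src) and is_internal(dst) and src != dst:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = deque()          # (timestamp, dst) pairs inside the sliding window
        distinct = Counter()         # dst -> number of hits currently inside the window
        for ts, dst in events:
            in_window.append((ts, dst))
            distinct[dst] += 1
            # Expire events that fell out of the window.
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                distinct[old_dst] -= 1
                if distinct[old_dst] == 0:
                    del distinct[old_dst]
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, peak in detect_fan_out(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT fan-out from {src}: {peak} distinct internal hosts within window")
```

On the constructed log only 10.0.1.25 is flagged, with a peak of 8 distinct internal destinations. The admin host 10.0.1.40 touches six servers over the day but never more than one inside any five-minute window, which is why the sliding window matters: counting distinct destinations per day alone would make it look as noisy as the sweep. In practice the same logic would run over flow records or firewall logs, and the threshold would be set just above what normal hosts on that segment do.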

Key Terms
Kill chain
A model describing the 7 stages of a cyberattack from initial research to final action. Used to identify where an attack is and how to stop it.
Phishing
A social engineering attack using fake emails or messages to trick users into revealing credentials or installing malware.
Ransomware
Malware that encrypts a victim's files and demands payment for the key to unlock them.
C2 (Command & Control)
The server an attacker uses to communicate with malware on infected machines — sending commands and receiving stolen data.
Lateral movement
An attacker's technique of moving from one compromised machine to other systems on the same network to expand their access.
Persistence
Methods attackers use to maintain access to a system after a reboot or credential change — like creating a hidden user account or scheduled task.
✦ Quick Check
A workstation inside your network is making repeated outbound connections to an unfamiliar server on the internet. Based on the kill chain, which stage does this most likely represent?
Reconnaissance
Command & Control (C2)
Delivery
Weaponization