Incident Response — Cyberattack lifecycle.

Image by Darwin Laganzon from Pixabay
Image 1 — Cybersecurity Lifecycles
Image 2 — Cybersecurity Lifecycles (2)
  1. Weaponization: After the attacker understands the attack surface (it can be the technology vulnerability or people), the attacker will prepare the “weapon” / the exploit. The attacker can do research of exploits, common attack against the vulnerability, make a phishing website and email, etc.
  2. Delivery & exploitation: In this phase, the attack is launched and try to exploit the vulnerability. If the vulnerability found in the system is SQL Injection, then the attacker will deliver the attack by sending a request with the illegal character to exploit the vulnerability. It also can be delivered via spam/phishing email that exploits human unawareness. The result of a successful delivery & exploitation will be an initial breach in image 2.
  3. Installation: In this phase, the attacker has breached the system temporary, if the organization notices the breach and immediately respond (closing the port, turn off the vulnerable services, update the password), the attacker will immediately lose access. Because of that, the attacker must maintain its presence by finding a way to install any backdoor (so the attacker builds an underground tunnel in the internal organization) to ease up the future exploit activity. In image 2, this is the phase to establish the foothold. Basically, the attacker tries to find a way to maintain its access to the system.
  4. Command and Control: In this phase, the attacker has persistent access to the system and will try to exploit more to gain its objective (credit card number, financial information, customer’s PII, etc). The activity is depicted in image 2. Privilege escalation to gain more control over a machine. Perform another recon activity to gain more targets and attack surfaces. Try to gain access to another system. If successful, maintain the presence and escalate the privilege. All the activity is commanded by the attacker remotely through the backdoor that is installed beforehand.
  5. Actions on Objectives: This is where the damage is severe. The attacker has gained the access they need and may start their malicious means depends on their initial objective (to disrupt the confidentiality, integrity, or availability).



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



A humble learner of everything around IT especially in IT implementation, governance, risk management, and cybersecurity.