
Phishing 101 – The 8 steps of an attacker


How do you fight an enemy that can attack you from a thousand different angles, armed to the teeth with sophisticated tools, and remain unseen until it’s too late?

At face value, you can’t. But if we unpack what’s involved in a standard attack, it suddenly becomes clear where businesses should be focusing their defensive efforts.

Mapping out the likely pathway of an attacker is the first step for businesses hoping to get a glimpse into the minds of their enemies. Below we examine each stage of the pathway and offer tactical recommendations on how to counter the offense.


1. External reconnaissance

During the first stage, the attacker will identify their target through active or passive reconnaissance, using open-source intelligence (OSINT) tools for limitless access to public information that could inform them of the target company’s defence layout.

Defender: Social media platforms like LinkedIn are a gold mine of information that could give attackers unnecessary visibility of your network, e.g. security team certifications. Restricting what employees can or cannot put on social media channels is therefore logical.

On the tech side, deploy tools such as web application firewalls, domain name system (DNS) honeypots and IP address range obfuscation to set up those frontline defences.


2. Delivery

Next, they will use convincing bait to encourage targets towards a phishing link sent via common paths such as email, SMS or social media. Attackers will also assess business security controls and create vocal scripts and landing pages that align with the bait’s branding and formatting.

Once all of that is complete, they will commence the phishing wave to deliver the landing pages and scripts via the path identified.

Defender: Pinpoint critical assets that might be targeted, then identify open ports and assess their criticality to ensure all vulnerable ones are closed. Introduce advanced prevention tools, such as Sender Policy Framework (SPF), external vulnerability scanning and vulnerability management, sandboxing and Fast Identity Online (FIDO) keys.



3. Code execution

The third stage involves running code on an endpoint and distributing blanket emails over several weeks to understand and map out what controls the target business has in place.

Defender: Prevent sandbox applications from communicating out to the internet to stop attackers from gaining information about your business systems. Also, assess and restrict local administrative privileges to reduce the number of exploitable pathways for attackers.


4. Take command & control

It’s at this stage that attackers will deploy malware to communicate back to an owned server, noting down resistances to determine what controls are in place across the network. If the malware communicates back, it proves that the phishing attempt has been successful.

Defender: Conduct least frequency analysis to investigate the domains that have received the least communications from the company on any given day, as these are the most likely to be malicious. Establish practices that restrict communication with new domains that have been set up in the last few months.
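An added example, not from the original article: least frequency analysis over outbound proxy logs, combined with the domain-age check described in this step. The log format, hostnames, domains and registration dates are constructed, and the 90-day threshold is an assumption standing in for "the last few months".

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed proxy log lines: "<ISO date> <internal host> <destination domain>"
SAMPLE_LOG = """\
2024-05-01 ws-014 sso.corp.example
2024-05-01 ws-022 sso.corp.example
2024-05-01 ws-014 updates.vendor.example
2024-05-01 ws-022 updates.vendor.example
2024-05-01 ws-031 cdn-sync.example.net
2024-05-02 ws-014 sso.corp.example
2024-05-02 ws-031 cdn-sync.example.net
2024-05-02 ws-031 cdn-sync.example.net
truncated-line
"""

# Constructed registration dates; in practice these come from a WHOIS/RDAP lookup.
DOMAIN_CREATED = {
    "sso.corp.example": date(2015, 3, 9),
    "updates.vendor.example": date(2019, 11, 20),
    "cdn-sync.example.net": date(2024, 4, 12),
}

def parse(log_text):
    """Yield (day, host, domain) per request, skipping malformed lines."""
    for line in log_text.splitlines():
        try:
            day, host, domain = line.split()
            day = date.fromisoformat(day)
        except ValueError:
            continue
        yield day, host, domain.lower().rstrip(".")

def least_frequent(log_text, max_hits=1, new_domain_days=90):
    """Per day, list domains contacted at most max_hits times, rarest first."""
    hits = defaultdict(Counter)   # day -> domain -> request count
    hosts = defaultdict(set)      # (day, domain) -> internal hosts that connected
    for day, host, domain in parse(log_text):
        hits[day][domain] += 1
        hosts[day, domain].add(host)
    findings = []
    for day in sorted(hits):
        rare = sorted((n, d) for d, n in hits[day].items() if n <= max_hits)
        for count, domain in rare:
            created = DOMAIN_CREATED.get(domain)
            # Unknown registration date counts as new so it gets reviewed.
            is_new = created is None or (day - created).days <= new_domain_days
            findings.append((day.isoformat(), domain, count, sorted(hosts[day, domain]), is_new))
    return findings
```

On the sample data, the second day's rarest domain is a long-established one, which shows why rarity is paired with domain age when prioritising what to investigate.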


5. Internal reconnaissance

From here, attackers will collect and analyse internal data on the target’s network over a span of weeks or months.

Defender: Maintain an EDR/SIEM solution that provides valuable data that can be used to determine the extent of the compromise.


6. Persistence

This is the point where attackers will be granted access to a network. They’ll likely remain linked to a targeted machine so that when it restarts, they get their window of opportunity.

Defender: In reality, an attacker is already latched to an endpoint by this point, and is waiting for a restart in order to gain access. Prevention efforts should therefore align with understanding your critical assets and prioritising security around those.


7. Lateral movement

Once inside the network, attackers will exploit interconnections between servers to access the wider network and additional assets.

Defender: Prevent inter-server communications through local firewalls and network segmentation, and ensure company-wide domain password policy improvements are enforced with rules based on the latest password research, not basic ‘compliance’ regulations.


8. Objective

All that’s left is for attackers to repeat and continue previous stages until the objective has been met, traversing through the network and harvesting data to use in ransomware campaigns or sell on the dark web.

Defender: Determine your most valuable assets as a business and prioritise strong defences around these in the first instance.


Do not fall into the trap of underestimating your enemies and overestimating your defences. If there’s a particular section of the attacker’s pathway that you’d like help with, get in touch!


