Cyber attackers use a methodology that must be studied in order to understand how to effectively defend against their attacks.
There is a reconnaissance phase used to collect information that will define how the attack is planned and executed.
The actual attack usually aims to penetrate any defenses and take over a system that can be used as a foothold for further expansion.
The attacker then works at entrenching that position so that it can continue to be useful. It may become necessary to exfiltrate information that the attacker is interested in. This could be simply information about the configuration of the local system, or it could be information gathered about other systems on the network, or it could be data with some value.
At some point, the attacker may decide to use the established foothold to attack and compromise another system. This is called a pivot attack and can be very effective because it comes from a source inside the perimeter defenses that is probably considered less of a threat than systems outside the perimeter.
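The exfiltration and pivot phases described above both leave a trace in network flow records, and a defender can look for them by correlating an inbound connection from outside the perimeter with what the receiving host does next. The following is an added example, not code from the original text: it parses a constructed flow log (timestamp, source, destination, port, bytes), builds a baseline of which internal peers each host normally talks to, and then flags (a) a host that accepted an external inbound connection and afterwards opened connections to internal peers it had never contacted (a candidate pivot) and (b) unusually large outbound transfers to external addresses (candidate exfiltration). The address ranges, the log format, the 5 MB threshold and the one-hour window are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: these prefixes are the defended network ("inside the perimeter").
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample log (not real traffic). Fields: ts src dst dport bytes_out.
# 203.0.113.7 is a documentation address standing in for an external host.
SAMPLE_LOG = """
# ts    src           dst           dport bytes
1000    10.0.1.5      10.0.2.20     445   512       # normal file-share traffic
1100    10.0.1.5      10.0.2.21     443   300
1200    10.0.3.9      10.0.2.20     445   400
2000    203.0.113.7   10.0.1.5      443   2048      # external inbound: possible foothold
2100    10.0.1.5      10.0.2.20     445   900       # known peer, nothing new
2300    10.0.1.5      10.0.4.40     3389  1200      # never-seen internal peer after the inbound
2400    10.0.1.5      203.0.113.7   443   9000000   # large outbound to the same external host
2500    10.0.3.9      10.0.2.20     445   380       # no inbound event for this host
"""


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated log; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_pivots(flows: list, baseline_end: int, window: int = 3600) -> list:
    """Hosts that took an external inbound connection and then reached new internal peers.

    Returns (src, dst, dport, ts) tuples for each suspicious internal connection.
    """
    # Baseline: internal peers each host contacted before the observation period.
    baseline = defaultdict(set)
    for f in flows:
        if f.ts < baseline_end and is_internal(f.src) and is_internal(f.dst):
            baseline[f.src].add(f.dst)

    # Entry events: first external -> internal connection per internal host.
    entry = {}
    for f in flows:
        if f.ts >= baseline_end and not is_internal(f.src) and is_internal(f.dst):
            entry.setdefault(f.dst, f.ts)

    alerts = []
    for f in flows:
        if f.ts < baseline_end or f.src not in entry:
            continue
        if not (is_internal(f.src) and is_internal(f.dst)):
            continue
        within_window = entry[f.src] <= f.ts <= entry[f.src] + window
        if within_window and f.dst not in baseline[f.src]:
            alerts.append((f.src, f.dst, f.dport, f.ts))
    return alerts


def find_exfiltration(flows: list, baseline_end: int, threshold: int = 5_000_000) -> list:
    """Internal -> external pairs whose total outbound bytes exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if f.ts >= baseline_end and is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return sorted((pair, total) for pair, total in totals.items() if total >= threshold)


def analyze(text: str = SAMPLE_LOG, baseline_end: int = 2000) -> dict:
    flows = parse_flows(text)
    return {
        "pivots": find_pivots(flows, baseline_end),
        "exfiltration": find_exfiltration(flows, baseline_end),
    }


if __name__ == "__main__":
    for kind, hits in analyze().items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

The pivot rule deliberately ignores connections to peers already in the baseline, so routine traffic from a compromised host does not fire; it is the combination of an inbound entry event and a new internal destination that is suspicious. Real deployments would build the baseline from days of data and tune the window and byte threshold to the environment.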
Depending on the motivation of the attacker, a variety of techniques might be used to disrupt the network that has been penetrated.
Counter-defensive techniques may be used. Stealth techniques may be used to prevent detection of an attacker’s presence, of data exfiltration, or of other activities. OODA loops describe the process flow of conflict and can be used to find and take advantage of an opponent’s weaknesses. Situational awareness is part of this process.