Threat Behaviors in the Attack Lifecycle

Threat Behaviors in the Attack Lifecycle

Threat Behaviors in the Attack Lifecycle

Chris Morales
June 20, 2019

There are multiple phases in an active cyberattack and each is a perilous link in a complex kill-chain that gives criminals the opportunity to spy, spread and steal critical information in native and hybrid cloud workloads and user and IoT devices.

By providing high-fidelity visibility into all workloads and network traffic, the AI-driven Cognito platform from Vectra detects threat behaviors in real time in every phase of the attack lifecycle.

Phases of the attack lifecycle

Phases of the attack lifecycle include command and control, internal reconnaissance, lateral movement, data exfiltration and botnet monetization.

It is critical to know when an attack progresses from one phase to the next. For example, an attack that advances from the internal reconnaissance phase to the lateral movement phase can be more significant than the sum of its parts.

Some events in phases of the attack lifecycle are more indicative of targeted attacks than others. For example, opportunistic botnet monetization behaviors might indicate the presence of crimeware but is not a targeted attack. But internal recon and lateral movement behaviors are strong indicators of targeted attacks.

Following is a breakdown and general description of each phase in the attack lifecycle.

Command and control

C&C behaviors occur when devices appear to be under the control of an external malicious entity. Most often, the control is automated because the device is part of a botnet or has adware or spyware installed. Rarely, but most importantly, a device can be manually controlled by a nefarious outsider. This is the most threatening case and it often means the attack is targeted at a specific organization.

Internal reconnaissance

Reconnaissance attacker behaviors occur when a device is used to map-out the enterprise infrastructure. This activity is often part of a targeted attack, although it might indicate that botnets are attempting to spread internally to other devices. Detection types cover fast scans and slow scans of systems, network ports and user accounts.

Lateral movement

Lateral movement covers scenarios of lateral action meant to further a targeted attack. This can involve attempts to steal account credentials or to steal data from another device. It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data. This stage of the attack lifecycle is the precursor to moving into private data centers and public clouds.

Data exfiltration

Data exfiltration behaviors occur when data is sent to the outside in a way that is meant to hide the transfer. Normally, legitimate data transfers do not involve the use of techniques meant to hide the transfer. The device transmitting the data, where it is transmitting the data, the amount of data and the technique used to send it are indicators of exfiltration.

Botnet monetization

Botnets are opportunistic attack behaviors in which a device makes money for its bot herder. The ways in which an infected device can be used to produce value can range from mining bitcoins to sending spam emails to producing fake ad clicks. To turn a profit, the bot herder utilizes devices, their network connections and, most of all, the unsullied reputation of their assigned IP addresses.

For more information about threat behaviors in each phase of the attack lifecycle, download the 2019 Attacker Behavior Industry Report or reach out to us at

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.

Author profile and blog posts

Most recent blog posts from the same author



December 10, 2020
Read blog post
Threat detection

攻撃者がビジネスメールを使ってOffice 365を侵害する方法

December 3, 2020
Read blog post

攻撃者が使用するOffice 365ツールとオープンサービス

October 19, 2020
Read blog post