
Every cyberattack goes through a few phases, described below.

The first phase is Reconnaissance. In this phase, attackers try to find out as much as possible about the organization, the product, and the employees. This is typically done through public information sources such as DNS, domain registration information, and specially crafted Google queries called Google dorks, as well as by probing the network for open ports and vulnerabilities, finding out the software and versions running on the servers, and getting contacts from social networks.

Be Careful How You Use This Knowledge

In this learning program, we will discuss and practice ways of gaining access to systems. Be aware that using this information legally is only possible with the consent or upon the request of the organization you are probing.

AWS Credentials

Many developers have pushed their AWS credential files to public source control such as GitHub by mistake.
These can be found through various “Google dorks”, one of them being:
intitle:index of "aws/credentials"
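To catch this mistake before a push, a repository can be scanned for AWS key material. The following scanner is an added example, not part of the original article; the function names are illustrative, the patterns assume the standard AWS key formats, and the sample input is the placeholder key pair AWS uses in its documentation.

```python
import os
import re
import sys

# Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 uppercase letters/digits.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys: 40 base64-style characters; the variable name is required so
# other 40-character strings (e.g. git SHAs) are not flagged.
SECRET_KEY = re.compile(
    r"aws_?secret_?access_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE)

def redact(value):
    """Keep only the first four characters so the report does not leak the key."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(name, text):
    """Return (file, line number, kind, redacted value) for every hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((name, line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((name, line_no, "secret_access_key", redact(m.group(1))))
    return findings

def scan_tree(root):
    """Scan every readable file under root, skipping the .git directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for path in (os.path.join(dirpath, fn) for fn in filenames):
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings += scan_text(path, fh.read())
            except OSError:
                continue
    return findings

# Constructed sample: the placeholder key pair from AWS documentation.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample", SAMPLE)
    print("\n".join("%s:%d %s %s" % h for h in hits))
    sys.exit(1 if hits else 0)
```

Run with a directory argument, the script exits non-zero on any finding, so it can serve as a pre-commit or CI gate. A key that has already been pushed should be treated as compromised and rotated, not just deleted from the repository.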

The second phase is Initial Exploitation. In this phase, attackers use the information gathered to identify attack vectors they can use to gain access to some systems. The vectors can include exploiting vulnerabilities in the deployed services, authentication data leaked online, injecting malware, or obtaining access from employees through phishing or other forms of social engineering. The problem for the attacker is that these exploits are ephemeral, so the attacker needs to move to the next step.

The third phase is Establish Persistence. In this phase, attackers find ways to obtain persistent access to the internal systems that is less dependent on the external vulnerabilities. For example, malware might be stored in ephemeral memory and therefore disappear upon reboot; a trojan needs to be installed to maintain the malware’s presence.

The fourth phase is Move Laterally, which we can metaphorically call digging for gold. Once attackers have persistent access to systems, they start to access various systems to find valuable data that helps them profit.

The fifth phase is Collect, Exfil, Exploit. In this phase, attackers extract all the useful data and move on to cashing in, for money and/or reputation. They also make sure to cover their tracks.

It’s important to understand that the timeline for a cyberattack can be very long, taking months or even years. Attackers have a lot of time to spend, particularly since some of the phases are a waiting game. For example, if a keylogger has been installed, it’s a matter of waiting for the right secrets to be typed in, which can happen in a few hours or a few months.




The paper describing the Capital One attack – source:
