Networking

An Anatomy of Common Attacks: From Phishing to Data Exfiltration

13 min read Part of pathway: Networking from Scratch

Almost every breach you read about — an inbox compromised, a database dumped, a network ransomwared — follows roughly the same shape. The attacker doesn’t teleport into the data; they walk through six predictable stages, each using protocols you already know. The reason this article comes at the end of the pathway is that you can finally read the playbook with technical understanding instead of just dread.

This is lesson 12, the last lesson, of Networking from Scratch. We’ll walk the six stages of a typical intrusion, look at which protocols and middleboxes appear in each stage, and map the corresponding defences. By the end you’ll see why the BEC investigation guide we published earlier maps so cleanly onto this framework — it’s the same chain, just specialised for email-based intrusions.

The kill chain in one paragraph

The original Lockheed Martin Cyber Kill Chain has seven stages; MITRE ATT&CK has dozens of techniques across about a dozen tactic categories. For a working mental model, six steps cover the operational reality:

  1. Initial access — the attacker gets onto the network or one of its hosts.
  2. Foothold & discovery — they look around to figure out where they are and what’s reachable.
  3. Lateral movement — they hop to other hosts using stolen credentials or exposed services.
  4. Privilege escalation — they become someone more powerful (local admin, domain admin, root).
  5. Command-and-control + persistence — they install a callback channel and a way to survive a reboot or password change.
  6. Exfiltration + impact — they take what they came for: data, money, or destruction.

Defenders don’t need to win every stage. Breaking the chain at any one step stops the intrusion. That’s why the framework is useful even if you only have the budget to harden one stage at a time.

Stage 1: Initial access

How attackers get a foot in the door, in rough order of frequency:

Technique Mechanism Protocol involved
Phishing Email tricks a user into entering credentials, opening a malicious attachment, or running a script SMTP / IMAP / HTTPS
Valid credentials Attacker uses passwords from prior breaches, password reuse, or guessing HTTPS, SSH, RDP, VPN portals
Exploiting public-facing services Unpatched VPN, web app, or remote-access service has a known CVE HTTPS, SSH, RDP, vendor-specific
Drive-by / supply chain A compromised software update or a malicious script on a website lands a payload HTTPS
USB / removable media Physical access. Rare but real, especially for OT and air-gapped networks. None — bypasses the network entirely

Phishing is the dominant vector in any threat report you’ll read — usually north of half of all initial-access events. The other major source is “valid credentials”: attackers buy or harvest password lists from prior breaches and try them against your VPN, your Microsoft 365, or any web app you exposed. The defence is the same one I covered in the BEC article: multi-factor authentication on every login surface. Phishing-resistant MFA (FIDO2 hardware keys, passkeys) is even better, but any MFA is enormously better than none.

Stage 2: Foothold and discovery

An attacker on a single host knows almost nothing about your network. They figure it out by running standard tools (or built-in OS commands) to enumerate. Watch for:

  • Unusual net view, net user, nltest, or whoami /groups activity on a workstation.
  • Port scans from internal hosts that have no business scanning the internal network (ordinary laptops never run nmap).
  • DNS queries for service-discovery records they don’t need (_ldap._tcp, _kerberos._tcp, etc.) coming from non-IT hosts.
  • Bulk file-system reads in directories the user doesn’t normally touch.

Most modern EDR platforms (CrowdStrike, SentinelOne, Defender for Endpoint, etc.) catch a lot of this in real time because the behaviour is so out of pattern for a typical user. Network-side, segmentation matters: if a phished marketing laptop can’t even reach the database tier’s subnet, none of its scanning produces useful results.

Stage 3: Lateral movement

This is where the attacker turns one compromised host into many. The most common techniques on a Windows / Active Directory environment:

Technique How it works Detection signal
RDP with stolen credentials Attacker uses keyboard/mouse on a remote host as if they were the user RDP logins (Event ID 4624 type 10) from unusual sources, off-hours, or new clients
SMB + admin shares Attacker copies tools to \\HOST\C$ and runs them via WMI or remote services SMB writes from one workstation to another, especially to admin shares
Pass-the-hash / pass-the-ticket Attacker uses a stolen NT hash or Kerberos TGT instead of needing the cleartext password Kerberos events without a corresponding NTLM logon, ticket requests from odd hosts
WinRM / PowerShell remoting Attacker runs PowerShell remotely on multiple machines from one compromised host WinRM connections from unexpected hosts; WSMan logs
Exploited service An internal service (a CMS, a database, a CI runner) has a vuln; attacker uses it to pivot Web logs showing exploitation patterns; egress from a server that should never originate connections

The routing/switching mental model matters here directly: lateral movement happens across L3 segments via routing, and within an L2 segment freely. Tight segmentation (especially between user VLANs and server VLANs) raises the cost of every lateral hop. Zero-trust architecture, in its less-buzzwordy form, is just “authenticate every connection regardless of where it’s coming from inside your network,” which kills most lateral-movement techniques outright.

Stage 4: Privilege escalation

The attacker started as a normal user; they want to be a powerful one. On Windows / AD, the canonical path is compromise → harvest credentials from memory → find a host where someone with higher rights logged in → use those credentials → eventually reach domain admin. Variations:

  • Kerberoasting — request service tickets for any domain account with an SPN, then crack them offline. Service accounts with weak passwords get owned.
  • AS-REP roasting — same idea but for accounts that have pre-authentication disabled. Rarer but very fast when present.
  • Local admin password reuse — if every workstation has the same local admin password, owning one workstation owns them all. (Microsoft’s LAPS is the answer.)
  • Unpatched local privilege escalation — an OS or application bug lets the attacker jump from user to SYSTEM. Patching closes these.
  • Misconfigured service / scheduled task — a service that runs as a privileged user but is writable by a less-privileged one.

The defensive principle is tier-0 hygiene: domain controllers, identity stores, and the accounts that have control over them are the crown jewels. Don’t let a workstation admin double as a domain admin. Don’t check credentials into source control. Use Privileged Access Management (PAM) so admin credentials are checked out just-in-time.

Stage 5: Command-and-control and persistence

Once the attacker has a useful foothold and ideally privileged access, they want to keep it. Two needs:

Command-and-control (C2)

The attacker installs an implant on the host that periodically calls back to attacker-controlled infrastructure. The callback is usually outbound — outbound is rarely as filtered as inbound — and it usually rides on a protocol the security team won’t notice in the noise:

  • HTTPS to a benign-looking domain. The most common channel. The attacker often hides the C2 traffic inside what looks like normal browser activity, sometimes through CDN-fronted infrastructure to inherit the CDN’s reputation.
  • DNS tunneling. The implant encodes data into DNS queries and exfiltrates it via the responses. Slow but very stealthy.
  • WebSockets, gRPC, or HTTP/2 streams. Long-lived bidirectional channels that look like normal app traffic.
  • Cloud services. Implants that talk to attacker-controlled buckets, Slack channels, Telegram, or GitHub repos. The traffic goes to a service the firewall trusts.

The best defences here are egress filtering (most workstations don’t need to talk to the entire internet), DNS-layer security (Cisco Umbrella, Cloudflare Gateway, NextDNS-style filtering), and TLS inspection at the perimeter where regulation allows. Modern threat-intel feeds know most C2 domains within hours of them going active; a properly-configured egress filter blocks the callback before the implant can reach its operator.

Persistence

The implant has to survive reboots and password resets. Common mechanisms:

  • Scheduled tasks / cron jobs that re-run the implant.
  • Service registrations that auto-start.
  • Modified Run keys or auto-start locations in the registry.
  • Web-shell on a public-facing server that the attacker can re-trigger any time.
  • For BEC specifically: a malicious mailbox forwarding rule that survives any password reset, exactly as we covered in the BEC investigation guide.

EDR catches most of these, especially the OS-level ones. The mailbox-rule case requires email-side controls (block external forwarding, periodic forwarding-rule audits).

Stage 6: Exfiltration and impact

What the attack was for. The two main categories:

Data exfiltration

The attacker copies sensitive data out. The data leaves over HTTPS to attacker-controlled infrastructure, over the C2 channel itself, or via direct upload to a cloud-storage account the attacker controls. Volume gives this stage away — sustained outbound transfers from a host that doesn’t normally upload anything are a red flag, which is why DLP (Data Loss Prevention) tools focus on traffic volume + content classification.

Impact: ransomware, sabotage, or fraud

Or the attacker monetises by destroying or holding hostage what they reached. Ransomware encrypts file shares and demands payment for the keys; sabotage just deletes; BEC redirects payments. The financial motive is the most common; nation-state actors might focus on espionage and leave persistence behind for later.

Defensive priorities at this stage:

  • Backups, including offline copies. If your backups are reachable from your domain, ransomware can encrypt them too. Air-gapped or immutable backups are the difference between a bad week and a company-ending event.
  • DLP for the highest-value data. Watch outbound for the kinds of files that should never leave (customer PII dumps, source-code exfil patterns).
  • Volume anomaly detection. “This host normally uploads 10 MB/day; today it’s done 200 GB” is a signal worth alerting on.

Mapping defences to stages

Stage Highest-leverage defence Layer / where it lives
Initial access MFA + email filtering + security awareness Identity + email gateway + people
Foothold & discovery EDR with behavioural detection; principle of least privilege Endpoint
Lateral movement Network segmentation; unique local-admin passwords (LAPS); restrict admin tooling Network + endpoint
Privilege escalation Patching; tier-0 hygiene; PAM / just-in-time admin Identity + endpoint
C2 + persistence Egress filtering; DNS-layer security; EDR for persistence detection Network egress + endpoint
Exfil + impact DLP; offline / immutable backups; volume anomaly detection Network + storage

You don’t need every row to be perfect. Two or three good rows make most attacks fail.

The protocols of the attack chain — everything you’ve already learned

Here’s the closing observation that ties this entire pathway together: attackers don’t use exotic protocols. They use the protocols you do. The kill chain in protocol form looks like this:

Stage Common protocols in play You learned this in
Initial access (phishing) SMTP, HTTPS, sometimes SIP Lessons 7, 8 (transport, DNS for the link they click)
Initial access (cred reuse) HTTPS, SSH, RDP, IPSec/OpenVPN/WireGuard Lessons 7 and 10 (transport + middleboxes)
Discovery ICMP, ARP, mDNS, DNS, SMB, LDAP Lessons 1, 4, 8 (the basics + DHCP/ARP + DNS)
Lateral movement SMB, RDP, WinRM, Kerberos Lesson 10 (these are middlebox-traversed services)
C2 HTTPS, DNS, WebSocket, custom over TCP/UDP Lessons 7, 8
Exfil HTTPS, FTP/SCP, cloud APIs Lessons 7, 11

Every protocol an attacker uses is one you spent an article understanding. That’s why a network engineer who can read packet captures has a head start on threat hunting that pure security people have to study to catch up to. The protocol layer doesn’t care whether the user is legitimate; you read the same headers, the same handshakes, the same DNS queries. Only the context of who’s sending them and what they want is different.

What you can now answer

  • What are the six stages of a typical intrusion? — Initial access, foothold/discovery, lateral movement, privilege escalation, C2/persistence, exfil/impact.
  • Why is MFA the single highest-leverage control? — Because most initial access is phishing or credential reuse; both fall apart in the face of a working second factor.
  • What is C2 and why is it usually outbound? — A callback channel from a compromised host; outbound because outbound is rarely filtered as tightly as inbound.
  • Why does network segmentation matter so much? — It bounds lateral movement. A flat network lets one compromised host reach everything.
  • Why does ransomware hit the backups too? — Because the backups are usually reachable from the domain. Offline / immutable copies are the fix.
  • What protocols do attackers actually use? — The same ones you do. Reading packet captures is reading attacker telemetry.

The end of the foundation tier

That closes out the foundation tier of the Networking from Scratch pathway. Twelve lessons covering, in order:

  1. What actually happens when you click a link
  2. IPv4 addressing without panic
  3. Subnetting math: the cheat sheet that actually sticks
  4. DHCP and ARP: how your computer gets and uses its address
  5. Routing vs switching: the one-paragraph mental model
  6. Cables, Wi-Fi, and the physical layer
  7. TCP, UDP, and QUIC: when to use each
  8. DNS deep dive: how a name becomes an IP
  9. OSI vs TCP/IP: which reference model to actually think in
  10. What’s actually inside a network
  11. Cloud networking 101 for on-prem admins
  12. An anatomy of common attacks (this one)

You started the pathway with no required prior experience and you finish it able to: read a packet capture, subnet by hand, build a small VPC from scratch, debug DNS with confidence, recognise the layer where any given problem lives, and read a security incident timeline against the protocols an attacker actually used.

Going deeper

The foundation tier is complete on its own — you can stop here and have a working understanding of every topic in the CCST Networking 100-150 exam blueprint. The pathway also includes follow-on articles that extend specific topics with more depth and hands-on practice. They’re not required, but if you want to go from “understands the concept” to “can do it on the job”, they’re where to spend your time next:

  • Subnetting practice set — 25 worked problems across five difficulty tiers.
  • IPv6 deep dive — link-local, SLAAC, multicast, and Neighbour Discovery in detail.
  • NAT deep dive — the types, hairpin, and what changes (and doesn’t) with IPv6.
  • VLANs and trunking — slicing one switch into many, the right way.
  • Wi-Fi tuning — channels, roaming, site surveys, and why your office Wi-Fi feels worse on Tuesdays.
  • Network troubleshooting tools — ping, traceroute, dig, tcpdump, and Wireshark, with the patterns that find problems fast.
  • Hands-on labs — setting up a home lab, capturing your first packets, and building a real VPC from scratch.

Where to go next

Certification. The CCST Networking 100-150 exam objectives are essentially the contents of this foundation tier plus some Cisco-specific terminology. If you’ve worked through all twelve articles, you’re ready to study for it directly.

Specialisation. Pick one of the other pathways on the site that matches the work you do day-to-day — cloud, security, AD/identity, virtualisation. The networking foundation transfers cleanly.

Hands-on. Nothing replaces actually building a network. A home lab with two switches, a router, and two VMs on different segments will teach you more in a weekend than any textbook — the hands-on lab article in this pathway walks you through the cheapest way to set one up.

Thanks for reading the foundation tier. The hard part is over — everything else in networking, including the deeper-dive articles below, is just more depth on the foundations you now have.

Tags: #Beginner #CCST #Kill Chain #MITRE ATT&CK #Networking #Security

Leave a Reply