Understanding the Cyber Exploit Cycle- Part 1

With cyber-attacks becoming increasingly advanced and sophisticated it becomes important for organizations to update their security solutions. With the changing nature of malware threats, it can be challenging for security solutions to be perfect.

Cyber exploitation frequently occurs as specifically targeted attacks. With the end goal of taking an organization’s data, attackers continuously probe the systems, and search for vulnerabilities in order to gain access to a computer. Once they have access, they can steal or distort the information stored on it, corrupt its operations or program it to exploit other computers and any systems to which it is connected.

The cyber exploit cycle breaks down the phases of a cyber-attack and the process attackers take to break into an organization’s computer and network. With a better understanding of the cycle, organizations can better train and implement security procedures to best protect their network.

Reconnaissance and Weaponization

Reconnaissance is the learning stage of a cyber-attack where attackers are on a mission to obtain information from a targeted source either through observation or detection methods. These methods are often indistinguishable from normal network activity. Information is gathered from publicly accessible sources such as network scans, social networking websites, or internet search engines; the intruder’s goal is to collect enough intelligence to profile the targeted network, organization or person. The information gathered and vulnerabilities discovered can then be used to tailor the attack method against the target.


The delivery method is the method the intruder will use to compromise the network. Delivering malware can be done through software updates for system files that contain deeply hidden Trojans, through phishing attacks or simply brute force. Phishing uses e-mail messages that “look normal” and may even have a sender or subject that seems familiar to the recipient. The messages typically come with an attachment, or a link to a website and when clicked or opened, will trigger a malicious chain of events.


The install step of the cyber exploit cycle, is when the malware is secretly installed and provides remote control over the systems. Once installed, the attacker is granted complete access and control of the environment. This one point in time is a part of an elaborate attack process that takes significant time to fully operate.

Modern malware attacks go to significant lengths to hide their presence within an operating system, often avoiding off-the-shelf antivirus and intrusion protection techniques. This makes the attacks difficult to identify and malware challenging to fully remove.


The victim”s host will now behave according to the attacker’s wishes as a direct result of the delivered/installed intrusion. It’s a pivotal point in the exploit cycle where the intruder now has usage of legitimate credentials, could potentially access confidential information and continue to map the network in search for higher and higher domain privileges that will ultimately provide access to all the network resources.

The victim won’t necessarily see anything happen immediately. However, depending on the nature of the malware, if the attackers goal is to deliver ads and spam, a spike in network usage will become apparent. In other scenarios, where the end goal is sensitive data extraction, the user may never notice any obvious signs of intrusion. In recent years, small and medium sized businesses were specifically targeted in ransom-ware campaigns that encrypted all accessible data and requested payment in exchange for the decryption key.

Command and Control

The attackers now leverage the exploitation of the system in the command and control phase. They ensure their prolonged presence and control the key system components within the network environment of their target by communicating with the “Command and Control” servers.

This is especially done to conceal the attacker’s true identity and origin of the attack, allowing the perpetrators to cover their tracks in the digital world.

Action Objective

The primary aim of cyber exploitation is: attaining valuable data such as intellectual property, classified projects, policy documents, business, contracts, banking information, etc. When the data (their target all along) has been taken and transferred to the intruder’s system their mission is complete.

Usually at this stage, the attacker will try to monetize the data in one way or another (i.e., through blackmail- as in the case of ransom-ware or by selling it on the dark web- as in the case of banking information).

Looking Ahead

With an understanding of the cyber exploit’s process and motivations, organizations can begin to put recommendations into place and utilize technologies to strengthen their defenses and limit their exposure in the event of a security breach.

In Understanding the Cyber Exploit Cycle- Part 2, we will look at protocols the Communications Security Establishment implements to best protect the Government of Canada’s data and infrastructures.

(image via Flickr.)