Mandiant’s Attack Lifecycle Model

Initial compromise: The attacker penetrates a target organization’s network for the first time (for example, via spear phishing) and successfully executes malicious code on one or more systems within that environment.

Establish foothold: The attacker seeks to strengthen their position in the environment by installing a persistent backdoor on the just-compromised endpoint. Thus, they ensure control of the target network’s systems from outside the network.

Escalate privilege: The attacker seeks to obtain further access to systems and data in the target environment. This is usually done by acquiring items that will allow access to more resources within the network, such as usernames and passwords.

Internal reconnaissance: The attacker explores the organization’s environment to better understand its infrastructure, how and where it stores information of interest and critical users’ roles.

Lateral movement: The attacker uses the accounts and knowledge of the network gathered in previous phases to move to additional systems in the environment.

Maintain presence: The attacker ensures continued access to the environment (e.g., through legitimate VPN sessions).

Complete mission: The attacker accomplishes the objectives of the intrusion, such as theft or disruption of business operations.