Breaking down the cyberattack lifecycle: Actions on Objectives

Nicholas Koken
May 23, 2024

Every breach that hits the news, large and small, means that the attacker successfully made their way through each stage, completing their objective.

In this blog series, we’re diving into every stage of the cyberattack lifecycle, the techniques associated with each, and what you can do to defend against them. Previously, we covered Command & Control. Now it’s time for the penultimate step, Actions on Objectives.

Making away with the crown jewels

The Actions on Objectives stage represents success for cyber attackers. They have put in the work, avoided detection, and taken hostile actions against their target. Now, they can achieve the goal they set out to accomplish from stage one.

What are attackers accomplishing?

Ultimately, the final goals of attackers can vary, but they all have massive ramifications on the organizations affected. Here are some examples:

  • Data exfiltration: Stealing sensitive data is a primary action in many security breaches, but can represent multiple final goals:
    • Ransom: A prominent outcome of data theft is for the attacker to encrypt the affected organization’s data and hold it for ransom. Upon payout, the attacker may decrypt and return the stolen data, or simply refrain from releasing it to the general public.
    • Brokerage: Attackers may just seek to profit off the data they stole. Initial access markets allow them to find suitable buyers for the information they’ve gathered, such as PII (Personally Identifiable Information), credentials, and vulnerabilities.
    • Business disruption: By stealing data, and creating other obstacles, attackers can slow or even sometimes halt the operations of the targeted organization.
  • Reputation Damage: Attacks aimed at publicly disclosing sensitive or embarrassing information can tarnish the reputation of an organization, leading to loss of customer trust and a decline in market value.
  • Compromise of Supply Chain: Attackers might use the compromised organization as a gateway to infiltrate its partners or suppliers, thereby expanding their reach and impact.
  • Clout: Budding threat groups may want to make their mark on history and make their name known. Attacking a high-profile target gives them coverage and notoriety among their peers and the general public.

How are organizations affected?

The result of successful actions on objectives can spell tragedy for the affected organization, including:

  • Soft costs
    • Reputational harm
    • Operational downtime
    • Loss of intellectual property
    • Customer breach notification
  • Long tail breach costs
    • Incident response and investigation
    • Regulatory and compliance fines
    • Attorney fees and litigation
    • Cost to improve cybersecurity programs
    • Insurance premium increases
    • Lost customers
    • Vendor replacement

How can you defend against actions on objectives?

At this stage, even if other defenses have been compromised, you can still take measures to protect the organization from further impacts.

  • Data Loss Prevention (DLP): DLP solutions monitor and prevent the unauthorized transfer of sensitive data such as banking information, PII, and confidential company data.
  • Backups and disaster recovery: Keeping routine data backups allows organizations to recover their encrypted data without paying ransoms. A disaster recovery plan helps restore critical systems quickly in case of an attack.
  • Incident response plan: A key part of any cybersecurity strategy, IR planning helps align the team on how to react during security breaches. Develop a clear playbook for how to identify, contain, and recover from a security incident. This includes having a security operations team in place to respond quickly and effectively. We’ve developed seven best practices for IR.

Like in other steps within the cyberattack lifecycle, using multiple layers of security solutions creates a defense-in-depth approach. With defense-in-depth, attackers have greater barriers between each stage, securing your data from being taken or disrupted.

Keep reading our blog to learn about each stage in the cyberattack lifecycle, and how a defense-in-depth approach helps you to prevent and defend against these new and emerging threats.
