What You'll Learn
- Understand the Cyber Kill Chain and how attackers progress through its seven stages
- Apply the Diamond Model to break any attack into four core components
- Identify the most common attack patterns that Blue Team analysts encounter daily
- Explain why understanding the attacker's perspective makes you a better defender
- Map real-world attack scenarios to frameworks used in SOC operations
Why Study the Attacker?
In the previous lesson, you learned how the SOC operates — the structure, the tiers, the data flow. Now we flip the perspective. To defend effectively, you need to think like the adversary.
This isn't about learning to hack. It's about understanding the playbook that attackers follow so you can recognize their moves when you see them in logs, alerts, and network traffic. Every experienced SOC analyst will tell you the same thing:
The best defenders are the ones who understand the offense.
Attack frameworks give you a structured vocabulary for describing what the attacker is doing at each stage. Instead of saying "something weird is happening," you'll say "we're seeing lateral movement via pass-the-hash — that's post-exploitation, likely TA0008." That precision changes everything: your triage speed, your escalation quality, and your ability to predict what the attacker will do next.
Real-World Context: The 2024 Verizon Data Breach Investigations Report analyzed over 30,000 security incidents. The most common attack pattern? Stolen credentials + web application exploitation, accounting for nearly 50% of all breaches. Understanding these patterns — not just as statistics but as step-by-step attack sequences — is what separates effective analysts from checkbox operators.
The Cyber Kill Chain
Developed by Lockheed Martin in 2011, the Cyber Kill Chain is the foundational framework for understanding how targeted attacks unfold. It describes seven sequential stages an attacker must complete to achieve their objective. The key insight: if you break any link in the chain, you stop the attack.
Stage 1: Reconnaissance
The attacker researches the target before launching any attack. This is information gathering — finding out who works at the organization, what technologies they use, which servers are internet-facing, and where the vulnerabilities might be.
What the attacker does:
- Scans public-facing IP ranges with tools like Shodan, Nmap, or Masscan
- Harvests employee names, emails, and roles from LinkedIn, company websites, and social media
- Enumerates subdomains, DNS records, and exposed services
- Searches for leaked credentials on paste sites and dark web forums
- Maps the organization's technology stack (web server versions, CMS, email gateway)
What SOC analysts see:
- Unusual port scans hitting multiple services on perimeter hosts
- Spikes in DNS queries for internal subdomains from external IPs
- Threat intelligence feeds flagging your organization's domain in recon tool databases
Defender's Advantage: Reconnaissance is the attacker's longest and most visible phase. Network monitoring tools like Suricata (which you'll master in Module 3) can detect scan patterns. Threat intelligence platforms like MISP can alert you when your organization's assets appear in known attacker reconnaissance datasets.
Stage 2: Weaponization
The attacker creates the weapon — typically a piece of malware, a malicious document, or an exploit package — tailored to the vulnerabilities they discovered during reconnaissance.
What the attacker does:
- Pairs a Remote Access Trojan (RAT) with an exploit (e.g., a PDF with a zero-day)
- Creates a malicious macro-enabled Office document
- Builds a phishing page that mimics the target's login portal
- Generates a custom payload to evade the target's specific antivirus
What SOC analysts see:
- Usually nothing at this stage — weaponization happens on the attacker's infrastructure
- However, threat intel feeds may surface new malware samples targeting your industry or tech stack
Stage 3: Delivery
The weapon reaches the target. This is the first point where the attack crosses from the attacker's world into the defender's environment.
What the attacker does:
- Sends a spear-phishing email with a malicious attachment or link
- Compromises a legitimate website the target visits (watering hole attack)
- Exploits a public-facing vulnerability (unpatched VPN, web application)
- Uses USB drops in the target's physical location
- Leverages a compromised supply chain partner
What SOC analysts see:
- Email gateway flags a suspicious attachment (or misses it)
- Web proxy logs show a user visiting a newly registered domain
- IDS/IPS alerts for exploit attempts against public-facing services
- Wazuh alerts for unusual process execution on endpoints
| Delivery Method | Detection Point | CyberBlueSOC Tool |
|---|---|---|
| Phishing email | Email gateway logs, endpoint | Wazuh |
| Watering hole | Web proxy, DNS logs | Suricata, Wazuh |
| Public exploit | IDS/IPS, web server logs | Suricata |
| Supply chain | Endpoint behavior, network | Wazuh, Velociraptor |
Stage 4: Exploitation
The delivered weapon fires. A vulnerability is exploited — in a browser, an application, the operating system, or simply the human (social engineering).
What the attacker does:
- User opens the malicious document, triggering a macro that executes code
- Browser exploit runs when the user visits the compromised website
- Unpatched service is exploited remotely (EternalBlue, Log4Shell, ProxyLogon)
- User enters credentials into the phishing page
What SOC analysts see:
- Unusual process creation (e.g., Word spawning PowerShell)
- Application crash logs or unexpected error patterns
- Wazuh rule triggers for known exploitation patterns
- Endpoint detection alerts for suspicious code execution
Common Misconception: Exploitation doesn't always mean "hacking." The most successful exploitation technique in 2024 was simply credential theft through phishing. The user willingly enters their password on a fake login page. No vulnerability was exploited in the software — the vulnerability was the human. As a SOC analyst, you'll see far more credential-based attacks than technical exploits.
Stage 5: Installation
The attacker establishes a persistent foothold on the compromised system. If the attacker only had temporary access during exploitation, installation ensures they can come back even after the system reboots or the initial vulnerability is patched.
What the attacker does:
- Drops a backdoor, web shell, or Remote Access Trojan (RAT)
- Creates scheduled tasks or registry run keys for persistence
- Modifies system services to auto-start malware
- Installs a rootkit to hide their presence
- Creates new user accounts or adds SSH keys
What SOC analysts see:
- New scheduled tasks or services created at unusual times
- Registry modifications to autorun keys
- New local user accounts or SSH authorized_keys changes
- Web shells appearing in web server directories
- Wazuh file integrity monitoring (FIM) alerts
Stage 6: Command & Control (C2)
The installed malware phones home to the attacker's infrastructure, establishing a Command & Control (C2) channel. This gives the attacker remote, interactive access to the compromised system.
What the attacker does:
- Malware connects to a C2 server via HTTPS, DNS tunneling, or social media APIs
- Uses encrypted channels to avoid content inspection
- Beacons at random intervals to mimic legitimate traffic
- May use legitimate cloud services (AWS, Azure, GitHub) as C2 relay points
What SOC analysts see:
- Beaconing patterns — regular outbound connections to the same external IP/domain
- DNS queries to newly registered or suspicious domains (DGA detection)
- Unusual outbound traffic patterns (high DNS TXT queries, encoded data in HTTP headers)
- Connections to known C2 infrastructure flagged by threat intelligence (MISP)
- Suricata network signatures matching known C2 protocols
Detection Opportunity: C2 communication is one of the best detection points for SOC analysts. The attacker must maintain an ongoing communication channel, and that traffic has to cross your network. Tools like Suricata for network-level detection and MISP for threat intel correlation make this a high-value focus area. You'll build C2 detection rules in Modules 3 and 8.
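The beaconing pattern described above can be scored from flow records alone. This is an added illustration, not code from the page or from Suricata; the flow tuples are constructed, and the coefficient-of-variation threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound flow records (timestamp, src, dst), in the
# shape you would get after parsing Suricata flow events. Not real traffic.
SAMPLE_FLOWS = [
    # 10.0.0.15 -> 203.0.113.7: ~60 s cadence with a few seconds of jitter
    ("2024-05-01T10:00:00", "10.0.0.15", "203.0.113.7"),
    ("2024-05-01T10:01:01", "10.0.0.15", "203.0.113.7"),
    ("2024-05-01T10:01:59", "10.0.0.15", "203.0.113.7"),
    ("2024-05-01T10:03:02", "10.0.0.15", "203.0.113.7"),
    ("2024-05-01T10:04:00", "10.0.0.15", "203.0.113.7"),
    ("2024-05-01T10:04:58", "10.0.0.15", "203.0.113.7"),
    ("2024-05-01T10:06:01", "10.0.0.15", "203.0.113.7"),
    ("2024-05-01T10:07:00", "10.0.0.15", "203.0.113.7"),
    # 10.0.0.15 -> 198.51.100.20: bursty, human-driven browsing pattern
    ("2024-05-01T10:00:10", "10.0.0.15", "198.51.100.20"),
    ("2024-05-01T10:00:12", "10.0.0.15", "198.51.100.20"),
    ("2024-05-01T10:03:40", "10.0.0.15", "198.51.100.20"),
    ("2024-05-01T10:04:05", "10.0.0.15", "198.51.100.20"),
    ("2024-05-01T10:15:00", "10.0.0.15", "198.51.100.20"),
    ("2024-05-01T10:15:01", "10.0.0.15", "198.51.100.20"),
    ("2024-05-01T10:30:00", "10.0.0.15", "198.51.100.20"),
    # 10.0.0.22 -> 203.0.113.7: too few events to judge either way
    ("2024-05-01T10:02:00", "10.0.0.22", "203.0.113.7"),
    ("2024-05-01T10:03:00", "10.0.0.22", "203.0.113.7"),
]


def find_beacons(flows, min_events=6, max_cv=0.15):
    """Return {(src, dst): stats} for pairs whose inter-connection intervals
    are regular enough to look like C2 beaconing.

    Regularity is the coefficient of variation (stdev / mean) of the gaps:
    near 0 means a fixed timer, large values mean bursty human traffic.
    Heavily jittered beacons raise the CV and can slip under the threshold,
    so treat this as one signal to correlate with threat intel, not a verdict.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"count": len(times), "mean_interval": avg, "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_FLOWS).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```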
Stage 7: Actions on Objectives
The attacker achieves their goal. All previous stages were building toward this moment.
What the attacker does:
- Exfiltrates sensitive data (customer records, intellectual property, credentials)
- Deploys ransomware across the network
- Moves laterally to access higher-value targets
- Destroys data or systems (wiper malware)
- Establishes long-term espionage access
- Manipulates data for fraud
What SOC analysts see:
- Large data transfers to external destinations
- Mass file encryption events (ransomware)
- Lateral movement patterns (RDP, PsExec, WMI across multiple endpoints)
- Privilege escalation events (normal user → admin)
- Data staging in unusual directories before exfiltration
The Diamond Model of Intrusion Analysis
While the Kill Chain shows you the sequence of an attack, the Diamond Model (developed by Caltagirone, Pendergast, and Betz in 2013) shows you the components of any intrusion. Every single security event can be broken down into four interconnected vertices:
The Four Vertices
| Vertex | What It Represents | Example |
|---|---|---|
| Adversary | Who is attacking | APT29 (Cozy Bear), FIN7, a lone script kiddie |
| Infrastructure | What tools/servers the attacker uses | C2 servers, phishing domains, exploit kits, VPN nodes |
| Capability | What the attacker can do (malware, techniques) | Cobalt Strike beacon, phishing emails, zero-day exploits |
| Victim | Who/what is being targeted | Your organization, a specific employee, a server |
Why SOC Analysts Use the Diamond Model
The power of the Diamond Model is pivot analysis. When you discover one vertex, you can pivot to discover others:
- You find a malicious IP (Infrastructure) → Query MISP for threat intel → Discover it's linked to APT28 (Adversary) → Learn they use Mimikatz and PsExec (Capability) → Check if those tools have been used on your endpoints (Victim)
- You detect Cobalt Strike traffic (Capability) → Trace the destination C2 server (Infrastructure) → Look up who owns that infrastructure → Link it to a threat group (Adversary) → Predict what they'll target next in your environment (Victim)
- An employee reports a phishing email (Victim) → Extract the phishing domain (Infrastructure) → Analyze the payload → Identify the malware family (Capability) → Match to known APT group (Adversary)
Practical Application: Every time you investigate an alert, mentally map it to the Diamond Model. Ask: "What do I know about the adversary, their infrastructure, their capabilities, and the victim?" Even if you can only fill in one or two vertices initially, that gives you a structured path for investigation. This is how L2 and L3 analysts think — and it's a skill you can start building from day one.
Common Attack Patterns Blue Teams Face
Frameworks are powerful, but you also need to know the specific attacks that fill your alert queue every day. Here are the patterns you'll encounter most frequently as a SOC analyst, ranked by how often they appear:
1. Phishing & Credential Theft
Frequency: Daily — this is the #1 attack vector globally.
The attacker sends emails designed to trick users into revealing credentials or executing malicious code. Variants include spear-phishing (targeted), whaling (targeting executives), and business email compromise (BEC).
What triggers SOC alerts:
- Email gateway detects suspicious URLs or attachments
- User reports a suspicious email
- Impossible travel: user logs in from New York, then from Moscow 30 minutes later
- Multiple failed MFA attempts followed by a successful login
Kill Chain mapping: Delivery → Exploitation (user clicks link / opens attachment)
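The "impossible travel" trigger listed above is a speed check between consecutive logins. This added example is not from the page or any vendor product; the login records and coordinates are constructed (in practice they come from a GeoIP lookup on the source IP), and the 1000 km/h ceiling is an assumed threshold.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed successful-login records (user, timestamp, src_ip, lat, lon).
# Coordinates are embedded so the example runs offline. Not real data.
SAMPLE_LOGINS = [
    ("alice", "2024-05-01T09:00:00", "198.51.100.10", 40.71, -74.01),   # New York
    ("alice", "2024-05-01T09:30:00", "203.0.113.45", 55.76, 37.62),     # Moscow
    ("bob",   "2024-05-01T08:00:00", "192.0.2.8",     51.51, -0.13),    # London
    ("bob",   "2024-05-01T11:00:00", "192.0.2.77",    48.86, 2.35),     # Paris
    ("carol", "2024-05-01T08:00:00", "192.0.2.30",    37.77, -122.42),  # San Francisco
    ("carol", "2024-05-01T08:05:00", "192.0.2.30",    37.77, -122.42),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=1000.0):
    """Flag consecutive logins by one user that would need travel faster than
    max_kmh (roughly airliner speed). Returns a list of findings.

    Caveat: VPN egress points, mobile carrier NAT and coarse GeoIP data all
    produce false positives, so this is a triage signal, not proof of theft.
    """
    by_user = {}
    for user, ts, ip, lat, lon in logins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip, lat, lon))

    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist == 0:
                continue  # same location, nothing to judge
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two places at the same instant is trivially impossible
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_kmh:
                findings.append({"user": user, "from_ip": ip1, "to_ip": ip2,
                                 "km": round(dist), "hours": round(hours, 2),
                                 "speed_kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f"impossible travel: {f}")
```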
2. Brute Force & Credential Stuffing
Frequency: Daily — automated attacks run 24/7.
Attackers use automated tools to try thousands of username/password combinations against login portals, VPNs, RDP, and SSH services. Credential stuffing specifically uses passwords leaked from other breaches.
What triggers SOC alerts:
- Multiple failed login attempts from a single IP
- Distributed failed logins across many accounts from many IPs (low-and-slow)
- Account lockout events
- Successful login from a known-malicious IP after multiple failures
Kill Chain mapping: Delivery → Exploitation (successful credential compromise)
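The three brute-force triggers above (many failures from one IP, low-and-slow distributed failures, and a success following failures) can be pulled out of a plain sshd log. This is an added example, not code from the page or from Wazuh; the log lines are constructed and the thresholds are assumed starting points.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd-style syslog lines: one noisy brute-force source, a spread of
# single attempts from many sources (stuffing), and one legitimate typo. Not real.
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 vpn01 sshd[4011]: Failed password for alice from 203.0.113.9 port 51234 ssh2
May  1 10:00:02 vpn01 sshd[4012]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
May  1 10:00:03 vpn01 sshd[4013]: Failed password for root from 203.0.113.9 port 51236 ssh2
May  1 10:00:04 vpn01 sshd[4014]: Failed password for bob from 203.0.113.9 port 51237 ssh2
May  1 10:00:05 vpn01 sshd[4015]: Failed password for alice from 203.0.113.9 port 51238 ssh2
May  1 10:00:09 vpn01 sshd[4016]: Accepted password for alice from 203.0.113.9 port 51240 ssh2
May  1 10:05:00 vpn01 sshd[4020]: Failed password for carol from 198.51.100.11 port 40001 ssh2
May  1 10:09:00 vpn01 sshd[4021]: Failed password for dave from 198.51.100.12 port 40002 ssh2
May  1 10:14:00 vpn01 sshd[4022]: Failed password for erin from 198.51.100.13 port 40003 ssh2
May  1 10:20:00 vpn01 sshd[4023]: Failed password for frank from 198.51.100.14 port 40004 ssh2
May  1 10:27:00 vpn01 sshd[4024]: Failed password for grace from 198.51.100.15 port 40005 ssh2
May  1 10:31:00 vpn01 sshd[4030]: Failed password for heidi from 10.0.0.5 port 39001 ssh2
May  1 10:31:20 vpn01 sshd[4031]: Accepted password for heidi from 10.0.0.5 port 39002 ssh2
"""

AUTH_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")


def analyze_auth_log(text, brute_force_threshold=5, min_distributed_ips=5):
    """Return the three signals for one log:
    - brute_force_ips: sources with >= brute_force_threshold failed logins
    - distributed_low_and_slow: many sources each failing only once or twice
      against many distinct accounts (the credential-stuffing shape)
    - success_after_failures: (user, ip) where a success follows 3+ failures
      from the same source; this is the one to escalate first
    """
    failures_by_ip = Counter()
    accounts_by_ip = defaultdict(set)
    success_after_failures = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures_by_ip[ip] += 1
            accounts_by_ip[ip].add(user)
        elif failures_by_ip[ip] >= 3:
            success_after_failures.append((user, ip))

    brute_force_ips = sorted(ip for ip, n in failures_by_ip.items() if n >= brute_force_threshold)
    low_volume_ips = [ip for ip, n in failures_by_ip.items() if n <= 2]
    targeted = set().union(*(accounts_by_ip[ip] for ip in low_volume_ips))
    distributed = len(low_volume_ips) >= min_distributed_ips and len(targeted) >= min_distributed_ips
    return {
        "brute_force_ips": brute_force_ips,
        "distributed_low_and_slow": distributed,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    print(analyze_auth_log(SAMPLE_AUTH_LOG))
```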
3. Malware & Ransomware
Frequency: Weekly to monthly for serious incidents, but malware-related alerts fire daily.
Malicious software designed to damage, disrupt, or gain unauthorized access. Ransomware — which encrypts files and demands payment — is the most financially devastating variant.
What triggers SOC alerts:
- Endpoint detection of known malware signatures
- Suspicious process behavior (PowerShell downloading executables, cmd.exe spawned by Office)
- Mass file rename/encryption events (ransomware indicator)
- C2 beaconing detected by network IDS
- File integrity monitoring alerts (new DLLs in system directories)
Kill Chain mapping: Spans Installation → C2 → Actions on Objectives
4. Lateral Movement
Frequency: Seen during active incidents — a critical escalation indicator.
After gaining initial access to one system, the attacker moves through the network to reach higher-value targets. This is where a minor breach becomes a catastrophic one.
What triggers SOC alerts:
- RDP connections between workstations (workstation-to-workstation is abnormal)
- PsExec, WMI, or WinRM execution across systems
- Pass-the-hash or pass-the-ticket Kerberos anomalies
- A service account suddenly accessing systems it's never touched before
- New admin shares created (C$, ADMIN$)
Kill Chain mapping: Actions on Objectives (though it can also be Exploitation of internal systems)
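The first trigger above, workstation-to-workstation RDP, becomes a concrete rule when you count distinct peer workstations one host reaches inside a time window. This added example is not from the page or any product; the connection records, the "WS-" hostname convention and the allowlisted admin workstation are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed connection records (timestamp, src_host, dst_host, dst_port), as
# you might get from flow logs enriched with hostnames. Not real data.
SAMPLE_CONNECTIONS = [
    ("2024-05-01T14:00:00", "WS-FIN-07", "WS-FIN-12", 3389),  # fan-out begins
    ("2024-05-01T14:06:00", "WS-FIN-07", "WS-HR-03", 3389),
    ("2024-05-01T14:15:00", "WS-FIN-07", "WS-IT-01", 3389),
    ("2024-05-01T14:16:00", "WS-FIN-07", "SRV-FILE-01", 445),  # SMB, not RDP
    ("2024-05-01T09:00:00", "WS-ADMIN-01", "WS-FIN-02", 3389),  # allowlisted helpdesk box
    ("2024-05-01T09:10:00", "WS-ADMIN-01", "WS-FIN-05", 3389),
    ("2024-05-01T09:20:00", "WS-ADMIN-01", "WS-FIN-09", 3389),
    ("2024-05-01T08:00:00", "WS-IT-04", "SRV-DB-01", 3389),  # workstation -> server
    ("2024-05-01T13:00:00", "WS-OPS-02", "WS-OPS-03", 3389),  # two hops, hours apart
    ("2024-05-01T17:30:00", "WS-OPS-02", "WS-OPS-04", 3389),
]


def is_workstation(host):
    """Assumed naming convention: workstation hostnames start with 'WS-'."""
    return host.upper().startswith("WS-")


def rdp_fan_out(connections, min_targets=3, window=timedelta(minutes=30),
                allowlist=frozenset({"WS-ADMIN-01"})):
    """Flag a workstation that opens RDP to >= min_targets distinct other
    workstations within one sliding window. Workstation-to-server RDP and
    allowlisted admin hosts are ignored, which is where most noise lives."""
    by_src = defaultdict(list)
    for ts, src, dst, port in connections:
        if port != RDP_PORT or src in allowlist:
            continue
        if not (is_workstation(src) and is_workstation(dst)):
            continue
        by_src[src].append((datetime.fromisoformat(ts), dst))

    findings = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets, last = [], start
            for t, dst in events[i:]:
                if t - start > window:
                    break
                last = t
                if dst not in targets:
                    targets.append(dst)
            if len(targets) >= min_targets:
                findings.append({"src": src, "targets": targets,
                                 "minutes": (last - start).total_seconds() / 60})
                break  # one finding per source is enough to raise the alert
    return findings


if __name__ == "__main__":
    for f in rdp_fan_out(SAMPLE_CONNECTIONS):
        print(f"possible lateral movement: {f}")
```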
5. Data Exfiltration
Frequency: The ultimate objective in many breaches — harder to detect than earlier stages.
The attacker copies sensitive data out of the network. This can be sudden (grab-and-go) or gradual (low-and-slow over weeks).
What triggers SOC alerts:
- Large outbound data transfers to cloud storage or unusual external IPs
- DNS tunneling (unusually large or frequent DNS queries)
- Encrypted traffic to newly registered domains
- Uploads to personal email/cloud accounts from corporate endpoints
- Compression and staging of files before transfer
Kill Chain mapping: Actions on Objectives
Critical Insight: The average time from initial compromise to data exfiltration has dropped to just 4 days (CrowdStrike 2024 Global Threat Report). Some ransomware groups complete the entire kill chain in under 24 hours. This is why SOC speed matters — every hour of detection delay gives the attacker more time to achieve their objectives. The frameworks you're learning aren't academic exercises; they're the foundation for rapid, effective response.
Putting It All Together: A Real-World Scenario
Let's trace a realistic attack through both frameworks to see how everything connects.
Scenario: An attacker targets a financial services company to steal customer data.
| Kill Chain Stage | What Happens | Diamond Model Vertex |
|---|---|---|
| Reconnaissance | Attacker finds the company uses Outlook Web Access (OWA) and identifies 3 finance team members on LinkedIn | Adversary researches Victim |
| Weaponization | Creates a convincing invoice PDF with an embedded macro that downloads a Cobalt Strike beacon | Adversary develops Capability |
| Delivery | Sends spear-phishing email to the 3 finance employees from a spoofed vendor domain | Infrastructure (phishing domain) targets Victim |
| Exploitation | One employee opens the PDF and enables macros. The macro executes PowerShell | Capability exploits Victim |
| Installation | Cobalt Strike beacon is downloaded and installed. A scheduled task is created for persistence | Capability deployed via Infrastructure |
| C2 | Beacon connects to attacker's server via HTTPS on port 443, blending with normal traffic | Infrastructure communicates with Victim |
| Actions | Attacker dumps credentials, moves laterally to the database server, exfiltrates 50,000 customer records | Adversary achieves objective against Victim |
As a SOC analyst, you might detect this at any stage: Suricata flags the phishing domain, Wazuh catches the unusual PowerShell execution, network monitoring spots the C2 beaconing, or MISP matches the C2 IP to a known threat group. The more stages you understand, the more detection opportunities you have.
Key Takeaways
- The Cyber Kill Chain describes seven sequential stages: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives
- Breaking any single link in the kill chain stops the entire attack
- The Diamond Model maps every intrusion to four vertices: Adversary, Infrastructure, Capability, Victim
- Pivot analysis lets you discover unknown vertices from known ones — the core of investigation
- The top 5 attack patterns are: phishing, brute force, malware/ransomware, lateral movement, and data exfiltration
- Understanding the attacker's playbook gives you predictive power — you know what they'll try next
- Frameworks aren't theoretical — they're the language SOC teams use to communicate during live incidents
What's Next
You now understand both sides of the battlefield — how the SOC operates (Lesson 1.1) and how attackers think (this lesson). The next lesson introduces the framework that brings it all together: MITRE ATT&CK. ATT&CK is the universal language of cyber defense — a comprehensive catalog of adversary tactics and techniques that every SOC in the world uses for detection, investigation, and threat hunting. You'll learn to "speak ATT&CK" fluently, a skill that will be referenced in every module that follows.
Knowledge Check: The Attack Landscape
10 questions · 70% to pass
What is the primary purpose of studying attack frameworks as a SOC analyst?
In the Cyber Kill Chain, which stage is the FIRST point where the attack enters the defender's environment?
A SOC analyst detects regular HTTPS connections from an internal workstation to an unknown external IP every 60 seconds. Which Kill Chain stage does this most likely represent?
In the Diamond Model, you discover a malicious IP address (Infrastructure) linked to a phishing campaign. What is the most effective next step using pivot analysis?
Which attack pattern is the #1 most common initial access vector according to recent industry reports?
In Lab 1.2, you mapped APT29 techniques to the ATT&CK Navigator and performed a gap analysis. What was the primary deliverable you created to communicate detection blind spots to SOC leadership?
An analyst sees a workstation making RDP connections to three other workstations in sequence over 20 minutes. Which attack pattern does this most likely indicate?
What is the key defensive insight of the Cyber Kill Chain model?
In Lab 1.2, you mapped APT29's real-world attack to the ATT&CK framework. Which initial access technique was central to APT29's campaign, involving malicious email attachments sent to targeted employees?
In Lab 1.2, you used the ATT&CK Navigator to color-code detection coverage for APT29 techniques. When you found techniques your SOC had no detection rules for, what did those cells look like in the Navigator?