Modern cyber attacks are highly sophisticated and profit-driven, and cybercriminals have adopted a nuanced approach to ensure their success. This generally entails a multi-step attack strategy, which security researchers at Lockheed Martin have identified as the cyber kill chain model.
For instance, professional hackers typically begin with a period of careful research into their targets. This ranges from overt scans using automated tools to find and catalogue existing network and security hardware, to manually establishing the identities of key employees from publicly available information.
With this information in hand, attackers proceed to determine possible methods of gaining a foothold in the target organisation. One popular technique is to embed malware in seemingly harmless files and send them in emails crafted to appear to come from colleagues. More highly targeted attacks could use email messages designed to appeal to the personal interests of individuals, and could even extend to the hacking of third-party websites frequented by a targeted employee.
To be clear, infiltration attempts are typically made on more than one employee at a time. However, only one successful attempt is needed for attackers to establish persistence within the organisation. This is quickly followed by the establishment of an encrypted two-way command channel for real-time communication between the compromised host and the attackers.
Attackers then proceed with their nefarious schemes from this launch pad, be it stealing data, disrupting critical infrastructure, or attempting extortion. Depending on the role of the host, the compromised machine could also be leveraged as a base from which to probe or attack a higher-value target through the corporate network.