Understanding How Attacks Actually Work
Why You Need to Think Like an Attacker
There is a saying in security: defenders have to be right every time, attackers only have to be right once. That is true, but it is also incomplete. The better you understand how attacks actually work - not in theory but in practice - the better you can anticipate and prevent them.
I have spent years analyzing breaches, both publicly reported ones and private incident response engagements. The patterns repeat. The same mistakes show up again and again. Once you can recognize these patterns, you are already more effective than many working professionals who have never studied attack chains systematically.
This chapter walks through real-world breaches step by step, introduces you to the MITRE ATT&CK framework, and teaches you to think about attacks as chains of events rather than single moments of failure.
Anatomy of an Attack Chain
Before we look at specific breaches, you need to understand the general structure of how attacks unfold. Almost every significant breach follows a predictable chain:
TYPICAL ATTACK CHAIN
=====================
+----------------+
| 1. RECON | Research target, find employees,
| | discover systems, identify weaknesses
+-------+--------+
|
v
+----------------+
| 2. INITIAL | Phishing email, exploited vuln,
| ACCESS | stolen credentials, supply chain
+-------+--------+
|
v
+----------------+
| 3. ESTABLISH | Install backdoor, create accounts,
| FOOTHOLD | deploy RAT, persist across reboots
+-------+--------+
|
v
+----------------+
| 4. ESCALATE | Local admin -> domain admin,
| PRIVILEGES | exploit misconfigs, steal tokens
+-------+--------+
|
v
+----------------+
| 5. LATERAL | Move to other systems, map network,
| MOVEMENT | access file shares, find crown jewels
+-------+--------+
|
v
+----------------+
| 6. DATA ACCESS | Find sensitive data, stage for
| & STAGING | exfiltration, encrypt for ransom
+-------+--------+
|
v
+----------------+
| 7. EXFIL OR | Steal data, deploy ransomware,
| IMPACT | destroy backups, demand payment
+----------------+
The key insight is that every step in this chain is a potential detection point. If you can catch the attacker at step 2 or 3, you prevent the catastrophic damage that happens at steps 6 and 7. This is why defense in depth matters - you want multiple chances to catch the attacker.
Case Study 1: The AT&T Breach - When the Cloud Is the Target
In 2024, AT&T disclosed one of the largest telecommunications breaches in history. Attackers accessed call and text metadata for nearly all AT&T wireless customers - approximately 110 million people. The data covered a six-month period and included phone numbers, call durations, and cell tower location data.
Here is how the attack chain unfolded:
The Attack Chain
| Step | What Happened | Detection Opportunity |
|---|---|---|
| Recon | Attackers identified that AT&T used Snowflake for cloud data warehousing | Monitor for unusual interest in your tech stack |
| Initial Access | Compromised credentials for AT&T's Snowflake account - no MFA was enabled | Enforce MFA on all cloud platform accounts |
| Privilege Use | Used the valid credentials to access massive datasets through normal Snowflake queries | Monitor for anomalous query patterns and data volumes |
| Data Access | Queried six months of call/text metadata for 110M customers | Data loss prevention controls, query auditing |
| Exfiltration | Extracted data through Snowflake's normal export functionality | Monitor data export volumes, alert on large transfers |
Lessons for Beginners
This breach is instructive because it was not technically sophisticated. There was no zero-day exploit, no custom malware, no brilliant hacking. The attackers had valid credentials and the account did not have multi-factor authentication enabled. That is it.
The AT&T/Snowflake breach reinforces a painful truth: the most devastating attacks are often the simplest. No MFA on a cloud platform that holds 110 million customers' data. This is not a technology problem - it is a process and governance problem. The most basic security controls, properly implemented, would have prevented it entirely.
This breach also hit other Snowflake customers including Ticketmaster and Santander Bank. The common thread was the same: stolen credentials plus no MFA on Snowflake accounts. Snowflake subsequently made MFA mandatory for all accounts.
Case Study 2: Chrome Extension Supply Chain Attack
In late 2024 and early 2025, a sophisticated supply chain attack targeted Chrome browser extensions. Attackers compromised the developer accounts of legitimate extension publishers and pushed malicious updates to millions of users.
How Supply Chain Attacks Work
SUPPLY CHAIN ATTACK FLOW
=========================
Legitimate Developer
+-------------------+
| Creates useful |
| browser extension |
| (e.g., VPN tool, |
| productivity app)|
+--------+----------+
|
| Publishes to Chrome Web Store
v
+-------------------+ +-------------------+
| Chrome Web Store | | ATTACKER |
| 500K+ installs | | |
| | | 1. Phishes the |
| | | developer |
| | <-- | 2. Steals OAuth |
| | | token for |
| | | Web Store |
| | | 3. Pushes |
+--------+----------+ | malicious |
| | update |
| Auto-updates +-------------------+
v
+-------------------+
| 500K+ Users |
| Now running |
| malicious code |
| in their browser |
+-------------------+
The Attack Chain
| Step | What Happened | Why It Worked |
|---|---|---|
| Recon | Attackers identified popular extensions with large install bases | Extension developers are often individuals, not security teams |
| Initial Access | Phishing emails targeting extension developers, stealing OAuth tokens for Chrome Web Store | Developers are humans too - they click links |
| Code Injection | Pushed updates with data-stealing code disguised as legitimate functionality | Auto-update mechanism delivered malware silently |
| Data Theft | Malicious extensions harvested browser cookies, session tokens, and credentials | Extensions have broad access to browser data by design |
| Persistence | Updates looked legitimate, users had no reason to suspect anything | Trust in the official extension store |
What This Teaches You
Supply chain attacks are one of the most important attack categories for aspiring security professionals to understand. They exploit trust relationships rather than technical vulnerabilities. The user did not do anything wrong. The extension store did not do anything wrong. The attacker found the weakest link in the chain - the individual developer - and exploited that trust to reach millions of end users.
This is the same pattern we saw with the SolarWinds attack in 2020 and the MOVEit breach in 2023. Attackers are increasingly targeting the software supply chain because one compromise can cascade to thousands of victims.
Case Study 3: Healthcare Ransomware - Change Healthcare
The February 2024 attack on Change Healthcare by the ALPHV/BlackCat ransomware group was devastating. Change Healthcare processes about 15 billion healthcare transactions annually - roughly one in three patient records in the United States passes through their systems.
The Attack Chain
| Step | Detail | Time |
|---|---|---|
| Initial Access | Compromised credentials for a Citrix remote access portal - no MFA | Day 0 |
| Reconnaissance | Mapped internal network, identified critical systems | Days 1-5 |
| Privilege Escalation | Gained domain admin access through lateral movement | Days 5-7 |
| Data Exfiltration | Stole 6 TB of data including patient records, insurance info, financial data | Days 7-9 |
| Ransomware Deployment | Encrypted systems across the network | Day 9 |
| Impact | Healthcare payments across the U.S. disrupted for weeks | Days 9-30+ |
The aftermath was catastrophic. UnitedHealth Group (Change Healthcare's parent company) paid a $22 million ransom. The outage affected pharmacies, hospitals, and clinics nationwide. Patients could not get prescriptions filled. Providers could not submit insurance claims. Small medical practices faced bankruptcy from cash flow disruption.
The Change Healthcare breach started the same way as the AT&T breach: stolen credentials and no multi-factor authentication on a remote access system. Two of the most impactful breaches of 2024, and both were preventable with a security control that has existed for over 20 years. This is why identity security is so important - we will cover it deeply in the next chapter.
The MITRE ATT&CK Framework
Now that you have seen how real attacks unfold, let me introduce you to the framework that the security industry uses to categorize and discuss attack techniques: MITRE ATT&CK.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a comprehensive matrix of everything attackers do, organized by tactical objective.
The Tactics (What Attackers Are Trying to Do)
| Tactic | Description | Example |
|---|---|---|
| Reconnaissance | Gathering information about the target | Scanning for open ports, OSINT research |
| Resource Development | Setting up infrastructure for the attack | Registering lookalike domains, buying credentials |
| Initial Access | Getting into the target environment | Phishing, exploiting public-facing applications |
| Execution | Running malicious code | PowerShell scripts, malicious macros |
| Persistence | Maintaining access across reboots | Scheduled tasks, registry modifications, implants |
| Privilege Escalation | Getting higher-level permissions | Exploiting sudo misconfigs, token theft |
| Defense Evasion | Avoiding detection | Disabling logging, obfuscating malware |
| Credential Access | Stealing passwords and tokens | Keyloggers, credential dumping, pass-the-hash |
| Discovery | Learning about the environment | Network scanning, enumerating AD objects |
| Lateral Movement | Moving to other systems | RDP, SMB, SSH with stolen credentials |
| Collection | Gathering target data | Screenshots, keylogging, data from shared drives |
| Exfiltration | Stealing data out of the environment | DNS tunneling, cloud storage uploads |
| Impact | Damaging or disrupting the target | Ransomware, data destruction, defacement |
How to Use ATT&CK as a Beginner
You do not need to memorize the entire framework. Here is how to use it productively:
-
Read breach reports through the ATT&CK lens. When you read about a breach, identify which tactics and techniques were used. This builds your pattern recognition.
-
Use it for study structure. Pick one tactic per week and study the techniques within it. This gives you a systematic way to learn about attacks.
-
Map it to defenses. For each technique, ask "how would I detect this?" and "how would I prevent this?" This is exactly how security teams think about defense.
-
Use the ATT&CK Navigator. MITRE provides a free web-based tool that lets you create heat maps of coverage. As you learn detection techniques, map them on the Navigator to visualize your knowledge gaps.
Common Attack Patterns You Will See Repeatedly
After studying hundreds of breaches, I can tell you that the same patterns repeat with remarkable consistency. Here are the ones you should know:
Pattern 1: Credential Theft to Data Exfiltration
Phish User --> Steal Creds --> Login (no MFA)
--> Find Data --> Exfil Data
Frequency: ~60% of breaches involve credentials
Prevention: MFA, phishing-resistant auth, monitoring
This is the most common attack pattern by far. The AT&T, Change Healthcare, and Snowflake breaches all followed this pattern. It is also the simplest to prevent with proper identity controls.
Pattern 2: Exploit to Ransomware
Exploit Vuln --> Gain Access --> Escalate Privs
--> Disable Backups --> Deploy Ransomware
Frequency: Common in unpatched environments
Prevention: Patch management, network segmentation, offline backups
Ransomware groups scan the internet for known vulnerabilities - often ones that have had patches available for months. They exploit the vulnerability, gain a foothold, then work their way through the network until they can deploy ransomware to as many systems as possible.
Pattern 3: Supply Chain Compromise
Compromise Vendor --> Inject Malicious Code
--> Distributed via Update --> Thousands of Victims
Frequency: Growing rapidly
Prevention: Vendor assessment, software composition analysis, monitoring
This is the pattern from the Chrome extension attack, SolarWinds, and MOVEit. It is particularly dangerous because the malicious code arrives through trusted channels.
Pattern 4: Insider Threat
Disgruntled Employee --> Abuses Existing Access
--> Exfil Data --> Sells or Leaks
Frequency: ~20% of breaches
Prevention: Least privilege, monitoring, behavioral analytics
Not all threats come from outside. Employees with legitimate access can cause tremendous damage. This is why the zero trust principle of least privilege is so important - we will cover this in Chapter 6.
Building Your Attack Analysis Skills
Here is how to develop the skill of analyzing attacks, which is valuable in virtually every security role:
Exercise 1: Breach Report Analysis
Pick any major breach from the last two years. Read at least three different accounts of the breach (the company's disclosure, a security vendor's analysis, and a journalist's report). Then answer:
- What was the initial access vector?
- What was the attacker's ultimate objective?
- How long was the attacker in the environment before detection (dwell time)?
- Which MITRE ATT&CK tactics were used?
- What single control would have most likely prevented the breach?
Exercise 2: Kill Chain Diagramming
For the same breach, draw an attack chain diagram like the ones in this chapter. This forces you to think about the sequence of events and the dependencies between steps.
Exercise 3: Defense Mapping
For each step in your attack chain, identify:
- What would a defender see in the logs at this step?
- What detection rule could catch this?
- What preventive control could block this step?
Start a breach analysis journal. Every time you read about a new breach, spend 20 minutes analyzing it using the framework above. After six months, you will have pattern recognition skills that take most professionals years to develop. This is one of the highest-leverage learning activities you can do.
Resources for Staying Current
Attack techniques evolve constantly. Here are the best resources for keeping up:
| Resource | Type | What You Get |
|---|---|---|
| MITRE ATT&CK (attack.mitre.org) | Framework | Comprehensive catalog of attack techniques |
| Mandiant Threat Intelligence Blog | Blog | Detailed analysis of real-world campaigns |
| Krebs on Security | Blog | Investigative journalism on breaches |
| CISA Advisories (cisa.gov) | Government | Vulnerability and threat alerts |
| The DFIR Report (thedfirreport.com) | Blog | Step-by-step intrusion analysis |
| Darknet Diaries (podcast) | Podcast | True stories of hacking and cybercrime |
| SANS Internet Storm Center | Blog | Daily threat analysis and commentary |
The Defender's Advantage
I want to end this chapter on an empowering note. While attackers only need to be right once, defenders have an advantage that is often overlooked: we have context.
Attackers are operating in an unfamiliar environment. They do not know the network topology, the normal patterns of behavior, or the detection capabilities deployed against them. Every step they take risks making noise. Every query they run could trigger an alert. Every lateral movement could be their last.
As a defender, you know what normal looks like. You know the network. You know the users. You know where the crown jewels are. That context, combined with understanding of how attacks actually work, is what makes effective security professionals so valuable.
The breaches we studied in this chapter all had something in common: the attackers were not geniuses. They exploited basic failures - missing MFA, unpatched systems, compromised developers. Understanding how attacks work is not about matching wits with brilliant adversaries. It is about understanding the predictable patterns of exploitation and building defenses that address them systematically.
That understanding starts with identity - the attack vector behind the vast majority of breaches. That is where we are going next.