Phases of a Cyberattack Explained | AP Cybersecurity
The Phases of a Cyberattack (Recon to Evading Detection)
Adversaries usually work in phases. Topic 2.1 asks you to describe these phases, which run from gathering information to covering tracks. Not every attack uses every phase, but the sequence is the mental model.
The six phases
- Reconnaissance: gather information, often using open-source intelligence (OSINT), that is, freely available data.
- Initial access: establish a foothold, often through social engineering or weak credentials.
- Persistence: keep access without needing to re-enter, sometimes via a command-and-control channel or malware such as a remote access trojan.
- Lateral movement: escalate privileges and reach accounts and systems with more access.
- Taking action: collect and exfiltrate data, disrupt services, or destroy data.
- Evading detection: remove or edit logs and erase planted files to avoid being caught.
Practice question: An attacker scrapes an employee's public LinkedIn and company org chart before sending a tailored phishing email. Which phase is the scraping?

Answer: Reconnaissance using OSINT. They are gathering freely available information about the target before attempting initial access.
The phases are a sequence, but not every attack uses all six. Match the described activity to the phase: gathering info = recon, getting in = initial access, staying in = persistence, spreading = lateral movement, acting = taking action, hiding = evading detection.
Why phases help defenders
Mapping an incident to phases helps responders understand how far an attacker got and what to do next. Catching an attack during reconnaissance or initial access is far cheaper than after data exfiltration.
Defenders place controls and detection at each phase, which connects directly to defense in depth later in this unit.
Practice question: During an investigation, logs show the attacker accessed an admin account they did not start with. Which phase does this indicate?

Answer: Lateral movement, specifically privilege escalation. The attacker moved from their initial foothold to an account with greater access.
The kill chain in real intrusions
Major breaches follow this arc: weeks or months of quiet reconnaissance and lateral movement before the visible 'taking action' step. Catching an attacker during recon or initial access is far cheaper than after data is stolen.
Detection at every phase is the goal.
Key Terms
| Term | Definition |
|---|---|
| Reconnaissance | Gathering information about a target, often via OSINT. |
| OSINT | Open-source intelligence: freely available information. |
| Persistence | Maintaining access without needing to re-enter. |
| Lateral movement | Escalating privileges and reaching more systems. |
| Exfiltration | Stealing data out of a target environment. |
Common Mistakes
- Assuming every attack uses all six phases: the framework notes that phases may not all be used in every attack.
- Confusing persistence with initial access: initial access is getting in; persistence is staying in without re-entering.
- Mixing up lateral movement and taking action: lateral movement spreads access; taking action is acting on the objective.
- Forgetting evading detection: many attackers erase logs at the end; missing logs can itself be a signal.
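The two defender ideas above, mapping logged events onto the phase sequence to see how far an attacker got and treating a silent stretch before a log-clearing event as a signal in its own right, as an added example that is not part of the original page. The event names, the event-to-phase mapping and the sample log are constructed for illustration; a real SOC would derive the mapping from its own log sources.

```python
from datetime import datetime, timedelta

# The six phases, in the order the model presents them.
PHASES = ["reconnaissance", "initial access", "persistence",
          "lateral movement", "taking action", "evading detection"]

# Hypothetical event-type -> phase mapping (an assumption for this example).
EVENT_PHASE = {
    "external_port_scan": "reconnaissance",
    "phishing_attachment_opened": "initial access",
    "scheduled_task_created": "persistence",
    "admin_logon_from_workstation": "lateral movement",
    "large_outbound_transfer": "taking action",
    "security_log_cleared": "evading detection",
}

# Constructed sample log, one record per line: "<ISO timestamp> <host> <event>".
# Note the multi-hour silence before the log-clearing event.
SAMPLE_LOG = """\
2024-03-04T08:02:00 fw01 external_port_scan
2024-03-04T09:15:00 ws17 phishing_attachment_opened
2024-03-04T09:16:30 ws17 scheduled_task_created
2024-03-04T11:40:00 dc01 admin_logon_from_workstation
2024-03-04T18:05:00 dc01 security_log_cleared
"""

def parse_log(text):
    """Return (timestamp, host, event) tuples in file order."""
    events = []
    for line in text.splitlines():
        ts, host, event = line.split()
        events.append((datetime.fromisoformat(ts), host, event))
    return events

def phases_seen(events):
    """Phases with at least one mapped event, listed in model order."""
    seen = {EVENT_PHASE[e] for _, _, e in events if e in EVENT_PHASE}
    return [p for p in PHASES if p in seen]

def furthest_phase(events):
    """How far the attacker got: the latest phase in the sequence observed."""
    seen = phases_seen(events)
    return seen[-1] if seen else None

def log_gaps(events, max_gap_hours):
    """Silent stretches longer than max_gap_hours between consecutive records.
    Each hit is (gap_start, gap_end, event_after_gap); a gap that ends in a
    log-clearing event deserves triage even though no 'taking action' event
    was logged, since the evidence may simply have been erased."""
    limit = timedelta(hours=max_gap_hours)
    return [(t0, t1, e1) for (t0, _, _), (t1, _, e1)
            in zip(events, events[1:]) if t1 - t0 > limit]
```

On the sample log the phases observed skip 'taking action' and end at 'evading detection', and the only gap over four hours ends in the log-clearing event.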