The Attacker's Path
In the news, a breach can sound like one sudden event — a company is fine on Monday and "hacked" by Friday, as if someone flipped a switch. The reality is slower and more orderly. A real attack on a system is almost never one dramatic moment; it is a sequence of small steps, each one setting up the next.
And the steps tend to follow the same shape, attack after attack: the attacker looks around, gets in, gains more power, and finally acts. Security people often call this sequence the attacker's path — the ordered stages an intruder moves through. Once you can see the stages, a confusing breach story turns into a readable timeline.
Think of a burglary. A thief doesn't teleport into the master bedroom. They case the neighborhood first, find an unlocked window, slip inside, work their way through the house, and only then carry off the valuables. Each of those stages is a separate step — and a separate chance for someone to notice and stop them.
A defender can try to break the chain at any of those four points — not just at the front door. That single idea is what the rest of this page is really about.
Reconnaissance: Looking Around First
The first stage is reconnaissance — quietly gathering information before touching anything. The attacker wants to know what they are dealing with: which systems a company runs, who works there, what is exposed to the internet, and which of those things looks weak.
A lot of this can be collected without ever breaking a rule. Public websites, job postings, social media profiles, and leaked email addresses all tell a story about an organization. At this stage nothing has been broken into — the attacker is just reading the map before choosing a door.
Initial Access: Getting a Foothold
The second stage is initial access — getting in through one weakness. This is where the attack stops being passive. It usually rides on a single opening: a password stolen through a phishing email, an unpatched flaw in some software, or a malicious file someone downloaded — the kinds of tricks earlier chapters covered.
Getting in sounds like the end of the story. Usually it is not. The first way in is often a foothold — a small, low-value spot inside, like one ordinary employee's account. By itself that account may not reach anything worth stealing. The real damage almost always comes from what happens next.
Escalation and Movement: Gaining Power
From that foothold, the attacker works to gain broader access and reach more valuable systems. Going from a limited account to a high-privilege one is called escalation; spreading from the first machine to others is called lateral movement — moving sideways across the network.
This stage is exactly why giving every account only the access it needs matters so much. If that first foothold account can touch very little, the attacker is stuck and has to fight for every step. If it can touch everything, one stolen password quietly becomes the keys to the whole building.
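To make this point concrete, here is an added example (not from the original page) that models lateral movement as reachability over an access graph: an attacker holding one account can reach every host that account may log in to, pick up whatever credentials are cached there, and repeat. The hosts, accounts and two permission layouts are constructed for illustration.

```python
from collections import deque

# Constructed environment: which accounts may log in to which hosts.
# "Broad" layout: the ordinary user alice can reach almost everything.
ACCOUNT_ACCESS_BROAD = {
    "alice": {"laptop-alice", "fileserver", "db-prod", "admin-jump"},
    "svc-backup": {"fileserver", "db-prod"},
    "admin": {"admin-jump", "db-prod", "fileserver", "laptop-alice"},
}
# "Least privilege" layout: each account reaches only what its job needs.
ACCOUNT_ACCESS_LEAST = {
    "alice": {"laptop-alice", "fileserver"},
    "svc-backup": {"fileserver"},
    "admin": {"admin-jump", "db-prod", "fileserver"},
}
# Credentials cached on each host (constructed); identical in both layouts.
CREDS_ON_HOST = {
    "laptop-alice": {"alice"},
    "fileserver": {"svc-backup"},
    "db-prod": {"admin"},
    "admin-jump": {"admin"},
}


def blast_radius(foothold_account, account_access, creds_on_host):
    """Return (hosts, accounts) an intruder holding one account can reach.

    Breadth-first search: every reachable host may yield new credentials,
    and every new credential may open further hosts (lateral movement).
    """
    accounts = {foothold_account}
    hosts = set()
    queue = deque([foothold_account])
    while queue:
        acct = queue.popleft()
        for host in account_access.get(acct, ()):
            if host in hosts:
                continue
            hosts.add(host)
            for cred in creds_on_host.get(host, ()):
                if cred not in accounts:
                    accounts.add(cred)
                    queue.append(cred)
    return hosts, accounts


if __name__ == "__main__":
    for name, layout in (("broad", ACCOUNT_ACCESS_BROAD), ("least", ACCOUNT_ACCESS_LEAST)):
        hosts, accts = blast_radius("alice", layout, CREDS_ON_HOST)
        print(f"{name:5} -> hosts={sorted(hosts)} accounts={sorted(accts)}")
```

With the broad layout the single phished account reaches all four hosts and recovers the admin credential; with the least-privilege layout the same foothold stops at the laptop and the file server, and db-prod stays out of reach.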
Acting on the Goal: The Payoff
The final stage is the one the attacker came for. Now that they have enough access, they do the actual damage: copy out sensitive data, lock the files and demand a ransom, or sit quietly and spy for months. Everything before this was setup; this is the payoff.
Seeing this as the last stage changes how you read a breach. The headline damage — the leaked records, the locked systems — is the end of a chain, not the beginning. Behind it sits a path of earlier steps, each one a place where the attack could have been caught.
Why Seeing the Path Helps Defenders
If an attack were a single instant, a defender would get exactly one chance: keep the intruder out, or lose. Because it is a sequence, they get several. Reconnaissance can be noticed, initial access can be blocked, escalation can be detected, and the final action can be caught before it finishes.
This is the logic behind stacking many defenses instead of relying on one strong wall — the idea earlier chapters called defense in depth. The goal is not only to keep attackers out, but to break the chain at whatever stage you can. A single missed step no longer has to mean a full compromise.
- "A breach is a single instant of 'getting hacked'." It is almost always a multi-step process that plays out over time — sometimes days or months — not one dramatic moment.
- "Once they get in, it's over." Initial access is often just a low-value foothold. The serious damage comes from the escalation and movement that follow, not from the first toehold itself.
- "Defenders only get one chance to stop an attack." Each stage is a separate opportunity to spot the attacker and break the chain. That is the whole reason for layering defenses.
- "Reconnaissance means they already broke in." Recon is just looking around — often using public information. Nothing has been broken into yet at that stage.
- The four stages give you a mental timeline that makes almost any breach story understandable — you can place each piece of news on the path.
- It explains why defenders aim to break the chain at any stage, not just to "keep attackers out" at the front door.
- It reframes a foothold as a beginning, not an ending — which is why catching an attack early, before escalation, matters so much.
Knowledge Check
Which order do the four stages of the attacker's path usually follow?
- Reconnaissance, initial access, escalation and movement, acting on the goal
- Acting on the goal, escalation, initial access, reconnaissance
- Initial access, reconnaissance, acting on the goal, escalation
- Escalation and movement, acting on the goal, then reconnaissance, and finally initial access
An attacker phishes one employee's ordinary account and gets in. Why isn't this usually the end of the story?
- That foothold is often low-value, and the real damage comes from escalating afterward
- Getting in is always the final stage, so the attack is finished once they have a foothold
- The stolen password stops working the moment they log in
- Phishing only counts as reconnaissance, so nothing has happened
Why is seeing an attack as a sequence of stages good news for defenders?
- Each stage is a separate chance to detect the attack and break the chain
- Because the stages make every attack take exactly the same amount of time
- Because it means defenders only ever need to guard the front door
- Because it removes the reconnaissance stage from the attack entirely