OD1.1 The Offensive Lifecycle — Planning to Objective
You know the Cyber Kill Chain and ATT&CK's tactic structure. You've seen incidents broken down by tactic. This sub presents the offensive lifecycle from the attacker's operational perspective — not the defender's categorization framework, but the decision sequence the attacker actually follows. The difference matters because ATT&CK categorizes what the attacker does; the lifecycle explains why they do it in a specific order.
Operational Objective
When you investigate an incident, you map attacker activity to ATT&CK tactics. But ATT&CK is a classification system — it tells you what category the activity belongs to. It doesn't tell you why the attacker did this step before that step, or what they'll do next.
The offensive lifecycle is the attacker's actual decision sequence. Understanding it lets you read early evidence and predict what's coming. This sub maps six phases of the offensive lifecycle with the decision logic at each phase, the telemetry each produces, and the detection windows each creates.
Learning Objectives
By the end of this sub you will be able to:
- Map attacker activity to the six-phase offensive lifecycle and explain the decision logic at each phase — the same lifecycle Mandiant uses to structure campaign analysis in M-Trends and that Microsoft DART uses to reconstruct incidents. This matters because lifecycle mapping reveals which phases your detection covers and which are blind spots, directly identifying where to invest detection engineering effort.
- Identify the three detection windows (pre-attack, active, damage) and explain why Phase 5 (post-exploitation) is the highest-value opportunity — the phase where the attacker produces the most telemetry and the campaign is most exposed. This matters because most SOCs detect during Phase 6 (damage); shifting detection left to Phase 5 or Phase 3 dramatically reduces dwell time.
- Annotate an incident timeline with lifecycle phases and calculate the dwell time between the attacker's first action and first detection. This matters because dwell time measured against lifecycle phases reveals exactly where your detection pipeline failed — not just "we detected late" but "we had no coverage for Phase 3 infrastructure staging and our Phase 5 coverage was technique-level without campaign correlation."
Figure OD1.1 — The offensive lifecycle with detection windows. Phases 1–3 happen before the attacker touches your environment. Phase 5 is the richest telemetry window and the highest-value detection opportunity. Phase 6 is damage mitigation.
Phase 1 — Target selection
The attacker decides who to attack. You have no telemetry for this phase.
Target selection is internal to the attacker's operation. A ransomware crew picks targets based on estimated revenue (the ransom payment is sized to what the victim can pay). An espionage operator picks targets based on intelligence requirements (what information does the sponsor need). A financially motivated crew picks targets based on accessible attack surface (who has vulnerable internet-facing infrastructure).
You can't detect target selection. But you can understand what drives it — because the selection criteria predict the campaign characteristics. An organisation targeted for ransomware will see fast, loud operations. An organisation targeted for espionage will see patient, quiet ones. The attack that hits you was chosen for a reason, and that reason shapes everything that follows.
Phase 2 — Reconnaissance
The attacker learns about your environment. You might see passive signals.
Reconnaissance is where the attacker builds the intelligence that shapes every subsequent decision. What technology stack does the target use? What email gateway? What authentication provider? What's on the public attack surface? Who are the employees? What are their roles? What have they posted on LinkedIn about internal projects, tools, and security measures?
Most reconnaissance is passive — it doesn't touch your infrastructure. OSINT collection, LinkedIn profiling, DNS enumeration, technology fingerprinting from publicly visible headers. You won't see it in your SIEM.
Active reconnaissance — port scanning, directory brute forcing, credential spraying against the login page — does produce telemetry. But it's hard to distinguish from the background noise of the internet. Your public-facing infrastructure gets scanned thousands of times a day. The attacker's targeted scan is one drop in that ocean.
The defensive value of understanding reconnaissance isn't in detecting it — it's in understanding what the attacker knows about you. If your LinkedIn profiles reveal your security stack, the attacker knows what to evade. If your job postings list the tools you use, the attacker knows what to bypass.
Phase 3 — Infrastructure build
The attacker builds their operational infrastructure. External signals may be visible.
Before the first phishing email is sent, the attacker builds the infrastructure: C2 servers, redirectors, phishing domains, payload hosting, exfiltration channels. This phase can take days to weeks — domains need to age, certificates need provisioning, redirector chains need testing.
This is the pre-attack detection window. Certificate transparency logs show when new certificates are issued for typosquatting domains. Passive DNS services show when new domains resolve to cloud hosting ranges. Module 2 covers infrastructure in depth. The key insight: the infrastructure build creates a window — sometimes weeks long — where detection is possible before the attack begins. Most organisations don't monitor for pre-attack staging. Those that do catch campaigns before the first email.
Phase 4 — Initial access
The attacker makes first contact. This is your first definitive telemetry.
Initial access is the phase most defenders are familiar with: the phishing email, the VPN exploit, the brute force, the OAuth consent grant. What ATT&CK doesn't capture is the decision process behind the technique selection.
The attacker's choice is driven by what they learned during reconnaissance: what email gateway the target uses, what MFA is deployed, what applications are internet-facing, what trust relationships exist. The access method reveals information about the attacker: their capability level, their reconnaissance depth, and their objective. AiTM phishing against a well-defended M365 tenant indicates a sophisticated operator. Password spraying against an internet-facing VPN indicates an opportunistic one. Module 4 covers the initial access decision tree in depth.
Phase 5 — Post-exploitation
The attacker is in your environment. Full telemetry is available. This is the highest-value detection window.
Post-exploitation encompasses everything between initial access and objective execution. Discovery, persistence, privilege escalation, credential harvesting, lateral movement, defense evasion. In ATT&CK terms, this spans eight tactics. In operational terms, it's one continuous problem: the attacker is navigating your environment toward their objective.
Modules 5 through 8 cover post-exploitation: the first 30 minutes (M5), credential operations (M6), lateral movement (M7), and defense evasion (M8). The key insight: post-exploitation is where the attacker produces the most telemetry and where the campaign is most exposed. But it's also where the attacker is most careful, because they know this phase is when defenders are most likely to catch them.
Phase 6 — Objective execution
The attacker achieves their goal. Detection here is damage mitigation, not prevention.
Objective execution is the culmination: ransomware deployment, data exfiltration, espionage collection, sabotage. By this phase, the attacker has the access, the credentials, and the position to execute. Detection here limits damage but doesn't prevent it.
Different objectives produce radically different telemetry. Ransomware is fast, loud, and unmistakable. Data exfiltration can be quiet. Espionage is nearly invisible. Module 9 covers objective execution.
The lifecycle is not linear
The diagram shows a left-to-right sequence, but real campaigns iterate. The attacker attempts initial access and fails — they return to reconnaissance. They move laterally and hit a locked system — they go back to credential operations. They start objective execution and get detected — they either accelerate or retreat to a persistence mechanism and try again later.
Understanding the iteration logic helps during investigation. If you find evidence of a failed initial access attempt followed by a successful one using a different technique, you know the attacker adapted — which tells you they're specifically targeting your organisation (opportunistic attackers move on after the first failure) and that they did additional reconnaissance between attempts.
STEP 1 — Select an incident report
Use one of:
a. Your own most recent confirmed investigation timeline
b. A published report. Recommended sources:
- Mandiant M-Trends (annual report with case studies)
- Microsoft DART blog: https://www.microsoft.com/security/blog/
- CrowdStrike blog: https://www.crowdstrike.com/blog/
STEP 2 — Annotate each action with a lifecycle phase
For each attacker action in the timeline, assign a phase:
Phase 1 — Target selection (rarely visible)
Phase 2 — Reconnaissance (scanning, OSINT — sometimes visible)
Phase 3 — Infrastructure build (domain reg, cert provisioning)
Phase 4 — Initial access (phishing, exploit, credential spray)
Phase 5 — Post-exploitation (discovery, creds, movement, evasion)
Phase 6 — Objective execution (ransomware, exfil, espionage)
Most events will cluster in Phase 5. That's expected.
STEP 3 — Calculate dwell time
First attacker action timestamp: ___
First detection timestamp: ___
Dwell time = detection - first action = ___ hours/days
Industry median: 10-16 days (Mandiant M-Trends 2025).
If your dwell time exceeds 14 days, detection happened during or after Phase 6 — the active window (Phase 5) was missed entirely.
STEP 4 — Identify detection gaps by phase
For each phase, answer: "Did we have detection coverage?"
Phase 3 coverage? (CT monitoring, passive DNS, NRD blocking)
Phase 4 coverage? (email gateway, auth anomaly, exploit detection)
Phase 5 coverage? (technique-level rules + campaign correlation?)
Phase 6 coverage? (ransomware detection, exfil detection?)
Write one sentence per phase: "Phase X: [covered/not covered] because [specific rule or gap]."

Hands-on Exercise — Lifecycle-Annotate an Incident
Objective: Map an incident timeline to the offensive lifecycle phases, calculate dwell time, and identify detection coverage gaps by phase.
Prerequisites: A completed investigation timeline from your environment, or a published incident report from Mandiant M-Trends, CrowdStrike case studies, or Microsoft DART blog posts.
Success criteria: You've annotated at least one incident timeline with lifecycle phases, calculated the dwell time, and identified coverage gaps for each phase.
Challenge: If the report describes a ransomware campaign, estimate the attacker's constraint profile from the timeline. How long from initial access to ransomware deployment? If under 72 hours: ransomware affiliate under time pressure. If over a week: possibly a more sophisticated operator doing manual operations. Does the constraint profile match the tooling described in the report?
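A small worked version of STEPs 2 to 4 and the Challenge above, added here as an example and not part of the course material: the analyst assigns a lifecycle phase and a detected flag to each timeline event, and the helpers compute the dwell time, the phase in which detection fired, the phases with attacker activity but no alert, and the initial-access-to-objective interval used for the constraint profile. The timeline is constructed rather than taken from a real incident, and the Event fields and function names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PHASES = {1: "Target selection", 2: "Reconnaissance", 3: "Infrastructure build",  # numbering as in STEP 2
          4: "Initial access", 5: "Post-exploitation", 6: "Objective execution"}

@dataclass
class Event:
    when: datetime
    phase: int              # lifecycle phase 1..6 assigned by the analyst (STEP 2)
    action: str
    detected: bool = False  # did a defensive control alert on this action?

# Constructed sample timeline (not a real incident): a fast ransomware case.
TIMELINE = [
    Event(datetime(2025, 3, 1, 9, 0), 3, "lookalike domain registered, TLS cert issued"),
    Event(datetime(2025, 3, 4, 8, 15), 4, "phishing email delivered, credential captured"),
    Event(datetime(2025, 3, 4, 8, 40), 5, "host and AD discovery from the first workstation"),
    Event(datetime(2025, 3, 4, 11, 5), 5, "credential harvesting on the workstation"),
    Event(datetime(2025, 3, 5, 2, 30), 5, "lateral movement to the file server"),
    Event(datetime(2025, 3, 6, 1, 0), 6, "ransomware deployed", detected=True),
]

def first_in_phase(events, phase):
    """Earliest event assigned to a phase, or None if that phase left no evidence."""
    hits = [e for e in events if e.phase == phase]
    return min(hits, key=lambda e: e.when) if hits else None

def dwell_time(events):
    """STEP 3: (hours from first attacker action to first detection, phase detected in)."""
    detected = [e for e in events if e.detected]
    if not detected:
        return None, None
    first_action = min(events, key=lambda e: e.when)
    first_detect = min(detected, key=lambda e: e.when)
    return (first_detect.when - first_action.when) / timedelta(hours=1), first_detect.phase

def coverage_gaps(events):
    """STEP 4: phases with attacker activity in the timeline but no alert on any of it."""
    return [p for p in PHASES if any(e.phase == p for e in events)
            and not any(e.phase == p and e.detected for e in events)]

def constraint_profile(events):
    """Challenge: hours from initial access (Phase 4) to objective execution (Phase 6)."""
    access, objective = first_in_phase(events, 4), first_in_phase(events, 6)
    if access is None or objective is None:
        return None, "incomplete timeline"
    hours = (objective.when - access.when) / timedelta(hours=1)
    if hours < 72:
        return hours, "under 72h: consistent with a time-pressured ransomware affiliate"
    if hours > 168:
        return hours, "over a week: possibly a manual, more deliberate operator"
    return hours, "between 72h and a week: no strong signal either way"
```

For the constructed timeline this reports a 112-hour dwell time with detection first firing in Phase 6, Phases 3 to 5 as uncovered, and a 40.75-hour access-to-objective interval.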
You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.
You're reading the free modules of offensive-security-for-defenders