OD1 Module Summary

6-8 hours · Module 1 · Free

Module 1 — How Attackers Plan Operations

This module taught you how offensive operations are planned and executed at the operational level — the decision logic that connects target selection through objective execution.

The Offensive Lifecycle (OD1.1)

Six phases: target selection → reconnaissance → infrastructure build → initial access → post-exploitation → objective execution. The lifecycle is not linear — attackers iterate, adapt, and abandon. Three detection windows: pre-attack (infrastructure staging), active (post-exploitation), and damage (objective execution).

Target Selection and Objective Mapping (OD1.2)

Four primary objectives: financial (ransomware, BEC), intelligence (espionage, IP theft), disruption (sabotage, wiper), and access (supply chain, MSP compromise). The objective shapes every operational decision. Three diagnostics identify the objective during investigations: what are they targeting, how fast are they moving, and how noisy are they.

Constraint Analysis (OD1.3)

Four constraints shape every operation: budget (determines tooling), time (determines pace), capability (determines sophistication), and risk tolerance (determines noise). Constraint profiles map to adversary classes: ransomware affiliate, RaaS operator, state-sponsored, initial access broker, insider.

Risk Tolerance and Operational Security (OD1.4)

The noise spectrum: loud (accepts detection, objective imminent), visible (commodity tools, detectable with existing rules), quiet (blends with legitimate traffic, requires campaign-level correlation), and silent (below detection surface, requires integrity monitoring and threat hunting). Noise is a deliberate operational choice, not a skill indicator.

Passive Reconnaissance (OD1.5)

Five categories of publicly available information: infrastructure (DNS, CT logs, Shodan), people (LinkedIn, org charts), technology (job postings, GitHub), credentials (breach databases, infostealer logs), and documents (metadata, cached pages). Passive reconnaissance touches only third-party sources, never your own infrastructure, so it generates nothing for your SIEM to see; the defence is to know what is exposed before the attacker does. Credential exposure is the highest-priority finding, because a working credential converts directly into initial access with no exploit required.
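
The infrastructure and credential categories above are the ones a defender can reproduce against their own domain. The following is an added example, not course material: it takes Certificate Transparency search results in the JSON shape crt.sh returns (each record's `name_value` holds newline-separated hostnames, an assumption about that format) and diffs the attacker's resulting host list against an asset inventory. The records, the inventory, the `example.com` domain and the 400-day renewal threshold are all constructed for the example.

```python
"""Added example (not course code): build the attacker's view of a domain
from Certificate Transparency records and compare it with what the
inventory says exists. Records and inventory are constructed."""
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh JSON output (assumption):
# name_value carries one or more names separated by newlines.
CT_RESULTS = json.dumps([
    {"name_value": "example.com\nwww.example.com",
     "not_before": "2024-02-01T00:00:00", "issuer_name": "O=Let's Encrypt, CN=R3"},
    {"name_value": "*.staging.example.com",
     "not_before": "2023-11-12T00:00:00", "issuer_name": "O=Let's Encrypt, CN=R3"},
    {"name_value": "vpn-old.example.com",
     "not_before": "2019-06-30T00:00:00", "issuer_name": "O=DigiCert Inc"},
    {"name_value": "jira.example.com\njira.example.com",
     "not_before": "2024-03-05T00:00:00", "issuer_name": "O=Let's Encrypt, CN=R3"},
    {"name_value": "mail.example.com",
     "not_before": "2020-01-15T00:00:00", "issuer_name": "O=DigiCert Inc"},
])

# Constructed asset inventory: what the organisation believes it runs.
INVENTORY = {"example.com", "www.example.com", "jira.example.com", "mail.example.com"}

# Certificates are issued for at most ~13 months, so a host with no issuance
# in the last 400 days is either decommissioned or running an expired cert.
NO_RENEWAL_DAYS = 400  # assumption for the example


def ct_hostnames(ct_json: str) -> dict:
    """Map each hostname seen in CT to the most recent not_before date.
    Wildcard names are reduced to their base ('*.staging.example.com' ->
    'staging.example.com') because the base is what an attacker will probe."""
    latest_seen = {}
    for rec in json.loads(ct_json):
        issued = datetime.fromisoformat(rec["not_before"])
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower().lstrip("*.")
            if not name:
                continue
            if name not in latest_seen or issued > latest_seen[name]:
                latest_seen[name] = issued
    return latest_seen


def recon_findings(ct_json: str, inventory: set, now: datetime) -> dict:
    """Two findings a defender wants from the attacker's host list:
    hosts the inventory does not know about, and hosts nobody has issued
    a certificate for in a long time (likely forgotten, possibly unpatched)."""
    hosts = ct_hostnames(ct_json)
    unknown = sorted(h for h in hosts if h not in inventory)
    no_recent_cert = sorted(h for h, seen in hosts.items()
                            if (now - seen).days > NO_RENEWAL_DAYS)
    return {"unknown": unknown, "no_recent_cert": no_recent_cert}


if __name__ == "__main__":
    print(recon_findings(CT_RESULTS, INVENTORY, datetime(2024, 6, 1)))
```

Both lists are things the attacker will find in minutes; the second one (`mail.example.com` is inventoried but has had no certificate issued since 2020) is the kind of forgotten host that passive reconnaissance surfaces and that no SIEM rule will ever mention.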

Active Reconnaissance (OD1.6)

Network probing, credential testing, and cloud enumeration. Attackers stay below alerting thresholds: one attempt per account per hour, distributed source IPs, slow scan rates. Detection requires long correlation windows (24hr+ for scans, 7-day for sprays) and cross-account correlation.
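
As an added example (not course code), the block below shows why the spray pattern described above survives a per-account rule and what the 7-day, cross-account correlation looks like in practice. The log format (`<ISO time> <FAIL|OK> <user> <src_ip>`), the thresholds and every record are constructed for the example; the spray itself follows the summary exactly: one attempt per account per hour, rotating source IPs, for a week.

```python
"""Added example (not course code): a low-and-slow password spray seen
through a per-account threshold and through cross-account, 7-day
correlation. The auth log and its field layout are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> str:
    """Constructed log, one record per line: '<ISO time> <FAIL|OK> <user> <src_ip>'.
    Seven days of one failed login per hour against a rotating pool of 30
    accounts from 5 source IPs, plus one employee who mistypes a password
    three times and then logs in."""
    accounts = [f"user{i:02d}" for i in range(30)]
    sources = ["198.51.100.7", "198.51.100.23", "203.0.113.41",
               "203.0.113.88", "192.0.2.150"]
    start = datetime(2024, 5, 1)
    lines = []
    for h in range(7 * 24):
        ts = start + timedelta(hours=h, minutes=(h * 13) % 60)
        lines.append(f"{ts.isoformat()} FAIL {accounts[h % 30]} {sources[h % 5]}")
    typo = start + timedelta(days=2, hours=9)
    for m in range(3):
        lines.append(f"{(typo + timedelta(minutes=m)).isoformat()} FAIL user05 10.0.0.44")
    lines.append(f"{(typo + timedelta(minutes=3)).isoformat()} OK user05 10.0.0.44")
    return "\n".join(sorted(lines))


def parse_auth_log(text: str) -> list:
    """Return (timestamp, result, user, src_ip) tuples in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, result, user, ip = line.split()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    events.sort(key=lambda e: e[0])
    return events


def max_failures_per_hour(events: list, window=timedelta(hours=1)) -> int:
    """Per-account view: the most failures any single account accumulates
    inside one window. A classic brute-force rule alerts on this number."""
    fails = defaultdict(list)
    for ts, result, user, _ in events:
        if result == "FAIL":
            fails[user].append(ts)
    worst = 0
    for times in fails.values():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            worst = max(worst, hi - lo + 1)
    return worst


def spray_windows(events: list, window=timedelta(days=7),
                  min_accounts=20, min_sources=3) -> list:
    """Campaign view: slide a long window over the log, one day at a time,
    and report windows in which failures touch many distinct accounts from
    several sources even though no single account is hammered."""
    fails = [e for e in events if e[1] == "FAIL"]
    if not fails:
        return []
    day = fails[0][0].replace(hour=0, minute=0, second=0, microsecond=0)
    last = fails[-1][0]
    findings = []
    while day <= last:
        in_win = [e for e in fails if day <= e[0] < day + window]
        accounts = {e[2] for e in in_win}
        sources = {e[3] for e in in_win}
        if len(accounts) >= min_accounts and len(sources) >= min_sources:
            findings.append({
                "window_start": day.isoformat(),
                "failures": len(in_win),
                "distinct_accounts": len(accounts),
                "distinct_sources": len(sources),
                "max_per_account_per_hour": max_failures_per_hour(in_win),
            })
        day += timedelta(days=1)
    return findings


if __name__ == "__main__":
    evs = parse_auth_log(build_sample_log())
    print("worst single account in any hour:", max_failures_per_hour(evs))
    for f in spray_windows(evs):
        print(f)
```

The per-account number never exceeds 3 (and that is the employee's typo, not the attacker), so a rule of the form "5 failures per account per hour" stays silent for the whole week. The 7-day view sees 30 accounts and 6 sources in the first window, which is the campaign-level signal the summary describes.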

The Attacker's Decision Matrix (OD1.7)

Objective + constraints + reconnaissance = operational plan. The matrix produces: infrastructure design, access method selection, movement strategy, and objective execution plan. Reverse-engineer the matrix during investigations: infer objective from targets, constraints from tools and pace, reconnaissance from target knowledge, then predict next steps.

Operational Timing (OD1.8)

Three timing strategies: maximum impact (Friday nights, holidays — ransomware), blend with baseline (business hours — espionage), and exploit known gaps (shift handovers, skeleton staffing). Attack timing reveals the objective and the attacker's knowledge of your operational rhythm.

Team Structures and Attacker Roles (OD1.9)

Modern cybercrime operates as a supply chain: initial access brokers, ransomware affiliates, RaaS operators, developers-for-hire. The handoff between actors creates a detectable skill discontinuity — sophisticated initial access followed by crude post-exploitation indicates a broker-to-affiliate handoff. State-sponsored teams show consistent tradecraft (unified command); criminal teams show discontinuities (independent actors).

Documented Campaigns — Ransomware (OD1.10)

Typical 72-hour timeline: initial access → discovery (T+1hr) → credential access (T+2-6hr) → lateral movement (T+6-24hr) → staging/exfiltration (T+24-48hr) → encryption (T+48-72hr). Five detection priorities: credential access, discovery clustering, backup destruction, lateral movement velocity, data exfiltration volume. Staging is the last realistic containment window.
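
Of the five detection priorities, discovery clustering is the earliest one that sits inside the 72-hour timeline. The block below is an added example, not course material: it groups the classic Windows discovery commands into categories and alerts when one host runs several distinct categories inside a short window, which separates an operator's T+1hr discovery burst from an administrator running the same tools hours apart. The process-creation log, the host names, the category patterns and the 10-minute/4-category thresholds are constructed assumptions.

```python
"""Added example (not course code): discovery clustering over process-
creation events. Log lines, hostnames and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery command families. Matching on the family rather than the exact
# binary is the point: an operator needs several families, an admin rarely
# runs more than one or two in the same few minutes.
DISCOVERY = {
    "identity":           re.compile(r"\bwhoami\b", re.I),
    "domain_groups":      re.compile(r"\bnet(\.exe)?\s+(group|user)\b.*\s/domain\b", re.I),
    "domain_controllers": re.compile(r"\bnltest\b", re.I),
    "host_config":        re.compile(r"\b(systeminfo|ipconfig)\b", re.I),
    "network_neighbors":  re.compile(r"\bnet(\.exe)?\s+view\b|\barp(\.exe)?\s+-a\b", re.I),
    "sessions":           re.compile(r"\b(quser|qwinsta)\b|\bquery\s+(user|session)\b", re.I),
}

# Constructed process-creation log: '<ISO time> <host> <user> <command line>'.
# WS-0077 is an admin doing routine work; WS-0412 is an operator's first hour.
SAMPLE_PROCESS_LOG = r"""
2024-05-03T09:00:12 WS-0077 admin.ops C:\Windows\System32\ipconfig.exe /all
2024-05-03T11:30:40 WS-0077 admin.ops C:\Windows\System32\whoami.exe
2024-05-03T14:02:11 WS-0412 j.doe C:\Windows\System32\whoami.exe /all
2024-05-03T14:02:48 WS-0412 j.doe C:\Windows\System32\net.exe group "Domain Admins" /domain
2024-05-03T14:03:30 WS-0412 j.doe C:\Windows\System32\nltest.exe /dclist:corp
2024-05-03T14:04:05 WS-0412 j.doe C:\Windows\System32\ipconfig.exe /all
2024-05-03T14:05:17 WS-0412 j.doe C:\Windows\System32\net.exe view /all
2024-05-03T14:07:52 WS-0412 j.doe C:\Windows\System32\quser.exe
2024-05-03T16:10:00 WS-0412 j.doe C:\Windows\notepad.exe report.txt
"""


def classify(cmdline: str):
    """Return the discovery family a command line belongs to, or None."""
    for category, pattern in DISCOVERY.items():
        if pattern.search(cmdline):
            return category
    return None


def cluster_discovery(text: str, window=timedelta(minutes=10),
                      min_categories=4) -> list:
    """Per host, find the window (anchored at each discovery event) that
    covers the most distinct discovery families; report hosts whose best
    window reaches the threshold."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split(maxsplit=3)
        category = classify(cmd)
        if category:
            per_host[host].append((datetime.fromisoformat(ts), user, category))

    findings = []
    for host, evs in per_host.items():
        evs.sort()
        best = None
        for i, (t0, user, _) in enumerate(evs):
            cats = {c for t, _, c in evs[i:] if t - t0 <= window}
            if best is None or len(cats) > len(best[1]):
                best = (t0, cats, user)
        if best and len(best[1]) >= min_categories:
            findings.append({"host": host, "user": best[2],
                             "window_start": best[0].isoformat(),
                             "categories": sorted(best[1])})
    return findings


if __name__ == "__main__":
    for f in cluster_discovery(SAMPLE_PROCESS_LOG):
        print(f)
```

Only WS-0412 fires, with all six families inside six minutes; the admin host runs two of the same binaries and never clusters. Tune the window and the family list to your own baseline rather than to the constructed values here.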

Documented Campaigns — Espionage and Supply Chain (OD1.11)

Espionage: months-to-years timeline, 1-2 events per week, collection cadence detectable through 30-60 day time-series analysis. Persistence via OAuth grants and mail forwarding rules. Supply chain: months to position, nearly invisible during positioning, detected post-distribution through behavioural baselines for trusted applications.
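
The 30-60 day time-series analysis mentioned for espionage collection can be made concrete. The block below is an added example, not course material: it turns per-mailbox access events into a daily count series over 60 days, computes the autocorrelation at lags of 2 to 14 days, and flags a mailbox whose dominant lag is strong but whose rate is only 1-2 events per week. An ordinary user's weekday activity also has a weekly period, which is why the rate filter matters. All timestamps, the analysis window and the 0.5/3-per-week thresholds are constructed assumptions.

```python
"""Added example (not course code): detect a weekly collection cadence in
60 days of mailbox-access events by autocorrelation of daily counts, with a
low-rate filter so normal weekday activity is not flagged. Constructed data."""
from datetime import datetime, timedelta

WINDOW_DAYS = 60
START = datetime(2024, 3, 1)  # constructed analysis window start (a Friday)


def constructed_attacker_events() -> list:
    """Espionage-style collection: one pull every 7 days at 02:17 (off-hours),
    a double pull on day 30, and a single off-cadence event on day 21."""
    days = [2, 9, 16, 23, 30, 30, 37, 44, 51, 58, 21]
    return [START + timedelta(days=d, hours=2, minutes=17) for d in days]


def constructed_normal_events() -> list:
    """Ordinary user: several accesses on every weekday, none at weekends."""
    out = []
    for d in range(WINDOW_DAYS):
        day = START + timedelta(days=d)
        if day.weekday() < 5:
            out.extend(day + timedelta(hours=9 + k) for k in range(4 + d % 3))
    return out


def daily_counts(events: list, start=START, days=WINDOW_DAYS) -> list:
    """Bucket timestamps into a fixed-length daily count series."""
    counts = [0] * days
    for ts in events:
        idx = (ts - start).days
        if 0 <= idx < days:
            counts[idx] += 1
    return counts


def autocorr(series: list, lag: int) -> float:
    """Sample autocorrelation of the series at the given lag (0 if flat)."""
    n = len(series)
    m = sum(series) / n
    denom = sum((x - m) ** 2 for x in series)
    if denom == 0 or lag >= n:
        return 0.0
    num = sum((series[t] - m) * (series[t + lag] - m) for t in range(n - lag))
    return num / denom


def cadence_profile(events: list, max_lag=14) -> dict:
    """Summarise one mailbox: events per week, the lag with the strongest
    autocorrelation, and whether it looks like a low-rate periodic pull."""
    counts = daily_counts(events)
    lags = {lag: autocorr(counts, lag) for lag in range(2, max_lag + 1)}
    best = max(lags, key=lags.get)
    per_week = sum(counts) / (len(counts) / 7)
    return {
        "events_per_week": round(per_week, 2),
        "dominant_lag_days": best,
        "acf_at_dominant": round(lags[best], 3),
        "suspected_collection_cadence": lags[best] > 0.5 and per_week <= 3,
    }


if __name__ == "__main__":
    print("attacker:", cadence_profile(constructed_attacker_events()))
    print("normal:  ", cadence_profile(constructed_normal_events()))
```

The attacker series shows a dominant 7-day lag with autocorrelation around 0.74 at roughly 1.3 events per week, which no per-day or per-hour threshold would ever notice; the normal user is periodic too but at well over ten events per week, so the rate filter keeps it out. Run the same profile over every mailbox and sort by `acf_at_dominant` among the low-rate ones.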

The Defender's Operational Profile (OD1.12)

Four-step adversary-profiling methodology: observe (systems, tools, tempo, noise) → classify (objective, budget, timeline, risk tolerance) → predict (next targets, speed, techniques, exit strategy) → act (containment, evidence, scope, brief). Partial evidence is sufficient — two dimensions often imply the other two. The one-paragraph leadership brief delivers the analysis in actionable form.

What comes next

Module 2 begins the paid content with Offensive Infrastructure: Build, Stage, Burn — how attackers build and manage C2 infrastructure, and what that infrastructure looks like to your network monitoring. From M2 onward, every sub-section follows the offense/defense structure: an offense deep-dive (how the attacker executes the phase step by step) followed by a defender counter-section (detection, hunting, mitigation, and logging gaps), with hands-on labs throughout.


You're reading the free modules of offensive-security-for-defenders