We follow a pretty standard pattern for gaining access within a Network Penetration Test (aka pentest) – recon, exploit, escalate, expand, execute.  First, we look at the environment for any exposed information or misconfigured systems. Next the goal is to gain control or access to a resource using known methods or exploits. From there, we shoot to obtain as high a privilege level as possible. Once we have the appropriate levels of access, we can expand laterally looking for targets or data. When we have achieved a level of control on an environment equal to our goals, we execute our intended goals. This is a straightforward high-level process with a not-so-straight-forward multitude of steps in between. The uniqueness of the path between each step is what can make detection difficult for security teams and SOC’s watching the wheel. 

Threat groups and malware campaigns use similar approaches to the above. Understanding that attack and infiltration methods of a pentester and ‘real world’ attackers will give your organization an advantage when identifying security gaps.

There are several resources that are available that will cover detections at various points in an attack. For example, the MITRE ATT&CK framework is a strong reference to use when looking at the techniques and methodologies used in successful network attacks. There are others, but we like this one. This framework gives organizations a place to begin when thinking about what gaps may exist within their environment in relation to real-world attacks. It is a good exercise for all security teams to look at the framework and determine the security layers your organization has in place to protect against the various attack methodologies. From there, you can create a plan to address the gaps.