Inside The Mind of a Threat Actor

Tactics, Techniques, and Procedures Explained

Ever wonder what goes on inside the mind of a hacker? Here are some common Tactics, Techniques, and Procedures (TTPs) that hackers use to compromise your organization, and how CI Security's™ Authentic Managed Detection and Response addresses them.


Phishing sounds like old news, and yet it is so effective that hackers will keep using this tactic.

Untargeted Attacks

Hackers send phishing emails all over the internet in hopes of a bite. It can arrive as an email about your shipment delivery or from your “IT Department” requesting a password change.

Targeted Attacks

Sometimes hackers want something specific that only YOU have access to... so you’ll be targeted with a convincing email: with legitimate company headers, email signatures, etc.

Digging In

When the hacker has an “in,” they can employ a slew of other techniques and procedures to infiltrate deeper into your systems.



The attacker installs a beacon to get back into a compromised computer even if it's temporarily disconnected from the internet. The beacon will then continue to “call out” to the internet and check for commands (from the attacker) to run on the victim machine.

CI Security Analysts monitor for persistence payloads communicating to the internet and command & control (C2) servers. Analysts watch for indicators of active beacons, including quiet beacons configured in "long haul" mode. Rapid remediation includes shutting down connected computer(s) or device(s).


Continued Phishing

Attackers use the original victim’s account to send further phishing emails—this time from within the organization’s own email server, so the messages carry a trusted internal sender.

Critical Insight Security Analysts monitor for failed logins and for logins on unencrypted pages or insecure websites. They then correlate these events to identify compromised machines for immediate quarantine.

Privilege Escalation

Attackers pivot through the network seeking out credentials of high-integrity or higher-privileged accounts. Trust relationships throughout the network are targeted and exploited.

CI Security Analysts monitor, detect, and respond to common indicators of privilege escalation, including breadth-first password sprays, failed password attempts, network session enumeration, and SMB poisoning.



Attackers exploit the user’s credentials to gather useful information to further compromise other systems.

CI Security Analysts detect signals and correlate events that indicate lateral movement across the network, persistence, and continued privilege escalation activities.


Once you’ve been compromised, hackers can find ways to continue the damage.

Long-term persistence

Hackers can stretch beaconing over long periods. Because each check-in happens so infrequently, the activity is harder to distinguish from normal traffic. This allows hackers to harvest data over weeks, months, and sometimes years.

Critical Insight Analysts watch for indicators of active beacons, including quiet beacons configured in "long haul" mode. When unusual network activity is detected, CI Analysts use event correlation techniques to conduct further investigation.
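Spotting a quiet beacon of the kind described here (and under Digging In above) comes down to finding connections that recur at a nearly fixed interval, however long that interval is. The following is an added example, not CI Security's tooling: it scores each source/destination pair in a constructed connection log by how regular the gaps between its connections are and flags the near-constant ones, labelling long intervals as the "long haul" case. The log format, the thresholds, and the sample hosts are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection records (timestamp, source host, destination:port).
# Not real traffic: 10.0.0.5 calls 203.0.113.10 about every six hours with small
# jitter (a quiet beacon); 10.0.0.7 is a user browsing at irregular times.
SAMPLE_LOG = """\
2024-03-01T00:00:00 10.0.0.5 203.0.113.10:443
2024-03-01T06:01:10 10.0.0.5 203.0.113.10:443
2024-03-01T08:12:05 10.0.0.7 198.51.100.20:443
2024-03-01T08:12:40 10.0.0.7 198.51.100.20:443
2024-03-01T08:20:15 10.0.0.7 198.51.100.20:443
2024-03-01T09:45:00 10.0.0.7 198.51.100.20:443
2024-03-01T12:00:30 10.0.0.5 203.0.113.10:443
2024-03-01T13:02:30 10.0.0.7 198.51.100.20:443
2024-03-01T17:59:40 10.0.0.5 203.0.113.10:443
2024-03-02T00:01:00 10.0.0.5 203.0.113.10:443
2024-03-02T06:00:20 10.0.0.5 203.0.113.10:443
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def find_beacons(text, min_events=5, max_cv=0.1, long_haul_s=3600):
    """Flag pairs whose inter-connection gaps are nearly constant.
    cv = stdev/mean of the gaps: a fixed sleep plus jitter gives cv near 0,
    human-driven traffic gives cv near or above 1. Thresholds are assumptions;
    a long-haul beacon only surfaces once the window holds min_events check-ins."""
    hits = []
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"pair": pair, "events": len(times), "mean_interval_s": mean,
                         "cv": cv, "mode": "long haul" if mean >= long_haul_s else "short"})
    return hits
```

Widening the analysis window (days rather than hours) is what lets the six-hour pair above accumulate enough events to be scored, which is the practical cost of catching long-haul beacons.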

Destruction or Denial of Service

In the case of a total compromise, hackers can alter and/or destroy access. The most effective attacks begin weeks or months before the overt, destructive activity takes place.

CI Security Analysts monitor for brute force attacks and help the client respond quickly with detailed reporting of the attack and steps to remediate.

The CI Security™ MDR Advantage

Threat actors create signals on the network that can be identified in event logs, network traffic, or unusual user behavior. To detect threats, trained InfoSec professionals monitor logs, review alerts, and leverage advanced threat intelligence for statistical, frequency, signature, and reputation analysis. If you don’t have the staff or technology to monitor, detect, and respond to threats on your network, these TTPs can be addressed with CI Security’s authentic Managed Detection and Response (MDR) service.

Contact CI Security to Defend Your Network From Threat Actors