Cybercrime has become a big business as tech-savvy criminal gangs are becoming increasingly skilled, causing larger corporations to employ dedicated cyberattack security teams. Cybersecurity goes beyond security professionals.

Security is everyone’s job, from system administrators down to individual users, and education is the first line of defence. Understanding the anatomy of a cyber attack will help prevent and mitigate ransomware and data theft.

Anatomy of a Cyber Attack

The anatomy of a cyberattack has six components: reconnaissance, initial access, attack deployment, attack expansion, getting paid, and cleanup. At each phase, companies and individual users can take positive steps to protect user devices and IT systems.

1. Reconnaissance


At the beginning of every cyberattack is reconnaissance as criminal gangs begin by researching the target organisation. They scan for IP addresses, network ranges, domain names, and email addresses within the organisation, like IT professionals, CFOs, and CTOs.

They may also gather employee email addresses to use later for phishing emails. Next, attackers scan for network vulnerabilities; this is a process that can take months. Here are some of the ways cybercriminals gather information.

– Assessing Corporate Websites

Corporate websites yield a plethora of information, and it is one of the first places a hacker will look. If the website has structural vulnerabilities, they can use it as the point of attack and continue searching for weaknesses in other systems.

Companies should keep their websites, plugins, and firewalls up to date and be sure to contract with a reputable hosting provider. Only authorised users should be accessing the site at the administrator level.

Criminals also use corporate websites to gather information about employees listed on the site. This is like the ‘yellow pages’ of who’s who, and this information aids in creating phishing and social engineering attacks.

– Reviewing the Company’s Social Media Footprint

- Reviewing the Company’s Social Media Footprint

Another source for spear-phishing and whaling attacks is social media sites like LinkedIn. Spear phishing involves using believable emails tailored to the recipient. Whaling is similar, though the targets are individuals at higher levels within the organisation, such as the CFO or CEO.

Employers should monitor corporate social media accounts for sensitive information and secure any data that could lead to an issue. Staff should also be trained on social media threats and follow security guidelines.

– Assessing Your Corporate Network

Cybercriminals check the strength of your network. With so many mobile workers, endpoint security is an issue, and security vulnerabilities can exist anywhere a device connects to the corporate network.

Companies should invest in robust cybersecurity systems, which include firewall security, email security, and antivirus and anti-malware protection systems for the network and the devices that access it.

2. Initial Access

Initial Access

The goal of a cybercriminal is to infiltrate an organisation’s network; however, they need access privileges to do that. They use various means of phishing to acquire credentials, which often upgrades their access to administrator privileges.

Once hackers gain access to their target network, they spend time discreetly reviewing systems. They assess what they see, including the security systems and sensitive databases, and investigate ways to gain access. This ‘initial access ’stage can go on for months, sometimes years.

Often, cybercriminals gangs discover vulnerabilities through third-party businesses or other systems that are part of the target company’s broader network environment.

For instance, some attacks may begin at operational network points such as office maintenance systems, fire alerting, and air conditioning systems. These criminals simply need a single entry point for initial access and can travel undetected from there.

3. Attack Deployment

Attack Deployment

This ominous stage begins the moment hackers launch their full-scale attack. Such a raid could involve removing data from your company’s network (exfiltration), service disruption, or the hacker’s latest favourite, ransomware.

Ransomware is malicious software spread by malware that encrypts the victim’s data, and hackers then extort a ransom to release the data by giving the company an unlock code. In today’s tech world, ransomware is the primary reason businesses remain at risk of encryption-based malware corrupting their systems.

Once ransomware is successfully deployed, the company must choose to either pay the ransom or risk losing critical data. What’s worse, there’s the likelihood that the company will lose its data, even if they pay the ransom. Most companies hit by a ransomware attack never recover their data.

Most ransomware makes its way into a network through links contained in malicious emails. Phishing often appears as fraudulent texts, emails, and websites trick victims into providing sensitive information like passwords, login credentials, and credit card information. Phishing emails can also deliver malware and viruses that can upend your business operations altogether.

4. Attack Expansion

Attack Expansion

The anatomy of a cyberattack includes an expansion phase that describes how hackers use malicious software to intrude on all systems connected to the network. These programs enable attackers to hide within multiple systems and regain network access even after they are detected.

For example, if the intruder gains access to customer accounts or third-party vendor accounts that connect to the company network, they open the door to breaching those 3rd party networks.

As these compromised 3rd party user and vendor accounts are recognised parts of the network ecosystem, the hacker no longer needs higher access to infiltrate the network.

5. Getting Paid

Getting Paid

Ransomware is a common cyberattack trend that compromises a user’s mobile device or workstation via malware. The attack encrypts the user’s data so they can’t access it.

Such ransomware eventually spreads to other computers on the company network, distributing the same damage to each device, including servers and data backup storage systems. It’s payday for cybercriminals.

The victim will eventually be asked to contact the attacker by email or sometimes through a dedicated web page and directed to make a ransom payment in return for their data being unencrypted. The demand payment is often a cryptocurrency like Bitcoin because it is untraceable.

The company may choose to pay the ransom, though that’s not a guarantee that they will recover the files. Too many times, the victims’ files are never recovered. In fact, sometimes the intent is data theft, and there is never a ransom. The criminals know they will make money by selling sensitive data on the dark web.

6. Cleanup

Cleanup is the last step in the cyber-attack process. Sophisticated attackers take time to remove evidence of their presence in the victim’s network and systems.

They clean out logs to remove any history of their presence. Covering their tracks in this way allows them to get away. But it also allows them to reinfiltrate the network at a future time.

To help counter this, companies should be diligent about cyber security alerting and logging. Detailed logging can help organisations detect and recover from security events. It also allows your security team to give all your devices a check-up to ensure they are updated and in compliance with security policies.

How to Prevent a Cyber Attack

How to Prevent a Cyber Attack

Despite the growing challenge of defending against a cyberattack, there are several measures companies can take to mitigate the damage they cause.


First and foremost, companies must have a solid backup strategy as part of their business continuity and disaster recovery plans. In the event ransomware pushes past security, having backups increases the organisation’s chances of recovery.

IT teams should maintain regular daily and monthly backups and store them in more than one location. At least one of those locations should be in an offsite physical location to isolate it from the enterprise network altogether. At Securus, we highly recommend adopting an immutable backup solution.

Email Filtering and Alerting

Email Filtering and Alerting

Most often, ransomware enters a network through a phishing email that contains a link or attachment sent via email. An employee clicks a link and releases ransomware.

One way to combat this is email filtering, which most modern email solutions have built-in but are not always fully enabled or configured. Email filtering software analyses incoming emails and flags potential spam and phishing content, which security admin teams should fine-tune.

Antivirus Software with Ransomware Protection

EPP software suites and most antivirus software utilities usually include ransomware protection, especially now that ransomware is on the rise. Be sure your EPP or antivirus software solution is up to date across the network, down to each individual device.

Remember, this includes devices with limited security protection, including personal devices not issued by the company, BYOD, and IoT devices that sometimes lack security features straight out of the box.

Employee Security Education and Awareness

Employee Security Education and Awareness

Cyberattacks are possible because users click malicious links or inadvertently give away access credentials through phishing and other social engineering attacks.

It is vital that employees should receive adequate cybersecurity training on recognising phishing emails and handling sensitive data. What may seem like an expensive initial outlay can pay dividends if a full-scale ransomware attack is avoided.

Security Patching

A critical part of any security protocol is applying the latest patches to operating systems, devices, and applications. Software suppliers release patches that address specific vulnerabilities and announce this in security news updates.

The downside is that this also notifies cybercriminals of these vulnerabilities. If your organisation does not install a patch immediately, it’s left open for hackers to exploit from the moment the vulnerability is identified (also known as day zero attacks).

Disaster Recover (DR) Plan

Disaster Recover (DR) Plan

A formidable DR plan ensures business continuity in the event of a security breach, and a critical part of any DR plan is data protection. A DR plan reduces the impact of ransomware attacks and enables your organisation to restore business operations quickly.

As mentioned earlier, at Securus, we highly recommend that all our customers consider adopting an immutable backup solution. Not sure what immutable backup is? No problem; here is a link to our immutable backup deep-dive article.



Businesses must make cybersecurity a priority. Data protection is a crucial part of any cybersecurity strategy. Understanding the anatomy of a cyberattack is the first step to understanding how to protect enterprise networks.

At each phase of the attack, there are protections organisations can put in place to either prevent or mitigate the damage. You may think that your final saviour will be your backups; however, any respectable ransomware attache will encrypt that backup data too. Hence we feel that an immutable backup is the backup solution of the future.

From anti-malware, anti-phishing, SEO poisoning, and 2FA to SASE and cloud-based air-gap immutable backup storage, Securus has a security solution to suit your requirement and budget. 

If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.

Further Technology Articles