Here is a first view, without details, on the APT kill chain:

[Figure: killchain3, overview of the APT kill chain]


From the victim's perspective, the evolution of the risk over time can be read directly from this simple kill chain:

[Figure: killchain2, risk evolution along the kill chain from the victim's perspective]


When the data exfiltration is done, the story goes on: the attackers are still there. They stay on the system, connect to it from time to time, and keep strengthening their access: checking that their backdoors still work, updating their malware, keeping their high-level accounts, and exfiltrating more data. It goes on and on.

This cycle, in a bit more detail, can be represented this way:



Our next blog post in this series will cover the “reconnaissance” part, sometimes also called the “data gathering” phase.