The Kroll Intrusion Lifecycle: Threat Actor Behavior from a Visual Perspective

Many Threats – One Framework

Across the thousands of cyber incidents that Kroll’s global team investigates every year, our experts are constantly on the hunt to spot established patterns of threat actor activity—and to discover new ones. In observing attack patterns, our experts discovered that threat actors like repeatability. Certain actors can be predictable not only in how they attack, but also in the tools and tactics they use once they have access.

Our Digital Forensic and Incident Response (DFIR) experts know that the behavior of individual threat actors may not be easy to anticipate. But from our unique vantage point, we have discerned clear and distinct stages when it comes to the common progress of attacker behavior, processes and intrusion steps—what we call the Kroll Intrusion Lifecycle.

The Constancy of the Criminal Mindset

The Kroll Intrusion Lifecycle reflects the fact that threat actors are first and foremost people, albeit acting with criminal intent. Regardless of the tools they deploy, the methods they leverage or the speeds at which they move, threat actors make their way through a networked environment like trespassers entering your home office through an open window in the living room.

Our team includes many experts with backgrounds in local and federal law enforcement and extensive experience in studying the criminal mindset in the pursuit of justice. The world of incident response is much like the world of criminal and civil investigations. Investigators must look for, acquire, preserve, catalog and review clues left behind to understand what happened before they arrived, just as law enforcement does when called to the scene of a crime.

Like all criminals, threat actors learn from every crime they commit. They consciously or unconsciously develop their patterns, preferences and cadence. They may rely on third parties for different aspects of their operations. The most successful will document or automate their activities to “rinse and repeat” more easily. In fact, threat actors often cast themselves as businesspeople, replicating their methodology with each victim they target.

A New Way to Identify and Understand Threats

Kroll’s DFIR experts developed the Intrusion Lifecycle in order to help organizations and their leaders and quickly and more easily understand and anticipate different types of cyber threats. We distilled the knowledge and experience from our thousands of investigations and developed a standardized approach that quantifies the behavioral elements of the lifecycle from the beginning, middle and end.

This framework specifies each stage of the intrusion threat sequence in simple, easy-to-understand terms. It provides a visual, step-by-step behavioral model to enable stakeholders at every level to track and explain the stages of modern attacks. Members of an executive board, lawyers at regional and global law firms or claims managers at cyber insurance carriers—as well as engagement or project managers across global incident response firms—will find the framework useful for various audiences.

Greater Insight into Diverse Types of Threat Actors

Kroll’s lifecycle model works to explain and visually describe adversarial actions regardless of whether the attacker is a lone wolf, an organized crime group or a nation-state-sponsored advanced persistent threat (APT) group.  Similarly, the model applies to the entire spectrum of attacker missions: from a business email compromise to a network intrusion resulting in ransomware to an insider threat.

Kroll’s model functions as both an overview and a succinct visual timeline to enable insight and clarity while supporting better informed security decision-making. It was also designed to allow for overlay and natural cross-compatibility with existing and in-depth frameworks, such as MITRE ATT&CK®.

A Familiar Behavior Pattern: The Kroll Intrusion Lifecycle, Stage by Stage

The Intrusion Lifecycle illustrates how attacks follow a clear behavioral sequence of distinct stages.

0. External Victim Scouting

Nearly all intrusions involve some type of scouting stage, although attackers may not have specific targets in mind when they start. This is the stage where the attacker may collect information about a victim through the review or scanning of external-facing infrastructure, email account passwords, social media profiles, previously dumped passwords of employees or any other resources they can find or purchase. Their techniques may be automated through scanning, undertaken manually through collections or purchased through dark net or deep web marketplaces.

Rather than targeting specific companies, a threat actor will often have an exploit they can leverage and will scan the internet for organizations and their internet-accessible environments, which could be vulnerable and responsive to that exploit. From there, they can automate what is identified in the Intrusion Lifecycle as the initial chain for moving from External to Initial Exploit/Actor Foothold and seeing which organizations they are able to compromise for a further attack. The actor has identified the proverbial house to target, gained intelligence about the house from what they can “see” at a distance and is now preparing to act.

1. Initial Exploit/Actor Foothold

Regardless of the chosen initial intrusion vector, the goal for the threat actor remains the same: to gain and maintain a foothold within a victim’s environment. Whatever the exercise or intention, there is always some level of initial exploitation. This varies widely and can include but is not limited to zero-day vulnerabilities, unpatched CVE exploits, phishing for credentials, supply chain attacks and purchasing previously gained footholds from others.  The actor has now moved from outside of the house (perimeter defenses or networking hardware) to the inside.

2. Internal Victim Scouting

This is the "where am I moment?" for the threat actor—when they are scanning for internal IP addresses and host names, mapping Active Directory object relationships and accessible shares, identifying naming conventions, etc. At this stage, the attacker is exploring options and inventorying paths in order to identify how to reach their next objective. They are becoming oriented and assessing the position in the network or system that Stage 1 took them to. This stage is sometimes limited by the nature of the host or by domain account role/permissions. The actor has arrived in a location they have not likely been before and are quickly searching for where to go next.

3. Toolkit Deployment

At this point, the threat actor makes the decision to launch forward and choose the tools they need to achieve that goal based on Stage 2 scouting results. They implant persistence mechanisms, backdoors, alternate network access methods and enable communications with command-and-control (C2) servers. This will allow them to install malicious tools, push/pull commands, increase their reach within the network, escalate privileges and monitor endpoints—anything that can enable them to affect their attack. Typically, our experts have observed threat actors utilizing password stealers, freeware remote access tools and other tools that allow for lateral movement within a network. This is the stage that increases the difficulty of meaningful actor ejection and the one at which the MITRE ATT&CK framework gives hundreds of indicators of compromise and tactics, techniques and procedures (Stages 3, 4 and 5). At this stage, the threat actors are noisier, and the likelihood of detection is increasing with every moment and tool execution. They are disturbing the contents and furniture of the rooms in the proverbial home they are moving through.

4. Escalation

The threat actor uses their tools to escalate from lower privileges to higher privileges and increase their reach within the victim’s environment. This is because, even with tools, an attacker at Stage 3 does not typically have access to everything in the network. While we have observed network intruders that go from internal scouting straight to execution of mission, most of the time we see an actor entering with a lower set of privileges and access and then leveraging tooling to gain or increase their level of access within the environment. Having escalated roles and privileges allows the actor to have more power to move on to the next stage.

5. Lateral Movement/Reconnaissance

If necessary, the attack involves the cyclical repetition of Stages 2 to 5 but continues the exploitation of trust relationships between machines and networks to expand attacks to other target computers or networks. This is usually the stage of lateral movement with the goal of accessing the source of valuable or sensitive data. The attacker now needs to go to where their target is. Typically, in an intrusion lifecycle, threat actors gain access on an external-facing system or through the victim’s virtual private network (VPN). From there, their aim is to reach the domain controller for purposes of broader privileged access and domain reach, as well as a file server for purposes of data acquisition and exfiltration.

6. Execution of Mission

The final stage of the Intrusion Lifecycle is where the attacker achieves their final objective, whether that is collecting, staging, exfiltrating and/or destroying data. Once they have achieved their objective, the attacker moves on to their next victim and repeats the Intrusion Lifecycle all over again, starting from Stage 0.

Learn More

While cyberattacks constantly evolve, Kroll’s global Digital Forensic and Incident Response experiences have proved that many types of attackers work to the same tried-and-tested, structured methodology. Due to the nature of the cyber risk landscape, there is little doubt that attackers’ tooling or specific vulnerability exploitations will diverge over time, but Kroll’s Intrusion Lifecycle fits any threat actor scenario because the stages of the intrusion do not change.

Kroll is ready to help, 24x7. To learn more about the Kroll Intrusion Lifecycle Framework, contact us via our 24x7 cyber incident hotlines or our contact page.