# Actions on Objectives

After initial access, privilege escalation, and lateral movement, an adversary transitions to their true goal. In the kill chain this phase is called Actions on Objectives.

This phase reflects the "why" behind an operation: it is when the attacker acts on the intended mission objectives, which vary with motivation, funding, and opportunity.
## Goals and Motivations

Cyberattacks serve a wide spectrum of purposes. Below are the most common strategic objectives, grouped by intent.
### 1. Financial Gain

| Method | Example Use Cases |
|---|---|
| Direct Theft | Wire fraud, draining wallets, siphoning bank accounts |
| Ransomware | Encrypting data and demanding payment for recovery |
| Fraud | Selling stolen credit card or PII data |
| Cryptojacking | Covert cryptocurrency mining on compromised systems |

### 2. Espionage

| Method | Example Use Cases |
|---|---|
| Corporate Espionage | Stealing proprietary source code, M&A documents |
| State-Sponsored Ops | Surveillance of foreign agencies or adversaries |
| Industrial Espionage | Compromising ICS/SCADA environments for economic advantage |

### 3. Disruption

| Method | Impact |
|---|---|
| DDoS Attacks | Taking down websites or services |
| Critical Infrastructure Hits | Disrupting power, transit, or healthcare |
| Data Corruption | Causing operational failure |

### 4. Data Theft

| Data Targeted | Use |
|---|---|
| Personal Info (PII) | Identity theft, doxxing, resale |
| Credentials | Enable lateral movement, resale |
| Corporate Records | Competitive intelligence, leaks |
### 5. Political or Ideological Goals

| Tactic | Objective |
|---|---|
| Website Defacement | Making a public statement |
| Information Warfare | Disinformation, propaganda, election meddling |
| Whistleblowing | Leaking corporate or government misdeeds |

### 6. Destruction or Manipulation

| Goal | Example |
|---|---|
| Data Wiping | Wiper malware such as NotPetya targeting disks |
| Data Tampering | Altering financial or sensor data |

### 7. Infrastructure Access

| Mechanism | Purpose |
|---|---|
| Backdoor Creation | Persistent access for later operations |
| Pivoting | Moving deeper into the environment |
| Botnet Enlistment | Future DDoS, spam, or proxy use |

### 8. Reputation Damage

| Method | Impact |
|---|---|
| Defacement | Undermines public trust |
| Leaks | Embarrassment, PR crises |
| Social Engineering | Manipulating internal stakeholders |

### 9. Military or National Security

| Goal | Description |
|---|---|
| Cyber Warfare | Cripple enemy systems |
| Surveillance | Monitor adversaries |
| Capability Disruption | Disable defense, communications, logistics |
### 10. Capability Testing

| Purpose | Examples |
|---|---|
| PoC Exploits | Demonstrating 0-day effectiveness |
| Recruitment | Impressing other threat actors |
| Cyber Range Games | Rehearsing tooling and tradecraft before live operations |
### 11. Extortion & Coercion

| Mechanism | Application |
|---|---|
| Blackmail | Using leaked photos, chats, emails, or data |
| Coercion | Forcing executives or officials into compliance |

### 12. Influence Operations

| Tactic | Target |
|---|---|
| Social Media Hacks | Controlling narrative or speech |
| Election Interference | Tampering, discrediting institutions |
## The Takeaway

Understanding Actions on Objectives helps defenders:

- Prioritize post-compromise detection over initial-access alerts alone
- Monitor for exfiltration and data manipulation patterns (bulk outbound transfers, mass file changes, backup deletion)
- Tag alerts with likely intent (espionage vs disruption vs financial gain) so response can be prioritized accordingly
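The triage logic those three points describe, as an added example that is not part of the original page: it parses a constructed, hypothetical `key=value` telemetry format (network egress, process and file events), flags bulk outbound transfers to destinations outside an assumed sanctioned baseline and mass `.locked` renames paired with shadow-copy deletion, and tags each alert with the objective it most likely serves. The thresholds, the baseline set and the `SAMPLE_LOGS` lines are all invented for the example.

```python
"""Post-compromise triage: detect exfiltration-like egress and ransomware-like
file activity in sample telemetry, then tag each alert with the likely objective.
Added example; log format, thresholds and sample data are all hypothetical."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). ws-17 pushes ~4 GB to an unknown
# host; fs-01 deletes shadow copies and renames files to *.locked; ws-03 is benign.
SAMPLE_LOGS = """
2024-05-01T10:02:11Z type=net host=ws-17 user=alice dst=203.0.113.5:443 bytes_out=1800000000
2024-05-01T10:05:40Z type=net host=ws-17 user=alice dst=203.0.113.5:443 bytes_out=2200000000
2024-05-01T10:06:02Z type=net host=ws-03 user=bob dst=198.51.100.20:443 bytes_out=120000
2024-05-01T10:07:15Z type=proc host=fs-01 user=svc_backup cmd="vssadmin delete shadows /all /quiet"
2024-05-01T10:07:16Z type=file host=fs-01 user=svc_backup path=//fs-01/finance/Q1.xlsx.locked
2024-05-01T10:07:16Z type=file host=fs-01 user=svc_backup path=//fs-01/finance/Q2.xlsx.locked
2024-05-01T10:07:17Z type=file host=fs-01 user=svc_backup path=//fs-01/finance/Q3.xlsx.locked
2024-05-01T10:09:00Z type=net host=ws-03 user=bob dst=198.51.100.20:443 bytes_out=90000
"""

KNOWN_GOOD_DST = {"198.51.100.20"}  # assumed baseline of sanctioned egress destinations
EXFIL_BYTES = 1_000_000_000         # assumed per host/destination threshold (1 GB)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be double-quoted


def parse_line(line):
    """Turn one telemetry line into a dict; the leading token is the timestamp."""
    ts, rest = line.split(" ", 1)
    event = {"ts": ts}
    for key, value in KV.findall(rest):
        event[key] = value.strip('"')
    return event


def detect_exfil(events, known_good=KNOWN_GOOD_DST, threshold=EXFIL_BYTES):
    """Sum outbound bytes per (host, destination IP) and flag bulk egress to
    destinations not in the baseline. Sanctioned destinations are ignored."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("type") != "net":
            continue
        ip = ev["dst"].rsplit(":", 1)[0]
        if ip in known_good:
            continue
        totals[(ev["host"], ip)] += int(ev["bytes_out"])
    return [{"host": h, "dst": ip, "bytes_out": b, "signal": "bulk_egress_unknown_dst"}
            for (h, ip), b in totals.items() if b >= threshold]


def detect_ransomware(events, min_renames=3):
    """Flag hosts that both delete shadow copies and rename many files to *.locked."""
    shadow_hosts = set()
    renames = defaultdict(int)
    for ev in events:
        cmd = ev.get("cmd", "").lower()
        if ev.get("type") == "proc" and "vssadmin" in cmd and "delete shadows" in cmd:
            shadow_hosts.add(ev["host"])
        if ev.get("type") == "file" and ev["path"].endswith(".locked"):
            renames[ev["host"]] += 1
    return [{"host": h, "renamed": n, "signal": "mass_rename_with_shadow_delete"}
            for h, n in renames.items() if n >= min_renames and h in shadow_hosts]


# Map each detection signal to the objective category it most plausibly serves.
INTENT = {
    "bulk_egress_unknown_dst": "data theft / espionage",
    "mass_rename_with_shadow_delete": "financial gain (ransomware)",
}


def tag_intent(alert):
    """Return a copy of the alert with an 'intent' label for analyst prioritization."""
    tagged = dict(alert)
    tagged["intent"] = INTENT.get(alert["signal"], "unknown")
    return tagged


def triage(raw_logs):
    """Parse, run both detectors, tag intent, and return alerts sorted by host."""
    events = [parse_line(line) for line in raw_logs.strip().splitlines()]
    alerts = detect_exfil(events) + detect_ransomware(events)
    return sorted((tag_intent(a) for a in alerts), key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

Running it on the constructed sample yields two alerts: fs-01 tagged as ransomware (three renames plus shadow-copy deletion) and ws-17 tagged as data theft (4 GB to an unknown destination), while ws-03's traffic to the sanctioned host produces nothing. Pairing two weak signals (shadow deletion and mass rename) is what keeps the ransomware rule from firing on a legitimate backup job that only does one of them.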
Initial access is just the door. The real damage happens during Actions on Objectives.