CYBERSECURITY AI & RISK MANAGEMENT

Cybersecurity AI Field Insights and Real-world Experiences

Know Yourself & Know Your Enemy: Breaking the Kill Chain to Win Every Cyber Battle

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu, The Art of War

As a CISO, this line has guided much of my career.

In cybersecurity, victory doesn’t come from building higher walls; it comes from understanding both your own terrain and the adversary’s tactics.

Every breach I’ve studied, every incident I’ve led, reinforces this truth: if you can stop the kill chain, you can win the battle.

Below, I’ll break down the modern attack lifecycle through the lens of the MITRE ATT&CK framework — distilled into five plain-language phases:

They find you -> they compromise you -> they move laterally -> they command & control -> they steal your data

For each phase, I’ll share the attacker’s playbook, the real-world lessons I’ve learned, and the defensive strategies that consistently make the difference.

1. They Find You – Reconnaissance & Resource Development

Before the breach comes the curiosity.

Attackers are relentless researchers. They mine and probe your websites, LinkedIn, GitHub, Shodan, even job postings, piecing together a blueprint of your environment.

Common techniques (MITRE ATT&CK):

  • OSINT and scanning (T1595)
  • Phishing for information (T1598)
  • Setting up malicious infrastructure or buying stolen credentials (T1583, T1589)

CISO insight:
In one case, we traced a phishing campaign back to an attacker who used our own job description to craft convincing lures. That moment changed how we wrote postings — and how we managed digital exposure.

Defender’s playbook:

  • Run External Attack Surface Management (EASM) continuously — what attackers can see, they can exploit.
  • Monitor for domain impersonation and brand abuse.
  • Train your people — reconnaissance often starts with human data collection.
  • Build threat-intel partnerships; knowing who’s targeting your industry gives context to alerts.

Break the chain here, and they never get a clean shot.

2. They Compromise You – Initial Access & Execution

Once they find a door, the goal is to slip through it quietly.

Phishing remains king, but attackers increasingly exploit valid credentials and supply-chain trust.

Common techniques (MITRE ATT&CK):

  • Phishing (T1566)
  • Drive-by compromise (T1189)
  • Supply-chain compromise (T1195)
  • Use of valid accounts (T1078)

CISO insight:
In one campaign, attackers gained access using credentials purchased from a dark-web forum. Our MFA stopped them — but only because we had rolled out phishing-resistant hardware tokens six months earlier. Timing matters.

Defender’s playbook:

  • Deploy phishing-resistant MFA and conditional access everywhere.
  • Harden email and web gateways; sandbox attachments and URLs.
  • Patch aggressively — attackers automate discovery of unpatched systems within hours.
  • Implement identity hygiene: disable unused accounts, enforce passwordless where possible.
  • Simulate attacks; test your controls, don’t assume they work.

When you eliminate easy entry points, you force attackers to spend more — time, money, exposure — and that’s how you win.

3. They Move Laterally – Persistence, Privilege Escalation & Evasion

Now the intruder is inside, often under a legitimate user’s identity.

Their goal: spread quietly, collect credentials, escalate privileges, and blend in.

Common techniques (MITRE ATT&CK):

  • Credential dumping (T1003)
  • Remote services (RDP, SMB, WMI – T1021)
  • Living-off-the-land (PowerShell, WMI, PsExec – T1059)
  • Account manipulation (T1098)
  • Defense evasion via disabling logs or security tools (T1562)

CISO insight:
We once detected lateral movement through an anomaly — an administrator logging in at 3 a.m. from an internal server that never initiated sessions. That single behavioral deviation stopped a ransomware precursor in its tracks.

Defender’s playbook:

  • Enforce least privilege and Just-in-Time (JIT) access.
  • Use Privileged Access Management (PAM) to prevent credential sprawl.
  • Segment networks — limit how far one credential can travel.
  • Deploy EDR/XDR with lateral movement analytics.
  • Plant honeytokens or decoy credentials to catch movement early.

You can’t stop every compromise — but you can contain it.
Containment buys you time, and in cyber defense, time equals survival.

4. They Command & Control – Communication & Orchestration

Once attackers establish a foothold, they need to communicate with their infrastructure — to exfiltrate data, issue commands, or coordinate across compromised hosts.
This is the heartbeat of a breach, and one of the most reliable detection points.

Common techniques (MITRE ATT&CK):

  • Application-layer protocols (HTTPS, DNS tunneling – T1071, T1071.004)
  • Encrypted channels and cloud-based C2 (T1573, T1102)
  • Web services or social-media-based C2 (T1102.003)
  • Protocol tunneling or beaconing (T1572, T1008)

CISO insight:
I’ve seen attackers run C2 through Slack-like APIs and legitimate cloud services. They hid in plain sight — encrypted, authenticated, and invisible to signature-based detection.
We caught them by correlating network egress anomalies with user behavior — a lesson that reshaped our telemetry strategy.

Defender’s playbook:

  • Monitor egress traffic for anomalies — time-based beaconing, unusual destinations, consistent packet sizes.
  • Implement Zero-Trust egress controls — restrict outbound communications to known destinations.
  • Use TLS inspection judiciously to identify covert traffic.
  • Correlate proxy, DNS, and identity telemetry for context-rich detection.
  • Employ deception systems — fake C2 endpoints to attract and study attackers.

If you can sever the command channel, the adversary loses control — the attack dies on the vine.

5. They Steal Your Data – Exfiltration & Impact

The final act.
At this stage, attackers consolidate valuable data and prepare to exfiltrate, extort, or destroy.
Often, it’s not just theft — it’s leverage.

Common techniques (MITRE ATT&CK):

  • Data staging and compression (T1074)
  • Exfiltration over web or encrypted channels (T1041)
  • Ransomware or destructive impact (T1486, T1490)
  • Cloud-to-cloud exfil (T1537)

CISO insight:
In one ransomware case, our backups saved the day — not because we restored fast, but because we tested our restore process quarterly. Many organizations learn too late that “having backups” and “recovering from them” are two very different things.

Defender’s playbook:

  • Enforce Data Loss Prevention (DLP) at endpoints and gateways.
  • Monitor for large or unusual outbound transfers.
  • Segment critical data stores; implement air-gapped, immutable backups.
  • Simulate exfil scenarios during red-team and purple-team exercises.
  • Establish tabletop response plans for ransomware and data breaches.

Even if they reach this point, strong containment and recovery turn potential disaster into a learning opportunity.

From Gaps to Governance: Building a Resilient Security Program

Winning isn’t about perfection; it’s about resilience — detecting early, responding fast, recovering completely.

Here’s how I’ve seen mature enterprises evolve:

  1. Map your controls to MITRE ATT&CK — know where you’re strong and where you’re blind.
  2. Prioritize high-value techniques (phishing, credential abuse, lateral movement) and close those first.
  3. Automate detection and response where confidence is high.
  4. Harden identity, not just perimeter. Identity is the new attack surface.
  5. Test relentlessly. Red-team, purple-team, tabletop — pressure reveals weakness before attackers do.

And above all, measure what matters: time-to-detect, time-to-respond, containment rate, and business impact avoided.

Closing Thoughts: The Art of Defense

Sun Tzu taught that “The supreme art of war is to subdue the enemy without fighting.”

In cybersecurity, that means shaping the battlefield — knowing your assets, knowing your enemy, and making their path unviable.

Every CISO knows: no defense is perfect — but with preparation and visibility, any incident can be contained before it becomes a breach. When you build visibility, discipline, and speed — when you know your terrain and your adversary’s playbook — every attack becomes an opportunity to adapt and strengthen.

That’s how you win not just a single battle, but the long war. A great CISO leads with vigilance, expects attacks, and never accepts defeat.

CISO’s 90-Day Action Checklist

  1. Complete an ATT&CK gap assessment and publish a prioritized roadmap.
  2. Roll out phishing-resistant MFA and identity hardening.
  3. Deploy or enhance EDR/XDR for lateral and C2 visibility.
  4. Validate backups and restoration SLAs through live testing.
  5. Establish a cyber resilience dashboard with real metrics for leadership.

Posted

in

, , , ,

by

Ann Chang

Tags:

, , , , , , ,

Comments

Leave a comment