Attackers can also add steps to their game plan, he said. For example, they can take time to clean up traces of their presence, set up disruptions, spread false data, or install backdoors that they can use for future attacks.
They can also do the steps out of order, or go back and repeat steps. It's not a simple linear process, he said. "It's usually more like the spreading branches of a tree," he said. "Or spreading tentacles, with lots of things happening."
Monetizing the attack: It ain't over till it's over
In the denial of service example, disruption isn't necessarily the last step of an attack. Once they've successfully disrupted, corrupted or exfiltrated, attackers can go back in and do it all over again.
Or they can move on to another stage -- monetization. According to Ajit Sancheti, CEO at Preempt Security, that can take any number of forms. For example, they can use compromised infrastructure to commit ad fraud or send out spam, extort the company for ransom, sell the data they've acquired on the black market, or even rent out hijacked infrastructure to other criminals. "The monetization of attacks has increased dramatically," he said.
The use of Bitcoins makes it easier and safer for the attackers to receive money, he added, which contributes to the change in the motivation behind attacks. The number of different groups involved in the consumption of stolen data has also become more complicated. That could, potentially, create opportunities for enterprise to work with law enforcement authorities and other groups to disrupt the process.
Take, for example, stolen payment card information. "Once credit card data is stolen, the numbers have to be tested, sold, used to procure goods or services, those good or services in turn have to sold to convert them to cash," said Monzy Merza, head of security research at Splunk, Inc.
All of this is outside the traditional kill chain of a cyberattack, he said. Another area where the black market ecosystem impacts the cyberattack life cycle is before the attack begins. Attackers share lists of compromised credentials, of vulnerable ports, of unpatched applications.
That's a treasure-trove of low-hanging fruit, said Nils Stewart, head of products at Skyport Systems, Inc. "I'd expect more datasets to become available," he said.
Beyond the firewall
The traditional cyberattack life cycle also misses attacks that never touch enterprise systems at all. For example, companies are increasingly using third-party software-as-a-service (SaaS) providers to manage their valuable data. "Compromising credentials into SaaS applications means there are no exploits, no installation," said Johnson.
Defending against attackers who buy their logins on the black market and never even touch a company's own infrastructure requires a completely different defense strategy, such as switching to a centralized, single sign-on system with two-factor authentication.