Skip to content

5 stages of a cyberattack

By Christopher Fieger, CPA, McKonly & Asbury

Cyberattacks have become an efficient and effective means for cybercriminals to create chaos, and oftentimes benefit financially, all while operating from a safe distance. As seen with recent events, the effects of an attack can be widespread. These attacks can happen at any time and can be a result of poor security practices. To better prepare for and defend against an attack, it is important to understand the stages cybercriminals often take to perform a cyberattack.

Stage 1: Reconnaissance

The first stage of a cyberattack involves information gathering. During this stage, cybercriminals will attempt to explore all publicly accessible information about a potential target. This can include information listed on the dark web or on a company’s website, such as employees, physical locations, social media sites, and other platforms. All of this information is used when determining their target. In order to better plan their attack, cybercriminals will often use the information gathered during the reconnaissance stage to build a blueprint of their target.

Stage 2: Scanning

Scanning is the second stage of a cyberattack. After the cybercriminal identifies their target, more information is needed in order for them to perform their attack. Attempting to ping devices on the target network, such as routers, or performing vulnerability scans could provide additional information about the target network. Email phishing can be considered a form of scanning. For example, a cybercriminal could obtain employee email addresses from a company website and send out phishing emails in an attempt to gather additional information such as account names, passwords, and other employee information. Cybercriminals will often times target employees to obtain access to a network.

Stage 3: Gaining Access

The third stage of a cyberattack involves the cybercriminal gaining access to the computer system, account, or network. The cybercriminal could do this based on data, credentials or other information obtained in the prior two stages of reconnaissance and scanning. At this stage, the target has been compromised. Cybercriminals could attempt to gain access physically through a building and plug into the target network or access the target network remotely. Once the cybercriminal obtains access, they could have free reign to the network or system and company data depending on the permissions and controls in place.

Stage 4: Maintaining Access

Once a cybercriminal gains access to a target, it is important for them to maintain access to the target. The cybercriminal may attempt to remain hidden on the network long enough to determine the extent of the information or data they can obtain. Depending on the controls in place at the target, they could have full or limited access to the target data. If the cybercriminal has limited access to data, they may attempt to escalate their access privileges from a basic user to an admin user to have greater access to the target data. Cybercriminals may also install malware on the target to provide them repeated access to the target, often referred to as a “backdoor”.

Stage 5: Covering Tracks

The final stage of a cyberattack involves covering the tracks of the cybercriminal. This could include erasing log entries or deleting any malware installed during the maintaining access stage. If a cybercriminal were to hack a user’s email, deleting sent phishing emails sent from the account could be a form of their covering tracks. Stealth is the name of the game in cyberattacks. Apart from ransomware attacks, cybercriminals often look for ways to quickly get to the data, gather as much as they can and get out of the network without being detected. Ransomware attacks have become more common in recent years. Instead of deleting or corrupting data, cybercriminals will encrypt the data, hold it hostage and demand payment for its release.

With cyberattacks on the rise, it is critical to remain alert. As mentioned earlier, cyberattacks can happen at any time and companies should be prepared and implement the necessary security measures to combat the various stages of a cyberattack. In the case of the Colonial Pipeline cyberattack, this attack was perpetrated with a compromised user password. Although there is no approach that can fully prevent cyberattacks, companies that implement the right security measures, train employees on security best practices, and closely monitor the network or system can drastically reduce their likelihood.

If you have any questions regarding this article or would like to discuss cybersecurity related topics further; be sure to visit McKonly & Asbury’s System and Organization Controls Services page as well as their Cybersecurity Services page at and don’t hesitate to contact us with any questions.

McKonly & Asbury is a leading regional accounting and business advisory services firm that serves as trusted advisors and valued business partners, providing a range of services from their offices in Camp Hill, Lancaster, and Bloomsburg, Pennsylvania. McKonly & Asbury’s industry-specific solutions meet the intricate needs of clients, providing services to Affordable Housing, Construction, Employee Benefit Plans, Family-Owned Business, Healthcare, Manufacturing and Distribution, Nonprofit, and Technology industries. For more information, visit

You can also subscribe to McKonly & Asbury’s blog at to keep up-to-date on the latest business and financial information across a variety of industries as well as upcoming webinars and presentations to help your business profit.



Scroll To Top