How Attackers Plan Operations

6-8 hours · Module 1 · Free

0.1 What this module covers

Every campaign starts with a plan. The attacker has an objective, constraints, and intelligence about the target. The plan connects the objective to the target through the constraints. This module teaches the planning stage of offensive operations in enough depth that you can reverse-engineer the plan from investigation evidence and predict the attacker's next move before they execute it.

You will learn to classify adversaries from partial evidence within the first hour of an investigation, produce structured predictions of their next actions, and translate that classification into a leadership brief that drives response decisions.

0.2 What you will learn

Section 1.1 — The Offensive Lifecycle. The complete lifecycle from planning through exfiltration. Not a kill chain poster but the operational reality of how campaigns unfold over days and weeks, with different telemetry at each phase.

Section 1.2 — Target Selection and Objective Mapping. Why attackers choose specific organizations and what determines their objective. The four objective classes (financial, intelligence, disruption, access) and the telemetry diagnostics that distinguish them.

Section 1.3 — Constraint Analysis. Budget, time, capability, and risk tolerance. Why the technique an attacker uses tells you as much about what they cannot do as what they can.

Section 1.4 — Risk Tolerance and Operational Security. Four noise levels (loud, visible, quiet, silent) and why noise is a deliberate operational choice. The constraint that most clearly separates adversary classes.

Section 1.5 — Passive Reconnaissance. Everything the attacker learns before sending a single packet to your network: DNS records, certificate transparency, LinkedIn, job postings, breach databases, and infostealer logs.

Section 1.6 — Active Reconnaissance. When the attacker touches your infrastructure. Password spraying, network probing, cloud tenant enumeration, and why your per-entity detection thresholds miss the professional.

Section 1.7 — The Decision Matrix. The framework that connects adversary classification to operational prediction. Given partial evidence, the matrix narrows the likely next moves to a manageable set.

Section 1.8 — Operational Timing. Time as an operational weapon. Weekend deployments, business-hours blending, shift-change exploitation, and what the timing choice reveals about the objective.

Section 1.9 — Team Structures and Attacker Roles. IABs, RaaS operators, affiliates, and state-sponsored teams. The handoff signature that tells you multiple actors are involved in the same campaign.

Section 1.10 — Documented Campaigns: Ransomware. The six-phase ransomware operational pattern with five detection windows before encryption. Detection priority stack for maximum impact with limited engineering resources.

Section 1.11 — Documented Campaigns: Espionage and Supply Chain. Cloud-native espionage with 122-day dwell times. Supply chain compromise via trusted update channels. Detection approaches that have nothing in common with ransomware detection.

Section 1.12 — The Operational Profile. The deliverable. A four-step methodology (Observe, Classify, Predict, Act) that produces a structured adversary classification from partial evidence within the first hour of an investigation.

0.3 What you need

Module 1 is free and requires no lab environment. A browser and your attention. The detection concepts in Sections 1.5, 1.6, and 1.8 reference KQL queries that can be run against your Sentinel workspace if you have one. They are optional enrichment, not prerequisites.

0.4 How to use this module

Each section builds on the previous one. Sections 1.1-1.4 establish the attacker's operational model. Sections 1.5-1.6 cover reconnaissance. Sections 1.7-1.9 teach the decision framework. Sections 1.10-1.11 apply the framework to documented campaigns. Section 1.12 synthesizes everything into the Operational Profile methodology you will use throughout the course.
