The Attacker's Decision Matrix
You've classified attackers by constraint profile (Section 1.3) and identified their objectives from telemetry diagnostics (Section 1.2). This section connects them: the decision matrix is how the attacker's objective, constraints, and reconnaissance findings combine into a specific operational plan. More importantly, it shows you how to reverse-engineer that plan from investigation evidence and predict the attacker's next move before they execute it.
Scenario
You're investigating an incident and you've identified initial access (phishing) and credential theft (LSASS dump). The CISO asks: "What will they do next?" Without a framework, the answer is "we don't know." With the decision matrix, given the evidence of a financial objective, high risk tolerance, commodity tooling, and credential access already achieved, the answer is: "Lateral movement to backup systems, then ransomware deployment, likely within 24-48 hours. Protect backups now." The matrix turns partial evidence into an actionable prediction.
Technique selection is not random
Every technique the attacker uses is the output of a decision process constrained by their objective, their resources, and their intelligence about the target. The ransomware affiliate doesn't choose credential stuffing because it is their favorite technique. They choose it because they have breached credentials from reconnaissance, their timeline is 48 hours, and credential stuffing is the fastest path to access with the lowest probability of failure. The espionage operator doesn't choose AiTM phishing because it is the most sophisticated option. They choose it because the target has MFA enabled, their timeline is unlimited, and AiTM bypasses MFA while providing the session token needed for quiet, persistent API access.
Understanding this reasoning gives you predictive power during investigations. Given what you've observed so far, what would a rational attacker do next? This is not mind-reading. It is operational logic. Rational actors facing the same constraints, with the same intelligence, and pursuing the same objective make similar decisions.
The four outputs of the matrix
The decision matrix takes three inputs (objective, constraints, reconnaissance findings) and produces four operational decisions: infrastructure design, access method, movement strategy, and objective execution plan. Each output generates different telemetry, and that telemetry both reveals the attacker's constraints and predicts their next move.
Infrastructure design is driven by budget and risk tolerance. Low budget combined with high risk tolerance produces commodity infrastructure: a VPS purchased with cryptocurrency, a leaked copy of Cobalt Strike, a free domain. Disposable and replaceable. Total cost under $50. High budget combined with low risk tolerance produces layered infrastructure: aged domains registered months in advance, redundant redirectors, CDN-fronted C2 that looks like legitimate HTTPS traffic, fallback communication channels in case the primary C2 is blocked. Total cost in the thousands. The infrastructure investment is proportional to the expected campaign duration.
Access method selection is the decision most directly shaped by all three inputs. Consider the decision tree for an M365-heavy target like Northgate Engineering.
If breached credentials are available and legacy auth is not blocked, the attacker chooses credential stuffing: fast, cheap, high probability of success, and produces minimal pre-compromise telemetry. If legacy auth is blocked but MFA uses standard push notifications, the attacker considers MFA fatigue bombing: sending repeated push notifications until the user approves one out of frustration or confusion. This is cheap but has moderate probability and generates suspicious activity in the sign-in logs. If MFA is enforced with Conditional Access blocking unfamiliar devices, the attacker moves to AiTM phishing: more expensive to set up (requires a proxy infrastructure), but bypasses both MFA and device compliance checks by capturing the authenticated session token. If a Citrix NetScaler is on the perimeter with a known unpatched CVE, the attacker may choose vulnerability exploitation: technically demanding but requires no user interaction at all.
Each branch produces different telemetry. Credential stuffing produces a single successful sign-in, typically from an unfamiliar IP and, where legacy auth is still enabled, through a legacy-auth client that never prompts for MFA. MFA fatigue produces a run of push notifications and failed or interrupted sign-ins for one account before a single success. AiTM phishing produces a phishing email plus a sign-in from the proxy infrastructure's IP that passes MFA because the captured session token is replayed. Vulnerability exploitation produces a web application log entry and possibly an EDR alert if the exploit spawns an unexpected process. The access method tells you what the attacker prioritized and what your reconnaissance-layer defenses did or did not prevent.
Movement strategy is driven by the objective and timeline. Ransomware operators move fast toward domain controllers, backup systems, and file servers, touching many systems in hours and producing dense authentication telemetry. Espionage operators may not move laterally at all if the initial compromise provides API access to the target data through OAuth permissions. When they do move, they make one hop per day during business hours, producing minimal and routine-looking authentication events. The movement strategy is where the objective becomes most visible in telemetry, because different objectives require access to different systems.
Objective execution plan determines the final telemetry signature and your last detection opportunity before impact. Ransomware deploys via GPO or PsExec across the domain, producing mass process creation events. Espionage establishes a regular collection cadence with automated exfiltration through legitimate cloud APIs. BEC waits for the right financial transaction to redirect, producing a single modified email that may never trigger an alert. Sabotage triggers a destructive payload on critical systems, producing a burst of file system and service disruption events.
Worked example: two attackers, one target
The power of the matrix is visible when you apply it to the same target with different attacker profiles.
Same target. Different constraints. Completely different operational plans. The ransomware affiliate produces dense telemetry over 48 hours with six distinct detection opportunities. The espionage operator produces sparse telemetry over months with four detection opportunities, each requiring cloud-layer monitoring rather than endpoint detection.
Reverse-engineering the matrix during investigations
The matrix works in both directions. Forward, it predicts what an attacker with known constraints will do. Backward, it infers constraints and predicts next moves from observed evidence. The reverse-engineering process has four steps.
Step 1: Infer objective from targets. What systems has the attacker accessed? Executive mailboxes indicate intelligence. Backup infrastructure indicates financial. Build pipelines indicate access. Industrial control systems indicate disruption. The target selection is the strongest single indicator of objective.
Step 2: Infer constraints from tools and pace. Commodity tools or custom? Fast movement or slow? Each observation constrains the possible profiles. PsExec and Mimikatz with rapid lateral movement narrows to ransomware affiliate. OAuth consent grant with no endpoint artifacts narrows to intelligence or access.
Step 3: Infer reconnaissance from targeting specificity. Did the attacker target specific people by name? Know which accounts had legacy auth enabled? Exploit a specific vulnerability on the first attempt without scanning first? The precision of the attacker's targeting reveals how much pre-attack intelligence they gathered. High specificity (targeting the exact three accounts with legacy auth, knowing the executive assistant's name, exploiting the exact CVE on the NetScaler without probing other ports first) indicates thorough passive and possibly active reconnaissance. Low specificity (broad phishing, credential spray against all accounts, scanning the entire IP range) indicates minimal target-specific intelligence. The reconnaissance depth directly affects the difficulty of detection: high-specificity attacks bypass the broad monitoring that catches low-specificity attacks.
Step 4: Run the matrix forward. Given the inferred objective, constraints, and reconnaissance depth, what would a rational attacker do next? That prediction tells you what to look for, what to protect, and how to contain.
Partial evidence is sufficient
The four constraint dimensions correlate strongly enough that two dimensions assessed with confidence often let you infer all four and make a useful prediction.
Quiet operations combined with custom tooling predict a long timeline and an intelligence or access objective. Loud operations combined with commodity tools predict a short timeline and a financial objective. Targeted single-mailbox access combined with slow pace predicts intelligence operations with high capability. Rapid multi-system movement combined with backup targeting predicts ransomware deployment within 24-48 hours.
You do not need a complete picture to act. The first two observations from an investigation typically constrain the possible profiles enough to set response priorities. The matrix doesn't require certainty. It requires the minimum evidence needed to distinguish between completely different response strategies: immediate aggressive containment (financial) versus silent scoping (intelligence).
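The two early observations this section relies on, operational pace and target selection, can be computed directly from authentication telemetry. The following Python is an added example written for this page, not code from the course: it summarises a set of constructed Windows 4624-style network logon events (timestamp, account, source host, destination host) into pace and target features, then maps them to the financial-versus-intelligence triage decision described above. The hostnames, the HOST_ROLES lookup and the numeric thresholds (four or more hosts inside 24 hours, a median gap of roughly a day between hops) are assumptions that encode the article's heuristics, not published values.

```python
"""Added example: pace and target features from lateral-movement telemetry.

Sample data is constructed in the shape of Windows 4624 network logons
(logon type 3). HOST_ROLES stands in for a CMDB lookup; thresholds are
illustrative encodings of the article's heuristics.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed events: (timestamp, account, source host, destination host).
FAST_MOVER = [
    ("2024-03-02T01:10:00", "svc_backup", "WS-114", "DC01"),
    ("2024-03-02T01:25:00", "svc_backup", "WS-114", "FS01"),
    ("2024-03-02T01:31:00", "svc_backup", "WS-114", "FS02"),
    ("2024-03-02T02:05:00", "svc_backup", "WS-114", "BACKUP01"),
    ("2024-03-02T02:40:00", "svc_backup", "DC01", "HYPERV01"),
    ("2024-03-02T03:12:00", "svc_backup", "DC01", "FS03"),
]
SLOW_MOVER = [
    ("2024-03-04T10:12:00", "j.ortega", "WS-032", "EXCH01"),
    ("2024-03-05T11:40:00", "j.ortega", "WS-032", "EXCH01"),
    ("2024-03-07T09:55:00", "j.ortega", "WS-032", "SHAREPT01"),
]

# Assumed asset-role lookup (hypothetical hostnames).
HOST_ROLES = {
    "DC01": "domain_controller", "BACKUP01": "backup", "HYPERV01": "hypervisor",
    "FS01": "file_server", "FS02": "file_server", "FS03": "file_server",
    "EXCH01": "mail", "SHAREPT01": "collaboration",
}


def movement_profile(events, window=timedelta(hours=24)):
    """Summarise pace (fan-out per window, gap between hops) and targets."""
    stamped = sorted((datetime.fromisoformat(t), dst) for t, _, _, dst in events)
    times = [t for t, _ in stamped]
    # Peak number of distinct destination hosts reached inside any one window.
    peak = 0
    for start in times:
        hosts_in_window = {d for t, d in stamped if start <= t < start + window}
        peak = max(peak, len(hosts_in_window))
    gaps_h = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    roles = {HOST_ROLES.get(d, "unknown") for _, d in stamped}
    return {
        "distinct_hosts": len({d for _, d in stamped}),
        "peak_hosts_per_window": peak,
        "median_gap_hours": median(gaps_h) if gaps_h else None,
        "roles": roles,
    }


def infer_objective(profile):
    """Map the two early observations (pace, target selection) to a response."""
    fast = profile["peak_hosts_per_window"] >= 4          # many hosts in a day
    slow = (profile["median_gap_hours"] or 0) >= 20        # about one hop a day
    hits_backup = "backup" in profile["roles"]
    data_only = profile["roles"] <= {"mail", "collaboration"}
    if fast and hits_backup:
        return ("financial", "contain immediately; isolate and verify backups")
    if slow and data_only:
        return ("intelligence", "scope silently; review mailbox and OAuth activity")
    return ("undetermined", "keep collecting; re-run as evidence arrives")


if __name__ == "__main__":
    for name, events in (("fast", FAST_MOVER), ("slow", SLOW_MOVER)):
        p = movement_profile(events)
        print(name, p["peak_hosts_per_window"], p["median_gap_hours"], infer_objective(p))
```

The point of the "undetermined" branch is the one the section makes about partial evidence: the function commits as soon as pace and target selection separate the two response strategies, and otherwise says so rather than forcing a label. In production the same features would come from a query over your SIEM's logon events and the role lookup from your asset inventory.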
When the matrix changes mid-campaign
The matrix is not static. Attackers adapt when they encounter unexpected resistance. A ransomware affiliate who finds that Conditional Access blocks their stuffed credential from accessing Exchange doesn't abandon the operation.
They re-evaluate: the credential worked for authentication, so the password is valid. Conditional Access is blocking the device. The attacker shifts to AiTM phishing to capture a session from a device that passes the compliance check.
This adaptation produces observable telemetry. A credential stuffing attempt in which the password validated but Conditional Access blocked the session, followed 24-48 hours later by a phishing email targeting the same organization, is not two separate incidents. It is one campaign in which the attacker hit a barrier at the access method stage and pivoted. If you investigate the phishing email in isolation, you miss the blocked credential stuffing attempt that explains why the attacker chose phishing as the access method. Correlating the two events tells you the attacker already holds valid credentials and is specifically targeting your organization, which changes the response: the password has to be reset and the account reviewed, not just the phishing email quarantined.
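The correlation described above is straightforward to express as detection logic. The following Python is an added example written for this page, not code from the course or a product query: it joins constructed sign-in records with constructed mail-gateway phishing verdicts and reports every user for whom a password was accepted but the session was blocked by policy, and who then received a phishing email within 48 hours. The field names are simplified from Entra ID sign-in and mail-gateway logs, the domain northgate.example and the addresses are made up, and the 48-hour window is the section's own figure. The Entra ID error codes 53003 (blocked by Conditional Access) and 50126 (invalid credentials) are real, and are what you would filter on in a KQL query against SigninLogs.

```python
"""Added example: correlate a policy-blocked credential-stuffing sign-in
with a later phishing email to the same user. All records are constructed."""
from datetime import datetime, timedelta

# Constructed sign-in records. A password that was accepted but then blocked
# by Conditional Access appears in Entra ID as a failed sign-in with error
# 53003; here that is modelled as auth_result="success" plus ca_result="failure".
SIGNINS = [
    {"time": "2024-03-01T03:14:00", "user": "a.chen@northgate.example",
     "ip": "198.51.100.23", "client": "Other clients",
     "auth_result": "success", "ca_result": "failure", "error": 53003},
    {"time": "2024-03-01T03:15:00", "user": "b.ruiz@northgate.example",
     "ip": "198.51.100.23", "client": "Other clients",
     "auth_result": "failure", "ca_result": "notApplied", "error": 50126},
    {"time": "2024-03-01T08:02:00", "user": "a.chen@northgate.example",
     "ip": "203.0.113.40", "client": "Browser",
     "auth_result": "success", "ca_result": "success", "error": 0},
]

# Constructed mail-gateway verdicts.
PHISH_EMAILS = [
    {"time": "2024-03-02T15:40:00", "recipient": "a.chen@northgate.example",
     "sender_domain": "northgate-sso.example", "verdict": "phish"},
    {"time": "2024-03-06T09:00:00", "recipient": "c.dale@northgate.example",
     "sender_domain": "invoices.example", "verdict": "phish"},
]


def validated_but_blocked(signins):
    """Sign-ins where the password was accepted but policy stopped the session.

    This is the barrier the attacker hits: they now know the credential is valid.
    """
    return [s for s in signins
            if s["auth_result"] == "success" and s["ca_result"] == "failure"]


def stuffing_sources(signins):
    """Source IPs using legacy-auth clients, with the users each one tried."""
    by_ip = {}
    for s in signins:
        if s["client"] == "Other clients":
            by_ip.setdefault(s["ip"], set()).add(s["user"])
    return {ip: sorted(users) for ip, users in by_ip.items()}


def correlate(signins, emails, window=timedelta(hours=48)):
    """Pair each policy-blocked valid credential with phishing that follows it."""
    hits = []
    for s in validated_but_blocked(signins):
        t0 = datetime.fromisoformat(s["time"])
        for e in emails:
            if e["recipient"] != s["user"] or e["verdict"] != "phish":
                continue
            t1 = datetime.fromisoformat(e["time"])
            if t0 < t1 <= t0 + window:
                hits.append({
                    "user": s["user"],
                    "stuffing_ip": s["ip"],
                    "credential_validated_at": s["time"],
                    "phish_at": e["time"],
                    "hours_between": round((t1 - t0).total_seconds() / 3600, 1),
                    "assessment": "valid password held; pivot to phishing after policy block",
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(SIGNINS, PHISH_EMAILS):
        print(hit)
    print(stuffing_sources(SIGNINS))
```

Run on the sample, only a.chen is reported: the password validated at 03:14, policy blocked the session, and a phishing email arrived about 36 hours later. b.ruiz is excluded because the password was wrong, and c.dale because no earlier credential validation exists. The stuffing_sources output shows the same IP trying two accounts through a legacy client, which is the targeting evidence the section describes.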
An IR team refuses to classify the attacker until they have "enough information," which in practice means waiting until the investigation is nearly complete. By that point, the classification is useless for prediction because the campaign is already over. The matrix is designed for early-stage assessment with incomplete data. Two observations (target selection and operational pace) are sufficient to distinguish between financial and intelligence objectives, which is the classification that drives immediate response decisions. Profile early, refine continuously, and act on the best available assessment rather than waiting for certainty.
Offensive Operations Principle
The decision matrix connects adversary classification to operational prediction. Given the objective and constraints you've identified from partial evidence, the matrix narrows the likely next moves to a manageable set. The prediction is not clairvoyance. It is operational logic. Rational actors facing the same constraints make similar decisions. Profile early, predict forward, and protect accordingly.