What stage follows after the initial compromise in a typical cyber attack?

In the context of a typical cyber attack, the stage that follows the initial compromise is lateral movement. After an attacker successfully gains initial access to a system or network, their next objective is often to explore the environment and move across different systems to escalate privileges and gain broader access to valuable resources. This lateral movement involves navigating the internal network, discovering additional vulnerabilities, and leveraging compromised accounts to infiltrate other devices, systems, or applications.

This process is critical for the attacker, as it allows them to strategically position themselves to access sensitive data or deploy additional harmful payloads. The attackers may perform reconnaissance during this stage to identify key servers, databases, and other valuable assets, greatly increasing their ability to inflict damage or exfiltrate data before the attack is detected.

The other stages mentioned, such as data encryption, finding the attack surface, and extortion attempts, do not occur immediately after the compromise and typically follow other steps in a cyber attack lifecycle. Data encryption is often related to ransomware attacks that come after lateral movement has enabled the attacker to gain access to critical systems. Finding the attack surface is part of the initial planning and reconnaissance process before any networks are compromised, while extortion attempts usually happen later, often as a result of successful data theft or