How Do Hackers Actually Get In? A Beginner's Map of Real Attack Paths
The mental image most people have of a hacker — someone typing furiously at a terminal, cracking encryption in real time — is almost completely wrong.
Real intrusions are slower, more methodical, and more boring than the movies suggest. They exploit predictable human behavior, misconfigurations that have existed for years, and the natural complexity of systems that were never designed with adversarial use in mind.
More importantly: most successful attacks don't require sophisticated techniques. They follow well-documented, repeatable paths that security teams have studied, named, and published — and that organizations still fail to close because they're defending against the cinematic version of hacking rather than the operational reality.

The Fundamental Reality That Changes How You Think About This
Before mapping the paths, one mental model shift matters more than anything else:
Attackers don't look for the most sophisticated way in. They look for the easiest way in.
The barrier to entry for most attacks is not technical skill — it's patience and tool access. Automated scanning tools identify vulnerable services. Credential stuffing tools test leaked passwords at scale. Phishing toolkits generate convincing emails from templates. A significant percentage of real-world intrusions require no original research or novel technique.
The second reality: Most breaches are not single-step events. They're kill chains — sequences of actions that move an attacker from initial access to their ultimate objective, which is almost never "get into the network." The objective is usually data exfiltration, ransomware deployment, financial fraud, or persistent intelligence collection. Getting in is step one of a process that has many more steps.
Attack Path 1: Phishing — The Entry Point That Never Gets Old
Phishing is the most common initial access technique in real breaches — not because defenders don't know about it, but because it bypasses technical controls by targeting humans, and humans are consistently the most accessible entry point in any organization.
What actually happens in a phishing intrusion:
A mid-size logistics company receives a surge in emails purporting to be from their freight carrier partner. The emails contain a link to "review updated shipment documentation." The link goes to a convincing clone of a DocuSign portal. An accounts payable employee clicks, enters their Microsoft 365 credentials, and receives a "session expired" error — a normal-looking failure that the phishing page generates intentionally.
The attacker now has valid Microsoft 365 credentials. They log in from a residential IP address in Eastern Europe using an anonymizing proxy. The login triggers no alerts because multi-factor authentication was not enforced on this account — it was an older account that was exempted during the MFA rollout.
The attacker reads 90 days of email, identifies the CEO's communication style, finds a pending wire transfer discussion, and inserts themselves into the thread to redirect a $240,000 payment.
What made this work:
- MFA was not enforced on all accounts (one exception was enough)
- No anomalous login detection for geographic impossibility
- Email thread hijacking is extremely difficult to detect because the account and credentials are legitimate
The non-obvious part about phishing defense: Technical phishing simulations — sending fake phishing emails to employees — have weak evidence of reducing real phishing susceptibility. What reduces susceptibility is specific, scenario-based training tied to the types of phishing the organization actually receives, combined with MFA on every account, no exceptions.
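The geographic-impossibility check that was missing in the scenario above, as an added example that is not part of the original article: flag consecutive logins by the same user whose implied travel speed exceeds what an airline flight could cover. The usernames, coordinates, source labels and the 900 km/h threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    source: str  # descriptive label for the source network (constructed)

def km_between(a: Login, b: Login) -> float:
    """Great-circle distance in km between two login geolocations (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

MAX_KMH = 900.0   # faster than airline travel: treat as impossible (assumed threshold)
MIN_KM = 100.0    # ignore short hops caused by geolocation jitter

def impossible_travel(logins):
    """Return (earlier, later, km/h) for consecutive logins of one user that are too far apart."""
    by_user = {}
    for entry in sorted(logins, key=lambda e: e.when):
        by_user.setdefault(entry.user, []).append(entry)
    hits = []
    for seq in by_user.values():
        for prev, cur in zip(seq, seq[1:]):
            dist = km_between(prev, cur)
            hours = (cur.when - prev.when).total_seconds() / 3600
            speed = float("inf") if hours == 0 else dist / hours
            if dist > MIN_KM and speed > MAX_KMH:
                hits.append((prev, cur, speed))
    return hits

# Constructed sample: an AP clerk's normal office login, then a login through a
# proxy in a distant country 38 minutes later; a second user with a benign pair.
SAMPLE = [
    Login("ap.clerk", datetime(2024, 5, 6, 9, 2), 41.88, -87.63, "office-chicago"),
    Login("ap.clerk", datetime(2024, 5, 6, 9, 40), 44.43, 26.10, "residential-proxy"),
    Login("j.doe", datetime(2024, 5, 6, 8, 55), 41.88, -87.63, "office-chicago"),
    Login("j.doe", datetime(2024, 5, 6, 12, 30), 41.97, -87.90, "home-suburb"),
]

if __name__ == "__main__":
    for prev, cur, speed in impossible_travel(SAMPLE):
        print(f"{cur.user}: {prev.source} -> {cur.source} implies {speed:,.0f} km/h")
```

A real deployment would feed this from the identity provider's sign-in log and suppress known VPN egress locations before scoring.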
Attack Path 2: Exposed Services With Default or Weak Credentials
This attack path requires no social engineering and no sophisticated exploit. It requires a Shodan search and a list of default passwords.
The scenario:
A healthcare network deploys a new remote monitoring platform. The IT contractor sets up the web management interface with the default administrative credentials from the vendor documentation: admin/admin123. The interface is accessible from the internet because the contractor didn't know whether remote access was needed.
Three months later, a ransomware affiliate purchases a list of IP ranges associated with healthcare organizations. They run automated credential testing against management interfaces, VPN portals, and remote desktop services. The default credential succeeds on the first attempt. The affiliate has administrative access to a network-connected system in a healthcare environment.
From that position, they enumerate the internal network and deploy ransomware. The clinic locations are offline for eleven days.
Why this attack path persists:
- Default credentials are documented in publicly available vendor manuals
- Asset inventory in most organizations is incomplete — systems get deployed and forgotten
- Automated scanning tools make discovery of exposed services trivially fast
- The entire initial access process can be automated — human involvement only comes after a successful login
Attack Path 3: Supply Chain and Third-Party Compromise
This attack path is increasingly common because organizations have improved direct defenses but often have weaker visibility into the security posture of their vendors, partners, and software suppliers.
What makes supply chain attacks different:
When an attacker compromises a trusted third party and uses that access to reach the ultimate target, the initial access often arrives through a trusted channel — legitimate software updates, vendor VPN access, API integrations with established trust. The defenses designed to block untrusted access don't fire because the access looks trusted.
The 2020 SolarWinds incident is the canonical supply chain attack. Attackers compromised SolarWinds' build pipeline and inserted malicious code into a software update for Orion. When SolarWinds customers updated their software through the normal update process — the process their security teams had whitelisted and trusted — they installed the malicious code. The attack reached 18,000 organizations including US federal agencies.
The practical supply chain attack most organizations actually face isn't a sophisticated build-pipeline compromise. It's simpler: a vendor with legitimate VPN access has poor security hygiene. The vendor's credentials are phished or stolen. The attacker uses the vendor's legitimate VPN access — which was scoped for "full network access" — to enter the target environment through a trusted channel.
Attack Path 4: Unpatched Public-Facing Applications
This path requires slightly more than the default credential path but is still largely automated. An attacker identifies a public-facing application running software with a known, exploited vulnerability — one already in the CISA KEV catalog — and uses a commodity exploit module.
In March 2021, Microsoft disclosed four critical vulnerabilities in Exchange Server (ProxyLogon) that could be chained together to achieve unauthenticated remote code execution. Within days of disclosure, automated exploitation was occurring globally. Organizations that hadn't patched within the first week found their Exchange servers with webshells installed.
Why organizations fail to patch in time:
- Patching Exchange requires maintenance windows, compatibility testing, and coordination — it can't be done immediately in most organizations
- The gap between "patch released" and "all instances patched" in large organizations is measured in weeks, not hours
- Asset inventory failures mean patching teams don't know all instances exist
- Shadow IT systems never get patched because they're never tracked
Attack Path 5: Credential Stuffing and Password Reuse
This attack path requires no exploit, no phishing, and no technical vulnerability in your systems. It requires a list of leaked credentials from a breach of a different organization and the fact that 65% of people reuse passwords across accounts.
How it works operationally:
A user of a popular fitness tracking application uses the same email/password combination for their corporate VPN, their Microsoft 365 account, and their bank. The fitness app suffers a breach in 2022. The leaked credentials are sold on dark web markets and distributed freely in hacker forums.
An attacker purchases a combo list containing this user's credentials. They run an automated credential stuffing tool — rotating through residential proxies to avoid IP-based blocking. The corporate VPN accepts the credentials. The attacker has network access.
The scale of the problem:
- HaveIBeenPwned contains over 12 billion breached email/password combinations
- Commercial credential combo lists are updated continuously as new breaches occur
- Credential stuffing tools can test thousands of combinations per minute
The only fully effective defense is MFA — because the correct password plus a second factor the attacker doesn't have still fails authentication.
The Kill Chain: How Entry Points Lead to Actual Damage
Understanding individual entry points is incomplete without understanding what happens after initial access. The entry point is rarely where the damage occurs.
The anatomy of a full compromise:
- Initial Access — Any of the paths above. Attacker has a foothold in the environment.
- Persistence — Attacker installs a mechanism that maintains access even if the initial vulnerability is patched: webshells, scheduled tasks, registry modifications, new administrative accounts.
- Discovery and Reconnaissance — From their foothold, the attacker enumerates the environment. What systems exist? What accounts? Where is the high-value data? Sophisticated attackers spend weeks in reconnaissance before acting.
- Credential Harvesting — Dumping credentials from the compromised system — password hashes, browser storage, SSH keys, API tokens in configuration files.
- Lateral Movement — Using harvested credentials to move from the initial foothold to higher-value systems.
- Privilege Escalation — Gaining administrative or system-level access that exceeds the initial compromise level.
- Objective Achievement — Ransomware deployment, data exfiltration, financial fraud, or persistent intelligence collection.

What Defenders Look for That Attackers Try to Hide
Understanding attack paths from the offensive perspective directly informs what defenders monitor.
Reconnaissance leaves traces:
- Unusual volumes of failed authentication attempts
- External scanning of non-standard ports
- Anomalous outbound connections from systems that don't normally make external requests
Lateral movement has signatures:
- Authentication from unusual source systems (a workstation authenticating to 40 different servers in an hour)
- Use of administrative tools from non-administrative accounts
- RDP sessions at unusual hours or from unusual source IPs
Privilege escalation leaves evidence:
- LSASS process access (common in credential dumping)
- New privileged accounts created outside normal provisioning process
- Modifications to group policy or domain configurations
Data exfiltration has patterns:
- Large outbound transfers to unfamiliar external destinations
- Compression of large directory structures
- Cloud storage uploads from systems that don't normally perform them
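The lateral-movement and failed-authentication signatures listed above, turned into detection logic run over constructed authentication events. This is an added example, not code from the article; the log format, hostnames, address and thresholds are assumptions. It generalizes the two bullets into one sliding-window fan-out detector: a source reaching many distinct servers in an hour (lateral movement) and a source failing against many distinct usernames in ten minutes (spraying or stuffing) are the same shape with different selectors.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class AuthEvent(NamedTuple):
    when: datetime
    user: str
    src: str
    dst: str
    ok: bool

def parse(lines):
    out = []
    for line in lines:  # constructed format: timestamp,user,src,dst,result
        ts, user, src, dst, result = line.strip().split(",")
        out.append(AuthEvent(datetime.fromisoformat(ts), user, src, dst, result == "success"))
    return out

def windowed_fan_out(events, select, value, window, threshold):
    """Flag sources whose selected events touch >= threshold distinct value()s inside any
    sliding window. Returns {src: peak distinct count}."""
    by_src = defaultdict(list)
    for e in sorted(events):
        if select(e):
            by_src[e.src].append(e)
    flagged = {}
    for src, seq in by_src.items():
        for i, start in enumerate(seq):
            seen = {value(e) for e in seq[i:] if e.when - start.when < window}
            if len(seen) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged

def lateral_movement(events):
    """One workstation successfully authenticating to many distinct servers in an hour."""
    return windowed_fan_out(events, lambda e: e.ok, lambda e: e.dst, timedelta(hours=1), 10)

def credential_spray(events):
    """One source failing against many distinct usernames in ten minutes."""
    return windowed_fan_out(events, lambda e: not e.ok, lambda e: e.user, timedelta(minutes=10), 20)

BASE = datetime(2024, 5, 6, 2, 0)
SAMPLE = parse(
    # Benign: one workstation alternating between two file servers.
    [f"{(BASE + timedelta(minutes=m)).isoformat()},j.doe,WS-0102,FS-0{(m // 10) % 2 + 1},success" for m in range(0, 30, 10)]
    # Lateral movement: one workstation reaching 12 different servers in 12 minutes.
    + [f"{(BASE + timedelta(minutes=m)).isoformat()},svc-backup,WS-0417,SRV-{m:02d},success" for m in range(12)]
    # Spray: one external address failing against 25 different users in 5 minutes.
    + [f"{(BASE + timedelta(seconds=12 * i)).isoformat()},user{i:03d},203.0.113.7,VPN-GW,failure" for i in range(25)]
)
```

Calling `lateral_movement(SAMPLE)` flags only WS-0417 and `credential_spray(SAMPLE)` flags only 203.0.113.7; the benign workstation never crosses either threshold.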
The Compounding Factor: How Attackers Chain Multiple Paths
Real incidents rarely follow a single clean attack path. They chain multiple techniques together, using the output of one stage to enable the next.
A representative chained attack:
- Attacker runs credential stuffing against a company's VPN portal. One set of credentials works — but MFA is enforced on VPN. Access fails.
- Attacker pivots to the company's ticketing system, which uses the same credentials but has no MFA. Legitimate access to the helpdesk portal.
- From the helpdesk portal, the attacker submits a ticket requesting MFA removal "for travel purposes." A tier-1 helpdesk analyst processes the request.
- With MFA removed from the VPN account, the credentials obtained through credential stuffing now grant VPN access.
- Inside the VPN, the attacker finds an unpatched internal web application with a known vulnerability.
What this shows:
- MFA was present but was socially engineered away
- Multiple different systems were involved
- None of the individual steps required sophisticated technique
- The chain combined credential stuffing + social engineering + unpatched internal vulnerability
Closing: Attack Paths Are the Foundation of Everything Else in Security
Mapping how attackers get in is where security knowledge starts. After understanding attack paths, the questions that follow naturally are: How do you systematically find these vulnerabilities before an attacker does — the discipline of penetration testing and red teaming? How do you build the detection and response capability that catches attacks in progress — the discipline of security operations and threat hunting? How do you build the threat model that tells you which of these attack paths is most relevant to your specific organization's risk profile — the discipline of security architecture?
You can't build effective detection without knowing what attacker behavior looks like. You can't run a useful penetration test without understanding the kill chain you're trying to demonstrate. You can't build a meaningful threat model without knowing which attack paths your adversaries actually use.
The security professional who understands how attackers think is the one who builds defenses that actually work.