Episode 5 — Apply fundamental cyber defense theory to anticipate attacker moves early

In this episode, we’re going to take the core ideas of cyber defense theory and make them useful for one specific skill: anticipating what an attacker is likely to do before the damage is done. That skill is central to success on the Global Information Assurance Certification (GIAC) Security Operations Manager (GSOM) exam because it reflects how strong defenders think, not how they react after the fact. Beginners often picture attackers as unpredictable geniuses, which makes defense feel like guessing, but real attacker behavior follows patterns because attackers want efficiency. When you learn to recognize those patterns, you can shift from a reactive mindset to a proactive one, where you see early signals and understand why they matter. The goal is not to predict the future perfectly, but to reduce surprise by understanding common attacker goals, common paths, and common mistakes defenders make that attackers take advantage of.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A good starting point is to understand what cyber defense theory really gives you at a practical level, because theory is only useful if it changes your decisions. Defense theory teaches that attackers are constrained by time, effort, and opportunity, which means they tend to choose paths that are easier and more reliable. It also teaches that defense is not one action but a cycle of preparation, detection, response, and improvement, and anticipation sits right at the beginning of that cycle. If you can anticipate, you can place controls and monitoring where they matter most, rather than spreading effort evenly and hoping it works. This is why managers care about theory, because it helps prioritize resources and justify why certain decisions come first. Anticipation is a way to use limited time wisely by focusing on what attackers typically do to move from initial access to meaningful impact.

To anticipate attacker moves early, you need to think in terms of attacker objectives instead of attacker tools. Beginners sometimes fixate on a specific malware name or a specific exploit, but objectives are more stable than tools. An attacker usually wants one or more of these outcomes: access, persistence, privilege, movement, data, disruption, or leverage for future access. The specific method can change, but the objective stays the same, and that is what makes anticipation possible. When you look at your environment and ask how an attacker would reach those objectives, you start seeing common weak spots, like overly broad access, unmonitored systems, or poorly controlled data flows. This objective-first thinking helps you avoid being distracted by noise, because you are constantly asking whether an event supports an attacker goal or is just an error with limited consequences.

Another key theory idea is that attacks are rarely a single step, and early moves are often about setting up later moves. That means the first visible action might look small, like an unusual login attempt, a strange email, or a new process running on a device. The early move matters because it can enable a chain of actions that ends in a serious incident. Anticipation is recognizing what that chain could be, even when you do not yet have full proof. This is also where disciplined thinking matters, because you do not want to panic at every anomaly, but you also do not want to ignore patterns that consistently lead to compromise. A mature defender learns to treat early signals as hypotheses, meaning you form a reasonable explanation and then look for evidence that confirms or refutes it. That approach keeps you proactive without becoming reckless.

You can strengthen anticipation by learning to see your environment the way an attacker sees it, which often starts with basic discovery. Attackers typically begin by identifying what exists, what is reachable, and what is poorly defended, because they want to avoid wasting effort. They look for accounts with weak protections, services exposed to the internet, systems that are outdated, and paths that allow them to move without being noticed. Even without deep technical detail, you can understand the logic: attackers prefer the path of least resistance, and they prefer actions that blend in. This is why visibility is so important, because a hidden environment is easier to explore quietly. When you design monitoring and logging with this in mind, you are not just collecting data; you are shaping what you can notice early enough to matter.

A common early attacker move is attempting to gain initial access through human weakness, because humans are often the most flexible and the most error-prone part of any system. That does not mean people are bad; it means people are busy, trusting, and sometimes rushed, which creates opportunities for manipulation. Anticipation here means recognizing that unusual messages, unexpected requests, or changes in behavior can be part of an attacker plan to get credentials or convince someone to take an unsafe action. On the defense side, you anticipate by building habits and controls that make these attacks harder, such as strong identity checks and clear procedures for verifying unusual requests. It also means watching for signals like repeated login failures, logins from unusual locations, or sudden access requests that do not match a person’s normal role. These are not guaranteed signs of an attack, but they are often early indicators worth examining.

Once an attacker has a foothold, the next common move is to increase privilege, because higher privilege makes everything else easier. Privilege is the ability to do things, and attackers want the ability to disable defenses, access sensitive data, or create new access paths. Anticipating privilege escalation is not about memorizing every technique; it is about understanding incentives and pathways. If an attacker starts with a low-level account, they will likely look for misconfigurations, weak permissions, or exposed secrets that let them act as a more powerful account. This is why least privilege matters, because it reduces what a stolen account can do and reduces the number of paths to high impact. Anticipation also means monitoring changes to accounts, roles, and permissions, because attackers often leave traces when they try to turn limited access into broad control.

Another predictable attacker move is persistence, which is the effort to maintain access even if the initial door is closed. If an attacker expects defenders to respond, they will often try to create backup access methods, such as additional accounts, scheduled actions, or modified settings that re-enable entry later. Anticipation means you do not assume that removing the first obvious sign of compromise ends the threat, because attackers plan for setbacks. From a defensive theory perspective, this supports the idea of layered defense and verification, where you confirm the system is trustworthy rather than assuming it is. It also supports the idea of baselines, meaning you know what normal looks like so changes stand out. When you can detect unexpected changes to configurations or accounts, you can interrupt persistence early, which often prevents a small foothold from becoming a long-term problem.

Lateral movement is another stage that is predictable because attackers rarely start exactly where they want to end. If they land on a low-value system first, they will try to move toward systems that hold valuable data or provide greater control. Anticipation here involves understanding trust relationships, because attackers often move along paths that are already trusted inside an organization. If one system can access another without strong verification, that trust can become an attacker highway. This is why segmentation and access boundaries matter, because they force attackers to cross controlled checkpoints rather than moving freely. It is also why monitoring internal movement is important, not just monitoring the edge of the network, because many dangerous actions happen after the attacker is already inside. When you anticipate lateral movement, you design detection that looks for unusual connections, unusual authentication patterns, and unusual access attempts between systems that normally do not interact.
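The identity signals named earlier in the episode (repeated login failures, logins from a location outside a user's baseline) and the lateral-movement signal just described (connections between hosts that normally do not interact) can all be expressed as baseline checks. The Python below is an added example written for this page, not material from the episode or its companion books; the log format, field names, user and host names, the baseline sets and the five-failures-in-ten-minutes threshold are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs in a made-up "TIMESTAMP kind key=value ..." format.
AUTH_LOG = """
2024-03-01T08:00:05 auth user=alice result=success src_country=US
2024-03-01T08:01:10 auth user=bob result=fail src_country=CA
2024-03-01T08:01:12 auth user=bob result=fail src_country=CA
2024-03-01T08:01:15 auth user=bob result=fail src_country=CA
2024-03-01T08:01:19 auth user=bob result=fail src_country=CA
2024-03-01T08:01:24 auth user=bob result=fail src_country=CA
2024-03-01T08:01:31 auth user=bob result=success src_country=CA
2024-03-01T09:30:00 auth user=svc-backup result=success src_country=NL
2024-03-01T10:15:00 auth user=alice result=fail src_country=US
2024-03-01T14:15:00 auth user=alice result=fail src_country=US
"""
CONN_LOG = """
2024-03-01T09:31:00 conn src=web01 dst=db01 dport=5432
2024-03-01T09:32:10 conn src=web01 dst=app01 dport=8080
2024-03-01T09:33:40 conn src=web01 dst=fileshare01 dport=445
2024-03-01T09:40:00 conn src=admin01 dst=dc01 dport=389
"""

# Constructed baselines: a record of what "normal" looks like, so changes stand out.
HOME_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}, "svc-backup": {"US"}}
KNOWN_HOST_PAIRS = {("web01", "db01"), ("app01", "db01"), ("admin01", "dc01")}
HIGH_LEVERAGE_HOSTS = {"dc01", "fileshare01", "backup01"}  # identity, shared files, backups


def parse_line(line):
    """Parse one 'TIMESTAMP kind key=value ...' line into a dict."""
    ts, kind, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def repeated_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside a sliding time window.
    Two failures hours apart (alice) do not trip it; a burst (bob) does."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] != "auth" or ev["result"] != "fail":
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(q))
    return flagged


def unusual_locations(events, home_countries):
    """Successful logins from a country outside the user's baseline set."""
    hits = []
    for ev in events:
        if ev["kind"] != "auth" or ev["result"] != "success":
            continue
        if ev["src_country"] not in home_countries.get(ev["user"], set()):
            hits.append((ev["user"], ev["src_country"]))
    return hits


def new_host_pairs(events, baseline_pairs, high_leverage):
    """Host-to-host connections never seen in the baseline; a first-ever connection
    toward a high-leverage system is rated higher than one toward an ordinary host."""
    findings, seen = [], set()
    for ev in events:
        if ev["kind"] != "conn":
            continue
        pair = (ev["src"], ev["dst"])
        if pair in baseline_pairs or pair in seen:
            continue
        seen.add(pair)
        severity = "high" if ev["dst"] in high_leverage else "medium"
        findings.append((pair[0], pair[1], severity))
    return findings


def run_checks():
    auth, conns = parse_log(AUTH_LOG), parse_log(CONN_LOG)
    return {
        "repeated_failures": repeated_failures(auth),
        "unusual_locations": unusual_locations(auth, HOME_COUNTRIES),
        "new_host_pairs": new_host_pairs(conns, KNOWN_HOST_PAIRS, HIGH_LEVERAGE_HOSTS),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Each check depends on a baseline the defender maintains deliberately (home locations per account, the set of host pairs that normally talk, the list of high-leverage systems); without those baselines the same events are just noise, which is the episode's point about knowing what normal looks like.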

Attackers also tend to spend time on discovery and collection, because they need to locate the data or systems that support their goals. They might search for documents, databases, credentials, or administrative tools that help them understand the environment. Anticipation means recognizing that data is usually not stolen in one dramatic moment, but gathered through many small actions that can be hard to notice without the right visibility. The defensive response is to protect and monitor high-value data stores, control who can access them, and log meaningful activity. It also means thinking about where sensitive information tends to accumulate, such as shared drives, cloud storage, or backups, because attackers know those are efficient sources. When you build your defenses around the idea that attackers will search and collect, you are less surprised when you see patterns that indicate scouting rather than immediate damage.

A beginner-friendly way to connect these attacker moves is to think about early warning signals and how they relate to stages of behavior. An unusual login might be an early access attempt, but it might also be the beginning of privilege escalation if it targets administrative accounts. A new account creation could be normal administration, but it could also be persistence if it appears in a strange context. A new connection between systems might be expected business traffic, but it could also be lateral movement if it is rare and happens alongside other anomalies. Anticipation is not treating any single signal as proof, but treating signals as part of a story that you are trying to confirm. This is where good defenders slow down and ask what would have to be true for this to be an attack, and what evidence would we expect to see next. That question turns security from guessing into structured reasoning.
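The "signals as part of a story" idea can be turned into a small correlation step: group findings by the account or host they concern, cluster them in time, count how many distinct stages of attacker behavior they cover, and name the stage you would expect to see next. The Python below is an added example for this page, not code from the episode or its companion books; the stage taxonomy, the 24-hour window, the three-stage escalation rule and the sample findings are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stage taxonomy, in the order the episode describes attacker goals.
STAGE_ORDER = ["initial_access", "privilege", "persistence", "lateral_movement", "collection"]

# Constructed findings as an upstream detector might emit them:
# (timestamp, entity, stage, detail). These are not real alerts.
SIGNALS = [
    ("2024-03-01T08:01:24", "bob", "initial_access", "5 failed logins followed by a success"),
    ("2024-03-01T08:20:00", "bob", "privilege", "account added to an administrative group"),
    ("2024-03-01T08:35:00", "bob", "persistence", "new scheduled task on the user's workstation"),
    ("2024-03-01T08:50:00", "bob", "lateral_movement", "first-ever connection to fileshare01"),
    ("2024-03-01T11:00:00", "carol", "initial_access", "login from a country outside baseline"),
    ("2024-03-02T09:00:00", "dave", "persistence", "new local account created"),
    ("2024-03-03T16:00:00", "dave", "lateral_movement", "connection to a host never contacted before"),
]


def _summarize(entity, events, escalate_at=3):
    """Describe one time-clustered group of findings for one entity as a story."""
    stages = {stage for _, stage, _ in events}
    highest = max(STAGE_ORDER.index(s) for s in stages)
    next_expected = STAGE_ORDER[highest + 1] if highest + 1 < len(STAGE_ORDER) else None
    return {
        "entity": entity,
        "start": events[0][0],
        "end": events[-1][0],
        "stages": [s for s in STAGE_ORDER if s in stages],
        "score": len(stages),              # distinct stages, not raw alert count
        "next_expected": next_expected,    # the evidence you would look for next
        "escalate": len(stages) >= escalate_at,
    }


def build_stories(signals, window=timedelta(hours=24)):
    """Group findings per entity, split them where the gap exceeds `window`,
    and rank the resulting stories by how many distinct stages they cover."""
    by_entity = defaultdict(list)
    for ts, entity, stage, detail in signals:
        by_entity[entity].append((datetime.fromisoformat(ts), stage, detail))
    stories = []
    for entity, events in by_entity.items():
        events.sort()
        current = []
        for ev in events:
            if current and ev[0] - current[-1][0] > window:
                stories.append(_summarize(entity, current))
                current = []
            current.append(ev)
        if current:
            stories.append(_summarize(entity, current))
    stories.sort(key=lambda s: (-s["score"], s["entity"], s["start"]))
    return stories


def triage(signals):
    """Only the stories that have crossed the escalation threshold."""
    return [s for s in build_stories(signals) if s["escalate"]]


if __name__ == "__main__":
    for story in build_stories(SIGNALS):
        flag = "ESCALATE" if story["escalate"] else "watch"
        print(f"{flag:8} {story['entity']:6} stages={story['stages']} "
              f"next={story['next_expected']}")
```

Scoring by distinct stages rather than by alert volume is what keeps a single noisy signal from outranking a quiet chain, and the `next_expected` field is the concrete form of the question the episode recommends asking: what evidence would we expect to see next if this is an attack.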

Another core idea from defense theory is that attackers exploit gaps between people, process, and technology, because those gaps create confusion and slow response. For example, if access reviews are inconsistent, attackers can hide in old accounts that nobody checks. If logging exists but is not reviewed, attackers can act in ways that are technically recorded but practically invisible. If response procedures are unclear, attackers gain time because defenders debate what to do instead of acting. Anticipation includes identifying those gaps and closing them before an incident occurs, because closing gaps removes attacker advantages. This is why operational maturity matters, even for beginners, because the best technical control can fail if the process around it is weak. When you view defense as a whole system, you anticipate not only attacker moves but also defender failure points that attackers count on.

It is also important to anticipate how attackers choose targets inside an environment, because they do not treat all systems equally. Attackers often prioritize systems that offer high leverage, such as identity systems, administration tools, shared file repositories, and systems that control backups. The reason is simple: leverage systems can amplify the attacker’s power and speed. If you anticipate this, you can focus protective layers on those high-leverage areas, which produces more security value than spreading effort evenly across everything. This does not mean you ignore other systems; it means you recognize where a compromise would cause the most cascading harm. For exam thinking, this often shows up as choosing the answer that protects high-impact assets first or choosing the answer that increases visibility where it matters most. That kind of prioritization is a hallmark of good security operations management.

Now bring the anticipation skill back to what success looks like when answering questions under exam conditions. Many questions are essentially asking you to recognize the next likely attacker step or the best defensive action to interrupt that step early. The best answers typically combine two qualities: they reduce risk in a defensible way and they are realistic in an operational setting. An answer that says to rebuild everything instantly may sound strong but is often unrealistic and disruptive, and an answer that says to do nothing until you have perfect proof may be too slow. Anticipation supports the middle path, where you take actions that increase confidence and reduce exposure while you gather more evidence. That might include validating accounts, increasing monitoring, limiting access, or isolating a risky area, depending on what the scenario suggests. When you practice, train yourself to ask what early action gives you the most leverage without causing unnecessary harm.

Anticipating attacker moves early is ultimately about using patterns to reduce surprise, and that skill grows from repeated practice with clear mental models. You do not need to memorize every technique to be effective, but you do need to understand why attackers seek access, privilege, persistence, movement, and data, and how those goals shape what they do next. Defense theory gives you the structure for that thinking, and it turns isolated security facts into a coherent story of behavior and response. When you can explain that story, you can prioritize controls, design monitoring that matters, and make calmer decisions under pressure because you are not reacting blindly. Keep building the habit of asking what an attacker is likely to do next and what evidence would support that hypothesis, because that habit is one of the most valuable outcomes of studying for GSOM. The more consistently you apply it, the more you will feel that security operations is a manageable system of decisions rather than an endless series of surprises.
