Step Action
In the field of cybersecurity and attack path intelligence, a Step Action is a single, discrete operation or technical maneuver performed by a threat actor during a single phase of a larger attack sequence. While an "attack path" represents the entire journey from entry to impact, step actions are the individual "moves" that comprise that journey.
In professional analysis, step actions are used to break down complex exploit chains into manageable parts, allowing defenders to identify precisely how an adversary is attempting to fulfill a specific tactical objective.
What is a Step Action?
A step action is the functional unit of an attack narrative. It defines the specific activity an attacker is carrying out—such as scanning for open ports, harvesting credentials, or escalating privileges—at a given point in the attack lifecycle.
In standardized security frameworks, step actions are often mapped directly to the Cyber Kill Chain or MITRE ATT&CK techniques. This mapping provides a common language for security teams to describe adversarial behavior and anticipate the tools an attacker might use to carry it out.
The Role of Step Actions in Attack Path Analysis
Security analysts use step actions to move from a high-level threat model to a granular technical roadmap:
1. Identifying the "Tech Stack"
For every step action, there is a corresponding set of tools—often called the Adversary Arsenal. For example, if the step action is "Subdomain Enumeration," the corresponding tools might include subfinder or crt.sh. Knowing the action allows defenders to monitor their logs for the specific footprints of these tools.
2. Mapping Chained Relationships
Step actions are rarely isolated; they are "chained" together. Attack path intelligence identifies how one action creates the conditions for the next. For instance:
Action A: Identifying a page whose responses lack a Content-Security-Policy header.
Action B: Exploiting an injection flaw on that page with a Cross-Site Scripting (XSS) payload that the absent policy would otherwise have constrained. Note that the missing header does not create the XSS; it removes the mitigation that would have limited it.
Result: With the session cookie readable from script (no HttpOnly flag), the two actions combined lead to the next stage of the path, such as session hijacking.
3. Calculating the "Mean Path to Impact"
By counting the step actions an attacker must complete to reach a "crown jewel" asset, organizations can calculate the Mean Path to Impact (MPI): the average length, in step actions, of the paths from an entry point to that asset. A lower value means a shorter, faster route to impact and a path that requires immediate prioritization.
4. Detecting "Choke Points"
A Choke Point is a specific asset or vulnerability where step actions from multiple, otherwise separate attack paths converge. By blocking the single action at a choke point, a security team can collapse dozens of potential attack paths at once.
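The MPI and choke point calculations above can be made concrete on a small attack graph. The following is an added example, not ThreatNG's own code or data: it builds a constructed graph in which every edge is one step action, computes the Mean Path to Impact as the mean shortest step count from each entry point to each crown jewel (an assumed definition, since the page does not fix the formula), ranks intermediate nodes by how many distinct attack paths traverse them, and shows how many paths survive once a given choke point is fixed.

```python
from collections import defaultdict, deque
from statistics import mean

# Constructed attack graph for illustration only (not ThreatNG data).
# Nodes are attacker positions; each edge is one step action between them.
STEP_ACTIONS = [
    ("internet", "hijacked_subdomain", "claim deprovisioned S3 bucket behind dangling CNAME"),
    ("hijacked_subdomain", "user_session", "inject JavaScript and steal session cookies"),
    ("user_session", "customer_portal", "replay hijacked session"),
    ("internet", "lookalike_domain", "register permutation domain with MX record"),
    ("lookalike_domain", "employee_workstation", "phish employee found via LinkedIn"),
    ("employee_workstation", "aws_account", "harvest cached AWS credentials"),
    ("internet", "public_repo", "find hardcoded AWS access key on GitHub"),
    ("public_repo", "aws_account", "authenticate with leaked key"),
    ("aws_account", "crown_jewel_db", "read production database snapshot"),
    ("customer_portal", "crown_jewel_db", "bulk-export customer records via portal API"),
]


def build_graph(step_actions):
    """Adjacency list: node -> list of nodes reachable by one step action."""
    graph = defaultdict(list)
    for src, dst, _label in step_actions:
        graph[src].append(dst)
    return graph


def shortest_steps(graph, start, target):
    """BFS: minimum number of step actions from start to target, or None."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return dist[node]
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None


def mean_path_to_impact(graph, entries, crown_jewels):
    """Assumed MPI definition: mean, over reachable (entry, crown jewel) pairs,
    of the shortest step count. Fewer steps means a faster route to impact."""
    lengths = [shortest_steps(graph, e, c) for e in entries for c in crown_jewels]
    lengths = [length for length in lengths if length is not None]
    return mean(lengths) if lengths else None


def all_paths(graph, start, target, blocked=frozenset()):
    """Enumerate simple paths from start to target, skipping blocked nodes."""
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path and nxt not in blocked:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def choke_points(graph, entries, crown_jewels):
    """Count how many distinct attack paths traverse each intermediate node.
    Nodes shared by several paths are choke points: fixing one collapses them all."""
    counts = defaultdict(int)
    for e in entries:
        for c in crown_jewels:
            for path in all_paths(graph, e, c):
                for node in path[1:-1]:
                    counts[node] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def paths_remaining_after_fix(graph, entries, crown_jewels, fixed_node):
    """How many entry-to-crown-jewel paths still exist once fixed_node is removed."""
    return sum(len(all_paths(graph, e, c, blocked={fixed_node}))
               for e in entries for c in crown_jewels)


if __name__ == "__main__":
    g = build_graph(STEP_ACTIONS)
    entries, jewels = ["internet"], ["crown_jewel_db"]
    print("MPI:", mean_path_to_impact(g, entries, jewels))
    print("choke points:", choke_points(g, entries, jewels))
    print("paths left after fixing aws_account:",
          paths_remaining_after_fix(g, entries, jewels, "aws_account"))
```

On this graph three paths reach the crown jewel, the shortest in three step actions, and two of the three pass through the compromised AWS account: fixing that single node (rotating the leaked key and cleaning cached credentials) leaves only the subdomain takeover path standing, which is the choke point effect the text describes.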
Categories of Step Actions Across the Kill Chain
Step actions are typically organized by their functional domain in a cyberattack:
Reconnaissance Actions: These involve data gathering, such as "Identify Metadata Endpoints," "Social Research," or "Archive Scraping."
Exploitation Actions: These are the technical breaches, such as "Parameter Tampering," "API Fuzzing," or "Subdomain Takeover."
Post-Exploitation Actions: These involve maintaining access and moving deeper, such as "Credential Dumping," "Establishing C2 Persistence," or "Data Exfiltration."
Common Questions About Step Actions
How does a step action differ from a technique?
In many contexts they are interchangeable. However, a "Step Action" usually refers to the specific action taken within a unique, localized attack path (e.g., "Reset MFA on help desk call"), whereas a "Technique" is the broader category from a framework like MITRE ATT&CK (e.g., "T1566: Phishing").
Can a step action be non-technical?
Yes. In advanced path intelligence, non-technical events like "LinkedIn Research" or "Mining SEC Filings" are considered step actions because they provide the critical reconnaissance data needed to launch a successful technical exploit.
Why should I focus on individual steps instead of the whole path?
Focusing on individual steps allows you to identify the "weakest link" in an attacker's chain. Often, it is easier to disrupt one specific step action—such as rotating a leaked API key—than it is to try and secure an entire network perimeter.
Applied to a real attack surface, ThreatNG identifies and disrupts these step actions through its DarChain (Digital Attack Risk Contextual Hyper-Analysis Insights Narrative) capability, which chains disparate findings into a predictive adversarial narrative.
External Discovery of Step Action Nodes
The first step in neutralizing an attack is identifying its source. ThreatNG uses purely external, unauthenticated discovery to map every internet-facing asset that could serve as a node for an initial step action.
Shadow IT and Unmanaged Assets: ThreatNG uncovers forgotten subdomains or temporary development environments. These often lack monitoring, making them ideal for the first step action: Reconnaissance.
Asset Correlation: It identifies domains, IPs, and cloud buckets associated with an organization. This establishes the technical foundation for mapping potential Initial Access step actions.
Third-Party Connections: ThreatNG identifies dependencies on external vendors. This uncovers step actions that might originate from a compromised partner and move toward your primary environment.
External Assessment and DarChain Narrative Mapping
ThreatNG’s DarChain capability is the primary engine for analyzing step actions. It performs "Digital Risk Hyper-Analysis" to connect findings, revealing how a single minor step can lead to a high-impact breach.
Detailed Examples of Assessment via DarChain
Subdomain Takeover: ThreatNG identifies a "dangling DNS" record pointing to an inactive service. DarChain identifies this as the "Script Injection from Hijacked Subdomain" path.
Step 1 (Entry): An attacker registers the resource the dangling record still points at (e.g., recreates a deleted AWS S3 bucket under the name the CNAME references).
Step 2 (Injection): The attacker serves malicious JavaScript from the hijacked subdomain.
Step 3 (Execution): Because the hijacked subdomain still belongs to the brand's domain, it inherits that domain's trust (parent-domain cookies, CSP or CORS allow-lists that include the subdomain), letting the attacker steal user session cookies or phish users convincingly.
Phishing via Permutation: ThreatNG identifies a registered lookalike domain with an active mail record. DarChain chains this with leaked employee profiles found on LinkedIn to illustrate a "Malware Delivery via Permutation Domains" narrative.
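The entry step of the subdomain takeover narrative above can be checked from the outside with nothing but DNS and an HTTP request, which is also the check a SOAR playbook would run before deleting a record. The following is an added example, not ThreatNG's code: it walks a constructed zone's CNAME records, matches each target against a small table of takeover-prone services, and flags a record as a takeover candidate either because the target no longer resolves (assumed here for Azure App Service, whose deleted apps return NXDOMAIN) or because the target resolves but serves the provider's "unclaimed" page (S3's NoSuchBucket error, GitHub Pages' "There isn't a GitHub Pages site here" message). The fingerprint table reflects widely documented provider behaviour but is an assumption to verify against current responses; the resolver and HTTP fetcher are offline stubs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServiceSig:
    name: str
    suffix: str                     # CNAME target suffix identifying the service
    nxdomain_means_unclaimed: bool  # does a deleted resource stop resolving?
    body_fingerprint: Optional[str] # text the provider serves for an unclaimed name


# Assumed fingerprint table; verify against the provider before relying on it.
SERVICES = [
    ServiceSig("AWS S3", ".s3.amazonaws.com", False, "NoSuchBucket"),
    ServiceSig("GitHub Pages", ".github.io", False, "There isn't a GitHub Pages site here"),
    ServiceSig("Azure App Service", ".azurewebsites.net", True, None),
]

# Constructed zone plus stub resolver/fetcher results so the example runs offline.
ZONE_CNAMES = {
    "legacy.example.com": "old-assets.s3.amazonaws.com",
    "docs.example.com": "acme-docs.github.io",
    "beta.example.com": "acme-beta.azurewebsites.net",
    "www.example.com": "acme-live.azurewebsites.net",
}
STUB_DNS = {  # does the CNAME target still resolve?
    "old-assets.s3.amazonaws.com": True,   # S3 wildcard DNS resolves even for deleted buckets
    "acme-docs.github.io": True,
    "acme-beta.azurewebsites.net": False,  # app deleted: NXDOMAIN
    "acme-live.azurewebsites.net": True,
}
STUB_HTTP = {  # body returned when fetching the hostname over HTTP
    "legacy.example.com": "<Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>",
    "docs.example.com": "<h1>Acme docs</h1>",
    "www.example.com": "<html>Acme live site</html>",
}


def classify_cname(target, resolves, body):
    """Return (service name, verdict) for one CNAME target."""
    for sig in SERVICES:
        if target.endswith(sig.suffix):
            if not resolves:
                if sig.nxdomain_means_unclaimed:
                    return sig.name, "takeover candidate: NXDOMAIN"
                return sig.name, "unresolvable: investigate"
            if sig.body_fingerprint and body and sig.body_fingerprint in body:
                return sig.name, "takeover candidate: unclaimed fingerprint"
            return sig.name, "in use"
    return None, "unknown service"


def find_dangling(zone, dns_resolves, http_bodies):
    """Scan a zone's CNAMEs; return (host, target, service, verdict) for candidates."""
    findings = []
    for host, target in sorted(zone.items()):
        service, verdict = classify_cname(target, dns_resolves.get(target, False),
                                          http_bodies.get(host))
        if verdict.startswith("takeover candidate"):
            findings.append((host, target, service, verdict))
    return findings


if __name__ == "__main__":
    for finding in find_dangling(ZONE_CNAMES, STUB_DNS, STUB_HTTP):
        print(*finding, sep=" | ")
```

Two records come back as candidates: beta.example.com, whose Azure target no longer exists, and legacy.example.com, whose S3 target resolves (the S3 wildcard always does) but answers NoSuchBucket. The second case is why a pure "does it resolve" check misses many takeovers; the verdict string is what a playbook would key on before removing the record.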
Investigation Modules for Deep-Dive Analysis
ThreatNG includes specialized investigation modules that allow analysts to pivot from a high-level alert to a granular investigation of specific step actions.
Detailed Examples of Investigation Modules
Sensitive Code Exposure: This module scans public repositories, such as GitHub, for leaked "Non-Human Identities" (NHIs), including AWS Secret Access Keys and Jenkins passwords. Finding a hardcoded secret provides a validated step for an "Unauthorized Access" path.
Dark Web Presence (DarCache Rupture): This module monitors hacker forums for mentions of the brand and compromised credentials. An investigation might reveal attackers discussing an unpatched vulnerability, which would mark the "Post-Exploitation and Impact" path as a high priority.
Social Media Discovery: This module turns "conversational risk" from Reddit or LinkedIn into intelligence. If an employee asks for technical help online, an attacker can use that information to build a technical blueprint for a targeted Social Engineering step action.
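The Sensitive Code Exposure module above looks for leaked non-human identities such as AWS keys in public repositories. The following is an added example, not ThreatNG's code, of the core of such a scan: it runs over a constructed set of repository files, matches the documented AWS access key ID format (AKIA or ASIA followed by 16 uppercase alphanumerics), matches a 40-character secret only when it sits next to an aws_secret_access_key keyword, and drops low-entropy placeholders so that a dummy value does not produce a finding. The sample key pair is AWS's published example credential, not a live key; the entropy threshold is an assumption.

```python
import math
import re
from collections import Counter

# AWS access key IDs have a documented fixed shape. The secret rule needs a
# keyword nearby because a bare 40-char base64-like string matches far too much.
AWS_KEY_ID = re.compile(r"(?<![A-Za-z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Za-z0-9])")
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
MIN_SECRET_ENTROPY = 3.5  # bits per character; assumed cut-off for placeholders

# Constructed repository contents (illustration only).
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID from your vault; never commit it.\n",
    "Jenkinsfile": "withCredentials([string(credentialsId: 'deploy-token', variable: 'TOKEN')]) {\n",
    "scripts/deploy.sh": "export AWS_SECRET_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  # placeholder\n",
}


def shannon_entropy(s):
    """Bits of entropy per character; a repeated placeholder scores near zero."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep only enough of the value to correlate it with the real key on rotation."""
    return value[:4] + "..." + value[-4:]


def scan_text(path, text):
    """Return findings for one file; never store the full secret in the finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": line_no,
                             "kind": "aws_access_key_id", "value": redact(m.group(1))})
        for m in AWS_SECRET.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) < MIN_SECRET_ENTROPY:
                continue  # 'AAAA...' style placeholder, not a real key
            findings.append({"path": path, "line": line_no,
                             "kind": "aws_secret_access_key", "value": redact(secret)})
    return findings


def scan_repo(files):
    """Scan a mapping of path -> file contents in deterministic path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

The scan yields exactly two findings, both in config/settings.py; the README mention of the variable name and the all-A placeholder in deploy.sh are ignored. A finding like this is the validated "Unauthorized Access" step the text refers to, and the redacted prefix and suffix are enough to match it against the IAM console when the key is rotated.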
Intelligence Repositories (DarCache)
The DarCache suite of intelligence repositories provides the real-world context needed to prioritize step actions. It integrates data from the CISA KEV (Known Exploited Vulnerabilities) catalog to confirm active exploitation and EPSS scores to estimate the probability that a vulnerability will be exploited in the next 30 days. By tracking over 70 ransomware gangs, ThreatNG enables organizations to prioritize the specific steps active threat actors are currently taking.
Reporting and Continuous Monitoring
To maintain a proactive defense, ThreatNG provides:
Continuous Monitoring: The platform continuously rescans for new assets and vulnerabilities, ensuring the map of potential steps is always up to date.
Actionable Reporting: ThreatNG delivers technical workbooks that identify "Attack Path Choke Points": critical vulnerabilities where step actions from different paths intersect. Fixing a choke point breaks the chain for dozens of potential attacks at once.
Cooperation with Complementary Solutions
ThreatNG provides the external "outside-in" intelligence that fuels and optimizes internal security solutions. By sharing data with complementary solutions, organizations can leverage ThreatNG's insights to automate remediation of individual step actions.
Identity and Access Management (IAM): When ThreatNG uncovers leaked API keys or credentials in public code, it feeds this data to IAM platforms to trigger immediate key rotation or password resets.
Security Orchestration, Automation, and Response (SOAR): High-priority alerts from a "Subdomain Takeover" path can trigger SOAR playbooks to automatically delete a dangling DNS record or block malicious IP addresses at the perimeter firewall.
Vulnerability Management and EDR: ThreatNG identifies the specific "Tech Stack" and external assets an attacker is targeting. This allows internal scanners to prioritize those assets and enables Endpoint Detection and Response (EDR) tools to increase monitoring sensitivity on the servers identified in a potential attack path.
Common Questions About Step Actions
How does a step action differ from a technique?
A step action is the specific maneuver taken within a unique, localized attack path (e.g., "Identify subdomains without CSP"). A technique is a broader category from a framework like MITRE ATT&CK; subdomain hijacking, for example, falls under "T1584.001: Compromise Infrastructure: Domains".
What are "Step Tools" in ThreatNG?
Step Tools are the specific software or utilities an adversary would use to execute a stage of an attack. For a subdomain takeover, this might include tools like Subjack or Nuclei.
Can a step action be non-technical?
Yes. In advanced path intelligence, "Conversational Risk," such as public chatter on Reddit or organizational news (like layoffs), is treated as a reconnaissance step action because it provides the data an attacker needs to plan a successful technical exploit.