5 Stealth Tactics Adversaries Use to Carry Out Their Attacks
February 26, 2026
Most attacks don’t unfold in plain sight — they thrive in the spaces that your security was never built to reach.
Attackers know exactly where to find these gaps. Because most defensive architectures prioritize blocking known threats, adversaries focus on places where visibility is weakest. They hide in encrypted traffic, exploit opaque protocols, traverse poorly captured networks, overwhelm tools that can’t scale, and leverage fragmented platforms.
Organizations that close these visibility gaps detect attacks faster and can respond before damage spreads.
The Five Critical Gaps
Hiding in Encrypted Traffic
Most enterprise traffic is encrypted, so inspection tools can’t see payload content even when they observe connections.
Attackers exploit this to operate undetected. They use encryption to conceal C2 communications, lateral movement, and data exfiltration, knowing the traffic will resemble legitimate sessions. Ransomware groups, for example, can stage payloads through encrypted channels without triggering alerts because the activity appears routine.
Many security tools rely on encrypted traffic analysis, metadata, or inference, which offer only a partial view of network activity. These approaches can flag anomalies, but because they cannot reveal the actual substance of a session, analysts still lack confirmation of what occurred — such as which sensitive data was transferred, what specific network actions took place, or which credentials were used. Investigations then stall as teams attempt to validate suspicions without direct evidence.
Decryption changes the game by revealing full session content, exposing the data exfiltration, hidden payloads, and credential theft that encryption otherwise conceals. With this level of granular detail, teams can trace attacker activity in real time, identify compromised systems, and respond before threats escalate.
Adversaries are now leveraging artificial intelligence (AI) to make their attack methods indistinguishable from normal user or network activity, which is undermining the efficacy of standard detection tools. Generative AI is being employed to rapidly accelerate exploitation cycles and generate highly believable deepfakes for social engineering campaigns.
Using Your Own Protocols Against You
Attackers often exploit core network protocols to hide malicious activity so attacks look like part of routine operations.
Most enterprises use tools like PowerShell and WMI and rely on protocols like SMB, Kerberos, LDAP, RPC, DNS, and HTTP for legitimate administration, so blocking them is rarely feasible. Adversaries leverage these same tools and protocols to blend in with normal operations.
Running commands, querying directories, or transferring files can appear routine, but attackers repurpose these actions for malicious objectives like lateral movement or data exfiltration. Because monitoring systems validate whether traffic is permitted rather than whether it is typical, suspicious use may not stand out. The most sophisticated threats go further, manipulating protocol behavior — for example, tunneling one protocol inside another — which makes attacker activity even more difficult for security teams to detect.
Organizations need to be able to decode all these protocols to identify threats and pinpoint attack techniques.
With proper decoding, teams can see when a specific user requests sensitive files via SMB that they have never previously accessed, or executes unusual commands via RPC. Such deviations matter because they can indicate lateral movement, privilege escalation, or preparation for data exfiltration.
Fully decoding protocol activity exposes attack paths and highlights malicious behavior early, giving security teams the context needed to act before the attack spreads.
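The kind of baseline deviation described above, as an added example that is not ExtraHop's code: a learning window of decoded SMB file accesses builds a per-user picture of which shares, paths and client hosts are normal, and a live window is scored against it. All records, share names and hosts are constructed.

```python
"""Baseline check over decoded SMB file-access records (added example, not
ExtraHop code). Records are constructed tuples: (user, client, share, path)."""
from collections import defaultdict

# Learning window: what each user normally touches, and from which host.
BASELINE_WINDOW = [
    ("alice", "10.0.1.5", r"\\fs01\finance", r"q4\forecast.xlsx"),
    ("alice", "10.0.1.5", r"\\fs01\finance", r"q4\budget.xlsx"),
    ("bob",   "10.0.2.7", r"\\fs01\eng",     r"build\notes.md"),
    ("bob",   "10.0.2.7", r"\\fs01\eng",     r"build\ci.yml"),
]
# Live window: bob reads HR and finance files from a host he has never used.
LIVE_WINDOW = [
    ("alice", "10.0.1.5",  r"\\fs01\finance", r"q4\forecast.xlsx"),
    ("bob",   "10.0.9.20", r"\\fs01\hr",      r"payroll.csv"),
    ("bob",   "10.0.9.20", r"\\fs01\finance", r"q4\budget.xlsx"),
    ("bob",   "10.0.2.7",  r"\\fs01\eng",     r"build\readme.md"),
]
SENSITIVE_SHARES = {r"\\fs01\hr", r"\\fs01\finance"}
SEVERITY = ("low", "medium", "high", "critical")


def build_baseline(records):
    """Per-user (share, path) pairs and client hosts seen in the learning window."""
    files, hosts = defaultdict(set), defaultdict(set)
    for user, client, share, path in records:
        files[user].add((share, path))
        hosts[user].add(client)
    return files, hosts


def flag_deviations(baseline, records):
    """Return (severity, user, client, share, path) for records that deviate.

    A never-before-seen share is the strongest signal (possible lateral movement
    or staging); a new path on a known share is weak on its own; a new client
    host and a sensitive share each raise the severity one step."""
    files, hosts = baseline
    alerts = []
    for user, client, share, path in records:
        known_files, known_hosts = files.get(user, set()), hosts.get(user, set())
        new_host = client not in known_hosts
        if (share, path) in known_files and not new_host:
            continue  # matches baseline, nothing to report
        known_shares = {s for s, _ in known_files}
        score = 2 if share not in known_shares else 1 if (share, path) not in known_files else 0
        score += new_host + (share in SENSITIVE_SHARES)
        alerts.append((SEVERITY[min(score, 3)], user, client, share, path))
    return alerts
```

In practice the baseline would be rebuilt on a rolling window from the decoder's output, and the severity ladder tuned to the environment; the structure of the check stays the same.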
The “Trusted” Credential
Unlike traditional credential attacks, token theft exploits the fundamental design of modern authentication: once a user successfully authenticates and receives a token, that token grants access until expiration or revocation. Token theft involves stealing active session tokens (like OAuth, SAML, or JWT) to impersonate users. Attackers steal these tokens through phishing kits, browser compromise, malware, or supply chain breaches, then replay them to access SaaS applications, APIs, and cloud resources without triggering authentication controls.
Once attackers have stolen a token, their activity often blends seamlessly with normal operations, making detection difficult. Standard logs and alerts may show nothing unusual, leaving teams with limited insight into how far an attacker has moved or which resources they’ve accessed.
This attack tactic circumvents Multi-Factor Authentication (MFA) because the stolen token acts as proof that authentication has already been successfully completed. Specifically in Single Sign-On (SSO) environments, this allows adversaries to instantly and persistently access various linked SaaS applications and cloud resources.
Obscuring the Full Picture
Stopping an active breach requires a clear understanding of its scope or “blast radius”, including which systems were affected, which users were involved, and how far it advanced. The more information security teams have, the more easily they can mitigate damage and stop an attack from progressing.
Sophisticated actors have long understood that endpoint telemetry and logs are where most investigations start — so that’s where they often intervene first. Disabling agents, clearing event logs, and tampering with audit trails are now standard practice, precisely because eliminating the record is as effective as avoiding detection.
Network-based visibility is harder to tamper with, making it a more reliable foundation for forensic investigation. But the network only tells the full story if the data is complete.
Many network security solutions rely on sampled packets, meaning the tool is, by design, not recording everything. This can lead to missed critical activity, such as the moment an attacker stole a credential or the exact point at which an exfiltration completed. Sampling creates gaps; absence of evidence isn’t evidence of absence.
As a result, teams struggle to answer essential questions: which systems were affected, what data was stolen, how long attackers were present, and the extent of the compromise.
Without those answers, response actions risk being insufficient or unnecessarily disruptive.
Continuous packet capture provides immutable records showing attack paths, compromised systems, and exfiltrated data. Deep Packet Inspection (DPI) and protocol decoding are essential for looking inside the payload to identify malicious activity, rather than just relying on the headers. With full packet capture, organizations can start to assess a breach’s business and regulatory consequences — conclusions are based on complete evidence, not fragmented information.
Exploiting Scale You Can’t Keep Up With
As networks expand across on-premises, cloud, containers, and IoT environments, traffic volumes can easily overwhelm tools not built for scale. When monitoring systems cannot process traffic at line rate, they either drop data or analyze only samples, which leads to missed threats and coverage gaps during periods of increased activity.
Most legacy tools sample traffic or slow down under heavy load, delaying detection. Attackers can take advantage of this by timing operations to coincide with high-traffic periods, knowing monitoring performance is most strained at those moments. For example, an attacker might initiate a large-scale data transfer during end-of-quarter reporting, when internal traffic peaks. Tools that sample packets or degrade under load may fail to flag this activity, allowing the attack to proceed uninterrupted.
To break this pattern, organizations need tools that scale with network volume and maintain full visibility even during traffic spikes, since consistent inspection removes the timing advantage that attackers rely on.
Capitalizing on the Time You Lose Switching Tools
Security teams often rely on separate tools for network detection, monitoring, IDS, and forensics. Each evolved to solve a distinct challenge, and most enterprises built their stacks by adding tools as the threat landscape shifted. The problem is that every tool speaks a different language, and translating between them takes time that attackers are more than willing to use.
The delay extends dwell time, providing attackers with the opportunity and time to execute every step of their attack — from initial access and privilege escalation to reconnaissance, lateral movement, data exfiltration, and persistence — before defenders can act.
A unified platform lets teams detect, investigate, review, respond, and collaborate seamlessly in one place, shortening analyst cycles and accelerating containment.
Closing the Gaps
Organizations that close these gaps achieve faster, more confident detection, deeper insight into attacks, and the ability to respond and stop threats before they escalate.
See how enterprises close gaps and accelerate threat detection with ExtraHop.

Senior Product Marketing Manager
Alexis is a Senior Product Marketing Manager at ExtraHop. She has been marketing cybersecurity and digital investigation products for the past 20 years focused on go-to-market strategy, new product launches, and content development.
Outside of work, Alexis enjoys volunteering for a teen mental health non-profit, traveling, and reading science fiction.
Follow Alexis on LinkedIn: https://www.linkedin.com/in/arobbins/