You are a Threat Hunter at a law firm that suffered a data breach where...

“Actions on objectives” is the Cyber Kill Chain phase where the attacker achieves their mission goals—such as data theft, disruption, or destruction. In the scenario, the attacker accessed sensitive client records and exfiltrated them over time, which directly represents the adversary achieving the objective of obtaining confidential data. Delivery and exploitation occur earlier (initial delivery of a payload or credential capture and then exploiting access). Command and control is the stage where compromised systems communicate with attacker infrastructure to receive instructions, which may occur during lateral movement and persistence but is not the final objective. The scenario emphasizes that the breach was discovered after the attacker had already accessed the sensitive repository and exfiltrated data, meaning detection happened at or after the mission impact stage. From a SOC improvement perspective, the lesson is that detections should shift “left” in the kill chain: detect credential abuse, anomalous authentication, lateral movement, and suspicious access to file shares before exfiltration. But given where the investigation found the attacker’s success, the correct phase is actions on objectives.