You should start by reading the paper about the Diamond Model: https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
The Diamond Model
This model discusses the relationships between four basic components: Adversary, Capability, Infrastructure and Victim. The model is split into 7 Axioms, with the first one stating:
Axiom 1 – For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.
(Axiom 1 – The Diamond Model of Intrusion Analysis)
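As an added example (not code from the paper or this page), Axiom 1 can be turned into an event record in which all four vertices always exist and an unknown one is a gap to fill. The linking of events by shared vertex values and the candidate fills go slightly beyond the text above; the names `DiamondEvent`, `shared_vertices`, `candidate_fills` and all sample values are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

VERTICES = ("adversary", "capability", "infrastructure", "victim")

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event. None marks a vertex that exists but is not yet known."""
    event_id: str
    adversary: Optional[str] = None
    capability: Optional[str] = None
    infrastructure: Optional[str] = None
    victim: Optional[str] = None
    result: Optional[str] = None

    def unknown_vertices(self):
        # Axiom 1: all four exist for every event, so None is a knowledge gap.
        return [v for v in VERTICES if getattr(self, v) is None]

def shared_vertices(events):
    """Map (vertex, value) -> event ids, for values seen in two or more events."""
    index = defaultdict(list)
    for ev in events:
        for v in VERTICES:
            if getattr(ev, v) is not None:
                index[(v, getattr(ev, v))].append(ev.event_id)
    return {k: ids for k, ids in index.items() if len(ids) > 1}

def candidate_fills(events):
    """Hypotheses (to be tested, not facts) for unknown vertices, from linked events."""
    by_id = {ev.event_id: ev for ev in events}
    out = defaultdict(set)
    for ids in shared_vertices(events).values():
        for eid in ids:
            for other in (i for i in ids if i != eid):
                for v in by_id[eid].unknown_vertices():
                    if getattr(by_id[other], v) is not None:
                        out[(eid, v)].add(getattr(by_id[other], v))
    return dict(out)

# Constructed sample events (documentation IP ranges, made-up names).
EVENTS = [
    DiamondEvent("E1", None, "phishing-doc-macro", "192.0.2.10", "hr-workstation-01", "code execution"),
    DiamondEvent("E2", "actor-A", "credential-dumper", "192.0.2.10", "file-server-02", "credentials stolen"),
    DiamondEvent("E3", None, "phishing-doc-macro", "198.51.100.7", "finance-laptop-03"),
]

if __name__ == "__main__":
    print(shared_vertices(EVENTS), candidate_fills(EVENTS))
```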