The cyber kill chain, also known as the cyber-attack chain, is a seven-stage process used by attackers to launch sophisticated malware attacks like ransomware. It is called a chain because each stage, or step, depends on the one before it and lays the foundation for the one after. While this structure makes an attack a step-by-step process for the attacker, knowing the cyber kill chain also benefits defenders, because each stage reveals what the next step in an ongoing cyberattack is likely to be.

The seven stages of the cyber kill chain are:

1. Reconnaissance – The attacker hunts for information about the target

2. Weaponization – The attacker creates the payload (malware, virus, ransomware, worm, etc.)

3. Delivery – The attacker launches the attack

4. Exploitation – The attacker executes the payload

5. Installation – The attacker installs the payload on the victim’s services

6. Command & Control – The attacker remotely takes control of the victim’s services or device via C2 commands

7. Actions on Objectives – The attacker accomplishes their ultimate aim: exfiltrating, encrypting, or deleting data, or any other compromising measures

In this blog, we’ll be reviewing the first and most foundational stage: reconnaissance.

The First Stage: Reconnaissance

Reconnaissance is the preliminary step, central to launching a successful attack against a target. At this phase, attackers gather all the information they can, so they know where to infiltrate, how to attack, and what opportunities are available. The information attackers typically look for at the reconnaissance stage includes:

Exploitable vulnerabilities

Attackers snoop around looking for any low-hanging fruit. Leverage a vulnerability management program and offensive security to find those stale CVEs before attackers do!

Key personnel

Executives are a favorite target for their elevated privileges. Attackers will snoop on websites, social media, professional platforms, and more. Watch out for spear phishing campaigns!

Network configurations

If this were a physical break-in, this would be considered “casing the joint.” Attackers need to get the lay of the land and see how the network is configured so they can work out just how to infiltrate, and where to go once inside.

Third-party entry points

We all know about the risk of third-party threats. Supply chain attacks are responsible for nearly one-third of all breaches, and attackers look for these types of entry points because they’re typically less guarded. Small supply chain partners often make the mistake of thinking they’re not a big enough target, while forgetting the fact that they may be a tantalizing opening into one. It’s never too late to level-up your third-party risk management.

It’s also important to note that the information gathered at this stage falls into either the “passive” or “active” reconnaissance categories:

  • Passive reconnaissance includes gathering publicly available information, or open-source intelligence (OSINT). OSINT is used by white hats and black hats alike, though for very different purposes.
  • Active reconnaissance is when threat actors “jump fences” to get the information they want, engaging in probes, checking for open ports, and scanning the target’s systems.

Aside from passive and active forms, which both happen online, the reconnaissance phase can also happen offline. Anything from physical observation (picking up a business card) to making an investigative phone call to compromising an employee’s personal email account is “fair game” for attackers.
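The defender’s side of the active reconnaissance described above, as an added example that is not part of the original post: a small Python script that reads firewall-style connection log lines (constructed here) and flags a source address that, within a short window, reaches many ports on one host or one port across many hosts. The window length and the threshold of five are assumptions, not values from the post.

```python
# Added example: flag sources whose connection pattern looks like active
# reconnaissance (port scanning) in firewall or connection logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# <timestamp> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 192.0.2.10 22 DENY
2024-05-01T10:00:01 203.0.113.7 192.0.2.10 23 DENY
2024-05-01T10:00:02 203.0.113.7 192.0.2.10 80 ALLOW
2024-05-01T10:00:02 203.0.113.7 192.0.2.10 443 ALLOW
2024-05-01T10:00:03 203.0.113.7 192.0.2.10 3389 DENY
2024-05-01T10:00:05 203.0.113.7 192.0.2.11 22 DENY
2024-05-01T10:00:05 203.0.113.7 192.0.2.12 22 DENY
2024-05-01T10:00:06 203.0.113.7 192.0.2.13 22 DENY
2024-05-01T10:00:06 203.0.113.7 192.0.2.14 22 DENY
2024-05-01T10:00:09 198.51.100.5 192.0.2.10 443 ALLOW
"""

def parse(text):
    """Yield (timestamp, src, dst, port, action) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, action = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port), action

def find_scanners(text, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: reason} for sources that, inside any `window`, reach
    >= threshold ports on one host (vertical scan) or one port on
    >= threshold hosts (horizontal scan). Thresholds are assumed; tune them."""
    by_src = defaultdict(list)
    for ev in sorted(parse(text)):
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        for i, (t0, *_) in enumerate(evs):  # slide the window over this source
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for t, _, dst, port, _ in evs[i:]:
                if t - t0 > window:
                    break
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            if any(len(p) >= threshold for p in ports_per_host.values()):
                flagged[src] = "vertical scan: many ports on one host"
                break
            if any(len(h) >= threshold for h in hosts_per_port.values()):
                flagged[src] = "horizontal scan: one port across many hosts"
                break
    return flagged
```

On the sample data the first source is flagged for touching five ports on one host, while the second source, which only revisits one web port, is not; denied connections to closed ports are the usual early signal, so this kind of rule belongs on perimeter and internal segmentation logs alike.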

Cybersecurity Solutions for Reconnaissance

We’ve established that the reconnaissance phase gives attackers “all the cards.” So, how do defenders stop what goes on at this phase, or prevent it from being successful even if attempted? The security solutions that revolve around anti-reconnaissance are the ones that can find and plug holes in security, giving organizations the advantages they need: time and fair warning.

To that end, here are some cybersecurity solutions that do the most to thwart reconnaissance:

  • Vulnerability Management | Find vulnerabilities before attackers do and have them automatically prioritized by severity.
  • Application Security Testing | Test code before it rolls off the line (SAST) and even after it goes live (DAST) to check for errors in scripting and even at runtime.
  • Pen Testing | Act like an attacker and probe your network to discover which vulnerabilities are the most exploitable — and therefore the best option — for an imminent attack.
  • Cobalt Strike & Outflank Red Team Tools | With a high-powered duo of automated red team software and a highly sophisticated red team toolkit, you can act like a “low and slow” attacker embedded long-term in the network.
  • Security Configuration Management | Make sure the security measures you put in place today are still in place tomorrow, despite updates, changes, additional devices, and more. Thinking your security configuration is secure when it really isn’t is as good as flying blind.

These tools are all about providing defenders with the notice they need to bridge security gaps before attackers can get through them. The main goal of the reconnaissance phase is to identify vulnerabilities within an organization; if little useful information is available, attackers are more likely to move on in search of an easier target.

About the Author

Fortra's Alert Logic Staff
