Breaking down the cyberattack lifecycle: Reconnaissance

When one thinks of a cyberattack, it’s easy to jump straight to the conclusion: headlines as another organization gets popped out of nowhere and faces millions in ransom payments. In reality, today’s sophisticated attackers are hardly impulsive. Months of work go into a successful cyberattack, even in those against small-to-medium businesses.

In this blog series, we’re tackling each aspect of the cyberattack lifecycle to give you insights into how to best defend your organization. Let’s start with the primary, and arguably most important stage of any cyberattack: reconnaissance.

Reconnaissance: the basics

Picture your typical heist movie, as the team of burglars stands around blueprints and a montage rolls, showing the multiple steps they need to sneak in, get to the vault, and score. It all begins with “casing the joint,” learning guard patterns, obtaining floorplans, finding weaknesses, etc.

It’s no different in the world of cybercrime, albeit somewhat less filmable. Just like their physical counterparts, sophisticated cybercriminals identify targets and painstakingly learn about their mark to find the best ways to exploit them. Some threat actor groups even specialize in reconnaissance, gathering intelligence and selling it to other groups, who then use this information to attempt initial access and establish a foothold in victim networks.

What are they looking for?

• Your valuables: Although the intended outcome of a cyberattack can vary (financial, ideological, nation-state, etc.), cybercriminals generally always target the same end goals:
  • Financial information
  • Personally Identifiable Information (PII)
  • Customer data
  • Intellectual property
• Your environment layout: In order to successfully make off with the valuables, cybercriminals need to know what they’re up against. Evaluating your network, what systems and infrastructure are in play, and the individuals involved, helps attackers paint a bigger picture and identify what to exploit.
• Your weak spots: Even the strongest suits of armor have vulnerabilities, and your network is no different. Whether it’s an unpatched system, a negligent employee, or some other opening, attackers will find a way to get in.

How do they find this information?

• Open-source intelligence: You can learn a lot by perusing a company’s website, social media, and job postings, not to mention the social media accounts of employees. Recent funding announcements, new hires, and gaps in security personnel present potential opportunities as well.
• Scanning and probing: Hackers use automated tools to scan your network for vulnerabilities and identify open ports or outdated software. These tools are becoming increasingly available on the dark web, so anyone could be sneaking around your network at any time.
• Social engineering: Attackers go to great lengths to trick employees into giving away sensitive information or clicking on malicious links. Phishing emails and fake websites are common tactics used in social engineering.
• Shared information: Cybercriminals share their findings on organizations just as blue teams do with threat actor groups. Whether it’s communicating over boards or selling information to the highest bidder, there may just be a little bit of “honor” among thieves after all.

Thankfully, there are ways you can help combat the efforts of cybercriminal reconnaissance.

What can you do about it?

If you have that prickle on the back of your neck feeling like your organization is being watched, don’t worry. Although there are never silver bullets in cybersecurity, there are steps you can take today to prevent cybercriminals from easily collecting information on your business.

• Patch your systems regularly: Outdated software is a hacker's best friend. Make sure all your devices and software are up-to-date with the latest security patches.
• Educate your employees: Train your employees on cybersecurity best practices, including how to identify phishing attempts and avoid social engineering tactics, as well as to be mindful of the information they share about their workplace since it could be exploited for targeted social engineering attacks. Instruct your marketing/PR team that manages the company's social media platforms, such as X and LinkedIn, to be cautious about the information they post. Even if the content is not sensitive, it can still be leveraged for reconnaissance by malicious actors.
• Harden your network: By implementing perimeter firewalls and restricting ports, protocols, and IP ranges, you can prevent the constant scanning and prodding that access to the open internet produces.
• Create a software-defined perimeter: Using solutions like SASE, you can establish a virtual perimeter around your entire network—remote users and cloud apps and infrastructure included. In essence, your organization can operate invisibly from the prying eyes of attackers while still connecting securely to resources.
• Segment your network: Isolate critical systems and data from the rest of your network to make it harder for attackers to move laterally once they gain access. By granting access to these segments by the principle of least privilege, you can also cut down on insider threats as well.
• Monitor your network activity: Use a managed cloud SIEM to keep an eye out for suspicious activity across your entire IT ecosystem, such as unauthorized login attempts or unusual traffic patterns.
• Minimize publicly accessible information: Cut down what unauthorized users and the general public can see when they poke around. Reduce verbose error messages, limit directory listings on web servers, and control the visibility of network and system details.

Of course, these are only a few of the techniques you can employ to defend yourself from cyberattack reconnaissance. And, on the flip side, reconnaissance is only the first stage in the attack lifecycle.

Keep reading our blog to learn about each stage in the cyberattack lifecycle, and how a defense-in-depth approach helps you to prevent and defend against new and emerging threats.