Can you explain the concept of the reconnaissance phase in the cyber kill chain? Why is it critical to cyber defense?

Assuming that a threat has been detected and its origin determined, whether internally spawned or from an external source, the path to the reconnaissance phase is laid out by the initial network traffic detected. Recon can be as simple as looking for soft targets via brute-force attacks. However, brute-force attacks are openly hostile and mostly designed to bring down services. I believe the Cyber Kill Chain should be employed from the "inside out": you start by assuming you are compromised and start looking for patterns in network traffic. Normal traffic ports are DNS (53), SMTP (25), and SSH (22). One must pay attention to any traffic sent over port 1; ICMP is the primary use for port 1, and data exfiltration. For instance....
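The "inside out" hunt the answer describes, as an added example that is not part of the original post: a baseline of expected ports plus a check for ICMP that carries more data than pings should. One detail the example relies on: ICMP has no ports; it is IP protocol number 1, so the check keys on the protocol field of each flow record rather than on a port. The flow-record shape, the sample flows and the thresholds are all constructed for illustration and are not from the post.

```python
"""Added example: hunt for suspicious patterns in constructed flow records.

Assumptions (not from the original post): records are NetFlow-like
objects, the baseline of "normal" ports is just the three the post names
(53, 25, 22), and every threshold below is illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers. ICMP is protocol 1 and carries no port numbers.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# Baseline of expected destination ports, as named in the post.
NORMAL_PORTS = {53, 25, 22}

# Illustrative thresholds (assumptions; tune them against your own baseline).
ICMP_MAX_AVG_BYTES = 128          # a normal echo request is under ~100 bytes on the wire
ICMP_MAX_BYTES_PER_PEER = 50_000  # total ICMP bytes from one host to one peer
UNKNOWN_PORT_MIN_BYTES = 10_000   # ignore tiny probes to odd ports, flag bulk transfers


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int]  # None for ICMP, which has no ports
    packets: int
    bytes: int


def icmp_findings(flows):
    """Group ICMP flows per (src, dst) and flag oversized or high-volume pairs.

    An average packet size well above a normal echo request, or an unusual
    total volume to one peer, is the pattern an ICMP tunnel or exfil tool leaves.
    """
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [packets, bytes]
    for f in flows:
        if f.proto == PROTO_ICMP:
            totals[(f.src, f.dst)][0] += f.packets
            totals[(f.src, f.dst)][1] += f.bytes
    findings = []
    for (src, dst), (pkts, byts) in totals.items():
        avg = byts / pkts if pkts else 0
        if avg > ICMP_MAX_AVG_BYTES or byts > ICMP_MAX_BYTES_PER_PEER:
            findings.append({"src": src, "dst": dst, "kind": "icmp_volume",
                             "avg_bytes": round(avg, 1), "total_bytes": byts})
    return findings


def unknown_port_findings(flows):
    """Flag TCP/UDP flows to ports outside the baseline that move real data."""
    return [{"src": f.src, "dst": f.dst, "kind": "unexpected_port",
             "dport": f.dport, "total_bytes": f.bytes}
            for f in flows
            if f.proto in (PROTO_TCP, PROTO_UDP)
            and f.dport not in NORMAL_PORTS
            and f.bytes >= UNKNOWN_PORT_MIN_BYTES]


def hunt(flows):
    """Run every check and return the combined list of findings."""
    return icmp_findings(flows) + unknown_port_findings(flows)


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.2", PROTO_UDP, 53, 40, 3_200),            # normal DNS
    Flow("10.0.0.5", "203.0.113.9", PROTO_TCP, 22, 120, 48_000),       # normal SSH
    Flow("10.0.0.5", "198.51.100.7", PROTO_ICMP, None, 10, 640),       # normal pings
    Flow("10.0.0.7", "198.51.100.7", PROTO_ICMP, None, 400, 480_000),  # tunnel-sized ICMP
    Flow("10.0.0.7", "198.51.100.8", PROTO_TCP, 4444, 300, 250_000),   # odd port, bulk data
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print(hit)
```

On the constructed sample, the ordinary pings pass (64 bytes per packet, 640 bytes total) while the 400-packet, 480 KB ICMP stream and the 250 KB transfer to port 4444 are flagged. In practice the port baseline should come from what your own network actually uses, not from a fixed list of three, and ICMP thresholds should be set from a measured quiet period.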