Can you explain the concept of the reconnaissance phase in the cyber kill chain? Why is it critical to cyber defense?
Assuming that a threat has been detected and its origin determined, be that internally spawned or from an external source, the path to the reconnaissance phase is laid out by the initial network traffic detected.
Recon can be as simple as looking for soft targets via brute force attacks. However, brute force attacks are openly hostile and mostly designed to bring down services.
I believe the Cyber Kill Chain should be employed from the “Inside Out”: you start by assuming you are compromised and start looking for patterns in network traffic.
Normal traffic ports are DNS (53), SMTP (25), SSH (22). One must pay attention to any traffic sent over port 1; ICMP is the primary use for port 1, and data exfiltration. For instance, if you start seeing encrypted traffic outside of HTTPS over ports 8080 or 8443, then you have to look at the connection times and duration. Reconnaissance is the foundation of the success of the mission, be that of a defensive or offensive posture.
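The answer above says to look at connection times and duration when encrypted traffic shows up outside HTTPS on ports such as 8080 or 8443. As an added example (not from the original post), this Python script groups TLS flows from a constructed CSV flow log by source, destination and port, skips the expected HTTPS port, and summarises start-time gaps, durations and bytes out so regular, long-lived sessions stand out for review; the column names, service labels and sample addresses are assumptions.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed flow records (not real traffic); "service" is the protocol analyser's payload label.
FLOW_LOG = """\
ts,src,dst,dport,service,duration,bytes_out
1700000000,10.0.0.5,192.0.2.10,443,ssl,2.1,4200
1700000010,10.0.0.5,198.51.100.7,8443,ssl,1800.0,950000
1700000020,10.0.0.8,192.0.2.53,53,dns,0.1,120
1700000030,10.0.0.9,203.0.113.4,8080,http,0.4,2300
1700003610,10.0.0.5,198.51.100.7,8443,ssl,1790.5,870000
1700007220,10.0.0.5,198.51.100.7,8443,ssl,1805.2,910000
"""

@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    starts: list = field(default_factory=list)     # connection start times (epoch seconds)
    durations: list = field(default_factory=list)  # per-connection duration (seconds)
    bytes_out: int = 0

    def mean_gap(self):
        """Mean seconds between successive connection starts (0.0 if fewer than two)."""
        gaps = [b - a for a, b in zip(self.starts, self.starts[1:])]
        return sum(gaps) / len(gaps) if gaps else 0.0

def parse_flows(text):
    """Parse the CSV flow log into dicts with numeric fields converted."""
    flows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"], rec["dport"] = int(rec["ts"]), int(rec["dport"])
        rec["duration"], rec["bytes_out"] = float(rec["duration"]), int(rec["bytes_out"])
        flows.append(rec)
    return flows

def encrypted_off_https(flows, https_ports=(443,)):
    """Group TLS flows that are not on an HTTPS port by (src, dst, dport)."""
    findings = {}
    for f in sorted(flows, key=lambda r: r["ts"]):
        if f["service"] != "ssl" or f["dport"] in https_ports:
            continue  # plaintext, or TLS where it is expected
        key = (f["src"], f["dst"], f["dport"])
        fd = findings.setdefault(key, Finding(*key))
        fd.starts.append(f["ts"])
        fd.durations.append(f["duration"])
        fd.bytes_out += f["bytes_out"]
    return findings
```

A near-constant `mean_gap` together with long `durations` and growing `bytes_out` is the pattern worth a closer look; a single short TLS session on 8443 to a known vendor is usually just an admin console.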
What are the most common techniques used by attackers during the reconnaissance phase?
Target selection, economic impact on the recon process, risks associated with failure, and return on investment. All these factors come into play before any attack can commence. In my opinion, low-tech approaches....