Unveiling Cyber Threats: Understanding Reconnaissance in the Cyber Kill Chain and the importance of Threat Intelligence

July 3, 2024


Many enterprises have significantly improved their cybersecurity posture the past decades, effectively preventing known attacks through the integration of security tools, employee education initiatives, and adherence to regulatory standards. However, with the rise of sophisticated cyber threats and the evolving AI threat landscape, many organisations are still susceptible to successful security incidents and data breaches.

A popular framework, named Cyber-Kill-Chain, developed in 2011 helps organisations to identify and prevent cyber intrusion activities by understanding attacker’s behaviour and mapping defence strategies to their lifecycle. This article will explore the phases of the Cyber Kill Chain, focusing on the Reconnaissance phase in detail as. It covers commonly used tools and tactics during all phases, but also emphasises the advantages of proactively accessing Threat Intelligence feeds.

How the Cyber Kill Chain Works

Cyber-Kill-Chain, developed from a military model built by Lockheed Martin, in order to analyse attackers' tactics and prevent cyber attacks. The model illustrates the steps malicious actors must take to achieve their goal, which includes attacking the organisation's network, exfiltrating sensitive data, and maintaining persistence within the company's systems. To achieve their main goal, they must successfully complete each phase; however, from the defender's perspective, success is simply dependent on preventing the attacker's progress at all stages.

The seven stages of the Cyber Kill Chain include:

  1.   Reconnaissance

Attackers:  In this step, the attacker selects a target and begins gathering information about it, such as finding potential vulnerabilities, open ports, network configuration, and other potential entries. Reconnaissance can be carried out via active techniques, such as connecting directly with the target via port scanning, network enumerations, vulnerability scanning or passive techniques, such as obtaining information about the target using open source intelligence and publicly available information. 

Defenders: Defenders must remain vigilant against both active and passive reconnaissance activities. Deploying Honeypots and IPS/IDS systems at the perimeter layer and enabling real-time monitoring and response strategies could be critical. Additionally, utilising up-to-date Threat Intelligence feeds could support in identifying critical information that could be exploited by threat actors during this phase.

  1.   Weaponizations

Attackers: In this stage, the adversaries will begin to develop their weapon, which will combine malware and exploits into a payload that can be delivered to the target. For example, the attacker can embed macro-virus in a Word document, attach a malicious file or URL in an email that redirects visitors to a malicious website, or prepare scripts such as XSS scripts or SQL injections to insert into a vulnerable website. 

Defenders: During this stage, defenders must proactively scan their networks and systems to assess the exposure of their assets against known payloads or exploits. Leveraging threat intelligence can aid in identifying malicious tools and malware used by threat actors. Additionally, monitoring threat feeds enables defenders to detect if their company's sensitive data is being sold in the dark market or if there are potential campaigns targeting their organisation or relevant industries.

  1.   Delivery

Attackers: In this phase the payload is prepared to be delivered to the target and the attacker has a variety of options for delivering his payload or malware, such as email attachments, phishing emails, USB devices, or exploiting a weakness in a website or a system.

Defender: As the primary layer of defence, implementing key security controls such as Firewalls or EDRs is essential to block potential attack deliveries. Analysing the logs of all critical systems is crucial to determine if an attack was initiated and its target system. Additionally, examining threat feeds provides insights into known malicious domains, IP addresses, malicious attachments, and URLs used in delivering malware, phishing emails, or other malicious content. 

  1.   Exploitation

Adversary:  After the payload is successfully delivered to the target, this stage consists of exploiting vulnerabilities discovered during the reconnaissance. The vulnerabilities might be of any type, such as vulnerabilities due to unpatched systems, insecure configurations, or human errors, allowing the attacker to escalate privileges or move laterally across the network, from one system to another. 

Defender:  To proactively identify unpatched systems and assess potential vulnerabilities, organisations can implement several measures such as regular vulnerability Scanning and pentesting as well as automated patch management. Threat Intelligence can provide insights about ongoing exploitation campaigns and zero-day vulnerabilities. 

  1.   Installation

Adversary: After the target is exploited, the attacker will create persistent access by opening a backdoor on the target.

Defender: Defenders should always install and regularly update endpoint security solutions such as IDS/IPS systems and Endpoint Detection and Response tools to detect and block malicious software.  Subsequently, monitoring for any artefacts of remote access tools is necessary.

  1.   Command-and-Control (C2)

Adversary: C2 allows the attacker to gain remote control over the system, thereby granting them extensive command and manipulation privileges from a distance.

Defender:  Monitoring network traffic for suspicious connections or unusual data transfers is essential, along with disabling remote access by default. Implementing firewall rules and Access Control Lists (ACLs) to limit unnecessary outbound connections and block communication with unauthorised destinations is critical. Threat Intelligence feeds can aid security analysts in analysing malicious IPs with low reputation and automatically blocking them.

  1.   Actions on Objectives

Adversary: In this concluding phase, it signifies that the Threat Actor has successfully accomplished their objectives. During this stage, the attacker will gather login details, gain higher levels of access, conduct lateral movement through the network, extract data, and engage in various unauthorised actions.

Defenders: A comprehensive incident response programme should be maintained and playbooks should be developed to minimise the effects of a cyberattack. Strategies such as employing an internal honeypot strategy could help to detect and alert unauthorised access or suspicious behaviour. 

 The significance of Reconnaissance in Cyber-Kill-Chain:

In the Cyber-Kill-Chain framework, the first phase, known as reconnaissance or the 'pre-attack phase', plays a pivotal role. Its aim is to gather comprehensive information about the target, including network structure, system weaknesses, employee details, and other critical data. Armed with this knowledge, attackers can tailor their strategies for optimal results while reducing the risk of detection.

Methodologies of Reconnaissance:

When attackers attempt to gather important information about their target, they typically do so either actively or passively.

Active Reconnaissance

In this method, active reconnaissance involves direct interaction with the target's system to collect information. It acts as a link between gathering information and initiating specific cyber attacks. This approach enables threat actors to obtain a more comprehensive understanding of the target's infrastructure, services, potential weaknesses, and identify open or closed ports.

Techniques of Active Reconnaissance include:

  1. Port Scanning

Port scanning examines target systems to find open ports and services. Threat actors may use port scanning to find vulnerabilities in the target's infrastructure or have more information about potential entry points and services operating on the target's systems.

Tools: Common tools for scanning TCP, UDP, and other protocol ports are: Nmap, Nessus, Metasploit, Angry IP Scan and Netcat.

  1.   Network Enumeration

Network enumeration is the process of querying network devices and systems to obtain information about the network topology, domain names, IP addresses, and active hosts.

Methods:  ICMP ping sweeps, DNS enumeration, and SNMP queries are standard methods for enumerating network resources and identifying possible targets for further exploitation.

Tools: Nmap, Nessus, Metasploit, Firewalk and Zenmap.

  1.   Service identification

Once open ports are identified, attackers will attempt to determine the services running on these ports and their versions. This information helps in identifying vulnerable services that can be exploited to gain unauthorised access.

Methods: Techniques such as banner grabbing and service fingerprinting are employed to identify running services and their versions.

Tools: Nmap, Nikto, amap and WPScan.

  1.   Vulnerability Scanning

Vulnerability scanning is a method used to examine target systems for potential weaknesses by conducting thorough static or dynamic scans. It helps identify known vulnerabilities within the system, allowing for proactive measures to be taken to enhance security.

Method: By identifying outdated software, misconfigurations, and known vulnerabilities in the services identified in previous steps, attackers can exploit these weaknesses to compromise target systems.

Tools: Automated tools such as Nessus, OpenVAS, or Qualys, BurpSuite Professional and ZAP are typically used.

  1.   Password Cracking

Password cracking involves attempting to decipher passwords, typically using methods like brute force attacks and dictionary attacks. These techniques aim to gain unauthorised access to systems and accounts by systematically guessing passwords until the correct one is found.

Method: Attackers utilise automated tools to guess passwords or try commonly used passwords to gain access to target systems.

Tools: CrackStation, Aircrack, RainbowCrack, Cain and Abel and John The Ripper.

Practical techniques to prevent active reconnaissance involve:

  1. Intrusion Detection/Prevention Systems 

Deploying IDS/IPS systems helps in identifying and alerting on suspicious network traffic and reconnaissance activities.

  1. Firewall Configuration

Configure firewall rules to block or restrict access to specific IP addresses, ports and services that are not used in your organisations. This helps prevent attackers from scanning your network and identifying potential vulnerabilities.

  1. Encryption

Strong encryption should be used on the sensitive data both at rest and in transit to prevent attackers from intercepting reconnaissance information and eavesdropping.

  1. DNS Monitoring

DNS logs should be analysed for any suspicious activities such as attempts to gather information through DNS enumeration or scanning of domains. If any suspicious activity is detected, it's essential to take action by blocking malicious queries to safeguard the network's security. Regular monitoring and analysis of DNS logs help ensure the integrity and safety of the network infrastructure.

  1. Employee Training

It's crucial to offer comprehensive education to employees about the risks associated with active reconnaissance. This should include training on recognizing common tactics employed by attackers, such as phishing emails and social engineering attempts. By increasing awareness and enhancing knowledge, employees can be encouraged to use stronger passwords and to limit the amount of sensitive information they share online.

  1. Honeypots and Honeynets

Establishing decoy systems or networks, such as honeypots or honeynets, serves to attract potential attackers and gain valuable insights into their reconnaissance methods, all while safeguarding essential assets from exposure. This proactive approach allows for the collection of intelligence on potential threats without risking the security of critical resources. 

  1. Threat Intelligence

Threat intelligence plays a critical role in mitigating active reconnaissance for several reasons. It enables continuous monitoring of dark web marketplaces to detect whether any of the organisation's sensitive credentials, even those in hashed format, are being sold or bought. Additionally, it assists in identifying suspicious activities that may indicate insider threats, such as unauthorised access to sensitive data or atypical patterns of file access. This is achieved by correlating threat feeds with security logs and user behaviour analytics. Threat feeds also include information on data breaches, specifying which organisations were affected and what type of data was exposed. Consequently, it becomes easier to ascertain whether any third-party affiliates of the organisation have been compromised.


Passive Reconnaissance

Unlike active reconnaissance, in this approach the attacker does not interact directly with the target, but it gathers information using publicly available sources such as social media platforms, company websites, online forums, hr portals etc. By analysing data openly accessible on the internet, threat actors can identify potential targets, understand organisational hierarchies and gather intelligence without the risk of detection.


Techniques of Passive Reconnaissance

  1. Online Support Forums

Technical support forums like Stack Overflow and Glassdoor serve as virtual communities where users can seek help for technical issues they encounter. They can share details such as screenshots of their setups and error messages to receive assistance from others. However, these platforms also pose a risk as attackers can potentially gather sensitive information about a company's software or platforms by analysing the discussions and shared content.

  1. OSINT (Open Source Intelligence)

Open Source Intelligence (OSINT) serves as a crucial asset for acquiring data from diverse outlets such as social media platforms, governmental records, news sources, and publicly accessible databases. Consequently, a hacker could potentially gather extensive details about their target, spanning from information about partners and employees to insights into the infrastructure and technologies utilised by the target organisation. Shodan is a powerful search-engine that uses various scanning techniques to gather information about devices, including open ports, banner information, and other metadata.

  1. Google Dorking

Google Dorking utilises specialised search techniques to locate files of a specific format, search within particular websites, and identify specific keywords. By employing Google Dorking, sensitive information may become accessible to individuals conducting searches, potentially leading to privacy breaches or data exposure.

  1. Whois Lookup

Performing a Whois Lookup can provide valuable insights into organisational information, including IP ranges for scanning purposes, as well as contact details such as email addresses for technical staff members. This helps in gaining a comprehensive understanding of the digital footprint and infrastructure of the target entity.

 Practical techniques to prevent passive reconnaissance:

Mitigating passive reconnaissance involves implementing measures to safeguard confidential data and increasing the complexity of information gathering for potential attackers targeting a company. Below are several strategies aimed at preventing passive reconnaissance efforts:

  1. Minimise Online Presence

Enhance organisational security by minimising the exposure of sensitive information across various online platforms such as social media, company websites, and other public channels like hr forums. Exercise discretion when sharing details regarding the organisational structure, employee identities, and technical infrastructure to mitigate potential risks. 

  1. Robust Privacy Policy

Develop and enforce strict privacy policies that govern the collection, use, and sharing of sensitive information, as well as ensuring that employees understand their responsibilities regarding data privacy.

  1. Regular Security Audits

Conduct regular security audits and assessments such as website configuration, server settings and third-party integrations to identify and address vulnerabilities in the organisation's online presence.

  1. Monitor Online Activities

Continuously observe the organisation's presence across social media, forums, and other public channels for any mentions or activities. Employ monitoring tools to carefully track conversations and detect any unauthorised sharing of confidential information.  

  1. Web Scraping Protection

Employing technologies like CAPTCHA is crucial to safeguarding website data against automated bots. CAPTCHA prompts users to complete tasks that are easy for humans but challenging for automated bots, thereby ensuring the integrity of the data and protecting user privacy. 

  1. User Education and Awareness Training

Enhance awareness among employees regarding common tactics used by attackers to gather information, emphasising the critical importance of exercising increased caution when disclosing company information online, including on social media platforms. This training should stress the potential risks associated with sharing sensitive data and underscore the need for maintaining strict confidentiality in all forms of digital communication. 

  1. Threat Intelligence

Continuous monitoring of Threat Intelligence feeds is crucial as it provides deep insights into attackers, including their motivations, tactics, techniques, and procedures (TTPs). This valuable information allows organisations to discern whether specific threat actors are actively gathering data about theirs or similar industry sectors as well as facilitates the proactive identification of company information that may be exposed on the web. This approach ensures that organisations are not only alerted to immediate threats but also understand broader adversarial patterns affecting their industry, allowing them to fortify further their defences against potential future attacks.


In light of the increasingly sophisticated nature of cyber threats and the expanding landscape of AI-based risks, it is strongly advised for organisations to invest in Cyber-Kill-Chain frameworks and incorporate threat intelligence as a key defensive strategy to bolster their cybersecurity defences. The Cyber-Kill Chain framework offers a structured methodology for understanding the lifecycle of cyber attacks, spanning from initial reconnaissance to data exfiltration. Furthermore, by aligning threat intelligence with each stage of the Cyber-Kill Chain, organisations can gain a deeper understanding of the tactics, techniques, and procedures (TTPs) employed by attackers. Ultimately, the combination of Cyber-Kill Chain frameworks and threat intelligence equips organisations with the knowledge and tools needed to anticipate, detect, and mitigate cyber threats more efficiently, thus enhancing their overall cybersecurity posture.

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.

What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.