It’s vital that you fully understand how the cyber kill chain works and have a good posture in detecting traces of the first stage: Reconnaissance.

Reconnaissance or recon is the step of gathering support information about a possible target for a future attack. This may include network diagrams, hostnames, or even user account information.

Key takeaways: 

  • Lockheed Marting created the cybersecurity kill chain.
  • Recon activity is essential to detect.
  • What you can do to identify and deal with lingering traces on your network.

What Is the Cyber Kill Chain?

cyber kill chain banner

The cybersecurity kill chain was a method of identifying a cyberattack by placing the observed activity into a specific phase.

The cyber kill chain was created by Lockheed Martin and has been adopted over the years by many other authors, including The MITRE Corporation. The cyber kill chain is broken down into the following categories:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & control (C2)
  • Actions on objectives

In this article, we focus solely on the first phase, reconnaissance. For a more in-depth review of the entire chain and its rich history, look at this article covering the basics of the cyber kill chain.

Why Is Reconnaissance So Important?

reconnaissance banner

This is the phase where the attacker gathers the who, what, where, when, and how metrics for their attack. If proper recon isn’t performed ahead of time, it could lead to failure, broad attempts at accessing a network risk tipping the entity of the attacker’s presence.

Most of the time, compromising a host or a network isn’t as easy. Even if you have a way into an organization’s network, the threat actor must have a plan to execute a payload that provides success properly.

Whether this payload ends up being sensitive data or company secrets, recon gathers all required information needed to both navigate and compromise a network.

How Does Someone Perform Reconnaissance?

Essentially, it’s performed however is best for the attacker to gather the data as it becomes available.

Usually, once attackers obtain specific data, such as email addresses and important individuals at the company, they can use that data to craft a phishing email to gather even more data.

There are automated scanning tools that scrape company websites and social media sites for any publicly available information surrounding a specific target. Also, social engineering is a vast tactic used through email and even over the phone to gather live data about a company, most of the time without tipping them off, either.

Most Common Data Found During Cybersecurity Reconnaissance

The following are the most common types of data attackers pursue to gain an advantage over an entity. Types of recon data that is valuable to an attacker:

  • Internet protocol (IP) addresses
  • Email addresses
  • Workstation details, such as operating system, versions, and more
  • Web browser details, including version, type, and enabled extensions
  • Running services on workstations
  • Security tools in use on a network
  • Account management setup
  • Network topology
  • Business vendors used
  • Names of Important individuals
  • Email policies applied like sender policy framework (SPF), DomainKeys Identified Mail (DKIM), and domain-based message authentication reporting and conformance (DMARC)
  • Network subnets
  • Network firewall rules
  • Business websites or portals

The objective of recon is to gather enough data that provides a path into a company. One course that provides valuable information or monetary benefits once accomplished. Most attackers want to pick systems and tools used to scan the target to determine if any unpatched vulnerabilities can be exploited.

What Can You Do To Detect Reconnaissance Efforts?


The best way to understand if someone is attempting to gather internal data from your company is to ensure you have a solid security posture.

This includes visibility into all systems and network communications, proper patching processes enabled, effective detection/prevention security solutions running, and working toward a proactive posture vs. a reactive one.

Use a Security and Event Management System for Visibility

Having a security information and event management (SIEM) solution in place is essential to gather all your logs into one area that’s actively correlating them together to create valuable metrics that can be acted on.

Without a SIEM or properly supplying your SIEM with effective data sources, you are left without any efficient means of detecting signs of recon activity. Modern-day SIEMs can even tag log events by kill chain phase.

This feature allows you to search easily for activity about a specific phase, highlight trends, or track an attack through the attack kill chain lifecycle.

Implement Proper Updating and Patching Systems

It’s best to assume that an attacker can gather system information about your internal and external assets. The best thing you can do to prevent unwanted compromise of these assets is to ensure you have proper updating procedures in place and are followed regularly.

By patching the latest updates from vendors, you’re at least ensuring that 90% of the “easy” low-hanging fruit vulnerabilities are halted. There are some vulnerabilities that go through a period without a patch or fix for them.

These are called zero-day vulnerabilities and should be identified promptly for enhanced monitoring.

Use the Best Security Tools

Visibility is only one piece of the security puzzle that needs to be accounted for in controlling your overall security posture. Ensuring that you have created enough of a hindrance for attackers at every level of your environment is key to stopping or slowing their pace of attack.

The following are some popular tools you should consider looking into that only helps to establish a strong security foothold.

  • Endpoint detection and response (EDR)
  • Network detection and response (NDR)
  • Extended detection and response (XDR)
  • Cloud access security broker (CASB)
  • Data loss prevention (DLP)
  • File integrity monitor (FIM)
  • SIEM
  • Security, orchestration, automation, and response (SOAR)
  • Secure access service edge (SASE)
  • Vulnerability scanning
  • Network access control (NAC)

These are only a handful of the defensive security solutions topics that have tons of vendors nested within them. Each vendor offers its own spin on the same sets of data, so it’s best to attend some product demos or have a proof of concept (POC) completed to ensure each solution satisfies your team’s immediate needs.

Proactive vs. Reactive

One last way to consistently lower the spectrum of what attackers can gather from your company during recon is by proactively taking steps to clean up unnecessary data. Even if data isn’t considered sensitive, you have to ask yourself, “what could an attacker do with this information if they had it.” Shifting towards a proactive security posture, where you’re constantly scanning hosts for vulnerabilities and performing activity penetration tests, is a great way to close that gap.