External reconnaissance
In this phase, an attacker is simply looking for a vulnerable target to attack. The motive is to harvest as much information as possible from outside the target's network and systems. This may include information about the target's supply chain, its disposal of obsolete devices, and employees' social media activity. This information enables the attacker to decide which exploitation techniques suit each vulnerability identified in a particular target. The list of targets might be endless, but attackers have a particular taste for naïve users who hold certain privileges in systems. However, anyone in an organization can be targeted, including suppliers and customers. All that is needed is a weak point through which the attackers can gain entry to an organization's network.
There are two commonly used techniques in this stage: phishing and social engineering.
Phishing is done through email: attackers send the target carefully crafted messages intended to make them reveal secret information or open a network to attack. It is common for attackers to attach malware to their emails, which infects the target's computer once the infected attachment is opened. At other times, phishing emails claim to be from reputable institutions, thereby inducing unsuspecting targets to divulge sensitive information. Social engineering works in a similar fashion: attackers closely follow targets, collecting information about them that they later use to obtain private information. Social engineering happens mostly through social media, where an attacker follows a target across his or her favorite social networks. The attacker will find the target's likes, dislikes, and, in between, their weaknesses.
Once either of these techniques, or another, has been used, the attacker will find a point of entry. This might be through stolen passwords or malware infection of a computer within the target organization's network. Stolen passwords give the attacker direct access to computers, servers, or devices within the organization's internal network. Malware, on the other hand, can be used to infect even more computers or servers, thus bringing them under the command of the hacker.