How do hackers choose their victims?

by Egress
Published on 22nd Aug 2022

Cybercriminals rarely choose their victims at random. The first stage of the cyber kill chain is reconnaissance, where an attacker narrows down a list of targets based on organization profile, security posture, and vulnerable individuals. Here’s how they use tools and tactics from the hacker’s toolkit to do it – and how your business can defend itself.

Searching for a target organization  

There’s no shortage of potential cybercrime targets out there. An attacker might choose their target list through readily available data online, such as employee count, industry, or existing vendor relationships, then narrow their search down further from there. Once they’ve found several organizations that fit their target profile, they can get even more specific by assessing the relative levels of email security they’re up against an individual targets within the organization.

Assessing email security  

Understanding the target’s security technology is a key part of reconnaissance, as it will help the attacker to successfully weaponize an email in the next stage of the cyber kill chain. The tools and databases they use to discover whether any existing vulnerabilities can be exploited are typically legal and available to marketers.

For example, there are free-to-use tools they can use to perform a DNS MX record lookup on the target’s domain and discover what email security solution they’re using. They might find that the target organization is relying on Microsoft365’s native security features with no secure email gateway to do any pre-filtering.

This would be valuable information for when it comes to weaponizing an email and sending test attacks to target individuals.

Finding an individual target

Once an organization has been selected, it’s time to choose the actual people to target with phishing emails. A targeted well-researched attack aimed towards an individual is far more likely to succeed than a mass email sent to multiple people.

Attackers use social media platforms to build a list of people who might be especially useful to compromise. For example, they could easily find out who works in a finance role by researching job titles on LinkedIn, or a new joiner who might not yet be familiar with security processes and the communication habits of their colleagues. They also gather information about the target individual’s personal life and interests, which will help craft a sophisticated social engineering attack.

Next, they’ll send scouting emails to gauge whether someone is likely to fall for a phishing email. These scouting emails use trackers that show whether the recipient has opened and engaged with the email – showing who will be likely to fall for a weaponized email. Finally, they will try to discover whether the target has had personal data exposed from a previous breach. This might include a phone number that can be used in an attack that impersonates a service using text-based multi-factor authentication (MFA).  

How to defend against reconnaissance 

It’s hard to keep every aspect of our professional and personal lives hidden from attackers online. And it’s unlikely that an organization could (or would even want to) force employees to remove information about themselves from social media. However, you can use targeted security awareness training (SAT) to help people understand the impact of their social media activities and be wary of oversharing sensitive information, or accepting connections from suspicious sources. 

You can also limit cybercriminals from performing some types of attack. For example, senior staff members are often impersonated, so their email addresses can be added to an email security impersonation protection policy. Advising these high-risk people to not update their LinkedIn profile until they have been added to the protection policy will help to mitigate these types of attack.  

Similarly, trying to keep your technology stack secret is almost impossible. As a protective step, best practice is to ensure that all applications are patched to the latest revisions. You can also perform regular penetration testing and red team exercises to highlight vulnerabilities in technology, processes, and people. This will also allow your organization to understand what information is available to a bad actor, and you can then tailor your security policies with this in mind.  

Discover the full hacker’s toolkit

Reconnaissance is just the first step of the cyber kill chain. Learn how attackers use the hacker’s toolkit to weaponize and deliver phishing emails in the full report. Download yours for free.