Welcome back to Day 18! Yesterday, we got the big picture of how cyberattacks work. Today, we're diving into the first three stages, basically what happens before the actual breach. This is where attackers are most vulnerable, and where you have the best chance to stop them cold.

Think of these stages as the "planning phase" of the heist. The criminals are still outside, watching, preparing, and making their first move. Let's see what they're up to.

Stage 1: Reconnaissance — The Stalking Phase

What happens here is that attackers are gathering information about you, your organization, your systems, and your people. They're building a detailed profile of their target before making a move.

Remember the homework I gave you yesterday about what information is publicly available about you? Well, here's what attackers are doing with it:

For individuals, they might be checking out:

  • Your social media profiles (Facebook, LinkedIn, Instagram, Twitter)
  • Your posted photos (looking for details in the background)
  • Your friends and connections (who could they impersonate?)
  • Your hobbies and interests (what might you click on?)
  • Where you work, what you do, and who you know

For organizations, they're digging into:

  • Company websites and employee directories
  • Job postings (which reveal technologies used)
  • LinkedIn profiles of employees
  • Public financial records and news articles
  • Technical information (IP addresses, domain names, email formats)
  • Business partners and suppliers
Image from Pinterest

Let me tell you about "Sarah." Sarah works in accounting and loves golden retrievers; her social media is full of dog photos. She recently posted about being excited for her upcoming vacation to Hawaii.

A hacker doing reconnaissance sees all this. They now know:

  • Sarah works in accounting (probably has access to financial systems)
  • She loves dogs (emotional trigger for phishing)
  • She'll be on vacation soon (maybe less vigilant, might check work email from unsecured locations)
  • Her work email address is probably firstname.lastname@company.com (LinkedIn gives them her name and employer; the company's address pattern is easy to infer from its website, press releases, or other employees' public addresses)

That's everything they need to craft a targeted attack. And Sarah shared it all willingly, thinking she was just posting cute dog photos.

How Attackers Do Reconnaissance

Passive Reconnaissance: the process of gathering information about a target without directly interacting with it, using only publicly available sources. It involves:

  • Google searching your name, email, company
  • Browsing social media profiles
  • Reading company websites and press releases
  • Checking public databases and records
  • Using tools like LinkedIn to map organizational structures
  • Viewing metadata in publicly available documents

Active Reconnaissance: the process of directly interacting with a target's systems to gather information, often by sending probes and testing system responses.

It involves:

  • Scanning your network for open ports
  • Probing your website for vulnerabilities
  • Sending test emails to verify addresses
  • Calling your company pretending to be someone else (social engineering)
  • Physically visiting locations (yes, really!)

How To Defend Yourself Against Reconnaissance

  1. The Privacy Audit: Set aside about 30 minutes and Google yourself. Search for:
  • Your full name in quotes
  • Your email address
  • Your phone number
  • Your username on different platforms
  • Your company name + your name

Whatever comes up, ask yourself: would I be comfortable with a stranger knowing all of that? If not, it's time for some social media hygiene.

For Individuals:

  • Review privacy settings on all platforms (make them as restrictive as possible)
  • Be cautious about posting work-related information
  • Avoid posting vacation plans before you leave (post after you return)
  • Don't tag your workplace in location services
  • Think twice before accepting connection requests from strangers
  • Remove old posts that contain sensitive information

For Organizations:

  • Implement social media policies for employees
  • Be mindful of what information job postings reveal
  • Clean metadata from publicly shared documents
  • Monitor for reconnaissance attempts (unusual network scans, suspicious inquiries)
  • Educate employees about OSINT (Open Source Intelligence) risks

Truth is, you can't be invisible online, and you shouldn't try to be, but you can be mindful of what you share or say. Ask yourself: "If I were planning to hack myself, what would I find useful?" Then remove or protect that information.

Photo by Matias Luge on Unsplash

Stage 2: Weaponization — Building the Attack

At this stage, attackers create or obtain the tools they'll use to breach your defenses. This could be malware, an exploit kit, or simply a convincing phishing email.

Here's something that surprises people: most attackers aren't coding custom malware from scratch. They're using readily available tools and techniques.

Here's how:

  • Dark web marketplaces: These are a one-stop shop for cybercriminals, selling everything from ready-made tools to attacks for hire. Think of it as Amazon, but for cybercrime. You can buy:
    • Ransomware-as-a-Service (yes, really — you can rent ransomware)
    • Stolen credential databases
    • Exploit kits that target known vulnerabilities
    • Phishing templates that look incredibly legitimate
    • Custom malware development services

Prices vary, but many tools are shockingly affordable. A decent ransomware kit might cost a few hundred dollars, with potential returns in the hundreds of thousands.

  • Legitimate security tools (used for evil): Many hacking tools are actually legitimate security testing tools that attackers repurpose:
    • Metasploit (penetration testing framework)
    • Nmap (network scanning tool)
    • Wireshark (network analysis tool)
    • Kali Linux (operating system packed with security tools)

These tools aren't illegal — they're used by security professionals every day. But in the wrong hands, they become weapons.

  • Open-source malware: Some malware and proof-of-concept exploit code is published online by researchers for educational purposes. Attackers download it, modify it slightly, and use it in real attacks.

The Weaponization Process

Let's walk through a typical weaponization scenario:

  1. Based on reconnaissance, the attacker knows Sarah loves golden retrievers and works in accounting
  2. They create a malicious Word document titled "Adorable_Golden_Retriever_Rescue_Charity_Event.docx"
  3. Inside the document, they embed an exploit that takes advantage of a known vulnerability in Microsoft Office
  4. They set up a fake website that looks like a dog rescue charity
  5. They craft a phishing email that appears to come from the charity, with the malicious document attached

Notice how reconnaissance feeds directly into weaponization? The weapon is specifically crafted based on the information gathered in Stage 1. This is what makes targeted attacks so effective.

How to Defend Against Weaponization

You can't directly stop weaponization, because it happens on the attacker's computer, not yours. The good news is that you can make their weapons useless by the time they arrive:

Keep Everything Updated: Most exploits target known vulnerabilities that already have patches available. If your software is up to date, an exploit for a patched vulnerability simply fails. (Exploits for vulnerabilities nobody has patched yet are the exception, which is why the other layers below still matter.)

  • Enable automatic updates on all devices
  • Don't ignore update notifications
  • Replace software that's no longer supported (looking at you, Windows 7 users!)

Use Security Software: Modern antivirus and anti-malware tools can detect many common attack tools:

  • Install reputable security software
  • Keep it updated (yes, it needs updates too)
  • Don't disable it because it "slows things down"

Stay Informed: Know what threats are current:

  • Follow security news from reliable sources
  • Pay attention to security alerts from vendors
  • Understand what vulnerabilities affect your systems

The Email Shield: Since many weapons are delivered via email:

  • Use email security solutions that scan attachments
  • Enable advanced threat protection if available
  • Implement email authentication (SPF, DKIM, DMARC) for organizations; this stops attackers from sending mail that claims to be from your own domain, though it does nothing against look-alike domains, so the checks below still apply
Photo by Kira auf der Heide on Unsplash

Stage 3: Delivery — The First Contact

Here, the attacker is trying to get their weapon to you. This is the moment of first contact; the delivery method bridges the gap between the attacker's system and yours.

Delivery isn't just about email, though that's the most common method. Here are the main delivery channels:

Email Phishing (most common):

  • Malicious attachments disguised as legitimate files
  • Links to websites hosting malware
  • Links to fake login pages (credential harvesting)
  • Business Email Compromise (impersonating executives)

Spear Phishing (targeted): Remember Sarah? An email just for her about golden retriever rescue might include:

Subject: Help Needed: Golden Retriever Rescue Event This Weekend!
Hi Sarah,
We noticed you're a golden retriever lover! We're hosting an emergency 
adoption event this weekend and desperately need volunteers. Can you 
help? Check out the attached schedule and let us know your availability.
Thanks so much!
Golden Hearts Rescue

Looks innocent, right? But the attachment contains malware.

Other Delivery Methods:

  • USB drops: Leaving infected USB drives in parking lots (people pick them up and plug them in!)
  • Watering hole attacks: Compromising websites that targets frequently visit
  • Malicious ads: Advertisements on legitimate websites that deliver malware (malvertising)
  • Supply chain attacks: Compromising software updates or third-party vendors
  • SMS/Text messages: Phishing via text (smishing)
  • Phone calls: Social engineering to trick people into taking actions (vishing)

Delivery succeeds because of human nature. We're curious, helpful, and trusting — all wonderful qualities that attackers exploit:

  • Curiosity: "What's in this attachment? Someone sent me something!"
  • Fear: "This message says my account will be closed unless I act NOW!"
  • Authority: "The CEO needs this information immediately!"
  • Greed: "You've won a prize! Click here to claim it!"
  • Urgency: "Verify your account in the next hour or lose access!"
  • Helpfulness: "Can someone help this person who's asking for information?"

How to Defend Against Delivery

This is where you have tremendous power. Most delivery methods require your participation: you have to click, open, download, or plug something in.

The Email Safety Protocol:

Before opening any attachment, ask yourself:

  1. Was I expecting this? (No? Be suspicious)
  2. Do I know the sender? (Not really? Then be very suspicious)
  3. Does this make sense? (Why would HR send me a .zip file?)
  4. Is the sender's email address correct? (Check carefully — scammers use look-alike addresses)
  5. Are there spelling or grammar errors? (Professional organizations proofread)

The Hover Test: Before clicking any link, hover your mouse over it (don't click!). Look at the URL that appears:

  • Does it match where it claims to go?
  • Is the domain spelled correctly? (amazom.com isn't amazon.com)
  • Is it using HTTPS? (HTTP is definitely suspicious for anything sensitive, but HTTPS is no guarantee: phishing sites routinely use it, and the padlock only means the connection is encrypted, not that the site is honest)

The Verification Call: If an email claims to be from your bank, your boss, or any important institution and asks you to do something unusual:

  • Don't reply to the email
  • Don't call a number provided in the email
  • Look up the official contact number separately and call to verify

The File Extension Check: Be wary of these file types in email attachments:

  • .exe, .bat, .cmd, .scr (executable files)
  • .js, .vbs (script files)
  • .zip, .rar (compressed files that might hide malicious content)
  • .docm, .xlsm (Office files with macros enabled)

Legitimate businesses rarely send these file types via email. One more trap: Windows hides known file extensions by default, so "Invoice.pdf.exe" shows up as "Invoice.pdf". Turn that setting off so you can see the real extension.
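The Hover Test and the File Extension Check above can both be written down as a mechanical screen. The Python below is an added example, not code from the original post: check_link flags links whose real domain differs from the one you expect (look-alikes such as amazom.com, brand names buried in someone else's domain, the user@host trick, and non-ASCII homograph hosts), and check_attachment flags attachment names by extension, including double extensions that Windows would display without their final part. The extension sets extend the article's list with a few more types of the same kinds, and registered_domain assumes a two-label suffix like amazon.com (it does not handle co.uk-style suffixes; real code should use the Public Suffix List). The URLs and filenames in the test calls are constructed.

```python
from typing import List
from urllib.parse import urlsplit

# Extensions the article lists, extended with a few more of the same kinds.
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "scr", "com", "pif", "msi"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}
# Harmless-looking extensions attackers put in front of a real one ("invoice.pdf.exe").
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def registered_domain(host: str) -> str:
    """'login.amazon.com' -> 'amazon.com'.
    Assumption for this example: a two-label suffix. Real code should consult the
    Public Suffix List so that 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, expected_domain: str) -> List[str]:
    """The Hover Test as code: warnings for a link that claims to lead to expected_domain."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        # "http://amazon.com@evil.example/": browsers treat the text before '@' as a
        # username and connect to the host after it.
        warnings.append(f"text before '@' is not the host; the real host is {host}")
    if any(ord(c) > 127 for c in host):
        warnings.append("host contains non-ASCII characters (possible homograph)")
    actual = registered_domain(host)
    if actual != expected_domain:
        warnings.append(f"goes to {host}, not {expected_domain}")
        brand = expected_domain.split(".")[0]
        if brand in host:
            warnings.append(f"'{brand}' appears in the name but the registered domain is {actual}")
        elif edit_distance(actual, expected_domain) <= 2:
            warnings.append(f"{actual} is a look-alike of {expected_domain}")
    return warnings


def check_attachment(filename: str) -> List[str]:
    """The File Extension Check as code: warnings for an attachment name."""
    warnings = []
    if "\u202e" in filename:
        # Right-to-left override: "report\u202efdp.exe" is displayed as "reportexe.pdf".
        warnings.append("name contains a right-to-left override character (hides the real extension)")
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return warnings + ["no file extension; check the type before opening"]
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        warnings.append(f".{ext} is an executable")
    elif ext in SCRIPT_EXTS:
        warnings.append(f".{ext} is a script that runs when opened")
    elif ext in ARCHIVE_EXTS:
        warnings.append(f".{ext} is a container that can hide any of the above")
    elif ext in MACRO_EXTS:
        warnings.append(f".{ext} is an Office file with macros enabled")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and ext not in DECOY_EXTS:
        # Windows hides known extensions by default, so this shows as "invoice.pdf".
        shown = ".".join(parts[:-1])
        warnings.append(f"double extension: displays as '{shown}' when extensions are hidden")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.amazon.com/orders", "https://amazom.com/login",
                 "http://amazon.com@evil.example/", "https://amazon.com.evil.example/"):
        print(link, "->", check_link(link, "amazon.com"))
    for name in ("schedule.pdf", "Invoice.pdf.exe", "budget.xlsm", "photos.zip"):
        print(name, "->", check_attachment(name))
```

A mail gateway does essentially this, at scale and with better domain data; the point of writing it out is that every rule here is something you can apply by eye when you hover over a link or read an attachment name.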

For Organizations:

Email Security Layers:

  • Spam filters (block obvious junk)
  • Anti-malware scanning (catch known threats)
  • Sandbox analysis (detonate suspicious attachments in a safe environment)
  • Link protection (rewrite and scan URLs before users click)
  • User reporting tools (make it easy for employees to report suspicious emails)

Security Awareness Training:

  • Regular phishing simulations (test your people)
  • Monthly security reminders (keep it fresh)
  • Celebrate people who report suspicious emails (positive reinforcement)
  • Share examples of real phishing attempts (education)

Access Controls:

  • Restrict what file types can be emailed
  • Block executable files at the email gateway
  • Require authentication for external file sharing
  • Monitor and log all file transfers

Here's why focusing on these early stages is so powerful:

At the reconnaissance stage, attackers are just gathering information. Stop them here by limiting what's available, and they might move on to easier targets.

At the weaponization stage, you make their weapons ineffective through updates and security tools. They waste time building tools that won't work.

At the delivery stage, you prevent the weapon from ever reaching its target. All their preparation is wasted.

Always remember, they need to succeed at ALL stages. You only need to stop them at ONE.

Tomorrow on Day 19, we'll cover what happens when delivery succeeds, that is, Stages 4 and 5: Exploitation and Installation. This is where the attacker actually breaks in and establishes a foothold.

The good news? Even if an attacker makes it past delivery, the game isn't over. There are still ways to stop them.

Stay vigilant, stay secure!

#CybersecurityAwarenessMonth #CyberattackLifecycle #Phishing #SocialEngineering #CyberSecurity #Day18