<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1703665079923990&amp;ev=PageView&amp;noscript=1">

Cyberattack Game Plan: How attackers choose their targets & plan their attack

Cyberattack Game Plan: How attackers choose their targets & plan their attack

Posted by TEAM ASCEND on 10/28/19 3:45 PM

<< Back to Blog

High-profile, newsworthy cyber breaches may have you believe that only big corporations like Target, Facebook, and Equifax are where cyber criminals focus their efforts. However, it continues to be proven that small and mid-sized organizations are being targeted frequently, despite the belief that a smaller organization has nothing that would be valuable to a criminal.

The truth is actually quite contrary: small and mid-sized organizations are not only easier for criminals to target and breach, but they’ve proven fruitful for those criminals looking for personal data, financial data, and credential access.

According to industry research, some of the most common reasons that smaller organizations become the target of cyberattacks include:

  • Low security investments or even cut security spending
  • Lack of resources to implement and maintain strong security (time, budget, expertise)
  • Small staff – often including a lack of dedicated IT or security specialists
  • Low risk awareness or cybersecurity understanding
  • Outdated or nonexistent security appliances, products, and software

These reasons are essentially a collection of unlocked—or even wide open—doors for cyber criminals to take advantage of, making it incredibly easy to perform an attack and successfully breach their target.


How do cyber criminals pick their targets?

The truth is, in some cases it is completely random. Attackers using a “spray-and-pray” approach—through widespread phishing campaigns, web-hosted malware delivery, and the like—may access a list of email addresses and send their attack to as many people as possible, or infect a website and hope that enough people will get infected by the malware.

In instances where cyber-espionage is the goal, attackers may have their target(s) picked out in advance for political, personal, economic or other motives. These attacks generally take place when the attacker’s goal is to negatively impact the image, reputation, and proceedings of business for an entity or organization.

In the case of your “every day” cyber attacks (not that we want them to be so normal!), cyber criminals tend to land somewhere between specific, well-researched targets and broader, more generalized goals. These goals may correlate via location, industry, type of data held within the organization, and so on, depending on the motivations of the individual attacker or attack group.

Whether the cyber criminals have chosen a broad list of targets or have decided to attack a refined group of targets, like all of the local retailers in a certain area, their next step will be to perform reconnaissance so they can begin their attack.


How does cyber reconnaissance work?

The intelligence-gathering stage of an attack is where an attacker will complete extensive research about potential targets and strategize for a successful attack. Some of the reconnaissance (recon) strategies commonly used include:

  • WHOIS Lookups

Used for gathering domain names, IP addresses, and web system information.

  • NMAP Port Scanning

A network discovery tool that can be used to identify open ports and vulnerabilities to exploit in your network.

  • Web Page Analysis & Email Address Search

Using search engines and queries, attackers can gather information available about your organization and its email communications online.

  • Social Media Research

Learning about your organization and its employees through Facebook, Linkedin, Twitter, and more can prove valuable for attackers looking to craft targeted phishing attacks.


The NMAP port scanning approach is helpful for attackers looking to begin an attack that goes beyond the simple phishing email because it allows them to discover the “open doors” in your network—doors that they can use to get inside and start causing damage. This tool is important to illustrate and discuss because while it’s not malicious in nature, it is incredibly helpful to attackers as it easily provides them the information they need to breach their target.


NMAP Scanning in action

Watch as Information Security Analyst Chris demonstrates an NMAP scan and explains how this reconnaissance technique is used by cyber criminals.


Cybersecurity Game Plan


If an attacker has used NMAP Port Scanning against your network, signs of this will be present through Next-Generation Firewall (NGFW) logs or integrated logs in your SIEM solution. Proof of potential attacker recon should lead you to secure vulnerabilities and keep an eye on the other layers of security you have in place, like EDR and Malware Prevention, for signs of an attack.



While you can’t prevent someone from scanning your network from the outside, you can take a few steps to ensure that their online research and subsequent scans aren’t as fruitful as they prepare for an attack.

First, secure the information available about your organization online. As a business, it can be hard to balance publicizing information with keeping key details secure. Some suggestions include not listing direct employee emails or contact information on your website, having employees maintain privacy settings on Facebook and Linkedin accounts, and refrain from sharing private data about your business on your website, social media, or blog. These steps can help make it harder for a criminal to phish or spear-phish your organization by limiting their access to direct email addresses and making it harder to discover who to phish or impersonate within your organization.

Next, perform regular vulnerability scanning within your network or employ a security partner to regularly evaluate your security posture through scanning, assessments, or penetration tests. With frequently updated, actionable data about your network vulnerabilities, you can be on top of security from the perimeter level down to your endpoint devices. Port-level vulnerabilities are discovered and announced regularly, but it’s up to your organization to keep security products and software updated and proactively address vulnerabilities that require new configurations or security settings. If vulnerabilities are left unchecked, an NMAP scan could uncover an easy way into your network and an attacker can exploit it.

If your organization lacks the time, resources, or expertise to stay on top of the evolving security landscape, you might consider a Managed Security Service Provider (MSSP) to take that load off of your team. Read more about MSSPs here.

As discussed throughout the Cyberattack Series so far, layers of security that cover your account credentials, endpoint devices, email system, and the activities within your network are all key to maintaining a strong defense against cyberattack tactics used every day. Whether an attack begins with an email, an open port, or an infected device, it’s important to have both your offense and defense ready in the fight against your adversaries.

New call-to-action


<< Back to Blog

Posted in Vulnerability Management, Perimeter Security, SOC-as-a-Service, Cyberattack Series