The first stage in reconnaissance is identifying potential targets (companies or individuals) that satisfy the mission of the attackers (e.g., financial gain, targeted access to sensitive information, or brand damage). Once the target or targets are identified, the attackers determine their best mode of entry.
The initial compromise is usually in the form of hackers bypassing your perimeter defenses and, in one way or another, gaining access to your internal network through a compromised system or user account. Compromised systems might include your externally facing servers or end-user devices, such as laptops or desktops.
The compromised device is used as a beachhead into your organization.
Typically, this involves the attacker surreptitiously downloading and installing a remote-access Trojan (RAT) so they can establish persistent, long-term, remote access to your environment.
Once the attacker has an established persistent connection to your internal network, they seek to compromise additional systems and user accounts. First, they take over the user account on the compromised system. This account helps them scan, discover and compromise additional systems from which additional user accounts can be stolen.
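From the defender's side, the pattern described above (one account on one system reaching out to many other systems) shows up in authentication logs as fan-out. The following is an added example, not part of the original page: a detection check that flags an account and source host touching many distinct destinations in a short window. The log format, host and account names, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# timestamp, account, source host, destination host, result
SAMPLE_EVENTS = """\
2024-05-01T09:00:05 jsmith WS-014 FILE-01 success
2024-05-01T09:00:41 jsmith WS-014 FILE-02 failure
2024-05-01T09:01:10 jsmith WS-014 HR-DB-01 success
2024-05-01T09:01:52 jsmith WS-014 BUILD-03 failure
2024-05-01T09:02:30 jsmith WS-014 DC-01 success
2024-05-01T09:03:00 akhan WS-022 FILE-01 success
2024-05-01T13:15:00 akhan WS-022 MAIL-01 success
2024-05-01T16:40:00 akhan WS-022 FILE-01 success
"""

def parse_events(text):
    """Parse whitespace-separated event lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, result = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst, result))
    return sorted(events)

def find_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Return {(account, src): destinations} for every account/source pair that
    attempted logons to >= threshold distinct hosts inside one sliding window.
    Failed attempts count too, since discovery often produces failures."""
    by_origin = defaultdict(list)
    for ts, account, src, dst, _result in events:
        by_origin[(account, src)].append((ts, dst))
    alerts = {}
    for origin, hits in by_origin.items():
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            dests = {d for _, d in hits[start:end + 1]}
            if len(dests) >= threshold:
                alerts[origin] = sorted(dests | set(alerts.get(origin, [])))
    return alerts

if __name__ == "__main__":
    for (account, src), dests in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {account}@{src} reached {len(dests)} hosts: {', '.join(dests)}")
```

The window and threshold need tuning against normal behavior in your environment; administrators and service accounts legitimately touch many hosts and usually need their own baselines.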
At this stage of the Kill Chain, the attacker typically has multiple remote access entry points and may have compromised hundreds (or even thousands) of your internal systems and user accounts. They have mapped out and deeply understand the aspects of your IT environment of highest interest to them.
This is the final stage of the attack Kill Chain, and it is where the cost to your business rises exponentially if the attack is not defeated. This is the stage where the attacker executes the final aspects of their mission: stealing intellectual property or other sensitive data, corrupting mission-critical systems, and generally disrupting the operations of your business.