The Hacker Lifecycle Phase 1: Reconnaissance - How IncMan SOAR Playbooks Enable Protection


IncMan SOAR Playbooks

This is the first in a five-part blog series in which I will discuss how IncMan SOAR from DFLabs and its Security Orchestration, Automation and Response (SOAR) essentials combat each of the five stages of the hacker lifecycle. Automation is one of the most powerful and sought-after technologies in the information technology field, and being able to fully capitalize on it within the cybersecurity realm is critical to efficiency while reducing the need for extensive human intervention.

In this blog post I will highlight how DFLabs’ flagship product, IncMan SOAR, uses specially crafted Playbooks to meet those automation needs while defining a systematic approach to defending and protecting assets. I will also show how IncMan SOAR automatically and meticulously documents every aspect of a compromised device across each stage of the Incident Response framework.

A few weeks ago one of our DFLabs superstars wrote an article on the various forms or types of hackers that are currently in circulation. As a current certified ethical hacker with multiple years of experience supporting white-hat ethical hacking and red/blue team operations to several 3-letter government agencies, military and the private/public sector, I will use my experience to supply a follow-up to this recent post.

The last post covered the different types of hackers, both good and bad. Here I will go a few steps deeper into the rabbit hole to discuss the hacker phases and the lifecycle of a cyber attack. I will also briefly describe how IncMan SOAR Playbooks supply an automated scheme that not only provides defensive measures against each stage mentioned, but also makes full use of an organization's security posture.

Unfortunately, more often than not, a company’s security baseline turns out to be poorly developed, if it has been developed at all. A company will often go to great lengths to deploy a significant number of security appliances, software and applications, but then fail to configure and optimize those products to obtain the full set of capabilities each one supplies. IncMan SOAR addresses this by ensuring that all security tools are used to their greatest capacity and deliver the greatest possible output from those devices and applications.

The Hacker Lifecycle

The following information highlights the main tenets of the hacker lifecycle. Regardless of the type, whether black, white, grey or green hat, they all follow the same protocols. Which hacker type you ask, and the end-game goal they have in mind, will dictate to some degree which stages they undergo. However, regardless of the sophistication and experience level of the hacker, each stage of the lifecycle tends to follow the same process, because the results it supplies are crucial to an effective hack. In this particular post I will go into detail on the first stage and how SOAR technology and IncMan Playbooks support defense and automation effectiveness.

The following listed steps illustrate the standard operating protocol to infiltrate/own a system:

  • Reconnaissance

  • Scanning of System (External/Internal)

  • Gaining Access

  • Maintain Access & Elevate Privileges

  • Cover Tracks & Remain Dormant

We shall elaborate on the first stage, ‘Reconnaissance’. Before we continue we will establish what elements fall into the ‘Reconnaissance’ phase and focus on those for this particular segment. A few main factors of the Recon phase include, but are not limited to:


  • Social Networking (Facebook, LinkedIn, Twitter)

  • Job Boards (Description of Hardware/Software)

  • Company Websites (Bios, Chain-of-Command)

  • Social Engineering (Physical layout, asset count, # of employees, work schedules, work habits)

This type of intelligence gathering feeds various Social Engineering tactics and Whaling or Spear-Phishing campaigns. Gaining this type of intel is crucial to understanding the layout of a company, what services and applications are in use, and Personally Identifiable Information (PII), to name just a few. Job boards will often post requisites based on the needs of the company: an employer will list skillset requirements such as proficiency in certain operating systems or platforms.

For example, a company may state that it needs someone qualified in Windows 10, Red Hat, Salesforce, or any number of other software or hardware products. Given this information, a hacker may then use tools such as Metasploit to enumerate the known vulnerabilities associated with the listed products and begin testing whether or not they have been patched. This is one of the fundamental reasons why having a strong Threat and Vulnerability Management Program in place is key for an organization. If they have not been patched, these vulnerabilities might be exploited for compromise or as part of an Advanced Persistent Threat (APT) campaign.
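From the defender's side, the cheapest countermeasure to this kind of recon is to review job postings before they go out. The script below is an added example, not DFLabs or IncMan code: it scans a constructed posting for product names paired with version numbers (the combination an attacker can map straight to known vulnerabilities), rates each finding, and produces a version-stripped copy suitable for publication. The product list is a hypothetical stand-in for an organization's real inventory.

```python
import re

# Constructed sample posting; the products and versions are illustrative only.
SAMPLE_POSTING = """
Senior Systems Administrator
Requirements:
- 5+ years administering Windows 10 and Windows Server 2012 R2 domains
- Experience with Red Hat Enterprise Linux 7.4 and Apache 2.4.29
- Salesforce administration; Cisco ASA 9.8 firewall management
- Familiarity with Oracle Database 12c
"""

# Hypothetical watch list; replace with the organization's actual stack.
PRODUCTS = ["Windows Server", "Windows", "Red Hat Enterprise Linux", "Apache",
            "Cisco ASA", "Oracle Database", "Salesforce"]

# Matches "10", "7.4", "2.4.29", "2012 R2", "12c".
VERSION_RE = r"(\d+(?:\.\d+)*(?:\s?R\d+)?[a-z]?)"


def review_posting(text):
    """Flag product mentions; a product plus version is rated high, name alone low."""
    findings = []
    work = text
    # Longest names first, and blank out each match, so "Windows" does not
    # re-match inside an already recorded "Windows Server 2012 R2".
    for product in sorted(PRODUCTS, key=len, reverse=True):
        pattern = re.compile(r"\b" + re.escape(product) + r"(?:\s+" + VERSION_RE + r")?",
                             re.IGNORECASE)

        def record(m):
            version = m.group(1)
            findings.append({"product": product, "version": version,
                             "severity": "high" if version else "low"})
            return " " * len(m.group(0))

        work = pattern.sub(record, work)
    return findings


def strip_versions(text):
    """Return the posting with product versions removed, ready to publish."""
    out = text
    for product in PRODUCTS:
        out = re.sub(r"\b(" + re.escape(product) + r")\s+" + VERSION_RE, r"\1",
                     out, flags=re.IGNORECASE)
    return out


if __name__ == "__main__":
    for f in review_posting(SAMPLE_POSTING):
        print(f"{f['severity']:4}  {f['product']}  {f['version'] or '(no version)'}")
    print(strip_versions(SAMPLE_POSTING))
```

The sanitized posting still tells candidates which platforms matter while denying an outsider the exact patch level to target.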

Additionally, Social Engineering tactics may be employed to play on people's likes and dislikes, weaknesses, wants and desires. Perusing social media platforms plays a huge role in the overall hacking process. Through sites such as Facebook, LinkedIn or Twitter, anyone so inclined can obtain a huge amount of information on the selected mark within a company or organization. Likewise, they can gain much insight into the company itself, assuming it has a Facebook or LinkedIn page.

This is a critical component because, by manipulating an employee through various techniques and tactics, one can get that employee to divulge confidential information about the company’s processes and internal procedures. This, of course, is only the starting point in the multiple stages of the hacker lifecycle. Even though it is the first stage, it is arguably one of the most important. Speaking from personal experience, I have in the past been able to infiltrate and compromise a company solely through Facebook information, a phone, and a few basic social engineering tactics to finesse a mark.

IncMan SOAR Playbooks and Incident Response Use Case

Playbooks are a critical part of the underlying IncMan SOAR platform mechanisms. It is here that the main automation abilities within IncMan initiate a series of steps that can be specially crafted to accommodate a particular compromise or a particular requirement of a customer or organization’s security infrastructure. A systematic framework serves as a backbone component of IncMan’s technology and is played out through Playbooks and Runbooks.

IncMan provides a Social Engineering Playbook template, among many other Playbook templates, to accommodate the various social engineering attack campaigns. Within these playbooks you will find the steps and stages of the incident response process that need to be defined and regulated to ensure optimal protection and establish specific actions. All attack vectors, malware families and exploits exhibit certain behaviors and follow standard protocols for their particular attack type, and having a basic understanding of these different behaviors is a critical component of creating protective measures against future attacks.

Reducing the need for human intervention during an attack significantly reduces dwell time and the mean time to isolation and remediation, and enhances the overall end-to-end Incident Response and Remediation process. Additionally, it is imperative that an automated process is in place to validate and document all stages and aspects of the compromise. This may be addressed via various input sources, including but not limited to syslog, email and database retrieval. This is a vital element, as the data supplied is properly organized and will be used for review, historical documentation and lessons learned. Incorporating all of these requirements is one of the key strengths embedded within IncMan SOAR.


To finalize this first part in the five-part series, I would like to re-emphasize a few key points. As previously mentioned, there is a standard lifecycle or process that a hacker will follow to reach his or her objective. Depending on the objective, the mark, the type of hacker and the intended end result, a hacker often will not need to go through all of the steps to reach that goal. An organization will often have many security tools in place that are either poorly configured or not configured at all. This results in a host of related issues, such as compromised assets, reduced return on investment (ROI), and lost manpower and resources associated with these diminished returns on security controls.

Luckily, tools such as IncMan SOAR have been developed to ensure that the cybersecurity appliances and applications within an infrastructure are used to their greatest capacity and that automation capabilities are in place. This not only drastically reduces triage and dwell time, but also initiates the incident response process in an automated machine-to-machine fashion without the need for human intervention.

Stay tuned for more to follow in future posts on how IncMan SOAR is used to support many functionalities in the never-ending fight against unethical hackers and the continuously evolving attack vectors within the threat landscape.
