Which stage of the cyberattack lifecycle can be identified by port scans from external sources?

The identification of port scans from external sources is primarily associated with the reconnaissance stage of the cyberattack lifecycle. During this phase, an attacker gathers information about the target environment to identify potential vulnerabilities. Port scanning is a method used to discover open ports on a networked system, which can indicate what services are running, and potentially highlight technical weaknesses that can be exploited.

Reconnaissance is a critical first step in an attack since it provides essential information that shapes the subsequent phases of the lifecycle. By conducting port scans, attackers can map out the attack surface, understand the network configuration, and prepare for weaponization and delivery by determining the most promising entry points for their attack.

The other stages, such as weaponization, delivery, exploitation, and installation, focus on specific activities after initial intelligence gathering has occurred. They do not involve the external examination of a system's open ports, which is a hallmark of the reconnaissance process. Thus, the correct identification of this proactive scanning as a reconnaissance activity underscores its role in the broader context of cybersecurity awareness and threat analysis.