Introduction
What you’ll learn in this guide
- The CEH attack methodology phases, in the right order
- The objective and expected deliverables for each phase
- Typical attacker techniques (concept-level)
- Detection signals and defensive controls to strengthen
- Common pentest (and defense) mistakes that cost time and money
Important: ethical scope and defensive intent
This guide is educational and defense-oriented. It describes methodology and techniques at a conceptual level, without providing actionable exploitation instructions.
Overview: the CEH attack chain
You can understand the CEH methodology as a 10-phase progression:
- Reconnaissance (Footprinting)
- Scanning & Discovery
- Enumeration
- Vulnerability Analysis
- Exploitation (Gaining Access)
- Privilege Escalation
- Maintaining Access (Persistence)
- Lateral Movement & Expansion
- Covering Tracks (Defense Evasion)
- Reporting & Recommendations
1) Reconnaissance (Footprinting): understand the target before acting
Goal: gather maximum information with minimum noise.
What the attacker looks for:
- External attack surface: domains, subdomains, IPs, exposed services
- Organization context: subsidiaries, partners, vendors, suppliers
- People: roles, emails, habits, technologies in use
- Technical clues: web stack, cloud footprint, internal tools, data leaks
Defensive / audit deliverables:
- External attack surface inventory
- OSINT exposure risks (emails, documents, metadata)
- List of “forgotten” assets (subdomains, test environments)
Detection & controls:
- Reduce exposure: DNS hygiene, remove unused assets
- Publication policy: limit public technical details
- Monitoring: alerts for new subdomains, certificates, typosquatting
2) Scanning & Discovery: map the doors in
Goal: identify reachable systems and potentially exploitable services.
What the attacker looks for:
- Open ports/services, versions, configurations
- Web endpoints, APIs, admin pages, consoles
- Remote access services, VPNs, gateways, bastions
Deliverables:
- Map of exposed services (with criticality)
- List of outdated or misconfigured services
Detection & controls:
- WAF / rate limiting on sensitive endpoints
- Hardening: close unused ports, segmentation, MFA
- Detection: request spikes, abnormal scans, exploration patterns
3) Enumeration: turn discovery into usable knowledge
Goal: obtain “actionable” information about identity, permissions, and structure.
What the attacker looks for:
- Accounts, groups, roles, policies
- Shares, resources, internal services
- Trust relationships and privilege escalation paths
Deliverables:
- Access model: who can do what
- List of potential privilege paths
Detection & controls:
- Strong logging (auth, directory, resource access)
- Least privilege + privileged group reviews
- Detection: repeated enumeration, unusual resource access
4) Vulnerability analysis: prioritize what actually matters
Goal: identify vulnerabilities and misconfigurations that enable compromise.
What the attacker looks for:
- Known vulnerabilities (missing patches)
- Misconfigurations (exposure, excessive rights)
- Authentication weaknesses (no MFA, weak passwords)
Deliverables:
- Vulnerability list with severity + business impact
- Prioritized remediation plan (quick wins vs larger initiatives)
Detection & controls:
- Patch management + real asset inventory
- Regular scanning + manual validation for critical risks
- Governance: remediation SLAs defined by severity
5) Exploitation (Gaining access): establish an initial foothold
Goal: obtain initial access (account, session, host) using a weakness.
Typical vectors (conceptual):
- Identity: credential theft/reuse, MFA gaps, user error
- Web: application flaws, configuration errors, exposed secrets
- Endpoint: malicious attachments, vulnerable software, unsafe execution
- Cloud: exposed keys/APIs, overly broad permissions
Deliverables:
- Controlled proof of access + achieved scope
- Root cause analysis (why it was possible)
Detection & controls:
- Strong MFA + conditional access / risk-based protections
- EDR, endpoint hardening, email filtering, sandboxing
- Detection: abnormal logins, new devices, impossible travel
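As an added example (not code from the original guide), the impossible-travel signal listed above implemented as a detection rule over constructed login events: the user names, coordinates and the 900 km/h threshold are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login events (user, UTC time, source latitude, source longitude).
# Sample values only; coordinates would normally come from IP geolocation.
LOGINS = [
    ("alice", "2024-03-01T08:00:00", 48.8566, 2.3522),    # Paris
    ("alice", "2024-03-01T08:45:00", 40.7128, -74.0060),  # New York, 45 min later
    ("bob",   "2024-03-01T09:00:00", 51.5074, -0.1278),   # London
    ("bob",   "2024-03-01T21:00:00", 52.5200, 13.4050),   # Berlin, 12 h later
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive logins of one user that would require travelling
    faster than max_speed_kmh (roughly airliner speed). Returns a list of
    (user, implied_speed_kmh) tuples, one per suspicious pair."""
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, seq in by_user.items():
        seq.sort()  # order each user's logins by time
        for (t1, la1, lo1), (t2, la2, lo2) in zip(seq, seq[1:]):
            dist_km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours == 0:
                # simultaneous logins from two different places are always suspicious
                if dist_km > 0:
                    alerts.append((user, float("inf")))
                continue
            speed = dist_km / hours
            if speed > max_speed_kmh:
                alerts.append((user, round(speed, 1)))
    return alerts
```

In production the threshold should allow for VPN egress points and geolocation error, which otherwise produce false positives.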
6) Privilege escalation: go from “present” to “powerful”
Goal: gain higher privileges to act broadly.
What the attacker looks for:
- Permission misconfigurations
- Overpowered service accounts
- Weak secret storage (scripts, shares, repos)
Deliverables:
- Documented escalation path
- List of excessive privileges to remove
Detection & controls:
- PAM / JIT / JEA (time-bound privileges)
- Secret rotation + vaulting + remove shared accounts
- Detection: unusual privilege changes, new admin creation
7) Maintaining access (Persistence): survive fixes and resets
Goal: keep access even if the original entry point is closed.
What the attacker looks for:
- Persistence mechanisms (accounts, tasks, rules, tokens)
- Alternate access paths (backups, integrations, forgotten accounts)
Deliverables:
- Inventory of potential persistence points
- Hardening + monitoring recommendations
Detection & controls:
- Review accounts, rules, integrations, tokens
- Alerts on new accounts, rule changes, new secrets
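As an added example (not part of the original guide), a detector for the privileged-group and new-account signals from phases 6 and 7, run over a constructed directory audit stream; the group names, actors and the 30-minute correlation window are assumptions.

```python
from datetime import datetime, timedelta

# Groups whose membership changes should always raise an alert (assumed names,
# typical of an Active Directory environment; adjust to the real tenant).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed directory audit events: (actor, action, target, group, UTC time).
# Sample data only; a real feed would come from directory/IdP audit logs.
AUDIT = [
    ("svc-deploy", "user_created", "tmp-admin",  None,                "2024-03-01T02:10:00"),
    ("svc-deploy", "group_add",    "tmp-admin",  "Domain Admins",     "2024-03-01T02:12:00"),
    ("tmp-admin",  "group_add",    "tmp-admin",  "Enterprise Admins", "2024-03-01T02:20:00"),
    ("hr-sync",    "user_created", "jdoe",       None,                "2024-03-01T09:00:00"),
    ("itops",      "group_add",    "jdoe",       "Sales",             "2024-03-01T09:05:00"),
    ("itops",      "group_add",    "backup-ops", "Administrators",    "2024-03-01T14:00:00"),
]


def privilege_alerts(events, window=timedelta(minutes=30)):
    """Return (alert_kind, target, group, actor) tuples for:
    - any addition to a privileged group ("privileged_group_add"),
    - an account created and made privileged within `window` ("new_account_to_admin"),
    - an actor adding itself to a privileged group ("self_elevation")."""
    created_at = {}
    alerts = []
    for actor, action, target, group, ts in sorted(events, key=lambda e: e[4]):
        t = datetime.fromisoformat(ts)
        if action == "user_created":
            created_at[target] = t
        elif action == "group_add" and group in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", target, group, actor))
            if target in created_at and t - created_at[target] <= window:
                alerts.append(("new_account_to_admin", target, group, actor))
            if actor == target:
                alerts.append(("self_elevation", target, group, actor))
    return alerts
```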
8) Lateral movement & expansion: reach critical assets
Goal: move from one compromised system to more valuable systems.
What the attacker looks for:
- Paths to sensitive data (finance, HR, IP)
- Access to infrastructure (servers, directory, cloud control plane)
- Network trust and reused identities
Deliverables:
- Lateral movement graph (possible paths)
- Recommended segmentation + access controls
Detection & controls:
- Network segmentation, micro-segmentation, Zero Trust
- Detection: lateral auth patterns, unusual inter-system access
9) Covering tracks (Defense evasion): reduce visibility
Goal: lower detection probability and complicate investigation.
What the attacker looks for:
- Ways to reduce traces, hide origin, blur timelines
- Low-telemetry areas that are poorly logged
Deliverables:
- List of critical logs to protect
- Recommendations: centralization, immutability, retention
Detection & controls:
- SIEM centralization, immutable logging, restricted log access
- Alerts on log deletion/tampering, sudden telemetry drops
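As an added example (not code from the original guide), a check for the two phase 9 signals above, log tampering and sudden telemetry drops, run over a constructed event stream; host names, event types and the 25% drop threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def constructed_events():
    """Build a sample event stream (host, UTC time, event type). Three hosts log
    steadily for six hours; db01 goes almost silent in the last hour and jump01
    records an explicit log-clear event. Sample data, not from a real SIEM."""
    base = datetime(2024, 3, 1, 0, 0)
    events = []
    for hour in range(6):
        for host, per_hour in (("web01", 20), ("db01", 15), ("jump01", 10)):
            n = 1 if (host == "db01" and hour == 5) else per_hour
            for minute in range(n):
                events.append((host, base + timedelta(hours=hour, minutes=minute), "auth_ok"))
    events.append(("jump01", base + timedelta(hours=5, minutes=30), "log_cleared"))
    return events


def bucket_counts(events, window=timedelta(hours=1)):
    """Count events per host per time window; returns {host: [count, ...]}."""
    times = [ts for _, ts, _ in events]
    start, nwin = min(times), int((max(times) - min(times)) // window) + 1
    counts = defaultdict(lambda: [0] * nwin)
    for host, ts, _ in events:
        counts[host][int((ts - start) // window)] += 1
    return dict(counts)


def telemetry_alerts(events, drop_ratio=0.25, tamper_types=("log_cleared",)):
    """Flag explicit log-tampering events and hosts whose event count in the
    latest window fell below drop_ratio times their median earlier volume."""
    alerts = []
    for host, ts, etype in events:
        if etype in tamper_types:
            alerts.append((host, f"{etype} at {ts.isoformat()}"))
    for host, series in bucket_counts(events).items():
        baseline = median(series[:-1])
        if baseline > 0 and series[-1] < drop_ratio * baseline:
            alerts.append((host, f"telemetry drop: {series[-1]} events vs baseline {baseline:g}"))
    return sorted(alerts)
```

A host that disappears from the stream entirely never reaches the drop check, so a real pipeline should also compare the set of reporting hosts against the asset inventory.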
10) Reporting: turn technical findings into decisions
Goal: produce an actionable, prioritized report that business leaders can use.
A strong report includes:
- Executive summary (top risks, impact, likelihood)
- Reconstructed attack chain (what was possible)
- Controlled evidence (without dangerous disclosure)
- Prioritized remediation plan (30/60/90 days)
- Prevention + detection improvements (controls + monitoring)
Common mistakes (on both pentest and defense sides)
- Treating “vulnerability” as “risk” (without business context)
- Failing to document assumptions and test boundaries
- Underestimating identity (MFA, privileges, service accounts)
- Fixing symptoms without addressing root causes
- Insufficient telemetry: no logs = no investigation
Mini scenario: how to break the chain early
Imagine an organization where:
- Asset inventory is incomplete
- Admin access isn’t time-bound
- Logs aren’t centralized
In that environment, an attack chain can progress quickly. The most effective defensive strategy is to break the chain early: reduce exposure, harden identity, segment access, and make the environment observable.
Actionable next steps
- Build a real attack surface inventory (external + internal)
- Prioritize identity: strong MFA, least privilege, service account hygiene
- Define remediation SLAs (critical/high/medium)
- Centralize and protect logs (retention + immutability)
- Test detection capability (exercises, purple teaming)
Recommended training path
If you want a structured end-to-end framework (attack + defense mindset), a CEH course is a strong methodology-driven option.
FAQ
Is the CEH methodology the same as the Cyber Kill Chain?
They overlap. CEH is a pentest/ethical hacking learning framework, while the Kill Chain is an attack analysis model. Both help structure defense.
Why is identity so central?
Because many modern attacks focus on accounts, tokens, permissions, and misconfigurations—not just “spectacular” software bugs.
What’s the best phase to detect an attack?
As early as possible: reconnaissance/scanning and initial access. The further an attacker progresses, the higher the impact and remediation cost.
What must be logged no matter what?
Authentication, privilege changes, access to sensitive data, account/rule creation, and critical endpoint events—ideally centralized and protected.