Information gathering is often the starting point of a cyberattack. Before attempting anything, most attackers want to know who they are dealing with, which vulnerabilities they might exploit, and whether they can operate without being noticed.
During such reconnaissance operations, attackers collect relevant data about their victims, but doing so is not without risk for them: well-defended systems use detection tools to spot and block suspicious probing, and can sometimes identify the adversary behind it.
It’s essential for companies and organizations to understand this initial step to prevent breaches and detect attacks early.
MITRE ATT&CK, a popular knowledge base for beginners and security professionals, defines reconnaissance as a fundamental tactic that leverages the “techniques that involve adversaries actively or passively gathering information that can be used to support targeting.”
That valuable information is then used to aid further actions, which might involve attacking a vulnerability or additional reconnaissance work.
Active vs. Passive Reconnaissance
Reconnaissance is a critical phase in the adversary cycle. It’s not uncommon for attackers to spend far more time on the pre-attack phase than on the attack itself, and wrong or incomplete reconnaissance can doom the whole operation.
Ping sweeps, port scanning, and traceroute are practical examples of active reconnaissance: the attacker sends packets directly to the targeted machines to enumerate live hosts, open services, and software versions, and every one of those probes is something the target can log.
Passive reconnaissance is the opposite. The attacker does not touch the target’s systems and instead collects data indirectly, through techniques such as physical observation around buildings, eavesdropping on conversations, dumpster diving for papers with logins and passwords, Google dorks, open source intelligence (OSINT), Shodan searches, WHOIS records, and sniffing traffic the attacker can already see. Note that “passive” is relative to the victim: a WHOIS or Shodan query still leaves a trace at the third-party service, just not on the target’s own network.
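The point that active reconnaissance is observable by the target is easy to see in code. The following is an added example, not code from the original article: it runs a plain TCP connect scan against a listener the script starts itself on 127.0.0.1 (so it needs no network access), and the listener records every peer that connects, which is exactly the trace a real target’s service or firewall logs would hold. The port numbers are chosen by the OS at run time; nothing here targets a real host.

```python
"""Active reconnaissance, seen from both sides (added example, not from the article)."""
import socket
import threading
import time


class LoggingListener:
    """Stand-in for a target service: accepts connections and logs the peer address."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))            # port 0: let the OS pick a free one
        self.sock.listen(5)
        self.sock.settimeout(0.2)            # lets the accept loop check _stop
        self.port = self.sock.getsockname()[1]
        self.seen = []                       # (ip, port) of every peer that connected
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                  # socket closed underneath us
                break
            self.seen.append(addr)           # this is the "log entry" a defender gets
            conn.close()

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def reserve_closed_port(host="127.0.0.1"):
    """Bind a port without listening: connects to it are refused (RST), and
    holding the socket keeps the OS from handing the port to anyone else."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    return s


def tcp_connect_scan(host, ports, timeout=0.5):
    """Complete a TCP handshake to each port; {port: True} means open.

    Unlike a half-open SYN scan this finishes the connection, so the target's
    application layer sees it, not only its kernel or firewall.
    """
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:                      # refused, timed out, unreachable
            results[port] = False
    return results


def demo():
    """Scan one open and one closed local port; return what each side observed."""
    target = LoggingListener()
    closed_sock = reserve_closed_port()
    closed_port = closed_sock.getsockname()[1]
    try:
        scan = tcp_connect_scan("127.0.0.1", [target.port, closed_port])
        deadline = time.time() + 2.0         # give the accept loop time to log the peer
        while not target.seen and time.time() < deadline:
            time.sleep(0.01)
        seen = list(target.seen)
    finally:
        target.close()
        closed_sock.close()
    return {"open_port": target.port, "closed_port": closed_port,
            "scan": scan, "seen": seen}


if __name__ == "__main__":
    r = demo()
    print("attacker's view:", r["scan"])   # which ports answered
    print("target's log   :", r["seen"])   # who knocked, and from where
```

The attacker learns which port is open; the target learns the attacker’s address. That asymmetry is why real scanners go to such lengths (timing, decoys, idle scans) to muddy the second half.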
What Data Do Hackers Collect?
MITRE has identified a number of reconnaissance techniques used by attackers to collect actionable information, such as:
- Active IP addresses, hostnames, open ports, certificates, server banners, gateways, and routers
- Credentials, emails, employee names, roles, departments/divisions, and physical location
- Antivirus and EDR tools, SIEM systems (security information and event management), security vendors, software, hardware, firmware, and operating systems
- Domain names, subdomains, CDN, mail servers, and other hosts
- Public WHOIS data such as DNS name servers, IP blocks, and contact information
- Financial data and intellectual property
- Purchased data from reputable sources or black markets
Many of these data types would normally require direct interaction such as active scanning, but it’s still possible to consume the results of someone else’s earlier active scan passively, for example through a dedicated search engine such as Shodan, which continuously scans the internet and indexes the banners and open ports it finds.
Sometimes, hackers only need Google and motivation to find vulnerabilities to exploit.
Corporate websites or apps can reveal details about the business relationships, the supply chain, and other sensitive elements. Adversaries can also leverage social media to stalk victims and collect precious information.
The Top Reconnaissance Tools
The most popular reconnaissance tools are probably the following:
- Nmap, the de facto standard port scanner and service enumeration tool
- Wireshark, a packet capture and protocol analysis tool
- Metasploit and the Burp Suite, comprehensive attack frameworks (network exploitation and web application testing, respectively) that include reconnaissance modules
- BeEF, the Browser Exploitation Framework
- Cobalt Strike, a commercial adversary simulation platform
Beyond these, an extensive range of tools include modules for reconnaissance work or can be used to collect specific kinds of data, and many of them are free and open source.
Be Aware of the Attackers’ Timing and Goals
One of the most underappreciated aspects of hacking is timing. It’s not uncommon for reconnaissance to be conducted long before the attack.
Experienced attackers rarely strike right after gathering information. They often collect data and return weeks or months later to check whether the target is still vulnerable, which makes it much harder for defenders to correlate the earlier scanning with the eventual intrusion.
Attackers can also scan and collect data from several targets over time, which lets them decide which ones are worth attacking and which can be dropped from the list. When there’s money involved and easier targets elsewhere, there’s no point wasting resources on well-secured systems and security-aware organizations.
How to Protect Against Reconnaissance
Unfortunately, not all targets are hard for attackers; many allow data to be collected freely, and that data can then be sold to competitors or other threat actors if it’s valuable enough.
After successful reconnaissance, all kinds of attacks become possible, including ransomware, sensitive data exfiltration, additional reconnaissance work, public disclosures, destructive attacks, lateral movement, and more.
Simple security hygiene and awareness alone aren’t enough to prevent such outcomes. You should consider implementing more advanced strategies and solutions, such as endpoint detection and response (EDR), a SIEM, breach and attack simulation, and regular pentesting.
Stay informed about the latest vulnerabilities catalogued by MITRE’s CVE program, CISA (including its Known Exploited Vulnerabilities catalog), NIST’s National Vulnerability Database and other sources; prioritize fixes, patch them, and apply the other recommended mitigations. Between neglected patches and zero-day threats, organizations are no more than a few moves by an attacker from a data disaster.
These steps won’t spot every kind of reconnaissance, though. Stealth scanning techniques such as decoy scans, idle (“zombie”) scans, source-address spoofing, and FTP bounce scans are designed to hide the true origin of a scan rather than the scan itself: a defender may well see the probes but be unable to attribute them, and a scan spread thinly over hours or days can stay under rate-based thresholds altogether.
In any case, you must take measures to mitigate reconnaissance, and modern security solutions keep getting smarter, with features such as deception technology (honeypots and decoy assets) to lure and trap intruders who are enumerating the network.
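To make the evasion point concrete, here is an added example (not code from the original article) of the simplest port-scan detection rule defenders actually use, a per-source sliding window over distinct destination ports, run over constructed flow records. The log format (“ISO timestamp, source IP, destination IP, destination port”) and the addresses (RFC 5737 documentation ranges) are made up for the example, and the threshold and window are illustrative, not recommendations. It shows that a decoy scan is still detected but lands the same verdict on every decoy address, and that the slow, patient scanning described in the timing section above never trips the rule at all.

```python
"""Port-scan detection over flow logs, with decoy and slow-scan cases (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

DISTINCT_PORT_THRESHOLD = 10     # distinct destination ports from one source ...
WINDOW = timedelta(seconds=60)   # ... inside this window => flag the source


def parse_flow(line):
    """Parse the constructed '<ISO timestamp> <src_ip> <dst_ip> <dst_port>' record."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(lines, threshold=DISTINCT_PORT_THRESHOLD, window=WINDOW):
    """Return {src_ip: most distinct ports seen in one window} for flagged sources.

    Per-source sliding window: drop probes older than `window`, then count
    distinct destination ports among what remains.
    """
    history = defaultdict(list)              # src -> [(ts, dst_port), ...]
    flagged = {}
    for line in lines:
        ts, src, _dst, port = parse_flow(line)
        cutoff = ts - window
        history[src] = [p for p in history[src] if p[0] >= cutoff] + [(ts, port)]
        distinct = {p for _, p in history[src]}
        if len(distinct) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def flows(src, start, ports, step=timedelta(seconds=1), dst="192.0.2.10"):
    """Constructed flow records: `src` probing `ports`, one probe every `step`."""
    return [f"{(start + i * step).isoformat()} {src} {dst} {p}"
            for i, p in enumerate(ports)]


BASE = datetime(2024, 1, 1, 12, 0, 0)
SCANNER = "203.0.113.5"
DECOYS = ["203.0.113.7", "203.0.113.9", "198.51.100.3"]
PORTS = list(range(20, 36))                  # 16 distinct ports

# A legitimate client hitting HTTPS repeatedly: one port, never flagged.
NORMAL_TRAFFIC = flows("198.51.100.20", BASE, [443] * 5)

# Plain scan: one source, 16 ports in 16 seconds. Flagged, and attributable.
PLAIN_SCAN = NORMAL_TRAFFIC + flows(SCANNER, BASE, PORTS)

# Decoy scan: identical probes appear from the real scanner *and* from spoofed
# decoy addresses, interleaved in time. The rule still fires, but on every
# address equally, so the log alone cannot say which one is real.
DECOY_SCAN = NORMAL_TRAFFIC + sorted(
    line for src in [SCANNER] + DECOYS for line in flows(src, BASE, PORTS)
)

# Slow scan: same 16 ports, one probe every 30 s. At most three probes ever
# share a 60 s window, so a threshold of 10 is never reached.
SLOW_SCAN = NORMAL_TRAFFIC + flows(SCANNER, BASE, PORTS, step=timedelta(seconds=30))


if __name__ == "__main__":
    for name, log in [("normal", NORMAL_TRAFFIC), ("plain", PLAIN_SCAN),
                      ("decoy", DECOY_SCAN), ("slow", SLOW_SCAN)]:
        print(f"{name:>6}: {detect_port_scans(log)}")
```

The fix for the slow case is longer windows and stateful per-source baselines; the fix for the decoy case is not in the detector at all but in attribution (which of the flagged addresses later shows up in the actual intrusion), which is another reason to keep scan telemetry for months rather than days.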