Reconnaissance is a crucial stage in any cyber attack and refers to the process of gathering information about potential targets, their systems, networks, and vulnerabilities. This information is used by attackers to select which tactics, techniques, or tools will be most effective when attempting to compromise a target system or organization. Reconnaissance can be divided into two primary methods: active and passive.
In active reconnaissance, attackers directly engage with their target to gather information. This may include scanning networks for open ports or services, attempting to query servers or probing for vulnerabilities. Since the attacker is actively interacting with target systems, it has higher chances of being detected by intrusion detection systems, firewalls or security teams.
Common active reconnaissance tools include:
In passive reconnaissance, the attacker seeks to gather information about the target without making any contact or directly engaging with target systems. Passive reconnaissance is often harder to detect and involves activities such as social engineering, open-source intelligence (OSINT) gathering, or analyzing leaked data.
Common passive reconnaissance techniques include:
Defensive measures against reconnaissance include monitoring network traffic for unusual patterns or repeated probing attempts, regularly updating and patching systems, providing employee training on social engineering awareness, and implementing network segmentation to limit access to sensitive information.