“Reconnaissance” (recon) is a military term that refers to observing a target (usually in a clandestine way) and gathering information about it. The term and its meaning have also found its way into cybersecurity. Cyber attackers use a number of recon techniques to gather sensitive information about a target organization – which would be you.
Such recon attacks often seem harmless at first, and are often overlooked by security administrators. This can be a dangerous mistake because attackers use the information gained in reconnaissance for subsequent ransomware attacks, denial of service (DoS) attacks, advanced persistent threats (APTs), and other malicious purposes.
On the positive side, security teams can likewise perform reconnaissance during penetration testing to understand the attacker mindset and improve the company’s security strategy.
What Is Cybercriminal Reconnaissance?
Cyber attackers use reconnaissance techniques and tools to “stake out” an organization’s security environment and identify weaknesses. The attackers’ goal is to exploit these weaknesses to bypass security controls so that they can:
- Sabotage or damage devices
- Encrypt systems and demand a ransom
- Steal sensitive or confidential data
- Prepare for later or longer-term attacks (such as advanced persistent threats, or APTs)
Attackers usually perform recon in multiple stages to gather more information about the target, identify exploitable open ports or vulnerable services, and gain unauthorized access to enterprise resources – all while evading security alarms. These phases are as follows.
Open Source Intelligence (OSINT) Gathering
Attackers use search engines, financial databases, domain name registries, business reports, and other readily available data mining tools to learn about the company’s:
- DNS names
- Organizational structure
- Business partners
- Brands and divisions
After collecting information about the target, the adversary mines and translates DNS host names into IP addresses or IP address ranges. To achieve these aims, the attackers may use data mining tools, a domain information groper (DIG) command-line tool, or the WHOIS Internet record listing.
Humans are often the weakest link in cybersecurity; that’s why this is an important phase in criminal recon. The adversary gathers intelligence about the people associated with the organization, such as employees, senior managers, and third-party service providers. The information may include:
- Job titles
- Contact information
- Other personal details
To collect this data, the attacker may use sources such as email lists, social media and website posts, public records, and search engines.
In this phase, attackers confirm the validity of collected information using WHOIS or DIG. To this end, they remove invalid or duplicate data and gather additional information to support verification.
More Information Verification
In the final phase, the threat actor confirms the reachability of the IP addresses identified in previous phases. They use mapping tools, port scanners, or packet internet groper (PING) tools to compile a list of reachable IP addresses.
There is no typical timeframe for reconnaissance. Depending on the target, the attacker’s skills, and the type of information the attacker seeks, a recon mission may take anywhere from a few days to several months.
In a well-protected enterprise network, the attacker may not gain any useful information. In weaker networks, however, the attacker may gather enough information to exploit the environment, install harmful malware and trojans, or exfiltrate sensitive data.
What is a Reconnaissance Attack?
Recon may appear to be a simple information-gathering mission or a precursor to a “real” attack. As a practical matter for CISOs, however, it’s useful to see recon as just another type of attack that requires a response from you, even if recon doesn’t damage enterprise resources or data.
A reconnaissance attack allows criminals to prepare for subsequent DoS attacks, ransomware attacks, APTs, and so forth. There are three main types of recon attacks:
Software Recon Attacks
The adversary uses software tools, such as debugging or troubleshooting utilities, to gather information about the target network and resources. For example, the attacker might use the nslookup command to investigate a DNS and find a reachable IP address from the domain name. The attacker can then use WHOIS to find more information about the organization, such as its mail servers, DNS servers, personnel contact information, and the like.
The hacker may also use the ping command to confirm that a target host is live, or the tracert command to create a visual map of the target network. Some attackers also use network scanners to detect running services, operating systems, firewalls, and other exploitable resources on the target host.
Public Recon Attacks
This attack involves collecting information about the target from public sources such as company websites, business reports, web archives, domain name registrars, and financial databases. These sources allow the attacker to determine:
- The target’s location
- The target’s IT infrastructure
- Vulnerabilities in enterprise systems
- Confidential information such as intellectual property, blueprints, or business plans
Social Recon Attacks
A social recon attack exploits human weaknesses like greed and the tendency to trust others. The attacker uses social engineering methods such as phishing, scareware, pretexting, and baiting to fool or threaten a person into revealing information about the target organization. The attacker may also look at employees’ social networking accounts to gather information about the company’s employees, partners, M&A plans, and more.
Common Reconnaissance Tools
Attackers can use many techniques and tools to perform reconnaissance on a target. For example, they may use ICMP ping sweeps to scan a network and find a range of IP addresses that map to live hosts. Or attackers might leverage SNMP walking techniques to gather information about network maps and device configurations.
Some attackers also use application-level scanners to search for vulnerabilities in web server common gateway interfaces (CGI) or application code. Other popular recon tools and techniques include:
- Google dorking
- Shodan search engine
- CVE (Common Vulnerabilities and Exposures) database
- Wireshark network analysis tool
- Maltego OSINT and forensics application
- Nmap port scanner
- OpenVAS vulnerability scanner
How Reconnaissance Helps Organizations With Strategic Security Planning
Many organizations, even those that are cyber-prepared, rely on attack detection and response tools (for example, endpoint detection and response, or EDR) to identify cybersecurity threats and mitigate attacks.
While these tools are important for cybersecurity, they are reactive. That means they cannot identify reconnaissance activities or prevent reconnaissance attacks; recon is so low-profile and unobtrusive, there’s hardly anything for those tools to react to.
Most EDR tools also produce a high volume of alerts and false positives. Amid all this noise, serious reconnaissance-related threats can easily get lost. These high alert volumes also overwhelm security teams and keep them from performing security tasks such as software patching or system hardening.
Knowing these facts of security life helps with effective security planning and implementation. Security teams that understand the risk of recon attacks can implement appropriate tools and controls to:
- Build a deeper understanding of the enterprise network
- Identify vulnerable ports or applications that could be exploited by an attacker
- Detect security blind spots
- Update security policies
These tools may include anti-malware and antivirus software, EDR platforms, next-generation firewalls (NGFWs), Security Information and Event Management (SIEM), and digital risk protection services (DRPS) to counter reconnaissance attacks.
In addition, the team can determine whether the organization needs more advanced solutions enhanced with artificial intelligence (AI) or machine learning to detect recon attack patterns and intercept threats in real-time.
Companies can also perform reconnaissance as part of penetration testing and red team exercises. These exercises can help them determine their security posture and find security weaknesses that must be fixed on priority.
Additionally, recon helps security teams to understand the tactics, techniques, and procedures (TTPs) potential hackers may use as part of their recon missions. For the latter, it’s useful to use widely accepted frameworks like MITRE ATT&CK or Lockheed Martin Kill Chain.
Then the team can:
- Take steps to harden networks and systems
- Implement appropriate controls to keep data safe
- Audit existing security systems
- Implement monitoring and threat intelligence to detect in-progress recon
- Train staff to recognize the signs and dangers of recon attacks
Security admins may also deploy deception campaigns to lure attackers into the network and track their activity. Implementing deception tactics into the security strategy is an active way to stop reconnaissance attacks before they happen and protect the organization.
Strengthen Enterprise Security with Reciprocity ROAR
Be more strategic about your cybersecurity, to prevent recon attacks and keep attackers out of your enterprise network – and to do this, you need the right technology. Try Reciprocity’s ROAR platform.
ROAR, a comprehensive cybersecurity risk management platform, provides a unified, real-time view of risk. Leverage this view to understand the risk implications of various processes, distinguish between strategic versus operational risk, and mature your risk program.
Get a demo to know how ROAR’s advanced functionality can support your anti-reconnaissance efforts.