Reconnaissance
In the context of cybersecurity, reconnaissance is the practice of covertly discovering and collecting information about a system. This method is often used in ethical hacking or penetration testing.
Like many cybersecurity terms, reconnaissance derives from military language, where it refers to a mission with the goal of obtaining information from enemy territory.
How Reconnaissance Works
Reconnaissance generally follows seven steps:
- Collect initial information
- Determine the network range
- Identify active machines
- Find access points and open ports
- Fingerprint the operating system
- Discover services on ports
- Map the network
Using these steps, an attacker will aim to gain the following information about a network:
- File permissions
- Running network services
- OS platform
- Trust relationships
- User account information
One of the most common techniques involved with reconnaissance is port scanning, which sends data to various TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports on a device and evaluates the response.
Differences Between Passive and Active Reconnaissance
There are two main types of reconnaissance: active and passive reconnaissance.
With active reconnaissance, hackers interact directly with the computer system and attempt to obtain information through techniques like automated scanning or manual testing and tools like ping and netcat. Active recon is generally faster and more accurate, but riskier because it creates more noise within a system and has a higher chance of being detected.
Passive reconnaissance gathers information without directly interacting with systems, using tools such as Wireshark and Shodan and methods such as passive OS fingerprinting, which infers the operating system from traffic that is already observed rather than from probes sent to the target.
How To Prevent Reconnaissance
Organizations can use penetration testing to determine what their network would reveal in the event of a reconnaissance attack. Organizations can outsource the work by hiring security testing professionals to carry out penetration testing, vulnerability assessment, compliance testing, etc.
During testing, organizations can deploy port scanning tools (which scan large networks and determine which hosts are up) and vulnerability scanners (which find known vulnerabilities in the network).
SIEM solutions can also detect source IPs that are running a port scanning tool in your network.
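The port-scan behaviour described under port scanning above, and the SIEM-style detection of scanning source IPs described here, can be illustrated with a small detector over connection logs. The code below is an added example, not part of the original article or any product: it assumes a hypothetical, simplified log format of "timestamp source_ip destination_ip destination_port action" per line, and the log lines it processes are constructed for the demonstration. It groups events per source IP into fixed time windows and raises an alert for a vertical scan (one source probing many ports on one host) or a horizontal sweep (one source probing one port across many hosts).

```python
"""Port-scan detection over connection logs (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Naive epoch used so bucketing does not depend on the machine's local timezone.
_EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse one line of the hypothetical format:
    '<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>'."""
    ts, src, dst, port, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "action": action,
    }


def detect_scans(lines, window_seconds=60, vertical_threshold=10, horizontal_threshold=10):
    """Return a list of alerts for sources whose activity inside one fixed
    time window looks like a vertical scan (many ports on one host) or a
    horizontal sweep (one port across many hosts)."""
    # (src_ip, window bucket) -> per-destination port sets and per-port host sets
    buckets = defaultdict(lambda: {
        "ports_by_dst": defaultdict(set),
        "dsts_by_port": defaultdict(set),
    })
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        bucket = int((ev["ts"] - _EPOCH).total_seconds()) // window_seconds
        b = buckets[(ev["src"], bucket)]
        b["ports_by_dst"][ev["dst"]].add(ev["port"])
        b["dsts_by_port"][ev["port"]].add(ev["dst"])

    alerts = []
    for (src, _bucket), b in buckets.items():
        for dst, ports in b["ports_by_dst"].items():
            if len(ports) >= vertical_threshold:
                alerts.append({"type": "vertical", "src": src, "dst": dst, "count": len(ports)})
        for port, dsts in b["dsts_by_port"].items():
            if len(dsts) >= horizontal_threshold:
                alerts.append({"type": "horizontal", "src": src, "port": port, "count": len(dsts)})
    return alerts


def constructed_sample_log():
    """Constructed sample traffic (not real data): a 12-port vertical scan from
    10.0.0.5, a 12-host sweep on port 445 from 10.0.0.9, and benign HTTPS
    connections from 10.0.0.7, all within the same minute."""
    lines = []
    base = datetime(2024, 5, 1, 10, 0, 0)
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.1.20 {port} DENY")
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.9 10.0.1.{i + 1} 445 DENY")
    for i in range(3):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.0.0.7 10.0.1.20 443 ALLOW")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(constructed_sample_log()):
        print(alert)
```

Two caveats a practitioner would apply before using this pattern in a SIEM rule: fixed windows split a scan that straddles a window boundary, so production rules usually use sliding windows or a stateful aggregation; and counting only denied or RST-answered connections, rather than all connections, cuts false positives from legitimate multi-port services such as monitoring agents and load balancers.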
Other reconnaissance prevention techniques are highlighted in the MITRE ATT&CK Framework.