Just as a military attack begins with intelligence gathering about the enemy’s defenses and target selection, a sophisticated cyberattack begins with the hacker collecting intelligence about the target’s cyberdefenses so they can find the best way to attack.
In the hacking world, such intelligence gathering is known as “reconnaissance” or “recon,” a term borrowed from the military, where it describes observation of an area to locate the enemy or to identify and understand strategic features. Some hackers claim to spend up to three-quarters of their effort on reconnaissance.
Understanding how attackers conduct reconnaissance can help you identify appropriate countermeasures and ensure that they are in place. Stymying reconnaissance efforts can significantly reduce your chances of becoming a victim.
Passive versus Active Reconnaissance
Reconnaissance can either be passive, with the attacker conducting their research without interacting with your system, or active, with the attacker taking steps that can be detected (with proper tools and sufficient attention), such as probing your ports.
Attackers can learn a lot of information with passive recon. A few examples:
- Google searches can be used to find employee email addresses, which can then be used in phishing attacks.
- Attackers can use a tool such as Wget to download your website and analyze it offline to find clues about your operating system, software in use, hardware, contact information, etc.
- Checking social media accounts can reveal a lot of information. LinkedIn can provide hackers with a wealth of information about individuals who might be targeted with phishing attacks. Comments people make on social media can reveal information about software or operating systems; for instance, a person may post a question that reveals that their workplace is using an old operating system, which could be a serious vulnerability.
- Public directories and Whois listings can provide a lot of information.
- Some attackers use phone calls to company employees and clever, but innocent-seeming, inquiries to collect information for social engineering attacks.
Since passive reconnaissance does not involve directly engaging with servers in a way that would be detected as unusual activity, the primary mechanisms for defending against passive reconnaissance are simply being careful to keep information about your network, software, systems and so on private. User education is an important part of this effort, since casual posts on social media or Reddit can reveal valuable information to a hacker who’s looking.
Passive reconnaissance is useful, but limited. To really understand the ins and outs of your network and find software vulnerabilities, an attacker needs to actively probe for weaknesses. This is risky for the hacker because it can lead to early detection, in essence blowing their cover before they get the goods they came for.
Hackers use many different tools to conduct active recon, many of which are also used by cybersecurity professionals and ethical hackers, with the aim of finding vulnerabilities before cybercriminals do. Examples include programs that support:
- Penetration testing, probing for software flaws and misconfigurations
- Vulnerability scanning tools that find exploitable weaknesses on systems
- Web server scanners that find vulnerabilities specifically on web servers
- Network mappers that help hackers figure out DNS information
Additional cyber reconnaissance tools such as Spyse can be used to conduct both passive and active recon.
Protecting Against Active Reconnaissance
There’s pretty much no way to make your organization’s digital presence 100% invisible to cybercriminals, but there are several steps you can take to make their job harder.
One of the most important steps you can take is to reduce the “attack surface” available to an attacker who is trying to get into your network. Steps that can reduce your attack surface include:
- Use Web Application Isolation to hide your website and the code of your web-facing applications (and any potential vulnerabilities they have) from active recon.
- Close any unused ports. Some companies have a standard RDP port open even if they are not using RDP.
- Turn off any unneeded software functionality. Code that’s not available can’t be exploited.
- Eliminate vulnerable VPNs, which expose IP ports and offer network-level connections to corporate infrastructure. Instead, implement Zero Trust Network Access (ZTNA) to enable granular user-level access to specific IT resources and apps. On microsegmented networks, even legitimate users can access only the applications they need. Policy-based least privilege access also limits the information that users have and may therefore expose, whether innocently or maliciously.
- Use Virtual Meeting Isolation to isolate user IP addresses from being exposed during virtual meetings and to protect endpoints from malware. Data loss prevention (DLP) can also be applied to stop users from sharing information that should not be exposed.
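A practical way to act on the “close any unused ports” advice is to compare what a host actually listens on against the services you expect. The script below is an added example, not code from the original post; it assumes Linux `ss -Hltn` style output (the sample is constructed, not captured from a real host) and a hypothetical allowlist of expected ports. Loopback-only listeners are skipped because they are not visible to network recon.

```python
"""Audit listening TCP sockets against an allowlist of expected services."""

# Constructed sample of `ss -Hltn` output (assumed format): one line per listener.
SAMPLE_SS = """\
LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 128   127.0.0.1:5432  0.0.0.0:*
LISTEN 0 128   0.0.0.0:3389    0.0.0.0:*
LISTEN 0 511   *:443           *:*
LISTEN 0 128   [::]:80         [::]:*
LISTEN 0 128   [::1]:9090      [::]:*
"""

# Addresses that only local processes can reach.
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def parse_listeners(ss_output):
    """Return (address, port) pairs from the Local Address:Port column."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip blank or malformed lines
        # rpartition handles bracketed IPv6 such as "[::]:80".
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(ss_output, allowed_ports):
    """Return network-facing ports that are not in allowed_ports, sorted.

    Each one is attack surface an active scan would find, so it should be
    closed or explicitly justified (the post's example is a stray RDP port).
    """
    exposed = set()
    for addr, port in parse_listeners(ss_output):
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-only service: not reachable by remote recon
        if port not in allowed_ports:
            exposed.add(port)
    return sorted(exposed)


if __name__ == "__main__":
    # Hypothetical allowlist: this host is supposed to offer SSH and HTTP(S) only.
    for port in audit_listeners(SAMPLE_SS, allowed_ports={22, 80, 443}):
        print(f"unexpected network-facing listener on port {port}")
```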
Other measures that should be taken include:
- Put an Intrusion Prevention System in place to detect threats in real time.
- Implement least privilege access and microsegmentation to block further recon inside the network if a hacker did find a way in, and prevent DNS information and IP ports from being exposed.
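The point made earlier, that active recon such as port probing is detectable with the right tools and attention, can be illustrated with a small detector of the kind an IPS or SIEM rule encodes. This is an added example, not code from the original post; it assumes firewall DROP log lines in the iptables-like format shown, and the sample lines are constructed. It flags a source that touches many distinct ports on one destination inside a short sliding window, which is the signature of a scan rather than of a legitimate client retrying a single service.

```python
"""Flag port-probing (active recon) in firewall deny logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (assumed iptables-like format, not real traffic):
# 198.51.100.7 sweeps nine ports in five seconds; 203.0.113.55 just retries 443.
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=21
2024-05-01T10:00:01 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22
2024-05-01T10:00:02 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23
2024-05-01T10:00:02 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=25
2024-05-01T10:00:03 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80
2024-05-01T10:00:03 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443
2024-05-01T10:00:04 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=3389
2024-05-01T10:00:04 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=8080
2024-05-01T10:00:05 fw DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=5900
2024-05-01T10:00:06 fw DROP SRC=203.0.113.55 DST=203.0.113.10 PROTO=TCP DPT=443
2024-05-01T10:03:00 fw DROP SRC=203.0.113.55 DST=203.0.113.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"^(\S+) \S+ DROP SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)")


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each DROP line; skip malformed ones."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_port_scans(log_text, min_ports=8, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} for sources that hit at least
    min_ports distinct ports on one destination within a sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        in_window = Counter()  # port -> number of hits inside the window
        left = 0
        for ts, port in events:
            in_window[port] += 1
            while ts - events[left][0] > window:  # expire old events
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                alerts.setdefault(pair, set()).update(in_window)
    return {pair: sorted(ports) for pair, ports in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```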
Just as a military attack starts with reconnaissance to identify targets and weaknesses, cyberattacks also begin with watchful intelligence gathering. Foiling these attempts to collect information about your network, users, and resources can stop attacks before they even occur, or at least vastly minimize the damage that’s done. Look to a comprehensive Zero Trust SASE platform such as ZTEdge to provide an array of tools that are valuable for foiling reconnaissance missions.