by Mendy Newman
Posted on March 23, 2022
Just as a military attack begins with intelligence gathering about the enemy’s defenses and target selection, a sophisticated cyberattack begins with the hacker collecting intelligence about the target’s cyber defenses so they can find the best way to attack.
In the hacking world, such intelligence gathering is known as “reconnaissance” or “recon,” a term borrowed from the military, used to describe observation of an area to locate the enemy or identify and understand strategic features. Some hackers claim to spend up to three fourths of their effort on reconnaissance.
Understanding how attackers conduct reconnaissance can help you identify appropriate countermeasures and ensure that they are in place. Stymying reconnaissance efforts can significantly reduce your chances of becoming a victim.
Reconnaissance can either be passive, with the attacker conducting their research without interacting with your system, or active, with the attacker taking steps that can be detected (with proper tools and sufficient attention), such as probing your ports.
Attackers can learn a lot of information with passive recon. A few examples:
Since passive reconnaissance does not involve directly engaging with servers in a way that would be detected as unusual activity, the primary mechanisms for defending against passive reconnaissance are simply being careful to keep information about your network, software, systems and so on private. User education is an important part of this effort, since casual posts on social media or Reddit can reveal valuable information to a hacker who’s looking.
Passive reconnaissance is useful, but limited. To really understand the ins and outs of your network and find software vulnerabilities an attacker needs to actively probe for weaknesses. This can be risky for the hacker because it could lead to early detection – in essence, blowing their cover before they get the goods they came for.
Hackers use many different tools to conduct active recon, many of which are also used by cybersecurity professionals and ethical hackers, with the aim of finding vulnerabilities before cybercriminals do. Examples include programs that support:
Additional cyber reconnaissance tools such as Spyse can be used to conduct both passive and active recon.
There’s pretty much no way to make your organization’s digital presence 100% invisible to cybercriminals, but there are several steps you can take to make their job harder.
One of the most important steps you can take is to reduce the “attack surface” available to an attacker who is trying to get into your network. Steps that can reduce your attack surface include:
Other measures that should be taken include:
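A concrete way to act on attack-surface reduction is to compare what a host actually exposes to the network with what it is approved to expose. The script below is an added example, not code from the original article or any product it names. The listing it parses is constructed in the shape of Linux `ss -ltn` output, and the approved-port baseline is an assumption for the sample host; on a real system you would feed the command's actual output to `audit_listeners` and maintain the baseline per host role.

```python
"""Report network-facing listeners that are not on the approved baseline (added example)."""
import ipaddress

# Constructed listing shaped like `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       100     [::1]:25            [::]:*
LISTEN  0       128     [::]:3306           [::]:*
"""

# Assumed baseline for this sample host: only SSH and HTTPS may face the network.
APPROVED_EXPOSED_PORTS = {22, 443}


def _is_local_only(addr):
    """True when the bind address only accepts connections from the host itself."""
    addr = addr.strip("[]")
    if addr in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed rather than hide it


def parse_listeners(text):
    """Yield (bind_address, port) for each LISTEN row of an ss-style listing."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 like [::] intact
        yield addr, int(port)


def audit_listeners(text, approved=APPROVED_EXPOSED_PORTS):
    """Return (address, port) pairs that are reachable beyond localhost and not approved,
    sorted by port so the report is stable from run to run."""
    findings = []
    for addr, port in parse_listeners(text):
        if _is_local_only(addr):
            continue
        if port not in approved:
            findings.append((addr, port))
    return sorted(findings, key=lambda ap: (ap[1], ap[0]))


if __name__ == "__main__":
    for addr, port in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unapproved network-facing listener: {addr}:{port}")
```

On the sample listing the database bound to 127.0.0.1 and the mail service on [::1] are ignored because only the host itself can reach them, while the wildcard-bound web server on 80 and the IPv6-wide database on 3306 are reported. Either each is added to the baseline deliberately, or it is closed, firewalled or rebound to localhost, which is exactly the choice attack-surface reduction asks you to make for every exposed service.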
Just as a military attack starts with reconnaissance to identify targets and weaknesses, cyberattacks also begin with watchful intelligence gathering. Foiling these attempts to collect information about your network, users, and resources can stop attacks before they even occur, or at least vastly minimize the damage that’s done. Look to a comprehensive Zero Trust SASE platform such as ZTEdge to provide an array of tools that are valuable for foiling reconnaissance missions.