What's the difference between active and passive reconnaissance?

Exploring essential tools of both ethical and malicious hackers alike

Reconnaissance is one of the most important steps hackers must take in order to successfully prepare for a cyber attack against an organisation, providing an early look at the sorts of defensive measures that will need to be overcome.

Usually defined as either passive or active, reconnaissance gives hackers a blueprint of the entity they are targeting, most notably whether it runs its own on-prem infrastructure or relies on the cloud, together with a sense of its network and the devices connected to it. This early work primes the hackers with the relevant strengths and weaknesses of a target, which can then be used to make a cyber attack as successful, and as damaging, as possible.

Regardless of how the reconnaissance is conducted, or what the hackers are hoping to find, the idea is to complete this work without being detected.

Active vs passive reconnaissance

The term ‘reconnaissance’ refers to the practice of intelligence-gathering, the aim being to obtain information about the target rather than conduct any harmful activity. In IT terms, this type of activity is normally classified as either active or passive, each with their own techniques and outcomes.

Active reconnaissance

Active reconnaissance is the more intrusive of the two techniques, whereby a hacker will engage with the target system directly in order to probe for weaknesses. This is also the faster of the two techniques and usually generates more accurate information, although the speed at which this is done depends on whether automated tools or manual processes are used.

The information gathered about a system is used to plan unauthorised access to protected material, including how to get past any firewalls or routers in the way. The hacker actively maps the network infrastructure, using tools such as NSLookup to identify hosts. Once hosts have been found, a port scan is conducted to reveal which services are exposed and, with them, any potential vulnerabilities.

The open source tool Nmap is perhaps the best-known scanner used for active reconnaissance; it offers a range of different scan types to find hosts and the services connected to a network.

Because this approach requires interacting with the target, a scan is far more likely to be caught by the target's firewall or an attached security suite.
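The detection side of that last point, as an added example that is not code from the original article: a firewall only catches a scan if someone is counting. The script below parses a constructed, iptables-style log (the format, the thresholds and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all assumptions made for the example) and flags any source that touches many distinct destination ports on one host inside a short window, which is the signature that active host and port discovery leaves behind.

```python
"""Flag sources that look like they are port-scanning, from firewall logs.

Added example for this article, not code from the original page. The log
format is a constructed, iptables-style simplification ("SRC= DST= DPT="
after an ISO timestamp and an action); real firewall formats differ, so
adjust LINE_RE for your own logs. Thresholds are assumptions to tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)$"
)

# Constructed sample. 203.0.113.7 touches twelve different ports on one host
# within a few seconds (a scan); 198.51.100.4 makes a few ordinary requests.
SAMPLE_LOG = """\
2020-10-30T09:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2020-10-30T09:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2020-10-30T09:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2020-10-30T09:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2020-10-30T09:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2020-10-30T09:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
2020-10-30T09:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=139
2020-10-30T09:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=143
2020-10-30T09:00:05 ACCEPT SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2020-10-30T09:00:05 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
2020-10-30T09:00:06 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2020-10-30T09:00:06 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080
2020-10-30T09:00:07 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2020-10-30T09:05:00 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2020-10-30T09:10:00 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_port_scans(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): ports} for every source that hit at least
    `min_ports` distinct destination ports on one host inside `window`.
    Dropped and accepted packets both count: probing open ports is still
    a scan."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            events[(event["src"], event["dst"])].append((event["ts"], event["dport"]))

    scans = {}
    for pair, hits in events.items():
        hits.sort()
        best = 0
        # Slide a window starting at each event and count distinct ports in it.
        for i, (start, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - start <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            scans[pair] = best
    return scans


if __name__ == "__main__":
    for (src, dst), n in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports in 60s")
```

The window and port-count thresholds are the whole tuning problem: a slow scan spread over hours slips under a 60-second window, while a busy internal host can legitimately reach a dozen services in a minute, so in practice the thresholds are set per network segment and reviewed against a baseline of normal traffic.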

Passive reconnaissance

Passive reconnaissance does not rely on direct interactions with a target system, and is therefore far easier to hide. This technique involves simply eavesdropping on a network in order to gain intelligence, with hackers being able to analyse the target company for partner and employee details, technology in use, and IP information.

If the reconnaissance is carried out successfully, the only evidence of the hacker's presence will be in analytics data; with no red flags raised, they should not appear in security logs at all.

Using tools such as Wget, hackers can mirror a website for offline browsing, analysing its content to reveal hardware, operating systems and contact information. Other common methods of passive reconnaissance include advanced Google searches, sifting through information stored on discarded devices, and impersonating users.
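The "analytics data" mentioned above is, for a mirrored website, the web server's own access log, and that is where a defender can look. As an added example that is not code from the original article, the script below parses constructed access-log lines in Apache/nginx combined format and flags clients whose behaviour looks like a full-site mirror: a tool user-agent, or many distinct pages fetched at a rate no person clicks at. The sample addresses, user-agent markers and thresholds are assumptions made for the example.

```python
"""Spot site-mirroring sessions (Wget and similar) in a web server access log.

Added example for this article, not code from the original page. The log
lines are constructed, in Apache/nginx "combined" format; the thresholds
and the user-agent markers are assumptions to tune for your own site.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Substrings seen in the user-agents of common mirroring/scripting tools.
TOOL_UA_MARKERS = ("wget", "curl", "httrack", "python-requests")

# Constructed sample: one client pulls eight pages in two seconds with a Wget
# user-agent; another reads two pages over half a minute with a browser.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [30/Oct/2020:09:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 118 "-" "Wget/1.20.3 (linux-gnu)"
203.0.113.7 - - [30/Oct/2020:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.20.3 (linux-gnu)"
203.0.113.7 - - [30/Oct/2020:09:00:00 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Wget/1.20.3 (linux-gnu)"
203.0.113.7 - - [30/Oct/2020:09:00:01 +0000] "GET /team HTTP/1.1" 200 3500 "-" "Wget/1.20.3 (linux-gnu)"
203.0.113.7 - - [30/Oct/2020:09:00:01 +0000] "GET /contact HTTP/1.1" 200 2800 "-" "Wget/1.20.3 (linux-gnu)"
203.0.113.7 - - [30/Oct/2020:09:00:01 +0000] "GET /careers HTTP/1.1" 200 3900 "-" "Wget/1.20.3 (linux-gnu)"
203.0.113.7 - - [30/Oct/2020:09:00:02 +0000] "GET /partners HTTP/1.1" 200 4200 "-" "Wget/1.20.3 (linux-gnu)"
203.0.113.7 - - [30/Oct/2020:09:00:02 +0000] "GET /news HTTP/1.1" 200 6100 "-" "Wget/1.20.3 (linux-gnu)"
198.51.100.4 - - [30/Oct/2020:09:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/82.0"
198.51.100.4 - - [30/Oct/2020:09:00:40 +0000] "GET /about HTTP/1.1" 200 4096 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/82.0"
"""


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TIME_FMT),
        "path": m["path"],
        "ua": m["ua"],
    }


def find_mirroring(log_text, min_paths=5, min_rate=1.0):
    """Return {client_ip: [reasons]} for clients whose traffic looks like a
    site mirror: a tool user-agent, or many distinct paths at a high rate."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, reqs in by_ip.items():
        reasons = []
        for ua in sorted({r["ua"] for r in reqs}):
            if any(marker in ua.lower() for marker in TOOL_UA_MARKERS):
                reasons.append(f"tool user-agent: {ua}")
        paths = {r["path"] for r in reqs}
        times = sorted(r["ts"] for r in reqs)
        # Treat a burst inside one second as one second so the rate is finite.
        seconds = max((times[-1] - times[0]).total_seconds(), 1.0)
        rate = len(reqs) / seconds
        if len(paths) >= min_paths and rate >= min_rate:
            reasons.append(f"{len(paths)} distinct paths at {rate:.1f} req/s")
        if reasons and "/robots.txt" in paths:
            reasons.append("also fetched /robots.txt")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in find_mirroring(SAMPLE_ACCESS_LOG).items():
        print(f"possible site mirror from {ip}: " + "; ".join(reasons))
```

The user-agent check is the weakest signal, since it is trivially changed; the request-rate and distinct-path signals survive that, which is why the two are combined rather than relying on either alone.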

Use cases for active and passive reconnaissance

Differences in method, unsurprisingly, yield different results. Active reconnaissance is riskier (from the hacker's perspective) but generally gathers more useful information. Passive reconnaissance carries less risk, but is slightly less reliable, can be time-consuming, and usually reveals far less.

Despite these drawbacks, passive reconnaissance is the preferred tactic for many hackers, chiefly because of the reduced risk of detection. It also allows hackers to avoid the risk of incrimination, and the information gathered is still incredibly useful for supporting future cyber attacks. Conversely, active reconnaissance normally requires scrupulous preparation in order to avoid detection, and hackers always run the risk that a trace of their attack may be left behind.

All organisations are susceptible to these types of attacks, not just high-profile networks. Small and medium-sized businesses should be particularly wary of reconnaissance, especially if they have digital transformation projects underway. Projects that haven't been properly checked for security weaknesses, or that rely on misconfigured security tools, can be especially helpful to hackers trying to infiltrate a network.

Other risks worth considering include poorly protected applications holding data that third parties could access. Every organisation should stay one step ahead of potential hackers and consider all the processes a criminal could use to gain access to confidential information.

It’s also important to remember that reconnaissance is equally useful for ethical hacking. This usually takes the form of professional penetration testers deploying the methods hackers normally adopt in order to locate the holes in an organisation's defences. This allows the business to resolve any weaknesses as and when they're found, before they're exploited by hackers in a live setting. The method isn't always free from fuss, however, and pen-testers have occasionally been mistaken for actual criminals.

Penetration testers would likely cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation then sets out to remedy them. Taking into account the information gathered, organisations can augment a web application firewall (WAF), the most holistic defence against cyber attacks. A strong WAF should be flexible enough to adapt to an organisation's needs, and secure enough to protect applications both in the cloud and on-premises.
