What's the difference between active and passive reconnaissance?
Exploring essential tools of both ethical and malicious hackers alike
Reconnaissance is one of the most important steps hackers must take in order to successfully prepare for a cyber attack against an organisation, providing an early look at the sorts of defensive measures that will need to be overcome.
Usually defined as either passive or active, reconnaissance gives hackers a blueprint of the entity they are targetting, most notably whether it’s using its own on-prem infrastructure or if it relies on the cloud, and a sense of its network and the devices connected to it. This early work helps to prime the hackers with relevant strengths and weaknesses of a target, which may be used to help make a cyber attack as successful, and as damaging, as possible.
Regardless of how the reconnaissance is conducted, or what the hackers are hoping to find, the idea is to complete this work without being detected.
Active vs passive reconnaissance
The term ‘reconnaissance’ refers to the practice of intelligence-gathering, the aim being to obtain information about the target rather than conduct any harmful activity. In IT terms, this type of activity is normally classified as either active or passive, each with their own techniques and outcomes.
Active reconnaissance is the more intrusive of the two techniques, whereby a hacker will engage with the target system directly in order to probe for weaknesses. This is also the faster of the two techniques and usually generates more accurate information, although the speed at which this is done depends on whether automated tools or manual processes are used.
BIOS security: The next frontier for endpoint protection
Today’s threats upend traditional security measuresDownload now
System information is used to gain unauthorised access to protected materials, infiltrating any firewalls or routers. The hacker then actively maps the network infrastructure, using tools such as NSLookup to identify hosts. Once they have been found, a port scan is conducted to reveal any potential vulnerabilities.
The Nmap open source tool is perhaps the most well-known exploit kit used for active reconnaissance, which uses a range of different scan types to find hosts and services connected to a network.
Given this approach requires interaction with a system, it’s far more likely that a scan will be caught by a system’s firewall or an attached security suite.
Passive reconnaissance does not rely on direct interactions with a target system, and is therefore far easier to hide. This technique involves simply eavesdropping on a network in order to gain intelligence, with hackers being able to analyse the target company for partner and employee details, technology in use, and IP information.
If the attack is conducted successfully, the only evidence of a hacker's presence would be in analytical data, and with no red flags raised, they shouldn't appear in security logs.
Using tools such as Wget, hackers can browse a website offline, analysing content to reveal hardware, operating systems and contact information. Other common methods of passive reconnaissance include advanced Google searches, sifting through information stored on discarded devices, and impersonating users.
Use cases for active and passive reconnaissance
Differences in method, unsurprisingly, yield different results. Active reconnaissance is riskier (from the hacker's perspective) but generally more useful information is gathered. Passive reconnaissance carries less risk, but is slightly more unreliable, can be time-consuming, and is usually far less revealing.
Despite these drawbacks, passive reconnaissance is the preferred tactic for many hackers, chiefly because of the reduced risk of detection. It also allows hackers to avoid the risk of incrimination, and the information gathered is still incredibly useful for supporting future cyber attacks. Conversely, active reconnaissance normally requires scrupulous preparation in order to avoid detection, and hackers always run the risk that a trace of their attack may be left behind.
All organisations are susceptible to these types of attacks, not just high profile networks. Small and medium-sized businesses should be particularly wary of reconnaissance, especially if they have digital transformation projects underway. Ventures that haven’t been properly checked for potential security breaches, or that have misconfigured security tools, can be especially helpful to hackers trying to infiltrate your network.
Other risks worth considering include unfortified applications containing data which could be vulnerable to being accessed by third-parties. Every organisation should be one step ahead of potential hackers and consider all the processes that a criminal could deploy in order to gain access to confidential information.
It’s also important to remember that reconnaissance is equally useful for ethical hacking. This process usually involves professional penetration tests deploying the methods hackers normally adopt in order to locate the holes in an organisation's defences. This would allow the business to resolve any of these weaknesses as and when they're found before they're exploited by hackers in a live setting. The method isn't always free from fuss, however, and pen-testers have occasionally been mistaken for actual criminals.
Penetration testers would likely cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation will then set out to remedy them. Taking into account information gathered, organisations can augment a web application firewall (WAF), the most holistic defence against cyber attacks. A strong WAF should be flexible to adapt to an organisation's needs, and secure to protect applications both in the cloud and on-premise.
The complete guide to changing your phone system provider
Optimise your phone system for better business resultsDownload now
Simplify cluster security at scale
Centralised secrets management across hybrid, multi-cloud environmentsDownload now
The endpoint as a key element of your security infrastructure
Threats to endpoints in a world of remote workingDownload now
2021 state of IT asset management report
The role of IT asset management for maximising technology investmentsDownload now