Reconnaissance

Attackers aim to identify weaknesses, entry points, and potential attack vectors during this stage. They may gather information through publicly available sources, social media, WHOIS databases, or other means to tailor their attack strategy.

What is Reconnaissance?

In the Cyber Kill Chain, reconnaissance is the initial phase where attackers gather information about their target. It involves researching and collecting data on the target's infrastructure, personnel, and potential vulnerabilities.

Active vs Passive Reconnaissance

Attackers choose between active and passive reconnaissance based on their goals, the level of stealth required, and the desired depth of information gathering. Here's why attackers might opt for active or passive reconnaissance:

What is Active Reconnaissance

‍In active reconnaissance, attackers interact directly with the target's systems or network. This could involve probing for open ports, attempting to gain unauthorized access, or using tools to actively scan and identify vulnerabilities.

Purpose of Active Reconnaissance

Active reconnaissance involves direct interaction with the target's systems, probing for vulnerabilities, and attempting to gain more detailed information.

Why attackers use Active Reconnaissance

Detailed Information: Active reconnaissance can provide more granular and specific details about the target's security posture, system configurations, and potential weaknesses.
‍Real-Time Data: Attackers get real-time insights into the target's current state, as opposed to relying on pre-existing information.
‍Identification of Live Systems: It helps identify live systems and services actively in use.

What is Passive Reconnaissance

‍Passive reconnaissance involves collecting information without directly interacting with the target's systems. This could include monitoring publicly available information, analyzing network traffic, or studying social media profiles to build a profile of the target.

Purpose of Passive Reconnaissance

Passive reconnaissance involves collecting information without directly interacting with the target's systems, relying on existing data and observations.

Why attackers use Passive Reconnaissance

Stealth: Passive reconnaissance is less likely to trigger security alarms, making it a more discreet approach for information gathering.
Lower Risk: Since there's no direct interaction, the risk of detection and attribution is reduced.
Long-Term Gathering: Attackers can conduct passive reconnaissance over an extended period without leaving immediate traces.

How attackers choose between Active and Passive Reconnaissance

Active reconnaissance is riskier than passive reconnaissance as it increases the chances of triggering security alerts or being detected by intrusion detection systems. Passive reconnaissance may provide less detailed information compared to active reconnaissance. So how does an attacker choose between the two?

Nature of the Target: The security measures in place and the nature of the target influence the choice. More secure or high-profile targets may necessitate a stealthier approach like passive reconnaissance.
Goals of the Attack: If the goal is to quickly identify and exploit vulnerabilities, active reconnaissance may be chosen. If the goal is a more prolonged, undetected observation, passive methods might be preferred.
Risk Tolerance: Attackers assess their risk tolerance and the consequences of being detected. Active methods pose a higher risk but might yield more immediate results.

In summary, the decision to use active or passive reconnaissance depends on the attacker's objectives, the level of risk they are willing to take, and the specific characteristics of the target environment. Both methods play crucial roles in the information-gathering phase of a cyber attack.