What's the difference between active and passive reconnaissance?

Exploring essential tools of both ethical and malicious hackers alike


It's difficult to work within the technology industry and not be aware of the series of high-profile security breaches which are costing corporations millions and keeping CIOs up at night. 

The development of active and passive reconnaissance as a cyber attack method has equipped hackers with a tool that lets them glean the state of a company's information, whether it is held on-premise or in the cloud, sometimes without detection. This means that even if no cyber attack has actually occurred, a scouting foray may have already discovered that your cyber defences are susceptible to attack, and as a result, one may be in the post.

What's more, it isn't just large enterprises that are vulnerable. As digital innovation sweeps across the globe, SMBs continue their digital transformations. Poorly prepared transitions paired with the improper or incomplete use of security tools can be debilitating, leaving applications unfortified and the data they contain vulnerable. Combined with the advancement of bots which endlessly scour business applications in search of such vulnerabilities, everyone is a target.

As cyber attacks have increased, the practice of ethical testing has developed alongside them. Here, the very methods hackers employ to scout potential targets are used by professional penetration testers, hired by the organisation to highlight chinks in its armour. In theory, this allows the organisation to fix any weaknesses before they are actively exploited by malicious hackers, though unorthodoxies have been recorded.

How they work

The term reconnaissance comes from the military, where it describes an information-gathering mission into hostile territory. Its purpose is simply to obtain information, rather than to actively exploit the target. As such, discretion is key. After successful reconnaissance, and depending on the information gathered, an active attempt to exploit the target may follow.


It's clear to see how this parallels IT. From the organisation's perspective, though, active and passive reconnaissance work more along the principle of a vaccine, as they help the host shore up its defences against future attacks.

Simply put, active reconnaissance is the process of examining a computer system in order to scope out technical weaknesses that can be used to access it. System information is used to gain unauthorised access to protected materials, infiltrating any firewalls or routers. The hacker then actively maps the network infrastructure, using tools such as NSLookup to identify hosts. Once they have been found, a port scan is conducted to reveal any potential vulnerabilities. Security barriers are therefore engaged in the process, and information about any resistance encountered is relayed back to the hacker.
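
Because a port scan has to touch the target, it shows up in firewall logs as one source reaching many different ports on one host in a short time. The following is an added example, not part of the original article, of how a defender might flag that pattern; the log layout, the 60-second window and the 15-port threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window
PORT_THRESHOLD = 15              # assumed: distinct ports per target that count as a scan

def parse(line):
    """Parse 'ISO-timestamp src dst dport action' into a tuple."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def detect_port_scans(lines, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return {(src, dst): most distinct ports seen inside one window} for flagged pairs."""
    recent = defaultdict(list)   # (src, dst) -> [(ts, port), ...] still inside the window
    flagged = {}
    for ts, src, dst, dport, _ in sorted(parse(l) for l in lines if l.strip()):
        key = (src, dst)
        events = recent[key]
        events.append((ts, dport))
        # Drop events that have fallen out of the sliding window.
        while ts - events[0][0] > window:
            events.pop(0)
        distinct = len({port for _, port in events})
        if distinct >= threshold:
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged

def build_sample():
    """Constructed log: one host sweeping ports 20-44, one ordinary HTTPS client."""
    base = datetime(2020, 1, 20, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(20, 45)):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 192.0.2.10 {port} DENY")
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.23 192.0.2.10 443 ALLOW")
    return lines

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(build_sample()).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports within {WINDOW}")
```

The window and threshold need tuning against your own traffic; a sweep spread over a longer period only shows up with a longer window.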

On the other hand, performing passive reconnaissance doesn't necessitate contact with any infrastructure, allowing hackers to bypass potential obstacles. The reconnaissance determines target company, partner and employee details, the technology in use, IP information and so on, and the hacker then retreats with the information collated.

No trace is usually left, as sites are browsed in the way a typical user would browse them. The only evidence of a hacker's presence would be in analytical data; with no red flags raised, they shouldn't appear in security logs. Using tools such as Wget, hackers can browse a website offline, analysing content to reveal hardware, operating systems and contact information. Other common methods of passive reconnaissance include advanced Google searches, war driving, sifting through information stored on discarded devices, and impersonating users.
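
Copying a site for offline browsing still produces ordinary web server log entries, and those can be reviewed. The following is an added example, not part of the original article, that scans an access log in the common "combined" format for clients whose requests look like a site copy; the tool watch list, the 25-page threshold and the two-signal rule are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields used below are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
MIRROR_AGENTS = ("wget", "httrack")   # assumed watch list of site-copying tools
PAGE_THRESHOLD = 25                   # assumed: distinct paths per client worth a look

def find_mirroring_clients(lines, page_threshold=PAGE_THRESHOLD):
    """Return {ip: [reasons]} for clients whose requests look like a site copy."""
    seen = defaultdict(lambda: {"paths": set(), "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines that are not in combined format
        client = seen[m["ip"]]
        client["paths"].add(m["path"])
        client["agents"].add(m["ua"].lower())
    findings = {}
    for ip, client in seen.items():
        reasons = []
        if any(tool in ua for ua in client["agents"] for tool in MIRROR_AGENTS):
            reasons.append("mirroring tool user-agent")
        if len(client["paths"]) >= page_threshold:
            reasons.append(f"{len(client['paths'])} distinct paths")
        if "/robots.txt" in client["paths"]:
            reasons.append("fetched robots.txt")
        # One signal alone is weak (the user-agent is client-supplied): require two.
        if len(reasons) >= 2:
            findings[ip] = reasons
    return findings

def build_sample():
    """Constructed access log: one ordinary browser visit and one recursive copy."""
    fmt = '{ip} - - [20/Jan/2020:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    browser = dict(ip="198.51.100.23", ua="Mozilla/5.0 (Windows NT 10.0)")
    copier = dict(ip="203.0.113.7", ua="Wget/1.20.3 (linux-gnu)")
    lines = [fmt.format(path=p, **browser) for p in ("/", "/style.css", "/about", "/contact")]
    lines.append(fmt.format(path="/robots.txt", **copier))
    lines += [fmt.format(path=f"/page/{n}", **copier) for n in range(40)]
    return lines

if __name__ == "__main__":
    for ip, reasons in find_mirroring_clients(build_sample()).items():
        print(ip, "->", "; ".join(reasons))
```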

Differences and common use cases

The fundamental difference in method is that while active reconnaissance involves being present on a target network or server, leaving a trail in the hacker's wake, passive reconnaissance is concerned with being as untraceable as possible. Computers and networks are still targeted, but crucially without actively engaging with the systems or infrastructure. Consequently, few clues are left which lead back to an IP address.


Differences in method unsurprisingly yield different results. Active reconnaissance is riskier (from the malicious hacker's perspective), but generally gathers more useful information. Passive reconnaissance carries less risk, but it is slightly more unreliable, can be time-consuming, and is usually far less revealing.

Despite these drawbacks, for many hackers passive reconnaissance is the method of choice, as they are much less likely to be detected. If completed successfully, the hacker can't be incriminated and the organisation is not alerted, leaving any vulnerabilities wide open for a subsequent cyber attack. Scrupulous preparation is necessary for active reconnaissance because the traces it leaves can likely be used as evidence against the hacker in a digital investigation. Undertaking passive reconnaissance is therefore viewed as the simpler option, despite it being quite time-consuming.

Penetration testers would likely cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation will then set out to remedy them. Taking into account the information gathered, organisations can augment a web application firewall (WAF), the most holistic defence against cyber attacks. A strong WAF should be flexible enough to adapt to an organisation's needs, and secure enough to protect applications both in the cloud and on-premise.
