What's the difference between active and passive reconnaissance?

Exploring essential tools of both ethical and malicious hackers alike


Whether working in the technology industry or simply following the events within it, you'll rarely go a day without seeing at least a few headline-grabbing security breaches that haunt security teams and finance departments alike. 

Reconnaissance is a key stage in the planning of any cyber attack, as it is one of the main techniques hackers use to infiltrate an organisation successfully.

Whether active or passive, reconnaissance gives hackers a way to gather essential knowledge about the state of a company's systems, whether that concerns its on-prem infrastructure or its cloud configuration. It is also worth remembering that cyber criminals conducting reconnaissance aim to acquire this information without being detected.

This sort of scouting does not mean that a cyber attack will definitely be launched, or that it will happen straight away. It means the attackers are primed with intelligence about your company's strengths and weaknesses, which may feed into any future plans.

Large organisations aren't the only ones vulnerable to these kinds of operations. Small and medium-sized businesses should also be wary of reconnaissance, especially if they have digital transformation projects underway. Projects that haven't been properly checked for security weaknesses, or that misuse security tools, can be especially helpful to hackers trying to infiltrate your network.

Other risks worth considering include unfortified applications holding data that could be accessed by third parties. Every organisation should stay one step ahead of its potential attackers and consider every process a criminal could use to gain access to confidential information.

Meanwhile, the rise in cyber attacks, and in the increasingly sophisticated methods behind them, has been matched by a rise in ethical testing. In this process, professional penetration testers use the same methods hackers normally adopt to locate the holes in an organisation's defences. This allows the business to resolve these weaknesses as they are found, before they can be exploited by hackers in a live setting. The method isn't always free from fuss, however, and pen-testers have occasionally been mistaken for actual criminals.

How they work

The term 'reconnaissance' originates from the military and refers to an intelligence-gathering exercise in hostile territory. Simply put, the aim is to obtain information about the target rather than conduct any harmful activity. Avoiding detection is therefore crucial to its success, so that the perpetrator can conduct a more effective attack against the target when the time is right.


The parallel with IT is clear. From the organisation's perspective, though, active and passive reconnaissance work more on the principle of a vaccine: they help the host shore up its defences against future attacks.

Simply put, active reconnaissance is the process of probing a computer system to scope out technical weaknesses that could be used to access it. The system information gathered is used to gain unauthorised access to protected material, getting past any firewalls or routers. The hacker actively maps the network infrastructure, using tools such as NSLookup to identify hosts. Once hosts have been found, a port scan is conducted to reveal any potential vulnerabilities. The security barriers have therefore been engaged directly, and whatever resistance they put up is relayed back to the hacker.

On the other hand, passive reconnaissance doesn't require any contact with the target's infrastructure, allowing hackers to bypass potential obstacles. The reconnaissance establishes details of the target company, its partners and employees, the technology in use, IP information and so on, and then withdraws with the information collated.

No trace is left, as sites are usually browsed in the same way as a typical user would. The only evidence of the hacker's presence would be in analytics data; with no red flags raised, they shouldn't appear in security logs. Using tools such as Wget, hackers can download a website to browse offline, analysing its content to reveal hardware, operating systems and contact information. Other common methods of passive reconnaissance include advanced Google searches, war driving, sifting through information stored on discarded devices, and impersonating users.

Differences and common use cases

The fundamental difference in method is that active reconnaissance involves being present on a target network or server, leaving a trail in the hacker's wake, whereas passive reconnaissance is concerned with being as untraceable as possible. Computers and networks are still targeted, but crucially without actively engaging with the systems or infrastructure. As a result, few clues are left that lead back to an IP address.

Differences in method unsurprisingly yield different results. Active reconnaissance is riskier (from the malicious hacker's perspective), but generally gathers more useful information. Passive reconnaissance carries less risk; however, it is somewhat less reliable, can be time-consuming, and is usually far less revealing.

Despite these drawbacks, for many hackers passive reconnaissance is the method of choice, as they are much less likely to be detected. If completed successfully, the hacker can't be incriminated and the organisation is not alerted, leaving any vulnerabilities wide open for a subsequent cyber attack. Active reconnaissance requires scrupulous preparation, because the traces it leaves could well be used as evidence against the hacker in a digital investigation. Passive reconnaissance is therefore viewed as the simpler option, despite being quite time-consuming.
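As an added example that is not part of the original article, the Python below shows what the trail left by active reconnaissance looks like to a defender: it parses constructed firewall log lines and flags any source that probes many distinct ports on one host within a short window, which is the port-scan pattern described above. The log format, the sample addresses and the detection threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (assumed format): timestamp src dst:port action
SAMPLE_LOG = """\
2020-09-16T10:00:01 src=203.0.113.5 dst=198.51.100.10:22 action=DROP
2020-09-16T10:00:02 src=203.0.113.5 dst=198.51.100.10:23 action=DROP
2020-09-16T10:00:02 src=203.0.113.5 dst=198.51.100.10:80 action=ACCEPT
2020-09-16T10:00:03 src=203.0.113.5 dst=198.51.100.10:443 action=ACCEPT
2020-09-16T10:00:03 src=203.0.113.5 dst=198.51.100.10:3389 action=DROP
2020-09-16T10:00:04 src=203.0.113.5 dst=198.51.100.10:8080 action=DROP
2020-09-16T10:00:10 src=192.0.2.44 dst=198.51.100.10:443 action=ACCEPT
2020-09-16T10:00:11 src=192.0.2.44 dst=198.51.100.10:443 action=ACCEPT
2020-09-16T10:05:00 src=198.51.100.77 dst=198.51.100.10:22 action=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:]+):(?P<port>\d+) action=(?P<action>\w+)$"
)

def parse_log(text):
    """Parse the constructed key=value lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["port"] = int(d["port"])
        events.append(d)
    return events

def detect_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Flag a (src, dst) pair where one source touches >= min_ports distinct ports
    on one host inside the window. A normal user repeating port 443 never trips this."""
    per_pair = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for e in events:
        per_pair[(e["src"], e["dst"])].append((e["ts"], e["port"]))
    alerts = {}
    for (src, dst), hits in per_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start time
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[(src, dst)] = sorted(ports)
                break
    return alerts
```

Dropped as well as accepted connections are counted on purpose: a scanner learns something from both, so both belong in the evidence trail.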

Penetration testers would typically cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation then sets out to remedy them. Taking the information gathered into account, organisations can augment a web application firewall (WAF), the most holistic defence against cyber attacks. A strong WAF should be flexible enough to adapt to an organisation's needs, and secure enough to protect applications both in the cloud and on-premise.
