What's the difference between active and passive reconnaissance?

Exploring essential tools of both ethical and malicious hackers alike

Hacking is a profession that requires lots of preparation. It isn't a case of selecting a target and hitting them with whatever malware you've got - it's far more nuanced. Pentesters and malicious attackers need to know how best to hit an organisation, including how to gain access to their networks without being caught, and when the right time to strike is. This information will only be gleaned from thorough reconnaissance.

With the sheer volume of systems and cloud environments on offer to businesses, a blueprint of the target helps to strengthen the attack. Does the target use an on-premise infrastructure, or does it use a cloud service from a third-party provider? How many employees does it have, and which ones are authorised to access the systems you want to hit? Do employees have their own devices at work? - this can all be critical information.

Regardless of your route in, the key to successful reconnaissance is stealth. Going undetected will keep your eventual attack a surprise (though most businesses should expect to be regularly attacked these days).

Active vs passive reconnaissance

"Reconnaissance', which is often shortened to 'recon' is a military term for observing a region to locate the enemy or find information to design an attack strategy. Within IT, the term is normally classified as either 'active' or 'passive' with each referring to different methods. 

Active reconnaissance

Active reconnaissance is a more direct approach. Hackers will use this method to probe a system for weaknesses, often risking early detection. Of the two, this is the fastest method of recon, actively searching for vulnerabilities or entre points.  

Related Resource

Best practices for protecting remote work

Staying safe and secure while working from home

Download now

System information is used to gain unauthorised access to protected materials, infiltrating any firewalls or routers. The hacker then actively maps the network infrastructure, using tools such as NSLookup to identify hosts. Once they have been found, a port scan is conducted to reveal any potential vulnerabilities. 

The Nmap open source tool is perhaps the most well-known exploit kit used for active reconnaissance, which uses a range of different scan types to find hosts and services connected to a network.

Given this approach requires interaction with a system, it’s far more likely that a scan will be caught by a system’s firewall or an attached security suite.

Passive reconnaissance

Passive reconnaissance does not rely on direct interactions with a target system, and is therefore far easier to hide. This technique involves simply eavesdropping on a network in order to gain intelligence, with hackers being able to analyse the target company for partner and employee details, technology in use, and IP information.

If the attack is conducted successfully, the only evidence of a hacker's presence would be in analytical data, and with no red flags raised, they shouldn't appear in security logs.

Using tools such as Wget, hackers can browse a website offline, analysing content to reveal hardware, operating systems and contact information. Other common methods of passive reconnaissance include advanced Google searches, sifting through information stored on discarded devices, and impersonating users.

Use cases for active and passive reconnaissance

Differences in method, unsurprisingly, yield different results. Active reconnaissance is riskier (from the hacker's perspective) but generally more useful information is gathered. Passive reconnaissance carries less risk, but is slightly more unreliable, can be time-consuming, and is usually far less revealing.

Despite these drawbacks, passive reconnaissance is the preferred tactic for many hackers, chiefly because of the reduced risk of detection. It also allows hackers to avoid the risk of incrimination, and the information gathered is still incredibly useful for supporting future cyber attacks. Conversely, active reconnaissance normally requires scrupulous preparation in order to avoid detection, and hackers always run the risk that a trace of their attack may be left behind.

All organisations are susceptible to these types of attacks, not just high profile networks. Small and medium-sized businesses should be particularly wary of reconnaissance, especially if they have digital transformation projects underway. Ventures that haven’t been properly checked for potential security breaches, or that have misconfigured security tools, can be especially helpful to hackers trying to infiltrate your network.

Other risks worth considering include unfortified applications containing data which could be vulnerable to being accessed by third-parties. Every organisation should be one step ahead of potential hackers and consider all the processes that a criminal could deploy in order to gain access to confidential information.

It’s also important to remember that reconnaissance is equally useful for ethical hacking. This process usually involves professional penetration tests deploying the methods hackers normally adopt in order to locate the holes in an organisation's defences. This would allow the business to resolve any of these weaknesses as and when they're found before they're exploited by hackers in a live setting. The method isn't always free from fuss, however, and pen-testers have occasionally been mistaken for actual criminals.

Penetration testers would likely cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation will then set out to remedy them. Taking into account information gathered, organisations can augment a web application firewall (WAF), the most holistic defence against cyber attacks. A strong WAF should be flexible to adapt to an organisation's needs, and secure to protect applications both in the cloud and on-premise.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

Ransomware hit industrial sector the hardest in the third quarter
ransomware

Ransomware hit industrial sector the hardest in the third quarter

25 Oct 2021
Tesco services knocked offline after suspected cyber attack
hacking

Tesco services knocked offline after suspected cyber attack

25 Oct 2021
Microsoft touts new cyber security help for nonprofits
cyber security

Microsoft touts new cyber security help for nonprofits

22 Oct 2021
Ofcom report reveals alarming uptick in smishing attacks
scams

Ofcom report reveals alarming uptick in smishing attacks

22 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021