What's the difference between active and passive reconnaissance?
Exploring essential tools of both ethical and malicious hackers alike
It's difficult to work within the technology industry and not be aware of the series of high-profile security breaches which are costing corporations millions and keeping CIOs up at night.
The development of active and passive reconnaissance as a cyber attack method has given hackers a tool for gleaning the state of a company's information, whether held on-premise or in the cloud, sometimes without detection. This means that even if no cyber attack has actually occurred, a scouting foray may already have discovered that your cyber defences are susceptible to attack, and as a result, one may be in the post.
What's more, it isn't just large enterprises that are vulnerable. As digital innovation sweeps across the globe, SMBs continue their digital transformations. Poorly prepared transitions paired with the improper or incomplete use of security tools can be debilitating, leaving applications unfortified and the data they contain vulnerable. Combined with the advancement of bots which endlessly scour business applications in search of such vulnerabilities, everyone is a target.
As cyber attacks have grown in number, the practice of ethical testing has developed alongside them. Here, the very methods hackers employ to scout potential targets are used by professional penetration testers, hired by the organisation to highlight chinks in its armour. In theory, this allows the organisation to fix any weaknesses before malicious hackers actively exploit them, though irregularities have been recorded.
How they work
Reconnaissance stems from the militaristic term which describes an information-gathering mission into hostile territory. Its purpose is to simply obtain information, rather than actively exploit the target. As such, discretion is key. After successful reconnaissance and depending on the information gathered, an active attempt to exploit the target may follow.
It's easy to see the parallel with IT, though from the organisation's perspective, active and passive reconnaissance works more along the principle of a vaccine: it helps the host shore up its defences against future attacks.
Simply put, active reconnaissance is the process of examining a computer system in order to identify technical weaknesses that could be used to access it. System information is used to gain unauthorised access to protected materials, passing through any firewalls or routers. The hacker actively maps the network infrastructure, using tools such as NSLookup to identify hosts. Once hosts have been found, a port scan is conducted to reveal any potential vulnerabilities. The security barriers have therefore been engaged directly, and whatever resistance they offered is itself relayed back to the hacker as information.
On the other hand, passive reconnaissance doesn't necessitate contact with any of the target's infrastructure, allowing hackers to bypass potential obstacles. The reconnaissance establishes details of the target company, its partners and employees, the technology in use, IP information and so on, then retreats with the information collated.
No trace is left, as sites are usually browsed just as a typical user would browse them. The only evidence of a hacker's presence would be in analytics data; with no red flags raised, they shouldn't appear in security logs. Using tools such as Wget, hackers can download a website and browse it offline, analysing its content to reveal hardware, operating systems and contact information. Other common methods of passive reconnaissance include advanced Google searches, war driving, sifting through information stored on discarded devices, and impersonating users.
Differences and common use cases
The fundamental difference in method is that active reconnaissance involves being present on a target network or server, leaving a trail in the hacker's wake, while passive reconnaissance is concerned with being as untraceable as possible. Computers and networks are still targeted, but crucially without actively engaging with the systems or infrastructure. Consequently, few clues are left that lead back to an IP address.
Differences in method unsurprisingly yield different results. Active reconnaissance is riskier (from the malicious hacker's perspective), but generally gathers more useful information. Passive reconnaissance carries less risk; however, it is somewhat less reliable, can be time-consuming, and is usually far less revealing.
Despite these drawbacks, for many hackers passive reconnaissance is the method of choice, as they are much less likely to be detected. If completed successfully, the hacker can't be incriminated and the organisation is not alerted, leaving any vulnerabilities wide open for a subsequent cyber attack. Scrupulous preparation is necessary for active reconnaissance because the traces it leaves can be used as evidence against the hacker in a digital investigation. Undertaking passive reconnaissance is therefore viewed as the simpler option, despite it being quite time-consuming.
Penetration testers would likely cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation then sets out to remedy them. Taking the information gathered into account, organisations can augment a web application firewall (WAF), the most holistic defence against cyber attacks. A strong WAF should be flexible enough to adapt to an organisation's needs, and secure enough to protect applications both in the cloud and on-premise.