Reconnaissance in cybersecurity refers to the preliminary step of a cyberattack, where a hacker is ‘scouting’ the target system. The terminology comes from military language, referring to a mission into enemy territory to obtain information. Due to this action being before any damage is truly done, it’s considered to be a ‘passive attack’.
Generally, users think hackers search for one big break, one main weakness they can exploit to gain access into a company’s entire network. In reality, hackers gather information from anywhere and everywhere to build an information “dossier” on a target company. This dossier may contain network addresses, enabled services, open ports, proxy relays, VPN concentrators, SAS applications used by the company, and crucial usernames and passwords purloined on the dark web for the company’s domain and users. The hacker is learning all there is to know about a company before beginning their attack.
Common sources of information during reconnaissance work includes:
- Domains and subdomains
- Whois Information
- Directory info
- Amazon S3 Buckets
- Social media accounts (individuals and the company itself)
- Dark web breached accounts for the domains in question
- Calling individuals in the company to Social Engineer information about the company out of them
The above list is definitely not an exhaustive list of reconnaissance methods and tactics. Reconnaissance isn’t something that needs a slew of technical experience, it can be done through public employee social media accounts to gain information and trick them into giving out information or clicking a malicious link.
Ultimately, this information will be used to attack a company at its weakest points, seeking access into company systems, networks, and data repositories.
What does this mean for an SMB?
Some reconnaissance can be prevented by obfuscating information about open networks, ports, and systems often targeted to identify specific vulnerabilities in your security framework. Less information or no information can be helpful.
The following actions can help your business and employees reduce the amount of information collected in this stage of an attack by hackers:
- Train employees on the many threats online including social engineering, phishing attacks, and social media (in)security. Do not accept friend requests from unknown entities;
- Lock down all the networks and the enabled services into and out of your networks and even between business units, internal groups, and networks (segmentation is your friend). Many services have a banner message detailing the version and application behind the open port. Disable such messages where possible;
- If funds allow, do a Red Team exercise,
- Alternatively, perform Penetration Testing and vulnerability scanning;
- Govern staff with short, easily understood, and updated cybersecurity policies ;
- Phish test staff quarterly or semi-annually; and
- Setup DMARC, DKIM, and SPF records to harden your email delivery to your clients preventing others from pretending to be you and attacking your clients.
Nothing is full proof. The odds are often stacked against companies and in favor of hackers who only have to be successful once, while companies must defend every day and every time against hacker attacks and must be perfect. Training your staff will help improve your overall odds of successfully defending yourself.