What is Cyber Recon? How criminals try to outsmart the good guys

1st February 2022

It’s a little uncomfortable to hear, but cybercrime is big business. It has graduated from the gaggle of stereotypical basement-dwelling hackers into a highly profitable – though it pains us to say it – industry.

And just like any other business in any other industry, criminals carry out thorough research before they pursue a new, highly focused project or campaign, to maximise effectiveness and profits. Opportunistic “spray and pray” attacks haven’t disappeared, but the criminals who matter no longer simply throw exploits out there with minimal homework, just to see what sticks. Nowadays they have targets to hit, paymasters to please, and an increasingly cyber-aware populace to contend with.

So, they carry out cyber reconnaissance before embarking on a targeted attack. But what exactly is cyber reconnaissance? What does it involve? And how can knowledge of criminal recon tactics prevent cyber attacks before they happen? Let’s find out.

What is Cyber Reconnaissance?

Cyber reconnaissance refers to any kind of covert data-seeking activities that cybercriminals employ to help inform or launch a cyber attack on an organisation, a group of organisations, or a given user base. On the flip-side, cyber recon is also carried out by cyber security personnel in order to help prevent attacks and to explore the threat landscape.

During a campaign of cyber recon, criminals will actively seek out information about digital assets belonging to their target(s) in order to discover their weaknesses and plan an effective cyberattack against them. This may involve probing how specific networks operate; what data “lives” and travels where; where a system’s weak points lie; and gathering valuable physical intel which will enable them to launch a well-informed, large-scale attack. This kind of data gathering is often correctly considered an attack in its own right, so you may see the term “reconnaissance attack” used from time to time.

Why Do Hackers Carry Out Reconnaissance?

Just as any smart business wouldn’t dare to embark on a new project or product without extensive market, competitor, and practical research, a savvy cybercriminal organisation wouldn’t dare to launch a targeted attack without knowing precisely what they’re dealing with first.

The clearer and more extensive the criminals’ “pre-launch” research, the more they’ll be able to orchestrate a fully tailored attack that will linger just below the victim’s radar for the longest possible time. The more information they gather, the more that can potentially be successfully weaponised.

Let’s look from another angle. If a criminal cell is looking to infiltrate a particular organisation, it makes no sense to simply pluck a random exploit out of their bag of tricks and lazily lob it at the victim. This kind of blunt, careless attack can raise alarm bells at the victim organisation who can then batten down the cyber-hatches, making a second try even harder or potentially blowing the lid on the whole operation.

It therefore makes more sense for criminals to go slow and stay low – biding their time, collecting all the info they can, and engineering a surgically precise cocktail of intrusions and exploits that achieve their evil ends, just out of sight.

Types of Cyber Reconnaissance

So, what does cyber reconnaissance look like? Let’s explore a few different examples.

Logical reconnaissance

This refers to any kind of espionage carried out digitally.

Examples of Logical Reconnaissance

  • Port scanning to see which TCP/UDP ports are open on a device or network. Every open port is a listening service that can be fingerprinted and, if it is outdated or misconfigured, attacked.
  • Sending ICMP echo (“ping”) requests to a single IP address or a whole range to see which hosts are alive on a network.
  • Cyber stalking company staff and associates on social media for internal company insights.
  • Packet sniffing to observe the kinds of data flowing across a network.
  • Installing persistent threats (a cyber menace in their own right) to infect and surveil a network’s users. Strictly speaking this is post-compromise surveillance rather than pre-attack recon, but the information it yields feeds the same planning.
  • Website and cloud snooping – investigating a company’s subdomains, public cloud storage buckets, etc. for vital information.
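To make the first bullet concrete, here is what a port scan actually is from the attacker’s keyboard. This is an added example, not code from the article or from Just Cyber Security: a minimal TCP connect() scanner that probes only a throwaway listener the script itself starts on 127.0.0.1, so it is safe to run offline. The port range and the listener are test fixtures, not real services.

```python
"""Minimal TCP connect() scan (added example, not the article's own code).

Scans a local test listener that the script starts itself, so it touches
nothing but 127.0.0.1. The listener and port range are constructed fixtures.
"""
import socket
from typing import Dict, List


def start_test_listener() -> socket.socket:
    """Bind a throwaway listener on an OS-chosen port so the scan has one
    genuinely open port to find. Test fixture, not a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))   # port 0 = let the OS pick a free port
    srv.listen(5)
    return srv


def tcp_connect_scan(host: str, ports: range, timeout: float = 0.5) -> List[int]:
    """Return the ports on `host` that complete a full TCP handshake.

    connect_ex() returns 0 on success and an errno otherwise. A closed port
    answers with RST (ECONNREFUSED) almost instantly; a filtered one just
    times out. Each probe is a complete handshake, which is exactly why this
    counts as *active* recon: every attempt lands in the target's firewall
    and connection logs.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo() -> Dict[str, object]:
    """Start the fixture listener, scan a small range around it, report."""
    srv = start_test_listener()
    try:
        bound_port = srv.getsockname()[1]
        found = tcp_connect_scan("127.0.0.1", range(bound_port - 2, bound_port + 3))
        return {"listener": bound_port, "open": found}
    finally:
        srv.close()


if __name__ == "__main__":
    result = demo()
    print(f"test listener on {result['listener']}, scan found open: {result['open']}")
```

The defender’s takeaway is in the docstring: a connect() scan is a full three-way handshake per port, so it is the noisiest kind of scan and the easiest to spot in firewall logs. Real tooling (nmap and the like) uses half-open SYN scans, timing tricks and decoys to make the same probing quieter, which is why detection needs to look at patterns across many connection attempts rather than any single one.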

Physical reconnaissance

Physical reconnaissance is exactly what it sounds like – exploring the physical defences and features of an organisation: door locks, access control systems, security cameras, security guards, the physical layout of a building or campus, etc.

It’s important to note that as physical security services become more digital, the line between digital and physical recon is becoming ever more blurred.

Examples of Physical Reconnaissance

  • Hacking into security cameras to observe staff habits like opening, closing, breaks, and routines
  • Sitting outside to see when and where people enter and exit.
  • Observing when people are at their most tired and distracted – i.e., vulnerable to suggestion or temptation.
  • Observing how much physical traffic the premises get. How easy would it be for a stranger to ask to “use the facilities” or to just wander in pretending to be lost?
  • Probing the organisation’s WiFi network from within range.
  • “Dumpster diving” wherever a target disposes of their tech and documents to uncover information.

Active reconnaissance

Active reconnaissance refers to recon tactics that require direct interaction with the target and its IT. These more involved tactics can provide more useful, targeted information but are also more likely to sound alarm bells, making it a riskier gambit.

Examples of Active Reconnaissance

  • Probing networks directly – port and service scans, banner grabbing, walking the DNS – to map out their infrastructure.
  • Physical surveillance like “staking out” a premises or rifling through bins for discarded documents and media.
  • Physically obtaining access to premises or otherwise directly interacting with a victim’s team or supply chain to gather info.
  • Using direct social engineering tactics over email or phone to gather information or access.
  • Deploying targeted surveillance malware.

Passive reconnaissance

Passive recon is where information is gathered without directly interacting with the victim, usually involving the collection of publicly available information.

Passive tactics are less likely to be noticed by the victim but at the same time, they’re also less likely to yield the in-depth technical information that a hacker may be looking for. However, that surface information can be just the insight the criminal needs to start their research… or add a deadly cherry on the top of their attack.

Examples of Passive reconnaissance

  • Searching for company and team information through search engines and social media.
  • Gathering information from the victim’s website – both on the surface and delving into the publicly available code, comments and linked hosts.
  • Physically eavesdropping on staff conversations during breaks.
  • Querying public records about the organisation’s domains – DNS entries, TLS certificates, subdomains – which come from third-party sources rather than the victim’s own servers. (Planting malware on endpoints, by contrast, is active recon: it touches the victim’s systems, however quietly it then listens.)
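As an added example (not the article’s own code) of what “delving into the publicly available code” of a website yields, the script below parses a constructed HTML page for the hypothetical domain example.com and pulls out the kinds of facts a passive recon pass collects without sending anything but an ordinary page request. Every name, host and address in the sample is made up.

```python
"""Passive recon from a page's source (added example, not the article's code).

Harvests email addresses, subdomains, third-party hosts, HTML comments and
software version banners from a constructed sample page for example.com.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample page: every host, name and address here is made up.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 5.8.1">
<script src="https://static.example.com/app.js"></script>
<!-- TODO: remove before launch, staging is at https://staging-api.example.com -->
</head><body>
<a href="https://careers.example.com/">Jobs</a>
<a href="https://www.linkedin.com/company/example">LinkedIn</a>
<p>Contact j.bloggs@example.com or ops-team@example.com</p>
<img src="https://cdn.othersite.org/logo.png">
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class LinkCollector(HTMLParser):
    """Collect hostnames from href/src attributes, plus comments and generator tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hosts: set = set()
        self.comments: List[str] = []
        self.generators: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        attr_map = dict(attrs)
        for name in ("href", "src"):
            host = urlparse(attr_map.get(name) or "").hostname
            if host:
                self.hosts.add(host.lower())
        # <meta name="generator"> leaks the CMS and often its exact version.
        if tag == "meta" and attr_map.get("name") == "generator":
            self.generators.append(attr_map.get("content", ""))

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())


def harvest(html: str, apex: str) -> Dict[str, list]:
    """Return emails, subdomains of `apex`, third-party hosts, comments and
    software versions visible in the page source."""
    parser = LinkCollector()
    parser.feed(html)
    # Comments often name hosts (staging, admin) that are never linked from the page.
    for comment in parser.comments:
        for url in URL_RE.findall(comment):
            host = urlparse(url).hostname
            if host:
                parser.hosts.add(host.lower())
    subdomains = sorted(h for h in parser.hosts if h == apex or h.endswith("." + apex))
    third_party = sorted(h for h in parser.hosts if h not in subdomains)
    return {
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "subdomains": subdomains,
        "third_party_hosts": third_party,
        "comments": parser.comments,
        "generators": parser.generators,
    }


if __name__ == "__main__":
    for key, value in harvest(SAMPLE_HTML, "example.com").items():
        print(f"{key}: {value}")
```

Run against the sample, it turns one page fetch into two staff email addresses (a ready-made phishing list and username format), three subdomains including a staging API that was only ever mentioned in a comment, the third-party services the site depends on, and an exact CMS version to look up. None of that required touching anything the victim could distinguish from a normal visitor, which is the whole point of passive recon.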

Recon methods wrap-up

So, in short, active recon is noisier and easier to detect but tends to yield more precise and useful information. Passive recon methods are much harder to detect and even harder to stop, but they generally yield more generic, publicly available information that isn’t always very useful for an attacker.

This is the balancing act that any criminal recon agent must strike.

How to protect your business from cyber reconnaissance

Reconnaissance is often the first step that a criminal organisation will take before they launch a full-scale, targeted attack. It may even help them to justify whether an attack is worth their while or not.

But either way, if you muck up a criminal’s reconnaissance into your business, you could potentially stop an attack from taking place. So how can we foil their dastardly schemes?

Know your infrastructure

Take the time to give yourself a working knowledge of your network. Do you know how your network connects together (its “topology”)? What security systems do you have in place? Who has access to them and why? If I were to point to a random Ethernet socket in your office, could you tell me how it connects to your central network hardware? These are all excellent questions to ask yourself.

When you know your organisation’s basic network infrastructure inside and out, you are much better placed to spot potential risks. If you need a hand, the friendly team here at Just Cyber Security can help you explore your network and provide advice and solutions to keep your defences high.

Harden your systems to minimise vulnerability

“Hardening” a computerised system is the process of actively minimising that system’s attack surface – the set of services, ports, accounts and software an attacker could reach – which in turn reduces how much a reconnaissance pass can find and how much of it is exploitable.

For example, you can harden a network by closing unused ports (and removing or firewalling the services behind them – a port is only truly “closed” if nothing is listening on it); encrypting data in transit and at rest; maintaining zero-trust IT policies; and employing an enterprise-grade intrusion prevention system. You can harden an individual endpoint device like a PC by removing all unused software, applying software updates as soon as they’re available, and installing preventative measures like endpoint protection and managed detection and response (MDR) solutions.
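Here is the check that sits behind “closing unused ports”, as an added example rather than anything from the article: compare what a host is actually listening on with an allowlist of what is supposed to be reachable from the network. It parses a constructed sample of `ss -tlnH` output (the Linux socket-statistics tool; `-H` suppresses the header line) instead of running the command, so it runs anywhere. The allowlist and the sample sockets are assumptions for a hypothetical web server.

```python
"""Listening-port audit against an allowlist (added example, not the article's code).

Parses constructed `ss -tlnH` output (Linux) and splits listeners into
loopback-only, allowed-exposed and unexpected. Allowlist and sample are assumed.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `ss -tlnH` output from a hypothetical web server.
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      128                *:5900            *:*
"""

# Ports this host is supposed to expose to the network (assumption for the demo).
ALLOWED_EXPOSED_PORTS: Set[int] = {22, 80, 443}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(output: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for each LISTEN line.

    The local socket is the 4th column. The port is taken from after the
    last ':' so IPv6 forms like [::]:22 and the wildcard *:5900 parse too.
    """
    sockets = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        sockets.append((addr.strip("[]"), int(port)))
    return sockets


def audit(output: str, allowed: Set[int]) -> Dict[str, List[Tuple[str, int]]]:
    """Classify listeners: loopback-only is fine, allowed exposed is expected,
    everything else needs closing, binding to loopback, or firewalling."""
    report: Dict[str, List[Tuple[str, int]]] = {
        "loopback_only": [], "allowed": [], "unexpected": []}
    for addr, port in parse_ss(output):
        if addr in LOOPBACK:
            report["loopback_only"].append((addr, port))
        elif port in allowed:
            report["allowed"].append((addr, port))
        else:
            report["unexpected"].append((addr, port))
    return report


if __name__ == "__main__":
    for status, socks in audit(SAMPLE_SS_OUTPUT, ALLOWED_EXPOSED_PORTS).items():
        print(f"{status}: {socks}")
```

On the sample, the database and print spooler bound to 127.0.0.1 are fine, SSH and the web ports are expected, and the VNC listener on `*:5900` is the finding: exactly the sort of thing a port scan turns up and a lean allowlist makes obvious. Run the real thing on a Linux host with `ss -tlnH` (and `ss -ulnH` for UDP) piped into `parse_ss`, and keep the allowlist in version control so drift shows up in review.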

Invest in next generation perimeter defences

How long have you had your trusty firewall? If you’ve had it longer than 5 years, our colleagues at Just Firewalls would strongly advise you to upgrade! Likewise, if you’ve undergone a period of restructuring, growth, or other organisational upheaval, you may need to re-examine your firewall’s level of protection to ensure you’re covered.

A new firewall doesn’t just mean you get a new, fancy-looking box and slightly faster protection. Next-generation firewalls can contain all kinds of extras that your current solution may lack, like heuristic gateway antivirus tools, deep packet inspection, content filtering, and handy management functionalities that will help you keep your network secure. Talk to our pals at Just Firewalls today to explore your options.

Explore network & security monitoring

Do you have network security alerts set up to keep you or a member of staff up to date with the latest happenings on your network? If not, then it’s time to put more focus on network security alerts and monitoring. The active recon described above leaves fingerprints – one outside address hitting port after port on a server, or the same port across every host you own – and a firewall that logs denied connections already holds the evidence; the trick is to actually look at it. This can be a big responsibility for a small business to take on but thankfully it’s relatively easy and inexpensive to outsource to professionals like ourselves.
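To show what such an alert looks like in practice, here is an added example (not the article’s own code, nor any vendor’s) of scan detection run over constructed firewall deny-log lines. It flags the two active-recon patterns from earlier in the article: one source probing many ports on a single host (a port scan) and one source probing the same port across many hosts (a sweep). The key=value log format, the thresholds and the addresses (all from documentation IP ranges) are assumptions.

```python
"""Port-scan and host-sweep detection over firewall deny logs.

Added example, not the article's code. Log format, thresholds and addresses
are assumptions; the sample log is constructed inside build_sample_log().
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TS_FMT = "%Y-%m-%d %H:%M:%S"


def build_sample_log() -> List[str]:
    """Constructed firewall deny log: documentation IP ranges, made-up times."""
    base = datetime(2022, 2, 1, 9, 0, 0)

    def line(offset: int, src: str, dst: str, dport: int) -> str:
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f"{ts} action=deny src={src} dst={dst} dport={dport} proto=tcp"

    lines = []
    # Port scan: one source walks ports 20-35 on one host, a port a second.
    for i, port in enumerate(range(20, 36)):
        lines.append(line(i, "203.0.113.7", "192.0.2.10", port))
    # Host sweep: one source tries port 445 on twelve different hosts.
    for i in range(1, 13):
        lines.append(line(30 + i, "198.51.100.9", f"192.0.2.{i}", 445))
    # Benign noise: three denied HTTPS retries from a third address.
    for i in range(3):
        lines.append(line(100 + i, "203.0.113.50", "192.0.2.10", 443))
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...'; None for lines we skip."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FMT)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if fields.get("action") != "deny":
        return None
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"])}


def detect_scans(lines: List[str], window: timedelta = timedelta(seconds=60),
                 port_threshold: int = 10, host_threshold: int = 8) -> List[Dict]:
    """Sliding-window detection per source address.

    port_scan : a source hits >= port_threshold distinct ports on one host
    host_sweep: a source hits one port on >= host_threshold distinct hosts
    Each (source, kind, target) alerts once. Recomputing the window at each
    step is O(n^2) per source: fine for a demo, use running counters at scale.
    """
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["src"]].append(rec)

    alerts, seen = [], set()
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for r in recs[start:end + 1]:
                ports_per_host[r["dst"]].add(r["dport"])
                hosts_per_port[r["dport"]].add(r["dst"])
            for dst, ports in ports_per_host.items():
                key = (src, "port_scan", dst)
                if len(ports) >= port_threshold and key not in seen:
                    seen.add(key)
                    alerts.append({"src": src, "kind": "port_scan", "target": dst,
                                   "count": len(ports), "at": rec["ts"]})
            for dport, hosts in hosts_per_port.items():
                key = (src, "host_sweep", dport)
                if len(hosts) >= host_threshold and key not in seen:
                    seen.add(key)
                    alerts.append({"src": src, "kind": "host_sweep", "target": dport,
                                   "count": len(hosts), "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(build_sample_log()):
        print(f"{a['at']} {a['kind']} from {a['src']} -> {a['target']} (n={a['count']})")
```

The sample produces exactly two alerts (one scan, one sweep) and stays silent on the three benign retries, which is the balance any real rule has to strike: thresholds low enough to catch a slow, deliberate recon pass and high enough that ordinary retries don’t page anyone at 3 a.m. Tune the window and thresholds to your own traffic, and remember that a patient attacker will spread probes over hours and source addresses precisely to stay under them.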

Penetration testing is also a great investment – that’s where ethical hackers try to breach your systems so they can give you feedback on where your individual vulnerabilities lie. It’s totally safe (when done properly) and can be a real eye-opener!

Training is great – habit-forming is ideal

Nowadays, cyber awareness training workshops are essential. However, workshops alone won’t keep your business safe. True cyber-awareness is achieved when training becomes so embedded that doing the right thing just becomes habit.

However, this training and habit-forming needs to run far deeper than mere password etiquette and malware avoidance. Provide clear guidelines for your team around what information they can and can’t share about work on social platforms – especially ones like LinkedIn that link directly back to your organisation.

Consider the many ways that your company could be vulnerable to cyber espionage and formulate a plan of action should each of them happen. Include this in your cyber training and habit-forming so your team know exactly what to do if something suspicious does arise.

In conclusion

So if you want to avoid becoming the next cyber-victim, make recon difficult. The more data that hackers can discover about you – actively or passively, digitally or physically – the more harm they can do.

Want an expert view to help you outsmart the bad guys? Let our boffins investigate your setup!

You’re in safe hands with our cyber security team