The previous chapter gave you an overview of all the stages of the Cyber Kill Chain life cycle. This chapter will go into the first phase of the life cycle in depth—reconnaissance.

Reconnaissance is one of the most important stages of a threat life cycle, where attackers search for vulnerabilities that they can use to attack targets. In this stage, an attacker is interested in locating and gathering data to identify any loopholes in a target’s network, its users, or its computing systems. Reconnaissance is done both passively and actively, borrowing tactics that have been used by the military. It can be compared to sending spies into an enemy’s territory to gather data about where and when to strike. When reconnaissance is done in the right way, the target should not know that it is being done. This attack life cycle phase can be actualized in a number of ways, which are broadly classified as either external or internal reconnaissance.

This...

Also known as external footprinting, external reconnaissance involves the use of tools and techniques that help hackers find information about a target while operating outside the target’s network. This exercise is stealthy and can be quite hard to detect since some reconnaissance tools are built to be evasive to monitoring tools, and others use requests that appear to be quite normal to servers.

External reconnaissance differs from internal reconnaissance as it is conducted before a threat actor has actually infiltrated an organization (it can also be conducted as an attack of its own that doesn’t infiltrate an organization at all if the threat actor isn’t aiming to conduct an advanced persistent attack). In comparison, internal reconnaissance is conducted after a threat actor has already breached an organization, and is conducted within a target’s network to gather as much intel as possible about the organization and its members...

Unlike external reconnaissance attacks, internal reconnaissance is done on-site. This means that the attacks are carried out within an organization’s network, systems, and premises.

Mostly, this process is aided by software tools. An attacker interacts with the actual target systems in order to find out information about its vulnerabilities. This is the main difference between internal and external reconnaissance techniques.

External reconnaissance is done without interacting with the system, but by instead finding entry points through the people that work in an organization. That is why most external reconnaissance attempts involve hackers trying to reach users through social media, emails, and phone calls. Internal reconnaissance is still a passive attack since the aim is to find information that can be used in the future for an even more serious attack.

The main target of internal reconnaissance is the internal network of an organization...

There are many recon tools available on the internet. Some of them are commercial and very expensive and some of them are totally free. In this section, we will examine some of the many tools that are used for reconnaissance. However, before we go ahead and share some useful tools here, we would like to introduce you to some comprehensive archives that are updated regularly with even more tools and exploits. As such, we recommend you visit them regularly to keep on top of the latest trends:

• Exploit-DB: The Exploit Database is a repository for exploits and proofs of concepts rather than advisories, making it a valuable resource for those who need actionable data right away. The site hosts more than 10,000 exploits and sorts them into categories based on the operating system, shellcode, and so on.
• Seebug: Seebug.org is an open vulnerability platform based on vulnerability and proof of concept/exploit sharing communities. The site has 50...

While there are two different types of reconnaissance (internal and external) there are also two different ways a threat actor may approach reconnaissance—by actively engaging with a target/system themselves (active reconnaissance), or by passively allowing tools to gather intel about a target (passive reconnaissance).

Active reconnaissance entails a situation where the hacker directly interacts with the system. The hackers use such tools as automated scanners, manually testing the system, and other tools such as Netcat and ping. The aim of the active reconnaissance process is to obtain information about the system used by an organization. Active recon is known to be faster and more accurate compared to passive recon. However, it is also known to be much riskier for the hacker compared to the passive category as it tends to make more noise within the system, significantly increasing the chances of the hacker being detected within the system...

Stopping the success of the attacker during the reconnaissance stage is crucial to stopping attacks before they develop further. If an attacker does not gain access to critical details about a system, they will end up using either trial and error methods or basing their plans on guesswork. For major attacks, such as advanced persistent attacks that cost huge sums of money to plan, the attackers cannot afford to use uncertain information to make major plans that may end up costing them a lot of money in the end. Therefore, thwarting attacker efforts at the beginning will help to either delay the attacks happening or stop the attacks altogether.

The best way to combat the successful completion of reconnaissance by attackers is to completely understand your network as an organization. You need to know details such as:

• All the technologies that are used in the system and the network
• Any possible cracks within the system

The best...

The process of reconnaissance is the first stage of an attack that hackers will use to determine what kind of effort or tools they will need to access the system. A successful reconnaissance stage allows the hackers to effectively plan their attacks. Without the information the hackers obtain at this stage, it will force them to use trial and error methods, which will greatly increase their noise within the system or increase their chances of triggering alerts of the security systems in place to keep out attackers. Therefore, it is critical for an organization to find ways to prevent hackers from successfully carrying out reconnaissance procedures and determining essential details about the system that can help them better prepare to attack it.

Penetration testing is the solution that organizations can use to determine what an attacker can determine about the system during reconnaissance. Penetration testing is an ethical hacking procedure that is...

The reconnaissance stage of a cyber attack is a key determinant of the overall attack process. At this stage, hackers are normally seeking to find a lot of information about their targets. This information is used in the later stages of the attack process. There are two types of reconnaissance, external and internal. External reconnaissance, also referred to as external footprinting, involves finding as much information as possible about a target while outside its network.

The new tools used here include Webshag, FOCA, PhoneInfoga, and theHarvester. Internal reconnaissance, also referred to as post-exploitation reconnaissance, involves finding more information about a target within their network. Some of the new tools used include Airgraph-ng, Hak5 Plunder Bug, CATT, and canary token links. It is noteworthy that some of these tools have additional functionalities that go beyond doing basic scans. Internal reconnaissance tools will mostly yield richer information about...

• M. de Paula, One Man’s Trash Is... Dumpster-diving for disk drives raises eyebrows, U.S. Banker, vol. 114, (6), pp. 12, 2004. Available: https://search.proquest.com/docview/200721625.
• J. Brodkin, Google crushes, shreds old hard drives to prevent data leakage, Network World, 2017. [Online]. Available: http://www.networkworld.com/article/2202487/data-center/google-crushes--shreds-old-hard-drives-to-prevent-data-leakage.html. [Accessed: 19- Jul- 2017].
• Brandom, Russian hackers targeted Pentagon workers with malware-laced Twitter messages, The Verge, 2017. [Online]. Available: https://www.theverge.com/2017/5/18/15658300/russia-hacking-twitter-bots-pentagon-putin-election. [Accessed: 19- Jul- 2017].
• A. Swanson, Identity Theft, Line One, Collector, vol. 73, (12), pp. 18-22, 24-26, 2008. Available: https://search.proquest.com/docview/223219430.
• P. Gupta and R. Mata-Toledo, Cybercrime: in disguise crimes, Journal of Information Systems &...