Fundamentals of Reconnaissance
As an aspiring ethical hacker, penetration tester, or red teamer, reconnaissance plays an important role in helping cybersecurity professionals reduce organizations’ digital footprint on the internet. These digital footprints enable adversaries such as hackers to leverage publicly available information about a target to plan future operations and cyber-attacks. As more organizations and users are connecting their systems and networks to the largest network infrastructure in the world, the internet, access to information and the sharing of resources are readily available to everyone. The internet has provided the platform for many organizations to extend their products and services beyond traditional borders to potential and new customers around the world. Furthermore, people are using the internet to enroll and attend online classes, perform e-commerce transactions, operate online businesses, and communicate and share ideas with others.
Nowadays, using the internet is very common for many people. For instance, if an organization is looking to hire an employee to fill a new or existing role, the recruiter simply posts the job vacancy with all the necessary details that are needed for an interested candidate. This enables anyone with internet access to visit various job forums and recruiting websites to seek new career opportunities and easily submit an application via the online platform. Information that’s posted and available online enables adversaries to collect and leverage specific details about the targeted organization. Such details help hackers to determine the type of network infrastructure, systems, and services that are running on the internal network of a company without breaking in. This book will teach you all about how threat actors and ethical hackers are able to leverage publicly available information in planning future operations that lead to a cyber-attack.
During the course of this chapter, you will gain a solid understanding of the importance of reconnaissance from both an adversary and cybersecurity professional’s perspective, and why organizations need to be mindful when connecting their systems and network to the internet. Furthermore, you will learn the fundamentals of attack surface management, why it’s important to organizations, and how cybersecurity professionals use it to reduce the risk of a possible cyber-attack on their networks. Lastly, you will discover the tactics, techniques, and procedures that are commonly used by threat actors, adversaries, ethical hackers, and penetration testers during the reconnaissance phase of an attack.
In this chapter, we will cover the following topics:
- What is ethical hacking?
- Importance of reconnaissance
- Understanding attack surface management
- Reconnaissance tactics, techniques, and procedures
Let’s dive in!
What is ethical hacking?
The term hacking is commonly used to describe the techniques and activities that are performed by a person with malicious intentions, such as a hacker, to gain unauthorized access to a system or network. Since the early days of telephone systems, computers, and the internet, many people have developed a high level of interest in determining how various devices and technologies operate and work together. It’s quite fascinating that a person can use a traditional landline telephone to dial the telephone number of another person and establish a connection for a verbal conversation. The same applies to using a computer to send an email message to someone else, where the message is delivered to the intended recipient’s mailbox almost instantaneously compared to traditional postal operations.
Due to the curiosity of people around the world, the idea of disassembling a system to further understand its functions created the foundation of hacking. Early generations of hackers sought to understand how systems and devices work, and whether there was any flaw in the design that could be taken advantage of to alter the original function of the system. For instance, during the 1950s and 1960s in the United States, a security vulnerability was found in a telephone system that enabled users to manipulate/alter telephone signals to allow free long-distance calls. This technique was known as phreaking in the telecommunication industry. Specifically, a person could use whistles that operated at 2600 MHz to recreate the signals that were used as telephone routing signals, thus enabling free long-distance calling for anyone who exploited this flaw. Telecommunication providers eventually implemented a solution known as Common Channel Interoffice Signaling (CCIS) that separated the signaling from the voice channel. In this scenario, people discovered a security vulnerability in a system and exploited it to alter the operation of the system. However, the intention varied from one person to another, whether for fun, experimentation, or free long-distance calling.
The term vulnerability is commonly used to describe a security flaw or weakness in a system. An exploit is anything that can be used to take advantage of a security vulnerability. A threat is anything that has the potential to cause damage to a system. A threat actor or adversary is the person (or persons) responsible for a cyber-attack or for creating a threat.
A very common question that is usually asked is why someone would want to hack into another system or network. There are various motives behind each hacker, for instance, many hackers will break into systems for fun, to prove a point to others, to steal data from organizations, for financial gain by selling stolen data on the dark web, or even as a personal challenge. Whatever the reason is, hacking is illegal around the world as it involves using a computing system to cause harm or damage to another system.
While hacking seems all bad on mainstream media, it’s not all bad because cybersecurity professionals such as ethical hackers and penetration testers use similar techniques and tools to simulate real-world cyber-attacks on organizations’ networks with legal permission and intent to discover and resolve hidden security vulnerabilities before real cyber-attacks occur in the future. Ethical hackers are simply good people and are commonly referred to as white-hat hackers in the cybersecurity industry, who use their knowledge and skills to help organizations find and resolve their hidden security weaknesses and flaws prior to a real cyber-attack. Although threat actors and ethical hackers have similar skill sets, they have different moral compasses, with threat actors using their skills and abilities for malicious and illegal purposes and ethical hackers using their skills to help organizations defend themselves and safeguard their assets from malicious hackers.
The following are common types of threat actors and their motives:
- Advanced Persistent Threat (APT) groups – The members of an APT group design their attacks to be very stealthy and undetectable by most threat detection systems on a targeted network or system. The intention is to compromise the targeted organization and remain on its network while exploiting additional systems and exfiltrating data.
- Insider threats – This is an attacker who is inside the targeted organization’s network infrastructure. This can be a hacker who is employed within the company and is behind the organization’s security defense systems and has direct access to vulnerable machines. In addition, an insider threat can be a disgruntled employee who intends to cause harm to the network infrastructure of the company.
- State actors – These are cybersecurity professionals who are employed by a nation’s government to focus on national security and perform reconnaissance on other nations around the world.
- Hacktivists – These are persons who use their hacking skills to support a social or political agenda such as defacing websites and disrupting the availability of or access to web servers.
- Script kiddie – This type of hacker is a novice and lacks the technical expertise in the industry but follows the tutorials or instructions of experts to perform cyber-attacks on targeted systems. However, since this person does not fully understand the technicalities behind the attack, they can cause more damage than a real hacker.
- Criminal syndicates – This is an organized crime group that focuses on financial gain and each person has a specialized skill to improve the attack and increase the likelihood of success. Furthermore, this group is usually well funded to ensure they have access to the best tools that money can buy.
- White hat – These are cybersecurity professionals such as ethical hackers, penetration testers, and red teamers who use their skills to help organizations prevent cyber-attacks and threats.
- Gray hat – These are people who use their hacking skills for both good and bad. For instance, a gray hat threat actor could be a cybersecurity professional who uses their skills in their day job to help organizations and at night for malicious reasons.
- Black hat – These are typical threat actors who use their skills for malicious reasons.
Ethical hackers, penetration testers, and red team operators always need to obtain legal permission from authorities before engaging in simulating any type of real-world cyber-attacks and threats on their customers’ systems and network infrastructure, while ensuring they remain within scope. For instance, the following agreements need to be signed between the cybersecurity service provider and the customer:
- Non-Disclosure Agreement (NDA)
- Statement of Work (SOW)
- Master Service Agreement (MSA)
- Permission of Attack
The NDA is commonly referred to as a confidentiality agreement, which specifies that the ethical hacker, penetration tester, or red teamer will not disclose, share, or hold on to any private, confidential, sensitive, or proprietary information that was discovered during the security assessment of the customer’s systems and network infrastructure.
However, the SOW documentation usually contains all the details about the type of security testing that will be performed by the ethical hacker/service provider for the customer and the scope of the security testing, such as the specific IP addresses and ranges. It’s extremely important that ethical hackers do not go beyond the scope of security testing for legal reasons. Furthermore, the SOW will contain the billing details, duration of the security testing, disclaimer and liability details, and deliverables to the customer.
The MSA is a general agreement that contains the payment details and terms, confidentiality and work standards of the provider, limitations and constraints, and delivery requirements. This type of agreement helps the cybersecurity service provider to reduce the time taken for any similar work that needs to be provided to either new or existing customers. In addition, the MSA document can be customized to fit the needs of each customer as they may require unique or specialized services.
Permission of attack is a very important agreement for ethical hackers, penetration testers, and red teamers as it contains the legal authorization that is needed to perform the security testing on the customer’s systems and network infrastructure. Consider this agreement, in the form of a document, as the get-out-of-jail card that is signed by the legal authorities, which indicates the granting of permission to the service provider and its employee(s) who are performing ethical hacking and penetration testing services on the customer’s systems and network.
Mindset and skills of ethical hackers
Threat actors are always seeking new and advanced techniques to compromise their target’s systems and networks for illegal purposes. There are different types of hackers and groups around the world, and each of these has its own motive and rationale for their cyber-attacks:
- Personal accomplishment/challenge, such as proving they have the skills and capabilities to break into an organization and its systems
- Financial gain, such as stealing confidential data from organizations and selling it on various dark web marketplaces
- Supporting a social or political agenda such as defacing and compromising websites that are associated with a social/political movement
- Cyber warfare, such as compromising the Industrial Control Systems (ICS) that manage the critical infrastructure of a country
While there are many cybersecurity companies around the world that are developing and improving solutions to help organizations defend and safeguard their assets from cyber criminals, attacks, and threats, there’s also a huge demand for cybersecurity professionals in the industry. It’s already noticeable through mainstream media platforms that it’s only a matter of time before another organization is the target of threat actors. In an online article published by the World Economic Forum on January 21, 2015, What does the Internet of Everything mean for security?, the former executive chairman and CEO of Cisco Systems, John Chambers, said, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” Each day, this statement is becoming more evident, and more of a reality, as many companies are reporting data breaches, and some reports indicate attackers were living off the land, remaining inside the network for many days or even months, before the security incident was detected and contained.
The need for ethical hacking skills and knowledge is ever growing around the world, as leadership teams within small to large enterprises are realizing their assets need to be protected and that ethical hackers and penetration testers can help discover and remediate hidden security vulnerabilities, reduce the attack surface, and improve the cyber defenses of their company against cyber criminals and threats. Ethical hackers have the same skill set and expertise as malicious attackers such as threat actors; however, the difference is their intention. Ethical hackers have a good moral compass and choose to use their skills for good reasons, whereas threat actors use their skills and knowledge for bad reasons, such as causing harm and damage to systems for illegal purposes. The following are foundational technical skills for an ethical hacker:
- Administrative-level skills with various operating systems such as Windows and Linux
- Solid foundational knowledge of networking, such as routing and switching
- Understanding the fundamentals of common security principles and best practices
- Familiar with programming languages such as Go and Python, and scripting languages such as Bash and PowerShell
- Familiarity with virtualization, containerization, and the cloud
While the preceding list of foundational skills seems a bit intimidating, always remember that the field of cybersecurity and learning is like a marathon and not a sprint. It’s not how quickly you can learn something, but ensuring you’re taking the time you need to fully understand and master a topic. In addition to technical skills, the following qualities are important for an ethical hacker:
- Being proficient in oral and written communication between technical and non-technical persons
- Being an out-of-the-box thinker
- Being self-motivated and driven to learn about new topics and expand knowledge
- Ensuring you understand the difference between using knowledge for good and bad intentions
Ethical hackers use the same techniques, tools, and procedures as real threat actors to meet their objectives and discover hidden security vulnerabilities in systems. There’s a proverb that says if you want to catch a thief, you need to think like one. This proverb applies to ethical hacking – if you want to find the security vulnerabilities that real hackers are able to discover and exploit, then you need to adapt your mindset while using the same techniques, tools, and procedures to help you do the same, with legal permission and good intentions.
Figure 1.1 – Stages of hacking
As shown in the preceding diagram, ethical hackers and threat actors start with reconnaissance on their target, then move on to scanning and enumeration, then onward to gaining access and establishing a foothold in the system by maintaining access, and then covering tracks to remove any evidence of an attack. Since this book is based on the concept of Reconnaissance for Ethical Hackers, we’ll focus on reconnaissance, scanning, and enumeration during the course of it.
The importance of reconnaissance
The first phase of ethical hacking is reconnaissance – the techniques and procedures that are used by the ethical hacker to collect as much information as possible about the target to determine their network infrastructure, cyber defenses, and security vulnerabilities that can be compromised to gain unauthorized access and improve attack operations accordingly. From a military perspective, reconnaissance plays an important role in planning and launching an attack on a target. Collecting information about the target helps the attacker to determine the points of entry, type of infrastructure, assets owned, and the target’s strengths and weaknesses.
To put it simply, reconnaissance helps ethical hackers to gain a deeper understanding of an organization’s systems and network infrastructure before launching an attack. The collected information can be leveraged to identify any security vulnerabilities that can be exploited, thus enabling the ethical hacker to compromise and gain a foothold in the targeted systems. For instance, using reconnaissance techniques enables the ethical hacker to identify any running services and open ports and the service and software versions on a system, all of which can be used to identify and determine potential attack vectors on the target.
In addition, using reconnaissance techniques such as Open Source Intelligence (OSINT) enables the ethical hacker to passively collect information about their target that’s publicly available on the internet. Such information may contain usernames, email addresses, and job titles of employees of the targeted organization. This information can be leveraged to create various social engineering attacks and phishing email campaigns that are sent to specific employees within the targeted company.
The following screenshot shows an example of employees’ information that’s publicly available on the internet:
Figure 1.2 – Employees’ data
As shown in the preceding screenshot, these are various employees of a specific organization. Their names, email addresses, and job titles are publicly known on the internet. A threat actor could look for patterns in their email addresses to determine the format that’s used for all employees of the company. For instance, let’s imagine there’s an employee whose name is John Doe and his email address is firstname.lastname@example.org and another employee is Jane Foster with an email address of email@example.com. This information shows a pattern and format for employees within the same organization: f is the initial letter of the person’s first name followed by their last name and the company’s domain name. Such information can help an ethical hacker to send phishing email campaigns to specific email addresses of high-profile employees of the targeted organization.
Reconnaissance helps organizations to reduce the risk of being compromised by a threat actor and improve their cyber defenses. By enabling an ethical hacker to perform reconnaissance techniques and procedures on an organization’s systems and network infrastructure, the organization can efficiently identify security vulnerabilities and take the necessary measures to remediate and resolve them before they are discovered and exploited by adversaries. Furthermore, reconnaissance helps organizations to both identify and keep track of potential threat actors, enabling the company to gain a better understanding of the cybersecurity threat landscape while implementing and improving proactive countermeasures to safeguard their assets, systems, and networks. Hence, reconnaissance is not only important to adversaries but cybersecurity professionals use the gathered information to help organizations.
Reconnaissance is divided into the following types:
- Passive reconnaissance
- Active reconnaissance
Passive reconnaissance enables the ethical hacker to leverage OSINT techniques to gather information that’s publicly available from various sources on the internet without making direct contact with the target. Common sources include the following:
- Job websites
- Online forums
- Social media platforms
- Company registry websites
- Public Domain Name System (DNS) servers
It’s important for ethical hackers to use similar techniques and procedures as adversaries during their security assessments to provide real-world experience to their customers. In addition, it also helps the organization to determine whether its security team and solutions are able to detect any security intrusions that are created by the ethical hacker. If the security team were unable to detect any actions that were performed during the ethical hacking and penetration testing assessment, it’s a good sign for the ethical hacker as their techniques were stealthy enough to bypass and evade any threat detection systems on the network. However, this means the organization’s security team needs to improve their threat monitoring and detection strategies and tune their sensors to catch any security-related anomalies.
Active reconnaissance involves a more direct approach by the threat actor and ethical hacker to gather information about the target. In active reconnaissance, the ethical hacker uses scanning and enumeration techniques and tools to obtain specific details about the targeted systems and networks. For instance, to determine running services and open ports on a server, the ethical hacker can use a network and port scanning tool such as Nmap to perform host discovery on a network. However, active reconnaissance increases the risk of triggering security sensors and alerting the security team about a possible reconnaissance-based attack being performed.
In the next section, you will learn how cybersecurity professionals, including ethical hackers, leverage the information that is collected during reconnaissance to help organizations improve their security posture and manage their attack surfaces.
Understanding attack surface management
The attack surface is simply the set of potential security vulnerabilities that can be exploited to gain access to a system, network, or organization using attack vectors. If organizations are unable to identify their security vulnerabilities and implement countermeasures, they are simply leaving themselves susceptible and exposed to cyber-attacks and threats. Attack Surface Management (ASM) is not a new discipline in the cybersecurity industry; rather, it’s a new focus for cybersecurity professionals and organizations around the world. ASM is a strategy used by cybersecurity professionals that enables them to focus on identifying, analyzing, and reducing the attack surface of an organization. Reducing the attack surface of an organization reduces the risk of being compromised by cyber-attacks and threats while safeguarding its assets, resources, and sensitive information.
Adopting ASM within an organization enables the security team to identify and prioritize security vulnerabilities based on their vulnerability score and potential impact. The Common Vulnerability Scoring System (CVSS) is commonly referenced within many vulnerability scanning tools to provide a vulnerability score between 0 and 10, where 0 is the least impact and 10 is critical. These scores help cybersecurity professionals to apply high priority and resources to remediate security vulnerabilities with higher severity.
For instance, the following screenshot shows the base metrics of the CVSS calculator:
Figure 1.3 – CVSS calculator
As shown in the preceding snippet, the metrics within the base score influence the vulnerability score. For instance, if an attacker can compromise a security vulnerability on a targeted system over a network, where the attack complexity is low and does not require any user interaction or escalated privileges, where the impact will greatly affect the confidentiality and integrity of the system, the CVSS calculator provides a vulnerability score of 9.4. Keep in mind, these scores are assigned to a vulnerability based on the criticality and impact on the system.
To learn more about the CVSS calculator, please see https://www.first.org/cvss/calculator/3.1.
The following snippet shows the results of a Nessus vulnerability scan, displaying the number of security flaws and their scores:
Figure 1.4 – Nessus scan results
As shown in the preceding snippet, the CVSS scores were referenced from the CVSS calculator.
It’s important to recognize that cybersecurity professionals may identify a security vulnerability that is critical to the operation of the organization and its business processes but has a low potential impact. There can be security vulnerabilities that are less critical to the operation of the business but have a greater potential impact if they’re exploited by a threat actor. Therefore, ASM helps organizations in prioritizing security vulnerabilities based on their impact levels while allocating their resources to remediating the most critical security vulnerabilities first.
Additionally, organizations that implement ASM are able to better identify and track changes to their attack surfaces. For instance, if an organization installs a new update to an existing system, this new update could introduce new security vulnerabilities and potentially change the attack surface, enabling a threat actor to use new techniques to compromise the system. Similarly, if an organization implements a new system or application on its network infrastructure, it has the potential of bringing new security flaws to the attack surface. However, ASM enables cybersecurity professionals to track changes that are being made to the attack surface of the organization while ensuring the security team is aware of any new security vulnerabilities that are introduced during this process. Furthermore, the organization can take the necessary actions to remediate these security vulnerabilities before they can be exploited by a threat actor.
Another benefit of ASM is its capability of helping organizations efficiently monitor their attack surface and identify any suspicious activities. This improves real-time threat detection and response within the company, enabling the security team to take immediate action to prevent, contain, or remediate the threat on systems and networks. Lastly, when ASM is implemented properly, it helps security teams to identify whether any malicious activities or threats that evaded security solutions have gone undetected on their systems and networks. The following are the key benefits of ASM:
- Reducing risk – Organizations that adopted ASM are able to identify and reduce their own attack surfaces, thereby reducing the risk of potential cyber-attacks and threats, and protecting their assets from threat actors. Hence, by identifying and remediating security vulnerabilities, it becomes more difficult for threat actors to compromise systems and gain a foothold.
- Prioritization – ASM helps companies to prioritize their resources to remediate security vulnerabilities that are more critical than others.
- Continuous monitoring – For organizations to ensure their attack surface is small, continuous monitoring and maintenance are needed. This helps both cybersecurity professionals and organizations to always be aware of any new security vulnerability that may exist, either due to a new implementation or an upgrade to a system, therefore, taking the necessary actions needed to mitigate any security vulnerabilities before they can be exploited.
- Improving incident response – ASM helps security teams to efficiently identify and respond to security incidents on their network in real time, as a result, reducing the impact and spread of a threat.
- Compliance – There are regulatory standards and frameworks that are needed within organizations that operate in certain industries. For instance, organizations that operate in the payment card industry need to ensure their systems and networks are compliant with the Payment Card Industry Data Security Standard (PCI DSS). Being compliant means the organization’s systems and networks have the specific security controls in place to ensure data is protected.
- Cost-effectiveness – Since ASM helps organizations to improve the identification and remediation of security vulnerabilities, it reduces the risk of data breaches and increases the availability of systems that are critical to the organization.
The following are key steps that organizations and cybersecurity professionals can use to get started with ASM:
- Asset management – Ensure all assets within your organization are properly tracked and entered into your inventory. These may include computers, servers, applications, and mobile devices. This helps organizations to better understand which assets are to be protected and identify security flaws in them.
- Identifying and mapping the attack surface – At this stage, the cybersecurity professionals are to identify security vulnerabilities and map the attack surface of the organization. This stage includes potential attack vectors that could be used to deliver an exploit and points of entry such as open ports and vulnerable running services on systems and networks.
- Assessing risk – This stage focuses on assessing the risk of each security vulnerability and its impact on the organization. This phase helps with prioritizing and focusing on the most critical security vulnerabilities, then on less critical vulnerabilities.
- Implementing security controls – This phase focuses on implementing security controls and solutions to remediate and mitigate security vulnerabilities that were identified in the previous stages. Here, the security team will implement network security devices, threat monitoring and prevention solutions, network segmentation, and so on.
- Monitoring and maintenance – For ASM to be effective, continuous monitoring of all assets, systems, and devices is required. It’s important to continuously monitor and maintain security controls that are responsible for mitigating cyber-attacks and threats from exploiting security vulnerabilities. In addition, continuous monitoring and maintenance help ensure security controls are effective in safeguarding the assets of the organization.
- Continuously perform reconnaissance – To identify new security vulnerabilities on the attack surface, organizations need to continuously perform reconnaissance on their assets, systems, and network infrastructure. Once new security vulnerabilities are identified, the lifecycle of ASM is repeated, taking the necessary steps to mitigate the security risk.
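The identifying/mapping, assessing, and continuous reconnaissance steps above can be supported by comparing each new scan of your own assets with the previous one and with the asset inventory. The following Python example is added here and is not from the book; the hosts, ports, and versions are constructed sample data, and the approved-exposure set stands in for the asset inventory.

```python
"""Attack-surface change tracking between two reconnaissance snapshots.

Added example, not from the book. Each snapshot holds what a network scanner
reported for the organization's own assets: one record per (host, port,
protocol) with the service and version observed. Diffing consecutive
snapshots against the asset inventory surfaces what a security team needs
after every scan cycle: new points of entry, exposures that disappeared,
version changes that may have altered the attack surface, and anything
exposed that the inventory never approved.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    proto: str
    service: str
    version: str

    @property
    def key(self):
        """Identity of an exposure; service and version may change under it."""
        return (self.host, self.port, self.proto)


def index(snapshot):
    """Map each exposure by key; a duplicate key means the scan data is bad."""
    out = {}
    for e in snapshot:
        if e.key in out:
            raise ValueError(f"duplicate record for {e.key}")
        out[e.key] = e
    return out


def diff_attack_surface(previous, current, approved):
    """Compare two snapshots and check the current one against the inventory.

    approved: set of (host, port, proto) that the asset inventory says may be
    exposed. Anything exposed but not approved is reported as unauthorized so
    it can be closed, or added to the inventory after review.
    """
    prev, curr = index(previous), index(current)
    new = [curr[k] for k in curr.keys() - prev.keys()]
    removed = [prev[k] for k in prev.keys() - curr.keys()]
    changed = [
        (prev[k], curr[k])
        for k in prev.keys() & curr.keys()
        if (prev[k].service, prev[k].version) != (curr[k].service, curr[k].version)
    ]
    unauthorized = [e for e in current if e.key not in approved]
    return {
        "new": sorted(new, key=lambda e: e.key),
        "removed": sorted(removed, key=lambda e: e.key),
        "changed": sorted(changed, key=lambda pair: pair[0].key),
        "unauthorized": sorted(unauthorized, key=lambda e: e.key),
    }


def report(previous, current, approved):
    """Render the diff as one line per finding, most urgent class first."""
    d = diff_attack_surface(previous, current, approved)
    lines = [f"UNAUTHORIZED {e.host}:{e.port}/{e.proto} {e.service} {e.version}"
             for e in d["unauthorized"]]
    lines += [f"NEW          {e.host}:{e.port}/{e.proto} {e.service} {e.version}"
              for e in d["new"]]
    lines += [f"CHANGED      {a.host}:{a.port}/{a.proto} {a.version} -> {b.version}"
              for a, b in d["changed"]]
    lines += [f"REMOVED      {e.host}:{e.port}/{e.proto} {e.service} {e.version}"
              for e in d["removed"]]
    return lines


# Constructed sample snapshots (not a real network).
LAST_WEEK = [
    Exposure("web-01", 443, "tcp", "https", "nginx 1.24.0"),
    Exposure("web-01", 22, "tcp", "ssh", "OpenSSH 9.3"),
    Exposure("mail-01", 25, "tcp", "smtp", "Postfix 3.8"),
    Exposure("db-01", 5432, "tcp", "postgresql", "15.3"),
]
THIS_WEEK = [
    Exposure("web-01", 443, "tcp", "https", "nginx 1.26.0"),  # upgraded
    Exposure("web-01", 22, "tcp", "ssh", "OpenSSH 9.3"),
    Exposure("web-01", 8080, "tcp", "http", "Jenkins 2.440"),  # newly exposed
    Exposure("mail-01", 25, "tcp", "smtp", "Postfix 3.8"),
    # db-01:5432 is no longer reachable from the scanner's vantage point
]
# What the asset inventory says should be reachable (constructed).
APPROVED = {
    ("web-01", 443, "tcp"), ("web-01", 22, "tcp"),
    ("mail-01", 25, "tcp"), ("db-01", 5432, "tcp"),
}

if __name__ == "__main__":
    for line in report(LAST_WEEK, THIS_WEEK, APPROVED):
        print(line)
```

A removed exposure that the inventory still approves (db-01 here) is worth a follow-up too, since it can mean a scanner blind spot rather than a genuine reduction of the attack surface.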
In addition to using the preceding key steps, there are several tools that will help both cybersecurity professionals and organizations with ASM:
- Vulnerability scanners – These are specialized, automated tools that help cybersecurity professionals identify security vulnerabilities in a system and provide recommendations on how to remediate the issue. Furthermore, these tools provide severity ratings, vulnerability scores, and potential impact.
- Network scanners and mappers – This type of tool helps cybersecurity and networking professionals to determine live hosts, open service ports, and running applications on host devices. In addition, they help organizations to map their entire network infrastructure and identify unauthorized devices that are connected to the company’s network.
- Configuration management tools – This type of tool helps organizations track and manage their configurations on systems and networks. It also helps cybersecurity professionals to identify new security vulnerabilities such as misconfigurations that are introduced onto a device after a new change.
- Application security testing tools – These are specialized tools that are commonly used by cybersecurity professionals to perform security testing on applications and software to identify any unknown security flaw.
- Attack Surface Reduction (ASR) tools – These tools are designed to help organizations reduce their attack surfaces. They work by identifying and denying malicious network traffic and by disabling unnecessary services and protocols on systems.
- Risk management tools – Risk management tools enable organizations to both track and manage the risk associated with their attack surface. Furthermore, these tools help cybersecurity professionals to monitor the effectiveness of the security controls that are in place to prevent cyber-attacks and threats.
- Security Information and Event Management (SIEM) – This is a security solution that collects, aggregates, and analyzes security-related log messages generated from systems and devices within an organization to identify any potential cyber-attack and threat in real time.
While these tools are simply recommendations, it’s important to remember that no single tool has the capability of providing complete coverage of the attack surface of an organization. Therefore, a combination of different tools, techniques, and procedures is required to ensure the organization can effectively manage its attack surface. Furthermore, as many tools are software-based, it’s important that they are regularly updated to ensure they have the capability of detecting the latest security vulnerabilities and threats in the industry.
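The monitoring and continuous-reconnaissance steps above come down to one recurring check: does what is exposed today still match what the organization believes is exposed? The following is an added example (not code from the book) that compares a baseline inventory of internet-facing services with the result of a fresh scan and reports drift. The hostnames, banners, and the list of high-risk ports are constructed for illustration; in practice the current inventory would be loaded from a network scanner’s export.

```python
"""Attack-surface drift check: compare a baseline inventory of an
organization's internet-facing services with the result of a fresh
reconnaissance run and report what changed.

Added example, not code from the book. Hosts, banners and the high-risk
port list are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str    # hostname or IP of the exposed asset
    port: int
    proto: str   # "tcp" or "udp"
    banner: str  # service/version string as observed by the scanner


# Constructed baseline: what the organization believes is exposed.
BASELINE = {
    Service("www.example.com", 443, "tcp", "nginx/1.24"),
    Service("www.example.com", 80, "tcp", "nginx/1.24"),
    Service("mail.example.com", 25, "tcp", "Postfix"),
}

# Constructed current scan: an unknown host appeared, an admin port was
# opened on the mail server, and the web server version changed.
CURRENT = {
    Service("www.example.com", 443, "tcp", "nginx/1.25"),
    Service("www.example.com", 80, "tcp", "nginx/1.25"),
    Service("mail.example.com", 25, "tcp", "Postfix"),
    Service("mail.example.com", 3389, "tcp", "ms-wbt-server"),
    Service("dev.example.com", 22, "tcp", "OpenSSH_9.6"),
}

# Constructed policy: ports that should never be internet-facing.
HIGH_RISK_PORTS = {21, 23, 445, 1433, 3306, 3389, 5900}


def _key(svc):
    return (svc.host, svc.port, svc.proto)


def diff_attack_surface(baseline, current):
    """Return (severity, message) findings describing the drift."""
    base = {_key(s): s for s in baseline}
    cur = {_key(s): s for s in current}
    known_hosts = {s.host for s in baseline}
    findings = []
    for k, svc in sorted(cur.items()):
        where = f"{svc.host}:{svc.port}/{svc.proto}"
        if svc.host not in known_hosts:
            # An asset the inventory did not know about at all.
            findings.append(("high", f"unknown asset {where} ({svc.banner})"))
        elif k not in base:
            sev = "high" if svc.port in HIGH_RISK_PORTS else "medium"
            findings.append((sev, f"new exposure {where} ({svc.banner})"))
        elif base[k].banner != svc.banner:
            findings.append(("low", f"banner changed on {where}: "
                                    f"{base[k].banner} -> {svc.banner}"))
    for k, svc in sorted(base.items()):
        if k not in cur:
            findings.append(("info", f"no longer exposed {svc.host}:{svc.port}/{svc.proto}"))
    return findings


def severity_counts(findings):
    """Tally findings by severity for a dashboard or ticket summary."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, msg in diff_attack_surface(BASELINE, CURRENT):
        print(f"[{sev}] {msg}")
```

Run on the constructed data, the check raises two high findings (the unknown `dev` host and RDP newly exposed on the mail server) and two low findings (the web server version change). The point of keeping a baseline is that each run of the ASM lifecycle produces a small, reviewable delta instead of a full scan report that nobody reads.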
In the next section, you will learn about the tactics, techniques, and procedures that are used by adversaries during the reconnaissance phase of a cyber-attack.
Reconnaissance tactics, techniques, and procedures
As you have learned thus far, before an adversary launches an attack against an organization, they need to perform reconnaissance to gather as much information as possible on the target to determine its attack surface (points of entry). While there are many techniques that are used by both threat actors and ethical hackers, MITRE has created the well-known MITRE ATT&CK framework, which outlines the Tactics, Techniques, and Procedures (TTPs) of adversaries based on real-world events. These TTPs are commonly used by cybersecurity professionals, researchers, and organizations to both develop and improve their threat modeling and cyber defenses.
MITRE ATT&CK includes reconnaissance TTPs that help us to better understand the methods that are used by adversaries to collect information about their targets prior to launching an attack. These TTPs are also used by ethical hackers to efficiently identify security vulnerabilities and how a threat actor could compromise the attack surface of their client’s network infrastructure.
The following are common reconnaissance TTPs that are used by adversaries:
- Active scanning – During active scanning, adversaries use various scanning tools to collect information about the target that can be leveraged in future operations. These scanning tools send special probes to targeted systems and networks to determine live hosts, operating systems, open ports, and running services on the host machine. Active scanning is an active reconnaissance technique that involves scanning IP network blocks and public IP addresses of the target, vulnerability scanning to identify security weaknesses that can be exploited, and wordlist scanning to retrieve possible passwords for future password-based attacks against the target.
- Gathering victim host information – This technique enables the attacker to collect specific details about the target’s devices such as their hostnames, IP addresses, device types/roles, configurations, and operating systems. Additionally, the adversary is able to collect hardware, software, and client configuration details that can be used to improve the plan of attack. This technique involves a combination of active and passive reconnaissance: a threat actor can gain a lot of intelligence from OSINT alone and can then perform active reconnaissance to identify specific details that are not readily available on the internet.
- Gathering victim identity information – This technique focuses on collecting details about the target’s identity – personal data such as employees’ names, email addresses, job titles, and users’ credentials. This type of information can be collected using passive reconnaissance and leveraged for future social engineering attacks and gaining access to the target’s systems.
- Gathering victim network information – Adversaries can use passive reconnaissance techniques to collect information on the target’s network infrastructure such as IP ranges, domain names, domain registrar details (physical addresses, email addresses, and telephone numbers), and DNS records. However, active reconnaissance techniques will help the attacker to better identify the target’s network topology, networking devices, and security appliances. Such information helps the adversary to better understand the target’s network infrastructure.
- Gathering victim organization information – This technique enables adversaries to collect specific information about the target’s organization such as names of departments, business operations and processes, and employees’ roles and responsibilities. Such information can be collected using passive reconnaissance. Furthermore, adversaries use this technique to determine physical locations, business relations, and operating hours.
- Phishing for information – Adversaries send phishing email messages to employees of the target organization with the intention of tricking a victim into performing an action such as downloading and installing malware on their system or even revealing sensitive information such as their user credentials. Adversaries can use spear phishing services from online service providers, insert malicious attachments in email messages, and insert obfuscated links within the body of the email message. Since the attacker is using a direct approach, this is an active reconnaissance technique.
- Searching closed sources – The adversary may attempt to collect information about the target from closed sources, where the information is available on a paid subscription basis (passive reconnaissance). Such sources include threat intelligence vendors, whose private data about the target can be used to compromise it. Furthermore, adversaries can purchase information about the target from Dark Web marketplaces/black markets.
- Searching open technical databases – There are many public online sources that enable anyone to collect information about a target. This technique focuses on leveraging public information that can be used to improve the plan of attack against an organization. For instance, the adversary can leverage public DNS records, WHOIS data (domain registration details), digital certificates (help identify sub-domains), and public databases that contain IP addresses, open ports, and server banner details about the target. This is another passive reconnaissance technique to collect information about the target.
- Searching open websites and domains – Adversaries use this technique to search various online websites and platforms such as social media, internet search engines, and code repositories (such as GitHub) to collect information that can be used to compromise the target. Searching open websites and domains is another passive reconnaissance technique for collecting public information.
- Searching victim-owned websites – This technique is used by the adversary to search the target’s websites for any details that can be leveraged, such as organizational details, physical locations, email addresses of employees, high-profile employees, and even employees’ names and contact details. This is an active reconnaissance technique since the attacker establishes a direct connection to the target’s asset.
These are common strategies used by threat actors, and understanding them helps ethical hackers to efficiently identify security vulnerabilities within organizations. Additionally, keep in mind that reconnaissance TTPs are continuously expanding as adversaries develop new techniques and tools to compromise organizations. However, cybersecurity professionals and organizations can leverage reconnaissance TTPs to improve cyber defenses, identify and remediate security vulnerabilities, and reduce their attack surface and risk of a cyber-attack.
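Of the TTPs listed above, active scanning is the one that leaves a trace on the organization’s own perimeter, which is exactly what the SIEM described earlier is meant to catch. The following is an added example (not code from the book) of the kind of correlation rule a defender would write: it parses firewall log lines and flags a source that touches many ports on one host (a vertical scan) or the same port on many hosts (a horizontal sweep) within a time window. The key=value log format, the addresses, and the thresholds are constructed assumptions.

```python
"""Detect active scanning in firewall logs, the way a SIEM correlation
rule would flag the 'active scanning' reconnaissance technique.

Added example, not code from the book. The log format, the source and
destination addresses and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed key=value log format; adapt the pattern to the real firewall.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Return alerts as (kind, src, target, count).

    kind is 'vertical' when one source touches >= threshold distinct ports
    on one host within `window`, or 'horizontal' when one source touches
    the same port on >= threshold distinct hosts within `window`.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        flagged = set()  # avoid re-alerting on the same (kind, target)
        for i, e in enumerate(evs):
            # Sliding window: this source's events within `window` ending at e.
            start = e["ts"] - window
            recent = [x for x in evs[: i + 1] if x["ts"] >= start]
            ports_by_host = defaultdict(set)
            hosts_by_port = defaultdict(set)
            for x in recent:
                ports_by_host[x["dst"]].add(x["dport"])
                hosts_by_port[x["dport"]].add(x["dst"])
            for dst, ports in ports_by_host.items():
                if len(ports) >= threshold and ("vertical", dst) not in flagged:
                    flagged.add(("vertical", dst))
                    alerts.append(("vertical", src, dst, len(ports)))
            for port, hosts in hosts_by_port.items():
                if len(hosts) >= threshold and ("horizontal", port) not in flagged:
                    flagged.add(("horizontal", port))
                    alerts.append(("horizontal", src, port, len(hosts)))
    return alerts


def constructed_log():
    """Build a small constructed log: benign traffic, one vertical scan,
    one horizontal sweep, and one slow probe that stays under the window."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{ts} src={src} dst={dst} dport={port} proto=tcp action={act}"

    def line(offset, src, dst, port, act):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return fmt.format(ts=ts, src=src, dst=dst, port=port, act=act)

    lines = []
    # Benign: a workstation repeatedly reaching one HTTPS service.
    lines += [line(i * 7, "192.0.2.10", "198.51.100.5", 443, "allow") for i in range(5)]
    # Vertical scan: 15 ports on one host within 15 seconds.
    probe_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]
    lines += [line(1 + i, "203.0.113.7", "198.51.100.20", p, "deny")
              for i, p in enumerate(probe_ports)]
    # Horizontal sweep: port 445 across 12 hosts within 12 seconds.
    lines += [line(2 + i, "203.0.113.9", f"198.51.100.{30 + i}", 445, "deny") for i in range(12)]
    # Slow probe: 12 ports, 90 seconds apart; each 60 s window sees one event.
    lines += [line(3 + i * 90, "203.0.113.11", "198.51.100.40", p, "deny")
              for i, p in enumerate(probe_ports[:12])]
    lines.append("this line is not in the expected format")  # exercises the parser's None path
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for kind, src, target, count in detect_scans(SAMPLE_LOG):
        print(f"{kind} scan from {src} -> {target} ({count} within window)")
```

On the constructed log, the rule raises exactly two alerts: the vertical scan from 203.0.113.7 and the 445/tcp sweep from 203.0.113.9. The slow probe from 203.0.113.11 is not flagged with the default 60-second window, which is the caveat a practitioner should take from this: fixed-window rules are easy to stay under, so they are complemented with longer-baseline counts per source (for example, distinct ports per source per day) and with the asset inventory, since probes against ports the organization knows are closed are themselves a useful signal.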
In this chapter, you have learned the importance of ethical hacking and how it helps organizations to improve their security posture. You have also discovered why threat actors spend a lot of time collecting information about their targets and how it can be leveraged to identify security vulnerabilities. Furthermore, you have learned why ethical hackers use similar techniques and strategies to help organizations identify and remediate their security vulnerabilities before a real cyber-attack occurs.
In addition, you have explored the need for attack surface management within the cybersecurity industry and how it helps organizations improve their defenses against cyber-attacks and threats. Lastly, you have gained an insight into reconnaissance TTPs that are commonly observed around the world, since they help security professionals and organizations to improve their threat modeling and strategies in safeguarding their assets from cyber criminals.
I hope this chapter has been informative for you and helpful on your journey in the cybersecurity industry. In the next chapter, Setting Up a Reconnaissance Lab, you will learn how to construct a security lab environment that will be safe for performing active reconnaissance and vulnerability assessments on your personal computer.
- Basics of footprinting and reconnaissance: https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/basics-footprinting-reconnaissance/
- Attack surface management: https://www.crowdstrike.com/cybersecurity-101/attack-surface-management/
- MITRE Reconnaissance: https://attack.mitre.org/tactics/TA0043/
- What does the Internet of Everything mean for security?: https://www.weforum.org/agenda/2015/01/companies-fighting-cyber-crime/