Step 0: Recon

What Recon Entails

Before launching any attack, adversaries gather intelligence on their target. This falls into two categories: passive recon, which never touches the target's own systems (browsing public websites, scraping LinkedIn, reading job postings, running WHOIS lookups) and therefore leaves nothing in the target's logs; and active recon, which directly probes the target's systems through port scanning and banner grabbing and so produces traffic the target can observe. Social media is a goldmine for attackers: employees often unknowingly reveal technology stacks, org structures, and internal processes. Defenders can limit exposure through regular external attack surface assessments, employee awareness training, and minimizing publicly visible technical detail.

Passive Recon (OSINT)

Passive recon, often referred to as open-source intelligence (OSINT), takes many forms, all of which revolve around gathering information that is already publicly available without ever contacting the target's systems. This can include:

  • Google dorking, i.e. using search-engine operators such as site:, filetype:, and inurl: to surface indexed pages and documents the target never meant to advertise
  • Checking public records, such as WHOIS registrations, DNS entries, and corporate filings
  • Monitoring employees' activity on social media for mentions of tools, vendors, and internal projects

Active Recon

Active recon, as opposed to passive recon, involves sending traffic to the target's own systems. Tools like nmap probe target hosts to discover which ports are open and what services answer on them, and banner grabbing reads the greeting a service sends on connect (an SSH or SMTP version string, for example) to identify the software and version in use. Because this generates traffic to the target, defenders can detect it: a port scan shows up in firewall and flow logs as a single source connecting to many different ports in a short window, often with a high proportion of refused connections, and IDS sensors or packet captures will record the individual probes.
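As an added example (not code from the original page), the following Python script plays both sides of the active-recon exchange described above. It starts two constructed loopback listeners that imitate services which greet on connect (the SSH and SMTP banners are made up for the example), runs a TCP connect scan plus banner grab against those ports and a few closed ones, and then feeds the resulting connection records to a simple port-scan detector of the kind a defender would run over firewall or flow logs. The attacker address 10.0.0.99 and the "one source, many distinct ports" threshold are assumptions for illustration; in practice the records would come from the target's own sensors rather than from the scanner.

```python
"""Active recon against loopback services, and the defender's view of the same traffic."""
import socket
import socketserver
import threading
from collections import defaultdict

ATTACKER_IP = "10.0.0.99"  # constructed source address used in the fake connection log


class BannerHandler(socketserver.BaseRequestHandler):
    """Imitates a daemon that announces itself as soon as a client connects."""

    def handle(self):
        self.request.sendall(self.server.banner)


def start_fake_service(banner: bytes):
    """Start a loopback TCP listener that greets with `banner` (constructed stand-in for a real service)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), BannerHandler)
    srv.daemon_threads = True
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unused_port():
    """Bind to an ephemeral port and release it, so it is (almost certainly) closed when scanned."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan(host, ports, timeout=0.5, log=None):
    """TCP connect scan with banner grab.

    Returns {port: banner_or_None} for ports that accepted the connection.
    Every attempt, open or refused, is appended to `log` as (src_ip, dst_port, result);
    this stands in for what a firewall or flow sensor at the target would record."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:  # refused, timed out, or otherwise unreachable
                if log is not None:
                    log.append((ATTACKER_IP, port, "refused"))
                continue
            try:
                # Banner grab only works for protocols that speak first (SSH, SMTP, FTP ...);
                # HTTP would need a request sent before anything comes back.
                banner = s.recv(1024).decode(errors="replace").strip()
            except socket.timeout:
                banner = None
            results[port] = banner
            if log is not None:
                log.append((ATTACKER_IP, port, "open"))
    return results


def detect_scanners(records, min_ports=5):
    """Flag sources that contacted at least `min_ports` distinct destination ports.

    A normal client talks to one or two ports repeatedly; a connect scan fans out across many,
    and most of those attempts are refused. Threshold is an assumption for the example."""
    ports_by_src = defaultdict(set)
    for src, dport, _result in records:
        ports_by_src[src].add(dport)
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def demo():
    """Run the scan against two fake services plus four closed ports; return what each side saw."""
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")          # constructed banner
    smtp = start_fake_service(b"220 mail.example.com ESMTP Postfix\r\n")      # constructed banner
    open_ports = {ssh.server_address[1], smtp.server_address[1]}
    closed_ports = {unused_port() for _ in range(4)}
    traffic = []
    found = scan("127.0.0.1", sorted(open_ports | closed_ports), log=traffic)
    for srv in (ssh, smtp):
        srv.shutdown()
        srv.server_close()
    return found, traffic, open_ports


if __name__ == "__main__":
    found, traffic, _ = demo()
    for port, banner in sorted(found.items()):
        print(f"{port}/tcp open  {banner}")
    print("sources flagged as scanners:", detect_scanners(traffic))
```

The scanner learns the open ports and the self-announced software versions from the banners alone; the detector, looking only at (source, destination port, outcome) tuples, flags the same activity because the six probes came from one source against six different ports. Tuning `min_ports` and adding a time window is what separates this toy from a production rule, but the signal it keys on is the one the section describes.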