Reconnaissance for Ethical Hackers

By: Glen D. Singh
Overview of this book

This book explores reconnaissance techniques – the first step in discovering security vulnerabilities and exposed network infrastructure. It aids ethical hackers in understanding adversaries’ methods of identifying and mapping attack surfaces, such as network entry points, which enables them to exploit the target and steal confidential information. Reconnaissance for Ethical Hackers helps you get a comprehensive understanding of how threat actors are able to successfully leverage the information collected during the reconnaissance phase to scan and enumerate the network, collect information, and pose various security threats. This book helps you stay one step ahead in knowing how adversaries use tactics, techniques, and procedures (TTPs) to successfully gain information about their targets, while you develop a solid foundation on information gathering strategies as a cybersecurity professional. The concluding chapters will assist you in developing the skills and techniques used by real adversaries to identify vulnerable points of entry into an organization and mitigate reconnaissance-based attacks. By the end of this book, you’ll have gained a solid understanding of reconnaissance, as well as learned how to secure yourself and your organization without causing significant disruption.
Table of Contents (15 chapters)

Part 1: Reconnaissance and Footprinting
Part 2: Scanning and Enumeration

Reconnaissance tactics, techniques, and procedures

As you have learned thus far, before an adversary launches an attack against an organization, they need to perform reconnaissance to gather as much information as possible on the target to determine its attack surface (points of entry). While there are many techniques that are used by both threat actors and ethical hackers, MITRE has created its well-known MITRE ATT&CK framework, which outlines the Tactics, Techniques, and Procedures (TTPs) of adversaries that are based on real-world events. These TTPs are commonly used by cybersecurity professionals, researchers, and organizations to both develop and improve their threat modeling and cyber defenses.

MITRE ATT&CK includes reconnaissance TTPs that help us better understand the methods adversaries use to collect information about their targets prior to launching an attack. Ethical hackers also use these TTPs to efficiently identify security vulnerabilities and to understand how a threat actor could compromise the attack surface of their client’s network infrastructure.

The following are common reconnaissance TTPs that are used by adversaries:

  • Active scanning – During active scanning, adversaries use various scanning tools to collect information about the target that can be leveraged in future operations. These scanning tools send special probes to targeted systems and networks to determine live hosts, operating systems, open ports, and running services on the host machine. Active scanning is an active reconnaissance technique that involves scanning IP network blocks and public IP addresses of the target, vulnerability scanning to identify security weaknesses that can be exploited, and wordlist scanning to retrieve possible passwords for future password-based attacks against the target.
  • Gathering victim host information – This technique enables the attacker to collect specific details about the target’s devices such as their hostnames, IP addresses, device types/roles, configurations, and operating systems. Additionally, the adversary is able to collect hardware, software, and client configuration details that can be used to improve the plan of attack. This technique involves using a combination of both active and passive reconnaissance as a threat actor can gain a lot of intelligence from OSINT alone and can perform active reconnaissance to identify specific details that are not easily available on the internet.
  • Gathering victim identity information – This technique focuses on collecting details about the target’s identity – personal data such as employees’ names, email addresses, job titles, and users’ credentials. This type of information can be collected using passive reconnaissance and leveraged for future social engineering attacks and gaining access to the target’s systems.
  • Gathering victim network information – Adversaries can use passive reconnaissance techniques to collect information on the target’s network infrastructure such as IP ranges, domain names, domain registrar details (physical addresses, email addresses, and telephone numbers), and DNS records. However, active reconnaissance techniques will help the attacker to better identify the target’s network topology, networking devices, and security appliances. Such information helps the adversary to better understand the target’s network infrastructure.
  • Gathering victim organization information – This technique enables adversaries to collect specific information about the target’s organization such as names of departments, business operations and processes, and employees’ roles and responsibilities. Such information can be collected using passive reconnaissance. Furthermore, adversaries use this technique to determine physical locations, business relations, and operating hours.
  • Phishing for information – Adversaries send phishing email messages to employees of the target organization with the intention of tricking a victim into performing an action such as downloading and installing malware on their system or even revealing sensitive information such as their user credentials. Adversaries can use spear phishing services from online service providers, insert malicious attachments in email messages, and insert obfuscated links within the body of the email message. Since the attacker is using a direct approach, this is an active reconnaissance technique.
  • Searching closed sources – The adversary may attempt to collect information about the target from closed sources, where the information is available through a paid subscription (passive reconnaissance). Such sources include threat intelligence vendors, whose private data about the target can be used to compromise it. Furthermore, adversaries can purchase information about the target from Dark Web marketplaces/black markets.
  • Searching open technical databases – There are many public online sources that enable anyone to collect information about a target. This technique focuses on leveraging public information that can be used to improve the plan of attack against an organization. For instance, the adversary can leverage public DNS records, WHOIS data (domain registration details), digital certificates (help identify sub-domains), and public databases that contain IP addresses, open ports, and server banner details about the target. This is another passive reconnaissance technique to collect information about the target.
  • Searching open websites and domains – Adversaries use this technique to search various online websites and platforms such as social media, internet search engines, and code repositories (such as GitHub) to collect information that can be used to compromise the target. Searching open websites and domains is another passive reconnaissance technique for collecting public information.
  • Searching victim-owned websites – This technique is used by the adversary to search the target’s websites for any details that can be leveraged, such as organizational details, physical locations, email addresses of employees, high-profile employees, and even employees’ names and contact details. This is an active reconnaissance technique since the attacker establishes a direct connection to the target’s asset.

These are common strategies used by threat actors, and understanding them helps ethical hackers efficiently identify security vulnerabilities within organizations. Additionally, keep in mind that reconnaissance TTPs are continuously expanding as adversaries develop new techniques and tools to compromise organizations. However, cybersecurity professionals and organizations can leverage the same reconnaissance TTPs to improve their cyber defenses, identify and remediate security vulnerabilities, and reduce their attack surface and the risk of a cyber-attack.
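As an added example that is not part of the book, here is a small Python detector for the active scanning TTP described above, run over a constructed firewall-style connection log, to show how a defender can turn that TTP into a detection. The log format, field layout, 60-second window and thresholds are assumptions; it flags a source that probes many distinct ports on one host (vertical scan) or one port across many hosts (horizontal sweep) within the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, not real traffic: "timestamp src_ip dst_ip dst_port action".
# 203.0.113.7 scans six ports on one host; 198.51.100.5 hits port 445 on four hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 192.0.2.10 21 DENY
2024-05-01T10:00:01 203.0.113.7 192.0.2.10 22 ALLOW
2024-05-01T10:00:02 203.0.113.7 192.0.2.10 23 DENY
2024-05-01T10:00:02 203.0.113.7 192.0.2.10 80 ALLOW
2024-05-01T10:00:03 203.0.113.7 192.0.2.10 443 ALLOW
2024-05-01T10:00:03 203.0.113.7 192.0.2.10 3389 DENY
2024-05-01T10:05:00 198.51.100.5 192.0.2.11 445 DENY
2024-05-01T10:05:01 198.51.100.5 192.0.2.12 445 DENY
2024-05-01T10:05:01 198.51.100.5 192.0.2.13 445 DENY
2024-05-01T10:05:02 198.51.100.5 192.0.2.14 445 DENY
2024-05-01T10:07:00 192.0.2.50 192.0.2.10 443 ALLOW
"""

def parse_log(text):
    """Return sorted (time, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            ts, src, dst, port, _action = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
        except ValueError:  # wrong field count, bad timestamp or bad port
            continue
    return sorted(events)

def detect_scans(events, window=timedelta(seconds=60), port_thr=6, host_thr=4):
    """Flag a source that, within `window`, touches >= port_thr distinct ports on
    one host (vertical scan) or >= host_thr hosts on one port (horizontal sweep)."""
    findings, by_src = set(), defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    for src, evs in by_src.items():
        start = 0
        for end, (t, _, _, _) in enumerate(evs):
            while t - evs[start][0] > window:  # drop events older than the window
                start += 1
            ports_by_dst, dsts_by_port = defaultdict(set), defaultdict(set)
            for _, _, dst, port in evs[start:end + 1]:
                ports_by_dst[dst].add(port)
                dsts_by_port[port].add(dst)
            findings |= {(src, "vertical_port_scan", d)
                         for d, p in ports_by_dst.items() if len(p) >= port_thr}
            findings |= {(src, "horizontal_sweep", f"port {p}")
                         for p, d in dsts_by_port.items() if len(d) >= host_thr}
    return sorted(findings)
```

Real firewall logs need the thresholds tuned against normal traffic (vulnerability scanners and monitoring systems will trip these rules) and the findings allow-listed or enriched before they reach an analyst.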