In cyber security training, reconnaissance is usually classified into two categories: Passive Reconnaissance and Active Reconnaissance.
Although each domain has its own technologies, tools, and weapons, many shared concepts regarding offensive and defensive actions exist. Take, for example, the terms "red team" and "blue team"; both terms are borrowed from the military. As we dive further into offensive and defensive security, we come across more terms with roots in military manuals; examples include OPSEC and reconnaissance.
In this article, we will focus on the seven fundamentals of reconnaissance as explained in military manuals, and explore how they apply to cyber security. We list them below as found in the Army Techniques Publication (ATP) 3-21.8, paragraph 6-176:
- Ensure continuous reconnaissance
- Do not keep reconnaissance assets in reserve
- Orient on the reconnaissance objective
- Report information rapidly and accurately
- Retain freedom of maneuver
- Gain and maintain enemy contact
- Develop the situation rapidly
Let’s dive in!
1. Ensure continuous reconnaissance
The first fundamental teaches us that reconnaissance should be a continuous activity. Although reconnaissance is presented as the first step in the Cyber Kill Chain (shown below), this fundamental teaches us that reconnaissance does not end there; we can consider reconnaissance as an activity that commences when the red team starts learning about their target and continues until the operation is concluded.
Initially, as a red team, we conduct reconnaissance without any foothold on the network. We must realise that the reconnaissance stage does not end with what can be learned from afar without access. Consider the simple scenario where the red team successfully compromises a user's machine. Once we have access to that first system, we can reach many systems from which we were previously isolated. This opens new reconnaissance opportunities that were not available before; for instance, we might discover a local mail server or private systems not exposed to the public network. Consequently, with every new system discovered and exploited, more reconnaissance becomes feasible.
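The paragraph above says a foothold opens new reconnaissance, but much of that first post-compromise reconnaissance is passive: the host itself already records which internal systems its user talks to. The following added example (written for this article, not code from the original page or from any tool it mentions) harvests internal host names and addresses from three such artefacts. The file contents, host names and addresses are constructed samples for the demonstration; the artefact paths and the private address ranges are the only assumptions it makes about a Linux host.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed samples standing in for files read on a freshly compromised Linux host.
# They are made up for this example and do not come from any real engagement.
ETC_HOSTS = """\
127.0.0.1   localhost
10.10.5.20  mail.corp.local mail
10.10.5.21  wiki.corp.local
"""

KNOWN_HOSTS = """\
10.10.5.30 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotReal
jump.corp.local,10.10.9.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyNotReal
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherExampleNotReal
"""

BASH_HISTORY = """\
ssh deploy@10.10.7.15
curl http://intranet.corp.local:8080/status
psql -h db01.corp.local -U app
mysql -h 203.0.113.9 -u root
"""

# RFC 1918 ranges; assumed to be "internal" for the target in this example.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Dotted IPv4 address or a dotted DNS name appearing anywhere in a command line.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def classify(host):
    """Return 'loopback', 'internal', 'external' or 'name' for a harvested host string."""
    try:
        addr = ip_address(host)
    except ValueError:
        return "name"  # a DNS name: resolve it later from the foothold, not here
    if addr.is_loopback:
        return "loopback"
    return "internal" if any(addr in net for net in PRIVATE_NETS) else "external"


def parse_etc_hosts(text):
    found = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields:  # the address and every alias on the line
            found.setdefault(name, set()).add("/etc/hosts")
    return found


def parse_known_hosts(text):
    found = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("|1|"):
            continue  # hashed entries (HashKnownHosts yes) do not reveal the host
        for host in line.split()[0].split(","):
            found.setdefault(host, set()).add("~/.ssh/known_hosts")
    return found


def parse_history(text):
    found = {}
    for line in text.splitlines():
        for host in HOST_RE.findall(line):
            found.setdefault(host, set()).add("~/.bash_history")
    return found


SOURCES = [(parse_etc_hosts, ETC_HOSTS),
           (parse_known_hosts, KNOWN_HOSTS),
           (parse_history, BASH_HISTORY)]


def harvest(sources=SOURCES):
    """Merge the artefacts into {host: {"class": ..., "seen_in": [...]}}, dropping loopback."""
    merged = {}
    for parser, text in sources:
        for host, where in parser(text).items():
            kind = classify(host)
            if host == "localhost" or kind == "loopback":
                continue
            entry = merged.setdefault(host, {"class": kind, "seen_in": set()})
            entry["seen_in"] |= where
    return {h: {"class": e["class"], "seen_in": sorted(e["seen_in"])}
            for h, e in merged.items()}


if __name__ == "__main__":
    for host, info in sorted(harvest().items()):
        print(f"{info['class']:9} {host:24} {', '.join(info['seen_in'])}")
```

None of this generates a single packet, so it fits the zero-noise phase that precedes any internal scanning. The external address pulled from the shell history is kept but labelled, since it may be out of scope; the hashed `known_hosts` entry is skipped rather than guessed at.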
2. Do not keep reconnaissance assets in reserve
Do not hold reconnaissance assets back. This fundamental applies once the team has decided how much noise it may make, i.e., how much active reconnaissance is acceptable before gaining access to the target network, and again after gaining and expanding a foothold.
Hundreds of tools and online services can help in reconnaissance activities. Passive reconnaissance is part of any reconnaissance activity, as it allows us to gather considerable information without connecting to the target and potentially alerting the Security Operations Center (SOC). Active reconnaissance, on the other hand, involves connecting to the target systems and potentially leaving traces in their logs. Furthermore, some tools are noisy in the sense that they generate a large number of log entries. Before running a tool such as `gobuster` or `hydra`, we should ask ourselves whether we can tolerate causing hundreds or thousands of error messages on the target machines. We can configure a network scanner such as `nmap` to run very slowly so that the failed connection attempts are spread out over time; however, this does not mean it leaves no traces. In brief, we aim to use every reconnaissance tool at our disposal within the noise constraints the team has set.
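To make the "slow but still logged" point concrete, here is an added example (written for this article; it is not code from the original page and not how `nmap` itself is implemented) of a throttled TCP connect scan. It probes ports in random order with a jittered delay between attempts, which is the same idea as `nmap`'s `--scan-delay` and `--max-rate` options, and it reports an estimate of how many probes per minute a given pacing produces so the team can compare that with the noise budget it agreed on. The self-check scans two ports on the local machine only; the delays and thresholds are illustrative assumptions.

```python
import random
import socket
import time


def probes_per_minute(min_delay, max_delay):
    """Expected probe rate for a uniformly jittered gap between probes (seconds)."""
    mean_gap = (min_delay + max_delay) / 2
    return float("inf") if mean_gap == 0 else 60.0 / mean_gap


def throttled_connect_scan(host, ports, min_delay=0.5, max_delay=2.0, timeout=1.0, rng=None):
    """Probe each port with a full TCP connect, one at a time, in random order.

    Every attempt completes (or refuses) a real handshake, so every attempt can appear in
    the target's logs; the delay and jitter only spread those entries out in time.
    Returns ({port: 'open' | 'closed' | 'filtered'}, elapsed_seconds).
    """
    rng = rng or random.Random()
    order = list(ports)
    rng.shuffle(order)  # avoid the ascending-port sweep that scanners are known for
    results = {}
    start = time.monotonic()
    for i, port in enumerate(order):
        if i:
            time.sleep(rng.uniform(min_delay, max_delay))
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"  # RST received: host is up, port has no listener
            except OSError:
                results[port] = "filtered"  # timeout or unreachable: dropped or no host
    return results, time.monotonic() - start


def self_check():
    """Stand up one listening port and one freshly closed port on loopback, then scan both."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # port released, so a connect to it is refused
    try:
        results, elapsed = throttled_connect_scan(
            "127.0.0.1", [open_port, closed_port],
            min_delay=0.05, max_delay=0.15, rng=random.Random(7))
    finally:
        listener.close()
    return results, open_port, closed_port, elapsed


if __name__ == "__main__":
    print(f"pacing 0.5-2.0 s -> about {probes_per_minute(0.5, 2.0):.0f} probes/min")
    results, open_port, closed_port, elapsed = self_check()
    print(f"{open_port}: {results[open_port]}, {closed_port}: {results[closed_port]}, "
          f"{elapsed:.2f} s")
```

The rate estimate is the number to put beside the budget: at the default pacing a 1,000-port sweep of one host takes roughly 20 minutes and still writes up to 1,000 entries; spreading them out changes how easily they correlate, not whether they exist.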
3. Orient on the reconnaissance objective
Define clear objectives. Setting the objectives of our reconnaissance activities is the first step to consider once we have specified the targets within our scope, and is an indispensable step before proceeding. If we don't know the purpose of our reconnaissance activities, we might miss gathering valuable information, undermining the later steps.
In one scenario, the reconnaissance objectives include the physical network infrastructure, the registered domain names, and the versions of software running on the local servers. In another red team operation, the reconnaissance objective might focus solely on cloud services and authentication mechanisms. These are all examples of objectives, and they follow the agreed-upon scope.
4. Report information rapidly and accurately
This fundamental teaches us to provide accurate and timely information throughout the operation. For continuous reconnaissance to be impactful, we need effective communication between the team members to ensure information handover. As team members collect new information, they must hand it off to their peers so that everyone can utilise the newly gathered reconnaissance. Furthermore, the focus should be on speed and accuracy. Speed is a crucial factor, as a vulnerability will always end up either being patched or exploited; being on the red team, we prefer the latter.
5. Retain freedom of manoeuvre
In simple terms, we need to ensure adequate space to manoeuvre. A successful reconnaissance strategy should be flexible and suggest multiple attack vectors. In other words, if one attack is blocked, we can always plan another using a different approach. This flexibility can only be possible if we have conducted proper reconnaissance activities against our target.
6. Gain and maintain enemy contact
Since we are thinking from the perspective of a red team, the main form of contact is over the network. Social engineering might include direct contact, such as visiting the company while masquerading as an electricity maintenance specialist; however, the primary way of maintaining contact is electronic, i.e., over the network.
Throughout the different stages, the red team contact will change and evolve. In the beginning, it would be passive reconnaissance. Things are expected to progress as they gain a foothold on a target system, and finally, they might end up exfiltrating data, depending on the scope of the operation.
7. Develop the situation rapidly
This fundamental teaches that time is a critical factor. Many attacks cannot be carried out before the relevant reconnaissance has been completed. Furthermore, as the team gains access to target systems, new reconnaissance windows open, which in turn make new attacks possible.
For instance, we might come across the email and password of one of the users in the target client company. If the user shares the same password on several systems, then this password discovered via a recently leaked database might give us some access to the target network. For example, we might gain access to their email or even to their system via remote desktop or SSH. We expect the affected site to notify its users to change their passwords after a security breach; hence, time is essential here. The faster we take advantage of the situation, the higher our chances of success.
In more subtle cases, we must consider other factors that might affect our stealthy operation. For instance, if we gain access to a system over SSH, we can install `nmap` and scan other systems. However, this will increase the chances of getting noticed. The red team needs to decide beforehand how stealthy they want to be and how quickly they will take action when they discover a vulnerable system.
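The trade-off described in the last paragraph, and the noise question from fundamental 2, are easier to judge from the defender's side. The added example below (written for this article, not taken from the original page or from any SOC product) runs a simple scan detector over constructed firewall log lines: for each source address it counts the distinct destination/port pairs touched inside a sliding window and raises an alert when that count reaches a threshold. The log format, the addresses and the 60-second/10-target threshold are assumptions made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log in a made-up key=value format. 10.10.3.8 is ordinary
# traffic; 10.10.7.15 is a foothold running a quick internal port scan.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=10.10.3.8 dst=10.10.5.20 dport=25 action=ACCEPT
2024-03-01T10:00:05Z src=10.10.3.8 dst=10.10.5.21 dport=443 action=ACCEPT
2024-03-01T10:00:12Z src=10.10.7.15 dst=10.10.5.20 dport=22 action=ACCEPT
2024-03-01T10:00:12Z src=10.10.7.15 dst=10.10.5.20 dport=25 action=ACCEPT
2024-03-01T10:00:13Z src=10.10.7.15 dst=10.10.5.20 dport=80 action=REJECT
2024-03-01T10:00:13Z src=10.10.7.15 dst=10.10.5.20 dport=110 action=REJECT
2024-03-01T10:00:14Z src=10.10.7.15 dst=10.10.5.20 dport=143 action=ACCEPT
2024-03-01T10:00:14Z src=10.10.7.15 dst=10.10.5.20 dport=443 action=REJECT
2024-03-01T10:00:15Z src=10.10.7.15 dst=10.10.5.20 dport=445 action=REJECT
2024-03-01T10:00:15Z src=10.10.7.15 dst=10.10.5.20 dport=3306 action=REJECT
2024-03-01T10:00:16Z src=10.10.7.15 dst=10.10.5.21 dport=22 action=ACCEPT
2024-03-01T10:00:16Z src=10.10.7.15 dst=10.10.5.21 dport=80 action=ACCEPT
2024-03-01T10:00:17Z src=10.10.7.15 dst=10.10.5.21 dport=443 action=ACCEPT
2024-03-01T10:00:17Z src=10.10.7.15 dst=10.10.5.21 dport=8080 action=ACCEPT
2024-03-01T10:03:30Z src=10.10.3.8 dst=10.10.5.20 dport=25 action=ACCEPT
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, dport, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)


def load_sample():
    return list(parse_log(SAMPLE_LOG))


def detect_scanners(events, window=timedelta(seconds=60), threshold=10):
    """Sliding-window scan detection.

    For every source, keep the (dst, dport) pairs it touched within `window` and alert
    the first time the number of distinct pairs reaches `threshold`. Accepted and
    rejected connections both count: a scan is visible in either. Returns
    {src: (time_of_alert, distinct_targets_at_that_moment)}.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport))
    alerts = {}
    for ts, src, dst, dport, _action in sorted(events):
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop probes that fell out of the window
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (ts, n) in detect_scanners(load_sample()).items():
        print(f"ALERT {src}: {n} distinct dst:port pairs within 60 s, first seen at {ts:%H:%M:%S}")
```

With these settings the foothold trips the rule four seconds into its scan, while the ordinary host never exceeds two targets. Raising the threshold above the scan's size, or stretching the same probes over several windows, makes the rule go quiet, which is exactly the calculation the red team makes when it chooses how slowly to scan from a newly compromised host.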
Want to dive further into the fundamentals of reconnaissance? Our Network Security module explores passive and active reconnaissance, where you'll also learn how common protocols work and their attack vectors.