Summary
Reconnaissance is the first phase of most cyber attacks. Adversaries collect information to find weak points and plan entry. This guide explains common methods and the controls that reduce risk.
What is reconnaissance in cyber security?
Reconnaissance is the systematic gathering of information about a target. Attackers profile people, systems, and networks to uncover exploitable gaps. Security teams use similar techniques to assess exposure and close issues early.
Why it matters
Early detection stops intrusions before damage occurs. Small signals often precede an attack attempt. Reducing what is visible and monitoring for probes lowers your risk.
Types of reconnaissance
Passive reconnaissance
Attackers collect public information without touching your systems. They review websites, DNS and WHOIS records, job posts, and social media. They may mine breach dumps to map emails and tech stacks.
Active reconnaissance
Attackers interact with your assets to elicit responses. They run ping sweeps, port scans, and banner grabs. They probe web apps and APIs to learn versions and misconfigurations.
Common reconnaissance methods
OSINT and data aggregation
Adversaries compile data from public sources. Examples include subdomains, cloud buckets, IP ranges, and code snippets. The goal is a coherent picture of your external footprint.
Social engineering groundwork
Email formats and org charts help craft convincing pretexts. Attackers test who replies and which inboxes bounce. They validate phone numbers with short calls or texts.
DNS, WHOIS, and certificate clues
Zone data, TXT records, and certificate transparency logs reveal assets. Misplaced records expose staging hosts or forgotten services. Consistent hygiene reduces these leaks.
Port and service discovery
Scans reveal open ports and listening services. Follow-up probes identify versions and weak defaults. Rate-limited scans help attackers avoid noisy patterns.
Network mapping and OS fingerprinting
Timing, TTL, and stack quirks hint at device types. Traceroute variants outline network paths and controls. The map guides later lateral movement attempts.
Cloud and SaaS exposure checks
Attackers look for public storage, test keys, and over-permissive roles. They also review CI/CD endpoints and status pages. Shadow IT widens the attack surface.
Indicators of reconnaissance activity
Network-level signals
Short bursts of SYN packets across many ports suggest scanning. Repeated 404 or 403 codes on odd paths can indicate cataloguing. Geographically diverse probes in tight windows are suspect.
Host and user signals
Unusual authentication attempts against disabled users are a red flag. Repeated requests for non-existent files imply content discovery. Staff receiving odd validation emails is another sign.
Defences that work in practice
Reduce the attack surface
Inventory internet-facing assets. Remove orphaned hosts and default pages. Enforce least privilege for cloud roles and service accounts.
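The inventory step above, and the certificate transparency clue mentioned under "DNS, WHOIS, and certificate clues", can be turned into a routine check: reconcile the names that appear in public certificate logs against the asset inventory and flag anything unknown. This is an added example, not code from the original article; the records are constructed to mimic crt.sh-style JSON (a `name_value` field with newline-separated names) and the inventory set, domain names and risky-label list are assumptions.

```python
import re

# Constructed sample records in the shape crt.sh returns (not real log data).
CT_RECORDS = [
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "api.example.com", "name_value": "api.example.com"},
    {"common_name": "staging-api.example.com", "name_value": "staging-api.example.com"},
    {"common_name": "old-vpn.example.com", "name_value": "old-vpn.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\njenkins.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com"},
]
# Constructed inventory: the internet-facing assets the team believes it owns.
KNOWN_INVENTORY = {"example.com", "www.example.com", "api.example.com", "mail.example.com"}
# Labels that often mark staging hosts or forgotten services (assumed list).
RISKY_LABELS = re.compile(r"(^|[-.])(staging|stage|dev|test|old|uat|jenkins|ci)([-.]|$)")


def normalise(host):
    """Lower-case, drop a trailing dot and strip a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def names_from_ct(records):
    """Yield every normalised hostname listed in the certificate records."""
    for rec in records:
        for name in rec["name_value"].split("\n"):
            if name.strip():
                yield normalise(name)


def reconcile(records, inventory):
    """Compare observed names with the inventory; unknown names are the exposure gap."""
    observed = set(names_from_ct(records))
    known = {normalise(h) for h in inventory}
    unknown = sorted(observed - known)
    return {
        "unknown": unknown,
        "flagged": sorted(h for h in unknown if RISKY_LABELS.search(h)),
        "unknown_to_known": len(unknown) / len(known) if known else float("inf"),
    }


if __name__ == "__main__":
    for key, value in reconcile(CT_RECORDS, KNOWN_INVENTORY).items():
        print(f"{key}: {value}")
```

The `unknown_to_known` value is the unknown-to-known asset ratio; a falling ratio over successive runs shows the inventory catching up with what is publicly visible.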
Detect and disrupt
Enable IDS or NDR to alert on scan patterns. Rate limiting and tarpitting slow indiscriminate probes. Use deception assets like low-interaction honeypots to trip alarms.
Control exposure at the edge
Apply deny-by-default firewall policies. Filter management ports from the public internet. Place WAFs and API gateways in front of critical apps.
Hardening and patch discipline
Close unused ports and disable weak ciphers. Patch exposed services on a routine cadence. Replace default banners and suppress verbose error messages.
Segment and authenticate
Use network segmentation to constrain movement. Require MFA for admin paths and remote access. Isolate backups and monitoring from user subnets.
Monitor and respond
Aggregate logs in a SIEM for correlation and alerts. Track baselines for traffic and authentication. Rehearse playbooks for scan and probe scenarios.
Comparison of defensive approaches
| Approach | Key features | Best for |
| --- | --- | --- |
| External attack surface management | Continuous asset discovery, exposure checks | Finding unknown internet-facing assets |
| IDS/IPS or NDR | Signature and behaviour detection, blocking | Spotting scans and lateral recon |
| SIEM with UEBA | Log aggregation, anomaly detection | Correlating weak signals across systems |
| Vulnerability scanning | Port and service mapping, CVE checks | Prioritising patching on exposed hosts |
| Deception technology | Honeypots, honey credentials, alerts | Early warning with low false positives |
| Microsegmentation | Policy per workload, east-west control | Limiting blast radius and movement |
Conclusion
Reconnaissance thrives on visibility and silence. Shrink what attackers can see and raise fast, accurate alerts for what they try. Combine reduction, detection, and response to break the kill chain early.
FAQ
Is reconnaissance illegal?
It depends on intent and permission. Testing your own assets or with written consent is acceptable. Probing others without consent can breach laws and terms.
How do I detect port scanning in time?
Alert on rapid or distributed SYN attempts and connection failures. Correlate with unusual user agents, geographies, and denied paths.
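The signals listed under "Indicators of reconnaissance activity" and in this answer share one shape: a single source (or a whole source network, for distributed scans) touching many distinct ports or paths inside a short window. The detector below applies that one sliding-window rule to both firewall SYN events and web 404s. It is an added example, not code from the original article; the events, addresses, windows and thresholds are constructed, and real deployments would read the same fields from firewall and access logs.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample events (not real captures): (epoch, src_ip, kind, value).
# kind "syn" carries the destination port; kind "404" carries the requested path.
EVENTS = [
    (1000, "198.51.100.7", "syn", 22), (1001, "198.51.100.7", "syn", 23),
    (1001, "198.51.100.7", "syn", 80), (1002, "198.51.100.7", "syn", 443),
    (1002, "198.51.100.7", "syn", 3389), (1003, "198.51.100.7", "syn", 8080),
    (1050, "203.0.113.10", "syn", 443), (1051, "203.0.113.11", "syn", 22),
    (1052, "203.0.113.12", "syn", 3389), (1053, "203.0.113.13", "syn", 5900),
    (1054, "203.0.113.14", "syn", 1433), (1055, "203.0.113.15", "syn", 8443),
    (1100, "192.0.2.9", "404", "/backup/"), (1101, "192.0.2.9", "404", "/old/"),
    (1102, "192.0.2.9", "404", "/admin/"), (1103, "192.0.2.9", "404", "/config.bak"),
    (1104, "192.0.2.9", "404", "/.env"),
    (1200, "192.0.2.20", "404", "/favicon.ico"), (1500, "192.0.2.20", "404", "/favicon.ico"),
]


def fanout_alerts(events, kind, key_fn, window, threshold):
    """Return {key: peak distinct values} for keys reaching `threshold` distinct
    values of `kind` within any `window`-second span."""
    recent = defaultdict(deque)  # key -> (time, value) pairs still inside the window
    alerts = {}
    for ts, src, k, value in sorted(events, key=lambda e: e[0]):
        if k != kind:
            continue
        key = key_fn(src)
        q = recent[key]
        q.append((ts, value))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def port_scan_by_host(events):
    return fanout_alerts(events, "syn", lambda ip: ip, window=10, threshold=5)


def port_scan_by_subnet(events):
    # Distributed scans: many sources in one /24, each touching only one port.
    to_net = lambda ip: str(ipaddress.ip_network(ip + "/24", strict=False))
    return fanout_alerts(events, "syn", to_net, window=10, threshold=5)


def content_discovery(events):
    # Repeated 404s matter only when the paths differ; a missing favicon does not.
    return fanout_alerts(events, "404", lambda ip: ip, window=60, threshold=4)
```

Only the subnet view catches the second scan: no single 203.0.113.x host crosses the per-host threshold, which is why the answer above stresses correlating distributed attempts rather than counting per source alone.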
What is the difference between reconnaissance and scanning?
Reconnaissance is the broader information-gathering phase. Scanning is one active technique used within that phase.
How often should we scan our external footprint?
Run continuous discovery where possible. Supplement with weekly reviews and deeper monthly assessments.
Which ports should never be exposed publicly?
Avoid exposing administrative services like SSH, RDP, WinRM, and database ports. Use VPNs, jump hosts, or zero trust access instead.
Do small organisations need deception tools?
Not always. Start with inventory, patching, MFA, and logging. Add deception when basics are stable and coverage is strong.
What metrics show improvement against recon?
Track unknown-to-known asset ratio, time to close exposures, scan alert fidelity, and repeat probe rates by source.