Basic principles of reconnaissance

Reconnaissance, or recon, is the first step of the kill chain when conducting a penetration test or attack against a data target. This is conducted in before the actual test or attack of a target network. The findings will give a direction to where additional reconnaissance may be required, or the vulnerabilities to attack during the exploitation phase.

Reconnaissance activities are segmented on a gradient of interactivity with the target network or device.

Passive reconnaissance does not involve direct interaction with the target network. The attacker's source IP address and activities are not logged (for example, a Google search for the target's e-mail addresses). It is difficult, if not impossible, for the target to differentiate passive reconnaissance from normal business activities.

In general, passive reconnaissance focuses on the business and regulatory environment, the company, and the employees. Information of this type is available on the Internet or other public sources, and is sometimes referred to as open source intelligence, or OSINT.

Penetration testers or attackers generally follow a process of structured information gathering, moving from a broad scope (the business and regulatory environments) to the very specific (user account data).

To be effective, testers should know exactly what they are looking for and how the data will be used before collection starts. Using passive reconnaissance and limiting the amount of data collected minimizes the risks of being detected by the target.