Understanding How Hackers Recon


Cyber-attacks keep increasing and evolving but, regardless of the degree of complexity used by hackers to gain access, get a foothold, cloak their malware, execute their payload or exfiltrate data, their attack will begin with reconnaissance. They will do their utmost to uncover exposed assets and probe their target’s attack surface for gaps that can be used as entry points.

So, the first line of defense is to limit the potentially useful information available to a potential attacker as much as possible. As always, the tug of war between operational necessity and security concerns needs to be taken into account, which requires a better understanding of the type of information typically leveraged.

What information are hackers looking for during recon?

When running recon on an organization, hackers – whether white or black hats – are “casing a joint.” To plan their attack, they will try and uncover as much information as possible about:

Your infrastructure

  • The types of technologies you use – As there is no flawless technology, learning about those used to build and manage your infrastructure is hackers’ first step. They aim to find vulnerabilities to penetrate your infrastructure and shield themselves from detection. Hackers can gain information about your technologies and how they are used through listening to conversations in tech forums. DevOps participating in such discussions should refrain from divulging their real identity or information that might identify the organization.
  • Your internet-facing servers – servers hold your organization’s vital information. Hackers will attempt to find vulnerabilities ranging from unused or unpatched services to open ports.
  • Any system used as a server on a public network is a target, so system administrators must be extra vigilant in:
    • Keeping all services current
    • Opting for secure protocols whenever possible
    • Limiting the type of network per machine to a strict minimum, preferably one per machine
    • Monitoring all servers for suspicious activity
  • Your Operating System (OS) – Each OS has its own vulnerabilities. Windows, Linux, Apple, and other OS vendors regularly publish newly uncovered vulnerabilities and patches. Cyber-attackers exploit this publicly available information once they know which OS you use.
  • For example, a forum conversation where Joe Blog, your accountant, explains how to use a function on a Windows 8 Excel Spreadsheet tells the hacker that Joe Blog uses Windows and has not updated his OS for ages.
  • This tidbit encourages the cyber-attacker to dig further as, if an employee with access to your organization’s financial information is allowed to work on an endpoint that is rarely, if ever, updated, employees’ endpoint security is lax.
  • Your security maturity – Hackers are humans and, as such, tend to be lazy. A hacker on a recon mission who finds out that you are using an XSPM (Extended Security Posture Management) platform knows that, even if there is an exploitable entry point, escalation will be hampered at every step, and achieving the malicious action will require a superior level of planning. This discourages most potential cyber-attackers.
  • Email addresses – as the human mind is the hardest software to upgrade and patch, phishing remains the number one penetration vector for hackers. Though some email addresses, such as info, support, sales, etc., must be public, employees’ personal email can be leveraged by hackers for generic phishing messages and spear phishing.
  • Usernames & passwords – Darknet hackers’ shopping malls are full of credentials for sale at ridiculously low prices, hence the recommendation to change your password regularly.
  • For system admin and other users with high privilege access, maintaining stellar password hygiene – and MFA! – is an absolute must as, should their credentials fall into the hands of a hacker, the entire system could be irremediably compromised.

Can you spot a hacker recon?

Forewarned is forearmed, so it is a good idea to listen for signs of hostile recon activity. Recon activity can be classified into two categories:

  • Active recon: hackers using tools or spyware to peek into your system. This should trigger alerts from properly configured detection tools, informing security teams that hackers are “casing” them.
  • This should prompt launching a security validation exercise to ensure that potential security gaps are adequately monitored and scheduled for priority patching.
  • Passive recon: hackers “stalking” you by collecting publicly available information about your infrastructure’s technological details or email addresses. This is, in effect, undetectable.
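As an added illustration of the active-recon point above (not code from the article or from Cymulate), the following detector flags a source that touches many distinct destination ports within a short time window, a classic sign of port scanning. The log format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up firewall log format (not real traffic).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z DROP src=203.0.113.7 dst=198.51.100.10 dport=21
2024-05-01T10:00:01Z DROP src=203.0.113.7 dst=198.51.100.10 dport=22
2024-05-01T10:00:02Z DROP src=203.0.113.7 dst=198.51.100.10 dport=23
2024-05-01T10:00:02Z DROP src=203.0.113.7 dst=198.51.100.10 dport=25
2024-05-01T10:00:03Z ALLOW src=203.0.113.7 dst=198.51.100.10 dport=80
2024-05-01T10:00:03Z DROP src=203.0.113.7 dst=198.51.100.10 dport=110
2024-05-01T10:00:04Z DROP src=203.0.113.7 dst=198.51.100.10 dport=143
2024-05-01T10:00:04Z ALLOW src=203.0.113.7 dst=198.51.100.10 dport=443
2024-05-01T10:00:05Z DROP src=203.0.113.7 dst=198.51.100.10 dport=3389
2024-05-01T10:00:06Z ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443
2024-05-01T10:03:00Z ALLOW src=192.0.2.5 dst=198.51.100.10 dport=80
2024-05-01T10:30:00Z ALLOW src=192.0.2.9 dst=198.51.100.10 dport=22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_events(text):
    """Parse log lines into (timestamp, src, dport); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], int(m["dport"])))
    return events

def find_port_scanners(events, min_ports=8, window=timedelta(seconds=60)):
    """Return {src: max distinct dports} for sources that touch at least
    min_ports distinct destination ports within any sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(ports))
    return scanners
```

Both dropped and allowed connections count, since a scanner probing open ports produces ALLOW entries too; tune `min_ports` and `window` to the normal behaviour of your own environment before alerting on the result.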

What Does a Hacker Do with the Information Gathered During Recon?

Cyber-attackers’ goals fall under four broad categories:

  • Theft – by far the largest category in terms of numbers, attacks aimed at stealing can be subdivided into further categories according to what is being stolen:
    • Data – data is the 21st century’s currency, and any data in the right hands can be translated into value. From credit card details to users’ personal information to generic data such as traveling habits, all data can be misappropriated for commercial, strategic, or even military purposes.
    • Intellectual Property – IP gives an edge to many organizations and businesses. Competitors, for example, have an immediate interest in obtaining that information.
    • Computing resources – the resources used to power your infrastructure are costly, therefore attractive. Today, stolen resources’ main usage is crypto mining.
  • Extortion – best known in the form of ransomware, which hijacks part or all of the infrastructure, encrypts the data, and demands payment in cryptocurrency to decrypt the affected data. Exfiltrating data and threatening to sell it is also part of the ransomware threat.
  • Information gathering – a stealthy type of attack that might remain undetected for extended periods. Typically, these campaigns are carried out by nation-states, political opponents, or business competitors.
  • Destruction / taking over the infrastructure – attacks aimed at taking over or destroying are typically led by nation-states targeting critical infrastructure, particularly aggressive competitors, or hacktivists.

Given the range of damages that can result from a cyber-attack, making recon as fruitless or daunting as possible for scouting cyber-attackers is a good policy. This explains the current trend toward better Attack Surface Management (ASM).

Note: This article is written by Sasha Gohman, VP Research at Cymulate.
