Reconnaissance is a term most often used in a military context, and there it is an activity carried out by both sides in a conflict: the adversary (enemy) wants to find out where the good guys have deployed their assets and defenses, and the good guys want the same information about the enemy. In each of these scenarios, the reconnaissance is adversarial.
In cybersecurity, reconnaissance scans, also known as “recon” scans, are used in both adversarial and non-adversarial ways and are one of the four types of cybersecurity scans.
How Recon Scans Work
Before we dig into the different types of scans, let’s cover the basics of how typical scans work.
Most electronic communications traffic over the internet, within corporate networks, and even at home uses TCP/IP, a suite of protocols that allows a sender to pass a message to one or more receivers on a network.
Using a simple analogy, all devices on an IP network (e.g., the internet or a local area network) have an IP address. Think of this as the street address for a home: it’s where packages are delivered, or packets in the case of a data network.
When packages/packets are sent, the originating location is also the return address, so the receiver can reply to confirm that the packets have been received.
Now let’s assume that the receiver doesn’t live in a single-family home but in a high-rise full of condos or apartments. The high-rise has a single street address, but each occupant has their own apartment or box number. In the TCP/IP world, the apartment number is a port. Ports identify specific services or applications running at a given IP address.
There are many standard ports that specific services tend to use. For example, port 25 carries mail between mail servers, and port 443 transmits data securely between a browser session and a web server.
There are thousands of ports. Many are well-known, like the ones above, and others are a bit more obscure. All (at least most) are expected to be used by specific applications or services.
To make communications over a network reliable, TCP/IP has built-in features for establishing a connection, and they involve what’s known as a handshake.
Establishing a standard TCP (Transmission Control Protocol) connection requires three separate steps:
- The first computer (Amy’s PC) sends the second computer (Joe’s Server) a “synchronize” (SYN) message with its sequence number x, which Joe receives.
- Joe’s server replies to Amy with a synchronize-acknowledgment (SYN-ACK) message carrying its own sequence number y and an acknowledgment number x+1, which Amy receives.
- Amy replies with an acknowledgment (ACK) message with the ACK number y+1, which Joe receives, but he doesn’t need to respond since the handshake is complete.
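The three steps above, played out in code as an added example (this is not code from the original article). The server and client are simulated objects in one process, so nothing is sent on a real network; the host names, the set of listening ports and the initial sequence numbers x and y are constructed values. The example goes one step beyond the article’s text by also showing what happens when the SYN goes to a port that nobody is listening on: the server refuses it with a reset (RST) and the handshake never reaches step three, which is exactly the difference a recon scan is looking for.

```python
"""Simulated TCP three-way handshake with sequence and acknowledgment numbers.

Added example, not code from the original article. Host names, the
listening ports and the initial sequence numbers are constructed; nothing
is sent on a real network.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Segment:
    """The TCP header fields the handshake depends on (others omitted)."""
    src: str
    dst: str
    port: int                 # the server-side port being contacted
    flags: FrozenSet[str]     # subset of {"SYN", "ACK", "RST"}
    seq: int
    ack: int = 0


class SimulatedServer:
    """Joe's server: answers SYNs on listening ports and refuses the rest."""

    def __init__(self, name: str, listening_ports, isn: int):
        self.name = name
        self.listening_ports = set(listening_ports)
        self.isn = isn        # Joe's initial sequence number y (constructed)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Return the reply segment, or None once the handshake is complete."""
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            if seg.port not in self.listening_ports:
                # Nobody home: a closed port is refused with RST.
                return Segment(self.name, seg.src, seg.port,
                               frozenset({"RST", "ACK"}), seq=0, ack=seg.seq + 1)
            # Step 2: SYN-ACK carrying y and acknowledging x+1
            # (the SYN itself consumes one sequence number).
            return Segment(self.name, seg.src, seg.port,
                           frozenset({"SYN", "ACK"}), seq=self.isn, ack=seg.seq + 1)
        if seg.flags == frozenset({"ACK"}) and seg.ack == self.isn + 1:
            return None       # step 3 received; the connection is established
        raise ValueError(f"unexpected segment during handshake: {seg}")


def handshake(client: str, server: SimulatedServer, port: int, isn: int) -> List[Segment]:
    """Run Amy's side of the handshake and return every segment exchanged."""
    # Step 1: SYN with Amy's initial sequence number x.
    syn = Segment(client, server.name, port, frozenset({"SYN"}), seq=isn)
    exchanged = [syn]
    reply = server.receive(syn)
    exchanged.append(reply)
    if "RST" in reply.flags:
        return exchanged      # door closed; there is no third step
    # Step 3: ACK with Amy's next sequence number x+1, acknowledging y+1.
    ack = Segment(client, server.name, port, frozenset({"ACK"}),
                  seq=isn + 1, ack=reply.seq + 1)
    exchanged.append(ack)
    if server.receive(ack) is not None:
        raise RuntimeError("server should not reply to the final ACK")
    return exchanged


def port_state(exchanged: List[Segment]) -> str:
    """'open' when the server answered SYN-ACK, 'closed' when it sent RST."""
    return "closed" if "RST" in exchanged[1].flags else "open"


if __name__ == "__main__":
    joe = SimulatedServer("joe-server", {25, 443}, isn=5000)
    for p in (25, 443, 8080):
        segs = handshake("amy-pc", joe, p, isn=100)
        print(p, port_state(segs),
              [(sorted(s.flags), s.seq, s.ack) for s in segs])
```

Running it prints three exchanges: ports 25 and 443 complete all three steps with the acknowledgment numbers x+1 and y+1 from the list above, while port 8080 stops after the RST. The `seq`/`ack` arithmetic is the part worth reading closely, since a SYN-ACK whose acknowledgment number is not x+1 would be rejected by a real client.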
Without diving too much deeper into the technical weeds, think of scans as the equivalent of knocking on every door (i.e., port) in the high-rise to see who answers. Once the scan has covered that building, it moves on to the next address on the street and starts the process over again. All of this is automated and happens in just seconds.
Adversarial Use of Reconnaissance Scans
It should be obvious why a thief would want to know which of the apartments in a high-rise are occupied and which ones are not. In the case of our apartment analogy, if a resident is at home, the thief might want to move on to the next apartment to try and break in to minimize the chance of getting caught.
The opposite is true with a recon scan in the cybersecurity world. When someone answers the door (i.e., a port responds to a SYN message used to initiate and establish a connection), it allows an attacker to build a list of services and applications present on that machine.
Looking at ports that respond across a range of addresses can give adversaries tremendous intelligence. That intel can then be used to probe known vulnerabilities associated with the responding services and applications to further the goals of the attacker, such as inserting malware, viewing sensitive data, or even disrupting the network with a flood of electronic traffic.
These types of scans are happening all the time. So how do we protect against them?
Protecting Against Adversarial Scans
- Good Perimeter Security – This means configuring firewalls at the edge of a network to recognize and not respond to these types of scans. This functionality is rudimentary for today’s firewalls, but make sure these features are enabled and operational.
- Limiting An Organization’s Internet Footprint – This means keeping the number of devices with direct connections to the internet (think publicly facing IP addresses) to the smallest number possible. This will reduce the attack surface for the network.
- Hardening Systems – Configuring all systems (but especially those with direct internet connections) only to use necessary services and ports. This will reduce the attack surface for individual systems.
- Implement Intrusion Detection and Prevention Systems (IDS/IPS) – It only takes one system user to click on the wrong link or open an attachment loaded with malware for an attacker to be behind the firewall. With that being the case, there must be a layer of defense that sees more of the traffic on the network than the firewall can see. A properly configured IDS/IPS can identify, report, and shut down unauthorized scans that originate from within the network.
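What “identify unauthorized scans” looks like in practice, as an added example (not code from the original article or from any IDS product): a small detector run over constructed connection-log lines. The log format, the TEST-NET addresses and the thresholds (a 60-second window, five or more distinct targets, at most 20% completed handshakes) are all assumptions for illustration. It flags a source that knocks on many doors without completing the handshake, and labels the two patterns the article describes: many ports on one host (“vertical”, every door in the building) and the same port across many hosts (“horizontal”, the next address on the street).

```python
"""Port-scan detection over connection-log lines.

Added example, not code from the original article. The log format, the
addresses (TEST-NET ranges) and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed log format: one line per connection attempt seen by a firewall
# or IDS sensor. state=SYN means half-open (no handshake completion seen),
# RST means refused by a closed port, ESTABLISHED means a completed handshake.
LINE_RE = re.compile(r"ts=(\d+) src=(\S+) dst=(\S+) dport=(\d+) state=(\S+)")

SAMPLE_LOG = """\
ts=100 src=203.0.113.7 dst=198.51.100.10 dport=22 state=SYN
ts=100 src=203.0.113.7 dst=198.51.100.10 dport=23 state=RST
ts=101 src=203.0.113.7 dst=198.51.100.10 dport=25 state=SYN
ts=101 src=203.0.113.7 dst=198.51.100.10 dport=80 state=SYN
ts=101 src=203.0.113.7 dst=198.51.100.10 dport=443 state=SYN
ts=102 src=203.0.113.7 dst=198.51.100.10 dport=445 state=RST
ts=102 src=203.0.113.7 dst=198.51.100.10 dport=3389 state=RST
ts=103 src=203.0.113.7 dst=198.51.100.11 dport=22 state=SYN
ts=103 src=203.0.113.7 dst=198.51.100.12 dport=22 state=SYN
ts=104 src=203.0.113.7 dst=198.51.100.13 dport=22 state=RST
ts=104 src=203.0.113.7 dst=198.51.100.14 dport=22 state=SYN
ts=105 src=203.0.113.7 dst=198.51.100.15 dport=22 state=SYN
ts=100 src=198.51.100.50 dst=198.51.100.10 dport=443 state=ESTABLISHED
ts=150 src=198.51.100.50 dst=198.51.100.10 dport=443 state=ESTABLISHED
ts=200 src=198.51.100.50 dst=198.51.100.20 dport=25 state=ESTABLISHED
"""


def parse(lines: Iterable[str]):
    """Yield one event dict per well-formed log line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, state = m.groups()
        yield {"ts": int(ts), "src": src, "dst": dst,
               "dport": int(dport), "state": state}


def detect_scanners(lines: Iterable[str], window: int = 60, min_targets: int = 5,
                    max_established_ratio: float = 0.2) -> List[Dict]:
    """Flag sources touching many distinct host:port targets within `window`
    seconds while rarely completing a handshake. Thresholds are assumptions."""
    by_src: Dict[str, list] = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window: keep the window with the most distinct targets.
        best = None
        for start in range(len(events)):
            t0 = events[start]["ts"]
            win = [e for e in events[start:] if e["ts"] - t0 <= window]
            targets = {(e["dst"], e["dport"]) for e in win}
            if best is None or len(targets) > best[0]:
                best = (len(targets), win)
        n_targets, win = best
        if n_targets < min_targets:
            continue
        established = sum(e["state"] == "ESTABLISHED" for e in win)
        if established / len(win) > max_established_ratio:
            continue          # mostly real connections, not a scan
        ports_per_host: Dict[str, set] = defaultdict(set)
        hosts_per_port: Dict[int, set] = defaultdict(set)
        for e in win:
            ports_per_host[e["dst"]].add(e["dport"])
            hosts_per_port[e["dport"]].add(e["dst"])
        patterns = []
        if any(len(p) >= min_targets for p in ports_per_host.values()):
            patterns.append("vertical")    # many doors in one building
        if any(len(h) >= min_targets for h in hosts_per_port.values()):
            patterns.append("horizontal")  # the same door down the street
        findings.append({"src": src, "targets": n_targets, "patterns": patterns,
                         "half_open": sum(e["state"] == "SYN" for e in win),
                         "refused": sum(e["state"] == "RST" for e in win)})
    return findings


if __name__ == "__main__":
    for finding in detect_scanners(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample log the only source flagged is 203.0.113.7, with twelve distinct targets, no completed handshakes and both patterns present; the second source, which completes every handshake it starts, is left alone. Real sensors tune the window and thresholds to the network, and an IPS would feed the flagged source into a block rule rather than just printing it.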
Non-Adversarial Use of Reconnaissance Scans
So why would we want to use the methods attackers use? Two primary reasons:
- To See What an Attacker Can See – We will discuss this topic in greater detail in our article dealing with vulnerability scanning. Suffice it to say that regular scanning of the network from inside and out is the starting point of a good vulnerability management program.
- To See What There is to Protect – All but the smallest organizations struggle with identifying and managing IT Assets. Recon scans are a great way to begin to build the IT Asset inventory for the organization or to validate the inventory that is being maintained.
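An added example of the second use, validating a maintained inventory against what a recon scan actually found (this is not code from the original article or from any scanning tool). The scan results, the inventory records and the small port-to-service table are constructed; the function reports hosts the scan found that the inventory does not know about, inventoried hosts that did not answer, and services listening on known hosts that the inventory does not expect.

```python
"""Reconcile recon-scan results against a maintained IT asset inventory.

Added example, not code from the original article. All hosts, ports and
inventory records below are constructed (TEST-NET addresses).
"""
from typing import Dict, List, Set

# Constructed scan results: host -> ports that answered with SYN-ACK.
SCAN_RESULTS: Dict[str, Set[int]] = {
    "198.51.100.10": {25, 443},
    "198.51.100.11": {22, 443},
    "198.51.100.12": {3389},
}

# Constructed inventory: host -> name and the ports it is expected to expose.
INVENTORY: Dict[str, Dict] = {
    "198.51.100.10": {"name": "mail-gw", "expected": {25, 443}},
    "198.51.100.11": {"name": "web-01", "expected": {443}},
    "198.51.100.20": {"name": "old-vpn", "expected": {443}},
}

# Well-known port names used only to make the report readable.
SERVICE_NAMES = {22: "ssh", 25: "smtp", 80: "http", 443: "https", 3389: "rdp"}


def describe(ports: Set[int]) -> List[str]:
    """Render ports as 'port/service' strings, e.g. 25 -> '25/smtp'."""
    return [f"{p}/{SERVICE_NAMES.get(p, 'unknown')}" for p in sorted(ports)]


def reconcile(scan: Dict[str, Set[int]], inventory: Dict[str, Dict]) -> Dict:
    """Compare what answered the scan with what the inventory claims exists."""
    unknown_hosts = sorted(set(scan) - set(inventory))        # found, not recorded
    unreachable_hosts = sorted(set(inventory) - set(scan))    # recorded, not found
    unexpected_services: Dict[str, List[int]] = {}
    for host, ports in scan.items():
        if host in inventory:
            extra = ports - inventory[host]["expected"]
            if extra:
                unexpected_services[host] = sorted(extra)
    return {
        "unknown_hosts": unknown_hosts,
        "unreachable_hosts": unreachable_hosts,
        "unexpected_services": unexpected_services,
    }


if __name__ == "__main__":
    report = reconcile(SCAN_RESULTS, INVENTORY)
    for host in report["unknown_hosts"]:
        print(f"unknown host {host}: {describe(SCAN_RESULTS[host])}")
    for host in report["unreachable_hosts"]:
        print(f"inventoried host {host} ({INVENTORY[host]['name']}) did not answer")
    for host, ports in report["unexpected_services"].items():
        print(f"{host} ({INVENTORY[host]['name']}) exposes unexpected {describe(set(ports))}")
```

Each line of the report is a follow-up item: an unknown host exposing RDP is exactly the kind of asset nobody is patching, an inventoried host that no longer answers may have been decommissioned without the record being updated, and an unexpected SSH listener on a web server is a hardening gap.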
Reconnaissance security scans are a great way to understand the attack surface and begin to classify the assets that need to be protected. Attackers also use them to probe networks and systems for weaknesses.
Limiting visibility for the bad guys and increasing visibility for defenders are two distinct goals. With security teams stretched to the limit, it may be time to consider outsourcing these critical security processes.
CyberMaxx has designed services to prevent, detect, and respond to security incidents, including unwanted scans – our security operations center personnel have seen and done more than their share and are a tremendous force multiplier for any busy security team.