2024-11-07 ThreatHarvest Blog Strategy
Cyber reconnaissance embodies the art of gathering information. It is the part of cyber threat intelligence that involves obtaining data about a particular target using advanced tools and techniques. Cyber reconnaissance is often used by threat actors ahead of an attack, making it a natural initial step in professional penetration testing exercises. By gathering detailed information about a target, both threat actors and security analysts aim to discover the attack surface, uncover information for gaining footholds, and identify weaknesses.
For some, the term reconnaissance conjures up thoughts of military operations, secret service, and spy missions. The meaning for our context within cybersecurity is more practical: reconnaissance simply means assessing a situation before taking some form of action. In many instances, this involves collecting data. This does not exclusively apply to cyber attacks and penetration testing activities. Data collection is also useful for situational awareness and can be used for detecting malicious activities and signs of compromise within a target.
Reconnaissance for cyber threat intelligence can be performed within the context of past, current, and future threats. The data collection can be used to identify points of exposure, weakness, and increasing risk that could lead to an exploit. This is a future-looking objective. On the other hand, data collection can be used to identify an ongoing attack that requires some form of response. This is an example of a current objective. Finally, data collection may reveal indicators of an attack that has already happened. Regardless of the perspective, findings can necessitate action to prevent, respond to, or recover from a situation.
Active Cyber Reconnaissance is the gathering of data relating to a target while directly interacting with it. For example, this technique can involve tools that send requests to the target. This method is often leveraged when identifying open/closed ports, fingerprinting remote systems (e.g., to determine their operating systems), and scanning for vulnerabilities. However, this direct interaction with target systems has a higher probability of causing some form of network disruption, such as triggering an intrusion prevention system. In some networks, such as operational technology environments, these types of tests can produce undesirable secondary impacts, including network disruption. Security practitioners are therefore careful when considering active approaches against sensitive network elements, to avoid the risk of business interruption and financial impact to the organization.
Passive Cyber Reconnaissance is the gathering of data relating to a target without the need to directly interact with it. This implies that the security analysts do not send requests to the target, and thus the target is unaware of any plan to gather information about it. For this reason, passive threat intelligence can be used by attackers without their target becoming aware. This type of reconnaissance can leverage data from the dark web and the public internet. This use of public resources to collect data is referred to as open source intelligence (OSINT).
ThreatHarvest automates the process of passive data collection, enabling an organization to gain an understanding of future, current, and past threats using external threat intelligence. Since ThreatHarvest was built to take advantage of advanced passive techniques, there is no risk of business impact to an organization that may otherwise be associated with active methods. Passive intelligence is not a one-time endeavor when protecting an organization. For this reason, a core tenet of ThreatHarvest is ongoing monitoring to detect emerging threats.
The fundamental difference between the two techniques lies in the methods each approach leverages to collect data. Whereas passive reconnaissance methods use publicly available data to gather information about a certain target, active reconnaissance may involve interacting with targets directly. The process of data collection makes threat intelligence possible, providing the capabilities for organizations to remain informed and engaged in maintaining their security posture.
Begin monitoring threat intelligence to act before attackers do.