Cybersecurity 101: Understanding Reconnaissance – The First Step in MITRE ATT&CK


Continuing our MITRE series, we will explore how attackers take the first step. As we will see later, the same principle applies whether we discuss a specific target that threat actors want to attack or we analyze large-scale attacks carried out by a group or with the help of automated tools.

Attackers must understand their target before exploiting any vulnerability or delivering any payload. This is where Reconnaissance comes in.

What is Reconnaissance?

Reconnaissance, in a cybersecurity context and in MITRE ATT&CK more specifically, represents how attackers gather information about their targets.

It’s about scanning networks or performing social engineering to understand a system’s architecture and technologies, and to uncover potential vulnerabilities.

It’s the first step, but it is often treated as a simple preliminary step, especially by cybersecurity specialists who, depending on their role, focus more on:

  • Exploitation aspect and execution – pentesters.
  • Defense Evasion and lateral movement – application security.
  • Collection and exfiltration – Threat researchers or digital forensics.

This is an oversimplification and not really a criticism of these cybersecurity roles. Of course there are many others (Cybersecurity Analyst, Security Engineer, Security Architect, Malware Analyst, and so on), and the list goes on and on depending on the day-to-day tasks.

What we want to highlight is that no matter whether the security specialist is on the offensive side, the defensive side, somewhere in between, or even a researcher, they rarely focus on this step.

Why?

As noted earlier, they’re already overloaded with daily tasks. Reconnaissance services are infrequently required when a company contracts them; their work is primarily offensive or defensive, specific to an application or company-wide, depending on the case.

Why is Reconnaissance downplayed by ethical hackers yet important?

This is where I want to point out again that ethical hackers are required to think as attackers do in order to properly defend against them.

And in reality, threat actors spend more time on reconnaissance than on any other aspect, including exploitation.

They are building a detailed profile of their target, gathering a lot more intel than we initially expect.

Modern reconnaissance done by an attacker can involve:

  • Version control repositories that might reveal internal architecture
  • Documentation that exposes API structures and data flows
  • Error messages that leak technology stack details
  • Continuous integration pipelines that show deployment patterns
  • Dependencies that show potential supply chain targets

And if we extend this to companies, threat actors can gather intel from every relevant source, building extensive profiles using:

  • Employee LinkedIn profiles revealing team structures and technologies
  • Job postings outlining tech stack and internal tools
  • Conference presentations detailing technical challenges and solutions
  • Financial reports showing security investment and priorities
  • Corporate blogs describing technical implementations
  • Social media revealing internal processes and tools
  • Press releases announcing new technology partnerships
  • Patent filings exposing technical capabilities

However, we have seen an evolution lately, with more and more security specialists understanding the need to add reconnaissance techniques, both to improve security posture and to better train people.

Since people are a resource and a possible entry point for attackers, cybersecurity encompasses more than just application code and attacks on external infrastructure.

Active vs Passive: The Two Faces of Reconnaissance

Modern reconnaissance has evolved beyond simple network scanning, although scanning remains a strong point even today.

We can split reconnaissance into two distinct approaches, each with its own tools and techniques.

Passive Reconnaissance

Passive reconnaissance involves gathering publicly available information about a target without direct interaction with their systems.

This approach allows attackers to collect intelligence while remaining undetected, so it’s not surprising that threat actors spend so much time in this phase.

During this phase, attackers explore public internet resources to better understand their target. As stated in the previous lists, they examine company websites, looking for technology indicators and versions in page source code, HTTP headers, and SSL certificates. Public DNS records reveal email servers, subdomains, and network infrastructure details.

Search engines are used heavily in this phase: specialized queries can discover exposed documents or configuration files.

Third-party services also contribute to gathering information.

Active Reconnaissance

Unlike its passive counterpart, active reconnaissance involves direct interaction with target systems.

This phase marks the transition from information gathering to actual system probing. It is a visible step, but only if the target has safety checks or monitoring in place.

Active techniques include port scanning to identify running services, version fingerprinting to determine software types and versions, and directory enumeration to map out web applications.

Each probe provides more data about the target’s infrastructure, but at the same time it risks detection.

Everything is exploited: network mapping, web application testing, and even the error messages returned by systems can provide valuable information about internal architecture.
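As an added example (not part of the original article), the following Python script shows one way a defender can turn the detection risk described above into an alert: it runs a simple "distinct targets per source within a sliding window" rule over constructed firewall-style log lines. The log format, IP addresses, threshold and window are assumptions chosen for the illustration; it also includes a slow scanner that a short window misses, to show why the window size matters.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption, not a real product's format):
# "<iso-timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=\w+$"
)

PROBED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]

# Constructed sample traffic: a fast scanner probing 12 ports on one host in 12 seconds
FAST_SCAN = [
    f"2024-05-01T10:00:{i:02d} src=203.0.113.7 dst=192.0.2.10 dport={p} action=deny"
    for i, p in enumerate(PROBED_PORTS)
]
# A normal client that only talks to the web ports
NORMAL = [
    "2024-05-01T10:05:00 src=198.51.100.4 dst=192.0.2.10 dport=443 action=allow",
    "2024-05-01T10:05:02 src=198.51.100.4 dst=192.0.2.10 dport=80 action=allow",
    "2024-05-01T10:05:09 src=198.51.100.4 dst=192.0.2.10 dport=443 action=allow",
]
# A slow scanner: the same 12 ports, one probe every 3 minutes
SLOW_SCAN = [
    f"2024-05-01T11:{3 * i:02d}:00 src=203.0.113.99 dst=192.0.2.10 dport={p} action=deny"
    for i, p in enumerate(PROBED_PORTS)
]
SAMPLE_LOGS = "\n".join(FAST_SCAN + NORMAL + SLOW_SCAN)


def parse_logs(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    events.sort(key=lambda e: e[0])
    return events


def detect_port_scans(text, threshold=10, window_seconds=60):
    """Return {src_ip: peak number of distinct (dst, port) targets seen inside any window}
    for every source whose peak reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_logs(text):
        by_src[src].append((ts, (dst, dport)))

    alerts = {}
    for src, evs in by_src.items():
        in_window = Counter()  # distinct targets currently inside the sliding window
        left = 0
        peak = 0
        for ts, target in evs:
            in_window[target] += 1
            # evict the oldest events once they fall outside the window
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOGS))                       # the fast scanner only
    print(detect_port_scans(SAMPLE_LOGS, window_seconds=3600))  # a longer window also catches the slow one
```

With the default 60-second window only the fast scanner is reported; widening the window to an hour also surfaces the slow scanner, at the cost of more state per source. In practice this rule is tuned per environment and combined with the denied-connection ratio, since a legitimate client rarely touches many closed ports.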

Active Reconnaissance, A Direct Interaction

Most attacks begin with DNS exploration.

By querying your domain’s DNS records, attackers map out your infrastructure. They discover your entire digital footprint: mail servers, verification records, subdomain patterns.

Attackers probe each discovered endpoint, identifying running services and their versions.

Consider a standard web response header, for instance. Your server may reveal your nginx version, server-side framework version, and application framework to attackers. Attackers use seemingly harmless technical data to improve their chances of a successful exploit.
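As an added example, not from the original article, here is a small Python audit that parses a raw HTTP response and flags the kind of version and technology disclosure described above, so you can check what your own servers hand out. The two sample responses are constructed, and the header and cookie-name lists are assumptions based on common defaults rather than an exhaustive fingerprint database.

```python
import re

# Matches a dotted version number such as 1.18.0 or 7.4
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")

# Headers whose mere presence advertises a technology (assumed common defaults, not exhaustive)
TECH_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator", "x-runtime"}

# Default session-cookie names that fingerprint a framework (assumed common defaults)
COOKIE_FINGERPRINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "laravel_session": "Laravel",
}

# Constructed sample responses (not captured from any real host)
LEAKY_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=3f9a1c; Path=/; HttpOnly
Content-Type: text/html; charset=utf-8

<html>...</html>
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Set-Cookie: sid=3f9a1c; Path=/; HttpOnly; Secure; SameSite=Lax
Content-Type: text/html; charset=utf-8

<html>...</html>
"""


def parse_response_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response, stopping at the blank line before the body."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def find_leaks(raw):
    """Return a list of (header, value, reason) findings for version or technology disclosure."""
    findings = []
    for name, value in parse_response_headers(raw):
        if name == "server" and VERSION_RE.search(value):
            findings.append((name, value, "server software version disclosed"))
        elif name in TECH_HEADERS:
            findings.append((name, value, "technology header should be removed"))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip().lower()
            if cookie_name in COOKIE_FINGERPRINTS:
                findings.append(
                    (name, cookie_name, f"default session cookie name fingerprints {COOKIE_FINGERPRINTS[cookie_name]}")
                )
    return findings


if __name__ == "__main__":
    for finding in find_leaks(LEAKY_RESPONSE):
        print(finding)
    print("hardened findings:", find_leaks(HARDENED_RESPONSE))
```

The leaky response yields three findings (Server version, X-Powered-By, and the PHPSESSID cookie name), while the hardened one yields none. On nginx the version is dropped from the Server header with `server_tokens off;`, and application headers such as X-Powered-By are best removed at the application or reverse-proxy layer; renaming the default session cookie removes the remaining fingerprint.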

Moving Forward

The next article will cover how attackers use reconnaissance and resource development to gain initial access to systems.

After all, cybersecurity is about prevention but also about understanding our exposure and managing it effectively.
