Cyber reconnaissance techniques


DOI: 10.1145/3418293
Publication type: Article
Journal: Communications of the ACM
Publisher: Association for Computing Machinery
Publication date: 2021-02-15


Almost every day, security firms and mass media report news about successful cyber attacks, which are growing in terms of complexity and volume. According to Industry Week, in 2018 spear-phishing and spoofing attempts against business emails increased by 70% and 250%, respectively, and ransomware campaigns targeting enterprises had an impressive 350% growth. In general, the economic damage is significant, since the attack must be detected and investigated and the compromised hardware and software must be restored. To give an idea of the impact of the problem, the average cost of a data breach rose from $4.9 million in 2017 to $7.5 million in 2018. To make things worse, attackers can now use a wide range of tools for compromising hosts, network appliances and Internet of Things (IoT) devices in a simple and effective manner, for example, via a Crime-as-a-Service business model.

Usually, each cyber threat has its own degree of sophistication, and not every attack has the same goal, impact, or extent. However, the literature agrees that an attack can be decomposed into some general phases, as depicted in Figure 1. As shown, the Tao of Network Security Monitoring subdivides attacks into five stages and the Cyber Kill Chain into seven stages, whereas the ATT&CK framework proposes a more fine-grained partitioning. Regardless of the reference model, the first step always requires gathering information on the target, and it is commonly defined as “reconnaissance.” Its ultimate goals are the identification of weak points of the targeted system and the setup of an effective attack plan.

In general, reconnaissance relies upon a composite set of techniques and processes and should not be considered limited to information characterizing the target at a technological level, such as the hardware used or the version of software components. Attackers also aim at collecting details related to the physical location of the victim, phone numbers, names of the people working in the targeted organizations and their email addresses. In fact, any bit of knowledge may be used to develop a software exploit or to reveal weaknesses in the defensive systems.

Unfortunately, the evolution of the Internet, the diffusion of online social networks, and the rise of services for scanning smart appliances and IoT nodes have led to an explosion of sources that can make the reconnaissance phase quicker, easier, and more effective. This can also remove the need for contact with the victim, or limit its duration, thus making it more difficult to detect reconnaissance attempts early and block them. Therefore, investigating the evolution of techniques used for cyber reconnaissance is of paramount importance to deploy or engineer effective countermeasures. Although the literature provides surveys of some specific aspects of reconnaissance (see, for example, network scanning and techniques exploiting social engineering), the knowledge is highly fragmented and a comprehensive review is missing. In this perspective, this paper provides a “horizontal” review of the existing reconnaissance techniques and countermeasures, while highlighting emerging trends.

In this article, we introduce the classification and the evolution of the most popular reconnaissance methods. Then, we discuss possible countermeasures and present some future directions.


  • Wojciech Mazurczyk
    Warsaw University of Technology
    Warsaw, Poland
  • Luca Caviglione
    National Research Council of Italy
    Genoa, Italy