Active & Passive Reconnaissance | CompTIA Security+ SY0-601 | 1.8b

In this video you will learn about passive, active, & other forms of reconnaissance in cybersecurity, along with the penetration testing exercise types you need to know: Red Team, Blue Team, White Team, & Purple Team.

Reconnaissance

In the context of cybersecurity, reconnaissance is the practice of covertly discovering & collecting information about a system. This method is often used in ethical hacking or penetration testing.[1] There are two main types of reconnaissance that you need to know for the Security+ SY0-601 certification exam:

  • Active Reconnaissance:  information is gathered by interacting directly with the target system, through techniques like automated scanning or manual testing and tools like ping and netcat. Active recon is generally faster & more accurate, but riskier, because it creates more noise on the target (log entries, connection attempts) and therefore has a higher chance of being detected.[1]
  • Passive Reconnaissance:  information is gathered without directly interacting with the target system, for example by observing traffic with a tool such as Wireshark. Passive recon can also be carried out by simply researching a victim's public records, social media sites, & technical information such as DNS records, whois data, & other public sources.[2]
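Because active reconnaissance touches the target, it leaves a trail in connection logs that passive research does not. The following Python script is an added example (it is not from the video or any of the references) that shows what that noise looks like from the defender's side: it parses constructed firewall log lines and flags a source that probes many ports on one host (a vertical port scan) or the same port across many hosts (a horizontal host sweep) within a time window. The log format, IP addresses, thresholds and function names are all assumptions made for this example; adapt the parser to your own firewall or NetFlow export.

```python
"""Flag noisy active reconnaissance (port scans and host sweeps) in
connection logs.  Added example for these notes, not code from the
video or its references.  The log format is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like firewall line, e.g.
# 2024-05-01T10:00:00Z DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_recon(lines, window=timedelta(seconds=60),
                 port_threshold=10, host_threshold=10):
    """Return sorted (src, kind, target, count) alerts.

    kind is "port_scan" when one source hits >= port_threshold distinct
    ports on a single host inside `window`, or "host_sweep" when it hits
    the same port on >= host_threshold distinct hosts inside `window`.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}  # (src, kind, target) -> highest count seen in any window
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            # Sliding window starting at event i.
            for ev in events[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                ports_per_dst[ev["dst"]].add(ev["dport"])
                dsts_per_port[ev["dport"]].add(ev["dst"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold:
                    key = (src, "port_scan", dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            for port, dsts in dsts_per_port.items():
                if len(dsts) >= host_threshold:
                    key = (src, "host_sweep", str(port))
                    alerts[key] = max(alerts.get(key, 0), len(dsts))
    return sorted(key + (count,) for key, count in alerts.items())


def build_sample_log():
    """Constructed sample: one vertical scan, one SMB sweep, benign HTTPS."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Constructed: one source probes 12 ports on one host within ~3 seconds.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 1433, 3389, 8080]):
        ts = (base + timedelta(milliseconds=250 * i)).strftime(TS_FMT)
        lines.append(f"{ts} DENY src=203.0.113.5 dst=192.0.2.10 dport={port} proto=tcp")
    # Constructed: another source probes port 445 on 15 hosts within 15 seconds.
    for i in range(1, 16):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} DENY src=203.0.113.7 dst=192.0.2.{i} dport=445 proto=tcp")
    # Constructed: a normal client reaches the web server a few times.
    for i in range(5):
        ts = (base + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp")
    return lines


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect_recon(build_sample_log())


if __name__ == "__main__":
    for src, kind, target, count in run_sample():
        print(f"{src}: {kind} against {target} ({count} distinct)")
```

The benign client never trips either rule because it only ever touches one port on one host, which is the practical point: active recon is detectable not by any single packet but by the breadth of what one source touches in a short time. Tune the window and thresholds to your own baseline before alerting on production logs.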

Other aspects pertaining to reconnaissance are the following:

  • Drones:  can be used for eavesdropping and monitoring wireless networks.
  • War Flying:  an activity consisting of using an airplane & a WiFi-equipped computer, such as a laptop or a PDA, to detect WiFi wireless networks.
  • War Driving:  the act of searching for WiFi wireless networks, usually from a moving vehicle, using a laptop or smartphone.
  • Footprinting:  a technique for gathering information about computer systems & the entities they belong to. To get this information, a hacker might use various tools & technologies. This information can be very helpful to a hacker who is trying to break into a system.[3]
  • OSINT (Open-Source Intelligence):  the collection & analysis of data gathered from open sources (overt & publicly available sources) to produce actionable intelligence. OSINT is primarily used in national security, law enforcement, & business intelligence functions, and is of value to analysts who use non-sensitive intelligence to answer classified, unclassified, or proprietary intelligence requirements across the intelligence disciplines.[4]

Exercise Types

For the Security+ SY0-601 certification exam, you need to be familiar with various penetration testing exercise types such as:

  • Red Team:  individuals who perform adversarial simulation & penetration testing. Red teaming is the act of systematically & rigorously (but ethically) identifying an attack path that breaches the organization's security defenses using real-world attack techniques. By adopting this adversarial approach, the organization's defenses are judged not on the theoretical capabilities of security tools and systems, but on their actual performance in the presence of real-world threats. Red teaming is a critical component in accurately assessing the company's prevention, detection, and remediation capabilities and maturity.[5]
  • Blue Team:  the defenders of the organization. Typically, this group consists of incident response consultants who provide guidance to the IT security team on where to make improvements to stop sophisticated cyberattacks and threats. The IT security team is then responsible for defending the internal network against various types of risk.[5]
  • White Team:  the group responsible for refereeing an engagement between the Red Team & Blue Team. The White Team acts as the judges, enforces the rules of the exercise, observes the exercise, scores the teams, resolves any problems that may arise, handles all requests for information or questions, & ensures that the competition runs fairly & does not cause operational problems for the defender's mission.[6]
  • Purple Team:  individuals whose role is to ensure and maximize the effectiveness of the Red & Blue teams. They do this by integrating the defensive tactics & controls from the Blue Team with the threats and vulnerabilities found by the Red Team into a single narrative that maximizes both.[7]

References

  1. Reconnaissance. Blumira.
  2. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.
  3. Zola, A. Footprinting. TechTarget.
  4. Schwartz, L. (2022). Amateur Open-Source Researchers Went Viral Unpacking the War in Ukraine. Rest of World.
  5. CrowdStrike. (2022). Red Team vs Blue Team in Cybersecurity.
  6. White Team. Computer Security Resource Center – NIST.
  7. Miessler, D. (2021). The Difference Between Red, Blue, and Purple Teams. Daniel Miessler.