Reconnaissance & OSINT
Before an attacker touches your systems, they read everything you left lying in the open.
01 Passive vs. active reconnaissance
Reconnaissance is stage one of the Kill Chain and, quietly, the stage where most of the real work happens. It splits into two modes distinguished by whether you interact with the target at all.
Passive reconnaissance gathers information without sending a single packet to the target's own infrastructure. You read public records, search engines, social media, code repositories, and third-party databases. Because you never touch the target, it is nearly undetectable and, for public data, generally lawful. Active reconnaissance interacts directly — pinging hosts, resolving DNS against the target, connecting to a service to read its banner. It yields fresher, more precise data, but it leaves logs and, done without authorization, it can already cross the legal line.
| Passive | Active | |
|---|---|---|
| Touches target? | No | Yes |
| Detectable? | Rarely | Yes — appears in logs |
| Data freshness | Can be stale | Current |
| Authorization needed? | Public data: generally no | Yes, if it probes systems you do not own |
02 Open-source intelligence (OSINT)
OSINT is intelligence assembled entirely from publicly available sources. Individually each source is innocuous; the danger is in the aggregation. A patient analyst stitches fragments into a map of your organization's people, technology, and habits. Common source categories include:
- Domain and network records — WHOIS registration data, DNS records, and Certificate Transparency logs, which publicly list every TLS certificate ever issued for your domains, quietly revealing subdomains you thought were private.
- Internet-wide scan data — services like Shodan and Censys continuously index exposed devices and services, so an attacker can query for your exposed assets without ever scanning you.
- People data — job postings that name your exact tech stack, LinkedIn org charts, conference talks, and employee social media.
- Code and documents — public code repositories with committed secrets, and document metadata (EXIF, authorship, software versions) embedded in published PDFs and images.
03 Footprinting and attack surface mapping
Footprinting is the systematic build-out of a target's profile from those OSINT fragments: which domains and IP ranges it owns, which cloud providers it uses, who its employees are, and which technologies it runs. The end product is a picture of the attack surface — the total set of points where an unauthorized user could try to enter or extract data.
Attack surface is bigger than most organizations think. It includes obvious things (the corporate website, the VPN gateway) and forgotten ones: a marketing microsite from a campaign three years ago, a staging server someone spun up "temporarily," an S3 bucket left public, a subdomain pointing at a decommissioned service that an attacker can re-register (a subdomain takeover).
You cannot defend an asset you do not know you own. Shadow IT is not a policy problem; it is an unmonitored attack surface.
Modern practice treats this as a continuous discipline called External Attack Surface Management (EASM): tooling that repeatedly rediscovers everything the organization exposes to the internet, from the outside, the way an attacker would. The goal is to shrink surprises — to make the defender's map at least as complete as the adversary's.
04 Why oversharing is a real risk
The most damaging reconnaissance material is often given away freely, because no single disclosure feels risky. This is aggregation risk: the whole is far more dangerous than the sum of its parts.
Consider how a targeted phishing pretext gets built. From a conference talk, an attacker learns your company migrated to a specific cloud platform. From LinkedIn, they identify the engineer who led it and the executive she reports to. From a data broker or a past breach, they find her personal email and phone number. From a photo she posted from the office, EXIF metadata and a visible badge reveal the building and the badge design. None of these facts is secret. Assembled, they are a convincing, personalized lure — the raw material for spear phishing.
The lesson is not "post nothing." It is to recognize that public information has a second audience, and to keep the highest-value details — internal tooling, security controls, org structure, travel plans of executives — off the public record by default.
05 How defenders shrink their footprint
Defenders cannot un-publish the internet, but they can systematically reduce and monitor what they expose. The playbook is conceptual and entirely defensive:
- Maintain an authoritative asset inventory. Know every domain, IP, cloud account, and service you own. Most breaches of exposed assets trace back to something nobody knew was there.
- Practice data minimization. Strip metadata from published documents, scrub secrets from code before it goes public, and keep tech-stack specifics out of job postings where possible.
- Decommission cleanly. Tear down old subdomains and DNS records so they cannot be hijacked, and retire staging systems rather than leaving them exposed.
- Monitor your own exposure. Query Certificate Transparency and internet-scan data about yourself, and watch breach-notification and paste sites for leaked credentials.
- Train people on the aggregation risk so employees understand why a harmless-looking post can complete an attacker's picture.
⌘ Field Glossary
- Passive reconnaissance
- Information gathering that never touches the target's own systems, relying instead on public and third-party sources; nearly undetectable.
- Active reconnaissance
- Directly probing a target's infrastructure (pinging, DNS resolution, banner grabbing) for fresher data, at the cost of leaving detectable traces.
- OSINT
- Open-Source Intelligence — actionable intelligence assembled from publicly available data, where the danger lies in aggregating many innocuous sources.
- Attack surface
- The complete set of points where an unauthorized actor could attempt to enter, interact with, or extract data from a system or organization.
- Certificate Transparency
- Public, append-only logs of issued TLS certificates that inadvertently reveal an organization's subdomains and internal hostnames.
- Subdomain takeover
- Hijacking a subdomain whose DNS still points at a decommissioned or unclaimed service, letting an attacker host content under the victim's domain.
- EASM
- External Attack Surface Management — continuously rediscovering an organization's internet-exposed assets from the outside to close the gap with an attacker's view.
Knowledge Check
Field Assessment
01 What most clearly separates passive from active reconnaissance?
02 Why is a detailed job posting a reconnaissance concern?
03 Which defensive practice most directly addresses forgotten, exposed assets?