Defending Against Reconnaissance
Defending Against Reconnaissance is a critical aspect of cybersecurity that focuses on preventing or minimizing an attacker's ability to gather information about a target organization's networks, systems, and infrastructure. In the GCIH framework, this involves multiple layered strategies.
**1. Minimizing Information Exposure:** Organizations should limit publicly available information by reviewing DNS records, WHOIS data, social media profiles, job postings, and website metadata. Implementing domain privacy protection and restricting zone transfers helps prevent DNS enumeration. Regularly auditing what information is accessible externally is essential.
**2. Network-Level Defenses:** Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) should be configured to detect and block scanning activities such as port scans, ping sweeps, and OS fingerprinting attempts. Rate limiting and implementing ingress/egress filtering can thwart automated scanning tools like Nmap and Masscan. Using tools like Snort or Suricata with updated rulesets helps detect reconnaissance patterns.
**3. Honeypots and Deception Technologies:** Deploying honeypots and honeynets can mislead attackers, waste their time, and provide early warning indicators of reconnaissance activity. Deception technologies create false targets that alert defenders when probed.
**4. Monitoring and Logging:** Comprehensive logging of network traffic, DNS queries, and access attempts enables security teams to identify reconnaissance patterns. SIEM solutions help correlate events and detect anomalous behavior indicative of scanning or enumeration.
**5. Employee Awareness:** Social engineering is a major reconnaissance vector. Training employees to recognize phishing attempts, pretexting, and other information-gathering tactics reduces human-based reconnaissance risks.
**6. Hardening Systems:** Disabling unnecessary services, removing default banners, and restricting ICMP responses make enumeration more difficult. Implementing proper access controls on SNMP, LDAP, and other directory services prevents unauthorized enumeration.
**7. Regular Assessments:** Conducting penetration testing and vulnerability assessments from an attacker's perspective helps identify what information is exposed and allows organizations to proactively close gaps before adversaries exploit them.
These combined measures significantly reduce an attacker's ability to successfully perform reconnaissance.
Defending Against Reconnaissance – A Comprehensive Guide for GIAC GCIH
Introduction
Reconnaissance is the first phase of virtually every cyberattack. Before an attacker can exploit a vulnerability, they must first discover targets, map networks, identify services, and enumerate users and systems. Defending Against Reconnaissance is a critical domain in the GIAC Certified Incident Handler (GCIH) certification because it addresses how security professionals can detect, mitigate, and prevent adversaries from gathering the intelligence they need to launch successful attacks.
Why Is Defending Against Reconnaissance Important?
1. First Line of Defense: If you can disrupt an attacker's reconnaissance efforts, you can prevent or significantly delay subsequent attack phases (scanning, exploitation, privilege escalation, etc.).
2. Reducing the Attack Surface: By understanding what information an attacker can gather, defenders can proactively minimize exposed data, close unnecessary ports, and harden public-facing infrastructure.
3. Early Detection: Reconnaissance activities often produce detectable network signatures. Organizations that monitor for these activities gain early warning of impending attacks.
4. Regulatory and Compliance Requirements: Many frameworks (NIST, ISO 27001, PCI-DSS) require organizations to have defenses against information gathering and enumeration.
5. Incident Handling Context: As a GCIH candidate, you must understand not just how attacks work, but how to detect them in progress and respond effectively. Reconnaissance defense is foundational to this skill set.
What Is Defending Against Reconnaissance?
Defending against reconnaissance encompasses all strategies, technologies, policies, and procedures designed to:
- Prevent attackers from gathering useful information about your organization, networks, systems, and users
- Detect when reconnaissance activities are being performed against your infrastructure
- Respond to identified reconnaissance attempts appropriately
- Minimize the information footprint available to potential adversaries
This defense applies to both passive reconnaissance (where the attacker does not directly interact with your systems, such as OSINT gathering, WHOIS lookups, DNS queries, and social media mining) and active reconnaissance (where the attacker directly probes your systems, such as port scanning, vulnerability scanning, banner grabbing, and network enumeration).
Types of Reconnaissance and Their Defenses
1. Passive Reconnaissance
What attackers do:
- WHOIS lookups to find domain registration details
- DNS enumeration (zone transfers, reverse lookups)
- Google dorking and search engine reconnaissance
- Harvesting email addresses from websites and social media
- Reviewing job postings for technology stack clues
- Examining cached pages, web archives (Wayback Machine)
- Using Shodan, Censys, or similar services
Defenses:
- Use WHOIS privacy protection or domain privacy services to hide registrant details
- Restrict DNS zone transfers to authorized secondary DNS servers only (configure allow-transfer in BIND or equivalent)
- Implement Split DNS (split-horizon DNS) so internal DNS records are not visible externally
- Regularly audit and remove unnecessary information from public websites, social media, and job postings
- Use robots.txt and metadata scrubbing to limit what search engines index (but understand that robots.txt is advisory, not enforceable)
- Monitor for your organization's data on Shodan, Pastebin, and dark web sources
- Train employees on OPSEC (operational security) to limit information leakage
2. Active Reconnaissance – Network Scanning
What attackers do:
- Ping sweeps (ICMP echo requests) to identify live hosts
- Port scanning using tools like Nmap (TCP SYN, TCP Connect, FIN, XMAS, NULL, ACK scans)
- OS fingerprinting (active stack fingerprinting)
- Service version detection and banner grabbing
- Vulnerability scanning using tools like Nessus, OpenVAS
Defenses:
- Firewalls: Configure firewalls to block unnecessary inbound traffic and filter ICMP where appropriate. Use stateful inspection firewalls that can detect and block scan patterns.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy network-based IDS/IPS (e.g., Snort, Suricata) with signatures to detect port scans, ping sweeps, and known scanning tool signatures. Configure thresholds for alerts on multiple connection attempts.
- Port scan detection tools: Use tools like scanlogd, PortSentry, or PSAD (Port Scan Attack Detector) to detect and optionally block scanning hosts in real time.
- Minimize open ports: Disable unnecessary services. Only expose ports that are required for business operations.
- Banner hardening: Modify or remove service banners to prevent version disclosure. For example, change default HTTP server headers, SMTP banners, and SSH banners.
- TCP Wrappers: Use /etc/hosts.allow and /etc/hosts.deny to restrict access to services.
- Rate limiting: Implement connection rate limiting to slow down scanning attempts.
- Network segmentation: Segment internal networks so that even if perimeter reconnaissance succeeds, internal assets remain hidden.
- Honeypots and honeynets: Deploy decoy systems to detect reconnaissance and waste attacker time while gathering intelligence about their methods.
3. Active Reconnaissance – Enumeration
What attackers do:
- NetBIOS/SMB enumeration (using tools like enum4linux, nbtscan, net view)
- SNMP enumeration (using default community strings like 'public' and 'private')
- LDAP enumeration to discover users, groups, and organizational structure
- NTP enumeration (ntpdc, ntpq)
- SMTP enumeration (VRFY and EXPN commands to validate users)
- DNS enumeration (zone transfer attempts, brute-force subdomain discovery)
- RPC enumeration (rpcinfo, showmount for NFS)
Defenses:
- Disable unnecessary protocols: If NetBIOS, SNMP, or NTP are not needed externally, block them at the firewall.
- Change SNMP community strings from defaults and use SNMPv3 with authentication and encryption.
- Disable SMTP VRFY and EXPN commands on mail servers.
- Restrict LDAP access to authenticated users only; do not allow anonymous binds.
- Block DNS zone transfers except to authorized secondary servers.
- Restrict null sessions on Windows systems (configure RestrictAnonymous and RestrictAnonymousSAM registry keys).
- Disable or restrict RPC services and NFS exports to specific IP ranges.
- Implement proper access controls on all enumerable services.
- Log and monitor enumeration attempts – unusual volumes of LDAP queries, failed authentication attempts, or SNMP requests can indicate enumeration.
How Defending Against Reconnaissance Works – A Layered Approach
Effective defense follows the principle of defense in depth:
Layer 1 – Information Minimization (Preventive)
Reduce the amount of publicly available information. Audit WHOIS records, DNS, websites, social media, and job postings. Use privacy services and metadata removal tools.
Layer 2 – Network Hardening (Preventive)
Close unnecessary ports, disable unneeded services, change default banners, implement strict firewall rules, use network segmentation, and enforce least privilege access.
Layer 3 – Detection and Monitoring (Detective)
Deploy IDS/IPS, SIEM, port scan detectors, and log analysis tools. Set up alerts for reconnaissance indicators such as sequential port access, ICMP sweeps, zone transfer attempts, SNMP queries from unknown sources, and high volumes of DNS queries.
Layer 4 – Active Defense (Responsive/Deceptive)
Use honeypots and honeynets to deceive attackers, tarpits to slow down scanning, and automated blocking of identified scanning IP addresses. Feed false information through deception technologies.
Layer 5 – Incident Response (Reactive)
Have documented procedures for responding to detected reconnaissance. This includes logging evidence, correlating events, escalating to incident response teams, and potentially notifying upstream providers or law enforcement for persistent threats.
Key Tools and Technologies for the GCIH Exam
- Nmap: Understand how it works so you know what to defend against (SYN scan, service detection, OS fingerprinting, NSE scripts)
- Snort/Suricata: Know how IDS rules can detect scanning patterns
- PSAD: Port Scan Attack Detector – analyzes iptables logs to detect scans
- PortSentry: Detects and responds to port scans in real time
- Firewalls (iptables/nftables, pf): Know how to configure rules to block reconnaissance
- TCP Wrappers: Host-based access control for services
- Honeypots (Honeyd, Cowrie, T-Pot): Decoy systems for detection and intelligence
- SIEM platforms: Correlation of reconnaissance indicators across multiple sources
Common Exam Scenarios and How to Approach Them
Scenario 1: You see a large number of SYN packets to sequential ports on a server in your firewall logs. What is happening and how do you respond?
- This is a TCP SYN port scan. Respond by verifying IDS alerts, blocking the source IP if appropriate, reviewing which ports responded, and hardening any unnecessarily exposed services.
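The detection logic behind Layer 3 and Scenario 1, as an added example that is not part of the original guide: it parses netfilter LOG lines of the kind PSAD reads and raises one alert per source when a bare-SYN sender touches five or more distinct destination ports, or an echo-request sender touches five or more distinct hosts, within a ten-second window. The window, the thresholds, the FW-IN log prefix and all addresses are assumptions, and the log lines are constructed rather than captured.

```python
"""Flag TCP SYN port scans and ICMP ping sweeps in netfilter LOG (iptables/nftables) kernel
log lines, using Snort-style "N distinct targets from one source within T seconds" thresholds."""
import re
from collections import defaultdict, deque
from datetime import datetime

FIELD = re.compile(r"([A-Z]+)=(\S*)")                # KEY=value pairs written by the LOG target
FLAGS = re.compile(r"\b(URG|ACK|PSH|RST|SYN|FIN)\b")  # TCP flags appear as bare words
STAMP = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)")
WINDOW_SECONDS, PORT_THRESHOLD, HOST_THRESHOLD = 10, 5, 5  # tuning assumptions, not a standard

def parse_line(line):
    """Return (ts, src, dst, kind, dport) for a bare-SYN or echo-request line, else None."""
    m = STAMP.match(line)
    if not m or "kernel:" not in line:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year is irrelevant for deltas
    f = dict(FIELD.findall(line))
    if f.get("PROTO") == "TCP" and set(FLAGS.findall(line)) == {"SYN"}:
        return ts, f["SRC"], f["DST"], "tcp_syn_scan", int(f["DPT"])
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
        return ts, f["SRC"], f["DST"], "icmp_sweep", None
    return None  # SYN/ACK replies, established flows and other protocols are not probes
def detect(lines, window=WINDOW_SECONDS, ports=PORT_THRESHOLD, hosts=HOST_THRESHOLD):
    """Sliding window per (source, type); one alert the moment the distinct-count threshold is hit."""
    history, alerted, alerts = defaultdict(deque), set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dst, kind, dport = ev
        hist = history[(src, kind)]
        hist.append((ts, dport if kind == "tcp_syn_scan" else dst))
        while (ts - hist[0][0]).total_seconds() > window:  # expire events outside the window
            hist.popleft()
        distinct = sorted({v for _, v in hist})
        if len(distinct) >= (ports if kind == "tcp_syn_scan" else hosts) and (src, kind) not in alerted:
            alerted.add((src, kind))  # report each scanner once, not on every further probe
            seq = kind == "tcp_syn_scan" and all(b - a == 1 for a, b in zip(distinct, distinct[1:]))
            alerts.append({"type": kind, "src": src, "count": len(distinct),
                           "sequential_ports": seq, "at": ts.strftime("%H:%M:%S")})
    return alerts
def _line(t, src, dst, proto, tail):  # one constructed netfilter LOG line (documentation addresses)
    return (f"Mar 10 {t} fw kernel: [ 101.0] FW-IN: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO={proto} {tail}")

SYN = "SPT=41234 DPT={} WINDOW=1024 RES=0x00 SYN URGP=0"
SAMPLE_LOG = (
    [_line(f"14:02:{11+i}", "203.0.113.5", "192.0.2.10", "TCP", SYN.format(21+i)) for i in range(6)]  # scan
    + [_line("14:02:14", "198.51.100.7", "192.0.2.10", "TCP", SYN.format(443))]  # one ordinary client
    + [_line("14:02:14", "192.0.2.10", "198.51.100.7", "TCP", "SPT=443 DPT=50123 RES=0x00 ACK SYN URGP=0")]
    + [_line(f"14:0{5+i//4}:{15*i%60:02d}", "203.0.113.20", "192.0.2.10", "TCP", SYN.format(80+i)) for i in range(5)]  # 15 s apart: never 5 in a window
    + [_line(f"14:03:0{h}", "203.0.113.9", f"192.0.2.{h}", "ICMP", "TYPE=8 CODE=0 ID=7 SEQ=1") for h in range(1, 6)]  # sweep
)
```

Widening the window catches the slow 15-second scanner at the cost of more false positives from busy legitimate clients, which is the same trade-off the threshold keyword in a Snort rule expresses.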
Scenario 2: An attacker performs a DNS zone transfer against your DNS server. How do you prevent this?
- Configure DNS to restrict zone transfers (allow-transfer directive in BIND) to only authorized secondary DNS servers. Monitor for unauthorized AXFR requests.
Scenario 3: You discover that your organization's internal IP ranges and server names are visible through public DNS records. What should you do?
- Implement split-horizon DNS so internal records are only resolvable from internal networks. Audit and clean up public DNS entries.
Scenario 4: SNMP enumeration is being used to map your network. How do you defend?
- Change default community strings, upgrade to SNMPv3, restrict SNMP access via ACLs, and block SNMP (UDP 161/162) at the perimeter firewall.
Exam Tips: Answering Questions on Defending Against Reconnaissance
1. Know the reconnaissance tools and techniques thoroughly: The GCIH exam tests your understanding of both offensive and defensive perspectives. You must know what tools like Nmap, Nessus, enum4linux, nbtscan, and others do so you can identify the appropriate defensive measures.
2. Map defenses to specific attacks: When a question describes a specific reconnaissance technique, think about which layer of defense addresses it. For example, ping sweeps → block ICMP at the firewall or configure IDS to alert; SMTP VRFY → disable the command on the mail server.
3. Remember the difference between passive and active reconnaissance: Passive recon defenses focus on information minimization and OPSEC. Active recon defenses focus on network hardening, detection, and response. Exam questions may test whether you can distinguish between them.
4. Understand IDS/IPS signatures and alerts: Be prepared for questions that show you Snort rules or IDS alerts related to scanning. Know what fields like threshold, flow, and flags mean in the context of detecting reconnaissance.
5. Focus on specific configuration details: The exam may ask about specific configurations such as BIND's allow-transfer directive, Windows RestrictAnonymous registry settings, SNMP community strings, or iptables rules. Be precise in your knowledge of these settings.
6. Think about the incident handling process: Many questions frame reconnaissance defense within the incident handling cycle (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Be ready to explain how reconnaissance detection fits into the Identification phase and how your defenses represent Preparation.
7. Honeypots as a defensive measure: Understand that honeypots serve dual purposes – detecting reconnaissance AND gathering intelligence about attacker methods. Know the difference between low-interaction and high-interaction honeypots and their appropriate use cases.
8. Eliminate distractor answers: Some answer choices may describe offensive techniques rather than defensive measures. Always verify that your selected answer is a defensive action. For example, if asked how to defend against port scanning, the answer is not 'perform a port scan back' – it's to deploy IDS, harden firewall rules, or use scan detection tools.
9. Consider the principle of least privilege: Many correct answers for defending against enumeration come down to restricting access – disabling anonymous access, requiring authentication, limiting services to authorized users/IPs. When in doubt, the answer that reduces exposure is often correct.
10. Use your index effectively: If you are taking the exam with an open book, index key topics like DNS zone transfer prevention, SNMP hardening, banner grabbing defenses, Nmap scan types, IDS configuration for scan detection, and firewall rules for blocking reconnaissance. Having these indexed will save critical time during the exam.
11. Practice with scenarios: The GCIH exam often presents scenario-based questions. Practice analyzing log entries, packet captures, and alert outputs that indicate reconnaissance. Being comfortable reading Nmap output, Snort alerts, and firewall logs will give you confidence during the exam.
12. Remember the 'why' behind each defense: Don't just memorize defenses – understand why they work. For example, restricting DNS zone transfers prevents bulk disclosure of all DNS records, while split-horizon DNS ensures internal naming is not exposed to external queries. Understanding the reasoning helps you handle questions that are worded differently from what you studied.
Summary
Defending against reconnaissance is about reducing the information available to attackers, hardening systems and networks against probing, detecting reconnaissance when it occurs, and responding appropriately. For the GCIH exam, ensure you understand the full spectrum of reconnaissance techniques, the specific defenses for each, the tools involved on both sides, and how reconnaissance defense fits into the broader incident handling framework. A layered, defense-in-depth approach is always the best strategy, and understanding this principle will help you select the correct answers on exam day.