So what do detectives do?

Yeah! Because there is a correlation of characteristics between a cybercriminal and a detective. We will talk about some, but we will focus on one that connects them all.

(Spoiler, it’s reconnaissance.)

Whenever a crime happens, you will find a detective, curious, probably with a ballpoint pen and a small high-end notebook.

His first move is to question the witnesses (if there are any) or anyone connected to the crime.

He tries to expose everything, observe the small details, and connect the dots because he craves the Aha! moment.

But what does a cybercriminal do? 

Wait, but first, what’s his goal? 

Regardless of the reasons, the first goal a cybercriminal wants to achieve is to find a spot in the targeted network. 

It’s a moment of truth for him. 

A cybercriminal (whom we will refer to as the fake detective) tends to do the same activities as the detective.

He usually keeps an eye on the target, goes after its employees, digs up everything he can possibly get about them, observes the smallest details, connects all the dots, and crafts a spear-phishing email campaign.

It’s easy to get in.

Spear-phishing is an advantageous way into a company’s network because it exploits human nature.

Here is a tenet detectives live by: 

Everyone is guilty until proven innocent. 

And for the fake detective:

Every employee is breakable until proven safe.

There are tons of real-world examples of spear-phishing emails and there are also many scary statistics about them. Here’s one from FireEye:

86% of email-based attacks include spear-phishing, CEO fraud, and impersonation attacks.

Spear-phishing attacks have been amplified by the current COVID-19 pandemic, which makes the situation even worse.

And to sum up all the existing solutions: defending against spear-phishing attacks requires employees with a security culture.

What’s that?

And to be honest, once human fallibility is exploited, the security perimeter becomes nothing but a myth.

There are many other ways a fake detective can get into your network.

A report from Positive Technologies, whose researchers perform penetration testing for companies across various industries, found that in 71% of companies there is at least one obvious weakness that could give malicious outsiders entry into the network.

There is no escaping it: all of this leads to one fact.

The probability of the existence of an intruder in your network is never ZERO. 

Be that as it may.

Back to our fake detective who has just gained a spot in a network. The first thing he does is perform reconnaissance.

We will have a deep dive into the anatomy of the reconnaissance process in other articles, but for now, let’s give it a definition of…

What? How? Why? When? Where?

Reconnaissance is the first step hackers take when they set out to do harm. It is the process of gathering as much information as possible about the target. It comes in two flavors: active recon and passive recon.

Passive: It’s when the fake detective gathers publicly available information about a target on the internet without interacting with the target itself.

Active: It’s when the fake detective directly interacts with the target assets. 

Active reconnaissance is an iterative process: once the fake detective gets past one stage, he starts recon again to get through the next one.

If the fake detective landed in a network through one simple host, then, just as a detective would reconstruct what happened at a crime scene, he will start deconstructing the network assets, gathering every small detail, and connecting the dots to find the path to the most valuable assets.
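Because active recon means touching internal assets one after another, a defender can look for that footprint in connection logs. The following is an added example, not code from the original post: it flags any host that contacts an unusually large number of distinct internal destination/port pairs inside a short time window, using constructed flow records and assumed thresholds.

```python
"""Flag hosts whose outbound connections fan out like active reconnaissance.

Constructed example: flow records are simplified "epoch src dst dport" lines,
not the format of any particular firewall or NetFlow exporter.
"""
from collections import defaultdict, deque

# Thresholds are assumptions for this example; tune them to a real network's baseline.
WINDOW_SECONDS = 60
DISTINCT_TARGETS = 8


def parse_flows(text):
    """Parse constructed flow lines into (epoch, src, dst, dport) tuples, oldest first."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing on them
        ts, src, dst, port = parts
        flows.append((int(ts), src, dst, int(port)))
    return sorted(flows)


def find_fanout(flows, window=WINDOW_SECONDS, threshold=DISTINCT_TARGETS):
    """Return {src: peak distinct (dst, port) pairs in any `window` seconds}
    for every source whose peak exceeds `threshold`. One host sweeping many
    internal addresses or ports in a short time is the footprint of active recon."""
    recent = defaultdict(deque)  # src -> (ts, (dst, port)) in time order
    peak = defaultdict(int)
    for ts, src, dst, port in flows:
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop connections that fell out of the sliding window
        peak[src] = max(peak[src], len({target for _, target in q}))
    return {src: n for src, n in peak.items() if n > threshold}


# Constructed sample: a workstation doing normal work, then a foothold host
# sweeping SMB (port 445) across the subnet within about half a minute.
SAMPLE_FLOWS = "\n".join(
    ["1000 10.0.0.50 10.0.0.5 443", "1010 10.0.0.50 10.0.0.6 53",
     "1020 10.0.0.50 10.0.0.5 443", "1030 10.0.0.50 10.0.0.7 80"]
    + [f"{1100 + 3 * i} 10.0.0.77 10.0.0.{i} 445" for i in range(1, 13)]
)

if __name__ == "__main__":
    print(find_fanout(parse_flows(SAMPLE_FLOWS)))  # {'10.0.0.77': 12}
```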

That’s the Aha! moment. 

And that’s what reconnaissance is all about.  

But, wait. 

Don’t assume the fake detective is always a person; it can be malware that is indirectly controlled by a human.

Last month, ESET discovered a nine-year-old advanced persistent threat called XDDown. The latter is a downloader: once in the network, it starts downloading other modules, including two called XDrecon and XDMonitor.

XDrecon’s job is to gather technical specs and OS details and send the data back to the XDDown/XDSpy command-and-control server, while XDMonitor’s job is to monitor which devices are connected to an infected host.

One thing worth talking about is the availability of the tools used in recon. There are many GitHub repositories with a massive list of recon tools.

Besides, any fake detective with the audacity to attack a company is surely able to write custom PowerShell, Python, and bash recon scripts, which makes them hard to detect.

He will deploy these tools until he reaches the Aha! moment.

It’s the moment that gives him a maximum of dopamine, making him strive for it every time he lands in a network.

So I will ask you: how adaptive are your cybersecurity solutions?

And how visible is your network?