Dynamic, sprawling, and constantly fermenting new vulnerabilities, the typical organization’s attack surface can be challenging to measure. While defenders plan out what their defenses are supposed to look like, attackers see how defenses are actually deployed. In some cases, attackers know more about your implementation that you do. By giving security teams insight into how their perimeter looks from the outside, black box recon is a powerful method for bridging this perception gap.
Conducting black box recon involves a tester attempting to breach an organization’s defenses by probing for known and unknown vulnerabilities, misconfigurations, or common security weaknesses. Unlike white box or grey box testing — where pen testers receive security information from the organization under audit — when red teams conduct black box recon, they start with zero knowledge of their target. This means knowing nothing bar their target’s name.
Benefits of Black Box Recon
With no limitations or assistance provided by the organization under audit, black box recon happens on a blank canvas, closely mimicking how actual attacks occur.
During black box recon, there is no defined process. Instead, testers follow the path of least resistance to breach a company’s network, extract files, or deploy malware. All discoverable assets are fair game during this process, and, just like actual attacks, the results of a test can depend on what the attacker encounters. Often testers’ only real goal is to demonstrate how an attack might cause as much damage as possible.
Resembling the exploratory nature of real-world threats, black box recon gives a realistic view into how a security posture functions under pressure. As a result, security teams get a chance to find out what parts of their IT suite are actually vulnerable rather than confirm pre-existing hunches. This feature of black box recon provides organizations with a powerful way to test blue teams, measure risk, and manage their attack surfaces.
With attacks starting entirely outside the network, black box recon does not involve sharing proprietary knowledge of security arrangements and creates minimal downtime.
Deploying Black Box Recon
At the start of a campaign, testers will perform black box reconnaissance on an organization using open source intelligence (OSINT) methods. Techniques used may include scraping social media sites, Google dorking, conducting Whois lookups, analyzing certificate transparency logs and querying ARIN records to identify registered networks. The aim at this stage is to identify basic information on the targeted organization and their technology assets such as domain names, registered networks, known employees, recent mergers and acquisitions, stolen credentials, and web technologies.
Afterward, testers will attempt to gather more detailed information on weak points within an organization’s network assets. Using pen-testing tools like Sqlmap and Nikto, alongside manual intelligence gathering, they will try to probe an organization’s networks for valuable information without being detected. Looking for data such as what OS versions are used by company devices, logic flaws, metadata on company documents, or misconfigured applications that might allow malicious access, testers will try to find one or more ways to breach their target network.
When a path into a network or an exposed asset is located, testers will either make a catalog of the vulnerabilities found and report these to their client or proceed beyond reconnaissance to exploitation through phishing tests or technical vulnerabilities — depending on the nature of the test.
More than a Snapshot
The advantage of conducting the manual testing described above is that it provides companies with a thorough assessment of their attack surface. However, doing so also comes with significant disadvantages. Firstly, although manual black box recon gives a highly detailed snapshot of an organization’s attack surface, it is still just a snapshot.
With organizational attack surfaces continually changing, a report provided by a red team or testing organization is likely to be out of date by the time it’s read. As a result, to be genuinely effective, testing needs to be continuous and happen at the same cadence that attack surfaces evolve. Unfortunately, repeatedly contracting third-party consultants or hiring a dedicated red team to perform in-house testing is not cheap. Because of these costs, the level of black-box testing required to gain real insight is beyond the reach of most organizations.
Automated Breach and Attack Simulation (BAS) solutions can replicate some of the benefits of human-operated black box recon. However, because these tools run through predictable sets of actions to test a company’s attack surface, the insights they provide are comparatively shallow. And unlike scripted BAS tools, real-world threat actors are anything but predictable.
Continuous Black Box Recon with Randori
To give more organizations access to the level of real-world black box recon they need to ensure security, Randori’s Recon platform offers a continuous outsider’s view into your network. This means you can see your attack surface as an attacker sees it in real time, as well as be alerted when new targets pop up on your perimeter.
