Threat actors may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure (GS and Cloud infrastructure) via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
Threat actors may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP. Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.