As organisations wind down for the festive break, cyber adversaries ramp up their reconnaissance efforts. This early phase of the cyber kill chain (reconnaissance) involves scanning, mapping and profiling networks to identify potential weaknesses for later exploitation. During December, when IT teams are distracted by change freezes and reduced staffing, attackers quietly gather information on exposed services, outdated software and vulnerable systems. Executives should treat reconnaissance not as a low-level nuisance, but as the first warning bell of potential compromise.
Reconnaissance attacks involve external scanning and information gathering. Attackers use automated tools to probe networks for open ports, misconfigured firewalls and unpatched software. They also perform passive reconnaissance, collecting publicly available data from corporate websites, social media or job postings that may reveal system types, vendors or technologies in use.
Once attackers identify a target, they catalogue vulnerabilities and create a plan for initial access. This may include targeting unpatched web servers, remote desktop services or outdated VPN appliances. The process is largely invisible to end users and can persist for weeks before active exploitation begins.
During the Christmas season, reconnaissance often precedes major attacks in January, when attackers assume systems are least monitored and incident response capacity is lowest.
The ACSC’s Cyber Threat Report 2024-2025 noted reconnaissance as the most common activity type leading to critical infrastructure-related incidents, at 41 per cent. During FY2024–25, ASD’s ACSC notified entities more than 1,700 times of potentially malicious cyber activity, an 83% increase from the previous year, highlighting the ongoing need for vigilance and action to mitigate persistent threats. State-sponsored cyber actors continue to pose a serious and growing threat to our nation. ASD observed that threat actors commonly scan for vulnerabilities throughout an analysis period before exploiting the discovered vulnerability at a time when the attacker believes the target is least equipped to detect and respond to an attack.
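Scanning that is spread across a long analysis period stays under the short-window thresholds most scan alerts use. The Python below is an added example, not taken from the report or from any product: it runs the same distinct-port rule over a 60-second window and a 30-day window. The log line format, the documentation-range addresses and the threshold of 10 ports are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample of denied inbound connections; the line format is an assumption."""
    start, lines = datetime(2025, 12, 1, 2, 0, 0), []
    def deny(ts, src, port):
        lines.append(f"{ts.isoformat()} src={src} dst=192.0.2.10 dport={port} action=DENY")
    # Slow scanner: one new port per day for 20 days.
    ports = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443,
             445, 1433, 1723, 3306, 3389, 5900, 8080, 8443, 9200, 10443]
    for day, port in enumerate(ports):
        deny(start + timedelta(days=day, minutes=7 * day), "203.0.113.50", port)
    # Noisy scanner: 15 ports in 15 seconds.
    for i in range(15):
        deny(start + timedelta(days=3, seconds=i), "198.51.100.7", 1000 + i)
    # Benign client retrying one blocked port 40 times.
    for i in range(40):
        deny(start + timedelta(days=5, seconds=30 * i), "198.51.100.99", 443)
    return sorted(lines)  # ISO timestamps sort chronologically

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], int(kv["dport"])

def scanners(lines, window, min_ports):
    """Sources that hit at least min_ports distinct ports inside any sliding window."""
    events = defaultdict(list)
    for line in lines:
        ts, src, port = parse(line)
        events[src].append((ts, port))
    flagged = set()
    for src, evs in events.items():
        evs.sort()
        left, counts = 0, defaultdict(int)
        for ts, port in evs:
            counts[port] += 1
            while ts - evs[left][0] > window:  # drop events older than the window
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_ports:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("60-second window:", sorted(scanners(log, timedelta(seconds=60), 10)))
    print("30-day window:   ", sorted(scanners(log, timedelta(days=30), 10)))
```

Only the long window flags the one-port-per-day source, and the client retrying a single port is flagged by neither, which is why the rule counts distinct ports rather than raw denies.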
While reconnaissance itself is difficult to prevent, the Essential Eight reduces its effectiveness and limits what attackers can discover:
Together, these controls ensure that even if attackers gather some intelligence, exploiting it becomes significantly more difficult and resource-intensive.
By maintaining vigilance and aligning with the Essential Eight, organisations can ensure their networks remain resilient, allowing executives to enjoy the holidays knowing that the only reindeer exploring their environment are the ones in festive stories, not in their firewalls.