Cyber-attacks keep increasing and evolving but, regardless of the degree of complexity used by hackers to gain access, get a foothold, cloak their malware, execute their payload or exfiltrate data, their attack will begin with reconnaissance. Hackers will try to find exposed assets, and search the attack surface of their targets for possible entry points.
So, the first line of defense is to limit, as much as possible, the potentially useful information available to a potential attacker. The tug-of-war between security and operational necessity must be considered, and that requires an understanding of how this information is typically used.
What information is recon looking for?
Hackers, whether they are white or black hats, are “casing the joint” when running recon against an organization. They will attempt to uncover all the information they can about your infrastructure and your credentials (detailed below) in order to plan and execute their attack.
Your infrastructure
- The types of technologies you use – As there is no flawless technology, learning which technologies you use to build and manage your infrastructure is the hacker’s first step. Hackers seek to exploit vulnerabilities in your infrastructure while avoiding detection. Hackers can gain information about your technologies and how they are used by listening to conversations in tech forums. DevOps staff participating in such discussions should refrain from divulging their real identity or information that might identify the organization.
- Your internet-facing servers – these servers hold your organization’s vital information. Hackers will attempt to find vulnerabilities ranging from unused or unpatched services to open ports.
- Any system that is used to host a public network server is a potential target. System administrators need to exercise extra caution by:
  - Keeping all services current
  - Opting for secure protocols whenever possible
  - Limiting the network services each machine exposes to a strict minimum, preferably one service per machine
  - Monitoring all servers for suspicious activity
- Your Operating System (OS) – Each OS has its own vulnerabilities. Windows, Linux, Apple, and other OS vendors regularly publish newly uncovered vulnerabilities and patches. Cyber-attackers can exploit this publicly accessible information once they know which OS you run.
  - For example, a forum conversation where Joe Blog, your accountant, explains how to use a function in an Excel spreadsheet on Windows 8 tells the hacker that Joe Blog uses Windows and has not updated his OS for ages.
  - This tidbit encourages the cyber-attacker to dig further: if an employee with access to your organization’s financial information is allowed to work on an endpoint that is rarely, if ever, updated, employees’ endpoint security is lax.
- Your security maturity – Hackers are humans and, as such, tend to be lazy. A hacker on a recon mission who finds out that you are using an XSPM (Extended Security Posture Management) platform knows that, even if there is an exploitable entry point, escalation will be hampered at every step, and achieving the malicious action will require a superior level of planning. This discourages most potential cyber-attackers.
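The “types of technologies you use” point above is also leaked mechanically, not just in forum chatter: internet-facing servers often announce their product and version in HTTP response headers. The following check, added here as an illustration and not code from the article or from Cymulate, parses a raw HTTP response and flags headers that disclose the stack. The header list and the two sample responses are constructed for the example; the real fix is in the server configuration (for instance Apache’s `ServerTokens Prod`, nginx’s `server_tokens off`, PHP’s `expose_php = Off`).

```python
"""Added example: flag HTTP response headers that disclose the technologies
and versions behind an internet-facing server.  Constructed sample data; the
list of header names is an assumed baseline, not an exhaustive catalogue."""
import re
from typing import Dict, List, Tuple

# Headers that commonly advertise the software stack (assumed baseline)
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# A dotted version number such as 2.4.41 or 7.4
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict.

    The status line and the blank line terminating the headers contain no
    ':' and are skipped; header names are case-insensitive per RFC 9110.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n"):
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, value, severity) for every disclosing header present.

    Severity is 'version' when the value carries a version number (an
    attacker can look up published CVEs directly) and 'product' when only
    the product name is revealed.
    """
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        severity = "version" if VERSION_RE.search(value) else "product"
        findings.append((name, value, severity))
    return findings


# Constructed responses: a default install and a hardened one
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, find_disclosures(parse_raw_headers(raw)))
```

Run the same function over a capture of your own servers’ responses (for example the output of `curl -sI`) as a periodic hygiene check; a finding with severity `version` is the one to fix first, since it hands an attacker the exact release to look up.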
Credentials
- Email addresses – as the human mind is the hardest software to upgrade and patch, phishing remains the number one penetration vector for hackers. Though some email addresses, such as info, support, sales, etc., must be public, employees’ personal email addresses can be leveraged by hackers for generic phishing messages and spear phishing.
- Usernames & passwords – Darknet hackers’ shopping malls are full of credentials for sale at ridiculously low prices, hence the recommendation to change your password regularly.
  - System admins and users who have high-privilege access to the system should practice excellent password hygiene and use MFA. MFA is an absolute must as, should their credentials fall into the hands of a hacker, the entire system could be irremediably compromised.
Can you spot a hacker recon?
Forewarned is forearmed. It is also smart to look out for indications of hostile recon activity. The two types of recon activity are:
- Active recon: hackers using tools or spyware to peek into your system. This should trigger alerts from properly configured detection tools, informing security teams that hackers are “casing” them.
  - This should prompt a security validation exercise to ensure that potential security gaps are adequately monitored and scheduled for priority patching.
- Passive recon: hackers “stalking” you by collecting publicly available information about your infrastructure’s technological details or email addresses. In practice, this is undetectable.
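Active recon is the one of the two that leaves traces, and the classic trace is one source probing many ports in a short time. The detector below, added here as an illustration and not code from the article or from Cymulate, runs that rule over a handful of constructed firewall log lines (TEST-NET addresses, assumed log format): it counts distinct destination ports per source inside a sliding time window and raises an alert once a threshold is crossed. The sample set deliberately includes a slow probe that stays under the default window, which is the caveat a practitioner should keep in mind when tuning such a rule.

```python
"""Added example: sliding-window port-scan detection over constructed
firewall log lines.  Log format, addresses and thresholds are assumptions
for the example, not a specific vendor's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed line format:
#   2024-01-15T09:00:00Z DENY src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event


def detect_port_scans(
    lines: List[str],
    port_threshold: int = 10,
    window: timedelta = timedelta(seconds=60),
) -> Dict[str, int]:
    """Map each source IP that touched >= port_threshold distinct ports within
    any `window` to the largest number of distinct ports seen in one window."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts: Dict[str, int] = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({e["dport"] for e in evs[start : end + 1]})
            if distinct >= port_threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


# ---- Constructed sample log --------------------------------------------
_BASE = datetime(2024, 1, 15, 9, 0, 0)


def _log(offset_s: int, src: str, dport: int, action: str = "DENY") -> str:
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {action} src={src} dst=198.51.100.10 dport={dport} proto=tcp"


_FAST_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080, 8443]
SAMPLE_LOG = (
    # fast scanner: 11 ports in 20 seconds
    [_log(i * 2, "203.0.113.5", p) for i, p in enumerate(_FAST_PORTS)]
    # benign client: only ports 80 and 443
    + [_log(i * 5, "198.51.100.77", p, "ALLOW") for i, p in enumerate([443, 443, 80, 443, 443, 80])]
    # slow scanner: 12 ports, one every 30 seconds (evades a 60-second window)
    + [_log(i * 30, "203.0.113.9", 1000 + i) for i in range(12)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    print("60s window :", detect_port_scans(SAMPLE_LOG))
    print("10m window :", detect_port_scans(SAMPLE_LOG, window=timedelta(minutes=10)))
```

With the default 60-second window only the fast scanner is reported; widening the window to ten minutes also catches the slow probe. Wider windows and lower thresholds trade false negatives for false positives, so in production the rule is usually paired with an allowlist of known scanners (vulnerability management, monitoring) and the alert feeds the validation exercise described above rather than an automatic block.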
What does a hacker do with the information gathered during recon?
Cyber-attackers’ goals fall under four broad categories:
- Theft – by far the largest category in terms of numbers, attacks aimed at stealing can be subdivided by what is being stolen:
  - Data – data is the 21st century’s currency, and any data in the right hands can be translated into value. From credit card details to users’ personal information to generic data such as traveling habits, all data can be misappropriated for commercial, strategic, or even military purposes.
  - Intellectual Property – IP gives an edge to many organizations and businesses. Competitors, for example, may be interested in the information.
  - Computing resources – the resources used to power your infrastructure are costly, and therefore attractive. Crypto mining is the main use of stolen resources today.
- Extortion – best known in the form of ransomware, which hijacks part or all of the infrastructure, encrypts the data, and demands payment in crypto-currency to decrypt the affected data. Exfiltrating data and threatening to sell it is also part of ransomware threats.
- Information gathering – a stealthy type of attack that might remain undetected for extended periods. These are typically conducted by nation-states, political enemies, or business rivals.
- Destruction / taking over the infrastructure – attacks aimed at taking over or destroying are typically led by nation-states targeting critical infrastructure, particularly aggressive competitors, or hacktivists.
Given the range of damages that can result from a cyber-attack, making recon as fruitless or daunting as possible for scouting cyber-attackers is a good policy. This explains the current trend toward better Attack Surface Management (ASM).
Note: This article is written by Sasha Gohman, VP Research at Cymulate.