The Art of the (Re)Con
Cyber recon is the art of investigating a person or organization through their online presence: identifying who they are, what they like, which accounts they use and which are most active, what systems they run, and so on. It is all done without your knowledge, and there is no way to detect that it is happening to you or your business. You are leaking large amounts of data, and it all sits waiting for anyone to find it and use it against you and your business.
Reconnaissance (recon): a preliminary survey to gain information; especially: an exploratory military survey of enemy territory. – Merriam-Webster
Make no mistake: in cybercrime and cyberwarfare, you are the enemy. Before an attack begins, a certain amount of cyber recon can be conducted to improve the odds of successfully stealing your data, and you are leaving quite an impressive trail. The individual pieces may seem meaningless, but combined together, and added to the fact that you, like most people, are not expecting anything to happen, they can lead to a complete takeover of your network, business, and life.
I often refer to these sites as social engineering sites instead of social networking sites, and for good reason: they are outstanding sources for cyber recon. Truth be told, I accidentally call them that because I talk about social engineering a lot and it just flows out readily. So much data is leaked on these sites that an attacker would be foolish not to at least take a quick look at your profiles. Company profiles on LinkedIn are one thing to look for. Exploring the history of the company, learning who is in charge of which department, building a list of employees, and so on is a great help. Combine that with individual profiles that give specifics about what people do for the organization and an attacker is well on his way to understanding your environment. This is amplified by your IT staff broadcasting what technology you use. Yay! Here’s an example I pulled from a random LinkedIn profile (modified to protect them, heavily in fact, because I kept chopping it up, throwing it in Google, and it kept coming up with the profile anyway; now it gives someone else’s profile, and well, I can’t help it, this is common).
Network operations management. Duties: Cisco administration. Backup administration. VPN administration. Windows 2012 Server administration. VMware administration. Palo Alto administration.
Our cyber recon has revealed what tech they use and as a bonus we know this person is in charge of the security appliances, among other juicy targets. It would be great to steal this individual’s account credentials wouldn’t it? But how can we find that? Well, we have a list of contacts, groups they belong to, hobbies and interests, other activities they frequently participate in, etc. We can also check other social media sites like Facebook to see what else the target likes, who might be friends, what bars they may go to, etc.
Now, what if I do the same type of cyber recon for the receptionist or some low level purchasing employee, etc.? Can I call them pretending to be one of these vendors and get them to tell me their account number for the agreement with Palo Alto, or Cisco? Then, can I call Palo Alto or Cisco and claim to be the network operations manager above, give them the account number, and get them to do something?
Before you run off screaming and kicking in doors in the office, consider that you probably already put much of that information in a job posting. Weren’t you seeking someone who knows that equipment when you hired for that position in the first place? Well, hackers performing cyber recon were looking at those requirements as well.
Yes, job postings are another treasure trove of information about your environment. Hiring salespeople? Do they need to know the CRM tool you use, like Salesforce? The same goes for HR systems, payroll, etc. You leak data. That’s a fact. You have to in order to hire the right people, or at least to make weeding out candidates easier, and once it’s on the Internet, it’s there forever, just waiting for cyber recon to discover it.
You also invite attackers in for interviews. Nothing gives me better insight than having eyes on target, and you’ve just invited me in. Of course, that is always a worry when hiring someone: can they be trusted? The level of trust you need scales with their access to sensitive data. A background check is great, but it’s not going to catch everything, and if the attacker is bringing their A game, they’ve faked their identity anyway. You’re a good judge of character, the background check is going to catch them, so what’s the threat? Well, during the interview you had them wait in the lobby, then brought them to a conference room or your office, so they didn’t get to see the server room or anything, so you’re safe, right? Not exactly. You probably discussed a great deal of technical detail, giving them more insight than was already on the job posting. The attacker has actually been interviewing you more than you have been interviewing them, getting a feel for your expertise to understand what they are up against. Of course, this is largely only effective for technical positions, but did you leave them unattended in any room? How about 30 minutes into the interview, when they asked for a glass of water? That’s all it took for them to insert a USB drive into your computer, attach a tiny device to your network that beacons out to a remote server giving them access to your network, etc.
Mis-configured Servers Recon
I can’t tell you the number of times I’ve tested a client and found a server sitting on the external network with a default installation of a web server like IIS, Apache, etc. The client installed a Windows or Linux server to perform some task, and rather than installing only the services needed and turning off those they don’t need (a process called hardening), they installed everything, and it set up a web server with a default page. They never noticed it because they never intended there to be a website running on the server, so they never looked. Now you’re asking me: what’s the big deal? It’s just a simple HTML page, I’m always patching everything, so any new vulnerabilities are short-lived. What does it matter? Well, for starters, some of these default pages leak data such as the versions of the services running and internal IP addresses, which I can use to trick your employees: my knowledge of your network makes it easier to get them to trust that I work for you or for a vendor. Some services have default logins that can give me access to the service. Even if none of that were true, and nothing could be done through the accidentally open service, it absolutely tells the attacker that you probably don’t know what you’re doing (and in this case they would be right) and that they are going to be able to easily find a way into your environment.
Defending Against Cyber Recon
For starters, you need a third-party evaluation of your environment. You know what is supposed to be there, and it’s difficult to spot things that aren’t. That’s why programmers have testers run the software: it’s very difficult to find problems with your own work, because you are expecting it to work as it should. Apart from that, you need to be building specific-purpose servers and disabling all unnecessary and unused services. This not only reduces the red flags suggesting you might not know what you’re doing, but it also reduces the number of entry points. Win-win.
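The default-page leakage described in the Mis-configured Servers section and the self-evaluation advised here can be turned into a quick self-audit. The script below is an added example, not code from the original article: given raw HTTP responses captured from your own hosts, it flags the three indicators the article mentions (a version string in the Server or X-Powered-By header, a stock default-page title, and a private RFC 1918 address echoed in the page body). The indicator lists are my own assumptions of common signatures, and the two sample responses are constructed, not captured from any real host.

```python
"""Self-audit for unhardened default web-server installs (added example).

Indicators checked (assumed, conventional signatures):
  * version disclosed in Server / X-Powered-By header, e.g. Apache/2.4.41
  * stock default-page <title> such as "Apache2 Ubuntu Default Page"
  * RFC 1918 (private) IPv4 addresses echoed in the response body
"""
import re
from dataclasses import dataclass, field

# Non-capturing groups so findall() returns whole addresses.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
VERSIONED_SERVER = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")  # Apache/2.4.41
DEFAULT_TITLES = (
    "iis windows server",
    "apache2 ubuntu default page",
    "welcome to nginx",
    "test page for the apache http server",
)


@dataclass
class Finding:
    host: str
    issues: list = field(default_factory=list)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit(host: str, raw: str) -> Finding:
    """Return a Finding listing every leakage indicator seen in one response."""
    status, headers, body = parse_response(raw)
    finding = Finding(host)
    for name in ("server", "x-powered-by"):
        if name in headers and VERSIONED_SERVER.search(headers[name]):
            finding.issues.append(f"version disclosed in {name}: {headers[name]}")
    match = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    title = match.group(1).strip() if match else ""
    if " 200 " in status and any(t in title.lower() for t in DEFAULT_TITLES):
        finding.issues.append(f"default page served: '{title}'")
    for ip in sorted(set(PRIVATE_IP.findall(body))):
        finding.issues.append(f"internal address in body: {ip}")
    return finding


def audit_all(responses: dict) -> dict:
    """Audit a {host: raw_response} mapping; hosts with no issues are clean."""
    return {host: audit(host, raw) for host, raw in responses.items()}


# Constructed sample responses (not captured from any real system).
SAMPLES = {
    "web1": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.41 (Ubuntu)\r\n"
        "X-Powered-By: PHP/7.4.3\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><head><title>Apache2 Ubuntu Default Page: It works</title></head>"
        "<body>Served by 10.20.30.40</body></html>"
    ),
    "web2": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><head><title>Customer Portal</title></head>"
        "<body>Sign in</body></html>"
    ),
}

if __name__ == "__main__":
    for host, finding in audit_all(SAMPLES).items():
        status = "CLEAN" if not finding.issues else "REVIEW"
        print(f"{host}: {status}")
        for issue in finding.issues:
            print(f"  - {issue}")
```

Feed it responses saved from hosts you are responsible for and treat every REVIEW entry as a server that was never hardened: the fix is to remove or lock down the unintended service, not merely to change the page.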
The first two are not so easily corrected. You could ask employees not to post specifics about their job function until after they have left the organization. That’s difficult, and your mileage may vary. There are ways to get that information out of you anyway, such as the job postings. You could avoid posting details about positions, but then you will have to read a lot more resumes to find what you want, and people may not apply if they don’t know what you are looking for. How would you stop the attacker who showed up for the interview anyway? The answer is security awareness training. You and your staff need to know what to look for when attackers come knocking. This article is a start; keep following us for more tips in the future and sign up for the mailing list below for even more information. The quick answer for the interview attacker is: don’t lose control of the interview. You are asking them questions, not the other way around. Don’t reveal too much, especially when someone seems eager to get information from you. More importantly, you need a proper visitor policy that mandates that all guests are escorted at all times while in the facility. Once you have that in place, you need to test yourself. Social engineering testing can help drive the awareness training home with real examples of an attack on the business and can identify any shortfalls in your policies and procedures. Continue to educate and verify, and you will be well on your way to stopping the threat.