Successful Attacks: Reconnaissance

From Daelphinux

In order to do anything successfully in a given setting, knowledge of the task and of the obstacles that may prevent it is crucial. After determining an end goal for the attack, such as gathering user data from a target, the first real step in the attack process is to gather useful information about the target. Useful is a very important word here. During the reconnaissance phase a wealth of useless information will, inevitably, be gathered. It is important to be able to filter out the junk and retain the useful information, although it is unlikely that one will be able to perform that filtering on the spot. In this phase the attacker will likely be gathering information from every source imaginable: running deep web searches, calling public phone lines, checking the whois entries of any of the target's domains, carrying out social engineering attacks (phishing, email scams, prodding users for information, and even making new friends), and going as far as diving through dumpsters for improperly disposed of documents. This will leave the attacker with a giant wealth of information, most of it completely and utterly useless. Within that overbearing mountain, however, a skilled attacker will be able to find information that is extraordinarily useful. A couple of stray printer configuration pages, a list of email addresses, or some network shares written down on scraps of paper are invaluable in this phase of an attack.

An attacker will be looking for anything that gives them clues regarding the target's:

- Network information (subnets, IP ranges, VLANs, etc.)
- Manufacturers of computing equipment
- Printer manufacturers
- Internal organization
- Operating system versions
- Network equipment manufacturers
- Username policies
- Password policies
- and more

This information will give the attacker what they need to determine whether any known exploits exist for the target's systems, and to begin formulating a plan to look for unknown ones.

It is very difficult to recognize the reconnaissance step of an attack. Security footage or reports of dumpster divers can be a good clue, but even those aren't necessarily indicative of an incoming network attack. Those could be completely innocuous situations where a person is trying to reap usable hardware with no desire for any data, or even someone down on their luck just trying to score a meal. The rest of the methods commonly used for reconnaissance are almost impossible to detect as malicious, as they are not really any different from the day-to-day actions of a normal end user.

However, while this is the most difficult phase to detect, it is the easiest to defend against. The flow of useful information is paramount to the attacker's success in phase one, so the easiest solution is to cut off that flow. Some pieces of useful data cannot be denied: whois information, addresses of company buildings, any publicly available phone numbers, and even basic website information and email addresses will always be accessible. However, ensuring on-site security and the destruction of purchase order information, manufacturer manuals, boxes for critical equipment, and anything bearing network information (server names, IP addresses, etc.), up to and including things as seemingly innocuous as printer configuration pages, can make a world of difference in an attack. Employees and other associates should be instructed to destroy certain documents once their purpose has been fulfilled. In most cases, simply shredding a document with a cross-cutting shredder will suffice. For particularly sensitive information, however, it may not be a bad idea to maintain burn storage for documents that will need to be burned, in most cases by an off-site solution. Although this brings a third party into the security process, with proper vetting and research a reputable third-party destruction solution is often the more cost-effective route.

Although these steps are very easy to plan in theory, they are much harder to implement in practice. Ensuring that information never leaves the facility places a requirement on end users, service employees, and executives that may or may not be fulfilled. Company policies do a lot to promote good practice, but human nature tends to work against that. Mistakes are made, lazy practices exist, and sometimes it is simply down to force of habit. If employees are used to throwing documents away instead of destroying them, it may be difficult to retrain them to do otherwise. However it is implemented, the goal of a phase one defense is to prevent the flow of useful information. Even better is a plan that prevents the flow of ANY information, but that is, alas, unrealistic: in most environments it would not be cost effective to destroy or withhold every piece of information that would otherwise leave the facility, when comparing the benefits to the risk. In ultra-high security situations, however, this solution has proven to be viable.

Should a well-formed defense fail against a phase one attack, it is likely that a phase two attack will follow. For all but two of these phases, the best preparation for the failure of a defense directly correlates with successfully defending against the next phase. The exceptions are phase three and phase five, which will be addressed in their appropriate sections.