Our previous series dug just below the surface of a hot topic you’ve heard about, even if you were living under a rock for the past four years… Unless attackers encrypted your smart TV, too. Perhaps you’re a victim of Cyber Reconnaissance?

This new series covers a framework that is used to defend computer networks against nearly any threat:

The Cyber Kill Chain

Each of the seven stages in the Cyber Kill Chain maps to detection and mitigation actions. Each article in this series will correspond to a single stage of the Kill Chain. We aim to describe the stage, then examples of tools and techniques used to carry out activities in the stage successfully, and finally actions that organizations may take to protect themselves.

In this first article, we will cover some background information about the Cyber Kill Chain framework. Next, we’ll take a pretend seat in the computer chair of a determined threat actor. From this perspective, we’ll dive into the first step nearly any attacker takes before compromising your network: reconnaissance, a.k.a. spying.

So, who made the Cyber Kill Chain?

A long time ago, Lockheed Martin designed The Cyber Kill Chain. You know, the same military defense contractor that also produced the legendary U-2 and SR-71 spy planes? Yep, that Lockheed Martin. Seems they think cyber attacks are well worth defending against. They developed this framework to help counter the most advanced class of criminal threats.

This advanced class is known for calculated and patient efforts. They use tools and techniques tailored to the target environment. These parties do so to gain economic or political advantages over others and have no issue leaving destruction in their wake.

Such damage takes time and resources away from our economy. Replacing data, software, and even hardware is significantly expensive. No wonder Lockheed Martin thought this was just as crucial as spy planes!

Because the Kill Chain uses an attacker’s viewpoint, the Kill Chain is threat-based. It allows organizations to plan, using their resources and investments intelligently. The framework nature of the Kill Chain promotes flexibility and hence can adapt to nearly any type of threat.

The Kill Chain concept considers that an attack is not a single event but a series of phases (or stages) that build upon one another. Interrupting a single stage disrupts the entire attack. Big thanks to Lockheed Martin, for making such a handy tool!

Stage 1: Reconnaissance

Reconnaissance: otherwise known as target selection and spying. An attacker either enters this stage with a planned target already established, or the attacker searches for a target based on suitability and susceptibility. Gathering as much information about the target as possible is their goal, beginning with passive and moving toward more aggressive active reconnaissance.

The attacker develops a list of potential victims with a narrow goal in mind (e.g., extract financial data from POS machines), and conducts reconnaissance to isolate those most vulnerable to attack. 

Remember the movie Home Alone? This situation is exactly like the part in the beginning, when Harry dressed up as a policeman and went from door to door in the neighborhood. He gathered intelligence to find the wealthiest and least risky target for the Wet Bandits to strike!


Tools of the Trade

Cyber attackers are armed with an astonishing amount of resources available on the public internet to help them find what they’re looking for:

  • Email addresses
  • Employee names and contact information
  • IP address ranges
  • Active machines
  • Open ports and services
  • OS and application versions

Hackers employ every means available to discover vulnerable attack vectors into your organization:

  • Google hacks and internet-crawling resources such as Shodan and Censys. These are free to use and nearly undetectable from the target organization’s point of view.
  • xDedic is a marketplace for selling credentials to compromised servers.
  • Absent-minded or unwary users will sometimes upload code containing private SSH keys to public repositories.
  • IT administrators continually post similarly helpful information to tech-help forums.
  • Social media, such as Quora, Facebook, even Myspace, holds a treasure trove of information to mine.

Each of these resources is openly available to anyone.

Consider a favorite attack vector: email. Pointing out the obvious, an attacker needs to compile a list of email addresses before sending the weaponized.pdf to inboxes in your organization.

Discovering the structure of your organizational email addresses is an important aspect of compiling an email list (e.g., first.last@yourcompany.com, f.last@yourcompany.com, first@yourcompany.com, etc.). Manually searching company websites and LinkedIn can be quite helpful, though a tool called theHarvester automates the task.

For a quick and humbling experience, go to https://hunter.io/ and type in the URL of your company website. You should see the emails currently known in their database. Just from knowing your home page’s web address, the attacker now knows the structure of your company’s email addresses. Possibly, the attacker now has a few legitimate email addresses as well. How would you counter this?

Keep all eyes open on your digital footprint.

Detection of passive reconnaissance is especially challenging, so ways to reduce the risks to your network include:

  • Increasing cyber-situational awareness
  • Routinely auditing information available to the public
  • Using strong credentials on your network
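
One way to run the routine audit from the list above, aimed at the private SSH key leak mentioned earlier. This Python script is an added example, not part of the original article: it walks a checkout before it is published and reports every PEM private-key header it finds. The function names, skipped directories and demo tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# PEM header used by OpenSSH, RSA, EC, PKCS#8 and encrypted private keys.
KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
SKIP_DIRS = {".git", "node_modules"}   # assumption: not part of what is published
MAX_BYTES = 1_000_000                  # read at most 1 MB of each file


def find_private_keys(root):
    """Return sorted (relative_path, line) pairs for each key header under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for m in KEY_HEADER.finditer(data):
                findings.append((rel, data.count(b"\n", 0, m.start()) + 1))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed demo tree: one placeholder key and one clean file."""
    os.makedirs(os.path.join(root, "deploy"))
    with open(os.path.join(root, "deploy", "id_demo"), "w") as fh:
        fh.write("# constructed placeholder, not a real key\n"
                 "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 "PLACEHOLDER\n"
                 "-----END OPENSSH PRIVATE KEY-----\n")
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("The public key is in deploy/id_demo.pub\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_private_keys(root)


if __name__ == "__main__":
    for path, line in demo():
        print(f"private key material: {path}:{line}")
```

This checks the working tree only; a key that was committed and later deleted is still present in the repository history.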

Active Reconnaissance

Also called Attack Surface Enumeration, this method gathers information actively. The difference? This phase requires the attacker to interact with your organization’s resources directly.

Just like the Wet Bandits. They checked out the whole house, every single window, just trying to get in. Marv even put his head through the doggy-door. Now, he wouldn’t be able to get through it entirely, but even a peek into the house told him the general layout. Also, he might be able to get his hand on the lock, if he has the right tool.

Attackers aiming to actively pull information about your business network have countless tools readily available. Nmap is a port-scanning tool, with one function designed to detect open ports and potentially vulnerable services on Internet-facing assets. Vulnerability scanners, such as OpenVAS, can also automate active reconnaissance. But scanners are “noisy”, and so significantly increase the opportunity to detect an attack.

Detecting active reconnaissance is easier with a properly configured firewall or an intrusion detection and prevention system.

However, excessive alerts produced by an Internet-facing device can quickly overwhelm your security personnel. Just think of this as a set of wind-chimes at your open window being your “security alert.” Most of these alerts would just be false alarms, so it would be easy to miss when the actual threat appears.
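
The wind-chime problem can be reduced by alerting per source rather than per packet. The following Python is an added example, not from the original article: it reads firewall log lines and raises one alert only when a single source touches several distinct ports on one host within a short window. The log format, threshold, window and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified firewall-log format (an assumption, not
# any particular product's output). Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=21
2024-05-01T10:00:01 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
2024-05-01T10:00:01 ACCEPT SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:02 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23
2024-05-01T10:00:03 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=25
2024-05-01T10:00:04 ACCEPT SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT=80
2024-05-01T10:00:05 ACCEPT SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:09 ACCEPT SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:07:30 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3389
"""

LINE_RE = re.compile(r"^(\S+) \S+ SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)$")


def parse(log_text):
    """Yield (timestamp, src, dst, dst_port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def detect_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Return {src: [ports]} for sources that probed at least min_ports
    distinct ports on one destination inside a sliding time window."""
    recent = defaultdict(list)   # (src, dst) -> [(ts, port)] still in window
    flagged = defaultdict(set)   # src -> ports seen while over the threshold
    for ts, src, dst, port in sorted(events):
        hits = recent[(src, dst)]
        hits.append((ts, port))
        hits[:] = [(t, p) for t, p in hits if ts - t <= window]
        ports = {p for _, p in hits}
        if len(ports) >= min_ports:
            flagged[src] |= ports
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    for src, ports in detect_scans(parse(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: ports {ports}")
```

Lowering `min_ports` to 2 also flags the ordinary web client at 192.0.2.44, which is the false-alarm problem described above.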

Again, to prevent attackers from finding your network an easy target, it’s best to conduct an evaluation of your assets. Such evaluation includes whether or not the public should have access to them, and removing any unnecessary services on public-facing assets.

Completely denying an attacker at this stage can be ensured by powering down your infrastructure, and burying everything under 10 feet of concrete.

However, your organization will probably benefit much more by channeling Kevin McCallister. You can begin by making preparations to lock down all access points that you can, being aware of where your weak points are, and using all available detection to reveal active reconnaissance.

Stage 1: Reconnaissance – Best defeated by Detection