One of the topics this week is about Reconnaissance, or learning about the target. You may be hired to think just like an outsider, someone trying to “hack” their way in. Remember that some of the “hacking” techniques may not require specific coding. There are so many methods that, for this week’s question, everyone needs to post a unique method of performing reconnaissance in order to earn full points. Describe the method of reconnaissance, and if possible, provide an example of a “hack” or other breach that can be tied back to the information learned due to reconnaissance.
I’ll start with an example that you’re likely seeing on television as part of New Jersey Transit’s “See Something, Say Something” campaign. The commercial promotes security awareness, with several suspicious actors. One of the scenes shows two people along the road, possibly looking at their potential target, but more specifically, another actor taking pictures, and the scene is shown from the viewpoint where we see that the pictures being taken are those of the CCTV system. Why? By taking pictures of the facility, the outsider is learning about the physical security controls of the facility, and can plan the attack to avoid the line of sight from these cameras.
Eugene Angelo Tartaglione says
One version of Reconnaissance could be a user finding a company directory and learning the titles / faces of people from the company before they plan on trying to enter the building. If they are to say hello to someone and know their name, they are more likely to hold the door open for the person trying to come in, or strike up a conversation. Once the actor is inside, they can scope out the interior location to see if there are any vulnerable locations for an attack.
Humbert Amiani says
Eugene, this is actually very true. Late last year we had a gentleman follow some of the associates into our office building from lunch break. Luckily our reception had a sharp eye and stopped him as someone was holding the second door for him. He claimed to be a contractor but did not know the unit he supposedly worked in or the person he reports to. The issue was reported to the Allentown police station right next door.
Nicholas Fabrizio says
Hi Eugene,
I agree that finding a company directory could be a powerful tool to help get in the building by, like you said, knowing their name and starting a conversation. In addition, the threat actor could further their reconnaissance with the employee’s name and title by searching social media platforms to gather more information on the employee. This additional information could help start the conversation with the employee and distract them while the actor enters the building.
Kelly Sharadin says
Social engineering requires virtually no technical skills to be proficient when it comes to conducting reconnaissance. This recent attack against Deutsche Welle (a German broadcasting company) and the Jewish Journal (an Israeli magazine) by the Iranian hacker group Charming Kitten demonstrates the power of social engineering. Charming Kitten posed as ‘credible journalists’ and created fake social media accounts to help with this illusion. The hacking group then contacted their targets through the messaging app WhatsApp to gain the trust of their victims. Once the group earned their target’s trust, they escalated their attacks using any means necessary to steal their information via malware deployment.
https://cyware.com/news/iranian-kitten-charming-journalists-sets-up-social-media-accounts-to-target-victims-3327d461
Candace T Nelson says
Wow! It is disturbing to know that these hackers are so heartless that they are willing to exploit the global COVID-19 pandemic and its many victims for their personal gain. There are so many vulnerable people out there right now, what with global unemployment nearing 200 million individuals. I have been receiving an abundance of emails from supposed recruiters that I would not trust, even if I were in the job market. I have also been receiving texts from someone purporting to be FedEx and telling me that they have a package to be delivered to me. After I ignored a few of those texts I received another about an equally ridiculous claim. I am careful to delete these “bad actors” from my phone, lest I inadvertently communicate with them or click on the links they are sending…
Humbert Amiani says
One form of technical reconnaissance is gauging the response and awareness of an organization’s security team. The attacker engages with harmless attacks with the aim of figuring out how alert the organization is, while planning a major attack based on the information they gathered. This method of recon also acts as a deception plan, since the security team may be expecting a regular type of attack when indeed the attacker is executing their intended serious attack. A good example would be the recently foiled attempt to hack Tesla, where the attackers planned to engage the response team with a DDoS attack while their inside person infects the system with ransomware/malware. In this case the attackers had probably done enough recon to know that they could possibly engage their target with a decoy attack to buy enough time and chance for the real attack without raising much suspicion.
Kelly Sharadin says
Hi Humbert,
A great example, the Tesla case was interesting news. With such public attention surrounding the failed attempt I wonder how attackers will re-orient themselves against Tesla. Tesla is a goldmine for intellectual property and industrial espionage threats; I’d imagine/hope their incident response teams are insanely robust.
Humbert Amiani says
Hi Kelly,
The rate at which Tesla is growing makes them a prime target for industrial espionage and freelance hacker groups attempting to hit a jackpot with malware/ransomware. The company needs to stay alert at all times. Hopefully this foiled attempt will act as a learning example of how complex or simple attacks can come.
Zhuofu Wang says
Phishing is a common social engineering attack, and the phishing email acts as the reconnaissance. It is often disguised as an email from within the company/court/bank and other institutions and contains attachments that carry malicious programs. Once the victim opens and runs these attachments, the malware will start collecting information. Some of them will also establish communication channels with the attacker, allowing them to remotely access the internal network of the infected machine and explore the network topology. Attackers will use the infected machine as a pivot to find users who have higher permissions and try to gain control. All of this is to do reconnaissance for the final attack.
Jerry Butler says
Phishing is a typical Social engineering attack. When talking about Phishing, most professionals think emails. Social engineering, defined by NIST SP 800-115, is the act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust. Spear Phishing gets very interesting. Reconnaissance can lead to targeted access to unforeseen physical access. USB drives dropped into a federal parking lot led to a colossal breach in the DoD. Knowing most people tend to put USBs into the system, the threat was able to gain essentially physical access.
https://www.eweek.com/security/defense-department-confirms-critical-cyber-attack
Nicholas Fabrizio says
Hi Jerry,
That was an interesting article and a good reminder of the potential damage that could occur from plugging an unknown USB drive into a computer. Not only could it install malware, but possibly destroy the computer hardware by sending a high-voltage surge. IBM also banned USB drives from being used in their organization a couple of years ago.
https://www.secureworldexpo.com/industry-news/ibm-bans-usbs-storage
Anthony Wong says
One method of reconnaissance is a packet analyzer. This is a tool that monitors and intercepts network traffic logs. It can be either a wired or wireless network. As information is passed across the network, the information is captured and decoded (if needed), showing the values in a human-readable format. Data such as usernames, passwords, and credit card information could be obtained. It is also worth noting a network administrator could use a packet analyzer to discover issues with the network, malware, and vulnerabilities. A packet analyzer can be used to gather information to defend or perform attacks.
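To make Anthony’s point concrete, here is an added example (not code from any poster in this thread) showing what “captured and decoded into a human-readable format” actually involves, and how a network administrator turns the same decoding into an audit for services that still send credentials without encryption. The sample frame is constructed inline (Ethernet II + IPv4 + TCP + an HTTP form post); the addresses, ports and credential values are made up for the example.

```python
"""Minimal packet decoder plus a cleartext-credential audit.
Added example, not from the thread. The frame bytes are constructed here,
not taken from a real capture."""
import re
import struct

# Constructed HTTP login request, the kind of payload a packet analyzer
# shows in the clear when a site is served over port 80 instead of TLS.
SAMPLE_HTTP = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"username=alice&password=Winter2020!")


def build_sample_frame(payload, dport=80):
    """Build a constructed Ethernet II + IPv4 + TCP frame carrying `payload`."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", 0x0800))                      # EtherType IPv4
    total_len = 20 + 20 + len(payload)                       # IP hdr + TCP hdr + data
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto=6 (TCP),
    # checksum (left 0 for the example), src 10.0.0.5, dst 10.0.0.80
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    # src port, dst port, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP and return addressing plus the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = 14                                                  # IPv4 header starts after Ethernet
    ihl = (frame[ip] & 0x0F) * 4                             # header length in bytes
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]  # ignores Ethernet padding
    if frame[ip + 9] != 6:
        raise ValueError("only TCP is handled in this example")
    src = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    dst = ".".join(str(b) for b in frame[ip + 16:ip + 20])
    tcp = ip + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_offset = (frame[tcp + 12] >> 4) * 4                 # TCP header length in bytes
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": frame[tcp + data_offset:ip + total_len]}


# Ports whose protocols carry no transport encryption: HTTP, alt-HTTP, FTP, POP3, IMAP.
CLEARTEXT_PORTS = {80, 8080, 21, 110, 143}
# Matches "password=", "passwd=", "pwd=" in form bodies and "PASS " in FTP/POP3.
CRED_FIELD = re.compile(rb"(?:^|[&\s])(pass(?:word|wd)?|pwd)[=\s]", re.IGNORECASE)


def find_cleartext_credentials(frame):
    """Audit check: report credential fields sent to an unencrypted service.
    The field name is reported, never the value, so findings are safe to log."""
    pkt = decode_frame(frame)
    findings = []
    if pkt["dport"] in CLEARTEXT_PORTS:
        for m in CRED_FIELD.finditer(pkt["payload"]):
            findings.append(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} "
                            f"sends field '{m.group(1).decode()}' in cleartext")
    return findings


if __name__ == "__main__":
    for line in find_cleartext_credentials(build_sample_frame(SAMPLE_HTTP)):
        print(line)
    print(find_cleartext_credentials(build_sample_frame(b"\x16\x03\x01", dport=443)))
```

The same decoder is what tools like Wireshark do at much greater depth; the audit function is the defender’s use of it, pointing at the login page or mail server that needs to move to TLS. The check is port-based and does not inspect encrypted payloads, so a frame to port 443 produces no finding even though the bytes are captured just the same.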
Bryan Garrahan says
In this case I hope that the ability to perform these functions is very limited to certain individuals in Security. However, as we’ve discussed in class, reconnaissance tactics such as this could be easily deployed by disgruntled and/or bad internal actors.
Nicholas Fabrizio says
Hi Anthony,
Using a packet analyzer would provide a lot of information that could prove valuable during the reconnaissance phase. In addition to capturing the information you mentioned, I also see this method being used to passively monitor network traffic to learn behavior. An example would be to determine a time when network traffic is usually high each day to help hide the traffic of transferring stolen data out of the company’s network.
Nicholas Fabrizio says
When trying to perform reconnaissance on the physical security of a facility, one method that comes to mind is Google products such as Maps or Street View. These two products are free, available to anyone, and the risk of getting noticed during reconnaissance is low since the threat actor does not even have to be near the facility. Using Street View could reveal the location of guard stations, fencing, security cameras, and much more. However, these methods could produce out-of-date information, as sometimes the images on Google Maps and Street View are months or years old and the facility could have improved security by then, but they would give the threat actor an idea of the physical layout.
Bryan Garrahan says
A couple of people have posted about phishing, but a similar topic I was thinking about was vishing (i.e. impersonating someone via phone call). I recently listened to a podcast (link below) which discussed how one penetration tester (Snow) found herself struggling during the reconnaissance process of accessing a brand new building of a client she was looking to physically gain access to. Snow ended up using a vishing attack by impersonating an important investor. Knowing the company would do anything to make a potential investor happy, she was able to physically gain access. On top of this, she was even able to convince an internal employee to walk her through all of the facility’s “physical weaknesses” by stating her investment firm was concerned about physical security after a few of their other clients had been compromised. She stated that one of the biggest findings was when she learned that one of the doors which appeared to be locked actually was unlocked during non-business hours and could easily be accessed by an outsider.
https://darknetdiaries.com/episode/22/
* Snow’s story starts around 27 minutes in, but the entire podcast talks about some other interesting penetration testing stories.
Amelia Safirstein says
Some cyber criminals have begun to outsource their reconnaissance. For example, a group called DeathStalker uses spearphishing to access a computer and infects the device with malware. The malware’s primary function is taking screenshots and sending them back to the hackers. The hackers then pass the data on to their customers for a price. This “APT for hire” scheme makes cyber crime more accessible for less tech-savvy criminals.
https://www.csoonline.com/article/3573081/apt-style-mercenary-groups-challenge-the-threat-models-of-many-organizations.html