Hacker Recon 101

During 2022, cyber-attacks are increasing and evolving. The attacks range from simple to complex, and both kinds are used by hackers to gain access, cloak their malware, and execute their payload or exfiltrate data. Like trained invaders, they begin their attack with reconnaissance. Cyber actors will do their best to uncover exposed assets and probe their target's attack surface for gaps that can be used as future entry points. The first line of defense is to limit the potentially useful information available to a potential attacker. Doing so often means weighing the tension between operational necessity and security concerns, which requires a better understanding of the type of information attackers typically leverage.

When running recon on an organization, hackers, whether white hats or black hats, are doing what old-time gangsters would call "casing the joint." To plan their attack, they will try to uncover as much information as possible about your organization:

Infrastructure

  • The types of technologies you use. As there is no flawless technology, learning which technologies you use to build and manage your infrastructure is the hackers' first step. They aim to find vulnerabilities that let them penetrate your infrastructure and shield themselves from detection. Hackers can learn about your technologies and how they are used by listening to conversations in tech forums. DevOps staff participating in such discussions should refrain from divulging their real identity or any information that might identify the organization.
  • Internet-facing servers that hold your organization's vital information. Hackers will attempt to find vulnerabilities ranging from unused or unpatched services to open ports.
  • Any system used as a server on a public network is a target, so system administrators must be extra vigilant in:
    • Keeping all services current
    • Opting for secure protocols whenever possible
    • Limiting the type of network per machine to a strict minimum, preferably one per machine
    • Monitoring all servers for suspicious activity
  • Operating System (OS). Each OS has its own vulnerabilities. Microsoft, Apple, the Linux distributions, and other OS vendors regularly publish newly uncovered vulnerabilities and patches. Cyber-attackers exploit this publicly available information once they know which OS you use.
  • For example, a forum conversation in which your accountant explains how to use a function in an Excel spreadsheet on Windows 8 tells the hacker that the accountant uses Windows and has not updated the OS for ages.
  • This tidbit encourages the cyber-attacker to dig further: if an employee with access to your organization's financial information is allowed to work on an endpoint that is rarely, if ever, updated, endpoint security for employees is probably lax across the board.
  • Security maturity. Hackers are human and tend to be lazy. A hacker on a recon mission who finds out that you are using an XSPM (Extended Security Posture Management) platform knows that, even if there is an exploitable entry point, escalation will be hampered at every step, and achieving the malicious action will require a superior level of planning. This discourages most potential cyber-attackers.

Credentials

  • Email addresses. As the human mind is the hardest software to upgrade and patch, phishing remains the number one penetration vector for hackers. Though some email addresses, such as info, support, sales, etc., must be public, employees' personal email can be leveraged by hackers for generic phishing messages and spear phishing.
  • Usernames & passwords. Darknet hackers' shopping malls are full of credentials for sale at ridiculously low prices, hence the recommendation to change your password regularly.
  • For system admins and other users with high-privilege access, stellar password hygiene and Multi-factor Authentication (MFA) should be a requirement, not an option: should their credentials be exposed to a hacker, the entire system could be irremediably compromised.

Recon activity can be classified into categories:

  • Active recon: hackers using tools or spyware to peek into your system. This should trigger alerts from properly configured detection tools, informing security teams that hackers are "casing" them.
  • Such alerts should prompt a security validation exercise to ensure that potential security gaps are adequately monitored and scheduled for priority patching.
  • Passive recon: hackers "stalking" you by collecting publicly available information about your infrastructure's technological details or email addresses. This is, in effect, undetectable.
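The active/passive distinction above is what makes active recon detectable: a scanner touching many ports in a short time leaves a signal in perimeter logs. The following detector, added here as an example and not part of the original post, groups firewall events by source address and flags any source that reaches a threshold of distinct destination ports inside a sliding time window. The log format, the sample lines and the addresses are all constructed for this demonstration.

```python
# Added example (not from the original post): flag active recon in firewall
# logs by counting distinct destination ports per source in a sliding window.
# The log format and sample lines below are constructed for this demo.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed format: "<ISO time> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=\S+ dport=(\d+)$")

SAMPLE_LOG = """\
2022-03-10T09:00:01 ACCEPT src=203.0.113.7 dst=198.51.100.5 dport=443
2022-03-10T09:00:02 DROP src=192.0.2.10 dst=198.51.100.5 dport=21
2022-03-10T09:00:02 DROP src=192.0.2.10 dst=198.51.100.5 dport=22
2022-03-10T09:00:03 DROP src=192.0.2.10 dst=198.51.100.5 dport=23
2022-03-10T09:00:03 DROP src=192.0.2.10 dst=198.51.100.5 dport=25
2022-03-10T09:00:04 DROP src=192.0.2.10 dst=198.51.100.5 dport=80
2022-03-10T09:00:04 DROP src=192.0.2.10 dst=198.51.100.5 dport=110
2022-03-10T09:00:05 DROP src=192.0.2.10 dst=198.51.100.5 dport=143
2022-03-10T09:00:05 DROP src=192.0.2.10 dst=198.51.100.5 dport=3389
2022-03-10T09:00:06 DROP src=192.0.2.10 dst=198.51.100.5 dport=8080
2022-03-10T09:00:07 DROP src=192.0.2.10 dst=198.51.100.5 dport=8443
2022-03-10T09:30:01 DROP src=203.0.113.7 dst=198.51.100.5 dport=8080
"""

def parse(log_text):
    """Yield (timestamp, src, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(3), int(m.group(4))

def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: max distinct dports seen inside one window} for sources
    that touch at least `threshold` distinct ports within any window."""
    events = defaultdict(list)                  # src -> [(time, dport), ...]
    for ts, src, dport in parse(log_text):
        events[src].append((ts, dport))
    hits = {}
    for src, evs in events.items():
        evs.sort()                              # logs may arrive out of order
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window start forward
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits
```

In the sample, 192.0.2.10 hits ten distinct ports in six seconds and is flagged, while 203.0.113.7's two contacts half an hour apart are not; the passive recon described above produces no such log line at all.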

Cyber-attackers' goals fall under four broad categories:

  • Theft. By far the largest category in terms of numbers, attacks aimed at stealing can be subdivided according to what the theft targets:
    • Data. Data is the 21st century's currency, and any data in the right (or wrong) hands can be translated into value. From credit card details to users' personal information to generic data such as traveling habits, all data can be misappropriated for commercial, strategic, or even military purposes.
    • Intellectual Property. IP gives an edge to many organizations and businesses. Competitors, for example, have an immediate interest in obtaining that information.
    • Computing resources. The resources used to power your infrastructure are costly and therefore attractive. Today, the main use of stolen resources is crypto mining.
  • Extortion. Best known in the form of ransomware, which hijacks part or all of the infrastructure, encrypts the data, and demands payment in crypto-currency to decrypt the affected data. Exfiltrating data and threatening to sell it is also part of the ransomware threat.
  • Information gathering. A stealthy type of attack that might remain undetected for extended periods. Typically, these are commandeered by nation-states, political opponents, or business competitors.
  • Destruction / taking over the infrastructure. Attacks aimed at taking over or destroying infrastructure are typically led by nation-states targeting critical infrastructure, particularly aggressive competitors, or hacktivists.

Given the range of damages that can result from a cyber-attack, making recon as fruitless or daunting as possible for scouting cyber-attackers is a good policy. This explains the current trend toward better Attack Surface Management (ASM).

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com 

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516

TR-22-067-001.pdf

https://thehackernews.com/2022/03/understanding-how-hackers-recon.html/
